1 Legal and enforcement framework
1.1 What general regulatory regimes and issues should blockchain developers consider when building the governance framework for the operation of blockchain/distributed ledger technology protocols?
Kenyan law does not regulate the creation of databases, record keeping or archiving generally. However, blockchain developers will encounter the following regulatory frameworks and accompanying issues.
Data protection and privacy: Kenya recently enacted the Data Protection Act (2019), which is largely modelled on the EU General Data Protection Regulation (GDPR). The act regulates the processing of (non-anonymised) personal data. For a detailed discussion of these challenges, see question 5.1.
Property in crypto-assets: Tokens (ie, digital assets that can be tokenised using a cryptographic protocol) are the main vehicles of value exchange within a blockchain system. However, no regulations specify which of such crypto-assets are considered property (eg, those that are not asset backed and derive their value mainly from scarcity), or whether some types of crypto-assets qualify as financial instruments. Moreover, conveyances of land can be effected only via written contract and must be authenticated and witnessed.
Anti-money laundering (AML) and know-your-customer (KYC) requirements: The Kenyan AML and KYC requirements are set out in the Proceeds of Crime and Anti-money Laundering Act.
The provisions on which entities can be caught under the reporting and monitoring obligations are drafted broadly and may include entities that employ blockchain technology. The act provides that the cabinet secretary in charge of finance may "designate such other business or profession in which the risk of money laundering exists..., to have to comply with the reporting and monitoring obligations".
Blockchain technology poses a challenge with regard to compliance with KYC provisions. Practical recommendations would include:
- outsourcing the data validation function to external entities that can certify or validate the data being put into the blockchain, while responsibility and corresponding liability for compliance remains with the regulated entity; and
- using blockchain explorer software.
However, the Proceeds of Crime and Anti-money Laundering Act is silent on whether KYC due diligence obligations can be outsourced to third parties. That said, it does specifically prohibit the outsourcing of KYC due diligence obligations when transacting with jurisdictions that have been designated as high risk or are otherwise monitored by the Financial Action Task Force.
The Proceeds of Crime and Anti-money Laundering Act has extra-territorial application if the conduct in question would constitute an offence against a provision of any law in Kenya if it occurred in Kenya.
Taxation: Tax regulation in Kenya has only recently been updated to recognise income accrued from digital marketplaces. The Finance Act 2019 provides that income accruing from a digital marketplace falls within the ambit of taxable income. A ‘digital marketplace' is defined as "a platform that enables the direct interaction between buyers and sellers of goods and services through electronic means". This definition is broad enough to include a blockchain or distributed ledger technology (DLT) platform. The cabinet secretary in charge of finance has not yet promulgated the regulations that will put these provisions into effect.
Conflict of laws and dispute resolution: Distributed ledgers may have nodes (participants) located in multiple jurisdictions. This raises questions of governing law and jurisdiction. Kenyan law generally gives parties the freedom to choose the governing law and the forum for dispute resolution, except in relation to criminal offences and the protection of constitutional rights. The governing framework for blockchain should attempt to provide some clarity on how disputes should be resolved.
1.2 How do the foregoing considerations differ for public and private blockchains?
Most of the considerations noted above apply to both public and private blockchains. The most important distinctions in how they apply are as follows.
Privacy: In private blockchains, an external mechanism facilitates the identification of parties that want to add records to the blockchain and/or participate as validators. These parties can be ‘chosen', to some extent. The existence of this external mechanism and the choice of who adds what to the blockchain may be important indicators when dealing with the question of who the data controller and processor is. Private blockchains therefore provide better mechanisms for compliance with the Data Protection Act than public blockchains.
Liability: Public open source blockchains pose an added risk, as the question of liability for non-compliance with the above legal requirements is compounded by the fact that multiple unknown and unrelated developers are continuously changing or amending code, and bugs or other undesirable results of the system thus cannot be easily traced back to an individual or entity.
1.3 What general regulatory issues should users of a blockchain application consider when using a particular blockchain/distributed ledger protocol?
Users of blockchain applications should be aware of the inherent risks involved in using an unregulated platform to transact, as outlined in questions 1.1 and 1.2.
Users would be well advised to use blockchain or other DLT applications with robust governance frameworks that attempt to resolve the pervasive question of assigning liability and consequently provide a clearer path to obtaining remedial measures in the event of loss. Private or permissioned blockchains may be better placed to offer such safeguards.
Users should further note that contributing as a validator in a blockchain (whether public or private) comes with the responsibility of processing transactions that do not belong to you. In a legal environment that has not yet determined how this mutual consensus protocol affects liability, the question remains open and the risk of being held liable remains real.
1.4 Which administrative bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
No administrative bodies are specifically responsible for blockchain, although the following regulators may play a role, depending on the relevant industry and blockchain application.
|Industry/ Application||Regulator||Key enforcement powers|
|AML||Financial Reporting Centre||
|Financial services: banking, payment systems, money remittance and forex trading||Central Bank of Kenya (CBK)||
|Capital markets – securities trading and investments||Capital Markets Authority (CMA)||
1.5 What is the regulators' general approach to blockchain?
As noted above, blockchain has no clearly designated regulator. The following are some approaches that some of the industry-specific regulators have taken to specific blockchain applications:
- The Ministry of Information Communication and Technology appears to be generally pro-blockchain and has even issued a report that encourages the adoption of blockchain technology in the private and public sectors.
- The CBK has been very wary of cryptocurrencies and has issued a circular which prohibits financial institutions (including banks and payment service providers) from engaging with entities that trade in cryptocurrencies. It has also issued a notice to the public warning of the dangers of trading in cryptocurrencies.
- The CMA has established a regulatory sandbox which, although not specifically intended for blockchain or cryptocurrency enterprises, could provide the opportunity to test such applications – and perhaps identify how best to regulate them – in a risk-mitigated environment.
1.6 Are any industry or trade associations influential in the blockchain space?
The Blockchain Association of Kenya is a non-profit organisation set up to promote the adoption of blockchain and cryptocurrency technology in Kenya and East Africa by building a network of competent, home-grown human capital.
The Ministry of Information Communication and Technology is leading the charge in the public sector, through its Taskforce on Distributed Ledgers and Artificial Intelligence. The taskforce is mandated to explore and analyse nascent digital technologies that demonstrate the potential to transform Kenya's economy. The taskforce released a report in July 2019 encouraging the adoption of blockchain technology by both public and private sector actors.
2 Blockchain market
2.1 Which blockchain applications and protocols have become most embedded in your jurisdiction?
Blockchain registries are the most common applications of blockchain in Kenya.
However, notwithstanding the Central Bank of Kenya's (CBK) warnings, cryptocurrencies are the most popular use of blockchain. There are a few traders in cryptocurrencies such as Bitcoin and a number of start-ups have issued initial coin offerings.
2.2 What potential new applications/protocols are most actively being explored?
In the private sector, blockchain applications that use blockchain as a registry in supply chain management are gaining popularity in the agribusiness, healthcare and consumer goods industries.
In the public sector, the Ministry of Information Communication and Technology (ICT) has recommended that the use of blockchain be explored in the following industries:
- land titling and registration;
- food security;
- government transacting; and
- government-backed cryptocurrencies, borrowing from the Venezuelan example.
2.3 Which industries within your jurisdiction are making material investments within the blockchain space?
Quite a few start-ups are developing blockchain solutions in the agribusiness, manufacturing and private healthcare industries.
There is also significant interest in the financial services industry, as major banks and other financial technology companies seek to fund and partner with blockchain developers and start-ups in order to determine their value proposition. However, financial institutions are staying clear of cryptocurrencies, due to the CBK's prohibition.
2.4 Are any initiatives or governmental programmes in place to incentivise blockchain development in your jurisdiction?
There is a general policy to promote the development of the ICT sector and propel Kenya into the fourth industrial revolution. While there are no incentives aimed specifically at blockchain or distributed ledger technology applications, blockchain developers may take advantage of the following:
- Konza City is a special economic zone that has been set up to incentivise investment in digital solutions in ICT. Special economic zone incentives are available, such as a corporation tax rate of 10% for the first 10 years of operation and 15% for the next 10 years (the statutory corporation tax rate in Kenya is 30%). Blockchain developers can set up shop in Konza City.
- The ICT Ministry Taskforce on Distributed Ledgers and Artificial Intelligence released a report in July 2019 that encouraged the adoption of blockchain technology by public and private sector actors.
3.1 How are cryptocurrencies and/or virtual currencies defined and regulated in your jurisdiction?
Kenyan law makes no specific mention of cryptocurrencies and views on how they are regulated appear to differ, as follows:
- The Central Bank of Kenya (CBK) is emphatic in its position that cryptocurrencies such as Bitcoin are not legal tender in Kenya.
- In one case (Lipisha Consortium Limited v Safaricom Limited  eKLR) the High Court of Kenya classified cryptocurrency trading as money remittance. ‘Money remittance business' is defined in law as "a service for the transmission of money or any representation of monetary value without any payment accounts being created in the name of the payer or the payee".
- In another case (Wiseman Talent Ventures v Capital Markets Authority  eKLR) the High Court held that cryptocurrencies constitute securities. However, the Capital Markets Authority (CMA) has not yet designated cryptocurrencies as securities.
- Other scholars suggest that cryptocurrencies should be regulated under the National Payment Systems Act. A ‘payment system' is defined under this act as "a system or arrangement that enables payments to be effected between a payer and a beneficiary, or facilitates the circulation of money, and includes any instruments and procedures that relate to the system".
As yet, cryptocurrencies remain unregulated in Kenya.
3.2 What anti-money laundering provisions apply to cryptocurrencies?
The following anti-money laundering (AML) provisions may have implications for cryptocurrencies:
- The Proceeds of Crime and Anti-money Laundering Act provides that the cabinet secretary in charge of finance may "designate such other business or profession in which the risk of money laundering exists..., to have to comply with the reporting and monitoring obligations". Therefore, entities that trade in cryptocurrencies may be designated as reporting institutions. Reporting institutions are obliged to monitor and report any suspicious activities, report any transfers of funds above $10,000 and maintain adequate AML policies and systems.
- The cryptography protocols built into blockchain and distributed ledger technology applications pose a challenge with regard to compliance with know-your-customer (KYC) requirements. Recommendations include the following:
- AML and KYC functions could be outsourced to external entities that can certify or validate the data being put into the blockchain, while responsibility and corresponding liability for compliance remain with the regulated entity. However, the Proceeds of Crime and Anti-money Laundering Act is silent on whether KYC due diligence obligations can be outsourced to third parties. That said, it does specifically prohibit the outsourcing of KYC due diligence obligations when transacting with jurisdictions that have been designated as high risk or are otherwise monitored by the Financial Action Task Force.
- The use of blockchain explorer software may facilitate compliance with KYC obligations.
3.3 What consumer protection provisions apply to cryptocurrencies?
It appears that legally, there are no consumer protection provisions that apply to cryptocurrencies. The CBK noted this when it warned Kenyans that trading in cryptocurrencies exposes them to the risk of fraud and loss without recourse.
In Wiseman Talent Ventures v Capital Markets Authority  eKLR the High Court of Kenya further stressed that nobody should be allowed to engage in unregulated financial transactions that expose the Kenyan public to risk, making express reference to trading in cryptocurrencies.
In the absence of specific regulations, we would suggest that trading in cryptocurrencies can be regulated by private contract law and robust protocols which mitigate the risks to consumers. Practical workarounds that can be employed in this regard include:
- using private or permissioned blockchains rather than public blockchains to trade in cryptocurrencies;
- using blockchain explorer technology to identify unscrupulous dealers; and
- requiring third-party certification of data inputted into the system.
3.4 How are cryptocurrencies treated from a tax perspective?
This question has not yet been resolved, as their legal categorisation remains to be determined.
3.5 What regulatory requirements apply to a cryptocurrency trader/exchange?
There is no clear regulatory framework for cryptocurrency traders or exchanges under Kenyan law. However, the CMA has developed a regulatory sandbox through which traders and exchanges that wish to set up in Kenya can test the market and the regulatory environment.
3.6 How are initial coin offerings and securities token offerings defined and regulated in your jurisdiction?
There is no clear regulatory framework for initial coin offerings and securities token offerings under Kenyan law. However, the CMA has developed a regulatory sandbox through which traders and exchanges that wish to set up in Kenya can test the market and the regulatory environment.
4 Smart contracts
4.1 Can a smart contract satisfy the legal requirements of a legal contract under the laws of your jurisdiction? What will be considered when making this determination?
No specific provisions relate to smart contracts and the law will need to be clarified in this regard. However, in our view, there is room to argue that the current law can accommodate smart contracts in some respects. Two legal regimes should be taken into consideration in this regard: contract law and consumer protection law.
Contract law: Kenya incorporates common law principles of contract law, as follows:
- The creation of a contract should include, at a minimum, offer, acceptance, consideration and an intention to create legally binding relations. Self-executing code may not incorporate these aspects in all transactions, particularly if artificial intelligence is embedded in it. We recommend that the ‘wrapper' of a written contract be integrated into the transaction, to ensure that the offer and acceptance criteria are satisfied. The wrapper could involve accepting terms and conditions by clicking a button – a recognised method of contracting in Kenya.
- The law is not clear on whether a contract must be written in a particular language, so as to exclude programming language. We recommend that the smart contract be integrated with a written contract ‘wrapper', to mitigate this risk.
- The question of remedies is particularly complex. Kenyan law recognises damages, restitution, rescission, specific performance and other equitable remedies.
- If a breach of contract is due to a bug in the code or some unforeseen undesired effect of the code, the law is unclear as to how to attribute responsibility or liability.
- Even if a responsible party can be identified, the immutable nature of blockchain and distributed ledger technology (DLT) makes it practically impossible to ‘void' a smart contract in the event that a court or tribunal determines that the contract is void or voidable.
- Rescission, or simply returning the parties to their state prior to the transaction, may be one available remedy. Other than rescission, specific performance may be another option, where the offending party is compelled to perform its obligations under the contract.
Consumer protection: The Consumer Protection Act appears to envision only agreements developed by text-based applications and those reduced to writing. Key features include the following:
- The act recognises internet agreements. An ‘internet agreement' is "a consumer agreement formed by text-based internet communications". The inclusion of the terms ‘text-based' may be interpreted to mean that self-executing code does not fall within the ambit of internet agreements.
- The act recognises internet agreements and remote agreements. A ‘remote agreement' is a consumer agreement entered into when the consumer and supplier are not present together. It must be in writing – which again excludes self-executing code from its definition.
- The act further requires that both internet agreements and remote agreements contain certain ‘prescribed information'. It does not specify what this ‘prescribed information' is, although it grants customers the right to terminate internet agreements and remote agreements within seven days for failure to include this prescribed information.
- Notwithstanding the foregoing, there is nothing in consumer protection law that appears to expressly exclude the use of smart contracts.
4.2 Are there any regulatory or governmental guidelines or policies within your jurisdiction which provide guidance on regulating/defining smart contracts?
Other than contract law and consumer protection law, there are no further guidelines or policies on the regulation or definition of smart contracts.
4.3 What parts of traditional contract might smart contracts be able to replace?
Smart contracts represent an efficient alternative to traditional contracts in the following ways:
- They can be a more efficient and cost-effective alternative for transactions that are very predictable (eg, agreements to remit money at certain intervals).
- The certainty of execution reduces time and risk with regard to the performance of automatable functions.
- They are a more efficient alternative when it comes to contracts that contain mostly boilerplate clauses which can be drafted strictly.
4.4 What parts of traditional contracts might smart contracts be unable to replace?
Smart contracts are not desirable where there is need for ambiguity or flexibility of contract terms. Contracts may include an agreement to undertake "all reasonable efforts" to perform an obligation or force majeure clauses that are not very specific, to allow for flexibility in their interpretation. Current artificial intelligence technology still cannot provide for the flexibility of interpretation that such clauses require; in such cases, therefore, a written contract might be the best alternative.
4.5 What issues might present themselves in your jurisdiction with regard to judicial enforcement of smart contracts?
As discussed, it is not clear whether smart contracts can be deemed contracts under Kenyan law and are therefore legally enforceable. There is also a question as to whether such a contract is enforceable in Kenya, given that DLT can be operated across multiple jurisdictions.
4.6 What are some practical considerations that parties should consider when drafting a smart contract?
As discussed, the best option is to use an integrated model in which written contracts are integrated into the agreement as wrappers containing clear indications of offer and acceptance, choice of law and dispute resolution provisions.
4.7 How will the foregoing considerations differ when smart contracts are running on a private versus public blockchain?
On a public blockchain, it is harder to determine questions of liability. Open source DLTs have multiple developers making amendments to the code, and thus errors in the execution of a smart contract cannot easily be traced back to an individual.
Further, public blockchains are not necessarily owned by an individual entity. This decentralised characteristic makes it difficult to identify the party against which an award of damages can be directed.
Users of public blockchains are therefore exposed to a greater risk that they will be unable to enforce their rights.
5 Data and privacy
5.1 What specific challenges or concerns does blockchain present from a data protection/privacy perspective?
The Data Protection Act regulates the processing of (non-anonymised) personal data. Unfortunately, the act presents similar challenges to distributed ledger technology (DLT) as the EU General Data Protection Regulation (GDPR). These include the following.
Hashing and anonymisation: Whether the hashing of public/private keys inherent in blockchain technology would render the personal data contained on a blockchain to have been sufficiently anonymised and therefore outside the scope of the act is still unclear. Regulatory clarification is awaited on whether hashing amounts to pseudonymisation (as is the position under the GDPR).
Right to erasure of personal data: Blockchain protocols currently take advantage of the chain structure, which makes it very difficult to delete or update a transaction in the chain.
Liability: The collection, storage, processing and transfer abroad of personal data must accord with the data protection principles set out in the Data Protection Act. However, in the case of DLTs, data inputted into the system is replicated almost instantaneously across various nodes that could be located across multiple jurisdictions. This raises some pertinent questions:
- Who must seek consent? In a public blockchain or even a decentralised autonomous organisation where there is no central authority, would users be understood to have consented to the multiple users across the possible multiple jurisdictions to the ‘processing' of their data through the mutual consent and validation protocols that are the bedrock of blockchain technology? The legal position here still needs to be clarified.
- The Data Protection Act designates the titles of data protectors and controllers, but does not assign unique roles and responsibilities to either role. However, the general obligations and liability for data protection set out in the Data Protection Act fall on both. Blockchain protocols enable transparent transaction validation by a supermajority of the community that transact. This decentralised nature of a DLT platform makes it difficult to identify who the data controller or data processor is, and therefore on whom liability for a data breach should fall.
5.2 What potential advantages can blockchain offer in the data protection/privacy context?
Blockchain is designed to prevent the identification of users through the analysis of blockchain transactions, and to obscure the contents of transactions from outsiders and validators, with a minimal trade-off in the complexity of the validation protocol. These two design features of blockchain are especially advantageous in maintaining anonymity and protecting privacy.
As the technology matures, there are various options to bolster blockchain's privacy protection – for example, integrating advanced cryptography techniques into validation protocols to obscure potentially private information. One such option is ring signatures technology.
Further, and specifically with regard to public blockchains, designing them in such a way that a new private/public key is generated for every transaction reduces the risk of malicious individuals identifying users by tracking their transaction trends.
DLTs can also be designed to integrate machine-readable consent protocols which employ smart contracts to ensure that data is processed only for the purposes that the data subject has consented to. Thanks to such solutions, blockchain solutions are a great tool for the protection of privacy.
6.1 What specific challenges or concerns does blockchain present from a cybersecurity perspective?
Kenyan cybersecurity law is set out in the Computer Misuse and Cybercrimes Act and the Kenya Information and Communication Act.
The acts outline what are considered to constitute breaches of cybersecurity under law, but impose no obligations on entities to take particular cybersecurity prevention measures. Thus, they do not limit the opportunities for entities to adopt novel technologies such as blockchain.
The exception concerns critical information infrastructure systems or data – that is, "an information system, program or data that supports or performs a function with respect to a national critical information infrastructure". ‘Critical infrastructure' comprises "the processes, systems, facilities, technologies, networks, assets and services essentials to the health, safety, security or economic well-being of Kenyans and the effective functioning of Government". Blockchain solutions that fall within this definition must be registered with the National Computer and Cybercrimes Coordination Committee and undergo assessments as to the adequacy of their systems for the prevention of cybersecurity threats.
All entities are obliged to report cyber threats. This presents a challenge for public blockchains in which there is no central authority, as it is unclear whose responsibility it is to report such cyber threats.
6.2 What potential advantages can blockchain offer in the cybersecurity context?
Blockchain offers the following advantages from a cybersecurity context:
- Its consensus mechanisms can help to prevent fraudulent activities;
- Its characteristics of immutability and mutual consensus can assist with the prevention and detection of data tampering;
- Encryption allows for improved data confidentiality and data access control; and
- It has no single point of failure.
6.3 What tools and measures could be implemented to mitigate cybersecurity risk?
Developers of private blockchains should develop better user controls to ensure that only those authorised to input data or participate in validation protocols do so. Improving the encryption technology in public blockchains could also help to mitigate cybersecurity risks.
7 Intellectual property
7.1 What specific challenges or concerns does blockchain present from an IP perspective?
Kenyan law recognises IP rights such as copyrights, trademarks, industrial designs and patents. There are no challenges or concerns specific to blockchain from an IP perspective.
7.2 What type of IP protection can blockchain developers obtain?
Software code is protected by copyright law in Kenya. Blockchain developers can obtain copyright protection for their blockchain-related applications.
7.3 What are the best open-source platforms that could be used to protect developers' innovations?
As far as we are aware, Kenya has no indigenous open-source platforms for blockchain or DLT. However, developers based in Kenya can access international open source platforms from Kenya.
7.4 What potential advantages can blockchain offer in the IP context?
The IP industry is particularly suited to blockchain solutions. Key uses in this context include the following:
- providing evidence of creatorship and provenance authentication;
- registering and clearing IP rights;
- controlling and tracking the distribution of (un)registered IP rights, including detection and/or retrieval of counterfeit, stolen and parallel-imported goods;
- providing evidence of genuine and/or first use in trade and/or commerce; and
- establishing and enforcing IP agreements, licences or exclusive distribution networks through smart contracts.
8 Trends and predictions
8.1 How do you think the regulatory landscape in your jurisdiction will evolve in the blockchain space over the next two years? Are any pending changes currently being considered?
No fundamental regulatory changes are anticipated in the next two years. This is because the regulators appear to be very cautious in their approach to these novel technologies. As far as we are aware, no changes are currently under consideration.
8.2 What regulatory changes would you like your jurisdiction to implement to further advance the blockchain industry?
In our view, the following regulatory changes would advance the development of blockchain technology in Kenya:
- clarification of which regulatory regimes govern crypto-assets and cryptocurrencies;
- clarification of whether smart contracts are legally enforceable in Kenya;
- clarification of the roles of data protector and processor under the Data Protection Act in the blockchain context; and
- clarification of the right to erasure under the Data Protection Act as it relates to blockchain technology.
8.3 What is the largest impediment within your jurisdiction to the adoption of blockchain technology?
The Central Bank of Kenya's aversion to cryptocurrencies is serving to limit the development of this technology in Kenya. The lack of clarity in the Data Protection Act also presents a challenge to the development of blockchain technology.
However, there are no significant challenges to other uses of blockchain, which may well increase more rapidly depending on the development of these technologies and available financing.
9 Tips and traps
9.1 What are your top tips for effective use of blockchain technologies in your jurisdiction and what potential sticking points would you highlight?
- The Kenyan regulators often interpret their powers as broadly as possible. Their general approach to emerging technologies that fall outside the ambit of existing law is extremely cautious. Given this reality, blockchain developers and investors should not be seeking to fundamentally transform the business environment, particularly in these nascent stages of the development and regulation of this technology in Kenya. Instead, their aim should be to demonstrate that blockchain technology is a more efficient electronic alternative to existing forms and practices, which is nonetheless capable of meeting the same standards of authenticity, integrity and legitimacy required under prevailing legal standards.
- The president of Kenya has identified affordable housing, healthcare, manufacturing and education as the administration's key priorities. Solutions targeted at these areas and modelled for the public sector may attract a positive response from government.
- The Ministry of Information and Communication Technology has recommended a public-private partnership model in developing Kenya's key digital infrastructure. While there are no details available as to how this could work, it is a concept that blockchain and distributed ledger technology investors and developers should consider when entering the Kenyan market.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.