eCitizen scandal: Shadowy ownership and missing billions

From shadowy ownership, missing billions and contracts that appear to strip the state of control over its own system, eCitizen continues to process billions with over 22,000 government services onboarded, making it one of the busiest digital platforms in the country.

 Investigations have, however, revealed a trail of irregularities suggesting that the multi-billion shilling platform—through which millions of Kenyans pay for passports, IDs, driving licenses and hundreds of government services—may not fully belong to the government, as private firms have an upper hand on its control.

 At the heart of the crisis lies a fundamental question of ownership and a series of opaque agreements that critics say allowed little-known intermediaries to embed themselves between the state and its citizens, giving them veto powers over transactions worth billions of shillings annually, and even ability to switch it off.

 Despite government assurances that the platform is fully state-owned, contractual documents reveal that for instance, private companies can uninstall the system at will, holding the government hostage to their demands.

Principal Secretary for Immigration and Citizen Services Belio Kipsang told the Committee on Administration and Internal Security that the government had taken over the eCitizen engine from its developer, Webmaster, through a formal procurement process.

 “The government took over the eCitizen engine from Webmaster, and the contract was later awarded to the same company for system maintenance,” Kipsang said.

 Kipsang said the transfer of the platform included the source codes, system architecture, knowledge and operational control to the state.

 “The eCitizen platform has been in operation since 2013, and we have fully transitioned it to government ownership. Maintenance is procured from the private sector to ensure smooth operations,” the PS said.

Treasury principal secretary Chris Kiptoo is also holding the same stance and he told the National Assembly's Public Accounts Committee that "the government fully owns the platform and has all the access passwords."

 However, contractual documents tell a different story—one of vendor dependency and compromised control.

 Despite public assurances, a closer look at the contractual agreements reveals a disturbing reality— the government's control might in fact, be an illusion.

 The developer’s M/S Webmasters Kenya Limited, in an interview with a local television station confirmed that yes, they had handed over, but they are still holding onto the “base” of the platform.

 The visionary behind Webmasters Kenya and developer of eCitizen James Ayugi said that the ‘base’ is the software running the eCitizen platform. 

 “The government owns all the brands and the technology stack that is there. There are different agreements with different providers but for us what we handed over is the core customised version of our software,” Ayugi said.

 The platform originated in 2013 as a World Bank-IFC-backed initiative, with Webmasters Kenya Ltd contracted for development and maintenance.

 In 2017, IFC formally handed over source code, contracts and business documentation to the National Treasury, making the platform a public asset by law.

 Despite this transfer, the government inexplicably signed another handover agreement with Webmasters Kenya Ltd in January 2023, in which the vendor agreed to "unconditionally hand over" the platform to the government.

 This contradiction raises questions about how ownership and control of eCitizen ended up back with the vendor after the 2017 transfer.

 A contract signed on May 25, 2023, between the ICT Authority and the consortium of Webmasters Kenya Limited, PesaFlow Limited and Olive Tree Media Limited contains alarming clauses that effectively cede sovereignty over Kenya's digital governance infrastructure to private entities.

 The agreement stipulates that in the event of termination, "the suppliers shall be entitled to rescind, withdraw or otherwise uninstall all their proprietary infrastructure and resources".

 As the government scrambles to provide answers, the public is left with a stark image of a digital system that, rather than empowering citizens and streamlining services, has become a source of national shame and a fertile ground for graft.

 A special audit report by the Auditor General is now highlighting a dubious flow of funds. Billions collected from citizens through "convenience fees" and other payments have allegedly been funneled into private accounts, with the government seemingly unable to track or account for the money.

 The Auditor General has flagged unaccounted receipts in settlement accounts with revenue accountability statements for the period ending June 30, 2024, for instance, indicated a balance of Sh2.6 billion, relating to receipts in the settlement account that could not be linked to any invoices from the Pesaflow System.

 According to the accountability statements, the unaccounted receipts were due to partial payments, erroneous payments and duplicate payments. There are also delays in remittance of funds to Ministries, Departments and Agencies (MDAs).

 “This indicates lack of revenue traceability and accountability, which can lead to misappropriation, fraud or revenue leakages. In addition, this may affect service delivery, because not all revenue collected is remitted to MDAs,” Auditor General Nancy Gathungu notes in her special audit report.

 An analysis of the eCitizen reporting module also revealed inconsistencies in settlement reports.

 For instance, settlement reports for the Tourism Fund generated from the eCitizen Platform at Government Digital Payment (GDP) Unit for the period ending June 30, 2O24, indicated that Sh2.2 billion was due for settlement by the GDP Unit to the Fund.

 However, a summation of weekly reports used by GDP Unit to settle collections to MDAs and counties for the same period totaled to Sh1.7 billion, resulting in a variance of Sh515.5 million.

 This discrepancy highlights inadequacies in the eCitizen reporting module, raising concerns about the reliability and accuracy of the settlement reports generated by the system.

 Irregular payments for support and maintenance contract have also come out where the total payments as at June 30, 2024, amounted to Sh492.2 million and $414,299 (Sh53.7 million).

 This amount was paid to a company named 'Electronic Citizen Solutions Ltd' which was not party to the agreement, with the arrangement exposing the government to potential legal disputes that might arise from payments to parties not part of the contract.

 Out of the total payment under the contract, Sh142.2 million and $414,299 was for provision of payment gateway services.

 “These payments were deemed irregular as the government should not pay for use of its own platform,” Gathungu notes.

 It was established that Equity Bank statements for eCitizen's collection accounts had receipts amounting to Sh68.7 million and $48,142, 844 (Sh6.2 billion) from an undisclosed account named 'pesaflow’.

 According to audit, this account was not listed among the approved collection accounts by the National Treasury, pointing to irregularly collected monies.

 The total amount irregularly collected using this account was not been established as the bank statements for this account was not provided for audit, said Gathungu, who also raised a red flag on un authorised transfers from MPesa Paybill-222222.

 All collections paid using the paybill were expected to be auto transferred to the Settlement Account at KCB Bank.

 However, review of the paybill statement revealed that on January 25, 2024, there were four transactions made from the paybill account to private entities instead of the designated settlement account.

 The four transactions amounted to Sh127.9 million with approval and documentation to support these transfers of money directly from the paybill to the private entities not provided for audit.

 This is against Article 201 on principles of Public Finance that requires public funds to be used in a prudent and responsible way.

 There are also concerns over unapproved revenue collection and settlement accounts, irregular collection of convenience fee and unauthorised changes to digital payment gateway with parallel accounts being used in some instances, where the eCitizen platform had two Pesaflow Payment Gateways.

 The Auditor General has since concluded that the government did not have controls over the eCitizen platform.

 “This poses significant risks to operational independence, data security and service continuity. This dependency limits the government's ability to make system modifications, enforce security measures and ensure compliance with regulatory requirements. Additionally, reliance on the vendor for system maintenance and support increases the risk of service disruptions, Vendor third party risks, excessive costs and potential data privacy violations,” Gathungu said.

 Without ownership and administrative access, the government hence remains vulnerable to vendor lock-in, limiting future scalability and integration with other government systems.

 The lack of control of the platform and the high dependency on the vendor have contributed to the identified unauthorised modifications to the platform, unauthorised diversion and transfer of funds and irregular payments to vendor, who is also making an earning in every transaction made by the public on the eCitizen platform.

 A total of Sh105.1 billion was collected without a valid contract between the 2014-15 financial year and 2022-23, with Sh1.9 billion in commissions. Similar amounts were collected in US dollar at $174,926,958 (Sh22.7 billion) and $3,688,856 (Sh477.7 million), respectively.