β North-Star KPI
24-Hour Compliance Closure Rate
The percentage of taxable transactions that successfully reach Kenya Revenue Authority (KRA) via eTIMS within 24 hours of the transaction occurring. This is a board-level metric β tracked live on the BomaOS dashboard and auditable by any KRA inspector.
Target: β₯ 95%
- Automatically computed from all taxable transactions each day
- Displayed in real time on the Strategic View dashboard
- Retry worker fires every 5 minutes on any failed eTIMS submission until success
- No other SACCO platform in Kenya measures or guarantees this KPI
- A rate below 90% triggers a management alert before it becomes a KRA problem
ποΈ SASRA Β· SACCO Act 2008 (Rev 2020)
Prudential Reporting Standards
Section 6 of the SACCO Act requires licensed SACCOs to maintain and report specific financial ratios to SASRA on a regular basis. These include Core Capital to Total Assets, Institutional Capital, Liquidity Ratio, PAR30, and NPL rate.
What BomaOS does
- Computes all SASRA prudential ratios in real time from live transaction data
- PAR30 and NPL displayed on the officer dashboard at all times
- Liquidity ratio tracked continuously against the 16%/15% SASRA threshold
- Full compliance report exportable on demand β before, during, or after a SASRA inspection
- Automated liquidity alert when ratio approaches the regulatory floor
Important note on report accuracy: BomaOS computes ratios from live transaction data. The accuracy of these reports depends on correct opening balance entry during the onboarding and data migration phase. Our team guides this process carefully β it is the most critical step in the setup. SACCOs with accurate historical data get accurate reports from day one.
π°πͺ Kenya Data Protection Act 2019
Member Data Privacy
The Kenya DPA 2019 requires organisations processing personal data to maintain consent records, purpose limitations, and audit logs of data access.
What BomaOS does
- Every Member 360 lookup by a staff member is logged with timestamp and officer identity
- Member consent for data processing captured at onboarding
- Data access audit trail exportable for DPA compliance review
- PII fields encrypted at rest; access restricted by staff role
- Member data is not shared with third parties beyond M-Pesa, KRA eTIMS, and Safaricom USSD β all disclosed in the privacy notice
π KRA eTIMS
Electronic Invoice Management
Kenya Revenue Authority requires VAT-registered entities to issue and validate electronic invoices through the eTIMS (Electronic Tax Invoice Management System). Asset-linked SACCO loans require invoice validation.
What BomaOS does
- eTIMS invoice validation integrated directly into the loan disbursement workflow
- Asset-linked loans require an eTIMS invoice reference before disbursement can proceed
- Invoice validation status displayed in the officer dashboard alongside each loan application
- Full eTIMS transaction log maintained and exportable
π¨ POCAMLA 2009 & FRC goAML
Anti-Money Laundering (AML)
The Proceeds of Crime and Anti-Money Laundering Act 2009 (POCAMLA) designates SACCOs as Reporting Institutions. They must appoint a Money Laundering Reporting Officer (MLRO) and file Suspicious Transaction Reports (STRs) with the Financial Reporting Centre (FRC) in goAML XML format.
What BomaOS does
- Automated AML scanner runs daily at 05:00 EAT, applying four detection rules: large cash (β₯ KES 1M), rapid deposits (3+ deposits totalling β₯ KES 500K within 24 hours), structuring/smurfing (deposits designed to stay just below reporting thresholds), and dormant-account spikes
- Each flagged transaction creates an AML flag assigned to the MLRO review queue with a reference number (e.g. AML-2026-0001)
- MLRO can clear benign flags with documented justification or escalate to a full STR
- On escalation, BomaOS generates a FRC-compliant goAML XML file automatically, ready for submission
- Full audit trail: who reviewed, when, what decision, with what rationale
πͺͺ IPRS β Integrated Population Registration System
Member Identity Verification
Kenya's IPRS is the national identity database. SACCOs are required to verify that a prospective member's name matches their national ID number before activating their account. BomaOS automates this check at self-registration β no manual lookup required.
What BomaOS does
- Runs an automated IPRS name-match at the point of WhatsApp self-registration for domestic members
- Uses two complementary algorithms (Levenshtein + Jaro-Winkler similarity) to handle name transpositions and common African naming patterns
- Match score β₯ 85%: automatically verified, member proceeds to KYC approval queue
- Match score 60β85%: flagged for staff manual review
- Match score below 60%: hard mismatch, staff review required before any account activation
- Diaspora members (non-Kenya phone numbers) register with passport β IPRS is skipped and manual staff verification is mandatory
π CRB β Credit Reference Bureaus
Credit Bureau Integration
SACCOs are required by SASRA to check a borrower's credit bureau status before approving a loan, and to submit their own loan book data to licensed CRBs monthly. BomaOS integrates both obligations into the standard loan workflow.
What BomaOS does
- Live CRB check available to loan officers at the click of a button from the loan application view
- Adverse CRB listings (defaulted loans at other institutions) are surfaced alongside the BomaScoreβ’ result for officer review
- A negative listing does not automatically reject the application β it is documented in the loan file for audit purposes
- Monthly CRB submission file (performing and non-performing loans) generated automatically in the prescribed format
- Supports TransUnion, Metropol, and CreditInfo β Kenya's three licensed credit bureaus
π Safaricom M-Pesa Daraja
Payment Integration
Safaricom's Daraja API governs STK push payments (member deposits) and B2C disbursements (loan payouts). Integration requires Safaricom approval and adherence to their transaction guidelines.
What BomaOS does
- STK push initiates member savings deposits directly from their M-Pesa
- B2C transfers send approved loan amounts directly to member M-Pesa wallets
- Every M-Pesa transaction logged with reference numbers for reconciliation
- Failed transactions handled with automatic retry and officer notification
- Real-time transaction feed in officer dashboard reflects M-Pesa events as they occur
π Fraud Prevention
Voice Verification for High-Value Loans
Loan fraud β including staff-initiated fraudulent applications and member impersonation β is a material risk for SACCOs. Physical branch visits reduce this risk but create friction. BomaOS provides a digital alternative.
What BomaOS does
- Loans above KES 50,000 require voice biometric verification before disbursement
- Member speaks a passphrase verified against their enrolled voice profile
- Enrollment is a one-time process completed via phone β no physical visit required
- Verification results logged alongside each loan application for audit purposes
- Mock mode available for testing without live biometric calls
π Data Security
Encryption & Access Controls
Financial data requires bank-grade security standards at rest and in transit.
What BomaOS does
- 256-bit TLS encryption on all API calls, web sessions, and webhook communications
- JWT-based officer authentication with short-lived tokens, 15-minute idle timeout, session revocation
- 13 granular roles with 50+ permission strings β not just "admin" and "user"
- Mandatory MFA for management roles (TOTP with recovery codes)
- Nonce-protected WhatsApp webhook to prevent replay attacks
- M-Pesa callback IP allowlist β Safaricom CIDR validation
- Bot and vulnerability scanner blocking at nginx + application level
π Segregation of Duties
Nobody can do everything. By design.
SASRA requires that loan origination, approval, and disbursement are handled by different people. BomaOS enforces this at the code level β not just policy.
What BomaOS enforces automatically
- Loan officer scores β credit manager approves β admin disburses β three different staff, enforced by the system
- The person who scored a loan cannot approve it (403 SEGREGATION_VIOLATION)
- Dividend maker-checker: manager declares, CEO/admin approves β same person can't do both
- Staff cannot write off their own loans or allocate shares to their own account
- Teller transactions above KES 100K require supervisor override (separate credentials)
- Interest rate changes logged with before/after values β rate manipulation detectable
- Dividend rate hard-capped at 30% β prevents mathematical fraud
- Internal auditor has full read access but cannot modify a single record
- Board members see SASRA ratios and financial summaries β zero access to individual member data
- IT admin manages staff accounts and branches β zero access to financial or member data
π Audit Trail
Every action logged. Every question answerable.
When SASRA inspectors or external auditors ask "who did what, when, and why?" β BomaOS has the answer before you finish the question.
What's logged
- Every member data access β who looked up which member, from what IP, at what time, for what purpose
- Every transaction β deposit, withdrawal, repayment, disbursement with full GL double-entry
- Every teller session β till open/close, cash reconciliation with denomination breakdown
- Every loan decision β who scored, who approved, what the score was, what was overridden
- Every rate change β savings interest, dividend rate, with before/after values
- Every login, logout, failed attempt, MFA event β staff session management
- WhatsApp notification delivery β member gets a message on every deposit/withdrawal with reference number