State insists it owns eCitizen, but how did the platform end up in Webmasters' hands?
The State’s e-Citizen payment platform.
What you need to know:
- The idea of digitising revenue collection in the country was an initiative of the government.
- Reliance on the vendor for system maintenance and support increases the risk of service disruptions.
National Treasury Principal Secretary Chris Kiptoo has sought to assure the public that the government owns and controls the eCitizen platform, despite questions about the platform's influence and control by private entities.
But even as Dr Kiptoo affirmed the ownership, he could not explain how the government’s digital payment platform ended up in the hands of Webmasters Kenya Limited, its vendor, despite the “transfer” as revealed in a special audit by Auditor-General Nancy Gathungu.
Dr Kiptoo, at a meeting with the National Assembly Public Accounts Committee (PAC), stated that as per the agreement the government entered into, Webmasters Kenya limited “agreed to completely and unconditionally hand over the eCitizen platform to the government of Kenya.”
National Treasury Principal Secretary Chris Kiptoo when he appeared before the National Assembly Public Accounts Committee at County Hall, Nairobi on March 25, 2026.
The contract was signed between the owners of Webmasters limited and three Principal Secretaries for the State Department of Information, Communication, and Digital Economy, the State Department of Immigration and Citizen Services, and the National Treasury on behalf of the government in January 2023.
“The eCitizen platform is owned by the government of Kenya as guided by the handover agreement,” said Dr Kiptoo.
The lack of control of the platform and the high dependency on the vendor, the audit says, “have contributed to the identified unauthorised modifications to the platform and irregular payments to the vendor.”
The idea of digitising revenue collection in the country was an initiative of the government.
The development was financed by the World Bank through the International Finance Corporation (IFC), which contracted Webmasters Kenya limited to provide software development and maintenance support services.
The special audit notes that in 2017, the International Finance Corporation (IFC), an agency of the World Bank, handed over instruments including contracts, source code, business case and handover notes to the National Treasury via a handover letter of August 7, 2017.
However, the audit established that on January 13, 2023, the Ministry of Information, Communications and Digital Economy and Webmasters Kenya Limited entered into a handover agreement where Webmasters agreed to unconditionally hand over the platform to the government.
“It was not explained how the ownership and control of the eCitizen platform ended up in the hands of the vendor after having been handed over to the National Treasury by IFC in 2017,” the audit reveals.
Further, it was established that after the transfer of ownership by Webmasters Kenya limited in January 2023, the government did not obtain full control of the systems, resulting in continued over-reliance on the vendor.
Risk of service disruptions
Noting that the majority of government services are provided through the digital payment platform, the audit reveals that the control of the system by the vendor “creates a single point of failure.”
“The government did not have controls over the eCitizen Platform. This poses significant risks to operational independence, data security, and service continuity,” the audit says, adding, “this dependency limits the government's ability to make system modifications, enforce security measures, and ensure compliance with regulatory requirements.”
The eCitizen portal consists of a payment gateway, single sign-on authentication module, as well as other systems that host Ministries, Departments, and Agencies (MDAs) solutions to provide services to the citizenry.
According to Dr Kiptoo, the various instances of source code for different applications are compiled and stored within data centers managed by the respective government bodies.
However, the audit notes that reliance on the vendor for system maintenance and support increases the risk of service disruptions, vendor third-party risks, high costs, and potential data privacy violations.
“Without ownership and administrative access, the government remains vulnerable to vendor lock-in, limiting future scalability and integration with other government systems,” says the audit.
The National Treasury was also on the receiving end for not facilitating access “needed to assess security at the application, database, and network level.”
This, according to the audit, “significantly limited the ability to evaluate the effectiveness of security controls and identify potential vulnerabilities.”
“Without access, the audit could not verify compliance with security policies, data protection regulations, and best practices, increasing the risk of undetected security weaknesses that could lead to data breaches, unauthorized access, or service disruptions.”
“This lack of cooperation raises concerns about transparency and accountability in managing the Platform. There was also no evidence of third-party assurance, either internal or external to the government."
Follow our WhatsApp channel for breaking news updates and more stories like this.
