Top Governance Risk Pitfalls That Could Sink Your Startup

Gaps and consequences that lie in wait for startups when ignored

In Kenya’s dynamic fintech landscape, innovation moves fast but governance often lags behind. While regulatory compliance gets most of the attention, weak governance structures can quietly expose fintech companies to serious legal, financial, and reputational risks. Whether you’re a founder, investor, or board member, understanding the governance pain points in your startup is essential to safeguarding long-term success.

Below are some of the common governance gaps that startups face and the high-stakes consequences of ignoring them.

1. Lack of Formalized Board Oversight

Many fintech startups operate without a functional board or treat the board as a formality. In the absence of proper oversight, critical decisions around capital raising, data protection, customer funds, or partnerships may be made without structured risk assessment or fiduciary accountability. This opens the company up to conflicts of interest, regulatory scrutiny, and even shareholder disputes.

Risk Consequence: Regulatory penalties, fraud, investor fallout, poor decision-making.

2. Blurred Roles Between Founders and Management

In the early stage, founders often act as both directors and operational leads without clear role separation. Without board charters, delegation frameworks, or governance policies, key controls may be bypassed in the name of agility.

Risk Consequence: Operational bottlenecks, unchecked authority, lack of an audit trail.

3. Inadequate Compliance & Risk Reporting Frameworks

Governance is not just about structure; it’s also about monitoring. Many fintech startups fail to establish proper risk registers, compliance dashboards, or internal audit mechanisms. With rising demands from regulators like the Central Bank of Kenya (CBK) and the Capital Markets Authority (CMA), fintechs without robust risk reporting expose themselves to non-compliance.

Risk Consequence: Licence revocation, fines, reputational damage, loss of funding.

4. Weak Data Governance and Cybersecurity Oversight

Fintechs handle sensitive user data and financial transactions, making them prime targets for cybercrime. Yet boards often lack the technical knowledge or the committees to oversee cybersecurity and data governance. Without documented policies, risk matrices, or incident response plans, exposure to breaches and litigation is high.

Risk Consequence: Data theft, class action suits, CBK/CMA enforcement, user attrition.

5. Failure to Align with ESG & Responsible Innovation Standards

Globally and locally, startups, and fintechs in particular, are under pressure to demonstrate Environmental, Social, and Governance (ESG) integrity. Yet many startups treat ESG as a post-funding requirement, not a core strategic pillar. Poor ESG integration may hinder access to institutional capital or sandbox eligibility.

Risk Consequence: Disqualification from grants, poor investor ratings, brand dilution.

Time to Close the Gaps

Governance failures aren’t always dramatic; they’re often slow-burning liabilities. At EKC Advocates LLP, we help fintech founders and boards identify these risks early, develop governance structures, and align them with Kenya’s regulatory and fintech licensing standards.

Let’s Talk Governance, eddah@ekcadvocates.com

4. Protect the data you’re entrusted with

If you’re a board member, you may be privy to confidential company information. Andrew suggests seeking resources that provide guidance for boards, such as Canadian Securities Administrators (CSA), the Investment Industry Regulatory Organization of Canada (IIROC) and the Office of the Superintendent of Financial Institutions (OSFI).

5. Understand the threats

Ransomware is software that essentially holds your data hostage until you pay a sum to retrieve it. Still, there’s no guarantee paying that sum will get your data back.

The best thing you can do is to have a data backup and a disaster recovery system ready so you can bring your data back immediately. With ransomware attacks expected to increase by 100 per cent in 2022, it’s important to know how to react should one happen.

6. Train staff

Andrew tells of an email he received from a regular client that read, “Here’s the report you asked for.” He hadn’t requested a report, so he responded to see if the email was legitimate. The client assured him it was. Andrew then forwarded the email to his company’s IT department and confirmed it was spam. Threats are becoming increasingly sophisticated. Andrew recommends training staff on how to identify threats, using different passwords for different applications, and picking up the phone if there’s uncertainty over an email. Two-factor authentication can weed out threats like the one Andrew experienced.
