Internet-Draft OMP SACCO Profile March 2026
Adebayo & Makanjuola Expires 22 September 2026
Workgroup: Network Working Group
Internet-Draft: draft-veridom-omp-sacco-00
Published:
Intended Status: Informational
Expires:
Authors: T. Adebayo (Veridom Ltd), F. Makanjuola (Veridom Ltd)

OMP Domain Profile: Kenya Deposit-Taking SACCOs -- SASRA Supervision and Cooperative Governance Accountability

Abstract

This document defines the OMP domain profile for deposit-taking SACCOs (Savings and Credit Cooperative Organisations) operating under SASRA supervision in Kenya. It specifies the Intent Class configuration, routing threshold ranges, Watchtower definitions, and Audit Trace extensions required to satisfy board-level principal accountability requirements under the SACCO Societies Act and the Cooperatives Bill 2024.

The PricewaterhouseCoopers forensic audit of KUSCCO [KUSCCO-PWC-2025] (Kenya Union of Savings and Credit Co-operatives), presented to the Cabinet Secretary for Cooperatives and MSMEs in 2025, identified KES 13.3 billion in misappropriated funds. Every specific failure identified -- forged auditor signatures, unauthorised executive loans, fraudulent commission rate changes, unlicensed operations -- was undetectable because no evidence trail connected board authorisation to operational outcome. This profile specifies the OMP architecture that closes each of those specific failure modes.

The Cooperatives Bill 2024 [COOPERATIVES-BILL-2024] (Bill No. 7 of 2024), currently before the Kenyan Senate, introduces criminal penalties for SACCO board directors who cannot produce governance evidence. This profile REQUIRES implementation of the core OMP protocol as defined in [I-D.veridom-omp]. The full specification is also available at [ZENODO-OMP].

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 22 September 2026.

1. Introduction

SASRA [SASRA-DT-RULES-2020] supervises 355 deposit-taking SACCOs in Kenya. The Cooperatives Bill 2024, currently before the Senate with passage expected Q2 2026, introduces a Commissioner for Cooperative Development with enforcement powers, mandatory quarterly board reports, and criminal penalties for board directors who fail to produce governance evidence of oversight.

The KUSCCO forensic audit demonstrated that the principal accountability gap -- the absence of an evidence trail connecting board decisions to operational outcomes -- is not an AI governance problem. It is a structural accountability problem that predates AI and is compounded by AI-assisted lending decisions. The same three-state routing invariant that produces per-decision credit explainability for CBK DCPs produces board-level principal accountability evidence for SASRA-supervised SACCOs.

SASRA committed to "advancing digitization" at its strategic Board and Management retreat held March 12-13, 2026. Cabinet Secretary Oparanya confirmed in 2025 that investigations are ongoing into SACCOs beyond KUSCCO. This profile addresses the governance evidence requirements that these enforcement actions and the forthcoming Cooperatives Bill will impose.

This document focuses on the principal-agent evidence gap at two levels: board-to-executive (the KUSCCO failure level) and executive-to-loan-officer (the daily operational level). OMP addresses both levels through a single consistent evidence architecture.

2. Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] when, and only when, they appear in all capitals, as shown here.

3. KUSCCO Failure Mode Analysis

The PwC forensic audit identified the following specific governance evidence failures. This section maps each failure to the specific OMP Watchtower that closes it.

Forged auditor signature (Alfred Basweti, deceased):
No governance record of who engaged the auditor, who reviewed the audit output, or who authorised the audit sign-off. Closed by WT-SACCO-02 (Audit Engagement Verifier): requires named auditor identity verification and Named Accountable Officer acceptance before any audit engagement record is created.
Unauthorised KES 50 million loan to Managing Director:
Processed without board authorisation records. Closed by WT-SACCO-01 (Executive Threshold Guardian): any loan or financial action above the configurable KSh threshold MUST be approved by a Named Accountable Officer with logged rationale before execution can proceed.
Commission rate fraudulently raised from 1% to 3%:
No audit trail of rate change authorisation. Closed by WT-SACCO-03 (Commission Rate Guardian): any change to commission rates, fee structures, or member benefit rates MUST have Named Accountable Officer approval and generates a sealed change record that cannot be deleted.
KES 318 million transferred to KUSCCO Housing without oversight documentation:
Closed by WT-SACCO-01 at the INTERCO_TRANSFER intent class: all inter-entity transfers above threshold require Named Accountable Officer approval with logged rationale and documentary reference.
Unlicensed deposit-taking and insurance operations:
No evidence trail of regulatory authorisations or board decisions to operate unlicensed. Closed by REGULATORY_SUBMISSION intent class with theta = 0.99 and mandatory Named Officer attestation: all regulatory submissions and operational authorisations generate sealed, immutable records.

4. Regulatory Reference Framework

SACCO Societies Act Cap 490B:
Board accountability for executive operations. OMP ASSISTED path with Named Accountable Officer logging provides interaction-level evidence of supervision for every executive action above defined thresholds.
SASRA DT SACCO Rules 2020:
Annual audited financials, AML compliance, fit-and-proper governance requirements. Watchtower 6 Proof-Point generates the board-ready governance evidence artifact. Chain integrity verification demonstrates financial records have not been altered since creation.
Cooperatives Bill 2024 (Bill No. 7 of 2024, before Senate):
Criminal penalties for board directors who cannot produce governance evidence. The OMP Proof-Point is the governance evidence artifact. Every board decision, every executive action above threshold, and every governance exception generates a sealed, independently verifiable record.
Financial Reporting Centre (FRC) requirements:
AML compliance and suspicious transaction reporting. OMP Watchtower-class detection of unusual transaction patterns with ESCALATED routing to Named Accountable Officer for AML review.
Kenya Data Protection Act 2019:
Member data processing audit trail. WT-01 (PII Exposure Shield) and H_s anchoring of member consent records at time of processing.

5. Intent Class Configuration

Table 1

Intent Class                Theta Min  Rationale
--------------------------  ---------  ---------
LOAN_OFFICER_DECISION       0.88       Loan officer credit decision within delegated authority. Fully logged. Board can audit any decision.
EXECUTIVE_THRESHOLD_ACTION  0.95       Executive action above board-delegated threshold. MUST route ASSISTED. Named board-delegated officer MUST approve before execution.
BOARD_RESOLUTION_RECORD     0.99       Board resolution or board-delegated decision. Always ASSISTED or ESCALATED. Named board officer signature mandatory.
MEMBER_COMPLAINT            0.85       Member complaint or dispute. Regulatory Silence Detector active. 5-day SASRA response deadline enforced.
AUDIT_ENGAGEMENT            0.99       External auditor engagement or audit report acceptance. Named board officer mandatory. Prevents forged auditor signatures.
INTERCO_TRANSFER            0.95       Transfer to subsidiary or affiliated entity. Hard block above KSh 10M without board-delegated officer approval and documented rationale.
REGULATORY_SUBMISSION       0.99       Submission to SASRA, FRC, or ODPC. Named officer MUST attest before dispatch. Creates immutable record that submission was reviewed.
RATE_CHANGE                 0.99       Change to commission rates, fee structures, or member benefit rates. Named officer MUST approve. Immutable change record generated.

6. Watchtower Configuration

6.1. WT-SACCO-01: Executive Threshold Guardian

Severity:
HARD_BLOCK
Trigger:
Any EXECUTIVE_THRESHOLD_ACTION or INTERCO_TRANSFER above the configurable KSh threshold (RECOMMENDED default: KSh 10,000,000).
Action:
Blocks execution. Routes to ASSISTED. Named Accountable Officer MUST approve with logged rationale before any execution proceeds. The rationale field is mandatory and MUST reference a board resolution or delegated authority document.
KUSCCO failure mode closed:
Unauthorised KES 50 million loan to Managing Director. KES 318 million transfer to Housing subsidiary.

6.2. WT-SACCO-02: Audit Engagement Verifier

Severity:
HARD_BLOCK
Trigger:
Any AUDIT_ENGAGEMENT intent class interaction.
Action:
Requires before execution: (i) named auditor identity logged, (ii) auditor licence verification query with H_s anchor, (iii) Named Accountable Officer acceptance with timestamp. No audit engagement record can be created without all three elements sealed in the Audit Trace.
KUSCCO failure mode closed:
Forged signature of deceased auditor Alfred Basweti. With this Watchtower active, any audit engagement requires a live, timestamped, sealed record of auditor identity verification. A deceased auditor's licence cannot pass the verification query.

6.3. WT-SACCO-03: Commission Rate Guardian

Severity:
FORCE_ASSISTED
Trigger:
Any RATE_CHANGE intent class interaction, or any configuration change to commission rates, fee structures, or member benefit rates.
Action:
Forces ASSISTED path. Named Accountable Officer MUST approve. Generates a sealed change record in the Audit Trace that cannot be deleted and is included in every subsequent Proof-Point for the deployment lifetime.
KUSCCO failure mode closed:
Commission rate fraudulently raised from 1% to 3% without board approval. With this Watchtower active, every rate change generates an immutable, board-officer-approved, cryptographically sealed record.
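
The three Watchtowers above can be read as a single pre-execution gate. The following is an added example, not code from this draft or from the OMP project. The Interaction structure, its field names and the evaluate function are hypothetical; only the intent class names, Watchtower identifiers, severities and the KSh 10,000,000 default come from this section.

```python
from dataclasses import dataclass
from typing import Optional

THRESHOLD_KSH = 10_000_000  # RECOMMENDED default for WT-SACCO-01; configurable

@dataclass
class Interaction:  # hypothetical shape; the draft does not define this structure
    intent_class: str
    amount_ksh: int = 0
    officer: Optional[str] = None         # Named Accountable Officer
    rationale: Optional[str] = None       # logged rationale
    authority_ref: Optional[str] = None   # board resolution or delegated authority document
    auditor_name: Optional[str] = None    # named auditor identity
    licence_anchor: Optional[str] = None  # H_s anchor of the licence verification query
    accepted_at: Optional[str] = None     # timestamp of officer acceptance

def _missing(ix, *fields):
    """Names of the required evidence fields that are absent or empty."""
    return [f for f in fields if not getattr(ix, f)]

def evaluate(ix):
    """Return (watchtower, severity, missing); execution may proceed only when missing == []."""
    if (ix.intent_class in ("EXECUTIVE_THRESHOLD_ACTION", "INTERCO_TRANSFER")
            and ix.amount_ksh > THRESHOLD_KSH):
        return "WT-SACCO-01", "HARD_BLOCK", _missing(ix, "officer", "rationale", "authority_ref")
    if ix.intent_class == "AUDIT_ENGAGEMENT":
        return "WT-SACCO-02", "HARD_BLOCK", _missing(
            ix, "auditor_name", "licence_anchor", "officer", "accepted_at")
    if ix.intent_class == "RATE_CHANGE":
        return "WT-SACCO-03", "FORCE_ASSISTED", _missing(ix, "officer")
    return None, None, []  # no SACCO Watchtower triggered

# Constructed sample interactions (all names and references are placeholders)
md_loan = Interaction("EXECUTIVE_THRESHOLD_ACTION", amount_ksh=50_000_000)
transfer = Interaction("INTERCO_TRANSFER", amount_ksh=318_000_000, officer="Officer A",
                       rationale="Approved under board resolution", authority_ref="BR-PLACEHOLDER")
audit = Interaction("AUDIT_ENGAGEMENT", auditor_name="Auditor B", officer="Officer A")

if __name__ == "__main__":
    for ix in (md_loan, transfer, audit):
        print(ix.intent_class, evaluate(ix))
```

An interaction at or below the threshold does not trigger WT-SACCO-01 in this sketch; the routing rules of Section 5 still apply to it.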

7. Board Delegated Authority Framework

The SACCO profile introduces a board_delegated_authority_level field in the Audit Trace to record the authority level of the Named Accountable Officer for each ASSISTED path decision. This field enables boards to review the authority structure under which each decision was made.

board_delegated_authority_level: enum {
  FULL_BOARD,           // resolution of the full board
  DELEGATED_COMMITTEE,  // board-delegated committee decision
  CEO,                  // CEO within board-delegated authority
  LOANS_MANAGER,        // Loans Manager within delegated limits
  LOAN_OFFICER          // Loan Officer within delegated limits
}

Any EXECUTIVE_THRESHOLD_ACTION MUST carry authority level FULL_BOARD or DELEGATED_COMMITTEE. Any lower authority level on this intent class MUST be flagged as an authority mismatch and routed to ESCALATED.

8. Audit Trace Extensions

{
  "sasra_sacco_registration_number": "string",
  "board_delegated_authority_level": "enum (see Section 7)",
  "delegation_resolution_reference": "string | null",
  "interco_counterparty_id":         "string | null",
  "auditor_licence_hash":            "sha256 | null",
  "rate_change_previous_value":      "string | null",
  "rate_change_new_value":           "string | null",
  "rate_change_board_reference":     "string | null",
  "sacco_schema_version":            "SACCO-PROFILE-v1.0"
}

sasra_sacco_registration_number MUST be present in every trace. delegation_resolution_reference MUST be present and non-null for all EXECUTIVE_THRESHOLD_ACTION interactions. auditor_licence_hash MUST be present and non-null for all AUDIT_ENGAGEMENT interactions. rate_change_board_reference MUST be present for all RATE_CHANGE interactions.
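
The presence rules above and the authority mismatch rule of Section 7 can be checked by a verifier as follows. This is an added example, not code from this draft or from the OMP project. The check_trace function is hypothetical, the intent class is passed as an argument because the field that carries it is not shown in this profile, and the lowercase-hex encoding of auditor_licence_hash is an assumption.

```python
import re

EXEC_LEVELS = {"FULL_BOARD", "DELEGATED_COMMITTEE"}
ALL_LEVELS = EXEC_LEVELS | {"CEO", "LOANS_MANAGER", "LOAN_OFFICER"}
SHA256_HEX = re.compile(r"[0-9a-f]{64}")  # assumption: hash carried as lowercase hex

def check_trace(intent_class, ext):
    """Return (violations, route). route is "ESCALATED" on an authority mismatch, else None.

    intent_class is a separate argument because the trace field that carries it
    belongs to the core protocol and is not shown in this profile.
    Null is treated the same as absent (an assumption, stricter than "present").
    """
    violations, route = [], None
    if not ext.get("sasra_sacco_registration_number"):
        violations.append("sasra_sacco_registration_number missing")
    level = ext.get("board_delegated_authority_level")
    if level not in ALL_LEVELS:
        violations.append("board_delegated_authority_level not a defined value")
    if intent_class == "EXECUTIVE_THRESHOLD_ACTION":
        if ext.get("delegation_resolution_reference") is None:
            violations.append("delegation_resolution_reference missing")
        if level not in EXEC_LEVELS:
            violations.append("authority mismatch")
            route = "ESCALATED"
    elif intent_class == "AUDIT_ENGAGEMENT":
        digest = ext.get("auditor_licence_hash")
        if digest is None or not SHA256_HEX.fullmatch(digest):
            violations.append("auditor_licence_hash missing or malformed")
    elif intent_class == "RATE_CHANGE":
        if ext.get("rate_change_board_reference") is None:
            violations.append("rate_change_board_reference missing")
    return violations, route

# Constructed sample: executive action approved at CEO level with no resolution reference
SAMPLE = {
    "sasra_sacco_registration_number": "REG-PLACEHOLDER",
    "board_delegated_authority_level": "CEO",
    "delegation_resolution_reference": None,
    "sacco_schema_version": "SACCO-PROFILE-v1.0",
}

if __name__ == "__main__":
    print(check_trace("EXECUTIVE_THRESHOLD_ACTION", SAMPLE))
```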

9. Proof-Point Output Format

The SACCO Proof-Point, generated quarterly by default and on-demand for SASRA inspections or forensic audit requests, MUST include:

10. Security Considerations

All security considerations in draft-veridom-omp apply.

Authority Level Spoofing: the board_delegated_authority_level field is set at deployment configuration time, not at runtime. Changing it requires a Threshold Change Record sealed with SHA-256 per the core protocol Change Control process. Any modification creates an immutable record of the authority level change.

Threshold Manipulation: the KSh threshold for WT-SACCO-01 is a deployment configuration parameter subject to Change Control. The configuration hash (config_hash field in VerticalConfig) detects any unauthorised threshold change at verification time.

Retroactive Document Insertion: an institution could attempt to fabricate a board resolution reference after the fact to satisfy delegation_resolution_reference requirements. The H_s anchor on the referenced document and the RFC 3161 timestamp on the Audit Trace together establish whether the referenced document predated the executive action. Any reference document timestamped after the executive action timestamp MUST be flagged as a sequencing violation.
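
The threshold and sequencing checks described above, as they might run at verification time. This is an added example, not code from this draft or from the OMP project. The canonical-JSON hashing, the configuration key name, the function names and the ISO 8601 timestamp representation are all assumptions; the core protocol defines the actual config_hash computation and timestamp token handling.

```python
import hashlib
import json
from datetime import datetime

def config_hash(cfg):
    """SHA-256 over canonical JSON (sorted keys, no whitespace).
    Assumption: the core protocol defines the real VerticalConfig canonicalisation."""
    blob = json.dumps(cfg, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()

def verify(sealed_hash, live_cfg, action_ts, reference_doc_ts):
    """Return findings for one executive action at verification time.
    Timestamps are ISO 8601 strings with a UTC offset, standing in for the
    times asserted by the RFC 3161 tokens (assumption)."""
    findings = []
    if config_hash(live_cfg) != sealed_hash:
        findings.append("config_hash mismatch")
    if datetime.fromisoformat(reference_doc_ts) > datetime.fromisoformat(action_ts):
        findings.append("sequencing violation")
    return findings

# Constructed sample values
SEALED_CFG = {"wt_sacco_01_threshold_ksh": 10_000_000}   # hypothetical key name
SEALED_HASH = config_hash(SEALED_CFG)
ALTERED_CFG = {"wt_sacco_01_threshold_ksh": 60_000_000}  # changed outside Change Control
ACTION_TS = "2026-02-03T10:15:00+00:00"
BACKDATED_DOC_TS = "2026-02-20T08:00:00+00:00"           # anchored after the action
PRIOR_DOC_TS = "2026-01-12T14:30:00+00:00"

if __name__ == "__main__":
    print(verify(SEALED_HASH, SEALED_CFG, ACTION_TS, PRIOR_DOC_TS))
    print(verify(SEALED_HASH, ALTERED_CFG, ACTION_TS, BACKDATED_DOC_TS))
```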

11. IANA Considerations

This document makes no requests of IANA.

12. References

12.1. Normative References

[I-D.veridom-omp]
Adebayo, T., "Operating Model Protocol (OMP)", Work in Progress, Internet-Draft, draft-veridom-omp-00, <https://datatracker.ietf.org/doc/html/draft-veridom-omp-00>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, <https://www.rfc-editor.org/rfc/rfc2119>.

12.2. Informative References

[KUSCCO-PWC-2025]
PricewaterhouseCoopers, "Forensic Audit Report: Kenya Union of Savings and Credit Co-operatives".
[COOPERATIVES-BILL-2024]
Parliament of Kenya, "Cooperatives Bill 2024 (Bill No. 7 of 2024)".
[SASRA-DT-RULES-2020]
SACCO Societies Regulatory Authority, "SACCO Societies (Deposit-Taking SACCO Business) Regulations 2010 and DT SACCO Rules 2020".
[ZENODO-OMP]
Adebayo, T., "OMP - Operating Model Protocol: A Deterministic Routing Invariant for Tamper-Evident AI Decision Accountability in Regulated Industries", Zenodo 10.5281/zenodo.19140948.

Authors' Addresses

Tolulope Adebayo
Veridom Ltd
Festus Makanjuola
Veridom Ltd