Every few weeks, another business owner posts on Twitter about being penalised for an eTIMS violation they did not fully understand. Every few weeks, a consultant publishes another guide about how to reconcile your records before KRA's automated validation flags your returns. Every few weeks, the same conversation repeats: Kenyans need to comply with eTIMS.
The conversation almost always frames the problem as awareness or digital literacy. Kenyans do not understand the system. Kenyans are not tech-savvy enough. Kenyans need more training.
This framing is wrong, and it is worth saying clearly: the people failing to comply with eTIMS are the same people who run their entire businesses on WhatsApp, manage supplier relationships over Facebook groups, process payments through M-Pesa without thinking twice, and navigate Jumia, Instagram, and TikTok daily without a manual. They are not technophobic. They are being failed by a system that was not designed with them in mind and then blamed for the failure.
The Real Problem: eTIMS Is a Walled Garden
Here is what KRA built.
eTIMS Lite (the web version) runs on a platform that looks and functions like it was designed in 2003. The dropdown menus only work on hover, which means they are invisible on any touchscreen device. In a country where the majority of internet access happens on smartphones, this is not a minor UX oversight. It is a structural exclusion. By the time a small trader navigates eTIMS Lite on their phone to generate one invoice, their competitor without eTIMS has served three more customers.
The USSD option (*222#) is session-sensitive and requires navigating nested menus by entering numbers under time pressure. Everyone who has ever lost a USSD session mid-transaction because a call came in, or because they hesitated for ten seconds, understands why this is not a viable compliance tool for high-volume traders. It was not designed for volume. It was designed to check a compliance box.
The eTIMS app crashes. The eTIMS portal logs you out if your connection drops for a minute. One manufacturer at a Kenya Association of Manufacturers forum this February described their team hiring up to 100 additional staff solely to reconcile eTIMS invoice mismatches, not to grow their business, not to serve customers better, but to manage the administrative overhead of a system that cannot reliably transmit invoices without generating errors.
System downtime is not occasional. Businesses report daily glitches and full-day outages. When your invoicing platform is down and you are legally required to generate an invoice before making a sale, your business effectively stops.
The Walled Garden Behind the Walled Garden
The consumer-facing problems are bad. The developer-facing problem is worse, because it is the reason the consumer problems exist.
eTIMS has an API. If that API were open (freely available, well-documented, accessible to any developer who registers), the market would solve the UX problem within months. Developers would build mobile-first invoicing apps. They would build eTIMS plugins for existing POS systems. They would build WhatsApp bots that let a mama mboga generate a compliant invoice by typing a message. The same competitive pressure that made M-Pesa integrations ubiquitous, cheap, and excellent would apply to eTIMS compliance tools.
That is not what happened.
Getting access to the eTIMS API requires forming a registered company, presenting a list of directors, assembling a team of at least three developers, submitting to interviews with KRA, and waiting for approval that is not guaranteed. The documentation itself (what the endpoints are, what the request and response formats look like, what the authentication flow requires) is only released after you are approved. Developers who successfully navigate the process and receive access sign NDAs that prevent them from sharing what they learned.
The result is exactly what you would expect. A small number of approved vendors hold a monopoly on eTIMS-integrated software. They know it. They price accordingly. Ksh 5,000, Ksh 10,000, Ksh 20,000 per month for compliance software that the underlying technology could support for free. Small businesses that cannot afford proprietary software are left with eTIMS Lite's hover menus and the USSD option. The compliance gap is not a mystery. It is the predictable output of artificial scarcity.
Compare This to Daraja
Safaricom's Daraja API handles money. Real money, moving between real accounts, in real time, at scale, over one hundred million transactions per day. By any reasonable security assessment, a payment API is more sensitive infrastructure than an invoicing system. A compromised Daraja integration can drain accounts. A compromised eTIMS integration can generate a fake invoice.
Yet Daraja is open. Any developer can register at developer.safaricom.co.ke today, create a sandbox app, receive their credentials, and start building an M-Pesa integration. The documentation is public, comprehensive, and detailed. The sandbox environment lets you test without touching real money. The developer community has produced hundreds of integrations (open source libraries, tutorials, YouTube guides, Stack Overflow answers, GitHub repositories) because the barrier to entry is low enough that building on Daraja is worth doing.
The result of that openness is a payment ecosystem that reaches the furthest corners of Kenya's informal economy. A boda boda rider accepts M-Pesa because there are fifty cheap or free apps that made integration trivial for whoever set up their phone. A market trader accepts till payments because someone built a free app for them. Competition drove quality up and price down until the tools were accessible to everyone.
KRA has chosen the opposite model for eTIMS and then expressed confusion about why compliance rates are low.
The January 2026 Enforcement and What It Actually Did
From January 1, 2026, KRA began automatically cross-validating expense claims against eTIMS records. Any expense not backed by a valid eTIMS invoice is automatically disallowed, treated as profit, taxed accordingly, with penalties and interest accruing from the original due date. KRA's own projections suggest this will increase revenue collection by 15 to 20 percent.
What it has actually done, in the first two months of enforcement, is penalise compliance failure that KRA itself engineered.
Consider a small agribusiness buying fertiliser from a rural supplier who has no PIN and cannot issue an eTIMS invoice. The agribusiness paid Ksh 400,000 for a genuine business expense. KRA now treats that Ksh 400,000 as profit. The agribusiness pays tax on money it already spent, plus penalties, plus interest. The rural fertiliser supplier (who has not been given a workable tool to issue a compliant invoice) is not penalised. The buyer is.
This is not tax compliance. It is a penalty levied on businesses for failing to solve a problem the government has not actually made solvable for their suppliers.
The concession KRA offered in January — a one-time "non-eTIMS section" in the 2025 iTax return allowing businesses to declare income and expenses without eTIMS receipts for this year only — is an acknowledgment that the system is not ready. A regulator with genuine confidence in its infrastructure does not grant blanket exemptions in the first month of enforcement.
What Opening the API Would Actually Do
The argument KRA and its approved vendors make for restricting API access is security. eTIMS handles tax data. Tax data is sensitive. Not everyone can have access to the infrastructure that processes it.
This argument would be more convincing if Safaricom had not already demonstrated, with a more sensitive system, that open access and security are not mutually exclusive. Daraja is open and secure because Safaricom designed it with security guardrails: rate limiting, OAuth authentication, sandbox environments, webhook signatures, audit logs. The openness did not create the security risk. The guardrails manage it.
An open eTIMS developer API, with proper authentication requirements, a mandatory sandbox environment, clear rate limits, and certificate-based webhook delivery, would be meaningfully more secure than the current situation, where approved vendors hold documentation under NDA, creating a black box that KRA cannot fully audit and users cannot independently verify.
What it would produce, within 12 to 18 months of opening:
A mobile-first eTIMS app built by Kenyan developers for Kenyan traders, optimised for the smartphone-first reality of how this market actually operates. WhatsApp-based invoicing tools that let informal traders generate compliant receipts without navigating a government website. eTIMS plugins for every popular POS system in Kenya, most of which have APIs that a developer could connect to eTIMS in an afternoon if the documentation were available. Free and low-cost compliance tools that eliminate the Ksh 5,000 monthly software tax that currently sits between small businesses and compliance.
The compliance rate would rise. Not because of enforcement, but because the friction of compliance would fall to near zero.
The Daraja Lesson KRA Has Not Learned
Daraja is popular because Safaricom made it easy to build on. The developer guides are comprehensive. The sandbox is free. The documentation is public. The result is thousands of integrations, a competitive market for M-Pesa-powered products, and tools that reach every segment of Kenya's economy from the largest banks to the smallest dukas.
eTIMS could work the same way. The underlying technology is not the constraint. The policy choice to restrict API access is the constraint. And unlike the hover menus and the USSD sessions and the system downtime (which are problems of execution), the closed API is a choice. It can be reversed.
KRA's Medium-Term Revenue Strategy projects that enhanced compliance measures could increase collection by 15 to 20 percent without raising tax rates. That projection assumes the compliance gap is primarily a detection problem, that people are evading and the solution is automation that catches them. The actual compliance gap is at least partly an access problem, that people would comply if the tools to comply were affordable and worked properly on the devices they actually own.
The detection infrastructure is already built. The automated cross-validation is live. The penalty framework is in place. What is missing is the open, competitive ecosystem of compliance tools that would make the system accessible enough to justify the enforcement.
Open the API. Publish the documentation. Let Kenyan developers build what KRA has failed to build itself.
The compliance rate will follow.
Do you run a business in Kenya dealing with eTIMS compliance? We want to hear your specific experience, what works, what does not, and what tool you wish existed. Drop a comment below.