← Writing · Civic & Democratic Infrastructure
Flux Working Paper No. 15

Your Donor Is Now Your Regulator

Ken Ruto · Flux (FluxImpact) · May 2026 · 7 min
↩ Read as essay
BibTeX · RIS
Abstract

International donors' due-diligence requirements increasingly impose compliance pressure that the Kenyan state itself has never consistently applied. This paper argues that the organisations least able to meet these requirements are often those doing the most essential ground-level work, producing an unintended regulatory effect that nobody designed. Understanding the mechanism, it argues, is the first step to addressing it.

Keywords: donor compliance, civil society, regulation, development funding, accountability

When the Kenyan government has wanted to restrict civil society, it has used the registration system. The NGO Co-ordination Board was the mechanism. The story of Kenya's civil society development sector in the 1990s and early 2000s is, in significant part, a story of organisations learning to navigate, and occasionally challenge, a regulatory body that was susceptible to political direction. The threat was the regulator. The protection was donor funding, international visibility, and the network of relationships that made deregistration politically costly.

Something has changed. The regulatory pressure on Kenya's civil society now comes, in significant proportion, from the donor community itself. The foundations, bilateral agencies, and international NGOs that fund a large fraction of Kenyan civil society work have, over the past decade, tightened their due diligence requirements in ways that are producing compliance pressure the Kenyan state has never consistently managed to apply. The organisations that cannot demonstrate legal standing, auditable financial systems, and governance accountability frameworks are no longer merely at risk from a hostile government. They are at risk of losing the funding that was historically their protection against that hostility.

This is not a conspiracy. It is the structural consequence of several simultaneous developments in international development finance, none of which was designed to produce this outcome.

How Due Diligence Became Compliance Regulation

International due diligence requirements for civil society partners are not new. Donors have always asked potential partners to demonstrate legitimacy — to show they are what they say they are, that their finances are managed by someone accountable, and that the money will reach the intended beneficiaries. For most of the 2000s, these requirements were met by producing registration certificates, audit reports, and organisational profiles. For an established NGO with a legal team and a finance function, this was straightforward. For a community-based organisation, it was manageable.

What changed is the regulatory environment in which international donors themselves operate. Two developments are directly relevant.

The first is the Financial Action Task Force's Recommendation 8, which designates non-profit organisations as entities vulnerable to potential misuse for terrorist financing or money laundering.1 The FATF is an intergovernmental body whose recommendations, while not legally binding in themselves, are implemented through member countries' national legislation and through the self-regulatory standards of financial institutions. Its classification of NPOs as a risk category has produced a global trend: financial institutions are tightening the conditions under which they will provide banking services to NPOs; donors operating under FATF-aligned national regulations are tightening the conditions under which they will provide grants to NPO partners in high-risk jurisdictions.

Kenya has appeared on FATF's grey list — the register of jurisdictions under increased monitoring for deficiencies in their anti-money-laundering and counter-terrorism financing frameworks — at various points in recent years.2 Being on the grey list increases the due diligence obligations of international funders working in Kenya, because working with Kenyan partners is classified as inherently higher-risk.

The second development is the alignment of USAID, the European Union's external action instruments, and major private foundations around standardised partner vetting frameworks. USAID's partner vetting requirements have become significantly more specific since the mid-2010s.3 EU external action regulations require financial audits, organisational assessments, and registration verification mapped against each member state's legal framework.4 Large private funders have adopted grantee due diligence frameworks that require registration under a legally recognised civil society framework as a precondition for grant agreements above certain thresholds.

These requirements are not coordinated. They are not designed to produce the same effect. But their combined impact on the Kenyan civil society landscape is, in practice, regulatory: they define a compliance threshold that an organisation must meet to access international funding, and that threshold now requires PBO registration or equivalent legal standing in almost every serious partnership context.

The Distribution Problem

The organisations most capable of meeting these requirements are not randomly distributed across Kenya's civil society. They are concentrated among older, Nairobi-based organisations with established legal and finance functions — the organisations that have been operating long enough, and at a scale large enough, to have hired the staff and built the systems that due diligence requires.

Community-based organisations doing last-mile work — in health, water, protection, and food security — are disproportionately represented in the non-compliant tail. They are the organisations most likely to lack PBO registration, most likely to have financial systems below the threshold of auditability international donors now require, and most likely to have governance structures that do not satisfy the specific composition and accountability requirements that donor frameworks now mandate.

The irony is precise. The organisations that international funders most want to reach — the ones with genuine community trust, embedded field presence, and programmatic reach into populations that larger NGOs cannot access — are the ones most likely to be excluded by the compliance requirements those funders now impose.

This is not a story about donor bad faith. The due diligence requirements exist for reasons that are, individually, defensible. No donor wants to be named in a financial crime investigation because a partner organisation was used as a conduit. No donor wants to be unable to account for how its funds reached its stated beneficiaries. The requirements are responses to real risks and real accountability obligations.

But good individual reasons can produce bad collective outcomes. The compliance threshold, across the sector as a whole, is now sorting Kenya's civil society by administrative capability rather than programmatic effectiveness. Organisations that are good at compliance are getting the funding. Organisations that are good at the work are increasingly finding the funding inaccessible.

What the Compliance Gap Actually Costs

I want to make this concrete. In the WASH sector, the organisations doing demand-side monitoring in rural Kenya — tracking household water quality, identifying usage patterns, flagging system failures before they become service interruptions — are mostly CBOs with budgets under one million shillings per year, run by a coordinator and two or three field staff. They cannot afford a lawyer to fix their constitutions. They cannot afford an audit from a registered CPA firm. They do not have a finance officer capable of producing quarterly financial reports in the format now required by international health donors.

The operational data these organisations generate — household connection status, water quality test results, system uptime records — is precisely the data that water utilities and county governments need for planning and accountability. The funding they need to continue generating it is precisely the funding that compliance requirements are now conditioning on administrative capabilities they do not have.

The compliance gap, in this sector as in others, is not costing Kenya administrative tidiness. It is costing operational coverage. The early warning system for water system failures exists in the organisations doing the monitoring. It disappears from practice when those organisations lose funding because they cannot pass a due diligence threshold designed for organisations operating at a different scale.

What Changes When the Infrastructure Exists

PBOMaster addresses the registration layer — the first and most fundamental barrier. An organisation that is PBO-registered has cleared the first and highest threshold. The audit requirement, the financial system requirement, the governance composition requirement — these remain. But they are requirements that an organisation with legal standing can address progressively. An organisation without legal standing cannot address them at all, because the due diligence conversation does not begin.

The larger argument is that the infrastructure for closing the compliance gap needs to extend beyond registration. The audit market for small CBOs — accessible, affordable, and calibrated to organisations with simple financial structures — is thin. The governance advisory capacity available to rural CBOs is almost nonexistent outside of Nairobi. Building the compliance infrastructure that makes Kenya's civil society sector legible to international funders will require attention to all three layers: registration, financial systems, and governance capability.

PBOMaster is the registration layer. The sector needs the others. And building them — rather than assuming that better legislation alone will close the gap — is the argument the next essay makes.


  1. Financial Action Task Force, International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation (Paris: FATF, updated 2023), Recommendation 8 and its Interpretive Note.

  2. FATF, Jurisdictions Under Increased Monitoring [verify Kenya's current status and relevant dates at fatf-gafi.org].

  3. USAID, Partner Vetting System [verify current documentation at usaid.gov]; see also USAID Acquisition Regulation (AIDAR) and Standard Provisions for USAID partner agreements [verify specific provision numbers].

  4. European Parliament and Council, Regulation (EU) No 236/2014 laying down common rules and procedures for the implementation of the Union's instruments for financing external action [verify regulation number and partner vetting provisions].

Provenance
Flux Working Paper No. 15 · Ken Ruto, Flux (FluxImpact)
Published 20 May 2026
Content hash (SHA-256): 48148294e93a195c… · build 81caba6
DOI: pending deposit
Ken Ruto
About the author
Ken Ruto

Founder of Flux. Building vertical AI-powered SaaS for Africa's institutions — and writing the thesis behind every bet. kenruto.fluximpact.org →

Share X LinkedIn WhatsApp
Did this land?
Was it useful?

Comments

No comments yet — be the first.

Get new essays

No spam — just the next piece when it's out.

Think I got something wrong? Highlight any sentence to push back on it — or It comes straight to me, never shown publicly.

Push back
Related writing
10 min
Your NGO Is Illegal and That Is Not Your Fault
Kenya's civil society compliance gap is not a story about organisations evading registration. It is a story about a registration system designed for organisations with lawyers — and what changes when the infrastructure to navigate it finally exists.
7 min
Africa's Regulatory Failure Is Not a Law Problem
The PBO Act 2013 is better legislation than what it replaced in almost every respect. Registration rates did not meaningfully improve after it passed. The failure mode in African regulatory reform is almost never the quality of the law. It is the absence of the translation layer that makes the law navigable.
7 min
What a Language Model Finds When It Reads Your Constitution
The AI and law conversation is fixated on the hard problem — can AI reason about law? It has missed the tractable problem that is already solved: can AI read a document against a specific checklist and identify gaps? The answer is yes. This is what PBOMaster does, and what it finds.