The 7 software mistakes Kenyan SACCOs make when going digital
Victor Chumo
Managing Director, Raven Tech Group

Why SACCOs are especially hard to digitise well
SACCOs sit in an awkward middle: you need retail-grade transaction handling, but you also run a member-owned institution where authority, minutes, and resolutions matter as much as ledgers. A teller screen that ignores committee approvals is not a small UX issue — it is a governance failure waiting to surface at the AGM.
Where SASRA supervision applies, examiners do not care whether your React bundle is pretty. They care whether controls are demonstrable: who approved a limit change, which officer disbursed, what evidence sits behind a waiver. I have watched teams buy “banking” software and then spend a year retrofitting SACCO-specific rules because the vendor sold them a product built for branch networks, not for societies with guarantor chains and tiered lending policies.
Kenya adds another layer: mobile money is the default rail for many members, tax and statutory deductions have real teeth, and your staff already juggle paper while members expect WhatsApp-speed responses. Digitisation is not “put the form online.” It is rebuild the operating model with software — and that is why generic playbooks fail.
I also see a timing problem. Societies often digitise in a rush — AGM pressure, competitor marketing, or a grant window — without sequencing data cleanup, workflow design, and training. The system goes live; adoption does not. Then leadership concludes “our members are not tech-savvy,” when the real issue is that the software never matched how decisions actually get made. The seven mistakes below are the patterns I see repeat across that rush.
None of this is an argument against digitising. It is an argument against treating SACCOs like small banks with co-ops pasted on the homepage. Get the model right, and members adopt fast — because the tool finally matches the way they already work.
Mistake 1: Copying bank UI patterns for a member-owned model
What it looks like. You pick a core or portal that speaks “account number” and “product catalogue” because the demo looked familiar to someone who last logged into a commercial bank app. Screens show balances first, loans second, and nowhere does the member see share capital, meeting attendance, or eligibility rules in language the society actually uses.
Why it keeps happening. Boards and IT committees benchmark against banks — they are the visible standard. Vendors lean into that because “like a bank” sells. Nobody in that room is paid to explain that a SACCO’s risk model is not a retail credit score; it is bylaws plus committee judgment plus historical behaviour in the register.
Real consequence. Members stop trusting the channel. They call the office anyway. Staff re-key data from the “official” system into spreadsheets because the committee workflow never fit. Within months you run two truths: the core says one thing, Excel says another. When reconciliation breaks during busy season, the project sponsor gets blamed — not the category error of copying the wrong reference architecture.
Better pattern. Start from loan and share ledgers, resolutions, and approval limits. Design labels and navigation from credit committee language outward. If the first wireframe cannot be read aloud to your chairperson without translation, you are still building a bank skin on SACCO bones.
Mistake 2: Underestimating the loan approval workflow
What it looks like. Someone maps “apply → approve → disburse” in three boxes. The build ships with a status field and email notifications. Then reality arrives: guarantor capture, partial documentation, rescheduled committee sittings, exceptions for long-standing members, and disputes over appraisal values.
Why it keeps happening. Loan workflow is invisible to executives until it breaks. Everyone sees the member queue at the front office; few people model the full state machine. Vendors quote modules, not ethnography of how your credit officers actually decide.
Real consequence. I have seen a society (anonymised) push automation on disbursement before routing was settled. Loans went “approved” in the system while paper files were incomplete. Finance halted payouts; IT rolled back three weeks of configuration. The cost was not the sprint hours — it was credibility with members who had already received SMS confirmations.
Better pattern. Walk the real path with officers: paper form to committee minutes to disbursement instruction. Name every state, every actor, every reversal. Only then encode. If your workflow engine cannot express “returned to member for co-guarantor” without a hack, your model is still wrong.
Mistake 3: Building member portals before member data is clean
What it looks like. Leadership wants a glossy app because competitors launched one. IT accelerates the portal. Members register and immediately see wrong names, duplicated accounts, or balances that do not match passbooks.
Why it keeps happening. The portal is visible; data cleanup is not. Funding follows screenshots. Everyone underestimates how many member records were keyed under pressure during growth years — typos, inconsistent ID formats, merged families, dormant accounts still “active” in Excel.
Real consequence. Self-service turns into a complaint desk. Trust drops faster than it was built. You also create legal exposure: if statements are official, wrong statements are worse than no statements.
Better pattern. Freeze scope on the portal until master data has owners, validation rules, and a reconciliation plan against legacy books. Run a closed pilot with staff-only accounts, then branch staff acting as members, before public launch.
Practical checklist before you expose balances: one national ID format, one phone format, deduplicated member numbers, written rules for joint accounts and estate cases, and a sign-off from finance that opening balances tie to the last audited trial balance. If that sounds boring, it is cheaper than explaining wrong statements to five hundred members.
Mistake 4: Not planning for audit trails from day one
What it looks like. Developers ship features fast. Logging is an afterthought — maybe application logs, maybe database backups, but no immutable trail tied to user identity for sensitive actions.
Why it keeps happening. Audit feels like overhead until a regulator letter lands or a board member asks who moved a limit. SASRA-aligned societies need to show that controls operated on the dates in question — not that you can grep a server file if someone is awake at midnight.
Real consequence. You cannot reconstruct history for a disputed loan decision. External auditors qualify findings. Internal teams blame each other because the system cannot answer “who clicked approve.”
Better pattern. Treat audit events as a first-class table from sprint one: actor, before/after snapshots for financial fields, timestamp in Nairobi time, correlation ID across services. If a feature cannot be audited, it is not done for production in a supervised context.
Separate operational logs from security logs. Your DBA should not be the only person who can prove who deleted a row. Exporters and reporting jobs should leave their own trace: file name, row counts, who triggered the run. When SASRA or your external auditors ask for evidence, you hand a folder — not a story about what probably happened.
Mistake 5: Choosing vendors based on price, not on Kenya-specific knowledge
What it looks like. Procurement ranks three bids; the lowest day rate wins. The winning team has never wired M-Pesa Daraja into a regulated workflow, never mapped KRA reporting expectations for payroll-side work, and treats “mobile” as responsive CSS.
Why it keeps happening. Price is easy to compare on a spreadsheet. Local context is not line-itemed. Offshore shops often win on rate cards — then burn hours learning rails your junior engineer in Nairobi already knows.
Real consequence. Integration gaps show up late: STK callbacks, idempotency, statement formats members actually read. You pay for rework, or you ship late and eat opportunity cost during peak lending season.
Better pattern. Score vendors on reference work in East Africa, on integration depth, and on who will sit with your credit committee when the workflow argument happens. Paying a higher rate for fewer surprises is often cheaper than the alternative.
Mistake 6: Launching without board buy-in on the operational change
What it looks like. Management procures a system. The board hears a quarterly update. Go-live arrives; loan officers resist because their incentives and daily routines were never redesigned to match the tool.
Why it keeps happening. Boards approve budgets; they rarely approve process change in the same motion. Sponsors avoid hard conversations about headcount, branch roles, and who owns data quality.
Real consequence. Passive resistance at the counter — workarounds, shadow spreadsheets, “the old way” for VIP members. The system looks live in the report; adoption metrics tell the truth.
Better pattern. Pair UAT with change management: job descriptions, training calendars, escalation paths. Put operational owners in weekly demos, not a big reveal at the end.
Board buy-in is not a one-off town hall. It is a standing agenda item: what behaviour we expect from branch managers, how incentives align with the new process, and what we stop doing manually when the system is live. If compensation still rewards paper throughput, software will lose every time.
Mistake 7: Treating the website and the system as separate projects
What it looks like. Marketing runs a WordPress site; operations run the core; the two never share member identity. Someone re-types enquiry forms into the loan register.
Why it keeps happening. Budgets sit in different lines. Agencies sell websites; core vendors sell cores. Nobody owns the full member journey from first click to first repayment.
Real consequence. You cannot measure acquisition cost per funded loan. Marketing celebrates leads; credit says leads are junk. The organisation argues instead of iterating.
Better pattern. One architecture: public web feeds authenticated flows with the same member keys as core. We ship that mindset on complex builds — see Eagle HR for how far “front door + operations system” can go when treated as one product.
What to do instead
Sequence matters. Lock data ownership and auditability first. Model loan and share workflows second — with officers in the room, not after handover. Only then invest in member-facing channels that expose verified data.
Run weekly demos with compliance and operations in attendance. If your vendor dodges those meetings, you have the wrong partner. Measure adoption by reduced re-keying and reduced reconciliation time — not by login counts alone.
Fund training like a line item, not an afterthought. Branch staff should see the system before members do — with scripts for failure (network down, printer broken, member forgot PIN). Nothing erodes trust faster than a teller who improvises because nobody rehearsed the bad day.
Finally, plan for the third year, not just go-live. Cores and portals age; bylaws change; regulators issue new guidance. If your architecture cannot swap a module or add a field without a rewrite, you will repeat this cycle with interest.
Read the case studies for systems we have shipped in production. If you want a straight assessment of your stack and governance fit, book a discovery call — we will tell you what we would fix first, and what we would not touch until data is clean.

About the author
Victor Chumo
Managing Director, Raven Tech Group
Victor founded Raven Tech Group in 2024 after a decade building software across East Africa. He leads engagements for SACCOs, fintechs, and growth-stage businesses from Westlands, Nairobi.
