KENYA Law and Practice Contributed by: Sammy Ndolo, Brian Muchiri, Nicholas Owino and Valere Nyaboke, Cliffe Dekker Hofmeyr
AML Non-Compliance (Reporting Institutions) For reporting institutions under POCAMLA, AI systems used in AML compliance (eg, transaction monitoring, customer due diligence, risk scoring) must meet the standards required by the Act. POCAMLA requires monitoring and reporting of suspicious transactions. If AI systems fail to detect or correctly flag suspicious activity, the institution may face liability for failure to comply with AML obligations. POCAMLA provides that where an offence is committed by a body corpo - rate with the consent or connivance of any director, manager, secretary or other officer, that person may be prosecuted alongside the body corporate. AI Bill Offences (if enacted) The AI Bill creates several offences that may expose boards and officers to liability: • deploying a system classified as unacceptable risk – up to KES5,000,000 or two years imprisonment; • deploying a high-risk system without conducting required risk assessments or implementing mitiga - tion measures – up to KES5,000,000 or two years imprisonment; • failing to comply with disclosure or transparency obligations – up to KES1,000,000 or six months imprisonment; • obstructing the AI Commissioner or providing false information – up to KES1,000,000 or six months imprisonment; • generating AI content using a person’s image, voice or likeness without consent, causing harm, misinformation, defamation or privacy infringement – up to KES5,000,000 or two years imprisonment. The AI Bill imposes personal liability on directors and officers: where an offence is committed by a body cor - porate, every director or officer who had knowledge of the commission of the offence and did not exercise due diligence to ensure compliance shall be guilty of the offence. Reputational Risk Reputational risk is a pervasive consequence of AI- related failures, often arising from data breaches, biased outputs, unethical use of AI or regulatory inves - tigations. While not a standalone legal claim, reputa -
ment, civil liability to affected parties and reputational harm. Breach of Directors’ Duties Directors may be personally liable under the Compa - nies Act where they fail to exercise reasonable care, skill and diligence in overseeing AI-related risks. The Companies Act imposes a duty to act in good faith and in the best interests of the company, requires the exercise of independent judgment and requires directors to exercise the care, skill and diligence that would be exercised by a reasonably diligent person with the general knowledge, skill and experience rea - sonably expected of a director. Failure to implement appropriate AI governance frame - works, monitor AI system performance or respond to known risks may constitute a breach of these duties. Enforcement may occur through shareholder deriva - tive actions or court proceedings for unfair prejudice. Under the AI Bill (if enacted), where an offence is com - mitted by a body corporate, every director or officer who had knowledge of the commission of the offence and did not exercise due diligence to ensure compli - AI systems may infringe intellectual property rights, for example, by using copyrighted material in training datasets or by generating infringing outputs. Liability may arise under the Copyright Act and the Industrial Property Act. Enforcement is typically undertaken by rights holders through civil litigation, with remedies including damages, injunctions and an account of profits. ance shall be guilty of the offence. Intellectual Property Infringement The AI Bill does not directly address IP liability but requires consent where AI systems generate or manip - ulate images, voice or likeness and creates an offence for generating AI content using a person’s image, voice or likeness without explicit consent where such content causes harm, misinformation, defamation or infringement of privacy.
422 CHAMBERS.COM
Powered by FlippingBook