Uganda Registration Services Bureau’s (URSB) flagship digital business registration platform remains slow, unreliable and vulnerable to abuse despite an investment of nearly UGX 6.5 billion, according to the Auditor General.
In the Annual Report of the Auditor General for the year ended 31st December 2025, the Online Business Registration System (OBRS), launched in December 2022 to modernise and accelerate business registration, is faulted for persistent delays, frequent system outages, weak fraud controls and serious data privacy gaps.
The Auditor General notes that over three years, URSB spent UGX 6.49 billion designing, developing and maintaining OBRS as part of government’s broader digitalisation agenda aimed at improving access to public services.
However, the system has consistently failed to meet approved turnaround times for key services.
Reviews of company name reservations, business name amendments, new registrations and data updates revealed significant delays, particularly in processing company name applications, frustrating users who depend on timely registration to operate formally.
System outages undermine service delivery
Beyond delays, OBRS suffers repeated system outages. Incident logs reviewed during the audit show multiple disruptions between August 2023 and September 2025 caused by network failures, storage exhaustion, system misconfigurations, inadequate power backup and human error.
These outages frequently prevented users from completing registration applications, undermining the system’s core objective of improving service delivery.
In response, URSB management said the outages were linked to a combination of planned maintenance activities, infrastructure limitations, network instability and configuration challenges.
Management explained that corrective measures have been implemented, including plans to introduce multi-homing with more than one internet service provider to ensure failover in case one provider experiences downtime.
URSB also reported that following incidents of disk space exhaustion, additional storage has been provisioned for OBRS, with 40 terabytes allocated within the current 113.9 terabytes available across systems, while procurement to expand storage by another 50 terabytes is underway.
On power disruptions, management said downtime in September 2024 was traced to UPS battery failure, prompting installation of new batteries and improved generator support during extended outages.
To reduce operational errors, URSB noted that change management processes have been strengthened, with structured review and rollback plans now required for system deployments.
Management also acknowledged that human error contributed to some incidents, including erroneous shutdown of active servers, but said Standard Operating Procedures have since been approved to guide operational activities.
The Bureau further reported deployment of a centralized monitoring and alerting system using Icinga, providing real-time infrastructure visibility, performance dashboards, and early warning alerts before issues escalate into outages.
Data protection concerns raised
The report also raises serious concerns about data protection. The Auditor General found that historical business registration records shared with third parties through OBRS contained unredacted sensitive personal information, including full dates of birth of directors, proprietors and subscribers.
This exposure, the audit warns, places citizens at risk and highlights weaknesses in URSB’s data governance controls.
In its response, URSB management stressed that the Bureau processes personal data for lawful purposes under statutes such as the Companies Act and Business Names Registration Act, and that the collection of dates of birth is a statutory requirement reflected in prescribed forms.
Management further noted that URSB is mandated under Regulation 3(k) of the Companies (Power of Registrar) Regulations, 2016 and the Access to Information Act to certify and share extracts from its registers.
However, URSB said it is strengthening privacy safeguards through data clean-up exercises, enhanced access controls, audit trails, and limiting access to beneficial ownership information to enforcement agencies only.
URSB also reported that Memoranda of Understanding have been signed with various ministries and agencies to guide responsible data sharing, while a Records Management Policy aligned with the Data Protection and Privacy Act is in place.
The Bureau has appointed a Data Protection Officer, established a breach notification mechanism, and plans to conduct a data mapping exercise in FY 2025/26 to enhance protection mechanisms.
Management added that OBRS Phase 2, planned for FY 2025/26, will introduce privacy notices, user consent prompts, redaction of sensitive identifiers such as dates of birth from search outputs, and a Data Protection Impact Assessment.
Africa Takes The Stage: From Raw Supply To Brand OwnershipURSB also disclosed that it is undergoing an audit by the Personal Data Protection Office (PDPO), which began in November 2025, and expects recommendations to further strengthen compliance.
Weak fraud prevention controls
Fraud prevention measures were also found to be inadequate. According to the Auditor General, fraudulent filings such as forged signatures and unauthorised submissions are only addressed when detected or reported.
OBRS lacks the capacity to authenticate digital signatures or verify whether approvals are submitted by legitimate company owners, leaving the platform vulnerable to impersonation, unlawful filings and registry abuse.
Management acknowledged these gaps and said URSB is exploring integration with UGPass, the national digital identity and authentication platform managed by NITA-U, which would enable secure digital signing linked to the national ID database.
URSB also noted that OBRS assigns each registered business a dedicated account accessible only to authorised individuals such as directors or company secretaries, with filings initiated exclusively through these verified accounts to improve accountability.
ISO certification delays and complaints tracking gaps
Quality assurance reforms at URSB have similarly stalled. The Bureau began the ISO 9001:2015 certification process in August 2018 and committed to completing certification by 30th June 2024.
However, by the end of the 2024/25 financial year, certification had not been achieved, delaying implementation by at least one year.
Management attributed the delay to digitisation of core processes, including OBRS and the Insolvency System, which required repeated updates to Quality Management System documentation.
URSB said a one-year extension was approved to allow system stabilisation, and a revised certification roadmap was implemented starting December 2024.
The Bureau reported that an external QMS audit conducted from 17th–21st November 2025 confirmed compliance with ISO 9001:2015 requirements and recommended URSB for certification, which is expected by end of December 2025.
In another governance gap, URSB failed to maintain a register of customer complaints for OBRS.
Management acknowledged this weakness and said a structured complaints management framework is being prioritised, including integration into OBRS to track complaint volumes, trends and resolution timelines.
SIMPRS and broader governance challenges
The audit also reviewed URSB’s implementation of the Security Interest in Movable Property Act and the SIMPRS registry system, developed at UGX 1.2 billion.
However, major challenges persist, including lack of unique identifiers for movable assets, absence of integration with the Warehouse Receipt System, and limited interoperability with the Uganda Microfinance Regulatory Authority.
URSB said it is engaging relevant agencies to improve system integration and address structural constraints affecting uptake.
The Auditor General also flagged low trademark registration, capacity gaps in patent examination, and the absence of a National Policy on Business Formalisation.
Beyond ICT systems, URSB recorded outstanding arrears of UGX 1.58 billion, low procurement competition, manual procurements outside the e-GP system, uninsured vehicles, and inaccuracies in the asset register.
Strategic plan implementation was constrained by underfunding, with only 57 of 172 interventions fully achieved.
Reform intentions versus persistent gaps
The Auditor General advised URSB to strengthen OBRS availability through improved monitoring, power and network redundancy, implement stronger data minimisation and redaction controls, and integrate digital signature authentication to curb fraud.
URSB was further urged to complete ISO certification, establish a comprehensive complaints management system, enhance SIMPRS interoperability and promote intellectual property protection.
The report concludes that while URSB’s digital investments were intended to improve efficiency and trust in Uganda’s registration ecosystem, persistent delays, outages, weak controls and governance gaps continue to undermine these reforms and threaten confidence in the country’s business formalisation agenda.
