
Technology
Kenya High Court Holds Safaricom and DTB Liable in KES 4.4M SIM-Swap Fraud Case
July 15, 2026GashoTech Team
Kenya's High Court Just Made Telcos and Banks Equally Liable for Digital Fraud
A Machakos High Court ruling in July 2026 has redrawn the map of digital-fraud liability in Kenya. Justice ruled that Safaricom — Kenya's largest mobile network operator — and Diamond Trust Bank Kenya (DTB) are jointly liable for a KES 4.42 million SIM-swap fraud that drained customer Mercy Wairimu Kariuki's account in February 2022. The court split responsibility 60% to Safaricom and 40% to DTB. Both appeals were dismissed.
This is not just a single-case outcome. It is a precedent that puts the entire telco-bank trust chain that powers M-Pesa and mobile banking under judicial scrutiny — and it will have ripple effects across every mobile-money market in Africa.
What Actually Happened
In February 2022, fraudsters executed a SIM swap on Mercy Wairimu Kariuki's Safaricom line without her authorization. With control of her phone number, the attackers intercepted one-time passwords and authentication codes from DTB, then initiated multiple transfers from her bank account. The cumulative loss was KES 4.42 million — a sum that represents years of savings for most Kenyan households.
Both Safaricom and DTB denied responsibility. Safaricom argued it provides "infrastructure only" — a passive network — and cannot be held liable for fraudsters' actions. DTB argued that the correct PIN was used, and a bank has no duty to question legitimate-looking transactions. The case wound through the court system for over four years before the High Court issued its final ruling.
The court rejected both defenses, and in doing so, it laid out a new framework for digital-fraud liability that will be cited in courts across East Africa for years to come.
Why the "Infrastructure Only" Defense Failed
The court's central finding is that a SIM swap is not a neutral network event. It is the moment a telco hands the keys to a customer's digital identity to someone else. By completing the SIM swap — which the customer had reported as unauthorized — Safaricom breached its duty of care.
The court treated the SIM swap as the entry point. Once the telco enabled that entry, the rest of the fraud sequence was foreseeable. Telcos cannot outsource accountability by calling themselves "just infrastructure." In the digital age, infrastructure is identity, and identity carries legal weight.
The judgment is particularly pointed on this point. The court noted that telcos profit from the SIM as a customer-identification token, and from that profit flows a corresponding duty to protect the token from unauthorized transfer. The "we just carry bits" defense, the court said, "ignores the role of the SIM as the primary authentication factor in mobile banking."
Why the "Correct PIN" Defense Failed
The court also rejected DTB's defense that the correct PIN had been used. The transfers in question went to multiple unrelated accounts, in patterns inconsistent with normal customer behavior. The court held that a "reasonable banker" should have flagged these transactions as suspicious — regardless of whether the PIN was technically correct.
This is a significant shift. PIN-based authentication is no longer a complete defense. Banks now have an obligation to monitor for anomalous transaction patterns and intervene when they appear. The "we validated the credentials" defense will not survive scrutiny if the transaction itself looks like fraud.
The court drew an analogy to a bank teller who processes a withdrawal with a valid check. The teller still has a duty to notice if the person cashing the check is wearing a mask, or if the withdrawal is wildly out of step with the customer's history. Mobile banking, the court said, is no different in principle.
The "Continuous Sequence of Failures" Doctrine
Perhaps the most consequential part of the ruling is the court's framing: fraud is not a single point of failure, but a "continuous sequence of failures" across multiple institutions. The telco enabled entry. The bank processed exit. Both failed in their respective duties.
This framing matters because it establishes shared liability as the default — not an exception. In the old model, each institution could point to the other and disclaim responsibility. In the new model, the customer can pursue both, and the court will apportion liability based on each institution's role in the chain.
The 60/40 split itself is informative. Safaricom carries the larger share because the SIM swap is the originating failure. But DTB's 40% is substantial — it is a clear statement that the bank is not a passive recipient of transactions. Both institutions were active participants in a chain that should have been broken at multiple points.
What This Means for M-Pesa and Mobile Banking Users
For the average Kenyan who uses M-Pesa, Airtel Money, or bank apps linked to a mobile number, this ruling is a direct protection. It means:
- Telcos must strengthen SIM-swap verification. Expect additional identity checks, cooling-off periods, and customer notifications. The days of walking into a Safaricom shop with a forged ID and walking out with someone else's number are ending.
- Banks must upgrade transaction monitoring. Static PIN-based security is no longer sufficient. Behavioral analytics and risk-based authentication are now the baseline. If a customer has never sent money to a particular account type, the bank has a duty to question it.
- Customers have a clearer path to compensation. Joint liability means the customer can recover from either institution, and the institutions must sort out their own internal contribution. The customer is no longer caught in the middle of a blame game.
What This Means for Telcos and Banks
The compliance implications are immediate. Telcos should review their SIM-swap thresholds and customer-notification workflows. Banks should audit their transaction-monitoring rules and ensure that unusual transfer patterns are flagged in real time. Both should expect increased regulatory scrutiny from the Communications Authority of Kenya and the Central Bank of Kenya.
For risk and compliance teams, the practical steps include:
- Audit SIM-swap processes. Implement multi-factor verification (ID + biometrics + customer callback) before completing a swap. Add mandatory waiting periods for high-risk swaps.
- Review transaction-monitoring thresholds. Move beyond PIN validation. Look for velocity, beneficiary novelty, and time-of-day anomalies. Train models on local fraud patterns, not just global ones.
- Establish cross-institution fraud signals. Telcos and banks serving the same customers should share high-level fraud indicators, not just customer complaints. Industry working groups should formalize this exchange.
- Document duty-of-care policies. In the event of litigation, the court will look at whether documented policies existed and were followed. If you cannot produce the policy, the court will assume there was none.
Implications for Africa's Mobile-Money Ecosystems
Kenya is the test case for M-Pesa-style mobile money. If this ruling is upheld on any further appeal, it will set a precedent across East Africa and the continent. Uganda, Tanzania, Rwanda, and Nigeria all have similar telco-bank trust chains. Courts in those jurisdictions will be watching.
The broader trend is clear: regulators and courts are moving from a "consumer-beware" model to a "shared-duty-of-care" model. Institutions that profit from digital transactions also bear responsibility for the failures that enable fraud. This is a global pattern — similar rulings have emerged in the UK (Authorised Push Payment fraud), India (RBI's digital lending guidelines), and Singapore (Shared Responsibility Framework). Kenya has now joined that list.
For African fintechs building cross-border products, the takeaway is that liability rules are converging. Designing for "shared duty of care" is no longer a Kenya-specific concern; it is the new global baseline.
The Bottom Line
The Machakos High Court has done something rare: it has made a legal ruling that is both legally sound and practically useful. By apportioning liability 60/40, it sends a clear signal — telcos carry the larger share because they control the entry point, but banks cannot hide behind the PIN.
For M-Pesa and mobile banking customers in Kenya, this is a quiet victory. For telcos and banks, it is a wake-up call. The trust chain is no longer implicit. It is explicit, and the court is watching.
The full implications will unfold over the next several quarters — in updated compliance procedures, in renewed insurance pricing, and most likely in similar cases filed against other telco-bank pairs. What is certain is that the era of "not our problem" defenses in digital fraud is over. The shared duty of care has arrived.
Want to learn more?
Contact GashoTech for personalized consultations on AI, automation, and cybersecurity solutions.
Get in Touch