Policy & Regulation
TechCabalabout 20 hours ago
1

Kenyan court holds banks, telcos liable over $34,000 SIM swap fraud

AI

Kenya's High Court held Diamond Trust Bank and Safaricom jointly liable for a $34,000 SIM swap fraud, ruling that both failed in their duty to prevent foreseeable losses.

Kenyan court holds banks, telcos liable over $34,000 SIM swap fraud

Intelligence Insights

Context + impact, normalized for TechCulture.

The Big Picture
On June 18, Kenya's High Court ruled that Diamond Trust Bank and Safaricom were both responsible for a $34,000 SIM swap fraud against Mercy Wairimu Kariuki, upholding a lower court's 40:60 liability split. The fraud occurred after fraudsters swapped Kariuki's SIM on February 6, 2022, which she reported but was not stopped, and her account was drained via mobile banking and Pesalink transfers that stayed under daily limits. Justice Asenath Ongeri rejected arguments that the SIM swap was an intervening act, stating that banks cannot hide behind a customer's PIN when transactions are glaringly out of the ordinary. The court also dismissed Safaricom's claim that telecoms and banks operate in separate regulatory lanes, affirming concurrent duties of care. The ruling sets a precedent that automated systems and compliance with transaction ceilings do not absolve institutions from broader customer protection obligations. This decision comes amid persistent SIM swap fraud in Kenya's mobile money ecosystem, raising the standard of care for both banks and telecom operators.
Why It Matters
This ruling sets a precedent in Kenya that banks and telecoms cannot shift blame to each other in SIM swap fraud cases, holding both independently liable for customer losses. It forces financial institutions to upgrade fraud detection beyond PIN verification and transaction limits, potentially reshaping security practices across Africa's mobile money ecosystem.

Deepen your understanding

Use our AI to break down complex signals.

Select an AI action to generate more depth.

Mercy Wairimu Kariuki woke up on the morning of February 8, 2022, to a stream of alerts showing that KES 4.4 million ($34,000) had been withdrawn from her Diamond Trust Bank (DTB) account overnight, two days after fraudsters hijacked her phone line in a SIM swap she had already reported and believed had been resolved.

On June 18, Kenya’s High Court ruled that both Diamond Trust Bank and Safaricom bore responsibility for the theft, finding that separate failures by the lender and the telecom operator enabled the fraud to succeed. Justice Asenath Ongeri upheld a lower court’s decision to split liability between the two companies, rejecting arguments from both that the other’s failures broke the chain of responsibility.

The ruling raises the standard of care for banks and telecom operators handling SIM swap fraud, holding that each owes customers an independent duty to prevent foreseeable losses even when the fraud originates outside its own systems.

Ongeri upheld a chief magistrate’s court decision that split liability between DTB Kenya, the Nairobi Securities Exchange-listed lender, and Safaricom, the telecommunications company behind M-PESA, ordering the bank to pay Kariuki KES 1,788,601 ($13,800) and Safaricom KES 2,630,000 ($20,300). 

The 40:60 split reflected the court’s finding that while Safaricom’s SIM swap failure enabled the fraud, DTB independently breached its duty of care by failing to detect and halt a series of suspicious transactions that should have prompted further checks.

The underlying sequence is one that fraud investigators in Kenya’s mobile money ecosystem have seen before. According to the ruling, fraudsters swapped Kariuki’s SIM on February 6, and she reported the incident to Safaricom customer care the same day after receiving suspicious alerts, only for the swap to go through regardless. 

Her line was restored the following day at a Safaricom shop, but by the morning of February 8, her DTB account had already been emptied through a combination of mobile banking transfers and Pesalink withdrawals, structured to stay just under the bank’s KES 2 million ($15,400) daily limit by straddling a weekend reset.

In the same ruling, DTB argued that its systems had worked exactly as designed, since every disputed transaction followed successful entry of Kariuki’s PIN. It also argued that the SIM swap itself was a novus actus interveniens, an intervening act that severed any chain of liability running back to the ban. 

Ongeri rejected that framing directly. “A bank cannot hide behind a customer’s PIN when it is presented with a series of transactions that are so glaringly out of the ordinary that a reasonable banker would have been put on inquiry,” she wrote, pointing to the rapid succession of transfers to unrelated accounts and phone numbers as red flags the bank ought to have caught.

The bank’s secondary argument fared no better with the court, which was unmoved by the claim that the fraud fell outside normal monitoring because part of it occurred over a non-business day. 

“The banking system operates on an automated 24/7 basis,” the judgment states, adding that mere compliance with a transaction ceiling “does not satisfy the broader duty of care to protect a customer from loss.” 

Ongeri treated the daily limit reset not as a technical safeguard working in the bank’s favour, but as evidence of precisely the vulnerability it was obliged to guard against.

Safaricom’s cross-appeal against its larger 60% share of liability was dismissed on similar grounds, with the court declining to treat the SIM swap and the subsequent withdrawals as separate events with separate causal chains. 

Ongeri ruled that both companies owed Kariuki concurrent and independent duties of care, drawing on the standard for bank liability set in Fidelity Commercial Bank v Italian Market Kenya and the threshold for flagging suspicious transactions established in Joe Owaka Ager v Barclays Bank of Kenya.

The ruling arrives as SIM swap fraud remains a persistent threat to Kenya’s mobile money-linked banking system, and it complicates the argument, advanced by Safaricom through Wachira v Safaricom, that telecoms operators and banks occupy separate regulatory lanes.

The implication for lenders is that a system capable of waving through an unusual fraud pattern without human review is no longer a defence in itself. 

True scale demands moving beyond surface-level integrations to robust execution. We’ve filtered the noise out of Moonshot 2026, optimising the conference strictly for high-calibre connections between startup founders, global financial operators, enterprise leaders and individuals rewiring Africa’s technical frameworks. Get 20% off Early Bird tickets for a limited time.

Big Tech Cybersecurity Policy Fintech Africa Tech

Intelligence Exchange

0

Log in to participate in the exchange.

Sign In

Syncing Discussions...

Finding Related Intelligence...