• Kenyan court holds banks, telcos liable over $34,000 SIM swap fraud

    Kenyan court holds banks, telcos liable over $34,000 SIM swap fraud
    Image: KWS

    Share

    Share

    Mercy Wairimu Kariuki woke up on the morning of February 8, 2022, to a stream of alerts showing that KES 4.4 million ($34,000) had been withdrawn from her Diamond Trust Bank (DTB) account overnight, two days after fraudsters hijacked her phone line in a SIM swap she had already reported and believed had been resolved.

    On June 18, Kenya’s High Court ruled that both Diamond Trust Bank and Safaricom bore responsibility for the theft, finding that separate failures by the lender and the telecom operator enabled the fraud to succeed. Justice Asenath Ongeri upheld a lower court’s decision to split liability between the two companies, rejecting arguments from both that the other’s failures broke the chain of responsibility.

    The ruling raises the standard of care for banks and telecom operators handling SIM swap fraud, holding that each owes customers an independent duty to prevent foreseeable losses even when the fraud originates outside its own systems.

    Ongeri upheld a chief magistrate’s court decision that split liability between DTB Kenya, the Nairobi Securities Exchange-listed lender, and Safaricom, the telecommunications company behind M-PESA, ordering the bank to pay Kariuki KES 1,788,601 ($13,800) and Safaricom KES 2,630,000 ($20,300). 

    The 40:60 split reflected the court’s finding that while Safaricom’s SIM swap failure enabled the fraud, DTB independently breached its duty of care by failing to detect and halt a series of suspicious transactions that should have prompted further checks.

    The underlying sequence is one that fraud investigators in Kenya’s mobile money ecosystem have seen before. According to the ruling, fraudsters swapped Kariuki’s SIM on February 6, and she reported the incident to Safaricom customer care the same day after receiving suspicious alerts, only for the swap to go through regardless. 

    Her line was restored the following day at a Safaricom shop, but by the morning of February 8, her DTB account had already been emptied through a combination of mobile banking transfers and Pesalink withdrawals, structured to stay just under the bank’s KES 2 million ($15,400) daily limit by straddling a weekend reset.

    In the same ruling, DTB argued that its systems had worked exactly as designed, since every disputed transaction followed successful entry of Kariuki’s PIN. It also argued that the SIM swap itself was a novus actus interveniens, an intervening act that severed any chain of liability running back to the ban. 

    Ongeri rejected that framing directly. “A bank cannot hide behind a customer’s PIN when it is presented with a series of transactions that are so glaringly out of the ordinary that a reasonable banker would have been put on inquiry,” she wrote, pointing to the rapid succession of transfers to unrelated accounts and phone numbers as red flags the bank ought to have caught.

    The bank’s secondary argument fared no better with the court, which was unmoved by the claim that the fraud fell outside normal monitoring because part of it occurred over a non-business day. 

    “The banking system operates on an automated 24/7 basis,” the judgment states, adding that mere compliance with a transaction ceiling “does not satisfy the broader duty of care to protect a customer from loss.” 

    Ongeri treated the daily limit reset not as a technical safeguard working in the bank’s favour, but as evidence of precisely the vulnerability it was obliged to guard against.

    Safaricom’s cross-appeal against its larger 60% share of liability was dismissed on similar grounds, with the court declining to treat the SIM swap and the subsequent withdrawals as separate events with separate causal chains. 

    Ongeri ruled that both companies owed Kariuki concurrent and independent duties of care, drawing on the standard for bank liability set in Fidelity Commercial Bank v Italian Market Kenya and the threshold for flagging suspicious transactions established in Joe Owaka Ager v Barclays Bank of Kenya.

    The ruling arrives as SIM swap fraud remains a persistent threat to Kenya’s mobile money-linked banking system, and it complicates the argument, advanced by Safaricom through Wachira v Safaricom, that telecoms operators and banks occupy separate regulatory lanes.

    The implication for lenders is that a system capable of waving through an unusual fraud pattern without human review is no longer a defence in itself. 

    True scale demands moving beyond surface-level integrations to robust execution. We’ve filtered the noise out of Moonshot 2026, optimising the conference strictly for high-calibre connections between startup founders, global financial operators, enterprise leaders and individuals rewiring Africa’s technical frameworks. Get 20% off Early Bird tickets for a limited time.