
A High Court judgment stemming from a SIM swap fraud case in Kenya has clarified where responsibility lies when failures by banks and telecom operators combine to enable financial fraud. The court upheld joint liability against Diamond Trust Bank (DTB) and Safaricom after customer Mercy Wairimu Kariuki lost KSh4.4 million through unauthorised mobile banking and Pesalink transactions following a SIM swap.
Justice Asenath Ongeri dismissed appeals from both companies and affirmed an earlier judgment that allocated 60 percent of the liability to Safaricom and 40 percent to DTB. The ruling concludes that each organisation owed the customer an independent duty of care and breached that obligation through separate failures.
The dispute began on February 6, 2022, when Kariuki received notifications indicating that her Safaricom SIM card had been replaced without her permission. She immediately contacted Safaricom customer care and was advised that the matter would be addressed before visiting a customer service centre to restore her line.
Despite the report, the SIM swap proceeded.
On the morning of February 8, Kariuki discovered that KSh4.4 million had been withdrawn from her DTB account through a series of mobile banking transfers and Pesalink transactions directed to multiple bank accounts and mobile numbers.
The High Court agreed with the trial court that Safaricom failed to stop the unauthorised SIM replacement after the customer had raised the alarm. It also found that DTB failed to identify a pattern of transactions that should have triggered further scrutiny before the transfers were completed.
The court therefore upheld the earlier allocation of liability, ordering Safaricom to bear 60 percent of the loss and DTB 40 percent, while also affirming awards relating to negligence, breach of confidentiality, costs and interest.
DTB argued that every disputed transaction had been authenticated using the customer’s correct PIN and therefore complied with its banking systems and terms.
The court rejected that argument.
Justice Ongeri held that successful PIN authentication does not remove a bank’s wider obligation to identify transactions that fall well outside a customer’s normal behaviour.
According to the judgment, the rapid movement of large sums to multiple unrelated beneficiaries presented obvious warning signs that required intervention.
The court also dismissed DTB’s reliance on its daily transfer limits. Although the fraudsters structured withdrawals to remain within those limits, the judgment held that compliance with transaction ceilings alone does not satisfy a bank’s broader duty to protect customer funds.
Safaricom maintained that the SIM replacement followed its verification procedures and argued that it simply provided telecommunications services rather than controlling banking transactions.
The High Court rejected that position as well.
The judgment found that Safaricom’s duty arose from its handling of the reported SIM swap itself. Since the customer had promptly reported the unauthorised replacement, the operator had an obligation to prevent the fraudulent SIM from remaining active.
One of the most important aspects of the decision is its treatment of responsibility.
The court declined to view the SIM swap and the bank transfers as isolated events. Instead, it described them as part of one continuous sequence in which failures by two separate organisations enabled the same fraud.
That distinction matters because it reinforces that banks and telecom operators each owe customers their own duty of care. A failure by one organisation does not automatically remove responsibility from the other.
The ruling also broadens the standard against which institutions may be judged. The court found that procedural compliance alone is not always enough where the surrounding circumstances point to a foreseeable fraud. For banks, successful PIN authentication and adherence to transaction limits did not remove the obligation to question a pattern of transactions that appeared abnormal. For telecom operators, completing a SIM replacement after a customer had reported suspicious activity amounted to a separate breach of duty.





