DTB and Safaricom Ruling Redefines Responsibility in Kenya's SIM Swap Fraud Cases


A High Court judgment stemming from a SIM swap fraud case in Kenya has clarified where responsibility lies when failures by banks and telecom operators combine to enable financial fraud. The court upheld joint liability against Diamond Trust Bank (DTB) and Safaricom after customer Mercy Wairimu Kariuki lost KSh4.4 million through unauthorised mobile banking and Pesalink transactions following a SIM swap.

Justice Asenath Ongeri dismissed appeals from both companies and affirmed an earlier judgment that allocated 60 percent of the liability to Safaricom and 40 percent to DTB. The ruling concludes that each organisation owed the customer an independent duty of care and breached that obligation through separate failures.

The dispute began on February 6, 2022, when Kariuki received notifications indicating that her Safaricom SIM card had been replaced without her permission. She immediately contacted Safaricom customer care and was advised that the matter would be addressed before visiting a customer service centre to restore her line.

Despite the report, the SIM swap proceeded.

On the morning of February 8, Kariuki discovered that KSh4.4 million had been withdrawn from her DTB account through a series of mobile banking transfers and Pesalink transactions directed to multiple bank accounts and mobile numbers.

JOIN OUR TECHTRENDS NEWSLETTER

The High Court agreed with the trial court that Safaricom failed to stop the unauthorised SIM replacement after the customer had raised the alarm. It also found that DTB failed to identify a pattern of transactions that should have triggered further scrutiny before the transfers were completed.

The court therefore upheld the earlier allocation of liability, ordering Safaricom to bear 60 percent of the loss and DTB 40 percent, while also affirming awards relating to negligence, breach of confidentiality, costs and interest.

DTB argued that every disputed transaction had been authenticated using the customer’s correct PIN and therefore complied with its banking systems and terms.

The court rejected that argument.

Justice Ongeri held that successful PIN authentication does not remove a bank’s wider obligation to identify transactions that fall well outside a customer’s normal behaviour.

According to the judgment, the rapid movement of large sums to multiple unrelated beneficiaries presented obvious warning signs that required intervention.

The court also dismissed DTB’s reliance on its daily transfer limits. Although the fraudsters structured withdrawals to remain within those limits, the judgment held that compliance with transaction ceilings alone does not satisfy a bank’s broader duty to protect customer funds.

Safaricom maintained that the SIM replacement followed its verification procedures and argued that it simply provided telecommunications services rather than controlling banking transactions.

The High Court rejected that position as well.

The judgment found that Safaricom’s duty arose from its handling of the reported SIM swap itself. Since the customer had promptly reported the unauthorised replacement, the operator had an obligation to prevent the fraudulent SIM from remaining active.

One of the most important aspects of the decision is its treatment of responsibility.

The court declined to view the SIM swap and the bank transfers as isolated events. Instead, it described them as part of one continuous sequence in which failures by two separate organisations enabled the same fraud.

That distinction matters because it reinforces that banks and telecom operators each owe customers their own duty of care. A failure by one organisation does not automatically remove responsibility from the other.

The ruling also broadens the standard against which institutions may be judged. The court found that procedural compliance alone is not always enough where the surrounding circumstances point to a foreseeable fraud. For banks, successful PIN authentication and adherence to transaction limits did not remove the obligation to question a pattern of transactions that appeared abnormal. For telecom operators, completing a SIM replacement after a customer had reported suspicious activity amounted to a separate breach of duty.

The ruling is likely to receive close attention across Kenya’s banking and telecommunications sectors.

Banks may review how fraud detection systems identify unusual payment patterns, particularly where large transfers occur within short periods or involve unfamiliar beneficiaries. Greater emphasis may also be placed on behavioural analytics that can identify account takeover attempts even when the correct credentials are used.

Telecom operators may also revisit SIM replacement procedures, customer verification requirements and escalation processes when subscribers report suspected SIM swap attempts. The judgment places particular weight on how operators respond once a customer has warned that a SIM replacement is unauthorised.

The decision also arrives as telecom operators occupy a much larger role in Kenya’s digital economy than providing mobile connectivity alone. Safaricom now supports payment infrastructure through M-PESA, enterprise platforms, APIs and public digital services, placing its mobile network and customer identity systems at the centre of millions of financial transactions each day.

That broader role makes SIM management more than a telecommunications function. A mobile number has become part of the trust infrastructure that underpins digital banking, payments and customer authentication. The High Court’s decision reflects that reality by holding that telecom operators and banks each carry independent responsibilities when protecting customers from foreseeable fraud.

For consumers, the judgment reinforces that organisations responsible for different parts of the digital financial ecosystem may each be held accountable where separate failures combine to produce financial loss. It also establishes that technical compliance on its own may not be be enough where evidence shows that preventable fraud could reasonably have been detected and stopped.

Download the free Kaspersky SMB Cybersecurity Guide here to learn how businesses can move beyond traditional antivirus and build a more resilient approach to cybersecurity.

Go to TECHTRENDSKE.co.ke for more tech and business news from the African continent and across the world.

Follow us on WhatsAppTelegramTwitter, and Facebook, or subscribe to our weekly newsletter to ensure you don’t miss out on any future updates. Send tips to editorial@techtrendsmedia.co.ke

Facebook Comments

FORUM

By George Kamau

I brunch on consumer tech. Send scoops to george@techtrendsmedia.co.ke
Back to top button
×