By 
Since its launch in 2007, M-Pesa — operated by Safaricom — has transformed digital payments in Kenya. But with every transfer, fuel payment, grocery purchase or boda boda transaction, users’ phone numbers have routinely appeared in payment notifications sent to recipients and merchants.
For more than 37 million users, that visibility has created an unintended vulnerability: phone numbers that could be saved, shared or harvested by fraudsters, sometimes forming the first link in scams that result in drained accounts.
That risk profile is now set to change.
Regulatory Green Light for Data Minimisation
On Friday, the Central Bank of Kenya approved Safaricom’s request to introduce number masking on peer-to-peer transactions.
In a letter to the telecom operator, the regulator confirmed it had reviewed and approved the proposed data-minimisation solution, marking a significant shift in digital privacy protections within Kenya’s mobile money ecosystem.
Under the updated system:
- Phone numbers in peer-to-peer transactions will be partially masked.
- Recipients who wish to view the full number must formally request access.
- The sender retains the right to approve or decline that request.
- Merchants using Till or Paybill numbers will no longer see the payer’s full name or mobile number.
The changes are designed to reduce unnecessary exposure of personally identifiable information while maintaining transaction transparency.
Why This Matters: The Fraud Link
The reform directly addresses long-standing concerns about SIM-swap fraud and identity spoofing.
In 2025, Kenya’s Directorate of Criminal Investigations arrested six suspects in Mombasa over an alleged scam network that used ID spoofing applications — reportedly purchased for more than KES 500,000 — to impersonate bank and telecom customer service agents.
Fraudsters often rely on phone numbers harvested from legitimate transactions to build credibility. Once contact is established, victims may be persuaded to disclose PINs or passwords under the guise of account “verification.”
SIM-swap fraud has been particularly damaging in Kenya’s mobile-first economy, where a phone number often functions as both a banking identifier and mobile money account key. Criminals trick or collude with telecom agents to transfer a victim’s number to a new SIM card, effectively locking them out. With control of the line, they reset credentials, intercept one-time passwords, and empty accounts within minutes.
Regulators including the Communications Authority of Kenya have repeatedly warned about such schemes, prompting tighter SIM registration requirements and enhanced customer verification measures.
Strengthening Data Protection Standards
Beyond fraud, privacy concerns have also intensified. Kenya’s High Court has previously awarded damages in cases involving unsolicited communications and misuse of personal data. It is common for businesses to send promotional messages to customers whose contact details were obtained through mobile money payments.
In 2024, financial and insurance institutions accounted for roughly 30% of determinations issued by the Office of the Data Protection Commissioner, with more than 5,000 complaints filed — a signal of rising public scrutiny over data handling practices.
A Turning Point for Digital Trust
The introduction of number masking represents more than a technical adjustment. It reflects a broader regulatory shift toward privacy-by-design principles in digital finance.
By limiting the automatic exposure of mobile numbers, the reform could disrupt a common entry point for fraud networks while enhancing consumer confidence in Kenya’s digital payments ecosystem.
As mobile money continues to underpin commerce and financial inclusion in the country, reducing identity risk at the transaction level may prove to be one of the most impactful anti-fraud interventions in recent years.
Comments