In a move for digital privacy and consumer protection, the Central Bank of Kenya (CBK) has approved a request by Safaricom to partially mask users’ phone numbers on M-Pesa transactions, a decision that could significantly curb mobile money fraud in Kenya.
Since M-Pesa’s launch in 2007, every payment made on the platform has displayed the sender’s full phone number in transaction notifications received by the payee or merchant. For Kenya’s more than 37 million M-Pesa users, that routine disclosure has long been an overlooked vulnerability in a mobile-first economy where a phone number doubles as a financial identity.
Now, under a newly approved system, phone numbers will be partially masked in peer-to-peer transfers. Should a recipient wish to view the full number, they must submit a request, and the sender retains the right to approve or decline access.
“This is to inform you that the CBK has reviewed your application and submissions in support of the solution and approves your request to implement data minimalisation for peer-to-peer transactions,” the CBK stated in its formal communication to Safaricom,
Closing a Critical Fraud Loophole
The decision represents more than a technical update, it is a direct regulatory intervention aimed at closing a loophole that has facilitated thousands of scams.
For years, scammers have harvested phone numbers from legitimate mobile money transactions, building databases that are later exploited in phishing schemes and SIM-swap fraud. The visibility of personal identifiers has provided criminals with credible entry points into victims’ financial lives.
Under the revised framework, merchants receiving payments via Till or Paybill numbers will no longer automatically see a payer’s full name or mobile number. By reducing the visibility of personally identifiable information, regulators hope to shrink the attack surface available to fraudsters.
The Rise of SIM-Swap and Impersonation Fraud
Kenya’s rapid digital financial inclusion has made it a global case study in mobile money success. However, that same integration has created new risks.
In 2025, the Directorate of Criminal Investigations (DCI) arrested six cybercrime suspects in Mombasa linked to an organised scamming ring. According to investigators, the suspects used ID spoofing applications, reportedly costing over KES 500,000 to impersonate bank and telecom customer service agents.
Armed with phone numbers obtained from legitimate transactions, scammers contacted victims under the guise of trusted institutions, persuading them to disclose PINs and passwords.
SIM-swap fraud has proven even more damaging. In such cases, fraudsters manipulate or bribe telecom agents into transferring a victim’s mobile number onto a new SIM card. Once control of the number is secured, they reset banking credentials, intercept one-time passwords and empty accounts within minutes.
Given that a Kenyan mobile number often functions simultaneously as a bank username and a mobile money account, the consequences can be swift and severe.
Repeated warnings from the Communications Authority of Kenya and the Central Bank have led to tighter SIM registration rules and enhanced customer verification requirements in recent years. Yet fraud has persisted, fuelled in part by the ease with which personal data circulates.
Data Protection Pressure Mounts
The new masking feature also reflects intensifying scrutiny around data privacy in Kenya’s financial services sector.
In 2024, financial and insurance companies accounted for an estimated 30 per cent of determinations issued by the Office of the Data Protection Commissioner (ODPC), with more than 5,000 complaints filed during the year. Consumers have increasingly challenged unauthorised marketing communications and the misuse of personal data.
Kenya’s High Court has, in several cases, awarded damages to individuals over unwarranted contact and spam messaging from private companies, practices often linked to mobile money transaction records.
By embedding “data minimalisation” into M-Pesa’s operational framework, regulators are signalling that convenience must no longer outweigh privacy.
Balancing Transparency and Protection
While the masking feature enhances privacy, it also introduces a new layer of consent-based transparency. Recipients can request access to a sender’s full number, but ultimate control rests with the sender, an approach that attempts to balance accountability in transactions with individual data rights.
For Safaricom, the reform may strengthen user trust at a time when digital financial services are becoming increasingly sophisticated and increasingly targeted by cybercriminals.
For Kenya’s millions of mobile money users, the change could mark a consequential turning point. In a system where a phone number functions as both communication tool and financial gateway, experts say reducing its exposure may prove to be one of the most effective anti-fraud measures yet.
As Kenya continues to refine its digital financial ecosystem, the CBK’s approval suggests a broader shift that security and privacy are no longer peripheral concerns, but central pillars of the country’s mobile money architecture.
Talking Points
It is a significant and timely intervention that the Central Bank of Kenya has approved phone number masking on M-Pesa transactions. In a mobile-first economy where a phone number functions as both identity and financial access point, reducing its exposure directly addresses a long-standing vulnerability.
For years, the automatic display of full phone numbers in transaction notifications has created an unintended data trail that fraudsters could exploit. Masking this information introduces a layer of protection without dismantling the transparency that underpins peer-to-peer trust.
At Techparley, we see this as more than a product update; it is a structural shift in how digital financial services in Kenya approach data minimalisation. As fraud tactics become more sophisticated, privacy-by-design features must become standard rather than optional.
The rise in SIM-swap fraud and impersonation scams, often enabled by harvested phone numbers highlights why this reform matters. Curtailing easy access to personal identifiers could significantly reduce phishing attempts and social engineering attacks.
However, technology alone will not eliminate fraud. Stronger customer awareness, rigorous SIM registration enforcement and continued collaboration between regulators, telecom operators and law enforcement agencies remain essential.
As Safaricom implements the new framework, the broader opportunity lies in rebuilding user confidence. If effectively executed, this move could reinforce Kenya’s position as a global leader in mobile money innovation, not only in scale, but in security and consumer protection.
——————-
Bookmark Techparley.com for the most insightful technology news from the African continent.
Follow us on Twitter @Techparleynews, on Facebook at Techparley Africa, on LinkedIn at Techparley Africa, or on Instagram at Techparleynews.
