Telecoms operator Safaricom says it will review its legal commitments to M-Pesa customers who opt to use Equity Bank’s overlay SIM cards, pointing to a new battleground in the mobile money wars involving the two companies.
Safaricom’s warning follows a decision by the telecommunications regulator to approve a one-year trial of Equity Bank’s thin SIM cards in order to assess Safaricom’s security concerns. The move could discourage money transfer service users anxious about what legal protection they stand to lose should their terms and conditions change.
“In the interim, Safaricom will review some of its legal commitments to its customers and banking partners with the view of addressing the legal exposures that could be created by the use of the SIM overlay technology, particularly in relation to mobile banking activities,” said Nzioka Waita, Safaricom’s director for corporate Affairs.
Safaricom has previously said that M-Pesa users’ cash is insured up to a sum of Sh100,000 as per central bank’s regulations. A second hurdle to the trial is the threat of the overlay SIM cards being withdrawn within the trial period if any security weakness is reported.
The Communications Authority of Kenya (CA) board yesterday said it had given Finserve Kenya, an Equity Bank subsidiary, the go-ahead to roll out its services using the technology for one year, during which a technical audit of the trial would be conducted.
In a media briefing, also attended by Central Bank of Kenya (CBK) governor Njuguna Ndung’u, the CA said it approved the use of Taisys’ thin SIMs by Finserve as the cards comply with all minimum mandatory international standards and that no evidence was presented to warrant blocking them.
Finserve, which was given a Mobile Virtual Network Operator licence in May, will, however, need to get approval from the CBK to ascertain that it complies with the National Payment regulations, Prof Ndung’u said. The approvals will allow the bank, with more than 8.7 million customers, to distribute the thin SIMs, which users would overlay on their current SIM cards and access two different networks using the same handset.
It also lays the ground for a battle in the mobile money transfer business that is currently dominated by Safaricom that has more than 19 million subscribers on its M-Pesa platform.
“Following on the outcome of (an) investigation… the Board of Directors of the Communications Authority of Kenya has decided that there is no sufficient evidence to block in the Kenyan market the entry of the thin SIM,” said Ben Gituku, the CA chairman, during the media briefing yesterday.
“During this period, we will not allow any other thin SIM manufacturer in the market,” added Francis Wangusi, the CA director-general. “We don’t want to create confusion or a situation where we won’t be able to detect any security vulnerabilities on time.”
Safaricom responded by asking the CA to fast track the security review and to publish the guidelines for the use of the SIM cards in the interests of protecting consumers and financial institutions who, they claim, will remain vulnerable to potential ‘man-in-the-middle’ attacks.
“If any adverse impact… is detected on account of the use of the overlay SIM technology, Safaricom will use all prudent and practical means to protect the confidentiality of its customers’ information and… financial transactions.”
Although Safaricom did not divulge the nature of legal reviews it intends to take, experts said that Safaricom may warn merchants and customers it will not bear any risks for any M-Pesa transactions conducted on a dual SIM phone.
Safaricom, the country’s largest telecoms operator, sparked the current battle with Equity Bank, the leading lender by customer base, when it wrote to the telecoms market regulator on June 26 claiming that Equity’s thin SIM technology poses a security threat to mobile subscribers. Equity responded by saying that it intends to source the thin SIMs from a reputable technology company, Taisys of Taiwan, which has clients such as the International Finance Corporation — the investment arm of the World Bank.
The approval follows several meetings with the mobile network operators — Safaricom, Airtel, Orange and yuMobile — Taisys, and the global association of mobile operators, GSMA on the international best practices. Mr Gituku added that, based on the opinion of the GSMA, save for the inherent vulnerabilities of all SIM cards, there are no specific and confirmed vulnerabilities arising from the use of the thin SIM.
The CA said it also found during its investigation that no major complaints on interception of traffic of the primary SIM card had been reported, dismissing Safaricom’s claims that the introduction of the technology may interfere with its SIM cards and leave its M-Pesa subscribers vulnerable to fraud.
Laboratory tests conducted on Taisys thin SIM by China national computer quality supervising test centre as well as the Bank Card Test Centre of China showed that it complies with applicable international engineering and security standards.
Earlier, the GSMA had written to Kenyan authorities warning of the risks that use of the slim SIM cards pose to the integrity of the mobile telecommunications platforms. But the warnings were not specific to the Taisys SIM cards.
Equity’s Finserve was granted an MVNO licence in April alongside Mobile Pay Ltd and Zioncell. The bank expects lower tariffs and the thin-SIM technology, which allows users to join without leaving Safaricom, to help them break Safaricom’s grip on customers with M-Pesa’s walled garden of services.
The bank also expects three million of its mobile banking customers to move to its network and has begun distributing 300,000 smartphones to retailers.