CBK warns of mobile money fraud risk on unverified SIM cards


A sim card registration exercise. PHOTO | FILE | NMG

The Central Bank of Kenya (CBK) has warned mobile money service providers (MMSPs) and banks of the rising risk of fraud from remote registration of customers.

The CBK said in a circular that virtual onboarding of customers was denying mobile money players, including Safaricom, Airtel and Telkom Kenya, a chance to verify that the people sending and receiving money are the same ones that registered on their platforms.

In the circular issued last November and made public this week, the regulator reminded financial institutions to tighten their anti-money laundering and counter-terrorism financing (AML/CFT) checks to reduce the risks involved in remote onboarding of customers.

“Platforms that facilitate virtual on-boarding such as mobile money platforms have been the subject of fraud due to forgery of documents and identity theft,” said Gerald Nyaoma, the director of banks supervision at CBK, in the circular.

“This vulnerability is due to the fact that MMSPs do not identify the customer and verify that the customer who registered the SIM with the service provider, is the same one seeking to access mobile financial services. MMSPs should address this vulnerability as a matter of urgency.”

Mobile money services such as Safaricom’s M-Pesa have grown in stature in the financial services sector and are interlinked with banks, micro-finance banks and saccos, meaning that any risk on their end can find itself into the rest of financial institutions.

M-Pesa transactions grew by 21.4 percent to Sh35.86 trillion in the financial year ended March 2023 when the number of transactions increased by a third to 21.03 billion, pointing to the increased reliance on the service in the economy.

The CBK in September last year increased the daily mobile money wallet size from Sh300,000 to Sh500,000 and also increased the daily transaction limit from Sh150,000 to Sh250,000 in line with increased usage. Kenya had 77.12 million registered mobile money accounts at the close of November last year.

Mr Nyaoma said financial institutions such as MMSPs have a duty to properly identify customers during remote or virtual on-boarding and adds that requesting and receiving photocopies of identification documents cannot be synonymous with identifying the person.

Airtel and Safaricom relied heavily on online portals to register and update customers’ details after the regulator in 2022 threatened to deactivate SIM cards whose owners did not comply.

The rules require telcos to record full names of customers, ID number and date of birth, gender and physical address of subscribers. But the use of virtual registration tools has left the telcos with little room to know if those registering are using their own documents or not.

The use of virtual registration helped telcos to avoid the long queues that were being witnessed across the country as subscribers rushed to avoid deactivation.

Safaricom, for instance, says in the latest annual report that the use of automated know-your-customer update increased compliance from 55 percent in February 2023 to 97 percent in March 2023, resulting in savings of Sh50 million.

The CBK says that while some institutions have employed biometric verification for remote on-boarding, they should devise other affordable methods to enable them to identify customers to be on-boarded virtually or remotely.

It says financial institutions, including MMSPs, should guard against individuals who seek to use other people’s fraudulently obtained identification documents for purposes of opening accounts.

Financial institutions rely on national identity cards or valid passports to identify customers, mostly in the forex bureaus and money transfer services. However, the CBK has cautioned mobile money transfer firms from applying this method.

“This should not apply to MMSP. MMSPs should not apply simplified customer due diligence to all individual customers without any regard to the varying risks posed by them,” said Mr Nyaoma.

The CBK circular, which also roped in banks, has reminded financial sector players to strictly implement the AML/CFT (Amendment) Act 2023, Proceeds of Crime and Anti-money Laundering Regulations 2023 and Prevention of Terrorism Regulations 2023 that set in last year.

Kenya went through a mutual evaluation of its anti-money laundering and combating of terrorism financing and countering proliferation financing regime by the Eastern and Southern African Anti-Money Laundering Group from October 2021 to July 2022.

The country was referred to the Financial Action Taskforce's International Cooperative Review Group process due to poor results in its mutual evaluation and was under a period of observation for one year to October 2023 during which it was required to take action to address deficiencies.

PAYE Tax Calculator

Note: The results are not exact but very close to the actual.