Telcos engaged in providing mobile money services, such as Safaricom, Airtel, and Telkom Kenya, have received a stern warning from the Central Bank of Kenya (CBK) regarding the mounting threat of fraud associated with remote customer registration.
In a circular issued last November and disclosed this week, the CBK urged financial institutions to fortify their anti-money laundering and counter-terrorism financing (AML/CFT) measures to counteract the escalating risks tied to virtual onboarding of customers.
Gerald Nyaoma, the Director of Banks Supervision at CBK, unequivocally emphasized the vulnerability of platforms enabling virtual onboarding, such as mobile money services, to fraud through document forgery and identity theft.
"Platforms that facilitate virtual on-boarding such as mobile money platforms have been the subject of fraud due to forgery of documents and identity theft. MMSPs should address this vulnerability as a matter of urgency," Nyaoma stated.
Mobile money services, exemplified by Safaricom's M-Pesa, have witnessed substantial growth in the financial services sector, closely intertwined with banks, micro-finance banks, and SACCOs.
Read More
The impact of any vulnerabilities in these services could potentially ripple through broader financial institutions.
In the financial year ending March 2023, M-Pesa transactions surged by 21.4 per cent to Sh35.86 trillion, with the number of transactions increasing by a third to 21.03 billion, underscoring the growing reliance on this service in Kenya's economy.
The CBK, in September of the preceding year, responded to increased usage by raising the daily mobile money wallet size from Sh300,000 to Sh500,000 and the daily transaction limit from Sh150,000 to Sh250,000.
As of November last year, Kenya boasted 77.12 million registered mobile money accounts.
Nyaoma reiterated the duty of financial institutions, including MMSPs, to effectively identify customers during remote or virtual onboarding.
He emphasized that requesting and receiving photocopies of identification documents should not be synonymous with identifying the person.
Airtel and Safaricom had heavily relied on online portals for customer registration and updates following the regulatory threat in 2022 to deactivate SIM cards lacking compliance.
Despite regulatory rules mandating telcos to record full names, ID numbers, dates of birth, gender, and physical addresses of subscribers, the use of virtual registration tools has left telcos with limited means to verify the authenticity of submitted documents.
The adoption of virtual registration tools initially helped telcos avoid long queues witnessed across the country as subscribers rushed to comply with regulations and prevent deactivation.
However, the recent warning from the CBK underscores the urgent need for mobile money service providers to address associated vulnerabilities and bolster security measures in response to the rising threat of fraud.