The Invisible Hand in Your M-Pesa: How Safaricom Has Been Taking Money Kenyans Say They Never Owed

Kenyans woke up last weekend poorer. Not because of a robbery, a failed business, or an economic shock. Poorer because their telecommunications provider, Safaricom PLC, had quietly reached into their M-Pesa wallets and extracted money for alleged Fuliza debts, some of which the affected customers insist they never incurred. By Monday morning, a single lawyer’s post on X had torn open a wound that goes far deeper than a billing glitch.

Eric Muriuki, founding partner of MKA Law, is not easily rattled. But he was rattled. He published a screenshot of his exchange with Safaricom Care in which the company admitted it had, as a result of what it described as a “system issue,” failed to bill him accurately for Fuliza taken between February 26, 2026, and March 20, 2026. The “correction” came in the form of a KSh 60 deduction from his account without forewarning, without an itemised statement, and without consent. Muriuki’s response was blunt: “I don’t believe you. This is theft.” He declared, with a finality that resonated across the platform, that Kenyan money was not safe with Safaricom, calling out what he described as the company’s “klepto ways.”

It should have ended there, as a single angry post from a lawyer. It did not. It became a flood.

Writer and commentator Beatrice Wanjiru, known on X as @Wordslinger__, captured the broader alarm when she described the situation as “actually a huge scandal,” noting that Safaricom appeared to be arbitrarily deducting money from M-Pesa accounts in the name of unexplained Fuliza debts, with some customers claiming to have never activated Fuliza in the first place and others insisting they had long repaid any balances. Dozens of users replied with their own screenshots. The deductions ranged from KSh 27 to over KSh 1,300. The justification in each case was virtually identical: the same vague three-week window, the same absence of exact dates, the same take-it-or-leave-it tone.

Screenshot

Screenshot

Screenshot

One user reported being charged KSh 78 despite swearing they had not activated Fuliza. Another lost KSh 213. A third was hit twice in consecutive days. Several customers noted they received no SMS notification before the deduction, only a puzzling message after the fact that referenced a date range too broad to verify against any specific transaction. “They can’t even pinpoint the exact date,” one post read, capturing a frustration shared by hundreds.

Safaricom’s official explanation, offered through customer care channels and later amplified by local media, is that a technical fault prevented the system from billing daily Fuliza fees between February 26 and March 20, 2026. A one-time catch-up adjustment was applied across all affected accounts simultaneously, and the company insisted that no further deductions would follow. “This one adjustment has been made to cover all, and there won’t be any further adjustments,” the company told at least one customer.

But the explanation invites more questions than it answers. Why was the adjustment applied without notice? Why were no itemised statements provided? If the fault was purely in the billing cycle, how do customers who claim never to have activated Fuliza appear in the affected pool? And perhaps most damning: who audits the audit? Safaricom has not offered to publish aggregate figures on the total amount recovered through this exercise, the number of accounts touched, or the basis on which individual deduction amounts were calculated. For a company handling billions of shillings in daily transactions on behalf of over 30 million subscribers, this silence is its own indictment.

This is not the first time. It will not be the last.

The Fuliza scandal of March 2026 does not exist in isolation. It is the latest episode in a long-running pattern of Safaricom controversies touching on money, data, and the accountability deficit of a monopoly that has grown too large and too politically connected for ordinary Kenyans to effectively challenge.

In February 2026, weeks before the latest deductions surfaced, Nairobi businesswoman Eunice Nganga filed a constitutional petition challenging Safaricom’s policy of automatically applying erroneous M-Pesa transfers to settle recipients’ Fuliza debts. Nganga had accidentally sent KSh 2,700 to the wrong mobile number in September 2024 and immediately initiated Safaricom’s standard reversal procedure. Safaricom refused, citing the unintended recipient’s outstanding Fuliza overdraft. The funds were automatically redirected to clear that debt without Nganga’s consent and without the recipient ever accessing or withdrawing the money. 

Nganga’s central legal argument is that her contract with Safaricom does not extend to settling another customer’s debts using her funds, particularly where no valid transaction existed between her and the Fuliza debtor.  The case, assigned to Justice Lawrence Mugambi, was scheduled for mention on March 25, 2026. She is seeking a declaration that the policy is unconstitutional and unlawful, a refund of the KSh 2,700, broader restitution for other affected customers, and KSh 50 million in general and punitive damages.  It is a case of profound public interest. Many Kenyans have never heard of it.

Before Nganga, there was a class-action suit that shook Safaricom’s boardroom in 2023. Three M-Pesa users, Gichuki Waigwa, Lucy Nzola, and Godfrey Okutoyi, sued Safaricom, Vodafone Group, the Central Bank of Kenya, and the Communications Authority of Kenya, alleging that the Fuliza overdraft facility illegally used money belonging to non-borrowing M-Pesa users and that Safaricom was effectively engaged in banking business without being licensed as a bank under the Banking Act.  They further claimed that the trust account into which M-Pesa funds were collected was a “sham trust,” and that Safaricom and M-Pesa Holding had commingled funds, resulting in Vodafone Group owing M-Pesa account holders KSh 305 billion.  The case, still winding through the courts, represents perhaps the most sweeping legal challenge to M-Pesa’s financial architecture.

In September 2025, Safaricom was forced to temporarily suspend Fuliza following a technical disruption that halted repayment transactions. Customers were left uncertain about their loan status, with some worried that fees would accumulate unnoticed before normal billing resumed.  That fear, it turns out, was not unfounded. Five months later, Safaricom was telling customers that fees had indeed been accruing unseen in the background, and was now reclaiming them in bulk.

Even Fuliza’s criminal underbelly has been documented. The Directorate of Criminal Investigations alleged that a syndicate of eight young men in Nakuru and Trans-Nzoia defrauded Safaricom of close to KSh 500 million by using fraudulently registered SIM cards to take Fuliza loans with no intention of repayment.  Over 123,000 new mobile numbers opted into Fuliza in a single month before being switched off or vacated, leaving no trace of the borrowers.  The scale of that fraud raises its own disturbing question: if the Fuliza system was penetrated so comprehensively by outside actors, what assurance do ordinary subscribers have that the billing infrastructure tracking their personal balances is accurate?

Bonga Points, Vanishing in the Night

As if the Fuliza scandal were not enough, the very same weekend it erupted, a second alarm was going off inside Safaricom’s ecosystem. On March 29, reports surfaced of Bonga Points being transferred to unknown recipients in a series of early-morning transactions, with message logs showing multiple redemptions occurring between 2 a.m. and 7 a.m., draining account balances without user authorisation. 

Safaricom confirmed on Sunday, March 29, that it had detected irregularities involving unauthorised redemption of Bonga Points, indicating that some users may have had their points accessed without consent.  The timing of the Bonga fraud, arriving in the same news cycle as the Fuliza deductions scandal, is devastating for a company already under intense public scrutiny. Two separate incidents, both involving Safaricom customer value being removed from accounts without consent, surfacing within 48 hours.

The Bonga Points story also carries its own deeper history of bad faith. In 2022, Safaricom attempted to expire Bonga Points accumulated before December 31, 2019, citing liabilities of KSh 4.5 billion sitting on its books. A High Court judge later quashed the move, ruling that Bonga Points, once awarded, become the customer’s property and Safaricom ceases to have any right over them.  The court’s declaration was unambiguous. That Safaricom attempted such a seizure in the first place, targeting KSh 4.5 billion in customer-owned value through a clause change, speaks to a corporate culture comfortable with taking from subscribers when the legal landscape appears permissive.

A Company That Ignores Parliament

What makes Safaricom’s accountability crisis truly remarkable is its apparent contempt for the oversight institutions meant to hold it in check. The Senate Standing Committee on Information, Communication and Technology had convened a meeting on March 17, 2026, specifically to hear from Safaricom’s Chief Executive Officer on matters of service delivery and data protection. Safaricom did not appear. 

The committee had also sought to deliberate on a statement from Migori Senator Eddy Oketch regarding alleged breaches of confidential subscriber information by Safaricom. Senators warned that continued failure to honour parliamentary invitations may attract further action and expressed concern that the company’s absence undermines the oversight mandate on matters directly affecting millions of subscribers. 

That snub sits within a broader pattern of parliamentary frustration. Senators have been trying for over a year to extract answers from Safaricom on data privacy. The central question is whether Safaricom shares subscriber data, including location information, with government agencies without customer consent.  Safaricom has denied doing so without court orders. But two former senior managers at the company were accused of harvesting personal data on 11.5 million subscribers, including names, ID numbers, phone contacts, betting histories, and geolocation data, and attempting to sell the trove to a sports betting firm.  At the time the court case was filed, Safaricom admitted it had been unable to access or delete the compromised data from the Google Drive where it had been stored. 

In other words: the private information of nearly a quarter of Safaricom’s entire customer base was floating somewhere on the internet, and the company that collected it could not even reach it to delete it.

The Economics of Micro-Theft

Commentators on X this week raised the darkest arithmetic of the Fuliza billing scandal. If Safaricom deducted an average of KSh 100 from each of even one million accounts through this “adjustment,” that is KSh 100 million recovered without court order, without notice, and without the possibility of meaningful individual challenge. Few Kenyans will file a consumer complaint over KSh 60. Fewer still will sue. This is precisely why the amounts are small. The aggregate sum, however, is not.

Safaricom’s Fuliza book is enormous. It disburses the equivalent of tens of millions of US dollars daily. Even fractional billing irregularities, applied across that base, generate material sums. The company has offered no aggregate disclosure of the total recovered through the March correction, no explanation of why the system failed to bill for three full weeks, and no independent audit. It has, instead, offered apologies.

For millions of Kenyans, M-Pesa is not a convenience. It is the only financial infrastructure they have. Their rent, their children’s school fees, their hospital payments, their small business cash flows, all of it moves through Safaricom’s pipes. The question being asked on the streets of Nairobi and in the replies of thousands of X posts is the same one lawyers are now beginning to formalise into court papers: who gave Safaricom the right to help itself?

What Must Happen

The Communications Authority of Kenya has a mandate. The Office of the Data Protection Commissioner has teeth. The courts have, when pushed, sided with consumers. What is missing is the political will to push. Safaricom is part-owned by Telkom South Africa through Vodacom, is listed on the Nairobi Securities Exchange, and its M-Pesa operations are so deeply embedded in Kenya’s financial architecture that destabilising the company is not an option anyone in authority wants to pursue. That very indispensability has become its greatest protection against accountability.

But indispensability is not impunity. The Senate ICT Committee must compel Safaricom’s CEO to appear and answer, under oath if necessary, for the Fuliza billing collapse, the Bonga Points fraud, and the data protection failures. The Communications Authority must formally investigate whether the mass deductions of March 2026 comply with Section 83C of the Kenya Information and Communications Act. The Central Bank of Kenya, whose M-Pesa oversight role was explicitly criticised in the KSh 305 billion class-action suit, must explain what safeguards exist to prevent Safaricom from conducting bulk account adjustments outside the normal consumer consent framework.

And every affected Kenyan, whether they lost KSh 27 or KSh 1,300, should file a formal complaint with the Communications Authority. The CA’s complaint registry is a public record. Volume is evidence. Evidence is leverage.

For now, the most honest thing that can be said about Kenya’s relationship with Safaricom is this: millions of Kenyans trust it with their money, their identity, their location, and their communication. Safaricom, on the evidence accumulated across years of litigation, regulatory evasion, and parliamentary no-shows, has not earned that trust. It has merely inherited it, in the absence of any viable alternative.

That is not a business model. That is a hostage situation.

Kenya Insights will continue tracking the Fuliza deductions case, the Eunice Nganga constitutional petition, and the Senate ICT Committee proceedings. Affected subscribers are encouraged to document their deductions and file formal complaints with the Communications Authority of Kenya via their website or by calling 0800 221 772.