On 18 June 2026, Justice Asenath Ongeri sitting at the High Court in Machakos did something Kenya’s mobile money industry has spent nearly a decade trying to prevent: she wrote, in plain legal English, that a bank cannot hide behind a customer’s PIN, and that a telco cannot hide behind the claim that it is “just the pipe.” The result is HCCA E121 of 2024, Diamond Trust Bank Kenya Ltd v Mercy Wairimu Kariuki & Safaricom PLC, and it ends with both Safaricom and DTB ordered to pay Kariuki back every shilling of the Ksh 4,418,601 that vanished from her account in February 2022 — Safaricom carrying 60 percent of the loss, DTB the remaining 40.

Both institutions appealed. DTB wanted the finding of negligence overturned entirely. Safaricom, in a cross-appeal, wanted its 60 percent share reduced, arguing that a telecommunications company has no visibility into what happens once a customer logs into their bank’s app. The High Court dismissed both appeals with costs, and in doing so produced one of the most consequential rulings yet on who pays when Kenya’s phone-number-as-identity banking model breaks down.

“A bank cannot simply rely on the fact that a

transaction was initiated using the correct PIN

if there are other suspicious circumstances.”

— Justice Asenath Ongeri, 18 June 2026

ANATOMY OF A FOUR-DAY ROBBERY

The court record lays out a sequence that fraud investigators in Kenya’s mobile money ecosystem have seen many times before, and it is worth walking through slowly, because the timeline is the entire scandal.

On 6 February 2022, fraudsters executed a SIM swap on Kariuki’s Safaricom line. She noticed almost immediately and called Safaricom customer care, who confirmed the swap had gone through an M-Pesa agent and told her to visit a Safaricom shop. She did exactly that the next day, 7 February, and her line was restored.

It made no difference. In the early hours of 8 February, at 5:23 a.m., DTB’s alert system began firing off messages confirming a stream of unauthorized withdrawals and Pesalink transfers. By the time the dust settled, Ksh 4,418,601 had left her account across three separate days, split into transfers to multiple unrelated bank accounts and mobile numbers, each one kept conveniently under DTB’s Ksh 2 million daily limit.

She had never disclosed her PIN. She had banked with DTB for years. She did everything a customer is told to do when a SIM swap happens and she still lost nearly Ksh 4.5 million, then spent over four years in court proving it wasn’t her fault.

THE BLAME-SHIFTING PLAYBOOK

DTB’s defence in court reads like a template every Kenyan bank has used at some point: the transactions were authenticated with the correct secret PIN, which the bank argued was “sufficient proof of identity” requiring no further checks; the transfers were spread across three days and never individually breached the daily ceiling; and, crucially, DTB argued the matter should have been litigated under the Data Protection Act or the Kenya Information and Communications Act instead of as a straightforward negligence claim — a jurisdictional argument clearly designed to get the case thrown out on a technicality rather than decided on the facts.

Safaricom’s cross-appeal took a different tack, insisting its role begins and ends with telecommunications infrastructure and that it has no view into, or control over, what a bank’s mobile app allows a compromised line to do.

The High Court rejected both arguments outright. On DTB, it found the bank had ignored obvious red flags rapid, large transfers to numerous unrelated destinations that should have triggered manual review regardless of whether the PIN matched.

On Safaricom, it found that permitting the SIM swap in the first place was a direct and proximate cause of the loss, meaning the telco could not outsource responsibility for compromising a customer’s digital identity simply because a third party later exploited that compromise.

The lower court’s original 60:40 apportionment, delivered by Hon. R.W. Gitau at the Mavoko Chief Magistrate’s Court on 26 March 2024, was upheld in its entirety. Both appeals were dismissed with costs to Kariuki.

THIS IS NOT AN ISOLATED RULING IT’S A PATTERN

What makes the Kariuki judgment dangerous for the industry is not that it is unprecedented. It is that it is the latest entry in a lengthening file of cases that, read together, describe a mobile-money security architecture that has been broken for years and that both telco and banking executives have known about and tolerated.

Consider the wreckage: in 2022, a senior Nairobi police officer, Peter Mwanzo, testified in the High Court that fraudsters remotely swapped his SIM and drained Ksh 597,100 from his mobile banking wallets while his phone sat in his own pocket. In the same period, Farah Bashir, a medical lab scientist, was left stranded in Johannesburg surviving on hotel breakfast yoghurt after scammers swapped his line and stripped Ksh 2.6 million from his Absa mobile banking accounts and, despite media attention, he struggled for months to get either Safaricom or the bank to accept responsibility.

The courts have not always sided with victims. In 2024, the High Court dismissed a SIM swap case brought by a customer identified as Wanjiru, ruling in Safaricom’s favour on the question of blame. That same year, in Wachira v Safaricom, the court dismissed a separate claim after finding the plaintiff had not proven the SIM registration itself was handled negligently a ruling Safaricom has since tried to use as authority for the position that telcos and banks occupy entirely separate legal lanes, an argument the Kariuki bench explicitly declined to accept.

But where courts have found telcos or banks at fault, the pattern of institutional failure repeats with uncomfortable precision. The Kenya ICT policy think tank KICTANet has documented a High Court ruling holding Safaricom liable for Ksh 751,680 in mobile money losses caused by a delayed response to a SIM deactivation request the same delayed-response failure mode at the centre of the Kariuki case. Safaricom’s own disclosures show it fired 33 employees for fraud-related offences in the year to March 2023, and 24 the year before that, with roughly a third of those dismissals tied directly to SIM swap fraud evidence that the vulnerability is not purely external but has, at times, been assisted from inside the company’s own agent and staff network.

THE DATA BREACH THAT MAKES THIS WORSE

The Kariuki ruling does not exist in isolation from Safaricom’s broader data governance record and this is the part of the story the telco would prefer stayed buried. On 13 May 2026, the High Court’s Constitutional and Human Rights Division, under Justice Bahati Mwamuye, delivered judgment in Constitutional Petition E095 of 2026, confirming that Safaricom employees had systematically extracted the personal, financial and location data of an estimated 11.5 million subscribers over roughly seven years and trafficked it to third-party betting companies, including Odibets a scandal the company had spent years trying to characterise as the actions of rogue individuals rather than a systemic governance failure.

The court awarded eleven named petitioners Ksh 900,000 each and, more significantly, established a constitutional record of failure that a separate class action covering all 11.5 million affected subscribers — still pending — is now positioned to draw on.

Put the two rulings side by side and an uncomfortable picture emerges: a telecommunications company that has been found, in the same twelve-month window, to have both failed to secure the SIM-based identity layer that underpins Kenya’s entire mobile banking system, and to have allowed its own employees to harvest and sell the personal data of millions of the same subscribers it claims to protect. These are not unrelated scandals. They are two symptoms of the same underlying disease: a company that treats subscriber identity and data as an operational afterthought rather than the core trust asset its entire M-Pesa-linked business model depends on.

“Privacy ceases to be an abstract constitutional promise

and becomes a lived vulnerability… the Constitution does not

permit such vulnerability to be normalised.”

— Justice Bahati Mwamuye, HCCHRPET E095 of 2026

THE PLUMBING SAFARICOM WON’T FIX

Safaricom is not blind to the problem. The company rolled out a SIM-Swap-Check API to partner banks as far back as 2023, specifically because the swap-then-drain fraud pattern had become systemic enough to threaten confidence in mobile banking generally.

Yet the Kariuki case happened in February 2022, and the judgment upholding the customer’s win was only delivered in June 2026 meaning the industry has had more than four years, and a purpose-built anti-fraud tool, and still could not stop a textbook swap-and-drain operation from succeeding against a customer who did everything right.

The uncomfortable truth Justice Ongeri’s judgment forces into the open is this: Kenya’s mobile banking revolution was engineered for convenience first and security second, and when the model fails, the default corporate reflex from both telco and bank has been to treat the customer as the point of failure and litigate for years rather than pay promptly. DTB tried to hide behind terms and conditions and a jurisdictional technicality. Safaricom tried to hide behind the claim that it is merely infrastructure. Neither defence survived contact with the facts.

Mercy Wairimu Kariuki reported her SIM swap the same day it happened. She followed every instruction she was given. She never shared her PIN. She still lost Ksh 4.42 million and had to fight for more than four years to get it back. Meanwhile, the same phone number that betrayed her is, for millions of other Kenyans, still treated as near-conclusive proof of identity across banking, mobile money, credit and government services a single point of failure that fraud syndicates have professionalised into a business model, and that neither Safaricom nor the banking sector it partners with have yet been forced to fundamentally re-engineer.

The question the industry now has to answer is not whether another Mercy Kariuki exists. Court records make clear she already has several predecessors. The question is whether Safaricom and Kenya’s banks will treat this judgment as the cost of doing business, the way they have treated every ruling before it or whether a regulator, or the next class action, finally forces the plumbing itself to change.

Reporting for this investigation draws on the High Court judgment in HCCA E121 of 2024 (Diamond Trust Bank Kenya Ltd v Mercy Wairimu Kariuki & Safaricom PLC), the underlying trial record from Mavoko CMCC E182 of 2022, and contemporaneous reporting and case records referenced throughout.