Kenyan court SIM swap fraud ruling holds Safaricom and DTB jointly liable for a $34,000 theft, dismantling standard liability defenses.
In a landmark judgment that fundamentally reshapes corporate liability for digital banking theft, Kenya’s High Court has ruled that both telecommunications operators and commercial banks can be held jointly liable for losses resulting from SIM swap fraud.
Justice Asenath Ongeri upheld a previous ruling from the Mavoko Chief Magistrate’s Court dismissing separate appeals filed by telecom giant Safaricom and Diamond Trust Bank (DTB) Kenya. The court ordered both corporations to collectively compensate the customer Mercy Wairimu Kariuki, whose account was systematically drained of Ksh4.42 million (~$34,000) over a three-day period following an unauthorized SIM swap.
The High Court rejected arguments from both companies trying to displace blame onto each other, ruling instead that both entities independently breached their respective duties of care to the customer. The court distributed the financial liability via a 60:40 split.
The court found that Safaricom’s internal security failures were the direct, proximate cause that enabled the fraud. Kariuki had actually flagged suspicious alerts and reported the unauthorized swap to Safaricom on February 6, 2022 yet the telco permitted the fraudulent swap to process regardless. Safaricom argued its responsibility was limited to providing telecom infrastructure without visibility into banking transactions, but the court dismissed this cross- appeal.
Even though the fraud originated outside the bank’s network, DTB was penalized for failing to flag and halt a highly anomalous transaction pattern. Over three days, the fraudsters used DTB’s mobile app and the PesaLink network to run rapid, staggered transfers to multiple unrelated accounts and phone numbers to deliberately avoid hitting single-transaction velocity ceilings.
The ruling sets a massive legal precedent for the African fintech and banking ecosystems by systematically dismantling the traditional defenses used by financial institutions during fraud litigation.
“A bank cannot hide behind a customer’s PIN when it is presented with a series of transactions that are so glaringly out of the ordinary that a reasonable banker would have been put on inquiry.” — Justice Asenath Ongeri, Kenya High Court
DTB strongly argued that its infrastructure functioned exactly as engineered because every single disputed transfer was authenticated using Kariuki’s correct secret PIN. The bank also asserted that the SIM swap constituted an intervening act (novus actus interveniens) that legally severed its chain of liability, and that some transactions occurred over a non-business day outside manual oversight.
The court completely rejected these points. The judgment explicitly stated that compliance with automated transaction thresholds and correct PIN entry does not absolve a bank of its broader common-law duty to protect customer capital. Furthermore, because modern banking architecture runs on an automated, 24/7 basis, lenders are legally obligated to deploy real-time algorithmic fraud detection capable of intercepting obvious velocity and behavioral anomalies, regardless of the day of the week.
See also: ASIC Fines Deutsche Bank $2m Over Systemic Reporting Breaches
For years, telecom operators and banks in East Africa have operated in separate regulatory and legal silos, frequently passing the buck to one another when subscribers fell victim to social engineering and identity theft.
This ruling aggressively closes that loop. Moving forward, a security system that passively waves through an unusual transaction pattern simply because a PIN matches is no longer a valid legal defense in Kenyan courts. Lenders and telcos will be forced to deeply integrate their risk engines, introducing stricter multi-factor identity checks at the point of SIM duplication and real-time behavioral monitoring across mobile banking rails to mitigate shared legal exposure.

