Introduction 

In Kenya’s mobile-first economy, strong fraud controls are essential. Nearly 9.8% of Kenyan mobile money users reported losing funds to scams in 2024, highlighting the stakes. This guide explains the CBK’s fraud prevention rules and practical measures (technical and operational) that banks and fintechs must adopt to protect customers and meet compliance.

 

 

The Scale of the Problem: Mobile Money Fraud in Kenya

Kenya’s mobile money (chiefly Safaricom’s M-Pesa) is enormous: CBK data indicates roughly 32 million or more monthly M-Pesa users, and Safaricom handles 95% of the country’s retail payments. In 2025, M-Pesa moved KES 83.7 trillion ($650 billion), about four times Kenya’s GDP. At this scale, fraud losses can be large: the FinAccess 2024 survey finds that 9.8% of mobile money users lost money to fraud.

 

The rapid adoption (82.3% of adults use mobile money) and high transaction volumes mean Kenya’s economy depends on secure digital payments. Common fraud trends – from SIM swaps to phishing – have become systemic challenges. As one commentator notes, “Kenya’s economy now operates through a single private payments platform” (M-Pesa), so its failure or abuse “could significantly impair the real economy”. This makes robust mobile-money fraud prevention a national priority.

 

 

CBK’s Regulatory Framework for Mobile Money Fraud Prevention

The Central Bank of Kenya (CBK) enforces a layered legal framework to counter mobile-money fraud. This includes POCAMLA (AML Act), CBK prudential guidelines, and specific mobile-money rules. Key elements:

 

1. POCAMLA and the FRC

Kenya’s Proceeds of Crime and Anti-Money Laundering Act (POCAMLA) (Cap 9B) is the core AML law. It applies to all reporting institutions – banks, mobile money operators, digital lenders, etc. POCAMLA/Regulations require:

1. Customer Due Diligence: Tiered KYC and enhanced due diligence for high-risk customers.

2. Transaction Monitoring: Real-time surveillance of customer activity.

3. STR Filing: Suspicious Transaction Reports must be filed with the Financial Reporting Centre (FRC) promptly. (Banking rules now expect STRs “within 3 calendar days” of detection.)

4. Recordkeeping: Maintain transaction and KYC records for at least 7 years.

 

POCAMLA’s mandate covers all mobile money providers, including M-Pesa agents and API-based wallet services. Institutions must file STRs with the FRC even if the fraud involves a mobile wallet or agent. The CBK itself oversees these rules: the central bank “is responsible for supervising and enforcing compliance with POCAMLA” for all Payments Service Providers.


2. CBK KYC and AML Guidelines (2025–2026)

Updated CBK guidelines now specify how mobile-money services must verify customers and monitor transactions:

1. Tiered KYC for Wallets: Mobile wallets follow a three-tier structure. Basic Tier requires minimal ID (ID number, name, DOB). Standard Tier adds address and source of income. Enhanced Tier (highest transaction limits) demands full CDD documents. Banks/fintechs must upgrade verification as customer usage grows.

2. Transaction Monitoring Systems: All mobile-money operators must use real-time (or near-real-time) monitoring platforms that score transactions by customer risk. Alerts should trigger investigator review and STRs when warranted.

3. SIM-Swap Controls: Following CBK approval of number masking in 2026, operators must still flag SIM-swap events. High-value transactions initiated shortly after a SIM change should be held for manual review or step-up authentication.

4. Monthly Reporting: Institutions must submit monthly returns to CBK covering transaction volumes, fraud alerts raised, and STR statistics (as per CBK reporting requirements). This enables CBK oversight of mobile-money fraud trends.

 

 

3. CBK’s Digital Fraud Compensation Framework (2026)

Under Kenya’s 2025–2028 Financial Inclusion Strategy, CBK is rolling out a Digital Fraud Compensation Framework for 2026. It establishes clear rules when customers lose money to fraud. Notable features:

1. Liability Allocation: Operators may bear losses if fraud controls fail.

2. Customer Redress: Mandates digital complaint channels and strict resolution timelines.

3. Transparency and Reporting: Requires institutions to disclose their fraud rates and resolution processes.

For banks and fintechs, this means any gaps in controls now risk both reputational and financial liability. Meeting CBK’s new framework is essential to maintain consumer trust and avoid penalties.

 

 

Dominant Mobile Money Fraud Typologies in Kenya (2026)

Kenya’s mobile-money ecosystem faces several high-risk fraud types. Understanding each helps tailor controls.

 

1. SIM-Swap Fraud

SIM-swap fraud is among Kenya’s most damaging scams. Attackers take over a user’s phone number (used as M-Pesa ID and banking username) by tricking or bribing a mobile agent to transfer the number to a new SIM. With control of the number, fraudsters reset OTPs/PINs and drain mobile money and linked bank accounts.

 

SIM-swap fraud has cost Kenyans millions. For example, a Nairobi fintech thwarted a SIM-swap heist by integrating Safaricom’s SIM-swap API: after detecting a recent SIM change on a customer’s number, the system automatically held a large transfer until the user verified it, preventing a KES 1 million loss.

 

Required controls: Banks should use multi-layered defenses beyond M-Pesa’s masking. Integrate with Safaricom/Airtel SIM-change alerts in real time. Impose a 24–48 hour hold on large transactions following any SIM-swap. Enforce step-up authentication (video call, branch visit) for transfers after a SIM change.


2. Social Engineering and Impersonation

Scammers often impersonate trusted figures (bank agents, CBK officials, or M-Pesa agents) via calls or spoofed SMS to trick users into revealing PINs/OTPs. These phishing-style attacks exploit low tech barriers.

 

Required controls: Financial institutions should run in-app or USSD education campaigns warning customers about such scams. Collaborate with telcos to block spoofed sender IDs. For high-risk transactions, trigger extra authentication steps (e.g. one-time codes sent via a different channel).

 

 

3. M-Pesa Agent Fraud

Fraudsters can corrupt the large M-Pesa agent network. Rogue agents may inflate withdrawal amounts, fake reversals, or collude with customers on fraudulent deals. Given Kenya’s ~300,000 agents, this is a major vector for internal fraud.

 

Required controls: Monitor agent transactions closely. CBK guidelines mandate clear agent agreements and compliance checks. Implement velocity and ratio checks (e.g. abnormally high cash-out vs. deposits). Run background checks and ongoing screening of agents against criminal databases. Use analytics to flag agents with unusual activity patterns.
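The velocity and ratio checks named above, as an added example that is not part of the original guide or any vendor's code. The record layout, the agent IDs and every threshold are assumptions chosen for illustration; kinds are 'deposit', 'cashout' or 'reversal'.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, to be tuned on real agent data.
MAX_CASHOUT_RATIO = 4.0   # cash-out value / deposit value
MAX_TXNS_PER_HOUR = 5     # velocity ceiling in any rolling hour
MAX_REVERSAL_RATE = 0.20  # reversals / all transactions
MIN_TXNS = 5              # too little activity to judge below this

def max_in_window(times, window=timedelta(hours=1)):
    """Largest number of events inside any rolling window."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_agents(txns):
    """txns: (agent_id, kind, amount_kes, timestamp). Returns {agent_id: [reasons]}."""
    by_agent = defaultdict(list)
    for agent, kind, amount, ts in txns:
        by_agent[agent].append((kind, amount, ts))
    flagged = {}
    for agent, recs in by_agent.items():
        if len(recs) < MIN_TXNS:
            continue
        value = defaultdict(float)
        for kind, amount, _ in recs:
            value[kind] += amount
        reasons = []
        # max(..., 1.0) avoids dividing by zero for an agent with no deposits
        if value["cashout"] / max(value["deposit"], 1.0) > MAX_CASHOUT_RATIO:
            reasons.append("cashout_to_deposit_ratio")
        if max_in_window([ts for _, _, ts in recs]) > MAX_TXNS_PER_HOUR:
            reasons.append("velocity")
        if sum(k == "reversal" for k, _, _ in recs) / len(recs) > MAX_REVERSAL_RATE:
            reasons.append("reversal_rate")
        if reasons:
            flagged[agent] = reasons
    return flagged

# Constructed sample data: three hypothetical agents, not real records.
T0 = datetime(2026, 3, 1, 9, 0)
def make_rows(agent, kinds, amount, gap):
    return [(agent, k, amount, T0 + timedelta(minutes=i * gap)) for i, k in enumerate(kinds)]
SAMPLE = (make_rows("AG-001", ["deposit", "cashout"] * 4, 2_000, 45)
          + make_rows("AG-002", ["deposit"] + ["cashout"] * 7, 9_000, 5)
          + make_rows("AG-003", ["deposit", "cashout", "reversal"] * 3, 1_500, 60))
```

Calling `flag_agents(SAMPLE)` leaves the balanced agent alone and returns a reason list for the other two, which is what a compliance reviewer would see on the alert.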

 

 

4. Mobile Banking Account Takeover

This occurs when fraudsters hijack mobile banking apps linked to M-Pesa (via phishing, credential stuffing, or malware). Once inside, they quickly add new beneficiaries or initiate transfers.

 

Required controls: Deploy device-binding (flagging logins from new devices or locations). Use behavioral biometrics (keystroke/swipe analytics) to verify account holders. Force strong multi-factor authentication for high-value payments or new payee setups.

 

 

5. Synthetic Identity Fraud at Onboarding

Increasingly, AI tools generate fake IDs and deepfake selfies to open mobile wallets under false identities. These synthetic accounts (often tier-1 KYC) become “mule accounts” for laundering fraud proceeds.

 

Required controls: Use biometric liveness checks at signup (passive face/ID match). Cross-verify identity details against Kenya’s Integrated Population Registration System (IPRS). Employ AI-powered document verification to spot forgeries. These checks stop fraudulent IDs before account creation.

 

 

Technical Architecture for Mobile Money Fraud Prevention

Banks and fintechs should build layered systems to stop mobile money fraud:

1. Identity Assurance at Onboarding: Every wallet must open under a verified identity. Integrate with IPRS for real-time ID validation (national ID, passport). Use biometric liveness checks (e.g. selfie vs. ID photo) to deter fake accounts. Screen names against PEP and adverse-media lists. Youverify’s platform, for example, includes Kenya-specific IPRS connectivity and passive liveness options.

 

2. Real-Time Transaction Risk Scoring: Every transaction (M-Pesa or mobile banking) should be scored before completion. Key factors: deviation from the user’s normal behavior (30-day average), new device or location, recent SIM-swap, transaction size vs account age, etc. High-risk scores trigger alerts or blocks.

 

3. SIM-Swap Detection Integration: Before approving large transactions, query MNO APIs (Safaricom/Airtel/Telkom) about recent SIM changes for the phone number. If a swap occurred in the last 24–48 hours, flag or hold the payment for extra verification.

 

4. Agent Network Anomaly Detection: Apply specialized monitoring for agent channels. Check each agent’s deposit/withdrawal patterns (velocity checks). Analyze network graphs to spot collusive sub-networks. Flag agents with unusually high cash-outs or repeated transaction reversals for compliance review.

 

5. Case Management and FRC Reporting: All fraud alerts and investigations should flow into a case-management system. This system tracks analyst reviews and evidence, and ensures that Suspicious Transaction Reports are auto-generated in FRC format. It should enforce the 3-business-day STR filing SLA and keep audit trails for CBK audits.
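Layers 2 and 3 above, together with the SIM-swap hold described under the fraud typologies, sketched as an added example that is not code from the guide, CBK or any operator. The MNO lookup is modelled as two plain fields rather than a real API call, and all weights, thresholds and field names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Weights and thresholds are illustrative assumptions, not CBK figures.
SIM_HOLD_WINDOW = timedelta(hours=48)  # upper end of the 24-48 hour window
LARGE_TXN_KES = 50_000
STEP_UP_SCORE = 30

@dataclass(frozen=True)
class Txn:
    amount_kes: float
    at: datetime
    device_id: str
    known_devices: frozenset
    avg_30d_kes: float                 # user's 30-day average amount
    account_opened: datetime
    sim_lookup_ok: bool                # did the MNO SIM-swap query succeed?
    last_sim_swap: Optional[datetime]  # None = no swap on record

def risk_score(t):
    """Score a transaction before completion; returns (score, reasons)."""
    checks = [
        (t.avg_30d_kes > 0 and t.amount_kes > 5 * t.avg_30d_kes, 30, "amount_vs_30d_average"),
        (t.device_id not in t.known_devices, 25, "new_device"),
        (t.at - t.account_opened < timedelta(days=7)
         and t.amount_kes >= LARGE_TXN_KES, 20, "large_amount_on_new_account"),
        (t.last_sim_swap is not None
         and timedelta(0) <= t.at - t.last_sim_swap <= SIM_HOLD_WINDOW, 40, "recent_sim_swap"),
    ]
    hits = [(w, r) for cond, w, r in checks if cond]
    return min(sum(w for w, _ in hits), 100), [r for _, r in hits]

def decide(t):
    """Return ('HOLD' | 'STEP_UP' | 'ALLOW', reasons)."""
    score, reasons = risk_score(t)
    large = t.amount_kes >= LARGE_TXN_KES
    if large and not t.sim_lookup_ok:
        # Fail closed: an unanswered SIM-swap query must not read as "no swap".
        return "HOLD", reasons + ["sim_lookup_unavailable"]
    if large and "recent_sim_swap" in reasons:
        return "HOLD", reasons
    if score >= STEP_UP_SCORE:
        return "STEP_UP", reasons
    return "ALLOW", reasons

# Constructed sample: a long-standing customer on a known handset.
NOW = datetime(2026, 3, 1, 12, 0)
BASE = Txn(1_500, NOW, "dev-A", frozenset({"dev-A"}), 2_000, datetime(2024, 1, 1), True, None)
```

The returned reasons list is what the case-management layer would attach to the alert, so an analyst can see why a payment was held.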

 

 

Compliance Checklist: Mobile Money Fraud Prevention

| Requirement | Regulatory Basis | Status |
| --- | --- | --- |
| Tiered KYC for all wallet holders | CBK KYC & AML Guidelines (2025) | Mandatory |
| IPRS identity verification at onboarding | POCAMLA & CBK Guidelines | Mandatory |
| Real-time transaction monitoring | CBK AML Guidelines (2025) | Mandatory |
| SIM-swap detection controls | CBK M-Pesa number-masking approval (2026) | Required |
| STR filing (within prescribed timeframe) | POCAMLA, s.44 (2010) | Mandatory |
| Monthly reporting to CBK | CBK reporting requirements (NPS Act) | Mandatory |
| Digital fraud compensation readiness | NFIS 2025–2028 (CBK framework) | In Progress |
| 7-year record retention | POCAMLA | Mandatory |

Key Regulatory References on Mobile Money Fraud Prevention

1. Proceeds of Crime and Anti-Money Laundering Act (POCAMLA), Cap. 9B: Kenya’s primary AML/fraud law (requires due diligence, STRs, record-keeping).

2. National Payment System Act (2011): Empowers CBK oversight of payment service providers, including mobile money.

3. CBK KYC and AML Guidelines (2025): Updated rules on tiered verification and monitoring for all financial channels.

4. CBK Digital Fraud Compensation Framework (2026): New rules on liability and customer redress for mobile money fraud.

5. FATF Mutual Evaluation of Kenya (2022): Kenya’s AML assessment identifies mobile money fraud as a priority risk.

 

 

Taking Action: Strengthening Mobile Money Fraud Controls

Kenyan banks and fintechs should prioritize these steps in 2026:

1. Audit SIM-Swap Coverage: Ensure real-time API integration with Safaricom, Airtel, and Telkom for all customer phone numbers. Test that alerts trigger holds on suspect transactions.

2. Deploy Biometric Liveness at Onboarding: Roll out passive face/ID checks with IPRS cross-match. This reduces synthetic identities at the source.

3. Automate STR Filing: Move off spreadsheets. Implement a compliance system that auto-generates FRC-formatted STRs and tracks the 3-day filing deadline.

4. Train Agents on Fraud Indicators: Provide annual fraud-awareness training for all M-Pesa agents, covering common scams and red flags.

5. Prepare for CBK Liability Framework: Review your customer-complaint workflows and data retention (7-year logs) to meet the upcoming Digital Fraud Compensation rules.

6. Monitor Continually: Keep rules dynamic. Update risk rulesets in response to new fraud patterns (e.g. AI-generated scams).


Youverify’s fraud prevention platform offers built-in Kenyan integrations (IPRS checks, M-Pesa APIs, FRC reporting) to simplify compliance. 

 

Youverify clients report a 60%+ reduction in fraud losses, 90%+ faster onboarding, and 50%+ fewer false positives, while maintaining full POCAMLA, FRC, and CBK compliance.

 


About the Author

Victoria Okere is a compliance writer and at Youverify. She specializes in East African financial regulation, mobile-money fraud prevention, and POCAMLA compliance for banks and fintechs.