On June 18, 2026, Justice Asenath Ongeri of Kenya's High Court delivered a ruling that quietly did more to define SIM-swap fraud liability in Kenya than either of the country's two relevant statutes have managed in years of drafting and amendment. Upholding a chief magistrate's decision, Ongeri found that Diamond Trust Bank (DTB) and Safaricom bear "concurrent and independent duties of care" to a customer whose line was hijacked in a SIM swap, and split responsibility for the resulting KES 4.4 million (~$34,000) theft 60:40 between the telco and the bank (TechCabal; TechWeez).
What Happened to Mercy Kariuki
The underlying facts, now four and a half years old, are a case study in cascading failure. In February 2022, fraudsters hijacked Mercy Wairimu Kariuki's Safaricom line through a SIM swap she had already reported and believed resolved. Over the following days, they moved KES 4.4 million out of her DTB account via mobile banking and PesaLink in staggered transfers designed to dodge limit alerts. Ongeri rejected both companies' attempts to point at the other: Safaricom's swap failure was "a direct and proximate cause of the loss," while DTB could not hide behind a correctly entered PIN when its own systems should have flagged transaction patterns "so glaringly out of the ordinary that a reasonable banker would have been put on inquiry." The bank's argument that transfers occurred outside business hours fared no better — the court noted that 24/7 automated banking cannot excuse 24/7 blind spots.
A Duty of Care With No Statutory Author
What makes the ruling notable is what it is not built on. Kenya has two statutes that plausibly speak to this fact pattern, and neither one created the liability standard the court just applied. The Data Protection Act, 2019 obliges data controllers like Safaricom and DTB to maintain "appropriate technical and organisational measures" against foreseeable risks to personal data, including encryption and incident-recovery capability, enforced by the Office of the Data Protection Commissioner (ODPC) (Kenya Law — Data Protection Act 2019, §41; ODPC). That is a regulatory compliance duty owed to the Commissioner, not a mechanism that compensates a defrauded customer. Separately, the Computer Misuse and Cybercrimes (Amendment) Act, 2025 — assented to on October 15, 2025 — inserted Section 42A, criminalising unauthorised SIM-swap takeovers with a fine of up to KES 200,000 or two years' imprisonment (Parliament of Kenya — Computer Misuse and Cybercrimes (Amendment) Act, 2025; CM Advocates). That punishes the fraudster, not the institutions whose gaps let him through the door — and it says nothing about victim compensation. Between a data-protection statute that regulates process and a cybercrime statute that punishes criminals, there is a gap: who pays the customer back, and on what basis? The High Court answered that question using ordinary negligence doctrine, not a rule either regulator wrote.
The Case for Letting Courts Do This
There is a real case for the opposite approach — for the ODPC and the Communications Authority to write an ex ante rule instead of leaving this to litigation. Kariuki waited over four years, through a magistrate's court and then an appeal, to get paid; that is not a realistic remedy for the ordinary M-PESA user, and a single High Court judgment does not bind every bank and telco the way a regulation would. A prescriptive rule — mandatory real-time swap-alert sharing between telcos and banks, or a fast-track reimbursement scheme modelled on how other markets now handle authorised-push-payment fraud — would give every future victim a faster, more predictable path to recovery than another multi-year suit.
But a prescriptive technology mandate carries its own cost: fraud tactics evolve faster than rulemaking cycles, and a rule specifying today's detection method risks being obsolete, or worse, treated as a compliance ceiling rather than a floor, well before the next amendment. Ongeri's negligence standard is technology-neutral by design — it asks whether conduct was reasonable given what each institution knew or should have known, the same test the Data Protection Act's Section 41 already applies to security safeguards. That consistency is not an accident; principles-based standards let both courts and regulators calibrate to actual fault as attack methods shift, rather than locking in a fixed technical checklist that fraudsters will route around.
The sensible middle path is for the ODPC and the Communications Authority to convert this judgment into guidance rather than new legislation: codify the "concurrent duty of care" standard so telcos and banks know the bar before they are sued, without freezing the specific controls that meet it. That gives Kenya's mobile-money ecosystem — still the deepest in the world — the predictability regulation is supposed to provide, without trading away the flexibility that let it become that deep in the first place.