Time flies with great content! Renew in to keep enjoying all our premium content.
Prime
DTB, Safaricom to pay client Sh4.4m for fraud loss
The High Court has upheld a trial court's ruling that Safaricom and Diamond Trust Bank were found liable for a SIM-swap fraud that saw a customer lose Sh4.4 million.
Diamond Trust Bank (DTB) and Safaricom have been jointly held responsible for a SIM-swap fraud that saw a customer lose Sh4.4 million. A court ruled that both institutions failed in their separate duties to protect the client from the fraud.
Dismissing an appeal by DTB and a cross-appeal by Safaricom, the High Court affirmed a magistrate's finding that the telco and the lender were negligent, as their failures enabled the fraud.
The court upheld the trial court's apportionment of liability, which found Safaricom 60 percent liable and DTB 40 percent liable for the loss suffered by customer Mercy Wairimu Kariuki.
In a judgment on June 18, the court also upheld the order requiring DTB to pay Kariuki Sh1,788,601, together with general damages for negligence and breach of confidentiality, costs and interest.
"This court finds that the trial court's apportionment of liability was neither perverse nor erroneous in law. Both the bank and the mobile service provider had concurrent duties of care to Mercy Kariuki," the court ruled.
The court held that Safaricom breached its duty of care by completing the SIM swap despite Ms Kariuki's prompt report that it was unauthorised.
"The customer promptly reported the suspicious activity on the day of the swap, yet the fraud was still executed, and her line was only reinstated the following day. This constitutes a breach of its duty of care and a failure to protect her data," the judge said.
The court also said that DTB independently failed in its obligation to protect the customer's money by processing a series of unusual transactions that should have immediately raised suspicion.
The court rejected the bank's argument that it could rely solely on the correct PIN to validate the transactions.
"A bank cannot hide behind a customer's PIN when it is presented with a series of transactions that are so glaringly out of the ordinary that a reasonable banker would have been put on inquiry," she said.
The dispute stemmed from events that began on February 6, 2022, when Ms Kariuki received alerts indicating that her Safaricom SIM card had been swapped without her authority.
She immediately contacted Safaricom's customer care, where she was informed that her SIM had already been replaced through an M-Pesa agent. She was assured the line would be blocked and advised to visit a Safaricom shop.
Although she reported the suspicious activity the same day, the SIM swap was not stopped. Her line was only restored the following day after she visited a Safaricom customer care centre.
The following morning, at about 5.23am on February 8, 2022, Kariuki woke up to a series of debit alerts from DTB notifying her that Sh4,418,601 had been withdrawn from her account through the bank's mobile banking application and Pesalink.
The money had been transferred in multiple transactions to different bank accounts and mobile numbers without her authority.
Kariuki sued both DTB and Safaricom, arguing that Safaricom negligently allowed the unauthorised SIM swap while DTB failed to stop a series of highly suspicious transactions despite obvious warning signs. She maintained that she had never disclosed her mobile banking PIN to anyone.
DTB denied liability, insisting that every transaction had been authenticated using Ms Kariuki's correct secret PIN. It argued that under its banking terms and conditions, successful entry of the PIN was sufficient proof that the account holder had authorised the transactions.
The bank also argued that the disputed transfers were spread over three separate days and therefore did not exceed its daily transaction limit of Sh2 million. It further maintained that the fraud originated from the SIM swap and that Safaricom alone should bear responsibility.
Safaricom, on its part, maintained that the SIM replacement followed its verification procedures after the person requesting the swap correctly answered security questions. It argued that it merely provides telecommunications infrastructure and has no control over transactions conducted through DTB's mobile banking platform.
The telecommunications company also argued that Ms Kariuki had regained control of her line on February 7, before the disputed withdrawals occurred, and therefore the financial loss could not be attributed to it.
The court rejected both arguments, finding that the fraud resulted from a continuous sequence of failures by both institutions.
"A bank is expected to flag suspicious transactions. In this case, the withdrawals from multiple unrelated accounts and mobile numbers in quick succession constituted significant red flags that the appellant ought to have heeded,” said the court.