CBK gives nod to phone number masking in M-Pesa transactions

A phone screen showing M-Pesa transaction details.

Photo credit: File | Nation Media Group

Safaricom has secured regulatory approval from the Central Bank of Kenya (CBK) to roll out a long-delayed data minimisation feature on its M-Pesa e-payment platform that will mask customers’ phone numbers when they send money to each other, opening the way to extend the same protection to payments made to businesses.

The approval was granted last month, clearing the rollout of a feature intended to tighten the security of users’ personal data.

“This is to inform you that the CBK has reviewed your application and submissions in support of the solution and approves your request to implement data minimalisation for peer-to-peer transactions,” CBK said in its letter to Safaricom.

In its request to the regulator, Safaricom had sought CBK’s nod to implement a solution that partially masks the sender’s mobile phone number when funds are transferred directly from their M-Pesa wallet to the mobile wallet of another customer.

The solution will also allow the recipient to request the sender’s full mobile phone number, a request the sender may either consent to or decline.

Once extended to merchant payments, the feature will prevent merchants from seeing the payer’s full mobile number when a customer settles a bill or pays for goods using a Till or PayBill option, limiting the visibility of personal identifiers at the point of sale.

Currently, transaction notifications received by merchants display the customer’s phone number alongside the payment confirmation code and amount, exposing contact details that are not strictly necessary to complete the transaction.

The data minimisation principle stipulated in the Data Protection Act, 2019 requires companies to collect only the data that is necessary to deliver their service.

In August last year, CBK released new guidelines for non-deposit-taking credit providers that, among other things, stipulate adherence to the Data Protection Act, 2019 and that they obtain clearance certificates from the Office of the Data Protection Commissioner (ODPC).

“A non-deposit-taking provider shall, where applicable, develop an information and technology policy which shall at a minimum cover data encryption standards and guidelines, information security guidelines, and application security,” the regulations state in part.

Other items the regulations require providers to address when developing their IT systems include network access controls, password security for mobile applications and web platforms, and a backup policy.

CBK directed Safaricom to carry out extensive consumer awareness and customer education before launching the solution, to monitor feedback and address customer concerns and complaints, and to submit a monthly report to the CBK.

“CBK further urges Safaricom PLC to ensure that the introduction of this service remains in compliance with the National Payment System Laws, and that any further enhancements/use cases to the solution must remain in strict compliance with the applicable legal and regulatory framework governing the National Payment System,” stated the CBK in its letter to Safaricom.

The latest data privacy decision is expected to boost efforts to cushion mobile subscribers and mobile money users from fraud and social engineering.

Last year, the Communications Authority of Kenya (CA) said it welcomed technological initiatives from service providers aimed at improving the data privacy of mobile money users, and signalled a willingness to approve the rollout of the number masking feature.

“With the rise of digital services, including e-commerce, privacy features such as number masking on mobile payment platforms are important for digital trust and consumer protection,” stated the CA in a press statement.

“The Authority reiterates its support for innovations that uphold privacy and undertakes to roll out privacy-enhancing features consistent with the law in partnership with industry stakeholders.”

This is unfolding against a backdrop of sustained public scrutiny on telcos over data privacy and surveillance concerns.

Last year alone, Kenya’s High Court awarded more than Sh13 million in fines and damages to consumers who had complained of unsolicited contact or spam from private companies sent without their consent.

However, many of the data privacy concerns stem from regulatory and State directives that telcos have little control over, and in most cases, the State can exercise its surveillance powers without needing telecom operators’ active involvement.

In 2024, financial services providers accounted for a third of determinations issued by the ODPC from more than 5,000 complaints coming from consumers. The complaints included improper consent management, unsolicited communication, harassment of third parties, and aggressive debt collection practices.

At the heart of many of the formal complaints is the violation of data minimisation principles as stipulated in the Data Protection Act 2019, which requires companies to collect only the data that is necessary for their service delivery.

While some banks and fintechs mask credit card numbers, account and other details not necessary in verifying a transaction, mobile money service providers have not adequately instituted data minimisation.

In a note to partners on its app developer network two years ago, Safaricom stated it would adopt data minimisation not only as a matter of compliance, but also in response to customer demand for privacy over their personal information.

The firm, which counts 38 million 30-day active customers on M-Pesa, has developed a feature that masks the phone number of users when they pay to merchant Till and PayBill numbers, but has been unable to deploy it because of restrictions from the CA.
