Agents the weak link in the fight against SIM card fraud

CA Director for Universal Service Fund Christopher Kemei. [Stafford Ondego, Standard]

Agents hired by mobile service providers to register subscribers are the weak link in the war on fraud carried out through SIM cards.

Even as the Communications Authority of Kenya (CA) pushes for proper registration of customers, agents continue to disregard regulations such as those barring SIM card hawking as telcos look the other way.

CA Director for Universal Service Fund Christopher Kemei said in an interview with Financial Standard yesterday Safaricom, Airtel Kenya and Telkom Kenya have been resisting taking responsibility for the misdeeds of their agents and sub-agents.

“When we had this conversation with operators, we discovered they didn’t want to take liability for what their agents were doing. They claimed that they sign agreements with agents and they (agents) should take responsibility,” said Mr Kemei.

“We had a long debate and agreed MNOs (mobile network operators) take the first responsibility but also extend this to agents, so we now hold both responsible.”

With telecommunications services now intertwined with financial services, thanks to mobile money, the regulator agrees that more focus will now have to be on agents and sub-agents contracted by telcos.

CA has now had to ask the firms to keep it updated on the list of agents, their names, registration details and associated sub-agents and location as well as a copy of their agreements with them.

This has allowed the regulator to monitor the activities of the agents, even as it emerges that they are now seen as the weak link in the fight against mobile network-related ills such as fraud, impersonation and terrorism.

“In our surveillance, we are now able to monitor how this is done. We did this in many cases and found they were breaching the process,” said Mr Kemei.

He added that many agency shop owners have not been educating their employees on what is expected of them, leading to breaches as they chase after commissions.

The lack of proper trickling down of information on how SIM cards should be registered is being blamed for the rush by subscribers to comply with the 2015 regulations that all of a sudden look new.

“In terms of percentage of registered numbers that don’t have all the necessary details, the figures range between 30 to 40 per cent of the total subscribers,” said Mr Kemei.

This could mean that millions of subscribers risk being switched off come Friday unless they update their details.

But the same agents, whom CA flags as the major point of weakness in fighting SIM card fraud, are being relied on now, with CA expecting them to match ones’ face with that on their ID card to avoid impersonation.

“The fact that we are enhancing our surveillance on the contractual arrangement [between MNOs and agents] is evident enough that this is something we have identified as a major concern,” said Mr Kemei.

Days after the Westgate Shopping Mall terrorist attack in September 2013, Fred Matiangi, the then ICT Cabinet Secretary, threatened to arrest CEOs of Kenyan telcos.

Authorities were piecing together how the terrorist attack was planned and executed but ran into a dead-end when tracking and tracing the mobile phones used by the suspects.

Accompanied by the then CA boss Francis Wangusi and the Inspector General of Police David Kimaiyo, the now Interior CS accused telcos of violating the law by allowing unregistered SIM cards to continue operating on their networks. “Even the CEOs of these companies are criminally liable, and they will be arrested,” said Mr Matiang’i during a press briefing at the time.

Less than two years later, the government passed the Kenya Information and Communications (Registration of SIM-cards) Regulations, 2015.

The regulations mandated telcos to record the full names, ID number, date of birth, gender and physical address of subscribers. It also mandated telcos to sell SIM cards at officially designated shops and deactivate un-registered subscribers.

Last month, CA said subscribers who have registered their SIM cards without providing their photo IDs face disconnection by April 15.

Earlier this week, CA Director-General Mr Ezra Chiloba appeared to backtrack on the regulator’s earlier directive and instead faulted mobile network operators for having incomplete subscriber records.

“The history of record keeping has not been consistent and at some point, we were using the Integrated Population Registration System (IPRS) to verify the authenticity of subscribers,” said Mr Chiloba.

“This is not 100 per cent compliance, according to us,” said Mr Chilloba. “We need to come to your place and establish that you have at least a copy of the subscriber’s ID,” he added.     

According to the latest Sector Statistics Report, the number of mobile subscribers in the country stood at 65 million as of December 2021. This puts the country’s mobile penetration rate at 133 per cent, indicating that many subscribers hold multiple SIM cards.

Deactivating SIM cards that are idle or not fully registered is likely to considerably trim the subscriber numbers that local telcos report, and this could affect their bottom line.

Telkom Kenya and Airtel have since clarified that the photo ID on the subscriber’s ID document is sufficient and users are not required to have their photos taken by the Friday deadline.

“The blanket statement that telco operators are taking photos is not correct,” said Telkom CEO Mr Mugo Kibati.

“The photograph is not a requirement, and Telkom has never asked, added Mr Kibati.

“Nothing but the photo of the ID is to be taken, and that also applies electronically where you do not need to submit a photo,” said his Airtel Kenya counterpart Prasanta Sarma. 

Safaricom, on the other hand, insists it requires a photo ID as part of strengthening security features on M-Pesa.

“The photo is not a legal requirement, but we have always thought its better to continue to keep our customers much safer, and what we are looking at is completely eliminating the menace of M-Pesa fraud, and that is why we take more stringent decisions,” said Safaricom Director of Risk Management Mr Nicholas Mulila.

The telco’s digital lending products M-Shwari, KCB M-Pesa and Fuliza register the highest usage among subscribers, and there has been concern over the fate of subscribers who have existing facilities and will not have registered by the Friday deadline.      

“Fuliza is a partnership, so we will be seeking guidance from both the CA and CBK and our partner banks to see how we handle the issue,” said Mr Mulila.

CA has declined to extend the registration deadline past April 15, citing incidences of SIM-boxing, financial fraud, kidnapping, terrorism and related crimes facilitated by unregistered SIM cards.

There are concerns, however, that the registration process is contrary to the Data Protection Act, 2021.

Some have also questioned why the government continues to mandate numerous registration processes instead of harmonising the information already collected into one database.

According to Privacy International, mandatory SIM card registration by governments facilitates surveillance, discrimination and exclusion.

“In countries with political and ethnic tensions, pairing data with political activity might result in physical risks for the people involved,” said the lobby.