Safaricom is set to introduce a landmark data minimization feature for its M-PESA money transfer service, a move designed to shield millions of customers from fraud, spam messaging and the unintended exposure of personal details.

Safaricom, which now facilitates over 37 million person-to-peer (P2P) transactions per day valued at about Kes27 billion is set to overhaul what transactional data is visible to users starting 24th March, 2026. 

According to the telco giant, these changes on data privacy will help bring its business practices in sync with privacy regulations and consumer expectations from global peers.

“We have an obligation to ensure maximum digital security for our customers. Protecting customers' information is extremely important. Trust is the currency we really want to continue to value as a business,” Safaricom CEO Peter Ndegwa stated, adding that the new feature is a major step in the right direction towards fighting against fraud.

What’s changing: From full visibility to ‘need-to-know’

Effective Tuesday 24th March, M-PESA users sending money will notice that their full mobile phone number is no longer displayed on the recipient's transaction notification. Instead, the 10-digit number will be partially masked, displaying only the first four and last three digits, for instance, 0722***000.

To balance privacy with the practical need for verification during transactions, Safaricom has introduced a consent-based lookup system. 

This means that for mobile money recipients, who require to see the sender’s full details, say to confirm an unexpected payment will now be required to forward their transaction message to short code *334*. 

This SMS prompt will trigger a request to the sender, who then has the liberty to approve or decline the release of their full name and number.

According to Safaricom, the verification window is limited to 24 hours after a transaction has been made and the sender has a two-hour period to respond to the request.

In the event the request is declined, the recipient will receive a notification informing them of the sender’s decision, ensuring that data sharing remains firmly in the hands of the user.

This move is designed to extend a data privacy strategy that Safaricom has been building for years. 

Sharon Holi, Head of Customer Privacy and Data Protection, noted that the journey began in 2020 with Pochi La Biashara and has progressively expanded to internal staff access, M-PESA statements, and API integrations.

Why masking matters now

The scale of M-PESA’s integration into the Kenyan economy makes this update timely. With 14.1 million daily active P2P users on mobile money, Safaricom's M-PESA platform is increasingly becoming a prime target for fraudsters and data harvesters.

The company outlined five key benefits of the new feature in its briefing on Wednesday, noting that masking numbers is part of a core security enhancement measure. By limiting the visibility of full phone numbers, Safaricom aims to reduce the risk of:-

• Unwanted contact: Preventing recipients from easily capturing mobile phone numbers for potential spam calls, fraud, unsolicited marketing messages or harassment.
• Social engineering: This new feature cuts off a key vector for fraudsters who scrape transaction messages to build profiles for scams.
• Regulatory compliance: Initiative will also see Safaricom align with data minimization principles as enshrined in Kenya's Data Protection Act of 2019, which mandates that only necessary personal data be processed.

Regulatory green light and industry context

The Central Bank of Kenya (CBK) formally approved Safaricom’s application for the P2P masking feature earlier this year, following years of advocacy for improved data protection in mobile money and digital payments.

In its approval, the CBK cited the importance of consumer education and compliance, requiring Safaricom to conduct extensive customer awareness campaigns and submit updates on the feature's performance. 

Safaricom's new data protection measure also reflects a broader shift in Kenya's financial services sector, which accounted for a third of all determinations issued by the Office of the Data Protection Commissioner (ODPC) in 2024, often related to improper consent management and unsolicited communication.

According to Esther Waititu, Safaricom’s Chief Financial Services Officer, by ensuring customers' personal information is handled with care and sharing only what is absolutely necessary, the telco seeks to build a safer and more inclusive digital economy.

[email protected]