Briefly

Press-Statement-on-Forensic-Audit-on-SIM-Card-Registration1

Briefly
Communications Authority Kenyaenforcement
enforcementKenya·Communications Authority Kenya·Briefly Analysis

Abstract

The Communications Authority of Kenya (CAK) frequently undertakes forensic audits of SIM card registration processes to ensure compliance with regulatory frameworks and combat digital fraud. These audits are critical enforcement tools aimed at verifying the accuracy and authenticity of subscriber data held by Mobile Network Operators (MNOs). This article examines the legal underpinnings of SIM card registration in Kenya, primarily the Kenya Information and Communications Act and its subsidiary regulations, alongside the Data Protection Act, 2019. It delves into the implications of such audits, highlighting past findings, regulatory directives, and the persistent tension between national security objectives and individual data privacy rights, as illuminated by recent judicial pronouncements.

Introduction

The rapid expansion of digital services in Kenya has brought with it an increased imperative for robust regulatory oversight, particularly concerning the registration of Subscriber Identity Module (SIM) cards. The Communications Authority of Kenya (CAK), as the primary regulator, is tasked with ensuring that all SIM cards are properly registered to curb a range of illicit activities, including mobile money fraud, identity theft, and terrorism. This ongoing effort is crucial for maintaining the integrity of the telecommunications sector and safeguarding national security.

However, achieving universal and accurate SIM card registration has been a persistent challenge, necessitating periodic enforcement actions by the CAK. One such critical mechanism is the forensic audit of SIM card registration databases maintained by Mobile Network Operators (MNOs). These audits serve to identify non-compliance, expose vulnerabilities, and compel operators to rectify deficiencies in their registration processes. The implications of such audits extend beyond mere regulatory compliance, touching upon fundamental rights, particularly data privacy.

This article provides a comprehensive overview of the legal landscape governing SIM card registration in Kenya, examines the historical context and findings of forensic audits, and analyzes the intricate interplay between regulatory enforcement and data protection principles. It aims to equip legal professionals with insights into the evolving obligations of MNOs and the rights of subscribers in this critical area of digital governance.

Background

The legal framework for SIM card registration in Kenya is primarily established under the Kenya Information and Communications Act (Cap. 411A) and its subsidiary legislation, notably the Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015. More recently, the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, published through Legal Notice No. 90 of 2025, have introduced enhanced protocols and stricter data protection measures. These regulations mandate that only licensed telecom operators and their approved agents can register subscribers, prohibiting proxy registrations except for minors under specific conditions.

The Communications Authority of Kenya (CAK) is empowered by the Act to regulate the telecommunications sector, including ensuring adherence to SIM card registration requirements. The core objectives of mandatory SIM card registration are to create a comprehensive registry of subscribers, enhance national security, combat cybercrime, prevent financial fraud, and deter activities like SIM-boxing and identity theft. Operators are required to verify subscriber details against government databases, and no registration is valid without document authentication.

Historically, the CAK has undertaken several initiatives to enforce SIM card registration, including directives for mass disconnections of unregistered lines in 2013 and 2018. These efforts have often been accompanied by forensic audits to assess the extent of compliance by MNOs. The Data Protection Act, 2019, further overlays this framework, imposing strict obligations on telecommunications operators regarding the collection, processing, and storage of personal data, requiring adherence to principles such as explicit purpose, data minimization, and secure handling of subscriber information.

Analysis

Forensic audits on SIM card registration are a critical enforcement mechanism employed by the CAK to ensure the integrity of subscriber databases. A notable audit in 2018, for instance, revealed significant loopholes in adherence to registration laws by MNOs. Findings from such audits have consistently pointed to issues like incomplete and inaccurate data in subscriber databases, rampant hawking of SIM cards by agents, and insufficient verification of identification documents at the point of sale. In response, the CAK has issued directives requiring MNOs to review their databases, immediately deactivate non-compliant SIM cards (including unregistered, partly registered, improperly registered, fraudulently registered, and those with multiple ownerships), and implement robust systems for verifying identification documents, potentially through integration with the Integrated Population Registration System (IPRS).

The intersection of SIM card registration with data protection and privacy rights has been a contentious area. While the CAK's stated aim is to enhance security and prevent fraud, the methods of data collection have often raised concerns. There has been public outcry and legal challenges regarding the mandatory collection of biometric data, such as photographs, during re-registration exercises. Although some telcos previously sought to collect such data, the CAK has clarified that the Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025, do not mandate the collection of biometric data, despite defining it within the legal framework. The Data Protection Act, 2019, stipulates that data processors, including MNOs, can only process personal data for explicit, specified, and legitimate purposes, and in a manner that is not incompatible with the original purposes of data collection.

Recent judicial pronouncements have further shaped the landscape. In *Law Society of Kenya v Communications Authority of Kenya & 10 others [2023] KESC 27 (KLR)*, the High Court declared the mandatory collection of International Mobile Equipment Identity (IMEI) numbers unconstitutional, affirming the primacy of privacy and data protection against mass surveillance. Similarly, the High Court in *Erastus Ngura Odhiambo v State Law Office & Others (Constitutional Petition No. E290 of 2024)*, delivered on March 19, 2026, held that a registered mobile phone number constitutes a central component of an individual's digital identity, deserving constitutional protection under Article 31. This ruling mandates informed and verifiable consent for the reassignment of deactivated numbers, fundamentally altering how MNOs handle dormant lines. These cases underscore the judiciary's role in balancing national security interests with individual rights, particularly when data collection extends beyond what is strictly necessary and proportionate. Furthermore, while MNOs are not automatically liable for unauthorized lending or adverse credit listings arising from SIM cards if they have complied with registration requirements, cases like *Eunice Wanjiru Mburu* highlight the potential for fraud due to improper registration and the need for robust verification.

Non-compliance with SIM card registration regulations carries significant penalties. Providing false information for registration is an offence punishable by a fine of up to KES 1 million, imprisonment for up to six months, or both. Hawking SIM cards is also an offence, attracting a fine of up to KES 500,000 or 12 months imprisonment, or both. These penalties underscore the seriousness with which the CAK views adherence to the regulations.

Conclusion

The Communications Authority of Kenya's commitment to conducting forensic audits on SIM card registration reflects an ongoing effort to fortify the nation's digital infrastructure against fraud and security threats. These audits serve as a vital mechanism for ensuring MNOs adhere to the stringent requirements laid out in the Kenya Information and Communications Act and its associated regulations, including the recently enacted 2025 Regulations. The findings from such audits consistently highlight the need for continuous vigilance and improvement in registration processes and agent oversight.

For legal practitioners, it is imperative to advise telecommunication operators on the evolving compliance landscape, particularly the heightened emphasis on data protection under the Data Protection Act, 2019. MNOs must implement robust internal audit mechanisms, ensure strict adherence to verification protocols, and respect subscriber privacy rights, especially concerning the collection and processing of personal data. Subscribers, in turn, should be educated on their rights and responsibilities regarding SIM card registration and data privacy. The ongoing judicial scrutiny, as seen in cases defining mobile numbers as digital identity and challenging mass data collection, signals a growing emphasis on constitutional rights in the digital sphere. Practitioners should closely monitor further developments in data protection jurisprudence and regulatory clarifications, particularly regarding biometric data, to ensure their clients remain compliant and their rights are protected in Kenya's dynamic digital ecosystem.

Citations

  1. 1.Kenya Information and Communications Act (Cap. 411A)
  2. 2.Kenya Information and Communications (Registration of SIM-Cards) Regulations, 2015
  3. 3.Kenya Information and Communications (Registration of Telecommunications Service Subscribers) Regulations, 2025 (Legal Notice No. 90 of 2025)
  4. 4.Data Protection Act, 2019
  5. 5.Law Society of Kenya v Communications Authority of Kenya & 10 others [2023] KESC 27 (KLR)
  6. 6.Erastus Ngura Odhiambo v State Law Office & Others (Constitutional Petition No. E290 of 2024)