TELECOMMUNICATIONS · FRAUD

The analyst cleared the alert. Then the court asked why.

In a mobile-money economy, a SIM swap is a route into a bank account. When the money is gone, the question lands on the fraud desk: who cleared the alert, and on what basis? In Kenya, that question is already a legal one.

The structural flaw is simple and well understood. In Kenya's mobile-first economy a phone number doubles as a banking username and a mobile-money account, so control of the number is control of the money. A fraudster who persuades or bribes an agent to swap a victim's number onto a new SIM can reset PINs, intercept one-time passwords, and drain accounts within minutes. The Communications Authority of Kenya and the Central Bank of Kenya have warned about it repeatedly, and a mandatory SIM re-registration exercise saw more than 124,000 cards deactivated.

The scale is documented. A World Bank survey ranked Kenya among the most exposed markets in a sample of sub-Saharan countries, with close to half of mobile users reporting fraudulent calls or messages. The losses are concrete and named: a businessman who lost 495,651 Kenyan shillings — roughly 3,800 US dollars — to a SIM-swap, and who has since brought a class action against the operator and the Communications Authority, joined by other victims including a widow defrauded in her late husband's name. The suit alleges the operator failed to provide secure services and the regulator failed in its duty.

That class action changes the character of the fraud desk's work. The analyst clearing alerts is no longer making an internal risk decision; they are creating a record that may be read in court. The desk handles a high volume of alerts — swap requests, device changes, anomalous transaction patterns — under pressure to clear the legitimate ones fast so customers are not locked out. Most alerts are noise. The cost of clearing the one that mattered is now measured in litigation, not just chargebacks.

Two failure modes sit on either side of the analyst. Block too aggressively and legitimate customers are stranded, the complaints rise, and some of them reach the regulator's consumer unit. Clear too readily and a fraudulent swap goes through, the money is gone, and the basis for the clear has to be reconstructed after the fact — usually from memory, because the alert-clearing tool logged the action but not the reasoning. Neither failure is survivable at scale once the courts are watching.

The cost of a wrongful block is not symmetric with the fraud loss, but it is real. A legitimate subscriber locked out of their line and their money — during a medical emergency, a school-fees deadline, a supplier payment — experiences the operator's caution as the failure, and a share of those cases become the very complaints that reach the regulator's consumer unit. Operators have begun deploying real-time classification against hundreds of behavioural parameters to triage suspicious activity without freezing genuine customers. But a classifier that cannot explain why it held a transaction simply moves the defensibility problem from the fraud desk to the complaints desk; the operator still cannot say why a particular customer was stopped.

The detection problem also crosses an institutional boundary. The strongest signal that a swap is fraudulent often sits on the bank's side — an account that changed devices and immediately attempted a large transfer — while the swap itself is the operator's event. Matching the two requires the telco and the financial institution to reason over the same pattern, which runs straight into the data-protection perimeter. The pattern is shared; the identities cannot be.

The fraud also has an insider dimension that pure transaction monitoring misses. Many swaps succeed not by deceiving the operator's systems but by compromising its agents — the recovered toolkits of arrested fraudsters routinely include forged identity documents, replacement SIM stock, and till-number application books. Detecting that means reasoning across agent behaviour, swap velocity, and the transactions that follow, together rather than in isolation. The global standard-setters are pushing in the same direction: the Financial Action Task Force increasingly expects mobile-money providers to demonstrate exactly this kind of monitoring as part of their anti-money-laundering obligations. The desk is being asked to find collusion, not just anomalies, and to show its working when it does.

The alert-clearing tool logged the action but not the reasoning. The reasoning is exactly what the court will ask for.

HOW THE THREE PRODUCTS HANDLE THIS

Where each sits.

AKKI

Akki ingests the signals that matter — swap and replacement requests, device and IMEI changes, location anomalies, and the transaction patterns that follow — as a governed substrate rather than a tangle of point integrations. Every input to a fraud decision is logged, so the basis for a clear or a block can be reconstructed exactly, not approximately, when it is later questioned.

SOLVA

Solva structures the alert reasoning and, critically, refuses to auto-clear or auto-block on thin evidence. Where the signal is ambiguous it surfaces what is missing and holds, rather than forcing a decision the evidence does not support. Underneath every disposition sits the audit trail — the signals weighed, the reasoning, the confidence — which is the artefact the class-action court is reaching for. The refusal is the integrity, and here it is also the legal defence.
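A sketch of a disposition that holds on missing or ambiguous evidence and records its reasoning with the action, added here as an illustration; it is not Solva's code. The signal names follow the article, while the weights, thresholds, field names and the `decide` function are assumptions.

```python
import json
from datetime import datetime, timezone

# Signal names follow the article; the weights and thresholds are assumptions.
WEIGHTS = {
    "device_changed": 0.25,             # new IMEI seen after the swap
    "location_anomaly": 0.20,           # swap requested far from usual location
    "agent_swap_velocity_high": 0.30,   # agent processing unusually many swaps
    "large_transfer_after_swap": 0.25,  # bank-side follow-on transaction
}
BLOCK_AT, CLEAR_AT = 0.50, 0.20


def decide(alert_id, signals, analyst):
    """Build the audit record for one alert.

    signals maps signal name -> True, False, or None (not yet observed).
    """
    missing = sorted(k for k in WEIGHTS if signals.get(k) is None)
    weighed = {k: w for k, w in WEIGHTS.items() if signals.get(k) is True}
    score = round(sum(weighed.values()), 2)
    if missing:
        disposition = "HOLD"
        reasoning = "evidence incomplete; waiting on: " + ", ".join(missing)
    elif score >= BLOCK_AT:
        disposition = "BLOCK"
        reasoning = "fraud signals present: " + ", ".join(sorted(weighed))
    elif score <= CLEAR_AT:
        disposition = "CLEAR"
        reasoning = "all signals observed; score at or below clear threshold"
    else:
        disposition = "HOLD"
        reasoning = "all signals observed but score is between thresholds"
    return {
        "alert_id": alert_id,
        "analyst": analyst,
        "decided_at": datetime.now(timezone.utc).isoformat(),
        "inputs": dict(signals),          # exactly what was seen
        "signals_weighed": weighed,       # what counted, and by how much
        "missing": missing,
        "score": score,
        "coverage": round(1 - len(missing) / len(WEIGHTS), 2),
        "disposition": disposition,
        "reasoning": reasoning,
    }


if __name__ == "__main__":
    # Constructed alert: the bank-side signal has not arrived yet.
    sample = {"device_changed": True, "location_anomaly": False,
              "agent_swap_velocity_high": False, "large_transfer_after_swap": None}
    print(json.dumps(decide("ALERT-0001", sample, "analyst-07"), indent=2))
```
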

SYNISENSE

SyniSense is what makes cross-institution detection lawful. When the operator and a bank need to match a swap event against a suspicious transaction, SyniSense anonymises subscriber and account identity at the perimeter so the shared pattern can be found without either party exposing identifiable customer data. The fraud is caught inside the boundary; the citizen's data never crosses it.
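An added illustration of matching a swap event against a bank-side transfer without exchanging phone numbers; it is not SyniSense's code. It swaps in a keyed HMAC pseudonym as the technique, since a plain hash of a phone number can be reversed by enumerating the number space. The key, field names, 30-minute window and sample rows are all constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta


def token(msisdn, key):
    """Keyed pseudonym for a phone number (HMAC-SHA256)."""
    digits = "".join(ch for ch in msisdn if ch.isdigit())
    if digits.startswith("0"):            # assumed local format -> 254 prefix
        digits = "254" + digits[1:]
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def export(rows, key):
    """Replace the msisdn field with its token before rows leave the perimeter."""
    return [{**{k: v for k, v in r.items() if k != "msisdn"},
             "token": token(r["msisdn"], key)} for r in rows]


def match(telco_rows, bank_rows, window=timedelta(minutes=30)):
    """Tokens with a bank-side transfer inside `window` after a SIM swap."""
    swaps = {}
    for r in telco_rows:
        swaps.setdefault(r["token"], []).append(r["swapped_at"])
    hits = []
    for b in bank_rows:
        for swapped_at in swaps.get(b["token"], []):
            if timedelta(0) <= b["at"] - swapped_at <= window:
                hits.append({"token": b["token"], "amount": b["amount"],
                             "delay": b["at"] - swapped_at})
    return hits


# Constructed sample data; the key and the numbers are placeholders.
KEY = b"constructed-demo-key-not-for-production"
T0 = datetime(2024, 1, 1, 9, 0)
TELCO = [{"msisdn": "+254 700 000001", "swapped_at": T0},
         {"msisdn": "+254 700 000002", "swapped_at": T0}]
BANK = [{"msisdn": "0700000001", "at": T0 + timedelta(minutes=4), "amount": 495000},
        {"msisdn": "0700000002", "at": T0 + timedelta(hours=9), "amount": 1200},
        {"msisdn": "0700000003", "at": T0 + timedelta(minutes=2), "amount": 80000}]

if __name__ == "__main__":
    for hit in match(export(TELCO, KEY), export(BANK, KEY)):
        print(hit["token"][:12], hit["amount"], hit["delay"])
```

The tokens are pseudonymous rather than anonymous: whoever holds the key can recompute them, so the key has to stay inside the perimeter component and be rotated like any other secret.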

WHAT CHANGES

For the analyst, the decision carries its own defence. Clearing or blocking an alert produces a reasoned record automatically, so the high-volume work no longer accumulates undocumented exposure. The pressure to clear fast no longer trades directly against the risk of being unable to explain a clear later.

For the operator's legal and risk functions, the posture shifts from reconstruction to record. In a class action that turns on whether the operator provided secure services, the ability to show a documented, refusing-on-thin-evidence decision process is materially stronger than a log of actions with no reasoning attached.

For the customer, fewer fraudulent swaps get through and fewer legitimate ones are wrongly blocked, because the desk is working a list with the noise held back. In a market where the fear of fraud is itself a drag on mobile-money trust, that is a commercial as well as a protective gain.

For the regulator — both the Communications Authority on the SIM side and the Central Bank on the money side — the operator can demonstrate a fraud process that is governed and inspectable, which is the standard the warnings and the litigation are pushing the whole market toward.

For the operator's relationship with its banking partners, a governed boundary makes collaboration possible that compliance teams would otherwise block. Banks and telcos each sit on half the fraud signal; the reason they share so little of it is the data-protection exposure of doing so. A perimeter that lets the shared pattern surface without exposing identifiable customer data turns a stalled conversation into an operational one — and closes the gap that fraudsters currently exploit precisely because the two institutions cannot see across it.
