The Phone Number Was Never Just a Phone Number.
Safaricom has begun masking customer phone numbers in some M-PESA transaction contexts, presenting it as a privacy enhancement under Kenya’s data protection framework: expose only the minimum data a transaction requires. As a reading of the law, it is correct. As a description of what is happening, it is almost beside the point.
Because once you hide the phone number, you have to ask what it was doing there in the first place. And in Kenya, the answer is almost everything.
The number on an M-PESA prompt is not just a way to call someone. It is a bank account, a payment address, a customer reference, an authentication signal, a reconciliation tool and, for millions of people who have never held a formal bank account, the closest thing they have to a financial identity. Masking it is a quiet redesign of the country’s de facto identity layer, carried out by a private company, through what is formally a compliance exercise.
This matters because M-PESA is not a niche payments product. It is Kenya’s dominant retail payments rail, carrying millions of daily transactions across households, merchants, lenders, schools, utilities, and informal businesses. When a system of that scale changes what information travels with money, the consequences do not remain inside a privacy policy. They move into accounting, lending, customer service, fraud controls, merchant relationships, competition, and digital identity.
This is why Kenya’s fintech debate has changed shape without anyone announcing it. For a decade, the argument was about access: who could get data, how much, and on what terms. The digital lending scandals of the late 2010s were access problems. Apps hoovered up contact lists, location data, and SMS logs, and the regulatory response, when it finally came, was to license lenders and tighten what they could collect. That fight is no longer new.
The new argument is about control. Not how much data exists, but who gets to see it, use it and earn from it. Masking is the first visible move in that second contest, and it is worth being honest about what it costs, because privacy is never free. Someone always pays.
Who pays
Consider two everyday payments.
The first is a small merchant running a shop on a Buy Goods till. Where a payment flow exposes a customer’s number, the merchant can recognise the payer, match the payment to an order, call back if there is confusion, or resolve a dispute without escalating into a formal support process. It is a crude tool, but it works. Once that identifier is masked, the reconciliation problem does not disappear. It moves into transaction IDs, reference fields, dashboards, APIs, accounting integrations and support queues.
The second is person-to-person. A parent sends money to a child. A chama member pays the treasurer. A tenant sends rent. A customer pays a boda rider. A relative refunds fare. In these transactions, the phone number is not just personal data. It is a trust signal. It helps the sender confirm that the money went to the right person, helps the recipient identify the payer, and helps both sides resolve mistakes quickly.
This is where masking produces a real tension. On one side, exposing phone numbers in every transfer creates privacy risks: unwanted contact, harassment, data harvesting, stalking, social profiling, and the casual spread of personal identifiers. On the other side, hiding the number can increase uncertainty in transactions that depend on personal recognition. Full names are not always unique. Saved contacts are not always updated. Informal payments often happen between people who are not in each other’s phonebooks. A privacy feature can therefore become a usability problem if it removes the identifier people rely on without replacing it with something equally useful.
For developers, the issue is not philosophical. Many systems have historically treated the phone number as a database key. Once that identifier is masked, transaction matching has to move to confirmation codes, reference fields, customer tokens or API-managed identifiers. That is good privacy architecture, but it is not costless. It forces SMEs and fintechs to rebuild around a new data model.
Multiply that across SMEs, households, accountants, support desks, reconciliation software providers and small fintechs whose products make sense of payment flows, and you see the real transfer. Customers gain privacy. Some merchants and users lose visibility. And the visibility does not vanish. It pools upward, toward the party that can still see the complete transaction graph.
This is the part worth stating carefully. Safaricom already knew its customers before masking; that did not change. What changes, where masking is applied, is the line of sight available to everyone else. The asymmetry was always there. Masking can widen it. The user sees less, the merchant may see less, the platform knows the same, and the gap between them is the thing that matters.
This does not make data minimization wrong. It makes it consequential. Privacy improves one part of the system by moving effort, friction, or cost into another. If that cost is not recognised, SMEs will experience privacy as another operational burden, fintechs will experience it as restricted access, and ordinary users will experience it as one more reason to worry whether money went to the right place.
The competition question hiding inside the privacy question.
Here is where a privacy measure becomes a market-structure measure. A fintech that wants to build loyalty programs, fraud analytics, SME accounting tools, customer insight products, or CRM integrations needs to identify transactions. Strip out the field it used to rely on, and it has two options: build a more sophisticated capability itself or call an API owned by the platform.
In a market as concentrated as Kenya’s mobile-money ecosystem, that dependence is not a small inconvenience. It can become a chokepoint. Every competitor that loses direct data access becomes a little more reliant on the infrastructure of the firm it is trying to compete with. Data minimization, applied by a dominant player, does not just protect the customer. It can quietly raise the toll that everyone else pays to operate.
The honest counter-argument is that this cuts both ways, and a serious piece has to say so. Minimizing the data each party hoards is precisely the precondition for a consent-based system that redistributes it, where the customer, not the merchant or the platform, decides who sees what. Done well, minimization is the foundation of open finance. Done by the incumbent, on the incumbent’s terms, it can just as easily become its moat. Same mechanism. Opposite outcomes. The difference is governance, and governance is exactly what Kenya has not yet built.
The same argument is now playing out globally. In the United States, banks and fintechs are fighting over whether customer data should move freely or be priced as infrastructure. In Europe, financial data access has become entangled with fears that dominant platforms could use data portability to consolidate power rather than widen choice. Australia’s Consumer Data Right and India’s consent-based data-sharing architecture point in a different direction: data should move, but only through permissioned, auditable, and revocable channels. Kenya does not need to import any model wholesale. It does need to recognize that data governance is no longer a back-office compliance function. It is becoming the operating system of financial competition.
AI makes this more urgent. Transaction data is no longer valuable only because a merchant can read it, reconcile it or call a customer. It is valuable because software can infer from it spending patterns, repayment behavior, merchant performance, fraud risk, loyalty, churn and creditworthiness. The institution that controls the cleanest, most complete flow of transaction data is not merely managing yesterday’s payments. It is shaping tomorrow’s financial intelligence. That is why masking a phone number is not a small privacy story. It is an early signal of who will control the training material for Kenya’s next generation of financial products.
What actually replaces the phone number.
It is easy to gesture at the future: customer tokens, consent-based identifiers, pseudonymous digital identities, the architecture of Open Finance. And Kenya’s policy conversation is already moving in that direction, from digital identity to payment interoperability and future data-sharing frameworks. But none of that is operational at the scale this problem demands. Pointing to infrastructure that does not yet work is how policy conversations avoid the present.
The present already contains a partial clue: Kenya understands aliases. A Buy Goods number or PayBill account is not a person’s private phone number. It is a payment alias that allows money to move without exposing the merchant’s personal identity. That does not mean Till and PayBill flows are already a complete solution to payer privacy or reconciliation. It simply shows that Kenya already has the habit of using identifiers that are not raw phone numbers.
The real question is whether that logic can be extended to the customer side and, crucially, who governs it when it does. A good replacement should preserve privacy without destroying trust. In person-to-person payments, that may mean showing a registered name, a masked number, and enough confirmation detail before payment is completed. After payment, it may mean a transaction ID, a consent-based callback option, a simple reversal pathway and an audit trail, rather than exposing a full phone number permanently to every counterparty.
For merchants, the answer is different. They need transaction IDs that work for reconciliation, customer tokens that can support repeat transactions, reference fields that are actually used, APIs governed by clear rules, and consent-based identifiers where the customer agrees to be recognized by a business for a defined purpose. The aim should not be to return to a world where everyone sees everything. It should be to build one where the right parties see the right data, for the right purpose, with the customer’s permission and a clear audit trail.
The replacement for the phone number cannot simply be silence. It has to be a better identifier: transaction IDs that reconcile cleanly, customer tokens that preserve privacy, consent-based aliases that can be revoked, and APIs governed by rules that do not leave every merchant and fintech dependent on private discretion.
An identifier issued and controlled only by the dominant platform solves the privacy problem while deepening the dependence problem. An identifier that is portable, consent-based and usable across providers solves both. The technology may look similar. The power implications are not.
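The identifier sketched above, a masked display number for the payer plus a consent-scoped customer token that lets a merchant recognise repeat customers without ever holding the raw number, can be shown concretely. The sketch below is an added illustration, not M-PESA or Safaricom code; the class name, the "CT-" prefix, the till identifiers and the sample numbers are constructed assumptions.

```python
"""Consent-scoped, revocable customer aliases for merchant-facing records.
Added illustration only; names and sample values are constructed."""
import hashlib
import hmac
import secrets


def mask_msisdn(msisdn: str) -> str:
    """Display form: keep the country code and the last two digits."""
    return msisdn[:4] + "*" * (len(msisdn) - 6) + msisdn[-2:]


class AliasIssuer:
    """Issues per-merchant pseudonymous tokens gated on customer consent.

    The platform holds the secret. A consenting customer gets one stable
    token per merchant (so repeat payments reconcile), tokens for the same
    customer at two merchants are unlinkable, and revoking consent makes
    the old token stop resolving while a later re-grant yields a new one.
    """

    def __init__(self, key: bytes = b""):
        self._key = key or secrets.token_bytes(32)       # platform-held secret
        self._epoch: dict[tuple[str, str], int] = {}     # consent generation
        self._active: dict[tuple[str, str], str] = {}    # currently valid token

    def _derive(self, msisdn: str, merchant: str, epoch: int) -> str:
        msg = f"{merchant}|{epoch}|{msisdn}".encode()
        return "CT-" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def grant(self, msisdn: str, merchant: str) -> str:
        """Customer consents to be recognised by `merchant`; returns the token."""
        epoch = self._epoch.get((msisdn, merchant), 0) + 1
        self._epoch[(msisdn, merchant)] = epoch
        token = self._derive(msisdn, merchant, epoch)
        self._active[(msisdn, merchant)] = token
        return token

    def revoke(self, msisdn: str, merchant: str) -> None:
        """Withdraw consent; the epoch keeps advancing so re-grants are fresh."""
        self._active.pop((msisdn, merchant), None)

    def statement_line(self, msisdn: str, merchant: str, txn_id: str) -> dict:
        """What the merchant's record of one payment carries: never the number."""
        return {
            "txn_id": txn_id,
            "payer_display": mask_msisdn(msisdn),
            "customer_token": self._active.get((msisdn, merchant)),
        }
```

Portability across providers, the point made above, would require the consent record and the derivation key to live outside any single platform; this sketch deliberately shows the single-issuer case.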
That is the choice Kenya is actually making, whether or not anyone frames it that way. Masking a phone number looks like a privacy setting. It is really a decision about where identity sits, who controls the rails of reconciliation, and whether the next decade of fintech competition happens on open ground or on infrastructure rented from a single landlord.
From data protection to data governance.
The data protection framework asks whether we are collecting and exposing the minimum necessary. It is the right question for privacy and the wrong question for the system. The system’s question is the one almost nobody is asking out loud: not how little data can we expose, but who ends up holding what remains?
That distinction matters because Kenya’s digital finance ecosystem is entering a more complex phase. Digital lenders forced the first data-governance reckoning by collecting more than they needed. Mobile-money masking now shows the opposite problem: what happens when less data is exposed, but the replacement architecture is not yet governed. One problem was excessive access. The next may be concentrated control.
Open Finance will force the third question by asking who can move financial data, with whose consent, and at what cost. AI will force the fourth by making transaction intelligence more valuable than the transaction itself.
This is why Kenya should resist the lazy binary. It is not privacy versus innovation. It is not Safaricom versus fintechs. It is not customers versus merchants. The real task is to design data governance for a market where privacy, competition, interoperability, and customer agency all have to coexist.
For regulators, that means moving beyond general principles into operating rules. What data must remain visible for reconciliation? What data should be masked by default? What identifiers should replace phone numbers? Who can issue them? Can they be ported? Can they be revoked? What must APIs expose, and on what commercial terms? What happens when a customer wants to share transaction history with a lender, accountant, insurer or loyalty provider? What prevents a dominant platform from turning privacy into proprietary control?
For industry, it means accepting that compliance alone is too small an ambition. A market that merely hides more data without building better consent, tokenisation and portability may become more private but less competitive. A market that keeps everything visible in the name of innovation may become more usable but less trustworthy. The next generation of digital finance will be built by those who understand that trust and utility are not opposites. They are infrastructure.
The question Kenya should ask now.
The question Kenya should ask is not whether masking is good or bad. It is what we are breaking while trying to fix privacy.
That is not a cynical question. It is the adult question. Because data minimisation, done well, protects people from unnecessary exposure. Done badly, it pushes dependence upward into the platform and leaves the rest of the ecosystem with less room to compete, build and serve. Open Finance, done well, gives customers meaningful control over the movement of their own financial information. Done badly, it turns every useful data stream into another field for extraction, profiling and AI-driven discrimination.
Kenya therefore needs a new vocabulary. “Ownership” is too blunt. Very few legal systems treat personal data like property in the ordinary commercial sense. The more useful language is "rights of access," "portability," "permissioning," "revocation," "accountability," and "benefit." Who can move the data? Who can use it? Who can stop its use? Who can monetize the insights that come from it? And when privacy and competition clash, who decides the balance?
That is why this moment matters far beyond one telecom or one payments flow. Kenya’s next phase of digital-finance regulation will not be won by whichever side shouts loudest about innovation or privacy. It will be won by whoever can build a governance model that does both: minimize exposed personal data while preserving competition, interoperability, and customer agency.
The future of data governance in digital finance will not be decided by who has the biggest database. It will be decided by whether the customer can make data move safely, selectively and intelligibly, without surrendering dignity, without crippling usability, and without handing permanent strategic advantage to whichever platform happened to get there first.
Kenya answered the access question the hard way, through scandal and belated regulation. It still has time to answer the control question on purpose.