Are communications providers ready to take on the responsibility for delivering more advanced financial services over the phone? Bank failures have occurred all over the world, raising fears that communications providers could also begin to fail if they lend money but are not subject to rules about capital reserves and competent regulatory supervision. But it would also be a mistake for governments to suffocate services like mobile money that have transformed the lives of millions of Africans, Asians and Latin Americans who were previously unbanked. How much financial risk is it acceptable for communications providers to take, how should they upgrade their own competence to deal with those risks, and how does the increasing popularity of online and mobile banking change the risk profile for frauds like SIM swaps? These are some of the questions debated with Joseph Nderitu, a Director at Integrated Risk Services. Joseph started his telecoms career at Safaricom and has since advised many of Africa’s leading operators on the risks surrounding the delivery of mobile money services and other financial services.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hello, my name is Eric Priezkalns and this is the Communications Risk Show, the live
streaming conversation show about the risks faced by comms providers and their customers.
Every Wednesday, we discuss topical issues with experts from around the world of electronic
communications and we stream the show live so you can also join the conversation, asking
questions and making observations as we go along. To ask a question, simply type it into
the messaging field immediately beneath the streaming window on our website at
Messages are anonymous, include your name if you want me to read it out. This show is
also streamed live on LinkedIn, so you can also leave comments there. One of our team
will be keeping an eye and let me know about the questions and observations you make there
too. We'll try to read out as many as we can in the time during the show. And today's show,
we will be discussing the very fine line that now divides some telcos from financial service
providers, the risks that result from handling customers' money and how to get the regulatory
balance correct. It's a topic that has really come to the fore at Safaricom, the Kenyan
telco that started the mobile money revolution with the creation of M-Pesa faces a billion
dollar lawsuit over how it's regulated. Safaricom also faces mounting pressure over the number
of crimes where customers have had their mobile money accounts hijacked. There's no better
person to talk about these topics than our good friend Joseph Nderitu, who will join
us later. Joseph is the Director of Integrated Risk Services and one of the first men to
provide assurance of mobile money services when he was a manager at Safaricom. But first,
let's engage in some topical chat with my co-presenters, Ed Finegold and Lee Scargall.
Ed joins us from Chicago, where he's an author, analyst and strategic advisor to tech and
telecoms businesses. And Lee joins us from Manama, capital of Bahrain. Lee's career has
seen him switching between executive management and freelance consulting for a wide variety
of commerce providers in the Middle East, Europe, Caribbean and Asia. Hello, Ed. Hello,
Lee. It's great to have you both back on the show again. I will kick us off in fine style.
I'm going to pick on you first for this one, Ed. Have telcos gone too soft? That's a little
play on words there. The triumph of software makes everything cheaper. Of course, we live
in an era where everything is run by software, but having the same code over and over again
on more and more machines, well, it might be saving us money, but there's a danger here
that if there's a vulnerability, especially with a networked computer, that that vulnerability
is going to be exploited by bad actors all around the world. And it seems that telcos,
like other businesses, are increasingly at risk. There was the enormous data breach at
Optus, where the data of 10 million Australians was compromised because of a leaky API. There
has been a reported 627% increase in ransomware attacks per data security provider. Watch
out for all kinds of businesses, not just telcos. It must be something that telcos worry
about too. And hackers used a supply chain attack to insert data stealing malware into
the 3CX VoIP software system used by 600,000 organizations, including BMW, McDonald's,
and the UK's National Health Service. So, starting with you, Ed, should we be thinking
in all seriousness, this is a tech analysis problem here, in all seriousness, thinking
about the tech, thinking about the security, thinking about the risks, should we be starting
to think that actually migrating towards common platforms to save money, that might be a mistake
and we should be thinking about keeping businesses a little bit more diverse than they would
otherwise choose to be?
Yeah. I mean, I think going back, I think three years, when I started looking more at
the cyber side and talking to people that are experts in defense in depth, I think they've
been making that kind of argument as one of many items on a list of important things that
aren't always done as consistently as maybe they could be from a security point of view.
And so, again, it depends on the practitioner you talk to. It's so hard to generalize, but
I think what ends up happening is the people who are making these attacks are finding the
inconsistencies. I think that's the problem that you're pointing to. And then when there's
an inconsistency that, to your point, effectively goes viral, and the communication about it
goes viral, I think is what we've seen. You and I have talked about that before, especially
a lot of the way these groups work in information sharing and people knowing where to find the
information to go repeat a scam or hack. And we see that kind of effect in parallel finding
those weaknesses. So yeah, I mean, I think that commonality issue points to a need for
diversity, but let me throw this back to you, Eric, and Lee as well. I think for any of
these issues, what I keep coming back to is whether we like it or not, we're all living
these digital lives. We have digital selves. A lot of times they're being forced on us,
especially as more and more brands want you to go digital and not necessarily go physical
or manual, right? That whole trend. So this is being forced on you and the digital life
is under attack. And I don't want to be the, oh, it's the war on drugs, it's the war on
terror. I'm not going down that line, but I think we need to step back and say, hey,
are we thinking about things the right way to have the right structures and laws and
enforcement in place to classify these things the way they should be classified? I started
thinking about this a few weeks ago. I'll quickly say when we were talking about police
officers not recognizing an MZ scanner or sniffer, right? And only grabbing it because
they thought it was a bomb, right? And then going down that path and thinking about the
fact that like, hey, the stakes are higher than maybe we're giving them credit for. And
so I think that's some of the issue that then points back to what you were saying, Eric,
which is like, yeah, identifying where a lack of diversity creates those big gaps is absolutely
necessary, right? That's part of defensive depth, continuous monitoring, and all those
good best practices that the cyber folks, they're real smart cyber folks will talk about
Lee, do you want to jump in here?
Yeah. So, I mean, this is like one of those final year university questions on cybersecurity,
right? So, you know, I want to start by saying that no kind of exploit, right, is prevented
by diversity, right? That's the first thing I want to say. But diversity, it simply ensures
that no one can take over the entire network from just one exploit, right? So, in a way,
diversity is a good approach. However, it's a difficult question to answer. Because what
if diversity brings more vulnerabilities, right, because of bad coding or lack of security
testing, right? So, I think diversity can be a good thing, providing like software developers
and device manufacturers, if they adopt best practices, like print or principles like security
by design, and they use the security frameworks to ensure that all the vulnerabilities are
kind of ironed out before the product is launched, then we kind of get the best of both worlds.
So we get the resilience from the diversity. And we also get more robust security measures
at the same time.
Well, I've heard you say before that you tend to like situations where the telco uses multiple
suppliers and not to depend upon one supplier. So you could say that that's already an example
of some form of diversity here. But are we just are we talking at the right level here?
So is it also a case that we just too many things are being done in the same way across
businesses as well, that we're turning to follow certain patterns of behavior that make
ourselves vulnerable? I mean, to give you an example, more and more businesses, they
have their call centers, the call centers aren't even in the same country as the business.
Why? Because the call centers itself a form of business model, and we just get these people
in these warehouses to just make these calls, handle these calls for us. Are we then surprised
that these people then become very easy targets for criminals? Criminals who say, look, these
people don't get paid very much money, but they have access to systems, they have access
to the data we want, they can change around the customer's profile. Is there an argument
here that we should be looking for more diversity in how we work as well as the technology we
use, Ed?
Yeah, it seems like any individual would say, oh, I'm not surprised that this logically
happens when you put people who, for various reasons, are easily turned to the negative
and to participate in schemes at various levels. Many individuals, I think, would say, oh,
we shouldn't be surprised. But as a society, or maybe even in the media, we kind of talk
about it every time, like we are surprised, like, look at this breach that happened, look
at this horrible thing that happened with this corrupt call center, or with this person
who was bribed, and we look at it kind of in the specific and say, oh my, and then walk
away from it, as opposed to recognizing this happens all the time, constantly. And what
are we doing about that aspect of it other than saying, hey, this makes for an interesting
story where we can be outraged and say, oh my, right, that's the thing that concerns
And that's why I keep saying, hey, we'll take it more seriously. You know, your digital
life is under attack, and I'm going to keep beating that drum, however annoying it might
I think you should keep beating it. Lee, it's the problem that we're not putting the right
value here. We're not pricing in risk in the correct way that we keep running towards the
cliff edge and falling over the cliff edge. You've talked before about the effect on share
price of data breaches. Is it a case here that, I mean, how does a business start putting
a value on just having some diversity, have greater strategic approach to security, even
though if it works, well, you're not going to have the hacks, you're not going to have
the problems, you're not going to have the impact on the share price. Is there some way
that we're missing a trick here in terms of appreciating the value over a longer term
in terms of changing and making our approach to securing our businesses more sophisticated?
Yeah, I mean, I've always said that businesses need to have resilience, right, no matter
whatever it's around security or whether it's around operations, you need to have resilience
in there. We've seen, you know, there's been lots of examples where resilience hasn't been
kind of, hasn't been kind of implemented in a particular organisation, and that has a
big impact on the share price. And it really can, because if you look at the statistics,
it probably goes and impact your share price by about, you know, negative 10%.
Well, this is a topic we'll come back to later in the series as well when Carson Knoll will
be telling us about security vulnerabilities we found, he found in cloud containers used
by telco operators, and of course, lots of businesses may be using the same kind of cloud
containers, making them also vulnerable to the same kinds of hacks. But now, here's a
message from our service sponsors, Bluegem. Bluegem provides testing services to telcos,
government and software businesses on a global basis. They do this using real phone devices.
That means they can generate genuine network events, including video music streaming. They
can even replicate fraudulent bypass calls using real SIMs situated across their global
network platform. These real network events allow Bluegem to advise your business about a
range of key areas including roaming service assurance, customer journey testing, SIM box
detection, and OTT and refiling fraud detection. They can detect SIM box fraud using a hybrid
developed system of automated devices and crowd testers, which means they detect a higher
rate of fraud than others. And the popularity of OTT applications like Viber, WhatsApp and
Telegram, well, that's been leading to an increase of OTT bypass fraud, which means that you
should be thinking about Bluegem's OTT solution, which automatically detects IP voice and
chat apps for any fraudulent activity. Bluegem's approach to fraud bypass is to use a
risk-based test methodology, which means they strategically target high-risk routes and
countries to detect both on-net and off-net fraud. With automated alerts, their customers
are able to profile fraudulent routes quickly, and Bluegem's flexible solution can adapt to
ensure fraudsters remain unaware of their detection. So if you want assurance of your
internet routes, and you want to tackle SIM box, OTT, or refiling frauds, or you want to
deal with a host of other issues that require proper network-based testing of how the
equipment and services run, then you should call upon the experienced team of specialists at
Bluegem. Their URL? So back to the topical chat, guys, let's continue
the theme. Leasing Manama, which rhymes with banana. And I've been thinking about
bananas because this biodiversity thing, it's not just the electronic domain, it's also the
organic domain that we can learn about the importance of diversity and biodiversity,
whether it's diseases that spread across the planet, like wildfire, and cause us all to stay
home for two years in a row, or the diseases that plague bananas, because the bananas that
we find in a typical store, it's all the same type of banana, the Cavendish, which makes it
susceptible to the disease being passed from one to another to another. So should we be
thinking about more variety in how we provide services online, so that therefore,
criminals at least have to go to the extra effort of devising different ways of attacking
different services, rather than now increasing just using the same method and
porting it from one business to the next business to the next business with the telco, the
telecommunications service being the sweet spot, and in particular, SIM swaps, SIM swaps
being the issue. Is there a way, Lee, that we could start to take a kind of diversity of
banana type theory here, and apply it to say how we identify users, how we determine or
authenticate human human being is, so it's not always the case that all you have to do is
take over their phone account, do a SIM swap, and there you go. Suddenly, now you can
pretend to be someone else who can access the older services that are built on top of them.
Yeah, so it's actually amazing how much our lives now are centered around the mobile,
right? So not only do I use mine for messaging, I also use it for banking, I use it for like
monitoring my home security, tracking my fitness, social media, all this type of stuff.
But the problem is, one of the main things that we use our mobile device for now is for
two-factor authentication, right? So that's receiving OTPs via SMS, which makes it a
target for fraudsters, right? Now, when you look at, there's actually three things, or
three common factors that are used for authentication, right? So it's something you
have in your possession, right, such as a device, something you know, right, such as a
password, or something you are, right, which is a biometric marker, so it's like a
fingerprint, facial recognition, or an iris scan, right? The problem is, is that most of
this two-factor authentication, it uses something you have, right, and something you
know. So when your mobile account is taken over via a SIM swap, right, it completely
bypasses the something you have element of that, because the device is effectively being
controlled by somebody else. Now, personally, I'd like to see more use of biometrics,
right, such as fingerprinting, you know, very easy on the phone, yeah, facial
recognition technology being used for authentication, right, instead of there's
something you have element, right, especially when it's a mobile device, right? For me, I
mean, biometrics seems like a much better way to go than OTPs sent to a mobile device.
That's like comparing a banana to an apple, isn't it? Whereas instead of like the
disease attacking a banana, now we've got a different kind of fruit, and it's got to be a
different kind of attack, and therefore, we now have to take over, we have to replicate how
your voice sounds, or we have to replicate how your face is, and of course, this can be
done, but it adds another layer. Do you agree, Ed, that we're not putting in enough layers,
enough variety into the way that we're authenticating people, and that's making us
Yeah, I mean, I definitely agree with Lee in the way that he characterised the way that
the something you have tests are consistently being defeated. There is, I think, a
critical mass of something you are, like sensors and what have you built into devices
out there to start to really not just make that a good argument, but make it an
implementable argument on a wide scale pretty quickly, right? So it would be good. I
agree that biometrics is definitely helpful in the solution, but the other piece we
talked about that's a fundamental weak link in this, and Eric, forgive me if I jump the
gun here, but the phone number, the relationship with the phone number in all of this,
and the fact that a phone number is not really something you typically own, but it is a
core part of your digital identity that a lot of other tests link off of, or a lot of
other communications paths for authentication tests ride over, that's a problem that we
created for ourselves, right? We kind of painted, accidentally painted ourselves into a
corner as an industry, and that's, I think, one of those elephants in the room that
really needs to be addressed and discussed. We can do a whole show on why nobody wants
to talk about that too much. If you look at SMS and A to P type revenues, things like
that, right? But, yeah, I think that that relationship, that underlying relationship of
the digital identity to the phone number and the fact that no one really owns the phone
number, which is why it can therefore be hijacked at all in a similar swap in various
ways, whether it's technical or bribe or coercion or whatever it is, there's just a
fundamental problem that can be attacked in the system that I think needs to be addressed
much better to solve some of these problems.
Now, here's the thing that I find strange. We had the guys on from Latro on last week,
and of course, a lot of effort is put in to identify where people are when a crime
occurs. Why are we not putting any effort into working out where people are when
they're using their phones? Because surely one of the most straightforward ways of
indicating that you are the genuine person that you are and not somebody who's taking
over your phone account is where your phone is when you're trying to engage in some
kind of transaction. A criminal doesn't live in my house. They could take over my
phone number, but they're not going to live in my house. You can see from my patterns
of movement and behavior. What I find strange is that whenever I go abroad and I get
my credit card out, almost certainly straight away, the credit card company will say,
oh, you've never been in that country before. We won't let you use your credit card
abroad, which kind of is super annoying because the whole point of me taking a credit
card is that I wanted to use it abroad. But at the same time, it seems as though phone
companies, who should have a lot more granular data about location, don't seem to be
making any use whatsoever of location. Is that correctly? Am I painting the industry
wrong here? Is there more being done to take advantage of location data? Another
source of data that we should have on users, but doesn't seem to get much use at all
whenever you hear about SimSwap fraud.
Well, it's actually interesting you mentioned this because a couple of months ago I was actually reading an article that there is actually an Australian
company which are actually trialing this right now. So with banks. So when you go to an ATM,
you put your ATM card in, it actually checks to see your location to see if you're actually
within that cell site, within that vicinity of the ATM. So some companies are doing it.
Check out the ones in Australia who are doing it. But I think I think it's a good approach
to go. Yeah. So comment here from Marcus. For me, this comes back to KYC. If you understand
what you have sold, who you've sold your SIMs to, bypass fraud becomes very difficult,
even with modest detection capabilities, because the fraudsters lose the ability to replace
their cancelled SIMs. Also a critical challenge in the payments. Well, that's a fascinating
point of view. I will come back to it in a second. Because next, I need to do another one of our
adverts. And this is our Symmetry Prism Fact of the Week. Now, each week, the Symmetry Prism
team supply me with an interesting fact to read out to the rest of you. And that fact will be
about the fraud intelligence that they gather by combing through the underworld and discovering
the things that they're doing to trick and deceive us all the time. And here's a fascinating
fact that they've given me to share with you this week. Bad actors are advertising services
that would allow criminals to send over 100,000 fraudulent SMS messages for the very low price
of just 40 US dollars a week. Not only do they get all those messages for that cost,
but the customers of those services can also choose whichever call ID they want to be the
apparent source of those messages. And to make life really easy for bad actors, they let their
customers, the criminal customers, run the entire process from an app installed on their own phones.
How hysterical is that? That you can use an app on your phone to commit crime with other phones.
So contact Symmetry Solution and their Prism Fraud Intelligence team if you want to learn
more about methods used by criminals and the ways you can anticipate and prevent them from
succeeding. Reach out to them at Now, Ed, obviously, we're
going to have Joseph on in a little while here. And we, in some ways, Safaricom are a great example
of a business that's taking the lead. We're trying to deal with some of these issues. For example,
they've agreed with six Kenyan banks that Safaricom's API will be used to check if a SIM
has been replaced recently. Because if you check that it's been replaced recently, then the bank
doesn't necessarily have to allow a big transaction to go through. It's a common sense way of maybe
filtering out the most obvious kind of crime and giving the customers some chance to get back
control of their account, report that something's happened to their account before a crime is taken.
However, a French anti-fraud service claims that 51% of mobile-based transactions in Kenya
are flagged as suspicious. And Safaricom has for years now adopted a policy of including in their
annual financial reports the number of staff fired for mobile money fraud. It fell to 24
in the last financial year, which we've got a report for, which ended in March 2022. But it
was 52 back in 2017. So it's coming down. But nevertheless, they've been trying to eradicate
the problem. There's still going to be staff who attempted to commit and abet crime. And it's
difficult to work out what's going on sometimes because of all this flagging of suspicious
transactions. Ed, thinking about the privacy aspects as well as the security aspects here,
is it time for telcos to start implementing more rigorous monitoring of their own staff in order
to stop these crimes? I think that I have to unpack that. I mean, the obvious answer is yes.
But is it? I mean, I don't know, because now you've got a spy on your computer,
people are monitoring your behavior at work. I mean, there's privacy issues here too. So
that's why I'm saying it may not be obvious. I would say this, that having done a lot of work
in the last few years on the banking side and seeing how technologies like analytics and real
time communication are used, it's not over engineered. These things can be used very
effectively to do detection and warning or triggering of a process. It's capable if the
technology exists in the world to go do this kind of thing pretty effectively. And so the same,
I think more or less, it's the same suppliers in many cases to telecoms in the fraud space who do
these kinds of things. And so I think it makes sense. Again, forgive me, I'm going to keep beating
that drum, but if you take a step back from it, it's that greater conversation of saying, okay,
we see what the scammers are doing, not just looking at it as a million pinpricks,
but looking at it like as the entire threat surface and saying, okay, we see attacks,
for example, on the scenes between telecom and banking, because that's where the money's at,
and that's where identity is at. That's why we see phone numbers get attacked,
which then lead to bank accounts being taken over. So those are the really big, obvious pieces that
you can start with that probably impact the most people and start to say, well, what are we doing
wrong? And there's endless literature on what's being done wrong, which is why we then get into
these conversations about is there enough action? Is it time to take action? It is past time to
take action. People are being attacked. There's not enough teeth. And that was why I came back
to what you were saying about to stop these crimes. I'm not sure the powers that be yet
care about stopping the crimes if they're not liable to do so. So what's the soft spot that
gives them a reason to act to solve the problem? I think that's really the question that probably
everybody's challenged to find. Anyone who's trying to sell them something is trying to figure
out as well. To sell a solution to this is trying to figure out as well. Yes?
Yeah, I hear you. Lee, have you looked at alternative ways of trying to address these
frauds? And in particular, what can be done in terms of keeping an eye on your own staff?
Well, I'm hearing a lot more stories these days, Eric, that customer service agents are actually
being contacted via direct messages over LinkedIn and attempting them to perform SIM swaps and
offering anything up to about $50,000. So that's a lot of money, right? And would probably tempt
most people in the kind of situation, right? So long gone are the days when fraudsters
used to hang around car parks, the contact sensors. These days, what they do is they just
connect directly and they can connect from anywhere in the world. So if you don't believe
how simple it is, just go on to LinkedIn, type your telcos name and type customers name
and put customer services in and you might be surprised what you find, right? So just prior
to coming on here, I actually did it and I did it for AT&T in the US and that returned 51,000
results, right? So, you know, you've only got to get lucky once by contacting these people.
Just to be fair, I did it for Vodafone in the UK as well. That returned five and a half
thousand results, right? But this is the interesting thing. When I researched for T-Mobile in
Germany, it only returned 17 results and a lot of those profiles, they were all restricted
views. So I couldn't see who they were and I couldn't connect to them, right? So maybe
T-Mobile, they might have a policy in place which kind of restricts their employees from
doing that, which I think is a good thing. Maybe, maybe, maybe it's a language difference,
I don't know. It could be, it could be. This could come back to the diversity point again.
Maybe T-Mobile don't have many people working in customer services anymore, I don't know,
but I doubt that's the case, right? I'm sure this is a policy of T-Mobile.
Well, it's fascinating that you mention AT&T because of course they've got a terrible
reputation for SIMS rock fraud. I'm sure that they wouldn't like me saying it but the newspaper
headlines speak for themselves. They're always being named over and over and over again by
celebrities, famous people, wealthy people. There's been a string of
lawsuits involving them. In fact, they got off one recently, a big case where a cryptocurrency
investor had initially sued them for 224 million US dollars. And you talk about how cheap it is to
find people. They did catch in the end the thief who stole, the leader of the thieves who stole
the money, a kid, Ellis Penske, who was just 15. I know what we said last week. Young man, again,
despite you insisting it's the women doing it, Lee. Another young man, Ellis Penske,
he agreed in the end after he was caught to pay 22 million dollars in restitution, but he would help
his victim, Michael Turpin, to sue AT&T. And he was helping him by pointing out how easy it is to
bribe the staff of AT&T and other telcos. He was talking about, you only need $200 to bribe these
people in order to get them to do the SIMS rock fraud. But in the end, the judge throughout the
case said that AT&T weren't liable, which I don't know if that sets a bad precedent in terms of
your staff being bribed and then no one being held accountable for that. That seems to me to be
opening the door to encouraging a lot more bribery, which is why I say maybe you need to be thinking,
Lee, about putting spies inside the technology that your staff are using, keeping an eye on their
behavior, keeping on their movements, because the legal system doesn't seem to be up to speed with
supporting or assisting companies in doing this. But we are at risk as telcos of being sued for
enormous amounts of money because somebody relies upon their phone, the home gets hacked,
and you don't know about how much is held in their cryptocurrency wallet or how poor the security is
around that. But they're going to look and want somebody to reimburse them. Who are they going
to turn to? They're going to turn to the telcos. The telcos got a deep pocket. Comment here from
Mahmoud Farouk. He says, relationship checks would help flag suspicious transactions. That's a good
point as well. We've continued the chat, but now another little ad break, but this isn't really
like an ad break because this is from our good friends at OneRoute. Now, each week, Jeffrey Ross
of coal authentication, fraud prevention, and geolocation specialist OneRoute takes us on a
trip around the world via our phones. And this week, Jeffrey is going to take us on the journey
to Italy. So producer, James Avanti. Hey everyone from OneRoute. I'm Jeffrey Ross, and this is the
world in your phone. Let's talk about Italy. Now, as we say in Texas, Italy. Now there's a lot of
fun facts about Italy as it is one of Europe's most visited countries with a long history, rich
culture, and really good food. How much do you know about this amazing country? Did you know that
Italy is actually one of the world leaders in protecting our kids online? In fact, in 2021,
Italy ordered TikTok to block underage users after the unfortunate death of a 10-year-old girl
while trying to film a viral challenge. So now TikTok has been ordered to block access to users
whose age cannot be confirmed. Italy also has the Italian Safer Internet Center, which promotes
safer and better use of the internet among children, parents, and teachers. It also helps
students to be informed about important matters, to get in touch with influencers, journalists,
and politicians through live video chats. Pretty cool. But did you know that Italy is actually one
of Europe's, Western Europe's, youngest countries? Now Italy's been around for thousands of years,
but it's actually only been a country since 1861. And did you know that Italy is one of the
world's largest cities in the world? Did you know that 13 of Shakespeare's 38 plays are set in Italy?
And one more fun fact, Texas has cities named Italy, Rome, Naples, and Florence. Go figure.
Be sure to subscribe to One Route on YouTube to catch up on all of our episodes, and watch the
shows and companies making a positive difference in the telecom industry. Now, Eric, back to you
and more of this great communications risk show. Cheers.
Now let's welcome back one of the recurring guests on our show, Joseph Nderatu. Joseph is a
director at Integrated Risk Services, a consulting business providing advice about corporate
governance, forensic investigations, and business assurance. He's worked with many of the biggest
telcos across East Africa. Prior to becoming a consultant, Joseph worked at Safaricom, where he
was one of the first revenue assurance managers who had to tackle the new challenge of assuring
mobile money services. As well as being an expert on risk for comms providers, he's also a pilot,
a farmer, a part-time journalist, and a thoroughly good chap. Hi, Joseph. It's great to have you back
there. Hello, Eric, and I'm happy to be back. How are you doing? I'm doing good, Joseph, and I'm
always enjoying our conversations because I always learn so much. And you are the perfect person to
ask about what the heck is going on in Kenya. Now, last time we had you on the show, we didn't have
the time to discuss all this fuss that's occurring in Kenya surrounding the regulation of Safaricom,
and whether it's M-Pesa service should be split off into a separate company. For my benefit,
for the guy's benefit, for the benefit of all the viewers, can you please explain to us what is
happening, what is the significance of M-Pesa to Kenya, to Kenyans, to the Kenyan economy,
and who is wanting M-Pesa to be split from Safaricom, and why they want it split?
Okay, cool. As to the first question, what the significance of M-Pesa, I think suffice it to say
that it's become a way of life. I was just telling someone the other day that in the past,
you would be afraid of forgetting your wallet in the house if you went out. Nowadays, it's not a
big deal. I'm more worried in case I run out of battery power because then I would not have access
to money. So I know I can transact as long as I have money. I can go on public transport, go to
any restaurants, go to any hospital, pay for anything on the way, pay for fuel, anything really
I can do using M-Pesa. And therefore, the service has grown since the launch was done back in
January of 2007, has achieved a lot of growth over the years. The product suit has grown from
just basic money transfer to really lending services, overdrafts, and things like that. So
a story of growth, that's a good part. But as you know, there's always the good, the bad,
and the ugly. Complexities have come with that. And the complexities were, of course, not envisaged
in the launch. At the time, there were no regulations about the service coming on board.
And the Central Bank of Kenya actually gave what is called a letter of no objection, allowing the
service to go because there was really no law to regulate it. By leaps and bounds, the service
has grown. And now there are questions as to, are we regulating it as we should? And especially
with the risks that are being seen, as I'm affecting customers, is all that needs to be done,
is it being done? And that's where we are. So as to the split, that's a whole story that has
been going on for quite a number of years, has been fought, or rather has been fronted, even
in parliament. As late as 2021, there was a member of parliament who raised the motion
of splitting Safaricom and having M-Pesa as a separate company. Our members of parliament,
however, not quite known as being the sharpest tools in the shed, did not see the merit in
discussing that topic. And therefore, it did not progress far beyond parliament. But the
question as to whether Safaricom should be split has been there, has been raised through parliament,
has been raised by industry analysts, and has also been raised by consumer protection groups.
But here's the thing I don't understand, Joseph. Is there not now a lawsuit about the fact that
Safaricom has not been regulated like a bank? And I'm not clear as to why Safaricom would be sued.
Wouldn't you sue the regulator instead for not making a decision to regulate like a bank?
How can you blame the business for not being regulated sufficiently? What's really going
on with this lawsuit? Who's bringing it? Why are they bringing it? Why is Safaricom being sued?
Yeah. Okay. That's a good question. And I think you're right. So the lawsuit has been brought
by an individual who claims that Safaricom, by the fact that he's engaging in lending services
and has also shown sometimes not the best of due diligence in conducting
those lending services, should be sued. I think I share your sentiment.
You know, really, the lawsuit should be directed towards the regulatory bodies for not putting in
the required laws. And, you know, it's not exactly correct to say that the required
laws have not been put in place. Back in 2011, the National Payment Systems Act
was actually drafted. However, again, through basic complacency of parliament, it was not
enacted or made into law for quite some years. So there has been that drug. And in the
meantime, the challenges with things like fraud happening while growing up, the public awareness
also growing up, as you know, also with the proliferation of social media. Right now,
there's quite a bit of spotlight on anything that happens, not just in Safaricom, but also
in any large corporate organization operating in this part of the world. And I think there were
also concerns, especially as the service grew, and cross border transfers started happening,
whether we were actually having a safe monetary system, because now a lot of our transfers will
happen through mobile money. And especially within the period of 2011, let's say, 2014,
there are quite a number of terrorist attacks in Kenya, through the Al-Shabaab terrorism group
based in Somalia. And at least on one occasion, at least in January 2019, it was established that
part of the money for financing that terrorism attack had actually been moved via Safaricom's
mobile money, M-Pesa, in conjunction with the Diamond Trust Bank, and the Diamond Trust Bank
branch manager responsible for not highlighting that was arrested. The question then became,
okay, but you have arrested the bank manager, what did you do about Safaricom? So these concerns
have been there. And I think they are valid concerns, they are valid concerns, they need to be
addressed. But I think the question is, do we then use this as an opportunity to have a conversation
about properly regulating mobile money services, and annual digital payments? Or do we then go
after Safaricom and say, hey, we're coming after you, even though there is no regulatory
framework for, for enabling, or rather for guiding a lot of these things. So that it's, we are caught
up in a situation where the concerns are there, they are valid, but the legal framework has
dragged far behind the innovation that has happened on the service.
These issues are serious. And I'm, you know, I'm not going to argue with you about the seriousness
of wanting to pursue a regulatory framework to protect customers from crime, to protect
shareholders in the bank from the collapse in the bank, because it's lending the money. Therefore,
if telcos is lending the money, where's the money coming from to be led, that it doesn't
stretch itself too far. We've seen plenty of banks collapse recently. And we've seen plenty of blanks
collapse in the past as well. We don't want to see telcos collapsing, because they're starting
to do the same things as banks, but without regulation. However, we're going to have to
do that regulation. However, although the topics are serious, is this specific lawsuit serious?
It seems to be generating a lot of interest in the Kenyan press. But do people take this lawsuit as
being serious as having a real chance of victory? Or is it more just a talking point that's making
people think about the same issues again? And if the issues are gaining traction, if people care
about the issues, why are the government getting involved? Why isn't the regulator offering
these guys? Is there a reason why they haven't been more proactive in this space?
Yeah, so in terms of the seriousness of the lawsuit, if I were to hazard a guess, I think
the lawsuit will be thrown out. I don't see it going far. As to why the government has not
done much, I think there was always this, and I think you touched on it in an article
spoke about a data breach that happened in Optus, where you talk about the fact that we have
kind of prioritized the good news so much and not looked at the reliability and asked the
hard questions. I think if I'm paraphrasing something, it's it. So I think the story of
success is very well known. And I think Kenya has been touted as a very successful case of mobile
money. Inclusion of the poor has been one of the things that government has also been very proud
of. We see during campaigns, you know, politicians, or people running for presidency talking about
some of the things that they are going to do to make sure that even more people are included in
the economic system. So it's, you know, success has many fathers, and everybody wants to be
associated with that, with that success. So I would say that then the government has not
has not treated the service, has treated the service more as a bragging points thing,
as opposed to really taking the responsibility for regulating it. Now, it's not to say that the
service is not entirely looked at. Certainly, the Central Bank of Kenya does get returns from mobile
money service providers. There is a financial reporting center where companies or telcos can
file suspicious transaction reports regarding anything happening on the mobile money system.
So there's that oversight. The missing link, at least in my view has been that we are in a
situation where we see all these bad things happening along with a good, we are seeing a
lot of same swaps and people complaining. We are seeing scam artists using mobile money.
We have cases of even prison prisoners in maximum security prisons, working together with guards
to get cell phones in, and then running a whole call center from prison. That is actually enticing
people to send money for, you know, to donate to this other charitable cause. So there's this nasty
and inconvenient stories there, but they have, the missing link is whatever Safaricom or whatever,
even Airtel, because they also have a money service running, whatever action that they do
take in conjunction with the law enforcement agencies, there's not much communication as to
how the close looping of that is happening. And therefore, there's this perception
and much well deserved among the people that is everything in control. And therefore, that kind
of creates a lot of anxiety around the service. And it's not helping that then we are not seeing
much coming through the media from the various telcos saying, you know, this is what we did.
You know, the law was applied in this case. These are the number of people who actually went to
jail and all that. So there's a communication problem. And that is really, I think that's,
that's a danger, because I know they're, they're probably, I'm not probably, they're, they're,
they're 100%, they're people working hard in this technical cause in Safaricom trying to fight
fraud. Safaricom also does the publishing of people, internal staff who are found to have
committed these things. But you know, there is something missing in terms of informing the public
and providing actual metrics that things are going in the right way with regard to fraud management.
And I think that's an opportunity for Safaricom, for Airtel, and for the law enforcement agencies
to make sure that people get that conflict. Because otherwise, what we know is everybody
knows somebody who has fallen victim to a same-swap or some other type of thing.
Now, we talked about Kenya's situation, because obviously, you're in Kenya, and you know all
about the Kenyan situation, but you've also worked in a lot of the countries that surround
Kenya as well. So when we say that perhaps the regulatory environment isn't as tough as it might
be in Kenya, how does that compare to the regulatory environment, the legal environment,
and other countries in East Africa? Yeah, so I say Africa kind of seems to run on extremes.
And so we have a very permissive or understanding regulatory environment in Kenya.
So there's quite a bit of leeway provided or given to the telcos. And then you have on other cases
where the regulators have taken a very sort of almost very restrictive approach to mobile money.
I think I would, for example, mention the case of Tanzania, where it's become really a surveillance
tool, or at least in the years under the previous presentation, it was a surveillance tool where,
you know, the telcos had to send every bit of transaction data to the regulators' servers.
And we know that that data was not really just being used for assuring quality of service or
for checking adherence to their laws, but also being used to profile, you know, opposition
members and things like that. So that is there. So striking a balance is not exactly very evident
in a lot of countries. But I think the challenges are known in terms of its opportunity for mobile
money in all the African countries, because banks, you know, traditional mortar and brick banks are
not serving the people, they have not served the people for a long time. But then there are these
real concerns as to what are we doing to make sure that the service is running as it should,
we are protecting consumers as we should. So Tanzania, I've mentioned that one. The other
thing is, of course, security in terms of the integrity of the mobile money system,
and the risk of it being used in things that I mentioned, for example, terrorism,
we know also the security situation in DRC, where again, mobile money is really growing up,
growing very fast. And where there's an insurgency from the rebels who are claimed to have been
sponsored by different countries. So again, we've seen especially in the case of DRC, Vodacom,
they are putting in measures to make sure that they're able to monitor transfers in areas where
those insurgents are known to be operating and making sure that the level of transaction
monitoring is high. So I think there's a mix and match of approaches, but that you will be struck
that on some levels, there's quite a bit of lax approach. And then on others, there's quite a bit
of restrictive approach. In both cases, I think the consumer is still not served well. So those
two extremes, you need to get a balance, where we actually serving the consumer by making sure that
there's a proper legal framework, the telcos adhering to it, where they're not adhering to it,
they are being penalized, or rather, they're also being supported in case they have valid reasons
as to why they cannot comply. Great observations. Now, there's a couple of observations coming from
some of the viewers as well. So I'll share them with everybody who's on the show and who's
watching as well. Lorenzo Francisco from Mozambique says, Hi, Joseph, he's glad to see you again on
the show. He's concerned that there's a risk that regulators will apply fines for M-Pesa mobile
money providers in other countries too, so we'll come back to do. Marcus Bryant is backing up your
point by saying, from his experience at MTN Group, that there are some countries that require banking
licenses for mobile money, others that don't. Now, Lee, I want to bring you up on this point,
you've dealt with mobile money as well. Do you find that when you're dealing with international
groups and mobile money, there really is a lot of inconsistency in how different countries deal
with the regulation of whether they're treating telcos like banks, or they're basically giving
telcos free rein to do what they like? Yeah, I mean, each different jurisdiction has its own
set of rules, right? So you're always going to find that. From my experience, most of the
countries that I've worked in, a lot of the telcos needed to have a banking license, they were
treated as a bank. And I mean, you mentioned a point earlier, you were talking about, there's
lots of banks going bust, and you were concerned about some of these telcos might end up going bust.
Now, one of the things that we, when we set these up in the past is, you'd obviously set a firewall
up. So you'd set up a separate company, which has the banking license. So if anything happened to
that, obviously, that provides a bit of protection for the telco. Here's the thing that frustrated
me. When we travel down to Nairobi to hold the RAAC conference there, I would have loved to
been able to get a Vodafone SIM and been able to use mobile money because Vodafone's in the UK,
we've got Vodafone affiliated telcos all around Africa, why wouldn't I want to have the advantage
of using mobile money as I go from country to country? It is mobile after all, this stuff is
supposed to make life easier. And yet somehow or other, in the Western countries, in Europe,
in the USA, in Canada, and the rest, we don't seem to want mobile money. I don't understand it. Why
would I not want mobile money? And this makes me wonder, I'm going to blame the Americans.
So this is why I'm going to bring you in here, Ed, so I'm warning you now.
Is this really a problem here that we don't have leadership in regulation in this area? Because
the United States of America, which tends to be the leader in international banking regulation,
doesn't want to have mobile money for poor people in the United States of America.
They've already frozen out people who are unbanked in the USA. And as a result,
they see no need to get involved. They only want to get involved in the over-the-top banking.
They don't want to get involved in this calm stuff. And are they making a mistake by doing that,
Ed? Why am I talking nonsense?
Thanks for asking a really loaded question, Eric. Are they making a mistake by not taking
up the banner of the poor and marching to the... I don't know, man. The US, for better or worse,
is a capitalist country, and its banks are permitted to act in all kinds of
unbelievable and heinous ways that hurt lots and lots of people, right? So that's a whole
different show that we could...
But this is what I mean. Why are American telcos... 7% of Americans are underbanked
per the survey that's done by the FDIC, the insurance business that basically underpins
banking in the USA. 7%? 7% of 300 million people is a lot of people. Why are there not
businesses like telcos, like small regional mobile providers who are saying to themselves,
we could learn a lesson here from Safaricom, we could provide a service? Or are they just
being frozen out because the regulatory environment is so hostile to anything like that,
it wouldn't make sense for them to even start down that road?
I think there's probably a certain percentage of that, probably a pretty large percentage
of that, that's like, I don't trust the bank, right? Or I never have any money to be banked
in the first place, right? There's a lot of... There really is. I think if you broke down
that mix from a statistical point of view, there's probably a lot of really odd reasons
for why those people are unbanked, including some of them being, oh, I want access and
don't have it, right? Is probably one of them. I'd want to see the data around that to comment
on it, but I don't think it's a safe assumption that there's this large number of this market
of people that are unserved. I find it a little bit hard to believe it. If they are, then
they're being served now by things like Cash App and Venmo is starting to fill that gap.
But what it brings us to, right, is more of this question of how do you regulate this
stuff? Because there's a dissolution of like, well, what's a bank versus what's mobile?
Are you regulating this as a mobile thing or a banking thing? It's like, well, there's
money moving around. So, some of the things, and Joseph referred to this before about,
look, M-Pesa was a pioneer in this, and I think that they should be lauded for breaking
ground where others could not, like way before anybody else started getting into all digital
banking for it, right? I mean, I remember covering it when it launched and very few,
if maybe nobody else was doing those kinds of things. So, I think there's a lot of positive
lessons to be taken from it. But one of them, coming back to the point, Eric, is that, yeah,
there is this like blurring of the lines between what's mobile and what's banking. And
it's being further blurred if you look at all the regulations and rules around open
banking and all the APIs that will be introduced for different types of over-the-top banking,
which also, if you have the time to go do a research deep dive on the regulatory regimes
around the world on open banking, and I don't recommend it, there are resources to read
about these things. They do break down the different categories of responsibility based
on the type of transaction. And a lot of those things come back to stuff like is that making
sure you're checking for money laundering, you're doing money laundering checks, you're
doing terrorism funding checks, and those kinds of things that are kind of standard
on the banking side. So, if you're dealing with money on the mobile side or on the telecom
side, why wouldn't you, just by common sense, not be held to the same type of standard,
right? I mean, I think all those gaps, to me, automatically make sense. And so, to look
at those things as like separate categories does not make sense at baseline. And we keep
doing it in technology and thinking that it's, you know, this is a horizontal thing. It's
not a vertical thing. And these things are separate from each other, if that makes sense.
Ross Coulthart Absolutely. I just get upset because people say,
telcos, how do they turn their business model around? How do they start to generate new
revenues again? Safaricom, they want to split up Safaricom because they've done so well
at finding a new source of revenue. And Marcus makes a point here, again, another comment
from Marcus. He says, a major issue with the US and Europe is the arrogance of the West
refusing to learn from the African example. They find it very hard to accept they have
anything to learn from Africa. I would turn it around and say, where's the lack of, why
isn't there more entrepreneurialism here? Why isn't an American telco providing mobile
money type service to the 7% of customers, the 7% of people who probably do have phones,
but probably don't, as we've said, have a bank account because they don't trust the
banks or they can't get an account or they've had a bad history or whatever. And why isn't
Vodafone in this country? Why are they not giving me the option to get mobile money?
It may be a niche play, but it could also be a very profitable play. Why are we being
pushed onto other banking services and other apps and stuff like that?
Marcus Levenson In defense of the US, I'm going to insult the
US. In the US's defense, when I get to do deep data studies on adoption of all kinds
of tech, like mobile money and real-time payments and all those kinds of things,
or smarter ways to secure your digital identity, the US is almost always a laggard, right?
Americans behaviorally like credit cards and text messages. No matter how archaic they
start to become or how much they're attacked by fraudsters, credit cards and text messages,
don't ask me to change. So look elsewhere for leadership is my point.
Daniel Disney I will give the Americans
a little kind of one-up here. Living in Canada and sending checks, whoa, that drove me crazy.
Pieces of paper. I go to Nairobi and everybody's on their phone sending money backwards and
forwards. And in Canada, you have to send pieces of paper across the country because that's how
they still transfer money from one place. So it could be worse. Canada is probably the worst I've
ever had to deal with in terms of dealers. But let's get back to the serious stuff because we
haven't talked about the fraud side of things as well, though you brought it up there a little bit
tangentially there, Ed, in mentioning Venmo and Cash App. And the same issue is now occurring
in Safaricom, where a service like this becomes so popular, it attracts a lot of fraud, it attracts
a lot of crime. Joseph, if you mentioned about the issue with international transfers, though,
but what's been big in the Kenyan press recently is reports of ghost accounts. Criminals taking
over a dead person's phone account to make purchases using M-Pesa. And this has become
possible because Safaricom allows customers the equivalent of an overdraft facility. So even if
we don't have money in the wallet, they can still make purchases using M-Pesa. In your opinion,
Joseph, I know you're an ex-Safaricom employee, so you perhaps don't want to be rude about your
former employer, but is Safaricom taking the appropriate steps to mitigate the risks involved
in lending money to customers in general, and in particular, to the risk that criminals will abuse
these lending-based services? Yeah, so I'm aware of some of the measures that are carried out,
not just in Safaricom, but also in other telcos. So for example, basic ones keeping putting limits
on what can be done on the account, putting dormancy on the account and all that.
But obviously, those are not enough. I think, was it Lee or Ed who mentioned something like
vicinity checks? And those are some of the things that we are seeing now being deployed, for example,
making sure that you cannot have a SIM swap happen in this location, and then money is withdrawn
in a location that is more than X number of kilometers away. So that technology does provide
ways to do that. However, you're right, we are still seeing these things being reported in the
media. And of course, it's easy for me to do a bit of Monday quarterback analysis and say,
that should have been easy to catch. That should have been easy to catch. So I'm careful,
I'm choosing my words carefully. But I think overall, we are not seeing information as to
what is being done about these types of things and whether the solution is getting better or worse.
That I think is what is creating a lot of this outside. So for example, cash advances or
fleas, which is really an overdraft facility that you can carry on your line. All that it requires
is that that line has been active on M-Pesa for X number of days, has carried this number
of transactions. There's quite a bit of threshold on what qualifies you to a certain limit.
And then the limit then is about for some, maybe up to 300,000 kilo shillings or something like
$1,500, let's say. That's a lot of money in this part of the world. And therefore, this motivation
for people to actually get, if somebody is dead, and that same kind is not well secured,
you know, really performing the same sort of piece is not a big deal. And in some cases also
there's internal staff involvement, where they're able to identify accounts that have not been
active for a certain period of time. But again, you could put all those controls in your phone
management system or your transaction monitoring system and be able to block them. So what I would
say in summary is that I think there's a lot that is done. I'm sure there's a lot of good
work that's being done, but there's a lot more that could be done. We'll be talking a lot about
machine learning and all these types of fancy analytics, but are they being applied correctly
to prevent some of these scenarios? The article that I think Commsrisk published today, an article
on where somebody, a journalist has reported that over 51% of Kenyans have experienced mobile
management. Not true. I mean, I think the articles, your article really also identifies that
quite clearly. But the question is, by the time we are reaching a situation where such publications
are picking up such statistics, we need to be able to show what is actually happening in the
telcos to manage that. And I think there's somewhere that we are not communicating effectively.
Whether we are doing good work, we are not communicating or we are lagging behind,
we are struggling and we are not letting the public know that we are struggling and what
more needs to be done. Now I've seen a lot of awareness campaigns being done to customers,
how to guard their SIM cards, how to prevent against SIM swap. Lee also mentioned biometrics.
Safaricom also has a biometric solution where your SIM swap, before a SIM swap is done,
there's a biometric check. You could actually record your voice and then before your SIM swap
is done every time, then you'll receive a callback and then once you answer and say a few words,
then it authenticates and does a SIM swap. But is that very well known across all the subscriber
base? I think not. I don't see much about it except that I think it was a very good service
to have been launched. So there are definitely areas for improvement and I think not just
Safaricom but all the other telcos, they need to be very clear in how they are communicating.
The sustainability report that you mentioned where, you know, stuff that are caught doing
internal fraud, they are fired and then reported. That's a good thing but I think we need more
metrics than that and I think the boards, the auditries, committees in these companies, they
need to step up the game. I think there's a lot more that can be done and I don't get the feeling
that we are there yet. I think you're being perhaps a little bit, you're not being generous
enough I think sometimes to the telcos like Safaricom because when you talk about something
like vicinity check, I'd love to see a lot more telcos doing things like vicinity checks in order
to determine whether a fraud has taken place and they're not doing it. Yes, there may be an issue
about credit limits, whether the credit limit is too generous, especially right at the beginning,
whether you should be just ramping up the credit limit a lot more slowly. But some of the things
you're talking about are quite sophisticated. Lee, I want to bring you in here. There's not this
sounds quite sophisticated and wouldn't you get a bit suspicious of you in a telco that the reason
you're getting this class action lawsuit is that customers are basically just jumping onto a
bandwagon to try and make money by suing you when they haven't necessarily had any loss.
Some dead persons had their account taken over. Yeah. So, you know, it doesn't just happen on
mobile money, right? So, I mean, this happens in real life in real banks, right, where somebody's
died and then somebody carries on using their bank account, right? So, I don't think it's just
specific to mobile money. But yeah, you're probably right, Eric. It sounds like people
are just jumping on the bandwagon here. Joseph, what do you think? Do you think then
this is another class action lawsuit here, people wanting to sue Safari come over these
ghost accounts? Does it have any merit or is it just an attempt to get a cash grab out of
what's a big and very successful company in Kenya? Yeah. As I said at the onset is, first, I don't
think the lawsuit has much merit. And my guess would be that's going to be thrown out.
But I think it would be tragic if with the case being thrown out, we then kind of, you know,
let the conversation go away. I think that's not my concern, that the fact that this lawsuit may
not go through, and I think in all likelihood it will not go through, I think does not excuse us
from starting to really interrogate ourselves as telcos offering mobile money in this part of the
world and asking ourselves the financial inclusion that we are driving, at what cost is it coming to
some of the poor people walking on the street, for example. And I think this lawsuit has that
the merits of the lawsuit, as it's being discussed, should bring that to board. I am hoping that the
telcos will then take that as a moment of introspection and say, hey, you know, is there
something more we could be doing? I'm hoping also the regulators also ask themselves, is there
something we could have done about this? I'm hoping our parliament starts, you know, getting
a proper set of regulations in place. And I'm hoping that there's going to be, you know, constant
enforcement of these things. So I see it as an opportunity, not in the sense that there'll be
much coming by way of the lawsuit, but rather in the debate that's going to be there.
Unfortunately, I see our media the way they are covering the case. Obviously, they don't have the
subject matter expertise that, for example, comms risk would have in covering it.
And therefore, there's a lot of just, you know, reporting the big value that Safaricom is likely
to pay in case this lawsuit goes through. Whereas I think we should be examining how did we get
to the point that we are taking a big corporate to court and claiming such a huge amount
because of something that could have been prevented or could have been managed by a
set of actors who have clearly not done what they should have done. I think that's for
me where the debate should lie. Well, I think you're absolutely right,
Joseph. And the point I would re-emphasize there is keeping the conversation going.
It needs to keep going in real life. And that's what we're trying to do on this show.
And we will be keeping the conversation going with you in future, Joseph. If you keep coming
back on this show, we definitely want you back. Though now we're going to have to stop the
conversation because we've massively overrun today's show. So thank you so much for your
insights, Joseph. It's a pleasure to have you on the show. And if you're willing to come back,
we'll keep having you back, Joseph. No doubt about that.
My pleasure, Eric. See you next time. Thank you so much, Joseph. Well, we've
reached the end of the show. Ed, Lee and I will return next Wednesday when our special guest will
be Silke Holtmanns, an expert and advisor on 5G security to INDISA, European Union cybersecurity
agency amongst others. Join us live on Wednesday, April 19 at 4pm UK, 6pm in the East Africa and
Standard Arabia time zones, and 10am US Central. Listing time zones though, I find it super boring
to do it every week. So why don't you avoid making mistakes by adding the show to your diary using
the link at the Communications Risk Show webpage. And you can even subscribe to the Communications
Risk Show broadcast schedule, which means every weekly broadcast is added to your diary
automatically in the right time zone for you. Thanks again to today's guest telecoms
consultant, Joseph Nderitu. Thanks to my co-presenters, Ed Finegold and Lee Scargall
for their thoughtful and entertaining insights. And to the hardworking producers of the show,
James Greenley, who was assisted by Matthew Carter. That's a wrap for episode five
of the Communications Risk Show. I've been your host, Eric Priezkalns. Visit the Communications
Risk Show website at to catch up with past episodes in this series. Stay up to
speed with industry news by visiting our main site And if you're looking for free
RAFM guidance, including the most comprehensive catalogs of revenue leakages and frauds,
then check out the Risk and Insurance Group at
Thanks for watching. We'll see you next Wednesday.