A new M-Pesa privacy feature is set to go live across Kenya on Tuesday, March 24, 2026, marking one of the most significant shifts in mobile money transparency since the platform’s inception. Following official approval from the Central Bank of Kenya (CBK), the country’s leading telecommunications provider will begin masking mobile phone numbers in transaction confirmation messages. This update is specifically designed to enhance user data protection and curb the rising tide of digital marketing spam that has plagued millions of subscribers.
Understanding the Number Masking Rollout
Under this new security protocol, the standard SMS notification you receive after sending or receiving money will no longer display the full 10-digit mobile number of the other party. Instead, the system will implement a “masked” format, typically showing only the first few and last few digits (e.g., 0722XXX456).
Additionally, the notification will be stripped down to show only two names—the first and last name—rather than the full three-name string that Kenyans have grown accustomed to over the last decade. This move is a direct response to the Data Protection Act of 2019, which mandates that companies limit the exposure of “Personally Identifiable Information” (PII) to only what is strictly necessary to complete a service.
Why the CBK Approved This Change
The Central Bank of Kenya’s endorsement of the M-Pesa privacy feature stems from a growing concern over “number harvesting.” For years, unscrupulous individuals and rogue digital marketers have used transaction logs to build databases of active phone numbers. These numbers are then sold to third parties or used for aggressive telemarketing and “Wash-Wash” scams that target unsuspecting users.
By hiding the middle digits, the link between a person’s name and their contact information is effectively broken. This makes it significantly harder for scammers to build a comprehensive profile of a user based solely on a single transaction at a local shop or via a Peer-to-Peer (P2P) transfer.
The Impact on Small Businesses and Chamas
While the update is a win for individual privacy, it presents a new challenge for SMEs and informal investment groups (Chamas). Many small shopkeepers rely on the SMS notification to manually record customer numbers for loyalty programs or follow-ups. Similarly, Chama treasurers use full numbers to distinguish between members with similar names.
To address this, a secondary verification layer has been introduced. If a recipient needs the full details of a sender for legitimate accounting purposes, they can initiate a request via a dedicated USSD menu. However, the sender must explicitly grant permission through a pop-up prompt on their phone before the full details are released. This “Consent-First” model ensures that privacy remains the default setting for all users.
Technical Adjustments for Merchants
Large-scale merchants using Lipa na M-Pesa “Buy Goods” or “Paybill” services have already seen iterations of this masking in their backend systems. However, from tomorrow, the change will be universal. Developers using Safaricom’s Daraja API are encouraged to use the Transaction ID (e.g., QRC123456) as the unique identifier for reconciliation, rather than relying on phone numbers, which will now be inconsistent across different notification channels.
Security Tips for the New Era
As we transition to these new protocols, users should remain vigilant. Scammers may try to exploit the initial confusion by sending fake “masked” SMS messages that look like official alerts. Always check your balance via the official App or by dialing the standard USSD codes to confirm that funds have actually landed in your account. Remember, the provider will never ask you for your PIN to “unmask” a transaction or verify a payment.
