Safaricom Makes Changes to MPesa to Comply With the Data Protection Act Kenya


Safaricom announced major changes to its M-Pesa money transfer service to comply with the Data Protection Act.

Safaricom introduced changes to limit exposure of information that could be linked to personal information. This information has been abused by apps, strangers, and scammers to identify people.

  Staff Writer /  Business /  Aug 23, 2023

M-Pesa customers will not receive automated monthly transaction reports.

Safaricom customers will no longer receive monthly transaction reports.  From July 1, 2022, Safaricom customers will only receive M-Pesa transaction reports on request. 

However, they can receive reports by requesting them using Safaricom's M-Pesa USSD, short code, M-Pesa app, or other means.

Earlier, Safaricom would send automated monthly reports that users could access using their identity card number, passport, or alien ID number.

Safaricom to hide users' names and mobile numbers during M-Pesa transactions.

Business and individual M-Pesa users will no longer see the full name and mobile number while making M-Pesa transactions.

"With the increasing relevance of mobile phones, it has become critical to further safeguard customer data that can be linked to a person's identity, especially their phone number," Safaricom said. 

Instead, they will only see the first name and a few digits of the mobile phone number. The other digits will be masked with crosses, like 2547XXXXX789. These changes would start with the new Daraja (V2) API from March 17, 2022.

Safaricom introduces a new M-Pesa SMS format to comply with Data Protection Act.

Accordingly, Safaricom changed the old SMS format to accommodate the requirements of the Data Protection Act 2019. Below is the new SMS format.

O87X2NNFY You have received Ksh 2,000.00 from James 2547XXXXX789 on 6/9/22 at 9:45 New M-PESA balance is Ksh8,500.00. Transaction cost, Ksh0.00. To reverse, Forward this message to 456.
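For partners who still receive full names and phone numbers, the same minimisation can be applied before a record is stored or logged. The sketch below is an added example, not Safaricom or Daraja code: the record field names, the accepted number formats and the sample data are assumptions, and only the masked form 2547XXXXX789 and the first-name rule come from the text above.

```python
import re

# Assumption: numbers arrive as 254XXXXXXXXX (optionally with "+") or as local 0XXXXXXXXX.
_MSISDN = re.compile(r"(?<!\d)(?:\+?254|0)([17]\d{8})(?!\d)")


def _masked(national: str) -> str:
    # Keep the prefix digit and last three digits, as in the page's 2547XXXXX789.
    return "254" + national[0] + "XXXXX" + national[-3:]


def mask_msisdn(msisdn: str) -> str:
    """Mask one phone number; reject anything that is not a recognised number."""
    m = _MSISDN.fullmatch(msisdn.strip())
    if m is None:
        raise ValueError("not a recognised MSISDN")
    return _masked(m.group(1))


def first_name_only(full_name: str) -> str:
    """Keep only the first name, as the new SMS format does."""
    parts = full_name.split()
    return parts[0] if parts else ""


def minimise_record(record: dict) -> dict:
    """Return a copy of a payment record that is safe to store or log."""
    out = dict(record)  # hypothetical field names: name, msisdn, amount
    out["name"] = first_name_only(record["name"])
    out["msisdn"] = mask_msisdn(record["msisdn"])
    return out


def redact_text(text: str) -> str:
    """Mask every unmasked number in free text; masked values are left alone."""
    return _MSISDN.sub(lambda m: _masked(m.group(1)), text)


if __name__ == "__main__":
    # Constructed sample data, not real customer details.
    rec = {"name": "James Example Person", "msisdn": "0712345789", "amount": "2000.00"}
    print(minimise_record(rec))
    print(redact_text("payment from +254712345789 ref O87X2NNFY amount 2000.00"))
```

Running `redact_text` over text that is already masked leaves it unchanged, so it can be applied to log lines of mixed origin.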


Safaricom extends the deadline for C2B and B2B API users due to integration problems.

According to notifications sent to API users, developers should implement the new changes limiting personal information shared during transactions in compliance with the Data Protection Act 2019.

"Equally, the Data Protection Act 2019, which came into law on 25th November 2019, requires all organizations that handle such data, including Safaricom and our Lipa Na M-PESA Partners, to take action to minimize the use and transfer of sensitive customer data such as name and phone numbers during the processing of a transaction," Safaricom said in an email. 

Safaricom also intended to limit the exposure of its customers' information to its merchants. However, integration challenges forced the mobile communications provider to extend the deadline. 

"As such, partners will continue to receive customer phone numbers through the M-PESA API beyond the earlier communicated deadline of 30th June 2022.

"This will ensure partners can continue to adequately process payments as we assist them to resolve resulting technical challenges."

Caller identity apps access M-Pesa SMSes to create people's profiles.

Some caller identity apps could use M-Pesa SMS messages to build personal profiles that identify people. This happens whether or not you have installed the app yourself.

Suppose you send money via M-Pesa to anybody who has installed some of the caller identity apps. In that case, the apps could extract your name and phone number from M-Pesa messages and allow strangers to identify you.

While some caller identity apps explicitly warned users that they would access financial SMS, others did not disclose this prospect. However, some apps have already removed the ability to access M-Pesa messages.

Strangers could also determine people's names by sending M-Pesa to them and canceling the transaction. Safaricom originally showed names during transactions to prevent users from sending money to the wrong people.
