The most vulnerable aspect of Kenya’s digital economy is not payments or transactions; it is the onboarding process. Every day, millions of users open accounts, register for services, and access platforms remotely. This moment—when a system verifies a user’s identity—sets the stage for everything that follows. If this decision is incorrect, the entire system inherits the associated risks.
Kenya’s digital growth has made this moment more critical than ever. Mobile money penetration has reached approximately 82.3%% of the population, while financial inclusion stands at 84.8% of adults. Access is no longer the constraint. The challenge is verifying identity at scale, in real time, across services that operate independently.
The data shows where the pressure is building. Fraud cases in Kenya’s banking sector increased from 173 in 2023 to 353 in 2024, with reported losses reaching approximately KES 1.5–1.6 billion. More importantly, risk is shifting earlier in the digital journey. Around 4.4% of account creation attempts are now suspected to be fraudulent, making onboarding the most exposed stage of the customer lifecycle.
This issue is not just about increased fraud; it highlights a fundamental weakness in how digital systems establish trust at the start of a user relationship. In reality, the onboarding process often depends on methods that were not designed for remote and high-volume settings. Document uploads, manual verification, and static database checks can validate information, but they cannot effectively confirm whether a real person is present during the registration process. Therefore, they are unable to verify identity reliably.
This leads to a predictable outcome: a fraudulent identity that successfully passes the onboarding process is treated as legitimate throughout the system. All transactions, access requests, and account activities rely on that initial decision. By the time any suspicious behavior is detected, the damage has already begun.
Kenya’s mobile money ecosystem illustrates how scale amplifies this risk. Transaction values reached approximately KES 8.7 trillion in 2024, reflecting the extent to which digital financial services are embedded in everyday activity. At the same time, mobile banking fraud exposed over KES 981 billion, with losses exceeding KES 810 million. These figures do not point to a failure of digital adoption. They point to a gap in how users are verified at entry.
The overall increase in threat activity further supports this pattern. The Communications Authority of Kenya reported 7.9 billion cyber threat events in the first eight months of 2025, more than double the amount recorded during the previous year. As digital services continue to grow, the number of attempts to exploit identity vulnerabilities rises.
Source:
https://www.techcabal.com/2025/09/17/kenya-central-bank-blames-hackers-mobile-banking-fraud
The issue isn’t that systems fail after onboarding; rather, they rely too heavily on a single, often unreliable verification step at the beginning. This is where AI and biometric verification come into play. The goal during onboarding is straightforward but challenging: to confirm that a real person is present and that they match a trusted identity.
Biometric verification enhances this process by leveraging facial recognition and liveness detection to distinguish a real user from a spoof attempt. Additionally, AI strengthens verification by identifying inconsistencies, detecting manipulations, and adapting to emerging fraud patterns in real time.
The benefits of these technologies are not merely theoretical; they are practical. They significantly reduce the likelihood of accepting fraudulent identities at the point of entry, thereby decreasing downstream risk across the entire system. However, improving onboarding involves not only enhancing accuracy but also ensuring consistency.
Today, users often repeat the same verification process across multiple platforms. A person verified by one institution may still need to start from the beginning at another institution. Each new onboarding process creates another opportunity for error or exploitation. When systems do not recognize previously verified identities, they increase friction for legitimate users and expose them to fraud.
Addressing this requires a shift in how onboarding is designed. Verification should not start from zero each time a user interacts with a new service. It should build on trusted identity signals that can be applied across platforms, while still meeting regulatory requirements.
This is the context in which Identy.io operates. The focus is not on identity in the abstract, but on improving how identity is established during onboarding. By combining biometric verification with AI-driven analysis, the approach enables organisations to remotely confirm user identity using standard devices, without specialized hardware or manual processes.
In practical terms, this allows institutions to strengthen onboarding without adding unnecessary friction. Users can be verified quickly, while systems gain greater assurance that the identities being created are legitimate.
Regulatory expectations in Kenya are continually evolving. The Data Protection Act (2019) and the Computer Misuse and Cybercrimes (Amendment) Act (2023) outlines specific requirements for the collection, processing, and storage of personal and biometric data. This legislation holds organizations accountable for ensuring their onboarding processes are not only secure but also compliant with principles such as consent and data minimization.
Any approach to digital onboarding must operate within this framework. Security without trust will not be sustainable, and establishing trust relies equally on both governance and technology. Kenya’s digital economy has already shown the possibilities that arise when access barriers are lowered. The next phase will hinge on how effectively systems can build trust at the point where users first engage with them. Onboarding is no longer just a routine step; it is the moment when digital relationships are established.
What makes Identy.io’s approach distinct in the Kenyan market is on-device biometric processing: identity verification occurs on the user’s own smartphone, with no biometric data transmitted to or stored in a centralized cloud server. This directly addresses Kenya’s dual challenge of cybersecurity risk and patchy connectivity. While conventional identity architectures depend on centralized databases and often require specialized capture hardware, Identy.io runs on standard Android and iOS devices—the phones already in people’s pockets. In a market where M-Pesa’s dominance was built on the universality of the feature phone, the ability to enroll and verify on any smartphone is not a technical detail—it is a go-to-market advantage. For Kenyan fintechs and banks looking to extend reach to the unbanked last mile, on-device processing lowers both the infrastructure cost and the data sovereignty risk in a single architecture decision. In 2025, the U.S. Department of Homeland Security ran an independent test to find out how well identity verification systems could tell a real person from a fake one. Eighteen technology vendors were evaluated. Identy.io’s system was the only one to block every single spoofing attempt — whether attackers used printed photos, video replays, or sophisticated masks — on both iPhone and Android. It also completed each verification in under 18 seconds.
“Kenya’s mobile-first economy has leapfrogged traditional banking infrastructure before. The same opportunity exists for digital identity,” said Antony Vendhan, Co-founder of Identy.io. “When identity verification runs on the device already in every Kenyan’s pocket, it becomes possible to enroll and authenticate securely at scale—without the cost, complexity, or data concentration risk of centralized biometric systems. That is the model Africa’s digital economy needs.
The writer is a Senior Sales Manager at Identy.io
DISCLAIMER: Opinions expressed in this article do not necessarily reflect those of the Corporation.
