The Kenya Gazette
4notify Kenya · Published by Authority
GAZETTE NOTICE · CBK · M-Pesa · PesaLink
Gazette No
KG-KE-001
Date
2026-05-27
Status
In force
Category
Banking & payments

Strong authentication, M-Pesa and PesaLink instant: one-time code delivery to Kenyan banks over Safaricom, Airtel and Telkom

The Central Bank of Kenya (CBK) oversees a payments market built on M-Pesa and the bank-to-bank PesaLink rail. Every mobile-banking confirmation and every high-value transfer demands a second factor. 4notify delivers one-time codes with a P50 under 4 seconds across Safaricom, Airtel Kenya and Telkom Kenya through tier-1 international A2P gateways — the code lands before the window closes.

SMSPushEmail
Preamble

Section 1 — IN EXERCISE of the powers conferred by the Central Bank of Kenya Act (Cap. 491) and the National Payment System Act, 2011, this Gazette Notice is issued concerning the delivery of one-time strong-authentication codes over the Kenyan mobile networks.

Statutory basis
Central Bank of Kenya Act (Cap. 491)

Mandate of the CBK over the banking system and the National Payment System.

National Payment System Act, 2011

Operation of payment instruments including M-Pesa and PesaLink, and authentication of electronic transactions.

CBK Guideline on Cyber Security for the Banking Sector

Duty of regulated institutions to apply multi-factor authentication on digital channels.

Implementation
01

CA registration + tier-1 gateway

4notify routes through tier-1 international A2P gateways to Safaricom, Airtel and Telkom, and is a recognised messaging provider for authentication traffic.

02

OTP generated in the bank HSM

The one-time code is generated in the bank's hardware security module; 4notify receives only the hash and the MSISDN.

03

60-second window + fallback chain

The SMS is delivered in under 60 seconds; if the DLR fails, push follows, then email. Grey-route latency is avoided.

04

Seven-year audit custody

Each delivery is signed and retained for seven years, in line with CBK and anti-money-laundering record-keeping expectations.

Delivery envelope
json
{
  "event": "bank.mpesa.otp",
  "bank_id": "KE-XXXX",
  "transaction_id": "TX-2026-05-27-948210",
  "amount": 45000.00,
  "currency": "KES",
  "delivery": {
    "channel": "sms",
    "fallback": ["push", "email"],
    "window_seconds": 60,
    "template": "mpesa_otp_ke_v3"
  },
  "audit_signature": "https://4notify.net/sig/bank/948210"
}
Sample message
SMS

Equity Bank: your code to confirm a PesaLink transfer of KES 45,000 to J. Otieno is 482193. Valid 5 min. Do not share it with anyone.

Compliance checklist
  • Recognised messaging-provider registration with CA in force
  • Tier-1 gateway reach to Safaricom, Airtel and Telkom active
  • OTP P50 ≤ 4 seconds measured per quarter
  • Seven-year audit custody documented
The 4notify difference

4notify is the only A2P provider that simultaneously reaches Safaricom, Airtel and Telkom for M-Pesa and PesaLink strong-authentication with seven-year signed audit custody aligned to CBK record-keeping rules.

Frequently asked questions
Does 4notify deliver direct to Kenyan banks or via aggregator?

Tier-1 international A2P gateways reach Safaricom, Airtel Kenya and Telkom Kenya. We do not use grey-route aggregation for authentication traffic.

Do push notifications count as a second factor?

Yes — an app-bound push is a recognised possession factor. But because the app cannot guarantee a durable medium, we always pair it with SMS or email.

Published
4notify Operations Department
2026-05-27 · KG-KE-001

Start free

14 days, no card. English support on weekdays. Karibu.

Other notices in this edition