BUJUMBURA, Dec 26 (BC) – Under the tarpaulins of rural markets, in neighborhood shops and on the dusty roads of the country, the same gesture is required: a telephone turns on, a message confirms the transaction, and the money circulates without a ticket or wicket. But behind the spectacular growth of Mobile Money lies a darker reality. Accounts emptied, phones stolen and savings swallowed up in a few minutes: in 2024, over 150 million Burundi francs (BIF) have been diverted by cybercrooks; which highlights the flaws in a system that is still insufficiently secure.
Under a canvas at the Vyerwa (Ngozi) market, Claudine Irishura, a vegetable seller, receives a message on her phone. “You have received 12,000 BIF via Lumicash.” She smiles. Her client has just paid her without taking out a single note. Nijimbere never had a bank account, but her phone became her cash register, bank card and safe. “I used to hide the money in my pillow, now it’s in my phone,” she says proudly.
In Burundi, less than one in ten Burundians has a bank account; millions of people like Nijimbere are turning to Mobile Money, an innovation that has become, in just a few years, the backbone of the informal and digital economy.
In just a decade, Mobile Money has established itself, almost silently, as the main digital public infrastructure in Burundi. It is now the essential base on which salaries, savings and solidarity transfers pass on a daily basis.
However, this « people’s bank » is moving forward by leaps and bounds, much faster than the law. It is clear that, while this tool is a formidable engine of inclusion, its legal framework for data protection is still in the works, groping in an environment where cybersecurity remains fragile.
From then on, a paradox sets in: the very mechanism that allows millions of citizens to emerge from the shadows of the informal economy throws them, at the same time, into the arena of fraud and abuse. In the absence of robust recourse mechanisms for victims, the promise of technological progress is coupled with a silent vulnerability that now calls for a clear and structured response.
A banking system that remains elitist
For a long time, the Burundian banking system was the business of a minority. Agencies are concentrated in towns and urban centers, fees are high and formalities are complex. In the rural villages, the bank remained a mirage.
But with the democratization of the cell phone, the mobile service has become the first financial infrastructure accessible to everyone. Mobile network operators like Econet Leo with EcoCash and Lumitel with Lumicash have transformed the way Burundians send, receive and save their money.
The silent revolution of Mobile Money
Today, a biker in Bujumbura can be paid in one click, a mother in Rutana (Remote area) can send money to her student son without traveling, and even small merchants accept mobile payments.
The telephone has abolished distances, reduced the risk of theft and allowed everyone to have, for the first time, a digital financial identity. “Mobile Money is the people’s bank,” says Apollinaire Nsengiyumva, motorbike taxi rider in Gakungwe. “I don’t need to wait in front of a wicket, my account is in my pocket,” he says, emphasizing that sometimes customers pay him via Mobile Money after the race. However, he deplores that some customers pretend to send money. “It often happens that a customer, upon arriving at his destination, asks me for my Mobile Money number to pay me, but upon checking my balance, I realize that they have defrauded me,” he complains.
A pillar of Digital Public Infrastructure
Burundi has already laid the first cornerstone of a Digital Public Infrastructure (DPI): a public digital system based on identity, payments and data sharing.
Mobile Money constitutes the “payment” pillar of this system. It has enabled millions of Burundians to enter the digital economy, creating a bond of trust amid citizens and digital services, an essential element of any DPI.
However, this infrastructure remains fragmented: the platforms are not interconnected, payments are not always compatible, and user data is often the sole responsibility of private operators.
The figures confirm the trend
According to the Bank of the Republic of Burundi (BRB), the share of the adult population with a transactional account increased from 12.5% in 2012 to 63.7% in 2024. Non-existent in 2012, holding a Mobile Money account reached 44.04% in 2024.
According to the Telecommunications Regulation and Control Agency (ARCT), Burundi had 2.3 million active subscriptions to Mobile Money services in 2023, an increase of 140% compared to 2019. The total number of subscriptions increased from 4.1 million to 6.9 million over the same period. The Mobile Money penetration rate stood at 53%, but drops to 17.3% when only active subscriptions are considered.
As of December 31, 2023, the country recorded 8.6 million mobile phone subscriptions, for a penetration rate of 66% (ARCT).
According to INSBU, transfers received by households amounted to 128,093.9 million BIF in 2020, compared to 60,083.2 million BIF for transfers issued. Nearly 80% of transfers received concerned rural areas. These figures illustrate a growing dependence of low-income households on a still fragile financial infrastructure.
When bank charges exclude, Mobile Money opens door to the inclusion
In Burundi, opening and maintaining a bank account remains a real challenge for a large part of the population. A survey carried out among banks reveals that these accounts are not free: in addition to opening costs, there are monthly management charges which, for very low-income households, can seem simply exorbitant.
However, some banks try to ease these constraints for certain categories of people, such as students or those without a fixed income. But, for many, access remains reserved for a wealthier minority, leaving behind an excluded and frustrated majority.
According to information provided by the banks themselves, opening costs can climb up to 50,000 or even 100,000 BIF, while monthly fees vary between 1,500 and 7,500 BIF, with Interbank being singled out as the most expensive. These amounts, although modest for some, represent a real obstacle for families already struggling to make ends meet.
By way of illustrating this reality, the graphs below present the account opening and maintenance fees applied by certain banks and microfinance institutions.
It is this gap that explains why so many Burundians do not have a bank account. Therefore, the latter remain excluded from the formal financial system. Fortunately, solutions like Mobile Money are gradually changing the situation: everyone can now open an account for free and without maintenance fees, offering a breath of hope and concrete access to financial inclusion.
Stories of transformed lives
On the heights of Nyabibuye, in Matongo, Goreth Ndagijimana sees her business take on new life. Mother of three children, for a long time forced to travel 200 km to get supplies in Bujumbura, she talks about how her life has taken a new turn. “I don’t waste time on the road anymore,” she says. She sells drinks almost all from the capital, but now she pays via Lumicash and waits for delivery to her home. Better yet, she benefits from commissions linked to transactions. “These 250,000 BIF that I earn in addition, I cannot let them go,” she says with pride.
This transformation is also felt in the management of one’s savings. Long queues at COOPEC (microfinance institution) are no longer a concern. Thanks to the interoperability between Lumicash, EcoCash and banks and microfinance institutions, everything is done using phone. “I save time. And this time, I devote it to my children and my business,” she adds.
In Kayanza, Apollinaire Niyongabo recounts the same revolution. A graduate in biochemistry but unemployed, he started selling potatoes. At the beginning, everything was difficult: exhausting travel, transportation expenses, and wasted time. Then Mobile Money arrived. “Today, everything is done on my phone. Three million! I’ll send him the goods later,” he smiles. Mobile Money has secured his business: the customer pays first, then ships.
In Ngozi, Venancia Nijimbere shares the same feeling of liberation. A shopkeeper for several years, she saved for a long time in fear. “I lived with fear every night,” she reveals. Today, she saves through Mobile Money account, without going through banks or microfinance institutions, which are often too expensive for her. She can also obtain her goods without leaving her shop. But she remains worried: “Many fall into the trap of fraudsters who pose as Lumicash agents. They ask for the OTP (One-Time Password) code and then they empty your account. It’s horrible,” she says.
Thus, whether it is Ndagijimana, Niyongabo or Irishura, the same reality emerges: Mobile Money is not only a financial tool. It’s a life booster; a way to work better, save easily and protect oneself. But it remains fragile: limited interoperability, fraud and lack of a solid data protection framework. They call for vigilance and urgent action. For it to become a truly inclusive Digital Public Infrastructure, Burundi will need to consolidate this infrastructure and build reliable public governance.
A DPI at the heart of inclusion, and put to the test of trust
In Burundi, Mobile Money has established itself as a de facto digital infrastructure, essential to the daily life of millions of people excluded from the traditional banking system. Payments, transfers, informal income: these platforms today fulfill the functions of a Digital Public Infrastructure (DPI), by offering almost universal access to financial services. But this centrality raises a rarely debated question: who protects the user?
On the morning of Thursday October 30, 2025, Anette Hamenyimana’s phone rang. At the other end of the line, a man introduces himself as an agent of the Lumitel Company. His voice is calm, with a professional tune. He speaks of “technical problems” being resolved; an operation intended to improve the efficiency of the Lumicash service. The speech is well-crafted, reassuring. Nothing, absolutely nothing, and does not imply any hidden agenda.
Hamenyimana listens. Then she cooperates. After all, this is a company to which she already entrusts her money, her savings, and her trust. The questions keep coming. She responds, without suspicion, convinced that she is speaking with a legitimate representative.
A few moments later, a message appears on his screen: a six-digit code. The interlocutor asks her to dictate it to him. She does so. It is at this precise moment that everything changes.
Without knowing it, Hamenyimana has just delivered his OTP code, the unique access key to his Lumicash account. In just a few minutes, everything disappears. His entire balance, 2,430,000 BIF, has evaporated: an immense sum in a country where purchasing power is low, where each franc saved is often the result of months, sometimes years, of sacrifices.
“I gave the OTP code without realizing what it would trigger,” she says. A few seconds later, the phone vibrated, and again. I looked at the screen. The balance showed zero. The 2,430,000 BIF had disappeared. Speechless, I stayed there for a long time. I didn’t understand. I stared at the phone, as if it would correct itself, as if the message might erase itself. This amount resulted from months of work, sacrifices accumulated, projects put aside. In a country where every franc counts, the silence that followed was heavier than the loss itself. I had no more words. »
What Hamenyimana did not know then was that the OTP code that she had just transmitted refers to as the central element of a now well-established operating procedure. Such a fraud has become commonplace in the Mobile Money ecosystem in Burundi, exploiting user trust, ignorance of security mechanisms and persistent flaws in digital consumer protection.
After the shock, she turns to Lumitel, hoping for protection and support. But operator intervention remains limited. “My complaint to Lumitel was only limited to the revelation of how my money was transferred to different Lumicash accounts,” she testifies. No clear repair mechanism, no responsibility assumed; only a technical observation.
The paradox is disturbing. A company supposed to secure transactions and defend the interests of its users appears absent at the most critical moment. This institutional invisibility raises many questions: how far does the responsibility of Mobile Money operators extend?
Hamenyimana’s story is not an isolated case. It illustrates a silent reality: in a rapidly expanding digital environment, the speed of innovation often exceeds the strength of protection mechanisms. And when fraud strikes, it is the users alone who face the music.
Cybercrooks stole more than 150 million BIF in 2024
According to the Commissioner General of the Judicial Police (PJ), Police Brigadier General Joseph Kenyatta, from January to December 2024, cybercrooks (digital fraudsters) embezzled more than 157 million BIF through Lumicash and EcoCash mobile transactions. During the same period, 4,270 cell phones were also stolen.
Kenyatta also specifies that the police have the necessary means to investigate the issue, identify and arrest cybercriminals. “For example, of the 157 million BIF stolen, over 111 million BIF was recovered and 480 phones were returned to their owners,” he said.
However, these efforts remain insufficient, to the extent that the role of mobile telephone companies in preventing and combating these cyberscams remains little visible, particularly in terms of securing mobile payment services and protecting subscribers.
Between awareness and call for vigilance
Faced with the increase in digital fraud, Lumitel, through its spokesperson Hervé Nkunzimana, specifies that the fight cannot be waged with Lumitel alone. For the operator, the eradication of this scourge relies on a tripartite synergy: the action of the Regulator (ARCT), the commitment of the operator and the vigilance of users.
A national campaign draws near
A vast awareness campaign led by the ARCT, in collaboration with telecom operators, is currently in the preparation phase. Scheduled for the first weeks of January 2026, this pilot initiative aims to educate users on the security behaviors to adopt to thwart theft attempts.
The OTP code, a safe key that can never be shared
Lumitel recalls golden rules often ignored by victims, emphasizing through the voice of Hervé, its spokesperson, that the OTP Code is strictly personal and that the company never asks its customers for it. No technician is authorized to claim it; users must not disclose it under any pretext, even to an individual posing as an official agent. Furthermore, in case of doubt, confusion or suspicious message, customers are urged to contact customer service through the toll-free number 100.
This response from Lumitel, although pragmatic, leaves a taste of unfinished business. By emphasizing the user’s responsibility (the refusal to give their OTP code) and an awareness campaign to come in 2026, the operator seems to be moving the blame cursor towards the victim. If awareness is necessary, it does not answer the fundamental question raised by the experts: the proactive technical protection of systems and the compensation of users harmed by flaws that go beyond simple human error. Until January 2026, subscribers remain on the front line, with their own vigilance as their only weapon.
User slip or master’s skip?
However, this discourse centered on individual vigilance appears rather fragile when set against the marble pillars of Law No. 1/10 of March 16, 2022 on the prevention and repression of cybercrime.
Indeed, where caution is merely advised, Article 5 of the same law brandishes the sword of obligation. Service providers are no longer mere spectators; they are entrusted with a genuine watchdog mission.
Concretely, they have the duty to enlighten their clients about lurking threats, to build smooth reporting channels, and to shed light on fraud mechanisms. More importantly, the law compels them to break the silence by disclosing abuses, both to victims and to the competent authorities.
In other words, we are no longer in the realm of suggestion, but in that of constraint. The law transforms simple awareness into an armor of legal responsibility. It does not merely wait; it demands proactive action, procedures carved in stone and crystal-clear transparency.
It is precisely here that the gap widens. While operators focus the spotlight on user behavior, the legal text points instead to the provider’s duty. Thus, the center of gravity of the debate shifts: the question is no longer whether the customer properly locks the door, but whether the operator has built walls that comply with the law.
Therefore, if the announced campaign resembles a first stone laid in the building, it is far from being the roof. It leaves unresolved the pressing expectations of experts who, beyond words, call for impregnable technical safeguards and a financial safety net to compensate those who, despite everything, would have fallen into the trap.
When cybersecurity fails the user
In each case of Mobile Money fraud, operators almost systematically invoke user awareness and individual vigilance. It is a necessary wink, but largely insufficient, believes Ildegard Christian Bimeneyimana, information systems security expert. He is today a system administrator at REGIDESO (Water and Electricity Supply Authority), trainer and consultant in IT security, with several years of experience in higher education.
First and foremost, the expert makes it known that continuing to present the OTP as a sufficient security barrier is a dangerous illusion. According to him, technology already offers solutions capable of protecting the user, even when they have been deceived.
When the code meant to protect becomes the fraudster’s weapon
Bimeneyimana explains that, on a technical level, OTP is often known as the last security lock in Mobile Money systems. Once this code is validated, he specifies, the system automatically considers the transaction to be legitimate. This is precisely where the main flaw lies.
A fraudster pretends to be an agent of the operator through social engineering; tricks the user into disclosing their OTP code, then immediately executes several successive transactions such as transfers, merchant payments, and withdrawals before any detection, reveals the expert. Without dynamic limits, time limits or intelligent monitoring mechanisms, he says, an account can be emptied in minutes.
The expert mentions that, in the majority of documented fraud cases, the OTP is obtained through social engineering, notably through fake calls and pretend agents. He also specifies that SIM swapping is on the rise, sometimes facilitated by internal complicity or insufficient controls, while network breaches remain rare, although possible in poorly secured systems.
Behind human error, systems turn a blind eye
However, Bimeneyimana wishes to clarify: responsibility rests neither exclusively on the user nor solely on the system. He points out that it is clearly a combination of the two. The user remains the weak link due to a lack of awareness, but the system, he insists, is often insufficiently intelligent.
According to him, many current systems do not have behavioral analysis, do not include security delays and do not automatically block operations that are clearly abnormal. He recalls that, contrary to popular belief, an operator can technically block a transaction even when the OTP is correct. Advanced systems, he says, use anti-fraud rules, risk scores and additional confirmations.
He indicates that automatic detection mechanisms should include the analysis of user habits, the detection of unusual amounts, inconsistencies in geographical location, burst transactions, the appearance of new suspicious beneficiaries or even recent changes of SIM or telephone.
Blocking fraud is possible: the technology exists, the will is lacking
Beyond awareness, Bimeneyimana calls for concrete measures: dynamic limits based on risk, validation times for sensitive transactions, automatic blocking after suspicious attempts, biometric authentication when possible, reinforced training of Mobile Money agents and regular security audits.
He specifies that these measures are technically realistic in the Burundian context and already exist in several comparable African countries. The real challenge, he emphasizes, is above all organizational, budgetary and regulatory, much more than technological.
For users with low literacy or living in rural areas, the expert indicates that adapted solutions are essential: voice messages in local languages, simplified menus and restriction of sensitive transactions to agencies, voice or biometric confirmations and community campaigns involving local leaders.
When fraud occurs, he finally insists, the speed of reaction is decisive. He specifies that the immediate blocking of the victim account, that of the beneficiary accounts, the analysis of transaction logs and cooperation with law enforcement can make it possible to trace and sometimes recover the funds. The main problem, according to him, is not the technical impossibility, but the slowness of reaction, with every minute worsening the dispersion of funds.
On an institutional level, Bimeneyimana believes that the Burundian framework remains insufficient. He says that the ARCT, the BRB and the State should require minimum cybersecurity standards, regular independent audits, maximum response times and clearly defined accountability. If this responsibility must be shared, he specifies, it must be increased for the operators, because they are the ones who master the technology.
And to conclude bluntly: “Operators must stop considering the OTP as sufficient proof of legitimacy and put in place intelligent systems capable of blocking fraud even when the OTP is correct.”
An engine of growth in a legal desert
Mobile Money has radically transformed the daily lives of Burundians. Indeed, in Burundi, traditional banking access remains limited. A simple telephone is now enough to pay, send or receive money, making this tool the main or the unique gateway to financial services for millions of citizens.
However, behind this meteoric growth and this infrastructure that has become vital, lies a more fragile reality. The system today seems to run faster than the law. As digital transactions intensify, responsibilities in the event of fraud, technical malfunction or financial loss remain trapped in gray areas.
For Francine Kankindi, a lawyer specializing in business law and doctoral student in digital law at the University of Burundi, this discrepancy is alarming. A teacher and researcher, she highlights the legal and institutional flaws of a normative framework that struggles to effectively protect the end user. Between legislative void on data protection and contractual imbalance between operators and users, her analysis deciphers the challenges of a sector where innovation should no longer undermine legal security.
The legal vacuum trap
There is no law specifically dedicated to Mobile Money. The expert explains that operators are navigating between Law No. 1/22 of August 22, 2024 on the Electronic and Postal Communications Code, and Law No. 1/07 of May 11, 2018 on the national payment system. If this is enough to launch the technical service, this legislative “patchwork” leaves user protection aside. Direct consequence: fundamental digital rights are not clearly defined and the responsibilities of operators remain elusive in the event of a problem.
Your data, an unprotected treasure
The mobile service generates a considerable amount of sensitive data: Identity, transactions, history, to name but a few. Kankindi highlights the glaring absence of an independent law on the protection of personal data. Existing texts on cybercrime only protect indirectly. The user has no guarantee of consent, transparency or right of appeal regarding the use of their personal information.
The fragility of users faced with the transfer of responsibility in the event of theft
Telephone scams (“social engineering”) are commonplace. Faced with these risks, the legal situation is unbalanced: operators often discharge their responsibility through contractual clauses. “Recourses exist, but remain inaccessible, long and sometimes dissuasive, particularly for vulnerable populations,” warns the lawyer.
To secure the vital Mobile Money ecosystem in Burundi, Kankindi calls for urgent reforms including the adoption of a modern law on personal data, legal clarification of operators’ responsibilities, and improved access to remedies for victims. The expert is categorical: « tech development must not come at the expense of citizens’ rights, and Mobile Money needs a protective framework to guarantee the trust and security of all. »
Towards stronger digital governance
Faced with challenges related to transaction security and data protection, Burundian authorities say they are working to lay the foundations of a secure digital economy.
Bienvenue Irakoze, Executive Secretary of Information and Communication Technologies (SETIC) at the Ministry of Finance, Budget and Digital Economy, explains that the government, through the Support Project for Digital Economy Foundations (PAFEN), financed by the World Bank, supports the adoption of a law on the protection of personal data, currently in the process of ratification.
According to him, the project also develops a national cybersecurity strategy as well as a data hosting and management strategy, including studies for the creation of a national data center intended to ensure the secure storage of public information.
Furthermore, PAFEN prepares the deployment of a biometric digital identity, in collaboration with the Ministry responsible for the Interior. This identity must allow citizens to securely access digital services, digital payments and online public services. The goal, he specifies, is to guarantee security, reliability and digital inclusion for the entire population.
Beyond the figures, the announced reforms and the institutional promises, a reality remains: the future of Mobile Money now depends on trust. The mobile service has opened the doors to financial inclusion for millions of Burundians. In the absence of proper protection, this revolution risks, however, leaving the most vulnerable alone against cyberpredators. Thus, the urgency is no longer for adoption, but for protection, because, in the end, a digital economy that does not ensure the security of its citizens ends up betraying them.
For Nijimbere, the phone is still her safe. But each message received is now a bet between hope and fear. As long as trust is not guaranteed, each notification is a fragile promise that can make or break a future.
Burundi has already laid the groundwork for its Digital Public Infrastructure, one SIM card at a time. It’s a silent revolution. However, law, governance, and technology are still struggling to keep pace with this rapid innovation. The reality is that unless these frameworks catch up quickly, what was meant to be an engine for financial inclusion could dangerously turn into a breeding ground for fraud and abuse. Ultimately, the future of millions of Burundians now rests on one thing: the ability of authorities and operators to transform this digital promise into real-world protection.