9 min read Ogowkey team

Mobile money onboarding in Somalia: SIM-binding, NIRA, and what actually works

How mobile-money onboarding really runs in Somalia - SIM-binding, NIRA tie-ins, KYC at EVC Plus and Sahal, and the wallet-tier model that keeps it compliant.


Mobile money is not a payment channel in Somalia - it is the payment channel. EVC Plus, Sahal and Zaad collectively move more value every month than the formal Somali banking system handles in a quarter. For any fintech, telco or remittance operator planning to integrate with these rails, understanding how mobile-money onboarding actually works is mandatory.

This is a working guide to mobile-money onboarding in Somalia: who runs the rails, how SIM-binding and NIRA tie together, what wallet tiers look like, and where the compliance pressure sits in 2026.

The three rails

Three operators dominate the Somali mobile-money market:

  • EVC Plus, run by Hormuud Telecom, dominant in south-central Somalia and headquartered in Mogadishu.
  • Sahal, run by Somtel (part of the Dahabshiil group), strong in Puntland and the diaspora-remittance corridor.
  • Zaad, run by Telesom, the dominant rail in Somaliland.

There are smaller wallets, but virtually every fintech opportunity in Somalia goes through these three. Their KYC models are similar but not identical.

SIM-binding: why telco identity is load-bearing

Somali mobile-money wallets are bound to a SIM, not a separate user account. There is no "create wallet" step distinct from "have a SIM." When you register a SIM, you implicitly register a wallet.

This means the National Communications Authority (NCA) SIM-registration directive is, in practice, the KYC engine for mobile money. The directive requires telcos to collect:

  • Customer full name.
  • National ID or passport number.
  • Photo of the holder.
  • Address (district + city).
  • Biometric capture where available.

In Somaliland, the equivalent directive is issued by the Somaliland National Communications Commission.

For a fintech building on top of mobile money, this has two implications:

  1. The SIM is your identity primitive. A verified SIM number maps to a verified person, with reasonable confidence.
  2. You inherit the telco's KYC quality. If the telco was lax at SIM registration - and historically, some were - you inherit that risk. The remedy is to do your own KYC on top.

Wallet tiers and the limits regime

All three operators run a tiered wallet model. Higher tiers require stronger KYC:

| Tier | Daily limit (USD equivalent) | KYC required |
|---|---|---|
| Basic | ~$50 | Name + phone + self-declared ID number |
| Standard | ~$500 | Above + photo capture + NIRA verification |
| Plus | ~$2,000 | Above + biometric match + address proof |
| Business | Custom | Plus + entity verification + UBO |

The exact thresholds vary by operator and are revised periodically by the Central Bank. The pattern, though, is consistent: every notch up in transaction limits requires another verification step.

If you're building a service that needs higher limits - for example, a salary disbursement platform paying out via EVC Plus to merchants - your users need to be at Standard or above before you go live with them. Plan for the friction.

How onboarding actually runs

Walk into a Hormuud or Somtel agent's stand and the flow is concrete:

  1. You give your phone number (existing or new).
  2. You hand over your ID card - NIRA card preferred, passport accepted, driver's licence sometimes accepted regionally.
  3. The agent photographs the ID on both sides using a registration tablet.
  4. The agent takes your selfie at the stand.
  5. You sign on the tablet.
  6. The tablet uploads to the operator's KYC backend. NIRA verification runs server-side.
  7. You receive an SMS confirming activation, usually within seconds.

This is online onboarding, but agent-mediated. There is no self-service onboarding flow at scale yet - partly because document quality issues from unsupervised capture are too high, partly because the user base is not uniformly comfortable with self-service flows.

For a fintech, you have two paths to leverage this:

Path A: Use the operator's identity. Integrate with the wallet API, accept their KYC, and only do your own delta KYC for the specific risk your service introduces (large transfers, cross-border, lending).

Path B: Do your own onboarding. Capture documents yourself, run your own OCR, biometrics and NIRA verification, and use the wallet only as a money-movement rail. This is what most independent fintechs end up doing because it gives them control over the KYC quality and a portable customer identity.

Path B is more work but more durable. It's what Ogowkey is built for.

The NIRA tie-in

In 2024–2025, all three operators integrated with NIRA's verification API. When a customer presents a national ID card at SIM registration, the operator's tablet sends the ID number plus a captured selfie to NIRA. NIRA returns match or no_match against the registered biometric.

The headline effect: SIM-registration fraud dropped sharply in 2025 because the simple attack of "register a SIM with someone else's ID number" stopped working - the selfie now has to match the registered face on NIRA's side.

For your own onboarding, you can replicate this. If you're a licensed entity (and most fintechs operating in Somalia are required to be, under the CBS 2022 directive), you can integrate directly with NIRA. If not, you can use a service like Ogowkey that handles the NIRA call as part of an identity-verification API.

Either way, the principle is the same: selfie + ID + NIRA lookup is the modern Somali KYC primitive.

The OTP / phone-binding step

The customer's verified Somali phone number is your second strongest identity signal. Every onboarding flow should end with an OTP sent to the phone - both to confirm they actually own the number and to bind the wallet to a device they control.

Two practical notes:

  • SMS OTP delivery to some networks is unreliable at peak times. Build in a resend with a 30-second cool-down, and consider a voice fallback for repeat failures.
  • Don't let the customer change the phone number without re-doing KYC. A common fraud pattern is to KYC a wallet, then change the phone number out from under it. Lock the number to the verified identity, and require fresh selfie + ID for any change.
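The resend rule from the first note, as an added example (not Ogowkey's or any operator's code). It keeps per-number OTP state with the 30-second cool-down and a switch to voice after repeated delivery failures. The class name, the two-failure trigger, the 5-minute lifetime and the attempt cap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

RESEND_COOLDOWN_S = 30    # cool-down from the article
VOICE_AFTER_FAILURES = 2  # assumption: undelivered SMS before voice fallback
OTP_TTL_S = 300           # assumption: code lifetime in seconds
MAX_ATTEMPTS = 5          # assumption: guesses allowed per issued code


class OtpSession:
    """OTP state for one phone number during onboarding (hypothetical helper)."""

    def __init__(self, msisdn, key):
        self.msisdn, self.key = msisdn, key
        self.digest = self.sent_at = None
        self.failed_deliveries = self.attempts = 0

    def _mac(self, code):
        # Keep only a keyed digest of the code, bound to the number it was sent to.
        msg = f"{self.msisdn}:{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def send(self, now):
        """Issue a fresh code. Returns (channel, code); raises inside the cool-down."""
        if self.sent_at is not None and now - self.sent_at < RESEND_COOLDOWN_S:
            raise RuntimeError("resend requested inside cool-down")
        code = f"{secrets.randbelow(10**6):06d}"
        self.digest, self.sent_at, self.attempts = self._mac(code), now, 0
        voice = self.failed_deliveries >= VOICE_AFTER_FAILURES
        return ("voice" if voice else "sms"), code

    def delivery_failed(self):
        """Call when the SMS gateway reports the message as undelivered."""
        self.failed_deliveries += 1

    def verify(self, code, now):
        """Check a submitted code: expiry, attempt cap, constant-time compare."""
        if self.digest is None or now - self.sent_at > OTP_TTL_S:
            return False
        self.attempts += 1
        if self.attempts > MAX_ATTEMPTS:
            return False
        if not hmac.compare_digest(self.digest, self._mac(code)):
            return False
        self.digest = None  # single use: a verified code cannot be replayed
        return True
```

Because the digest is keyed to the number, a code issued for one number never verifies against a session for another, which is the property the number-change rule in the second note relies on.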

The address problem

Somalia does not have a uniform street-addressing system. A customer's address is "Hodan district, Mogadishu" or "Berbera, Saaxil." Trying to force a US-style line1/line2/city/state/zip will frustrate customers and produce garbage data.

The pragmatic approach:

  • Capture city and district (degmo) as mandatory.
  • Capture a landmark (mosque, market, school) as a free-text optional field.
  • For higher-tier onboarding, capture a utility bill or rental agreement as supporting evidence - but be aware that many customers live in housing without formal documentation.

SIM swap risk

The other side of "the SIM is the identity primitive" is that SIM-swap fraud is a real attack vector. A criminal who can socially engineer a telco agent into reissuing a SIM gains effective control of the victim's wallet.

The telcos have tightened this in 2025, but as a fintech you should not rely on the SIM alone for high-value operations. Your defences:

  • Device fingerprinting - a sudden change of device should trigger step-up authentication.
  • Behavioural signals - first-time large transfer after a long history of small ones should trigger a callback.
  • Selfie step-up for high-value transfers - even a brief liveness check raises the cost of attack dramatically.

We touch on the broader screening picture in AML compliance for East African fintechs.
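The three defences above combined into one decision function, as an added example rather than code from any operator or from Ogowkey. The class, the check names and all three thresholds are assumptions chosen for illustration. A new device becomes trusted only after the checks it triggered have passed.

```python
from dataclasses import dataclass, field
from statistics import median

HIGH_VALUE_USD = 500.0  # assumption: amount that always needs a selfie check
LARGE_MULTIPLE = 10     # assumption: "large" = 10x the customer's median transfer
MIN_HISTORY = 5         # assumption: transfers needed before behaviour is judged


@dataclass
class WalletRisk:
    """Per-wallet state used to decide step-up checks (hypothetical helper)."""
    known_devices: set = field(default_factory=set)
    amounts: list = field(default_factory=list)

    def assess(self, amount_usd, device_id):
        """Return the checks to demand before releasing this transfer."""
        checks = set()
        if self.known_devices and device_id not in self.known_devices:
            checks.add("step_up_auth")      # sudden change of device
        if (len(self.amounts) >= MIN_HISTORY
                and amount_usd >= LARGE_MULTIPLE * median(self.amounts)
                and amount_usd > max(self.amounts)):
            checks.add("callback")          # first large transfer after small ones
        if amount_usd >= HIGH_VALUE_USD:
            checks.add("selfie_liveness")   # high value regardless of history
        return checks

    def commit(self, amount_usd, device_id, passed_checks):
        """Record a transfer; trust a new device only after its checks passed."""
        if not self.assess(amount_usd, device_id) <= set(passed_checks):
            return False                    # outstanding checks: block the transfer
        self.known_devices.add(device_id)
        self.amounts.append(amount_usd)
        return True
```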

Putting it together

A defensible mobile-money onboarding flow for a Somali fintech in 2026 looks like this:

  1. Capture phone number, send OTP.
  2. Capture ID document (NIRA card, passport or accepted alternative) with guided framing.
  3. Capture selfie with passive liveness.
  4. OCR + MRZ validation of the ID - see our deep-dive on verifying Somali IDs.
  5. Face match ID portrait vs selfie at 0.80 threshold for retail.
  6. NIRA verification for licensed flows.
  7. Sanctions / PEP screening on the verified name.
  8. Bind wallet to verified SIM and device.
  9. Signed audit log of every step.

All of this can run inside 30 seconds end-to-end on a modern Android phone. Slowness is no longer a competitive defence - your users will defect to whoever's faster, given equal trust.
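One way to build the signed audit log of step 9, shown as an added example and not Ogowkey's implementation. Each record's HMAC tag covers the entry and the previous tag, so an edited, reordered or removed record breaks the chain. HMAC stands in for the signature here, on the assumption that the verifier may hold the key. Where it may not, an asymmetric signature takes its place. The step names and field layout are also assumptions.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64           # chain anchor for the first record
FACE_MATCH_THRESHOLD = 0.80  # retail threshold from step 5


def _tag(key, prev_tag, entry):
    # Canonical JSON so the same entry always produces the same bytes.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"|" + body, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only onboarding log; each tag covers the entry and the previous tag."""

    def __init__(self, key):
        self._key = key
        self.records = []

    def append(self, step, outcome, ts, detail=None):
        prev = self.records[-1]["tag"] if self.records else GENESIS
        entry = {"seq": len(self.records), "ts": ts, "step": step,
                 "outcome": outcome, "detail": detail or {}}
        self.records.append({"entry": entry, "tag": _tag(self._key, prev, entry)})

    def log_face_match(self, score, ts):
        """Step 5: record the score and the decision it produced."""
        outcome = "pass" if score >= FACE_MATCH_THRESHOLD else "fail"
        self.append("face_match", outcome, ts, {"score": score})
        return outcome


def first_bad_record(records, key):
    """Index of the first altered, reordered or inserted record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = _tag(key, prev, rec["entry"])
        if rec["entry"].get("seq") != i or not hmac.compare_digest(rec["tag"], expected):
            return i
        prev = rec["tag"]
    return -1
```

The chain alone does not reveal records dropped from the end, so store the latest tag and record count somewhere the log writer cannot modify.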

Closing

Mobile money in Somalia is mature, profitable and dominant. The KYC infrastructure around it has caught up in the last 18 months - NIRA integration changed what was possible, and the major operators have all moved. The opening for fintechs now isn't "does mobile money exist." It's "what verified-identity-backed service can you build on top of these rails." Onboarding is the gating step. Get it right.

If you're working on this and want to compare notes, the playground is the fastest way to feel out the API surface. Or [say hi](mailto:olow304@gmail.com?subject=Ogowkey%20-%20mobile%20money).