Introduction
During a recent trip to Ghana, I saw something that should genuinely trouble regulators, telecom operators, and anyone who cares about the integrity of financial crime controls. It wasn’t some sophisticated cyberattack or a dark-web scheme. It was an ordinary SIM registration agent, doing what had apparently become a completely normal thing, and offering me a shortcut that gutted the entire logic of the system in a single sentence.
Before I get to that moment, a little context.
In the global fight against financial crime, policies are necessary but they’re never enough on their own. Implementation is what actually decides whether a control works or just looks good on paper. The Financial Action Task Force sets the international standards for anti-money laundering, laying out principles that countries are expected to adapt to their own situations. And they purposely avoid dictating specific tools, because what works in one place may not work in another. That flexibility is sensible, but it also means that when execution is weak, the whole thing can quietly fall apart.
One of the tools many developing economies have pinned a lot of hope on is SIM registration. The idea is simple and powerful: if you can tie every SIM card to a verified identity, you strip away the anonymity that enables fraud, terrorism, social engineering scams, and the coordination of illicit financial flows. You build in traceability and accountability, which are two pillars of any effective AML system. SIM registration, on paper, supports AML compliance, fraud prevention, and national security all at once.
But here’s the catch: it doesn’t work if the execution is broken. And right now, in too many places, it is.
Most African countries don’t limit people to a single SIM because there are perfectly legitimate reasons for having more than one, such as parents or guardians registering SIM cards on behalf of minors, separating work and personal life, juggling different providers for better coverage or cheaper data, and using a dedicated SIM for a tablet or a modem. Regulators try to strike a balance between convenience and control. They usually set a cap.
In Ghana, for instance, citizens can register up to 10 SIMs[i] across all networks, and foreign nationals are limited to three. Businesses can have more, but each SIM has to be linked to a responsible individual, someone who carries the liability if that number is used for fraud.
Nigeria is stricter, generally capping it at around four[ii]. Kenya[iii] and Uganda[iv] don’t enforce a fixed cap but lean on rigorous identity checks instead. South Africa relies on its broader ID laws. The numbers vary across the board. However, the real issue isn’t the quantity. It’s the quality of enforcement. A well-policed system can manage higher limits just fine. A poorly policed one fails even with the tightest caps, because people simply find ways around them, like registering SIMs in someone else’s name.
That brings me back to Ghana. On paper, the country’s SIM registration framework has been significantly strengthened. Reforms between 2021 and 2022 made the Ghana Card mandatory, introduced biometric verification with fingerprints and facial capture, and integrated everything with national identity databases. It sounds like a model system: unique identity binding, reduced anonymity, better oversight of the mobile money ecosystem that functions as a de facto banking system for millions. The theory is sound.
But theory isn’t what I encountered on the ground.
I was registering a SIM, and the agent casually asked if I’d like to use my Ghana Card to register another SIM for a close family member who was with me right there and was there to get a new SIM as well. They just needed my “consent.” They’d issue a new SIM in my name, and this family member, of the opposite sex, no less, would then use it. It was presented not as some shady backroom deal but as a routine, perfectly normal option. In that moment, the entire concept of “know your customer” was reduced to a box-ticking exercise. Identity was no longer about who would actually be using the number; it was about whose ID was convenient to borrow.
And the consequences of that blink-and-you-miss-it breakdown don’t stop at registration. I later saw a man using SIM cards linked to mobile money accounts registered under female names to cash out money at a local agent location. The agent did not question it. No one batted an eye. Yet when that same individual tried to do the exact same thing at an official telecom office, he was rightly turned away because of the identity mismatch, but neither the SIM nor the related mobile money account was blocked. The formal channel did its job. The last-mile agent network didn’t. It must be noted that this striking inconsistency at the agent level is possible despite identity mismatches because many agents:
• Rely primarily on PIN verification, not identity checks
• Do not rigorously match the user to the registered SIM owner
So, they skip steps. And the system lets them, until something blows up.
I followed up with a major mobile money provider’s customer service desk, and an officer openly acknowledged that they’re aware their local agents often don’t enforce strict identity verification. When they find out about a mismatched SIM and account, they block it and shut it down. But that’s reactive, after the damage may already be done, and it depends on being made aware. The local agents themselves are wired differently; they’re driven by commissions, focused on volume, and lightly supervised. Hence, speed and sales numbers matter to the local agents more than verification steps. “Consent” has been wrongly elevated into a substitute for identity.
Why This Breakdown Matters
This pattern creates a two-tier compliance reality: formal banking and telecom channels maintain strong controls and high integrity, while their local agent networks, the very access points most people use daily, operate with dangerously weak controls and massive exposure. And because mobile money is, in practice, the banking system for a huge portion of the population, these weaknesses aren’t minor footnotes. They’re direct threats to the entire AML framework.
When identity traceability collapses, when a single person’s ID can spawn multiple SIMs used by different people, when mismatched names and genders are ignored during transactions, law enforcement can no longer confidently link a number to its true user. Fraud and impersonation become trivial. Bad actors can register SIMs with someone else’s identity, operate mobile money accounts under false names, and disappear without a trail. Illicit funds flow through unverified accounts, money laundering risk climbs, and terrorist financing channels become harder to spot. This directly eats away at the standards FATF advocates.
The bigger picture is sobering.
When practices like this become widespread, and I suspect they already are, SIM registration becomes ineffective in reality, while regulators may still be operating under a false sense of compliance. Fraud networks thrive on the gaps, and public trust in digital financial systems quietly erodes.
Root cause?
It’s structural, not accidental. As stated earlier, this is because the incentives are misaligned: agents are incentivized by commission, so commissions are prioritized over compliance. This is not just a training issue; it’s a systemic risk.
So, what needs to change?
We have to shift focus from policy design to enforcement or implementation quality. That means risk-based supervision of agents, genuine audits, and mystery shopping. It means redesigning incentives so that compensation is tied to compliance quality, not just transaction counts. It means real-time monitoring that can flag anomalies, like multiple SIMs registered to one ID but actively used by completely different biometric profiles. And it means enforcing strict penalties for improper registrations, not just on agents but on the operators who employ them.
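The monitoring rule described above, as an added example (not code from any operator or regulator): it flags IDs over the Ghana caps cited earlier, and IDs holding several SIMs where one is repeatedly used by a biometric profile other than the registrant's. The records, field layout, the assumption that a biometric profile is captured at transaction time, and the two-mismatch threshold are all constructed for illustration.

```python
from collections import defaultdict

# Caps the article cites for Ghana: 10 SIMs per citizen, 3 per foreign national.
SIM_CAP = {"citizen": 10, "foreign": 3}

# Constructed sample records; identifiers and field layout are hypothetical.
# (sim, registrant_id, registrant_type, biometric profile enrolled at registration)
REGISTRATIONS = [
    ("sim-01", "ID-A", "citizen", "bio-A"),
    ("sim-02", "ID-A", "citizen", "bio-A"),
    ("sim-03", "ID-B", "citizen", "bio-B"),
    ("sim-04", "ID-C", "foreign", "bio-C"),
    ("sim-05", "ID-C", "foreign", "bio-C"),
    ("sim-06", "ID-C", "foreign", "bio-C"),
    ("sim-07", "ID-C", "foreign", "bio-C"),
]
# (sim, biometric profile captured at a transaction such as a cash-out)
USAGE_EVENTS = [
    ("sim-01", "bio-A"), ("sim-02", "bio-X"), ("sim-02", "bio-X"),
    ("sim-02", "bio-X"), ("sim-03", "bio-Y"), ("sim-04", "bio-C"),
]

def flag_anomalies(registrations, usage_events, min_mismatches=2):
    """Return sorted (registrant_id, reason, sims) alerts."""
    sims_by_id, owner = defaultdict(list), {}
    for sim, reg_id, reg_type, profile in registrations:
        sims_by_id[reg_id].append(sim)
        owner[sim] = (reg_type, profile)

    # Count, per SIM, transactions by each profile that is not the registrant's.
    mismatches = defaultdict(lambda: defaultdict(int))
    for sim, seen in usage_events:
        if sim in owner and seen != owner[sim][1]:
            mismatches[sim][seen] += 1

    alerts = []
    for reg_id, sims in sims_by_id.items():
        if len(sims) > SIM_CAP[owner[sims[0]][0]]:
            alerts.append((reg_id, "over_cap", sorted(sims)))
        # A single stray mismatch may be a bad capture; require repetition.
        borrowed = sorted(s for s in sims
                          if any(n >= min_mismatches for n in mismatches[s].values()))
        if len(sims) > 1 and borrowed:
            alerts.append((reg_id, "used_by_other_profile", borrowed))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in flag_anomalies(REGISTRATIONS, USAGE_EVENTS):
        print(alert)
```

In the sample data, ID-B's single mismatch on its only SIM stays below the threshold and is not flagged, which keeps one bad biometric capture from blocking a legitimate subscriber.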
Consumer awareness matters too
People need to understand the risks of letting someone else use their ID, and they should periodically check how many SIMs are registered in their name. Until that kind of enforcement becomes the norm, individuals have to protect themselves. Never let your ID be used for someone else’s SIM, no matter how harmless it sounds. Use official telecom centres for sensitive transactions. Report suspicious agent behaviour when you see it.
Conclusion
At its core, SIM registration works on one simple principle: one person, one verified identity. Anything less, like the casual “just give consent” offer I witnessed, undermines the whole thing. That moment wasn’t a failure of policy. It was a failure of execution, multiplied across countless agent interactions every single day. And strong AML systems aren’t built on well-crafted documents alone. They depend on consistent, disciplined implementation at every level. Right now, that consistency is exactly what’s missing.
How We Can Help
Our latest blog on SIM registration gaps, written by Nana Mantey, Founder and Lead Consultant at Opsel, explores how weak controls are creating significant AML and fraud risks across Africa. It highlights the key threats and practical steps institutions can take now. If your business needs AML or broader financial crime advisory support tailored to African markets, get in touch via our contact page or reach us directly by phone at +447950377849 or email at nana.mante@opselcompliance.com.
References
[i] https://moc.gov.gh/wp-content/uploads/2022/10/press-statement-on-SIM-registration..pdf
[ii] https://thenationonlineng.net/ncc-updates-sim-reg-nin-linkage-rules/
[iii] https://www.ca.go.ke/sites/default/files/2025-09/The%20Kenya%20Information%20and%20Communications%20%28Registration%20of%20Telecommunications%20Services%20Subscriber%29%20Regulations%202025.pdf
[iv] https://uccinfoblog.com/2020/12/05/the-uganda-communications-commission-operational-guidelines-on-sim-card-registration-in-uganda/

