Delegated spending at scale.
Designing a system that allows people to spend on behalf of others without making shared spending feel exceptional, awkward, or risky at the moment it matters most.
- Role: UX design lead
- Platform: Consumer fintech (M-PESA)
- Users: Sponsors & beneficiaries
- Scope: Problem framing · system design · interaction model · cross-functional alignment
- Status: Launched
As of today, people already delegate spending. Existing tools just weren't designed for it.
Large-scale consumer platforms often need to support situations where one person pays on behalf of another. Think of parents supporting house managers, employers enabling field purchases, or families coordinating day-to-day expenses. While this behaviour is already common, most financial systems treat it as an exception, forcing people into workarounds that introduce friction, social exposure and anxiety at the point of payment.
As the UX design lead on the delegated spending system built on top of M-PESA rails, I was responsible for framing the problem, defining the system model and guiding cross-functional decisions to balance autonomy, safety and dignity at scale. Instead of focusing on transactions or controls in isolation, the efforts centered on a single outcome: ensuring that beneficiaries could complete payments with the same confidence and social ease as a primary account holder, neither transferring ownership nor eroding trust.
This case study focuses on how delegated agency was modeled as a system, including permissions, boundaries, states and trade-offs, to make shared spending feel normal in everyday, public payment moments.
Shared spending is already normal. Our tools just make it feel risky and awkward.
People often delegate spending in everyday situations: parents enabling household purchases, employers supporting on-site work or siblings helping manage expenses. In markets like East Africa, where mobile money underpins daily life, this behaviour is common and practical. Yet most financial platforms treat shared spending as an exception, forcing people into workarounds that technically function but feel fragile and uncomfortable in real-world use.
At the point of payment, failures are public and time-compressed. There is no opportunity to explain intent or recover socially, and even brief hesitation can expose dependency or power dynamics in front of others. Designing delegated spending therefore required more than enabling access. It required making shared payments feel normal, predictable and socially safe in the moments that matter most.
“The real risk is not misuse. It's hesitation at the moment of payment.”
Two users, two ways of thinking, and one fundamental mismatch.
Delegated spending involves two distinct roles with asymmetric responsibilities and risks. Rather than serving a single user, the system must work for people who think about money, control, and failure very differently, especially in public payment moments where confidence or hesitation is immediately visible. It was essential to design a system that could work without friction or misunderstanding.
- Sponsors
  - I want predictability without constant oversight
  - I'm accountable for this money, even when not present
  - I want control without constant interruptions
  - I fear misuse or unauthorized spending
- Beneficiaries
  - I'm just trying to get something done
  - I need autonomy to complete tasks
  - I'm sensitive to hesitation or public failure
  - Asking permission repeatedly is embarrassing
  - Friction feels like surveillance
Sponsors. Sponsors think in terms of rules, limits, and accountability. Their primary concern is predictability; knowing that spending will remain within boundaries they understand and agree to, without requiring constant oversight. Surprise, more than friction, is what erodes their willingness to delegate.
Beneficiaries. Beneficiaries think in terms of tasks and outcomes. Their confidence depends on being able to pay without hesitation, explanation, or visible failure at the point of sale. When constraints surface unexpectedly, the cost is not just inconvenience, but embarrassment and loss of dignity.
Mismatch in mental models. This creates a fundamental tension: systems optimized for sponsor control tend to surface rules at the moment of use, while systems optimized for beneficiary flow often obscure constraints. Resolving this mismatch required designing a system that could enforce boundaries invisibly, allowing beneficiaries to act confidently while sponsors retained clear authority and accountability.
Safety, clarity and dignity shaped every decision.
The principles derived were not aspirational values but rather direct responses to real constraints. In a system where payment failures are visible and difficult to recover from in the moment, poor UX decisions can quickly surface as hesitation, embarrassment or loss of trust with consequences that extend beyond the transaction into everyday spending.
Several realities defined the design space from the outset. Delegated spending needed to function across uneven power dynamics, informal relationships, and diverse contexts without training, contracts, or constant oversight. The system also had to operate at national scale, where predictability and clear accountability matter more than supporting every possible edge case.
These constraints shaped the design principles that followed. Designing for only one mental model proved insufficient: prioritizing sponsor control introduced friction and awkwardness for beneficiaries, while prioritizing beneficiary flow eroded sponsor trust and predictability. The system therefore needed to enforce boundaries invisibly, thereby protecting confidence and dignity at the moment of use, while preserving accountability and control behind the scenes.
Separating ownership, authority, and execution to preserve trust and normalcy.
Rather than transferring funds or sharing credentials, we designed the system around a delegated agency model. Ownership of money, authority to define boundaries, and execution of payments were treated as separate verticals, each with clear responsibility. This separation made it possible to extend spending access without exposing sponsors to surprises or beneficiaries to hesitation at the moment of payment.
- Sponsor
  - Owns funds
  - Defines spending boundaries
  - Remains accountable
- Platform
  - Enforces boundaries
  - Authorizes payments
  - Prevents misuse before execution
- Beneficiary
  - Executes payments
  - Operates within allowed space
  - Does not own funds
Delegated agency system model: ownership and accountability remain with the sponsor, while execution is delegated through the platform within clearly enforced boundaries. This structure allows shared spending to feel normal at the point of payment without transferring control or responsibility.
By separating ownership from execution, the system avoids common failure modes such as credential sharing, blind transfers, or public uncertainty at checkout. Sponsors retain confidence that outcomes will remain predictable, while beneficiaries can act without hesitation or explanation. The platform acts as the enforcing layer, absorbing complexity so that everyday payments feel ordinary rather than exceptional.
Designing guardrails that disappear at the moment of payment.
To make shared spending feel normal at the point of payment, safeguards needed to operate before a transaction was ever attempted. Rather than relying on approvals or corrections, the system defines a clear action space in advance. This ensures that beneficiaries only encounter situations where payments are expected to succeed. This approach protects dignity while giving sponsors confidence.
- Sponsor
  - Spending limits
  - Duration of access
  - Who can spend
  - Ability to pause or revoke
- Platform
  - Withdrawals blocked
  - Only approved payment types allowed
  - Real-time authorization
  - All actions auditable
- Beneficiary
  - Execute payments
  - Act without approval
  - No ownership of funds
  - Actions outside this space are impossible
This boundary-first approach ensures that beneficiaries are never put in a position where they must guess whether a payment will work. By constraining the action space ahead of time, the system absorbs risk invisibly and prevents socially costly failures at checkout. Sponsors benefit from clarity and predictability without needing to monitor or intervene in real time.
Modeling access as clear states avoids ambiguity and ensures predictable behaviour as permissions change over time.
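A minimal sketch of the boundary-first check and the access states described above, added here as an illustration and not Shiriki Pay's or M-PESA's actual code. The state names, payment-type labels and field names are assumptions; the page itself names only limits, duration, pause, revoke, blocked withdrawals and auditing.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import Enum

class State(Enum):  # assumed names; expiry is derived from expires_at
    ACTIVE = "active"
    PAUSED = "paused"
    REVOKED = "revoked"

# Assumed labels. Withdrawals are blocked by never appearing in the allow-list.
ALLOWED_TYPES = {"merchant_payment", "bill_payment"}

@dataclass
class Delegation:
    sponsor: str
    beneficiary: str
    limit: int                # total spend allowed, in minor currency units
    expires_at: datetime
    state: State = State.ACTIVE
    spent: int = 0
    audit: list = field(default_factory=list)

    def remaining(self, now):
        """Action space, known before any payment is attempted."""
        if self.state is not State.ACTIVE or now >= self.expires_at:
            return 0
        return self.limit - self.spent

    def set_state(self, actor, new_state, now):
        """Only the sponsor changes state; REVOKED is terminal."""
        ok = actor == self.sponsor and self.state is not State.REVOKED
        if ok:
            self.state = new_state
        self.audit.append((now, actor, "set_state", new_state.value, ok))
        return ok

    def authorize(self, actor, kind, amount, now):
        """Default-deny check run by the platform before funds move."""
        if actor != self.beneficiary:
            reason = "not_delegate"
        elif kind not in ALLOWED_TYPES:
            reason = "type_blocked"
        elif amount <= 0 or amount > self.remaining(now):
            reason = "outside_boundary"
        else:
            reason = "ok"
            self.spent += amount
        # Every attempt is recorded, allowed or denied.
        self.audit.append((now, actor, kind, amount, reason))
        return reason == "ok"
```

Because `remaining()` uses the same state and limit that `authorize()` enforces, a client can show the beneficiary what will succeed before they reach the till. A production version would also need the check and the debit to be atomic.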
Choosing predictability and dignity over maximum flexibility.
Not every legitimate edge case was supported. In a system involving real money and social exposure, flexibility often introduces ambiguity at the moment of use. Trade-offs were therefore made intentionally to preserve predictable behaviour, clear accountability, and confidence at checkout, even when this meant accepting friction in less common scenarios.
- No discretionary overrides at the point of payment. Ad-hoc exceptions were avoided to prevent pressure-driven decisions and public uncertainty.
- Limited support for urgent over-limit scenarios. Exceeding predefined boundaries requires deliberate reconfiguration rather than automatic escalation.
- Restricted action scope for beneficiaries. Some technically possible actions were intentionally blocked to avoid ambiguous responsibility after the configuration.
- Consistency over personalization. The system favours a small set of clear rules over highly customized configurations that are difficult to reason about.
These constraints were accepted as part of designing a system that people could trust without constant attention. By narrowing what was possible, the system made everyday use more reliable and socially comfortable for the majority of scenarios it was designed to support.
Aligning teams by reframing the problem, not negotiating features.
Designing delegated spending required close collaboration across product, engineering, and risk teams, each with different incentives and concerns. Product teams pushed for broader scenario coverage, while risk and compliance emphasized the dangers of ambiguity and misuse at scale. These tensions surfaced early and repeatedly as the system took shape.
I influenced alignment by shifting discussions away from individual features toward system behaviour and responsibility. By articulating mental model mismatches, failure modes, and accountability flows, I helped the team see how certain forms of flexibility would surface as public uncertainty or misplaced responsibility at checkout. This reframing allowed teams to agree on clear boundaries without framing constraints as compromises.
As a result, the group aligned on a boundary-first system model that balanced usability with predictability and safety. Design acted as the connective tissue between user experience, technical feasibility, and organizational risk tolerance, enabling decisions to scale consistently as the product moved into UAT.
Measuring success through confidence, predictability, and normal use.
Following public launch, the delegation system, now called Shiriki Pay by M-PESA, transitioned from a conceptual system into a live, market-facing product, with over 1.2 million customers opting in within the first 1.5 months and more than KES 350M in value shared. This early adoption validated that delegated spending is not an edge case, but a real and recurring behaviour, now formalized within the M-PESA ecosystem.
Beyond adoption, the more meaningful signal was behavioural. Customers were able to initiate and complete shared payments without the coordination, hesitation, or workarounds that previously defined these scenarios. The system's boundaries proved understandable in practice, with users anticipating outcomes as limits were reached or access changed, indicating that predictability, not feature breadth, was driving confidence.
The launch also reinforced that designing delegated systems is as much about distribution and integration as it is about interaction design. Embedding the experience within core payment journeys and aligning go-to-market efforts across different customer segments proved critical to adoption. More importantly, it confirmed that systems handling shared financial actions succeed when they prevent failure upfront, protect dignity at the point of use, and remain legible even as they scale across millions of users.