Gone in 12 months: How fraudsters stole $17m from Kenya’s banks

Tech-savvy employees stole at least Ksh1.5bn ($17.64m) from Kenyan banks between April 2012 and April 2013. Investigators managed to recover only Ksh530m ($6.2m).


In public, banking executives in Kenya exhibit optimism that white-collar crime rates will soon come down, but in private, they are a worried lot. Latest statistics on banking fraud explain why:

Fraudsters have stolen at least Ksh1.5 billion ($17.64 million) from Kenyan banks in the past one year, in schemes hatched by technology-savvy bank employees.

According to data from the Banking Fraud Investigations Department (BFID), financial institutions reported Ksh1.49 billion ($17.52 million) stolen from customers’ accounts between April 2012 and April 2013. Investigators managed to recover only Ksh530 million ($6.2 million). Several cases are pending in court or are still under investigation.

The data indicates that between November 2012 and April this year alone, a total of Ksh952 million ($11.2 million) was stolen. Of this, only Ksh345 million ($4.05 million) was recovered.

Security experts say the amounts reported reflect only a small portion of the real losses suffered since banks prefer internal disciplinary measures in cases involving thieving employees.

“Of all the risks, reputational risk is the worst. Most banks would rather keep cases of attempted fraud or actual fraud under wraps to avoid the damage disclosure would do to their reputation,” said a security director at a top financial institution. “Most of these cases involve bank employees,” he added.

The BFID data shows at least half of the crimes reported had a bank employee involved.

A top banker estimates the amounts lost could be more than triple what is reported, suggesting banks may have lost close to Ksh2 billion ($23.52 million) in the six months to April.

Growing cases of fraud and cyber crime mean that financial institutions need to urgently invest in detection and preventive mechanisms as today’s fraudsters are increasingly sophisticated.

The investigation agency, in its monthly crime reports seen by The EastAfrican, cited identity theft, electronic funds transfer, bad cheques, credit card fraud, loan fraud, forgery of documents and online fraud as some of the ways used to defraud financial institutions.

Of the 20 cases taken to court in April this year, six involved cheque fraud and five forgery.

Most of these crimes keep recurring, raising questions over the ability of financial institutions to seal loopholes in their systems.

Kenya’s top five banks by profitability — Equity, Co-operative, Standard Chartered, KCB and Barclays — were the worst hit by fraudsters.

Of the 20 cases taken to court in April, 15 are shared among the top five banks as complainants. Most of the attempted or actual fraud involved amounts between Ksh500,000 ($5,880) and Ksh4 million ($47,000).

Late last year, Standard Chartered customers fell victim to the scam when they found anomalies in their accounts: withdrawals had been made without their knowledge. The bank had to send cautionary messages to customers.

“Active accounts are the worst hit since most people are not keen to keep track of the transactions,” said Benjamin Nkungi, chief executive officer at the Association of Microfinance Institutions. “Financial crimes have become a huge risk to institutions. The losses are substantial,” he added.

Since the beginning of the year, the amounts involved have been falling while the amount recovered has been on the rise, pointing to light at the end of the tunnel.

However, recovery rates have over the past one year oscillated below half of the amounts involved, which risk and security analysts said was an indicator that financial institutions were detecting fraud long after the felonies were committed. Of the Ksh102.2 million ($1.2 million) reported stolen in April, only Ksh45.2 million ($531,300) was recovered, representing a 44.2 per cent recovery rate.

The number of reported cases since November has been averaging 50 each month, with only half of them successfully investigated, a signal of how fraudsters are becoming more adept at covering their tracks.

In April, for example, of the 58 cases reported — the highest number since November — only 20 were successfully investigated and the accused persons charged before various courts.

Kenya is not alone in battling bank fraud. A 2012 report by audit and advisory firm Deloitte shows that East African banks lost an estimated $48.3 million (Ksh4 billion) to fraudsters last year, exposing the weak security mechanisms of regional banks that make them vulnerable to criminals.

Although the adoption of technology and automation of systems have improved efficiency in the banking sector, they have also exposed banks to fraud as criminals hack into their systems and quickly transfer funds from accounts.

Ironically, the Real Time Gross Settlement System (RTGS) and other electronic money transfer modes, which were invented to deal with fraud, are the most vulnerable.

The system was expected to curb fraud in cheque payments over Ksh1 million ($11,600). The RTGS is a system where transfer of money or securities takes place from one bank to another without being subjected to any waiting period. The transactions are settled as soon as they are processed.

It is projected that financial crimes could rise as more people turn to cashless transactions.

Central Bank of Kenya data shows that the value of card transactions rose by 74.74 per cent to Ksh1.009 trillion ($11.74 billion) in the 12 months ended December last year, compared with Ksh577.85 billion ($6.71 billion) transacted for the period ended December 2011. Over the same period, the value of transactions through mobile phones, which are mostly used by retailers, hit Ksh1.54 trillion ($17.96 billion), a 32.13 per cent increase from the previous year’s Ksh1.16 trillion ($13.59 billion).

The increased incidence of fraud has prompted banks to individually or jointly craft initiatives to stem the crimes.

Consumers are, for example, set to benefit from the adoption of anti-fraud chip-PIN technology to be rolled out by all local banks in six months. Bankers, through the Kenya Bankers Association, in consultation with CBK, joined hands earlier this year in an industry-wide approach which hopes to end banking fraud on automated teller machines.

Skimmers in the hall

In the recent past, consumers have grappled with losses, caused by criminals who counterfeit ATM cards. The criminals place readers in the ATM slots (skimmers) that steal card details that are later used to duplicate the card and fleece the owner’s account.

The CBK, in its Bank Supervision Report 2012 released on Monday, says that, to stem the increase in fraud, banks have introduced SMS and e-mail alerts to keep customers apprised of any entries to their accounts.

Risk experts said a growing number of technology-savvy bank employees and increased access to the Internet have opened Kenya up to fraud. A 2011 survey by financial services consulting firm Deloitte shows a young technophile, who has worked for one organisation for several years, is the possible mastermind of fraud cases.

Deloitte said companies, especially those dealing with huge sums of money like banks and supermarkets, are ill-prepared to fight this onslaught, which is costing them millions of dollars annually arising from information security breaches and corporate theft.

Risk experts said while rising cases of fraud are motivated by personal greed, there are increasing cases which are driven by pressure on individuals to achieve higher profit and budget targets.

They argued the average fraudster is no longer a ghostly outsider probing the organisation for vulnerabilities, but an insider.

The EAC is considering adopting uniform laws to fight cyber crime, covering electronic transactions, signatures and authentication, data protection and privacy. The initiative has already been approved by the EAC Council of Ministers.