Kenyan banks lose Sh1.7bn to fraudsters in 3 months


Central Bank of Kenya. File

Banking fraud more than tripled in the third quarter of 2010, to Sh1.7 billion, with Kenya’s banking system emerging as a stealing ground for staff who see working at the banks as a licensed opportunity to collect cash for themselves - even as the country breaks records for the pace at which Kenyans move from being unbanked to banked.

With most fraud still not being reported, the soaring volume of banking crime being investigated by the police is a direct result of the lack of action by banks to correct the problem, reports the Banking Fraud Investigations Department (BFID).

A confidential report by the BFID last month revealed Sh390 million worth of reported frauds within Kenya’s banks from April to June this year, up Sh20 million on the previous quarter. But figures for the third quarter, show fraud during the 12 weeks from July to September this year, up at Sh1.7 billion.

Around half a billion of that amount was the result of a single attempted fraud through a transfer at Co-operative Bank of Kenya targeting a National Housing Corporation account.

The anti-fraud police department recovered close to a billion of the quarter three losses, including the Co-operative Bank transfer, but that leaves more than Sh700 million still untraced.

In the first months of the year, 108 suspects involved in 102 bank fraud cases were arrested and charged in courts. But only 8 cases were finalised, with 5 convictions, and 2 cases withdrawn.

Industry insiders say reported cases also represent only a fraction of the actual fraud.
“Many banks do not make full disclosures of what has been stolen because they think it is bad publicity,” said the head of security of one of the banks.

Of the reported frauds, a high percentage relate to electronic transfers and embezzlement, while cheque frauds also shot up in the third quarter, to Sh266 million, compared with Sh23 million in the second quarter. With bank staff able to access account details and see the number of the last cheque cleared, many are now having forged cheques drawn up, which they are then presenting for encashment, often on dormant accounts.

Bank tellers admit colluding with outsiders and even with their supervisors to defraud the banks they work for. A teller at Postbank reports how in a span of one year his colleague managed to defraud the bank in cohorts with the supervisor and the head cashier, depositing money to his wife’s bank account, since the tellers’ own accounts are constantly monitored. “He quit working after he had enough money.

“We knew he was doing it and we also feel tempted to do it. I handle so much money every day as deposit. Today, for example, I have just handed in Sh900,000 but I get peanuts as my pay. Give me one reason why I shouldn’t steal,” said the teller, who spoke on condition of anonymity.

PostBank has been organizing a series of anti-money laundering workshops to train its staff on detecting cases of bank related fraud and desisting from fraud.

Says another cashier from Equity Bank: “I have been doing it for the last 18 months, with the help of senior managers here. I need money, they pay me so little and expect me to handle so much money. I have a family to take care of.”

Staff report that many only join banks with the intention of defrauding customers. The methods used also keep evolving. In a bid to cap the amounts being stolen, CBK directed in September last year that cheques must be written only for amounts less than Sh1m, and introduced the Real Time Gross Settlement (RTGS) electronic clearing system to be used for amounts above Sh1m.

“This system eliminates the opportunities for fraud that could emanate from paper-based instructions such as cheques,” said CBK governor, Njuguna Ndungu and Richard Etemesi, in a joint commentary.

However, cheque frauds have since increased more than ten-fold in the total sums involved, while RTGS, combined with ETRs and SWIFT transfers, is now the largest means of frauds.

‘’The instantaneous and rapid nature of RTGS makes the system susceptible to fraud attacks,’’ said one banking fraud expert who did not wish to be named.

Her views were supported by Jimmy Mwithi, Security Manager at Consolidated Bank. ‘’We are now dealing with younger employees who are very sharp and IT savvy and after some time they learn how the system works and how to crack it,’’ he said.

The police unit has identified 15 ways through which staff are finding loop holes, including card fraud, identity theft, forgery and counterfeiting. Industry experts say around 80 per cent of the money stolen involves bank staff.

‘’No one is immune to fraud. Organisations should start appreciating fraud and put in place effective fraud risk assessment,’’ says Faith Basiye, Head of Group Forensic Services at Kenya Commercial Bank.

A manager at another bank faults flawed recruitment and vetting procedures, arguing it’s the number one cause of the frauds. 

The bank, according to the manager, recruits secondary school leavers awaiting university admission for cashier jobs, while giving them very basic banking training.

“They always mess with the accounts, they don’t know how to detect fake currency, how to spot a suspicious customer and are easily gullible, always being used as puppets by their supervisors and head clerks,” the manager said.

BFID - the police arm that investigates banking fraud – also expressed concern in the report over cases where banks do not act on warrants issued to them, in the process giving fraudsters more time to continue. Contrary to CBK regulations, the report also found that some ATM lobbies do not have CCTV cameras essential in deterring and investigating crime.

BFID further says that forensic auditing sections often fall under either internal audit or security department in some banks, which compromises their independence and integrity. It recommends setting up of independent forensic units within the banks.

Commercial banks are, however, now working to introduce in-house mechanisms to arrest the fraud. Equity Bank, Kenya’s biggest financial institution by customer base, recently signed a deal with a Belgian business partner EMV (Europay-Mastercard-VISA) for a card management system that speeds up transaction points to curb fraud.

The implementation of the Credit Reference Bureau system has also been hailed as a stepping stone to curbing the deluge of fraud, by helping address fraud by customers as banks share information on previous banking records.

The banks have yet to move to any formal sharing of information on banking staff.

However, the provisions of the Anti money Laundering Act, which came to effect on 28th June this year, should also now help in tracking down fraudsters. The Act requires financial institutions to submit suspicious transactions and Cash Threshold Reports to the Financial Reporting Centre, which will then be used to facilitate the gathering of financial intelligence for analysis. 

Some banks are also moving internally to curb the problem. Consolidated Bank has put in place a set of measures that include multi-level access points, where staff have different access rights in the system, password management and a rigid recruitment process.

‘’The fact is, a combination of security measures including CCTV cameras, access control and system checks minimize fraud opportunities,’’ said Mr Mwithi.

One of Kenya’s leading regional banks has in recent months separated the sending of ATM cards and pin numbers, which were previously sent to the card centre together. Another has introduced a system where customers set their own PIN numbers, rather than it being issued.

At a broader level, the forensic department set up by one of the banks in 2008, and made up of eight investigators, is now concentrating on fraud detection and prevention, using data mining software, rather than fraud investigation, as before. It has also conducted 150 training sessions this year, including for staff in Tanzania, Rwanda and Uganda, to help tellers and cashiers detect fraudulent transactions.

However, says BFID:  “Frauds involve misappropriation of assets and manipulation or distortion of data and most frauds result from basic failure and inadequacies of internal controls. Most frauds are committed by insiders usually in collusion with outside third parties and mostly are discovered by accident or tip offs rather than internal and external auditors.”

“The policies should stress the cardinal principles of separation of duties to ensure that one person does not originate and complete an assignment or entry. The policy should also emphasize dual control of sensitive areas such as strong rooms and locks to security documents and accounts.”