Banks are splurging billions of shillings on updating and acquiring new software, retraining staff, and hiring new talent, highlighting the intensifying anti-fraud war amid rising threats to a sector that holds nearly Sh6 trillion in customer deposits.
Top commercial banks including KCB, Equity, Co-operative Bank of Kenya, NCBA, Stanbic Bank of Kenya and Absa Bank Kenya have all reported heightened attempted fraud, pushing them to invest in systems and people to fortify defences to detect, prevent and manage these threats.
NCBA, for instance, spent $31 million (Sh4.04 billion) on a system modernisation to “fortify its cybersecurity infrastructure” while Absa, which last year lost Sh49 million to fraudsters and thwarted attempted fraud worth Sh498 million, says it was forced to purchase new fraud systems as well as carry out upgrades.
Other lenders stepped up training of staff on the ever-evolving trends in fraud and dismissed employees aiding theft. KCB handled 48 disciplinary cases related to fraud, in which it dismissed 22 employees while 26 resigned during the investigation, noting that its disciplinary process is “an effective means of deterrence of fraudulent activities.”
Banks say last year was particularly bad with incidents related to fraud, data privacy, cyberattacks and cybersecurity threats increasing. This manifested in different forms including social engineering, phishing, and ransomware attacks.
“Cyber risk continues to increase within the financial industry with more sophisticated attacks being meted on banks by exploiting vulnerabilities within the banks’ network and core banking systems to facilitate fraud or disrupt business operations,” said Stanbic Holdings in the latest annual report.
Diamond Trust Bank (DTB) said two of its “most challenging” customer experience issues for last year were service dilution and fraud, adding that the year presented increased incidents of reputational risk exposures related to cybersecurity and fraud, particularly around social engineering and ransomware attacks.
DTB said prevalent and emerging trends are now centred on “loan and mobile banking fraud and embezzlement.”
“For mobile banking fraud, individual customers proved to be the vulnerable link, inadvertently sharing confidential information with fraudsters posing as representatives of banks or mobile service providers,” said DTB.
Banks have had to respond through new investments from markets such as the US and India, with the likes of Co-operative Bank of Kenya (Co-op Bank) and Stanbic migrating to new core banking systems. Co-op Bank rolled out a $50 million (Sh6.5 billion) system dubbed Finacle to, among other things, cut downtime incidents and enhance the security of transactions.
“Acknowledging the escalating threat of cyber risks within the industry, we have fortified our defences to detect, prevent and manage these threats. To enhance our staff’s ability to mitigate emerging threats, we conduct regular trainings on anti-money laundering/combating the financing of terrorism (AML/CFT), with over 7,100 trainings having been conducted in 2023,” said Co-op Bank in the annual report.
The increased investment in the anti-fraud war has also come on the back of regulators imposing stricter guidelines and enforcement mechanisms that expose banks to huge financial fines when fraud or customer data leakages occur.
KCB said it last year frustrated 249 fraud incidents but did not mention the amount of money at stake. The lender reacted through training in the areas that had process lapses and improved controls on app sign-ups and Vooma wallet deposits. These efforts, it says, significantly reduced the number of social engineering cases.
KCB says it has now restricted Vooma mobile wallet top-ups to the customer's own number and enhanced security features on mobile banking app activation, such as the use of one-time PINs, which has cut customers' exposure to social engineering.
“In 2023, exposures to successful fraud reduced by 70.5 percent compared to 2022, with the main drivers being internal and mobile banking-related frauds. The reduction was attributed to our continuous actions to reduce fraud losses through the constant review and enhancement of control standards,” said KCB.
The lender says it has invested in a new anti-fraud system that has automated the detection of fraud across banking systems by enabling the identification of unusual behaviour.
In July and August last year, Kenya’s digital infrastructure became the target of a series of distributed denial-of-service (DDoS) attacks that affected both public and private institutions.
KCB says the wave of cyber-attacks in the region has heightened its focus on building a defence against “nefarious threat actors” by investing in people, processes, and technologies.
“The organisation has and continues to make significant investments in cybersecurity controls across the various layers of technology, to ensure that the organisation can prevent, detect, respond to, and recover from cyber threats and attacks,” said KCB.
The growing threat and sophistication of cyberattacks, coupled with the increasing digitisation of banking products and services as well as the use of third-party partnerships, have served to increase the sector’s exposure to security risk.
DTB said it invested in advanced fraud detection tools and monitoring systems for real-time transaction monitoring, fraud analytics, and customer verification procedures to help identify and prevent fraudulent activities promptly.
“We also rolled out a defence-in-depth strategy, anchored on zero-trust architecture, which is a security architecture built to reduce a network’s attack surface, prevent lateral movement of threats, and lower the risk of data breaches,” said DTB.
The lender also developed a cloud computing policy to govern migration to and adoption of cloud technology. It expects to continue to invest in cyber and operational resilience this year.
The race to improve systems has also triggered a talent war in specialised roles such as information technology, as banks spend millions of shillings on upskilling existing employees but lose them to competitors.
Equity, which in mid-April this year suffered theft of Sh179.68 million by 551 account holders who received and fraudulently transferred the money to 11 banks and several M-Pesa accounts within seven days, has responded by beefing up its anti-fraud team.
The lender last month opened recruitment for key roles including a senior fraud manager for payments, a senior fraud manager in charge of insurance and investment, a senior manager for security, and a fraud risk analyst.
Equity Group CEO James Mwangi said: “It has been embarrassing seeing our customers being social-engineered and losing money.”
NCBA says it has invested in “cutting-edge” technology such as cloud migration, data quality management, server upgrades and robust protocols.
The lender says investing in the utmost protection of customers’ financial data and personal information is one step ahead in addressing cyber security threats.
NCBA says stricter guidelines and enforcement have left banks with no option but to significantly invest in technology, personnel, and infrastructure to avert erosion of trust and fines that come when customers lose money or information leaks to the public.
“Financial institutions found themselves grappling with the complexities of compliance, as non-compliance posed severe financial and reputational risks, prompting a fundamental reevaluation of risk management strategies,” says NCBA.
Absa says it aims to overhaul its backend processing by not only automating it but also augmenting the automation with machine learning and artificial intelligence to drive operational efficiency and enhance early fraud detection.
“Fraud and cyber-insecurity remain potent challenges for financial institutions, exacerbated by social engineering challenges and ever-shifting fraud trends requiring increased vigilance and responsiveness,” notes Absa.
Anti-money laundering (AML) and fraud prevention have become a focal point for regulatory compliance efforts, with authorities such as the Central Bank of Kenya and the Financial Reporting Centre ramping up efforts to combat financial crimes and illicit activities. This is especially so after Kenya was grey-listed last year by the Financial Action Task Force (FATF), the global money laundering and terrorist financing watchdog.
Banks were required to implement robust AML controls using advanced technologies to enhance transaction monitoring and detection capabilities.
Kenya closed 2023 as one of the jurisdictions under increased monitoring by FATF and is working with the watchdog to address strategic deficiencies to counter money laundering, terrorist financing, and proliferation financing (ML/TF/PF).
Lenders are projecting that Kenya’s efforts to get itself off the grey list (the jurisdictions under increased monitoring due to strategic deficiencies in countering ML/TF/PF risks) will see deeper regulatory scrutiny amid increased exposure to fines and penalties for non-compliance.
“Given this reality, we expect regulators to impose stringent requirements for safeguarding customer data and infrastructure, mandating comprehensive cybersecurity frameworks and regular assessments. This will likely increase the cost of compliance for NCBA Group, particularly given our broad relationships with global financial partners,” said NCBA.