Banks vulnerable to theft by staff, not just tunnel diggers

The three men suspected to be behind the theft of Sh52 million from the Thika KCB Bank branch arraigned on November 27, 2017. Theft from financial institutions cannot be fully eradicated but can be reduced significantly. PHOTO | ERIC WAINAINA | NATION MEDIA GROUP

What you need to know:

  • It is estimated that banks lose up to Sh500 million every month through fraud and unethical practices by their own staff.
  • The Cybercrime Investigation Unit estimates that Kenya lost more than Sh17 billion to hackers in 2016.
  • The banks must also thoroughly vet their employees and regularly conduct a lifestyle audit on all of them.

The temptation to raid banks has not only affected gangsters who dig tunnels to get to the strongrooms where money is kept.

Both senior and junior bank employees have also been entangled in the web, and while some have gotten away with it, many others have found themselves on the wrong side of the law, standing trial after they were accused of defrauding their employers.

It is estimated that banks lose up to Sh500 million every month through fraud and unethical practices by their own staff.

Often, however, little or none of the cash alleged to have been stolen in such circumstances is ever recovered.

In the recent past, however, there has been an increase in the number of people being charged in court over bank robbery-related charges.

CYBERCRIME
The Cybercrime Investigation Unit estimates that Kenya lost more than Sh17 billion to hackers in 2016, with theft of credit or debit card data and financial scams, bank salami attacks and hacking of the mobile banking systems being the greatest targets.

Last year, the Global Threat Index placed Kenya at position 69 out of the 127 countries that are vulnerable to cybercrime.

Police reports indicate that among the hackers are programmers who approach Saccos to create financial software.

They then create “a back door” that allows them to illegally access the accounts and siphon money from unsuspecting Saccos.

FINANCIAL LOSSES
In March this year, several hackers were arrested, among them KRA staff in the ICT department.

Tightly-held cybercrime records indicate that Kenyan private and public sectors lost Sh10 billion in 2015 with the financial sector losing Sh4 billion of that amount.

These cyber criminals, some of them employees, work with foreigners based in Spain, France, Moldova, and Belgium to gain access to various systems.

They work in cahoots with insiders who install malware in the banking system, which makes it possible to siphon money either from the bank itself or from customer accounts.

Malware is software that disables the legitimate banking systems while enabling hacking and the transfer of money without detection.

Such crimes are common around the festivities when banks record an increase in transactions.

COURT CASE
Given the threats and legal suits banks have been exposed to in the pursuit of money lost through fraud, it was a major relief to them when High Court Judge Joseph Sergon held in July that there was nothing wrong with Central Bank of Kenya (CBK) investigating the loss of Sh205 million, through fraud, in 2003.

Mr Peter Godfrey Ouma Okutoyi — a former CBK employee in the department of bank supervision — had sought orders directing the regulator to pay him Sh109,967,590.50 as special damages, with interest at court rates until payment was made in full, for malicious prosecution.

He also demanded to be paid the cost of the suit, claiming that he had been framed over the lost money, given the trial court acquitted him of all counts that had been preferred against him.

However, Mr Justice Sergon said it was evident that there was a loss of huge sums of money and as a result, a report was made to the police.

CBK

The officers conducted investigations and independently made the decision to prosecute Mr Okutoyi.

It could not, therefore, be said that the complaint by CBK, which led to the arrest of Mr Okutoyi, was actuated by malice.

CBK had complained to the police after two customers alleged irregular transactions of their Treasury Bonds.

“Mr Okutoyi has not disputed the fact that a colossal sum of money was lost, hence CBK was justified to complain,” Mr Justice Sergon said.

The judge, in the July 20 judgment, also said that though Mr Okutoyi had shown that his credibility had suffered a major blow, CBK could neither be held liable nor be condemned to pay damages for his loss of reputation since it had made a genuine complaint.

CHARGED
Mr Okutoyi was jointly charged and tried alongside Alex Rebiro Ngugi in whose bank account the lost money had been deposited.

Mr Okutoyi was eventually acquitted but Ngugi was convicted.

Notably, the mischievous schemes by employees have in some instances left the banks with huge losses after they were ordered to compensate innocent customers whose money was unlawfully transferred to illegitimate accounts.

High Court Judge Eric Ogola had in 2015 directed Equity Bank to pay Dyer & Blair Sh26,250,250 — plus interest at court rates — from May 12, 2008, being the time when the money was transferred into a fraudster’s account.

The fraudster had claimed to be a director of Dyer & Blair.

FRAUD
In his testimony before the court, the alleged Dyer & Blair director denied issuing instructions authorising the transfer through a phone conversation as had been alleged by the bank employee.

He further dismissed the alleged signatures on the purported letters of instructions dated May 12, 2008 as forgeries.

“In the absence of any such documentary evidence to the effect that the said director called Equity Bank to confirm the instructions in the disputed letters, it is difficult for the court to ascertain the veracity of Equity Bank’s position that the said director confirmed the disputed letters,” Mr Justice Ogola said.

The bank’s employee called Dyer & Blair’s office line but it could not go through.

The employee then called one of its directors and when the line went unanswered sent a text message.

FORMAL COMMUNICATION

This, according to the judge, did not appear to be the usual official way of conducting business in a bank, especially in a matter where the sums of money involved were colossal.

“In addition, the unexplained sense of urgency in getting Dyer & Blair to confirm the instructions is rather curious,” he said in his ruling.

“It is not clear why the Equity Bank’s employee did not stick to the official line.

“Due diligence demanded that Equity Bank’s operations manager or any other responsible official should have done an e-mail or a letter with regard to confirming the said instructions.”

CHASE BANK
Evidence presented in court had also shown that the monies were paid into the accounts of certain beneficiaries, and one of them was charged and convicted of stealing by a magistrate’s court.

The other fraudster was never apprehended.

Controversy over the loss of huge amounts of money has not spared bank directors either.

For instance, the directors of the collapsed Imperial Bank, Chase Bank, and Dubai Bank, have separately been charged in court over the loss of millions from the banks they headed.

And as opposed to the 1980s and 1990s, when armed robbers would storm into a bank and walk away with sacks full of money, today’s bank robbers are well informed and are armed with information and technology tools that make it easier for them to breach bank security measures.

Some also rely on personnel within the financial institutions to achieve their criminal goals, which are often discovered when the money is long gone and untraceable.

BREACH
As a result, the custodians of the law, from magistrates to Appeal Court judges, have not only made decisions aimed at mitigating further losses occasioned to banks as a result of the unlawful conduct, they have also caused some banks to pay dearly for the roles played by their employees in aiding such crimes.

In some instances, bank staff have also been penalised for failing to point out or prevent breaches that led to loss of money from their employers.

Earlier this month, for instance, Appellate judges Alnashir Visram, Wanjiru Karanja and Martha Koome upheld a decision by Cooperative Bank of Kenya Ltd to send home one of its employees who had failed to report that his colleague had taken more than Sh500,000 from the bank for personal use.

Although the amount was not colossal, the judges found that the principle behind the crime warranted the dismissal.

“We are satisfied that Cooperative Bank was justified in dismissing Samuel Njoroge for the reasons outlined in the dismissal letter.

“Besides, the bank’s own disciplinary code sets out what amounts to gross misconduct and subject to summary dismissal,” the judges ruled on December 8.

They also overturned a Labour Court decision that had ordered the bank to reinstate Mr Njoroge.

BUSINESS VENTURE
He had been designated as an ATM custodian together with Mr Jacob Kalama at the Cooperative Bank’s Mariakani Branch, in Kilifi County.

They were in charge of two ATMs. In December 2012, Mr Njoroge noticed that Sh576,000 was missing from one of the ATMs.

When he asked Jacob about it, Jacob confessed that he had taken the money to facilitate a business venture and would repay it.

However, he failed to fulfill his promise. Mr Njoroge did not report him because Jacob had pleaded with him not to.

As a consequence, Mr Njoroge was fired from his job and the Court of Appeal upheld the decision to sack him.

WITNESSES
The challenge in the fight against fraud in banks has been the fact that in many of the cases taken to court, the accused are freed for lack of evidence.

In many instances, trials are terminated before hearing is complete mostly because witnesses fail to turn up or the evidence is not available.

Theft from financial institutions cannot be fully eradicated but can be reduced significantly.

One way to do this is through risk mapping, where all the areas of vulnerability are identified and measures to address them are put in place.

Done correctly, this can significantly reduce the threat that has caused most banks to record losses running into millions of shillings.

ICT
Data from the Banking Fraud and Investigation Department (BFIU) indicates that cases relating to computer, mobile and Internet banking are on the rise.

To ensure that Information Technology (IT) systems within banks are safe, layers of security features must be put in place before a transaction is authorised.

The banks must also thoroughly vet their employees and regularly conduct a lifestyle audit on all of them.

“Some bank employees could be earning less but live a life beyond their known source(s) of income,” Mr Apollo Mboya, a lawyer, said.

Early this year, Central Bank of Kenya (CBK) introduced cyber security guidelines aimed at helping banks deal with cybercrimes and prepare for emerging threats.

SECURITY
The regulations require banks to compile and file with the regulator detailed reports of how they plan to curb cybersecurity threats.

The banks were mandated to review their cybersecurity strategies, policies and frameworks regularly based on each institution’s threat and vulnerability assessment.

In October last year, the Communications Authority of Kenya (CA) also established a Cyber Coordination Centre, where attacks on critical infrastructure can be reported.

This was a response to actual online attacks or threats.

Increased surveillance by this and other institutions has led to an increase in online insecurity.