How banks’ staff collude with fraudsters to steal billions from Kenyans

By MARK KAPCHANGA

Kenyans lose Sh15.5 million averagely every day in a multifaceted fraud that threatens the growth of the banking sector.

The shocking revelations by independent analysts and bank insiders show that innovative fraudsters use the most sophisticated technology to steal from banks.

The ring of former bank employees, in collusion with bank staff, incessantly conceives new tricks, making it hard for regulators to effectively monitor and check the scam.

They fleece banks through Automated Teller Machines (ATMs), suppression of customer deposits, fraudulent conversion of cheques and deceitful transfer and withdrawal of deposits.

In some cash machines in Nairobi, Mombasa, Nakuru and Eldoret, the fraudsters use tampered credit or debit card readers to copy the magnetic stripe from a payment card while a hidden camera captures the numbers on the face of the card.

The data recorded by the cameras and card stripe readers are subsequently used to produce duplicate cards that are used to make ATM withdrawals from the victims’ accounts.

Cheque truncation

Possibly, it is cheque fraud that could drain banks of their much-needed revenues. Through the newly-conceived cheque kiting, a cheque is deposited to a bank account and the money is made available immediately even though it is not removed from the account on which the cheque is drawn until it clears.

It involves intentionally writing a cheque for a value greater than the account balance from an account in one bank, then writing a cheque from another account in another bank, also with non-sufficient funds, with the second cheque serving to cover the non-existent funds from the first account.

The magnitude of the sting could balloon with the implementation of a new clearing cycle that will see cheque payments settled within a day. Known as T+1, the technology gives fraudsters a chance to make quick deals within a short time.

The Central Bank of Kenya (CBK) says that within two hours of receiving customer’s instruction, commercial banks must execute it. The no-delay plan means banks would have to strengthen their internal controls if they are to beat the fast rising fraud cases.

Interestingly, cheque transactions are not controlled by banks. As a result, fraudsters could collude with rogue printers to alter important security features.

“Since cheques are truncated, it means the corresponding bank does not receive the real cheque but its image. It therefore gives a smooth avenue to cons,” said a CBK insider.

Cheque truncation is the conversion of physical cheque into a substitute electronic form for transmission to the paying bank.

Major banks with a large customer base could be the most affected as their capacity to contact their customers individually to verify certain transactions is limited.

But it is the coming into play of Straight-Through Processing (STP) that will give banks sleepless nights. STP enables the entire payment transactions to be conducted electronically without any kind of manual intervention. Ideally, STP paves way to a same day settlement, or even less.

Traditionally, swift transactions involve the inputter, verifier and the authoriser. The input level involves keying in of all information for a transaction to be effected. They include the amount, currency, receiver, sender, account number and addresses.

For big banks, input functions are carried out at the branch level. In small banks, all the three functions are done at the head office.

The verifier independently checks and validates the information fed into the transaction before it is directed to the authoriser. This is a senior level role carried out by operations or forex managers. In other banks, this is the duty of the chief operating officer.

Dormant accounts

With the launch of STP, inputting, verification and authorisation will need a keener and accurate eye. “Fraud will definitely be hatched at the input level. However, the transaction must have the authoriser’s and verifier’s blessings,” a bank dealer told The Standard on Sunday in confidence.

The most common scam in swifts, experts say, involve bank insiders opening dormant accounts with virtually similar names as those of customers who frequently carry out the transactions.

Take Xavier Yzee with account number 101112 in a local bank. A bank insider may opt to open an account in the same bank as Mr Yzee, with account number, say 161920. The new account will have an almost a similar name, say Xerox Yzee.

At the input level, instead of putting X. (Xavier) Yzee, the inputter feeds in the system X. (Xerox) Yzee. With blessings from the verifier and the authoriser, the money will eventually land into account number 161920.

In most cases, the amount put will be the one Mr Xavier frequently sends. This is aimed at minimising suspicions in the transaction. “This is the harvesting ground for fraudsters,” said an Anti-Banking Fraud Unit officer.

According to CBK’s Banking Fraud Investigations Department (BFID), financial institutions lost Sh1.5 billion from customers’ accounts between April 2012 and April 2013. However, critics say the figure could be about 30 per cent of the total loses banks encounter through fraud.

 “Banks are cautious when it comes to reporting on fraud. They seldom disclose fully what they have lost. Instead, they deal with them internally. That is why the figure is as small as it is despite the rising number and scale of theft in banks,” said a member of BFID.

Perhaps, this explains why, despite our multiple requests for fraud statistics from CBK, our emails and telephone calls went unattended to.

The grim picture in the banking sector is painted by our investigations which reveal that fraud has been rising almost in tandem with the expansion of banks.

Sophisticated cartels

Deloitte’s Director of Forensic and Litigation Support Robert Nyamu says the sophisticated cartels of fraudsters, some of them operating outside Kenya, are working day in, day out to beat anti-fraud walls erected by banks.

“They are determined to succeed. They have invested heavily in these criminal acts. They even hold conferences and seminars to discuss how to defraud banks,” said Mr Nyamu.

A local bank fraudulently lost Sh7.53 million through an international money transfer outfit. Sources at the bank say the money was paid out in a European country.

In this case, a total of 22 money transfer deposit transactions were purported to have been made in three days running between April 5 and April 7. Some Sh356,875.95 was blocked on the system due to “compliance issue”.

Our indepth investigations indicate that the deposits were made into the system using a terminal ID belonging to local owners whose names we have in our possession.

The money transfer logins seen by The Standard on Sunday show that the transactions were executed at three Internet Protocol (IP) addresses; the bank branch, a nursing school and a city cyber café.

The cyber café deal was sealed on a Sunday using an individual’s password. Yet it is alleged that he was not on duty.  The branch transaction was executed using a certificate installed in by another individual who later claimed to have been off work.

 “This is indicative that the machines used to perpetrate fraud were not those in the bank’s premises. It only confirms how sophisticated fraudsters are evolving,” says a bank source knowledgeable with the fraud.

The Standard on Sunday has established that five members of staff at the bank were dismissed as a result of the incident. They include managers and officers at the bank’s Money Transfer Services.

Hidden trail

According to Mr Nyamu, most fraud cases arise due to the fact that bank insiders collude with technologically-rich hackers. “There are minimum cases of robberies in banks or theft of cash-in-transit. Today, 99 per cent of frauds involve technology,” he said.

The most common one is the use of dormant accounts. Here, funds are moved from one point to another until it leaves the bank to confuse the system. The inactive accounts are also used as conduits in the transfer of stolen funds.

“It is unusual for the loot to be cashed in on the same bank because the fraudsters want to hide the trail of where the money has ended up,” Mr Nyamu said.

Experts say the money is normally cashed in regions with weak banking regulatory regimes such as South America, Asia and West Africa.

According to Kenya Bankers Association CEO Habil Olaka, individual banks should put in an elaborate internal control system to ensure that the system is not interfered with.