Panic As Coop Bank Systems Experience Downturn, Amid Fears Of Hacking

Dubbed “Co-op Akili Kali Innovation,” the challenge “is a call for passionate innovators to collaborate with Co-operative Bank of Kenya in building the next generation of financial solutions beneficial to the Co-operative movement and its membership of over 20 million Kenyans.”

NAIROBI, Kenya, October 30, 2020 – Just as two university students were being arraigned at Milimani Law Court for allegedly stealing KSh25 million from NCBA Bank through hacking, panic gripped Cooperative Bank’s account holders after the Bank’s systems collapsed countrywide amid fears of cash siphoning through hacking.

On Tuesday, October 27, 2020, the Bank’s internet and mobile banking services system collapsed.

To allay fears of the clientele, which was already in a panic mode, the Bank moved fast to reassure by posting a message on its social media platform: “APOLOGIES FOR THE INCONVENIENCE: We sincerely apologize that our mobile and internet banking services are currently unavailable. Our teams are resolving the challenge. Transactions at ATMs, Branches, Agents and at Merchant Outlets are available. We apologize for this inconvenience.”

Amid speculations that the Bank’s system had been breached by external hackers and internal collusion since the previous evening, efforts by The Sun Weekly to establish the cause of the system outage were futile as the management remained tightlipped even after demanding a questionnaire.

To allay fears of the clientele, which was already in a panic mode, the Bank moved fast to reassure by posting a message on its social media platform

This comes in the wake of heightened fraud and cyber risks targeting banks and e-commerce merchants. In the recent past fraudsters have adapted techniques to use more sophisticated tactics against consumers, banks and merchants.

On the same day, two second-year students at Jomo Kenyatta University of Agriculture and Technology (JKUAT) appeared before Senior Resident Magistrate Carolyne Muthoni. They were accused of hacking NCBA Bank’s system and stealing KSh25.4 million from its Upper Hill head office.

It is worth noting that this is not an isolated case with Coop Bank. A couple of months ago, the bank’s systems went on a complete shutdown, paralyzing operations with customers only carrying out minimal deposits and withdrawals through agents stationed inside banking halls.

System failure at the institution has largely been blamed on internal collusion. Sources within the Coop Bank intimated to The Sun Weekly that among the cause of the weaknesses in IT systems is the quality of systems used by the bank, some of, which were supplied by a vendor connected to a senior director.

“In the bank, you have the software, which is the backbone, but this has to run on the hardware which the bank procures differently,” said the source, who shared internal reviews by the bank indicating, for instance, that queues at its ATM booths are usually the longest of any bank due to slow speeds.

Though mostly never publicised for fear of hurting the brand reputation, Co-operative Bank has suffered spiralling employee fraud and IT system malfunctions. The Bank has been a victim of fraud perpetrated by employees who work in cahoots with external persons to obtain money from the bank.

This comes in the wake of heightened fraud and cyber risks targeting banks and e-commerce merchants.

Impeccable sources divulged that the Bank’s internal investigations have established a link between employees who know about malfunction in some of the bank’s IT systems and account holders who take advantage of the system.

While some of the cases have ended up in the court and others remain under police investigation, the bank, keen to protect its image, has hardly reported the full extent of the problem to authorities and has on occasions refrained from pressing charges against account-holders implicated in the fraud.

Last year, an employee at the bank’s Eldoret Branch was accused of stealing KSh40 million from customers who had invested in stocks under accounts he was handling.

The bank’s marketing manager said that the matter was being handled by the Criminal Investigation Department of the police and that several employees had recorded statements over the matter.

The Bank’s credit card section has also been hit by a systemic problem known to staff whereby when a customer conducts a transaction using their card, the credit and debit accounts are not settled in real-time. The Bank’s staff then manipulate entries on the Credit Card Debit Suspense Account that has to be reconciled manually.

Like many banks, Co-op Bank runs bank and card systems, Bank Master and Trans Master, separately. When the bank closes operations at the end of the day, the Bank Master goes to sleep, but the Trans Master that supports ATMs and connects the bank’s account-holders to international card system works 24 hours.

Group chief executive Gideon Muriuki

Every new workday, the Bank Master should automatically take on board all transactions a customer may have made on Trans Master during the night.

However, due to the Bank’s malfunctioning systems, sometimes transactions from the Trans Master have to be entered manually on the Bank Master, according to information the bank provided to the Milimani Commercial Court in a case lodged against it by a customer the bank later accused of abusing its systems.

Given the malfunction, some bank staff worked in cahoots with account-holders, mostly from the Nairobi Business Centre Branch along Ngong Road, who took advantage of the system to net decent amounts from the bank through gambling activities on the credit card that were performed mostly at night but, as the court established, also during the day.

Under the fraud, the bank was required to make payment to merchants from whom the customer had purchased goods or services (normally in foreign currency for internet-based transactions), in this case betting companies, even where there were no records of the customers having placed bets. The customers’ accounts were also credited with huge sums of money.

One such customer, Anthony Kimani Chege, who operated Account Number 01109127579300 at the Nairobi Business Centre Branch, went to court in May 2011 to press for KSh14 million the bank had deposited in his account through the fictitious betting wins but, which the bank discovered and froze before he could withdraw the money.

The account-holder used his debit card No.4407830011038792 for gambling online.

After a series of activity, by May 7, 2011, his account had a credit balance of KSh4,829,965.15. On May 9, 2011, the bank informed him that his account had a debit balance of KSh14,235,121 but refused to provide him with a copy of his Bank Statement.

He went to court seeking orders for Coop Bank to be compelled to un-freeze his account and release him the KSh4,829,969.15 being the credit in his account when it was frozen. While he lost the case, the hearing unearthed massive impropriety on Coop Bank staff members and negligence from senior management that refused to take action for months according to the court.

Though mostly never publicised for fear of hurting the brand reputation, Co-operative Bank has suffered spiraling employee fraud and IT system malfunctions.

Investigations by the bank’s security department showed that Mr Chege was one of seven account holders who all opened their accounts at the same branch, having been introduced by one employee of the bank. The bank found that some of its employees were aware of the malfunction in the IT systems and had encouraged account holders to take advantage of the system. While the employees were identified, some were not punished.

Neither did the bank improve its systems, which according to insiders remain among the weakest in the industry even in 2017.

The Judiciary also continued to receive cases of employee fraud originating from the bank, including a number from the same Nairobi Business Centre where the gambling racket was discovered, long after Coop Bank said it had corrected the system.

In December 2012, bank staffer Magdaline Wanjiku Makara was arrested and charged with stealing more than KSh49.6 million from the bank between March 26 and October 27 of that year.

In the ruling on Mr Chege’s Civil Suit No 373 of 2011 delivered on February 20, Commercial Division Judge Fred Ochieng censured Coop Bank for not only not taking remedial measures after the scandal became known, but also for smoothing questions of employee fraud.

“I find absolutely no evidence that either the plaintiff knew that the banking system had malfunctioned, or that he worked in cahoots with any employee of the bank….In any event, the bank made it clear that it was not making any allegation against the plaintiff….that he was guilty of conspiracy (jointly with some employees of the bank) to defeat the systems of the bank”.

The Bank’s defence in the case showed how the fraud was perpetrated. It said that as at February 28, 2011, Mr Chege’s account had a credit of KSh19,745, and that thereafter, “the deposits into the account increased dramatically, without any correlation to its previous conduct or to the plaintiff’s disclosure of his income.”

Upon the account-holder’s demand for the money, the bank conducted an internal investigation and found, among other things, that between October 2010 and May 6, 2011, some seven customers had run up debits totalling KSh115,869,566, which had not been debited into their respective.

The bank said Mr Chege was one of the seven customers, and that the debits attributable to him totalled KSh19,065,090. All those debits were described as being in relation to internet transactions, connected to gambling.

According to our sources within the bank, the account holder’s decision to sue was made in confidence that Coop Bank, while pressing to recover its own money, would not place a counter-suit for fraud as criminal lawyers would have advised.

“The bank was aware of its own weaknesses and the best they could do was defend their decision,” said a source at Coop Bank who revealed that the weaknesses persist to this day.

The first witnesses who testified in support of the bank was IT expert John Murrey, who provided the court with a detailed summary of all the debits and credits, totalling of KSh5,800,529/15, and that debits of KSh20,036,120.50 respectively.

Edwin Karuri, the investigation manager, testified that his investigations revealed that between October 2010 and May 6, 2011, debits totalling KSh115,869,566 transacted by the suspicious seven customers had not been debited to their respective accounts.

But Mr Karuri’s testimony that all the transactions under the case were carried out after 6.00 pm contradicted that of Mr Murrey and the bank’s own documents under review that showed that some of the transactions were carried out during the regular working hours. This slight variation, said our bank source, was to minimise the extent of malfunction in the bank’s system.

Besides, Justice Ochieng expressed concern that the bank did not review its systems or stop the fraudulent transactions four months after the investigations department had raised the red flag. “Considering that the plaintiff had opened his account in January 2011, the bank could have stopped the bleeding of the account if it had taken appropriate action in a timely manner.

“By failing to act appropriately and in a timely fashion, the bank negligently contributed to continued debiting of an account which did not have requisite funds to meet such debits,” the judge held, in declining the bank’s demand for Sh14 million from the plaintiff.

“As the bank was contributorily negligent, to such a degree that it allowed the transactions to continue for a whole four months, I find that the losses should lie where they have fallen,” the judge ruled.

Facebook comments