Staff, merchants exploited card flaws to defraud Ecobank Kenya of millions of dollars: Report

Flaws in the bank's card system made it easier for employees and merchants to fraudulently manipulate transactions undetected for two years.

Ecobank Kenya lost millions of dollars to fraud between 2020 and 2022 due to vulnerabilities in its card operations, according to an internal report seen by TechCabal.

The report, commissioned by a task force in 2023 and released on September 18, 2024, uncovered lapses that allowed bank staff and merchants to manipulate transactions, leading to significant financial losses over a two-year period.

The investigation revealed that $43.4 million (KES 5.6 billion) was erroneously posted in the bank's system, and $162,346 was rejected by payment service providers, including Mastercard.

The bank was also said to have failed to recover $232,464 in chargebacks, further compounding the losses.

The report highlighted severe lapses in Ecobankā€™s internal controls, particularly within its card operations team, noting that procedures for managing merchants’ general ledgers (GLs) were disregarded, with manual entries that were often erroneous and unprocedural. 

It added that the lack of clear operating procedures and documentation resulted in improper recording of card product transactions, exacerbating the problem.

Other findings included a residual balance of $2.1 million in one of the bank's general ledgers, which was unsubstantiated.

According to the report, discrepancies revealed a reduction from an initial balance of approximately $15 million as of July 2022, raising concerns about the potential connection to fraudulent activity.

The report also identified serious flaws in the bank's internal controls, including a weak maker-checker process meant to prevent unauthorised transactions.

Ecobank’s chargeback monitoring was deemed inadequate, leading to unaccounted-for discrepancies, while the card operations team frequently failed to upload transaction documents, causing further issues with reconciliation.

Between July and December 2021, the daily merchant ledger recorded debits of $34.8 million (KES 4.5 billion) without corresponding credits, and 11 duplicate entries totalling $16.2 million (KES 2.1 billion) were identified. 

Additionally, $11.6 million worth of transactions from March to May 2022 were uploaded only in June and July, delaying proper reconciliation and increasing the risk of undetected fraud.