Between the years 2020 and 2022, Ecobank Kenya experienced significant financial losses amounting to millions of dollars due to vulnerabilities in its card operations team. These vulnerabilities opened the door for potential fraudulent activities by both merchants and staff members, according to an internal report obtained by TechCabal.
The report, which was the outcome of an investigation conducted by a task force established in 2023, highlighted severe deficiencies within Ecobank Kenya’s card operations. These deficiencies allowed for the manipulation of transactions by employees and merchants, leading to fraudulent activities that remained undetected for a span of two years. This situation brought to light concerns regarding the bank’s supervisory mechanisms and technological safeguards.
Although the exact financial impact was not fully disclosed in the report, it was revealed that there was an erroneous posting of $43.4 million (KES5.6 billion) within the bank’s system. Additionally, $162,346 was rejected by payment service providers such as Mastercard, and the bank was unable to recover $232,464 in chargebacks.
The report criticized the bank’s handling of procedures related to the operation of merchant acquiring product general ledgers (GLs), noting that many manual entries were unprocedural or erroneous. It also pointed out the absence of well-documented operating procedures and accounting entries for various card products, leading to the indiscriminate grouping of different entries into the merchant acquiring GL.
The investigation further revealed control gaps and a lack of adequate training for the teams responsible for processing transactions, exacerbating errors and leaving the bank’s card operations susceptible to vulnerabilities. At the time of reporting, Ecobank Kenya had not provided a response to requests for comments.
The task force discovered a concerning $2.1 million balance in the bank’s GL that lacked supporting documentation, raising questions about the origin of these funds and their potential connection to fraudulent activities. The report also criticized the bank’s maker-checker process, an essential internal control mechanism designed to prevent unauthorized transactions, as being weak. Additionally, it found the bank’s chargeback monitoring process to be insufficient, allowing for discrepancies and potential financial losses.
It was noted that the bank’s card operations team failed to upload transaction source documents on several occasions. For example, between July and December 2021, the daily merchant general ledger recorded a debit of up to $34.8 million (KES4.5 billion) without corresponding credits. Furthermore, eleven entries totaling $16.2 million (KES2.1 billion) were found to be duplicated.
The task force concluded that these omissions and delays in detecting or flagging issues made it challenging to ascertain the amounts payable to merchants, receivable from schemes, and the service commission receivable from merchants on the affected days.
Additionally, certain transaction files were uploaded months after the funds had been transferred, complicating the reconciliation process. For instance, transactions valued at $11.6 million (KES1.5 billion) from March to May 2022 were uploaded between June 30 and July 1-4, 2022.
