How NCBA Software Engineer Opened Floodgates For Mobile Banking System Fraud

Software developer exploited access to bank’s codebase, enabling unauthorized withdrawals in Rwanda

A software contractor hired to upgrade NCBA Bank’s mobile banking platform has been detained on charges of defrauding the financial institution of Ksh 57.5 million through sophisticated system manipulation.

Evans Harry Nandwa, a developer with Nairobi-based Ronford Digital Limited, was contracted on June 6, 2025, to conduct system maintenance and upgrade the mobile banking infrastructure for NCBA Bank’s Rwandan subsidiary.

However, investigators allege that Nandwa exploited his privileged access to compromise the bank’s security systems.

The fraud scheme

According to court documents presented before Milimani Magistrate Benmark Ekhubi, Nandwa made unauthorized amendments to the bank’s codebase during what was supposed to be routine system maintenance.

The fraudulent modifications involved logic alterations that enabled integration services allowing unauthorized withdrawals from the Rwandan banking system.

The breach specifically targeted NCBA Bank Rwanda’s mobile banking platform, which operates through the MTN mobile network.

The fraudulent modifications reportedly allowed 70 NCBA Bank customers in Rwanda to carry out 260 transactions, resulting in a total loss of USD 446,000 (approximately Ksh 57.5 million).

The scope of the fraud became apparent when investigators discovered that the unauthorized transactions were facilitated by deliberate code changes that bypassed normal security protocols.

This allowed customers to withdraw funds they were not entitled to access, creating substantial losses for the bank.

Officers from the Banking Fraud Investigations Unit presented Nandwa before Milimani Magistrate Benmark Ekhubi, seeking a 10-day custodial period to complete investigations and forward the case to the Director of Public Prosecutions.

The magistrate granted police five working days to hold the suspect as investigations proceed.

The case highlights growing concerns about insider threats in Kenya’s banking sector, where contracted developers and IT professionals often have extensive access to critical financial systems.

NCBA Bank has been particularly vulnerable to such incidents, with previous cases involving mobile banking fraud schemes totaling hundreds of millions of shillings.

Companies involved

Ronford Digital Limited describes itself as “a nimble and innovative technology house” that specializes in “the design, development, and deployment of state-of-the-art APIs and applications, meticulously crafted to meet the unique needs of our clients”.

The company’s LinkedIn profile indicates it focuses on translating complex processes into intuitive applications for seamless transactions.

NCBA Bank Rwanda operates as a subsidiary of the NCBA Group Plc, one of Kenya’s largest financial services providers with operations across East Africa.

The bank is among the Kenyan-owned subsidiaries that launched operations in Rwanda, with total assets valued at RWF 30.23 billion (US$32.44 million) as of September 2019.

Banking fraud concerns

This incident adds to a troubling pattern of banking fraud cases involving NCBA Bank. In February 2023, eight young men were charged with stealing Sh449.6 million from NCBA Bank through the Fuliza mobile overdraft facility, highlighting vulnerabilities in mobile banking platforms.

The current case is particularly concerning because it involves a trusted contractor who was given legitimate access to sensitive banking systems.

This breach of trust underscores the need for enhanced vetting procedures and monitoring of third-party developers working on critical financial infrastructure.

System security

The fraud method employed in this case—altering system logic to enable unauthorized transactions—represents a sophisticated understanding of banking software architecture.

The fact that the changes were implemented during what appeared to be legitimate maintenance work suggests that insider threats pose significant risks to financial institutions.

The cross-border nature of the fraud, affecting customers in Rwanda while being orchestrated from Kenya, also highlights the challenges banks face in securing their regional operations and ensuring consistent security protocols across different jurisdictions.

The Banking Fraud Investigations Unit continues to investigate the full extent of the fraud and whether other individuals or systems were compromised.

The case will be forwarded to the Director of Public Prosecutions for further legal action.

NCBA Bank has not yet issued a public statement regarding the incident or outlined steps being taken to prevent similar breaches.

The bank’s customers in Rwanda have likely been notified of the security breach and any necessary account protections.

This case serves as a stark reminder of the evolving nature of financial crimes and the critical importance of robust cybersecurity measures in an increasingly digital banking environment.

As banks continue to expand their digital offerings and rely on third-party contractors for system maintenance, the need for comprehensive security protocols and continuous monitoring becomes ever more crucial.
