The Enemy Within: How Old Mutual’s Own Staff and Rotten Systems Are Draining Kenya’s Insurance Giant
Sh106.4 million confirmed lost to fraud in a single year. Forty-two percent stolen by insiders. A decade of governance rot, legacy system vulnerabilities, a shareholder war, a medical book in strategic retreat, and an insurance service result now in the red. This is the story Old Mutual’s annual results do not tell you.
There is a peculiar art to reading an insurer’s annual report. The headline numbers go up. The CEO speaks of resilience, portfolio discipline, and accelerating digital adoption. The board photograph radiates institutional confidence. And somewhere buried in the risk management disclosures, in the fine print of a sub-section unlikely to attract the attention of financial journalists on deadline, sits a number that should have caused a boardroom crisis months ago.
For Old Mutual Holdings PLC, that number is Sh106.4 million. That is the confirmed quantum of fraud losses absorbed by the company in a single financial year, 2025, drawn directly from its own disclosures.
Of that total, Sh45 million, representing 42 percent of the entire fraud bill, came not from criminal syndicates in Moldova or hackers in darknet forums. It came from the company’s own employees.
That figure is not a rounding error.
In a company whose profit after tax for the same year was Sh856 million (itself barely a 2 percent improvement on the prior year’s Sh838 million), a Sh106.4 million fraud hit consumes more than one in every eight shillings the company earned.
Add the hidden costs: the expense of rolling out 37 new fraud controls in a single year across Kenya and Uganda, investigative referrals for 177 cases to law enforcement, legal costs, management attention, remediation projects, and the embedded expense of belatedly automating processes that should have been automated years earlier. The real cost of this fraud problem is multiples of the disclosed figure.
“42 percent of confirmed fraud losses came from Old Mutual’s own staff, not from external hackers, not from criminal syndicates, but from people inside the building.”
The mainstream narrative around these results has been relentlessly optimistic. Asset management surged. The Thrive wellness app delivered a fortyfold increase in downloads. A merger of two Kenyan life entities was executed. CEO Arthur Oginga spoke of “resilience” and “disciplined execution.”
None of that is false. What is missing from the public conversation is the equally documented story of an insurer whose internal controls have been structurally compromised for years, whose technology infrastructure carries vulnerabilities that any competent cybersecurity audit would have flagged long ago, and whose core medical insurance business is now in managed retreat, shedding Sh1.3 billion in business that has become too contaminated by fraud and inflated claims to be profitably underwritten.
A Pattern, Not an Incident
To understand the depth of the crisis, you have to look past 2025 in isolation. Old Mutual’s fraud exposure is not a sudden spike triggered by a rogue employee or an isolated external attack. It is the visible peak of a pattern that has been building across multiple reporting cycles.
In 2022, a year the company recorded an outright pre-tax loss of Sh491 million, Old Mutual’s medical insurance book already contributed to an underwriting loss for the insurer, according to the Insurance Regulatory Authority’s own market data.
That same year, IRA figures showed Old Mutual recorded a medical insurance underwriting loss of Sh158.9 million, making it one of the worst performers in the sector on that metric. The company was, at that point, the largest insurer in Kenya by gross written premium, commanding a market-leading Sh14.86 billion in premiums yet simultaneously booking the kind of medical insurance losses that smaller, more cautious operators had already moved to avoid.
The turnaround to a Sh1.4 billion pre-tax profit in 2023 was celebrated internally and externally as evidence of a successful strategic reset. What it obscured was the continuing rot in the claims environment, which no rebranding, no leadership statement, and no AI deployment announcement was yet addressing at its structural root.
By the first half of 2025, the insurance service result (the purest measure of whether the core underwriting business is actually making money once claims and costs are set against premiums) had worsened to a loss of Sh303 million, from a Sh246 million loss in the same period the prior year.
By year end, the full-year insurance service result had swung to a Sh151 million loss from a Sh361 million profit in 2024. That is a Sh512 million deterioration in underwriting profitability in a single year. Fraud is not the only cause, but it is woven through every dimension of that decline: it inflates claims, it depresses loss ratios, and it contaminates the pricing assumptions on which entire books of business are built.
OLD MUTUAL AT A GLANCE: THE FRAUD LEDGER
2025 Confirmed Fraud Losses: Sh106.4 million
Internal (Staff) Fraud: Sh45 million (42%)
External Fraud: Sh61 million (58%)
Fraud Losses Averted by AI/Analytics (2025): Sh193.6 million
Fraud Losses Averted by AI/Analytics (2024): Sh253 million
New Fraud Incidents Recorded (2025): 69 incidents, reported value Sh50 million
Cases Referred to Investigative Authorities: 177
New Fraud Controls Implemented (2025): 37 controls across Kenya and Uganda
Medical Claims Processed (2025): 1,312,217 claims totalling Sh10.7 billion
Medical Business Shed (2025): Sh1.3 billion in contracts rejected
2025 Insurance Service Result: LOSS of Sh151 million (vs. Sh361m profit in 2024)
2025 Profit After Tax: Sh856 million (+2% from Sh838m in 2024)
System Vulnerabilities: A Hacker’s Invitation
What makes Old Mutual’s fraud crisis categorically different from a standard insurance industry fraud disclosure is the specific and damning list of system vulnerabilities the company has chosen, or been compelled, to publish.
The risk drivers listed in its 2025 disclosures read as follows: weak customer data validation, duplicate vendor records, ineffective anti-money laundering screening, one-time password control weaknesses, credential exposure, system override capabilities, and inadequate segregation of duties.
Parse each of those terms individually and you have a portrait of an enterprise technology environment that fell behind industry standards some years ago and has been playing expensive catch-up ever since.
OTP control weaknesses mean the one-time passwords used to authenticate high-value transactions (fund redemptions, policy changes, large claim approvals) are either interceptable, reusable, or capable of being bypassed through social engineering.
This is a vulnerability that banks eliminated from their core processes years ago under pressure from the Central Bank of Kenya’s cybersecurity directives. That a regulated insurer processing Sh10.7 billion in medical claims annually was still carrying OTP weaknesses into 2025 is, to put it plainly, inexcusable.
Credential exposure is the term insurers use when employee login details (usernames, passwords, system access tokens) have been compromised through phishing, keyloggers, or the kind of social engineering attacks that have become the primary entry point for financial sector cybercrime in East Africa.
The OCCRP has documented how sophisticated Kenyan cybercrime syndicates, including those responsible for large-scale attacks on banking sector systems, rely precisely on insider credential capture as their first point of penetration. Credential exposure at an insurer with the regional footprint and data holdings of Old Mutual is not a theoretical risk. It is an open door.
System override capabilities refer to the existence of manual processes that allow authorised or compromised users to bypass automated fraud detection flags.
Legacy insurance platforms commonly retain these override functions as operational necessities during system transitions or exception handling. The problem is that over years, these overrides become informal tools for processing claims that the system would otherwise reject, whether legitimately or not. When the company’s own data shows that 42 percent of confirmed losses are internal, the inference is unavoidable: some of those system overrides were being used by staff who understood exactly what they were doing.
“Duplicate vendor records, OTP weaknesses, credential exposure, system overrides: Old Mutual did not discover these vulnerabilities in 2025. It disclosed them. The difference is everything.”
Duplicate vendor records and inadequate segregation of duties are the oldest and most elementary fraud vectors in corporate finance. Duplicate vendor records allow a hospital, pharmacy, or ghost provider to appear multiple times in the payments system under different identifiers, enabling multiple billing for the same service or billing for services never rendered.
Inadequate segregation of duties means the same employee, or small cluster of employees, can initiate, approve and process a payment without independent review.
Together they create a corridor of almost frictionless internal theft, particularly in a high-volume medical claims environment where millions of transactions move through the system each year and individual oversight of each claim is operationally impossible.
These are not exotic vulnerabilities. They are the first things any basic internal audit programme should identify and flag for remediation. The question that Old Mutual’s board risk committee, its internal audit function, and its external auditors must now answer publicly is: when were these risks first identified internally, what recommendations were made, and why were they still present and unresolved in 2025?
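As an added illustration (not part of the original article and not drawn from Old Mutual’s systems), the following Python example shows how an internal audit check can surface the two weaknesses described above: vendor records that resolve to the same provider, and payments where one user held more than one of the initiate, approve and process roles or a fraud flag was overridden. All records, field names (tax PIN, bank account, override flag) and normalisation rules are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records for illustration only; the field names are
# assumptions, not the schema of any real claims or payments system.
VENDORS = [
    {"id": "V001", "name": "Sunrise Medical Centre Ltd", "tax_pin": "P051234567A", "bank_acct": "0110-2233-44"},
    {"id": "V002", "name": "SUNRISE MEDICAL CENTER LIMITED", "tax_pin": "p051234567a", "bank_acct": "0110223344"},
    {"id": "V003", "name": "Lakeview Pharmacy", "tax_pin": "P059876543B", "bank_acct": "0220-1111-09"},
    {"id": "V004", "name": "Hilltop Diagnostics", "tax_pin": "P050000111C", "bank_acct": "0110 2233 44"},
]
PAYMENTS = [
    {"id": "PAY-1", "vendor": "V001", "initiator": "amina", "approver": "brian", "processor": "carol", "override": False},
    {"id": "PAY-2", "vendor": "V002", "initiator": "dan", "approver": "dan", "processor": "dan", "override": True},
    {"id": "PAY-3", "vendor": "V003", "initiator": "amina", "approver": "carol", "processor": "amina", "override": False},
]

_SUFFIXES = {"ltd", "limited", "co", "company", "plc"}
_SPELLING = {"center": "centre"}

def norm_name(name):
    # Lower-case, strip punctuation, drop legal suffixes, unify spelling variants.
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(_SPELLING.get(t, t) for t in tokens if t not in _SUFFIXES)

def norm_id(value):
    return re.sub(r"[^A-Z0-9]", "", value.upper())

def duplicate_vendor_clusters(vendors):
    """Group vendor ids that share a normalised name, tax PIN or bank account."""
    parent = {v["id"]: v["id"] for v in vendors}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    seen = {}
    for v in vendors:
        keys = (
            ("name", norm_name(v["name"])),
            ("pin", norm_id(v["tax_pin"])),
            ("acct", norm_id(v["bank_acct"])),
        )
        for key in keys:
            if key in seen:
                parent[find(v["id"])] = find(seen[key])  # same entity: merge
            else:
                seen[key] = v["id"]
    clusters = defaultdict(list)
    for v in vendors:
        clusters[find(v["id"])].append(v["id"])
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

def sod_findings(payments):
    """Return {payment id: [reasons]} for payments lacking independent review."""
    findings = {}
    for p in payments:
        by_user = defaultdict(list)
        for role in ("initiator", "approver", "processor"):
            by_user[p[role]].append(role)
        reasons = [f"{u} holds {'+'.join(r)}" for u, r in by_user.items() if len(r) > 1]
        if p["override"]:
            reasons.append("fraud flag overridden")
        if reasons:
            findings[p["id"]] = reasons
    return findings
```

Matching on bank account as well as name catches the case where a second vendor record is created under an unrelated trading name but still pays into the same account.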
The Internal Enemy
The Sh45 million internal fraud figure is, in many ways, the most troubling disclosure in Old Mutual’s entire annual report. It is not a large number in absolute terms. It is devastating in what it implies about the company’s culture, its detection capabilities, and the duration over which insider compromise may have been operating.
Insurance insiders who commit fraud do not typically operate alone.
The academic and forensic literature on financial services fraud consistently shows that internal fraud at scale requires either collusion between multiple staff members, or a single employee in a position of sufficient authority to override controls unilaterally.
In a medical insurance context, the most common pattern involves staff members with access to the claims processing system colluding with external providers (hospitals, pharmacies, brokers) to process inflated or fictitious claims, sharing the proceeds.
The duplicate vendor records and override capabilities that Old Mutual has now acknowledged publicly are precisely the infrastructure this kind of collusion requires.
The company’s decision to refer 177 cases to investigative authorities suggests it has identified a substantial population of potential fraud incidents across its operations. Not all 177 will result in prosecutions or convictions. The Kenyan criminal justice system’s track record on financial crime prosecutions is mixed at best.
But the volume of referrals is itself a signal: this is not a situation where one or two bad actors were caught and removed. It is a systemic problem affecting multiple individuals, multiple processes, and potentially multiple markets across the group’s Kenya and Uganda operations.
Old Mutual processed 1,312,217 medical claims in 2025. Across the industry, fraudulent and inflated claims are estimated to constitute roughly one fifth of all filed claims.
If Old Mutual’s medical book is consistent with that industry average, and there is no reason to believe it is an outlier in a positive direction, then somewhere between two hundred thousand and three hundred thousand of those claims carry some degree of fraudulent inflation. The Sh106.4 million in confirmed losses represents only the fraction that fraud investigators were able to definitively verify and quantify. The true leakage is substantially higher.
The Medical Retreat: Fraud Tax in Action
The most concrete evidence that Old Mutual has internalised the severity of its fraud problem is the strategic decision it has taken with its medical insurance book. In 2025, the company rejected contracts worth Sh1.3 billion that it deemed inadequately priced, exposing it to losses. This is not normal business selectivity. This is an insurer concluding that significant portions of its core product line, the same product line it was marketing aggressively to corporates and individuals across East Africa, have become too contaminated to carry at prevailing market rates.
Medical insurance loss ratios at Old Mutual have been running stubbornly between 70 and 80 percent once fraud, claims inflation, and operational costs are factored in.
An 80 percent loss ratio means that for every Sh100 collected in premiums, Sh80 is going out in claims alone, before administration expenses, reinsurance costs, and fraud-related remediation are counted. That is not a viable business. It is a structural loss engine.
The company has been explicit about the driver.
CEO Arthur Oginga told analysts earlier this year that the medical business “drops sharply” because “the pricing wasn’t right.” That is corporate language. The fuller translation is: the claims experience in the medical book, inflated by fraud and by providers exploiting weak controls, has made it impossible to write this business profitably at rates the market will accept. The insurer is retreating from a segment it should dominate, because its control environment has allowed the fraud tax to make that segment economically untenable.
“Old Mutual is retreating from Sh1.3 billion of medical insurance business it should dominate because fraud and system rot have made it impossible to write that business at a profit.”
The Governance Crisis Behind the Numbers
The fraud crisis does not exist in isolation. It sits alongside a separate and equally serious governance controversy that has been playing out in the Kenyan courts since 2024 and has drawn in the Capital Markets Authority.
Minority shareholder Joel Kamau Kibe, the sixth largest investor in the company with 1.54 million shares purchased between 2014 and 2015 for Sh290.9 million, has filed a petition alleging mismanagement, oppression of minority shareholders, and misappropriation of assets.
Kibe has told the High Court that Old Mutual failed to deliver on its promise to list on the Nairobi Securities Exchange, rendering his investment illiquid. He has contested a proposed conversion of a shareholder loan that escalated from $15 million to $48.18 million into equity, a transaction he argues constitutes a fraudulent dilution of minority holdings by approximately 40 percent.
He has further challenged the sale of the iconic Old Mutual Tower in Upper Hill and other properties valued at approximately Sh19.4 billion, arguing that the proceeds are not being managed transparently.
The company has denied the substantive allegations. Old Mutual obtained court permission to proceed with the Tower sale on condition that Sh500 million of the proceeds be held in escrow, a condition subsequently suspended by the Court of Appeal in November 2025. Kibe has escalated to the CMA, demanding investigation into the takeover process and the approval of the preference share issuance.
The High Court, for its part, dismissed Old Mutual’s attempt to have the petition thrown out on technical grounds, allowing it to proceed to a full hearing on the merits.
These are serious governance failures regardless of how the litigation ultimately resolves. An insurer simultaneously managing a fraud crisis of this scale, a core insurance service result in the red, a strategic retreat from its highest-volume product line, and a contested shareholder lawsuit alleging mismanagement is a company under multidimensional stress.
The fact that these crises are being managed concurrently, rather than in sequence, raises the legitimate question of whether the board’s bandwidth and the management team’s attention are adequate to the task.
The Comparison That Should Embarrass
Perhaps the most uncomfortable data point in Old Mutual’s fraud disclosure is not the size of its losses. It is the contrast with the banking sector.
KCB Group, the largest bank in Kenya by asset base, wrote off just Sh760,000 in fraud and forgeries in 2025, down from Sh4.5 million the year before. Equity Group and Standard Chartered have both reported material declines in fraud losses, attributing the improvement to AI-powered transaction monitoring. The banking sector’s fraud trajectory is moving sharply downward. Old Mutual’s is not.
The standard defence offered by insurers when this comparison is made is that insurance fraud is structurally more complex than banking fraud: it involves clinical judgment, provider networks, human discretion in claims assessment, and a broader surface area of potential manipulation. That is true. But it is also true that Jubilee Holdings, the only other Kenyan insurer to publish comparable fraud data, recorded actual losses of Sh47.25 million in 2025 on a considerably smaller premium base, and it averted Sh1.28 billion in fictitious claims through AI deployment. Jubilee’s fraud losses are rising, but they are rising from a materially lower base and against a much larger ratio of detected-to-averted fraud.
Old Mutual averted Sh193.6 million in fraudulent claims through analytics in 2025. In 2024, the same tools averted Sh253 million. The detection figure is falling while the confirmed losses continue to materialise. Something in the fraud intervention architecture is not working the way the company’s communications suggest it is. You can save more through detection and still lose more through the gaps the detection fails to close.
What Must Now Be Answered
Old Mutual’s disclosures are, to their credit, more transparent than most Kenyan insurers manage. The specific quantum of fraud losses, the breakdown between internal and external, the list of risk drivers, the number of investigative referrals: this level of specificity is unusual and reflects either genuine regulatory pressure or a deliberate decision to own the problem publicly. It deserves acknowledgement.
What the disclosures do not answer, and what the company’s communications team will work hard to ensure are never publicly answered, are the harder questions.
How long were the duplicate vendor records present in the system before they were identified and flagged? When was the inadequate segregation of duties first noted in an internal audit report, and what was the board risk committee’s documented response? Which specific business lines, geographies, or claims categories account for the bulk of the internal fraud losses? Have any of the 177 cases referred to investigative authorities resulted in arrests or prosecutions? Are there former employees who exploited these vulnerabilities and left the company without criminal accountability?
The governance infrastructure of a regulated, South African parent-backed insurer should be capable of answering every one of those questions internally. The public is entitled to know why the systems that were supposed to prevent these answers from ever becoming necessary failed so completely for so long.
Old Mutual’s South African parent faces its own pressures on capital allocation and African subsidiary performance.
A Kenyan operation posting Sh106.4 million in fraud losses, a negative insurance service result, declining premiums, and ongoing litigation from a minority shareholder is not the strategic asset the group would wish to present to its own institutional investors.
The question of how long the parent continues to treat the Kenyan operation’s governance failures as a regional problem rather than a group-level risk is one that will increasingly concentrate minds in Johannesburg.
The Reckoning
Old Mutual Holdings has spent much of the past year telling a story about digital transformation, wellness apps, and asset management growth. The Thrive App downloads. The Anchor360 intermediary portal. The 34 percent growth in assets under management. These are genuine achievements and should not be dismissed.
But they exist alongside, and in some ways conceal, a core insurance business that is structurally compromised by fraud at a scale that exceeds one shilling in every eight that the company earns after tax. They exist alongside a governance controversy that has required multiple court hearings, a CMA complaint, and escrow conditions on a landmark property sale. And they exist alongside a management control environment that tolerated duplicate vendor records, OTP vulnerabilities, credential exposure, and system override capabilities in a system processing billions of shillings in medical claims annually.
The 37 new controls implemented in 2025 represent real investment and real effort. The automation of policy processes, improved vendor validation, and enhanced segregation of duties are precisely what should have been in place years ago. They will help. They will not be enough, on their own, to close the gap between what Old Mutual’s fraud detection machine is catching and what is still slipping through.
Until the internal fraud share, currently 42 percent of total confirmed losses, is visibly and sustainably declining, until the insurance service result returns to profitability without relying on asset management to carry the group, and until the legitimate grievances of minority shareholders receive a credible judicial resolution, Old Mutual Holdings remains a company navigating multiple concurrent crises with tools that are still, on the evidence available, not fully adequate to the task.
The Sh106.4 million is not the whole story. It is the part of the story that Old Mutual chose to disclose. The rest remains inside the building, inside the vendor master files, inside the override logs, and inside the fraud referral files now sitting with Kenyan law enforcement. This publication will be watching to see how much of it eventually comes out.

