In the antiseptic corridors of Absa Bank Kenya’s headquarters, the end came without ceremony. On or around June 28, 2026, Abdi Mohamed, the veteran Managing Director and CEO who had spent more than three decades rising through the Barclays-to-Absa ranks from a Garissa branch teller to the corner office, placed the call to Johannesburg. The message was clinical: he was resigning to pursue other opportunities, with the standard three-month notice attached.

Two hours of silence followed. Then Group CEO Kenny Fihla rang back. The instruction was brutal and immediate: clear your desk. Hand over to CFO Yusuf Omari. No notice period. No farewell tour. No graceful choreography that Tier-1 banking usually demands. By the next day, Absa’s official line was out. Hours later, I&M Bank announced Mohamed as its new chief executive. The speed was surgical. The message unmistakable.

This was not a routine transition.

It was the detonation of a pressure cooker that had been building since at least March 2026 inside one of Kenya’s most strategically important banks. And it has now lifted the lid, the younger or rising internal operator suddenly thrust into the spotlight of a boardroom circus, directly into the centre of a storm that combines strategic warfare between Nairobi and Johannesburg, a Sh31 billion ownership consolidation play, collapsing quarterly profits, and a lengthening trail of internal fraud, data betrayal, and governance failures that regulators and investigators are already circling. These issues sit squarely in the crosshairs of Kenya’s maturing Data Protection Act enforcement regime.

The Strategic Clash That Masked Deeper Rot

Kenny Fihla and the Absa Group centre wanted liquidity yanked out of government securities and pumped aggressively into the loan book. “Lend,” was the mandate. Mohamed’s defence, according to those familiar with the exchanges, was pragmatic and local: large, genuinely bankable projects in Kenya are not lying around waiting for eager capital. The private sector credit environment carries real recovery risks, court processes drag, and NPLs bite. Parking in high-yielding government paper had been the safer, more profitable play for years.

The result under his three-year tenure (he took over May 1, 2023): Absa Kenya lost ground in corporate banking market share. Growth stalled. Then the numbers turned ugly. In Q1 2026, profit after tax dropped 13.9% year-on-year to Sh5.3 billion, the first first-quarter decline in nine years. Net interest income fell 7.9%. Non-interest income slipped 5.2%. Operating revenue contracted for the second straight year, something not seen in at least two decades. The rate-cutting cycle exposed hedging shortcomings and a diversification strategy that had not delivered.

Johannesburg saw a defensive local CEO protecting margins at the expense of the growth mandate. Nairobi saw an insider who understood that aggressive lending into a high-fraud, high-recovery-risk environment without ironclad controls was professional suicide. The bridge burned. The desk was cleared. And the ownership clock was already ticking.

The Sh31 Billion Consolidation Play

Just days earlier, Absa Group announced a Sh31 billion (approximately $238-239 million) voluntary tender offer to lift its stake in the Kenyan subsidiary from 68.5% to as much as 85%. Priced at Sh34.50 per share, a premium to recent trading levels, the offer runs roughly from June 30 to August 11, 2026, subject to regulatory nods. Charles Russon, the group’s Africa executive, has been explicit: Kenya is strategically vital for East Africa ambitions, but the current structure is “not set up appropriately.” The parent carries consolidated risk without full ownership. The fix is deeper control.

A leadership vacuum or a CEO seen as misaligned with the new aggressive posture was never going to survive the consolidation window. Mohamed’s exit was the reset button. What it has exposed, however, is that the house Absa Group is betting another Sh31 billion on has termites in the walls, including data governance weaknesses that Kenya’s Data Protection Act 2019 is increasingly scrutinising through the Office of the Data Protection Commissioner (ODPC).

The Fraud Trail That Made the CEO Expendable

While the boardroom debated loan books versus T-bills, a different battle was being fought in branches, on digital platforms, and in courtrooms. Multiple strands of internal fraud and control failure have surfaced under Mohamed’s watch, enough that the Central Bank of Kenya is understood to be examining a cluster of insider fraud and ethical misconduct complaints.
The pattern is not isolated incidents.

It is systemic weakness in verification, escalation, data governance, and accountability. These lapses directly implicate obligations under the DPA, which the ODPC has enforced with growing vigour, including through complaints handling, investigations, enforcement notices, penalty notices with fines up to KSh 5 million (or higher exposure via turnover references in some contexts), compensation orders to data subjects, and audits. Digital lenders, including products like Timiza, have historically dominated complaints to the ODPC.

Consider the branch-level cases already tested in court.
A senior manager at the Karen Prestige branch was dismissed for authorising Sh6.3 million in unauthorised withdrawals from customer accounts. The Employment and Labour Relations Court upheld the termination for gross misconduct and negligence, noting that system alarms failed to trigger or were ignored.

Another senior manager at the Nkrumah Road branch was removed over irregular and unauthorised overdraft facilities extended to customers. That same manager later won Sh5 million in damages against the bank, not for the misconduct itself, but because Absa’s internal investigation breached his privacy rights. The bank was found to have gone too far while trying to clean house.

Such privacy violations align with patterns the ODPC has penalised elsewhere.

Then there is the parliamentary record. On 24 February 2026, Kiambu MP John Waithaka rose under Standing Order 44(2)(c) to ask about the unexplained disappearance of approximately Sh3 million from two accounts belonging to customer Kennedy Karanja Macibu. The customer had locked his accounts, reported the unauthorised transactions to Nairobi Central Police Station, and followed every protocol.

Months later, he still had no resolution and no money. Parliament was told the institution had failed. That failure sits at the top and echoes thousands of DPA complaints the ODPC has fielded, many involving unauthorised access or debits.

The digital front is uglier still. Whistleblower accounts from inside the Timiza digital lending division allege that since 2023, customer data, national IDs, email addresses, full names, credit card details, mobile banking information, has been harvested without proper consent and, in some cases, monetised internally or sold. One senior technical lead is accused of personally acquiring over 100,000 customer records.

At Sh1,000 per record, the incentive structure is obvious. The consequence was predictable: in October 2024, at least one customer had their account emptied after receiving a call from what appeared to be official Absa customer care, using personal details that only an insider or someone who bought the data could possess. This is not abstract cyber risk. This is the bank’s own customer trust being weaponised from within, precisely the type of consent and security failures the ODPC has targeted aggressively.

Official Absa privacy policies state that data is collected primarily for service provision (such as credit assessment in Timiza), with consent required for additional uses, and sharing limited to legitimate partners like credit bureaus and regulators. App disclosures confirm collection of financial and contact information. However, independent analyses of digital lending apps, including Timiza, have long flagged broad permissions (contacts, potential SMS access, diagnostics) raising concerns about data minimization, purpose limitation, and transparency under the DPA.

Whistleblower claims go further, alleging the Timiza app scrapes SMS content (financial transactions and personal messages) and sends it to external servers without proper consent or anonymization, with data allegedly extracted at Absa’s Westlands data centre and treated as a tradable commodity. These allegations, reported in outlets like Kenya Today and Kenya Insights, remain unverified in mainstream regulatory findings but tie into CBK and internal probes into Absa’s operations.

Vetlab and the High-Value Account Heist

The most recent and perhaps most embarrassing exposure involves Vetlab Sports Club, the century-old private members’ club on prime Kabete land with annual revenues approaching Sh150 million. In a bitter internal leadership dispute between rival factions, one side alleges that Absa unilaterally and improperly altered signatories on the club’s main operating account (which held around Sh26 million as of early May 2026). Withdrawals exceeding Sh5 million were executed before the elected leadership even knew the mandate had changed.

The Directorate of Criminal Investigations’ Economic and Commercial Crimes Unit obtained court orders compelling Absa (and other banks) to produce all mandate documents, signatory change records, statements, and transaction histories from January 2025 to May 2026. Investigators are tracing fund flows and examining potential money laundering angles. The club’s elected officials have sued Absa, accusing it of effecting the changes “fraudulently, illegally and with material non-disclosure.” Whether the bank was duped by forged documentation from one faction or exercised poor judgment in a contested environment, the outcome is the same: a major institutional account was allegedly looted while the bank held the primary operating treasury. CBK is watching this one closely as part of the broader insider fraud cluster. Such mandate and access control failures could also trigger DPA scrutiny around lawful processing and security obligations.

Separately, a Sh4.5 billion facility originally advanced under the Barclays brand has spawned criminal charges against businessman Benson Sande Ndeta and an American co-accused. Conspiracy to commit fraud, obtaining credit by false pretences, forgery, and uttering forged documents are among the twelve counts. Arrest warrants were issued in March 2026 after the accused failed to appear. The case predates or straddles the rebrand and leadership change, but it lands squarely in the accountability ledger of the current regime.

The Boardroom Circus and the Kid Lifted Into It

Abdi Mohamed’s defenders will argue he was a prudent local banker who refused to chase Johannesburg’s growth targets into a minefield of weak credit culture and internal control failures. His critics, and they appear to include the parent group, will say he presided over three years of compounding institutional rot: profit contraction, market share loss, repeated court and parliamentary embarrassments, and a fraud trail that now risks tainting the Sh31 billion consolidation bet. All this unfolds against the backdrop of Kenya’s DPA enforcement, where the ODPC has received over 9,000 complaints since inception, issued hundreds of determinations and enforcement notices, levied tens of millions in fines and compensation (with 184 compensation orders in January 2026 alone), and registered over 15,000 entities while targeting consent breaches, unauthorised data use (especially images and minors’ data), and digital lending abuses.

His abrupt defenestration has created exactly the kind of power vacuum and reputational heat in which ambitious internal players thrive or perish. The kid, the younger or rising figure suddenly elevated or exposed by the musical chairs, now operates in a boardroom where every lending decision, every digital product launch like Timiza, every high-value account mandate, and every whistleblower allegation will be scrutinised under the new ownership structure and under active regulatory and criminal investigation, including potential ODPC oversight.

Yusuf Omari, the long-serving CFO who has twice stepped into the interim CEO role (first after Jeremy Awori’s 2022 departure, now again from 1 July 2026), is the immediate beneficiary of the vacuum. Whether he is “the kid” in this drama or merely the steady hand holding the fort while a permanent successor is found, he inherits a bank whose Johannesburg owners have just doubled down financially while its local franchise is leaking trust, data, and cash through multiple holes, at a time when the ODPC is ramping up structured accountability with more determinations, audits, and remedies.

The Uncomfortable Truth

Absa Group is pouring another Sh31 billion into a Kenyan operation that, on current evidence, has serious questions to answer about internal fraud controls, data governance in its digital channels, branch-level authorisation failures, and its willingness or ability to protect high-value institutional clients from signatory manipulation. Customers have watched money vanish despite following every security protocol. Parliament has demanded answers and received silence. Courts have both upheld sackings for negligence and punished the bank for privacy breaches in its own investigations. DCI probes are active. CBK is examining a cluster of complaints. Meanwhile, the ODPC has demonstrated teeth through cases like Oppo Kenya’s KSh 5 million fine for unauthorised social media use of images, Roma School’s near-max penalty for minors’ data without consent, and multiple actions against entities for spam, contact scraping, and consent failures, with total fines exceeding tens of millions and substantial compensation payouts.

This is not lazy banking versus aggressive banking. This is a bank whose internal plumbing has been leaking while its executives debated asset allocation and its parent plotted deeper ownership. Mohamed’s exit did not create these problems. It simply removed the man who could no longer contain or explain them away as the ownership music stopped and the regulatory spotlight intensified, including under the DPA framework that continues to evolve with heightened enforcement in 2025-2026.

The kid now on the stage of this circus has a narrow window to demonstrate that Absa Kenya can fix its controls, restore customer trust, and deliver the growth Johannesburg is paying for, before the next whistleblower, the next court order, the next parliamentary question, or the next ODPC determination makes the Sh31 billion bet look like throwing good money after compromised governance.

The facts are uncomfortable because they are documented in court records, parliamentary proceedings, DCI filings, whistleblower testimony, the bank’s own declining financials, and the ODPC’s growing enforcement record. Absa’s customers, regulators, and now its majority owner deserve answers that go far deeper than a press release about “pursuing other career opportunities.” The circus has only just begun.