Rot From Within: How KCB Became Kenya’s Biggest Battleground for Insider Fraud

Sixty staff sacked in a single year. Over 250 employees shown the door across three years. Phantom POS companies, looted vaults, harvested IT credentials, and kickback networks buried in payroll cycles. Kenya Insights traces the full, damning arc of KCB Group’s internal fraud crisis and what it reveals about a sector rotting quietly from the inside.

When Kenya Commercial Bank Group quietly released its 2025 sustainability report this month, burying the figure inside a paragraph about disciplinary processes, it disclosed something that deserved a front page. Sixty employees across KCB’s East African operations had been dismissed in the year to December 2025 for their involvement in insider fraud schemes targeting both the institution and its customers. The figure was almost double the 34 dismissed the year before, itself triple the 11 exits recorded in 2023. Three years. Three escalating purges. An institution that holds more customer deposits than any other bank in the region and describes itself as Kenya’s financial backbone, quietly bleeding from within.

The bank’s public language, as always, is disciplined. Zero tolerance. Enhanced controls. Biometric authentication. AI-driven monitoring. What the glossy sustainability report does not say is that over a period spanning nearly a decade, KCB has dismissed well over 250 employees for fraud-related conduct and that court records, DCI files, and published investigative findings reveal a pattern of schemes that range from brazen vault robbery to sophisticated digital forgery. Nor does it say what regulators, investigators, and compliance professionals who have watched the Kenyan banking sector for years say privately: that firing the caught is the easy part, and that the structural conditions producing these people have never been seriously addressed.

A DECADE OF SACKINGS — THE NUMBERS KCB WOULD RATHER YOU DID NOT ADD UP

Start at the beginning. In 2014, KCB dismissed approximately 90 employees for fraud-related conduct, a figure that attracted industry-wide attention at the time and led to public commitments about tightened controls. The numbers fell in subsequent years: 33 sacked in 2015, 31 in 2016, 34 in 2017. Then they fell again to 13 in 2019, 10 in 2020. For a brief period, the trend appeared to support the bank’s narrative of maturing systems and a retreating internal threat. Then the trajectory reversed, sharply. Eight in 2022. Twenty-two in 2023, a 175 percent surge from the prior year. Thirty-four in 2024. And now sixty in 2025, the highest annual total in at least a decade.

Over the five years between 2021 and 2025 alone, the cumulative count approaches 130 dismissed employees. Add in the years before that and the total dismissed for fraud across KCB’s recorded sustainability reporting runs well past 250 individuals.

These are not hypothetical risk events. They are confirmed, disciplinary-processed, employment-terminated human beings, each representing at minimum a completed scheme, an exposed vulnerability, and a customer whose funds or trust was placed in danger.

“KCB has dismissed well over 250 employees for fraud-related conduct across the past decade. The bank describes each purge as evidence of zero tolerance. What it cannot explain is why the purges keep getting bigger.”

The bank’s own reported fraud incident volumes tell a parallel story. In 2020, KCB recorded 894 internal fraud attempts, nearly double the 574 of the previous year, across a total of 1,213 fraud events on its systems. By 2023, blocked fraud attempts numbered 249 and the value at risk stood at Sh362.7 million. In 2024, 339 attempts valued at Sh212.9 million were thwarted. The 2025 figure shows 201 recorded incidents and Sh141.1 million in blocked losses, down in absolute volume but sharply up in human cost, with 60 dismissals to show for a lower case count. The inference is unavoidable: the bank is catching more of its own people per incident, not because the schemes are becoming less frequent, but because they are becoming more identifiable by category, which means they are also becoming more systematic.

THE COURT RECORD: WHAT KCB’S SUSTAINABILITY REPORTS LEAVE OUT

The sustainability reports are sanitised by design. Court records are not. To understand what KCB’s insider fraud actually looks like in practice, you have to go to the DCI press releases, the Milimani Commercial Court cause lists, and the Employment and Labour Relations Court judgments that rarely make the headlines.

In August 2018, the Directorate of Criminal Investigations arrested four KCB employees (Benson Mwai Karugu, Edmund Kirturi Mutua, Evans Kenda Kiplagat, and Macdonald Mochama Mongwe) on charges of stealing Sh72,619,951 from the bank. The method was instructive. The four had registered 37 fictitious merchant companies with KCB, submitted fraudulent point-of-sale card transaction claims through those companies, approved those same claims in their capacity as bank employees, received the settlements in the companies’ accounts, and then distributed the proceeds via M-Pesa. Each layer of the scheme required internal access: the ability to register merchant companies, the authority to approve POS claims, and knowledge of how to structure the transfers to avoid triggering early alerts. This was not opportunism. It was a constructed system, built by insiders, using institutional infrastructure.

The same year, 2018, two KCB employees in Wundanyi were arrested and held at the divisional police station after Sh20.6 million disappeared from the branch’s strong room in a single week. The two suspects were the custodians of the keys to the strong room. When the bank manager was informed the safe was inaccessible, a technician was dispatched from Mombasa. When the strong room was finally broken open, the money was gone. The police, in their own words, described it as an inside job from the outset.

In November 2017, before either of those cases, KCB had already been the subject of what remains one of the most audacious bank robberies in Kenyan history: the Thika tunnel heist. Three men, two of them engineering graduates from Jomo Kenyatta University, set up a bookshop in the Thika City Friendly Stalls directly adjacent to the KCB branch on Kenyatta Highway. Over several months, they dug a 30-metre-long, 10-metre-deep tunnel from the bookshop into the bank’s strong room, directly opposite the Thika police station. When they were done, they walked out with Sh52.65 million in cash and foreign currency. Part of the loot, Sh17.1 million, was recovered at a house in Juja. Police have maintained that the precision of the entry, the knowledge of the strong room’s precise location, and the operational silence that surrounded the dig for months point to intelligence gathered from inside. Two suspects described as the masterminds were never apprehended.

“The precision of the Thika tunnel, the structure of the Sh72 million POS scheme, the Wundanyi vault disappearance — each scheme required something only an insider could provide: institutional knowledge.”

THE SECTOR BENEATH KCB: A SYSTEMIC ROT

KCB does not sit alone in this. It sits at the top of a sector-wide crisis that Kenya’s banking establishment has spent years managing rather than confronting. The Central Bank of Kenya’s own data makes uncomfortable reading. Fraud cases across the banking sector more than doubled in 2024, rising from 173 to 353 reported incidents. Losses nearly quadrupled, from Sh412 million in 2023 to Sh1.59 billion in 2024. Mobile banking fraud alone surged by 344 percent, with Sh810.68 million siphoned through digital channels, more than half the sector’s total losses. The Communications Authority of Kenya reported 7.96 billion cyber threats in the twelve months to June 2025, more than double the year before. The CBK has warned in formal published language that successful attacks could push some banks below the statutory minimum capital threshold.

But the headline cyber-threat framing obscures what investigators and compliance professionals say is the real driver: the insider. Techcabal’s reporting in September 2025 cited a Banking Fraud Investigations Unit officer who said bluntly that most fund losses are inside jobs, and that the CBK’s loss figure of Sh1.59 billion was itself an understatement, given that most victims never report out of embarrassment or distrust of the system. That same officer described a typical scheme as multi-layered: phishing text as the initial hook, bank teller as the data-passing intermediary, mobile money as the laundry mechanism, and, in some cases, law enforcement contacts as the protection layer. “Each stage blurs the line between cyberattack, insider theft, and organised racketeering,” the report noted.

Equity Bank’s experience in 2024 illustrated precisely how catastrophic the insider dimension can become. David Muchiri Kimani, a manager at Equity’s Group Processing Centre in the Salary Processing Unit, used his IT system credentials to process over 40 transactions totalling Sh1,499,465,831, just under Sh1.5 billion, transferring the payroll funds to rival banks before the theft was detected. Investigators arrested Kimani and his father, Joseph Kimani Machiri, alleging the pair had colluded to set up business accounts to receive the transferred funds.

This single event (a manager on leave, using his still-active credentials, targeting the payroll cycle) triggered the most dramatic governance response in Kenyan banking history.

Equity CEO James Mwangi launched a sweeping ethics audit across all 14,000 staff. By May 2025, the bank had issued show-cause notices to 1,200 employees in a single wave, citing suspicious inflows into their personal bank accounts and M-Pesa wallets from customers and linked entities.

Termination letters described the conduct as “gross misconduct” and “acts contrary to the Group’s code of conduct.” Mwangi was uncharacteristically blunt: “It doesn’t matter how many I will lose. I don’t even care. I will clean the bank and I will be ruthless. This is not a toll station.”

The Equity purge, the CBK figures, the KCB escalation: they form a coherent picture. Between 2018 and 2024, Equity’s Ugandan subsidiary alone was engulfed in a scheme involving UGX 65 billion in unsecured loans disbursed through the Eazzy Stock digital lending platform, with employees channelling funds to fictitious companies, unqualified relatives, and ghost borrowers.

Safaricom dismissed 113 employees in its fiscal year to March 2024, the highest in recent company history, for fraud offences including SIM swap facilitation, identity theft, and asset misuse. Absa Kenya disclosed it blocked Sh306 million in fraud attempts during 2024 while absorbing Sh169 million in actual losses. Standard Chartered Kenya, having deployed ThreatMetrix and automated detection systems, still cited “mobile, cards, and internet banking external fraud events” as its most significant financial crime exposure for the year.

THE STRUCTURAL PROBLEM NOBODY IN NAIROBI’S BANKING HALLS WILL NAME

There is a question that none of KCB’s sustainability reports, none of Equity’s press releases, and none of the CBK’s formal publications answer directly: why do banks keep hiring the people who then defraud them, and why, when those people are dismissed, do they find employment at the next institution down the road?

The answer is structural, and it has been sitting in plain sight for years. Kenya’s commercial banks have no shared staff blacklist. There is no industry-wide mechanism by which a KCB employee dismissed for orchestrating a POS settlement scheme in 2018 is flagged before being hired as a credit officer at a microfinance institution in 2019 or a tier-two bank in 2021. The Business Daily has reported this gap explicitly: “Commercial banks do not have a staff database to tag employees who are fired due to ethical issues, which has seen fraudulent persons remain in the industry.” This is not an oversight. It is a design failure, one that the Kenya Bankers Association and the CBK have acknowledged in general terms without resolving in specific ones.

The incentive structure inside branches compounds the structural gap. KCB, like every large commercial bank in Kenya, runs performance targets tied to deposits mobilised, loans disbursed, and accounts opened. Branch managers and relationship officers live and die by quarterly scorecards. The same pressure that produces growth also produces the tolerance for ethical compromise that is the precondition of the kickback culture. A customer services officer who facilitates a loan for a shell company in exchange for a cut is not operating in a vacuum. They are operating inside an institution where the incentive to process is always louder than the incentive to question.

The digital transition has not neutralised this dynamic. It has amplified it. As Equity’s CEO noted after the Sh1.5 billion payroll theft: “We pushed digital. We moved 98 percent of transactions online. And then we discovered that the person sitting in front of the terminal is still human.” KCB’s own fraud numbers confirm the shift in attack surface. The POS manipulation of 2018 required physical branch presence. The credential abuse at SBM Bank (where an IT officer left her workstation unlocked and remotely accessible, allowing malware to be planted across multiple machines before Sh9.5 million was drained through the Mfukoni mobile channel) required only a moment of negligence and an external co-conspirator. The methods evolve. The insider advantage remains the constant.

“Kenya’s banks have no shared blacklist. An employee dismissed from KCB for a POS scheme can walk into a tier-two bank the following year. The CBK has acknowledged the gap. Nobody has closed it.”

WHAT KCB’S OWN NUMBERS ACTUALLY SAY ABOUT THE FUTURE

Read KCB’s 2025 sustainability report carefully and the numbers reveal a paradox the bank has not publicly addressed. Actual losses written off in 2025 fell sharply: just Sh760,000 against Sh4.5 million the year before. Blocked fraud value also fell, from Sh212.9 million in 2024 to Sh141.1 million in 2025. On the surface, these are the numbers of a bank that is winning. But 60 people were dismissed to produce those numbers, more than in any recent year. The number of fraud incidents fell from 339 to 201, yet the number of people caught and removed nearly doubled.

There are two possible readings of that combination. The optimistic reading is that detection has improved so dramatically that the bank is catching its insiders earlier, before they execute full schemes, which is why the value of losses and blocked attempts is lower even as the dismissal count is higher. The pessimistic reading, and the one that the bank’s longer history supports, is that the actual population of compromised insiders is larger than the dismissed cohort suggests, and that the apparent reduction in fraud volume reflects a shift in tactics rather than a reduction in intent. Smaller, faster, harder-to-detect schemes produce fewer flagged incidents and lower blocked values, but require more insiders to execute at scale.

The geographic concentration reinforces the concern. Of 60 dismissed in 2025, 50 were based in Kenya and 10 in Rwanda. Of 201 fraud incidents, 188 occurred in Kenya. KCB’s other subsidiaries (Uganda, Burundi, South Sudan, and the Democratic Republic of Congo) reported no fraud attempts at all. That is not because those environments are cleaner. It is because the reporting, the detection infrastructure, and the disciplinary culture are less developed. The fraud that appears in the Kenya numbers is the fraud that has been found. The fraud that does not appear in the other country numbers is not necessarily absent.

CONCLUSION: ZERO TOLERANCE IS NOT ENOUGH

KCB Group has Kenya’s largest customer base, the most ATMs, the widest branch network, and the deepest penetration into the country’s payroll, government agency, and retail deposit ecosystem. It is not a peripheral institution. It is the financial infrastructure. When 60 of its employees in a single year are confirmed to have exploited that infrastructure for personal gain, the question is not whether KCB has a fraud problem. The question is whether the problem is being managed or being solved.

The evidence accumulated across a decade points firmly toward managed. Sustainability reports are published. Ethics training completion rates are disclosed. Termination figures are shared in the same paragraph as blocked fraud values and biometric authentication rollouts. The framing is always of a bank in control of a challenge, not a bank being overtaken by one. But the challenged institution is the same one that lost Sh52 million through a tunnel dug opposite a police station. The same one whose employees constructed 37 phantom companies to siphon Sh72 million through POS settlements. The same one whose Wundanyi strong room was looted by the two people who held the keys to it.

The CBK, for its part, has deployed the language of concern (fraud cases doubled, losses quadrupled, capital adequacy at risk) without deploying the structural remedy that would make the most difference: mandatory cross-bank disclosure of fraud-related terminations, enforceable integrity screening before hire, and a published, real-time registry of employees dismissed for financial crime. Eleven banks were fined by the CBK in 2024 for exceeding insider lending limits, echoing the same governance failures that destroyed Imperial Bank a decade ago. The regulator fined them. It did not name them publicly. That is the template: consequence without accountability, sanction without deterrence.

KCB’s 60 dismissals in 2025 are not a sign of failure. Detection is better than it was. But detection without prevention is a treadmill. The bank and its regulator have been running on it for ten years. The belt is moving faster. The people on it are not.

