The Rot Inside Absa: How Bank Insiders Are Looting Nairobi’s Customers

The Employment and Labour Relations Court did not mince words. When Justice Radido Stephen delivered his verdict in the case of Lilian Adhiambo, the former branch manager of Absa Bank Karen Prestige, the language was clinical but devastating: gross misconduct, negligence, failure of due diligence, and a senior banking officer who used her two decades of institutional authority to open the vaults to strangers.

Adhiambo was fired in November 2019 after forensic investigators linked her to a syndicate that drained Sh6.3 million from customer accounts.

The court, having reviewed the forensic reports, upheld the bank’s decision as fair and lawful. But the real story of what happened inside that Karen branch is not a story about one rogue manager.

It is a story about a bank whose internal controls are so porous that fraudsters need nothing more than an insider with a pen and access to an RTGS terminal.

Kenya Insights has reviewed court records, forensic report summaries, whistleblower testimony, regulatory filings, and the bank’s own annual disclosures.

What emerges is a pattern stretching from Karen to Nyali, from physical counter fraud to digital data theft, from branch managers approving suspicious transactions to senior executives inside the Timiza digital lending division allegedly hawking customer data on the black market.

This is not a bank that has been unlucky.

This is a bank that has, for years, harboured the conditions for fraud to thrive.

THE KAREN PRESTIGE JOB

On October 13, 2019, a withdrawal of Sh3.6 million was processed from a customer account at Absa Bank’s Karen Prestige branch.

In the days that followed, more withdrawals and electronic transfers totalling over Sh6.3 million moved through the same branch, all bearing the authorisation of Lilian Adhiambo, a woman who had spent over three decades building her career inside the walls of the institution then known as Barclays Bank of Kenya.

According to court documents, Adhiambo did not just fail to stop the transactions.

Forensic investigators found that she actively participated in their facilitation.

She approved Real Time Gross Settlement transfers despite glaring irregularities in the documentation.

She failed to verify the identification documents of individuals presenting themselves at the counter. She communicated directly with a non-customer who was a suspect in the fraud ring.

And, in what the court would later describe as perhaps the most damning detail, she advised the suspects to withdraw part of the looted funds in cash and channel the remainder through RTGS to avoid detection.

“She was required to exercise due diligence before approving any transactions, even where her junior staff had already approved them.” — Employment and Labour Relations Court

Adhiambo denied everything. She told the court that her role was limited to authorising transactions after junior officers and other departments had already verified them.

She challenged the forensic reports as speculative.

She argued the disciplinary process was unfair and that she was denied a right of appeal. She sought reinstatement, 12 months’ salary of Sh6.49 million, one month’s salary in lieu of notice of Sh500,145, and a decade of service pay amounting to Sh10 million.

The court dismissed nearly all of her claims.

The judgment found that the bank’s senior forensic investigator, Michael Ngobo, had presented overwhelming evidence.

The court awarded her only Sh575,022 for 24 days of untaken annual leave and declared everything else forfeited by her own hand.

The ruling was categorical: a branch manager with 31 years of banking experience is not merely expected to rubber-stamp what junior officers have done. She is the last line of defence. She failed it.

A SYSTEM BUILT TO BE EXPLOITED

What the Karen Prestige case exposes is a structural vulnerability that Absa Bank has refused to address with sufficient urgency.

The fraud relied on a deceptively simple mechanism: a senior officer with unilateral RTGS authorisation authority, no mandatory second-tier verification from an independent department, and a culture in which subordinates defer to rank rather than flag red flags.

Adhiambo could approve massive transfers, communicate with external contacts about those same transfers, and observe glaring documentation failures, all without triggering a real-time internal alert.

Banks in Kenya are required under Central Bank of Kenya prudential guidelines to maintain robust internal controls, including maker-checker protocols for high-value transactions and independent compliance monitoring.

In a properly functioning system, a branch manager authorising an RTGS above a defined threshold should trigger an automatic escalation to a compliance officer who has no reporting line to that manager.

The Karen Prestige transactions occurred precisely because that firewall either did not exist or was bypassed. Nobody outside the branch noticed Sh6.3 million leaving customer accounts in tranches over a matter of weeks.

This is not an isolated operational failure. It is consistent with a broader pattern that whistleblowers, court records, and the bank’s own financial disclosures have now made impossible to dismiss.

TIMIZA: WHERE CUSTOMER DATA GOES TO DIE

While the Karen Prestige trial was working its way through the courts, a separate catastrophe was unfolding inside Absa Kenya’s Timiza digital lending arm.

A whistleblower from within the Timiza credit department delivered an explosive account to investigative outlets in mid-2024, alleging that the bank’s own executives had been harvesting customer data without consent and selling it on the black market.

The whistleblower, who feared retaliation but was determined to speak, named Christine Marandu, identified as Head of Credit, and Chiera Waithaka, identified as Credit Risk, as the architects of what was described as a culture of data abuse inside Timiza.

The allegations are specific and verifiable by digital audit: since 2023,

Timiza has allegedly been extracting SMS content from customers’ phones, including financial transaction records and personal messages, and transmitting the data to a third-party server identified as PNGME, without anonymisation, without customer consent, and without any disclosure in the product’s terms and conditions.

Collins Ouma, Timiza’s technical lead, is said to have acquired in excess of 100,000 customer records for personal use.

Waithaka reportedly explored avenues to monetise the stolen dataset during internal meetings.

The extracted financial data was subsequently used for targeted marketing and, in some cases, sold directly to competing financial institutions. Attempts by staff to raise concerns internally were met with intimidation.

Forensic officials inside Absa are accused of demanding bribes to suppress internal investigations. One executive is named as being under DCI scrutiny in connection with the Sh179 million Equity Bank heist.

The Timiza scandal did not emerge in a vacuum. It followed on the heels of a formal investigation by the Central Bank of Kenya into a growing volume of complaints against Absa Kenya, encompassing sexual harassment, insider fraud, and systemic ethical failures.

Absa Group in South Africa had separately launched an internal probe into its Kenyan branches, driven by what insiders described as the alarming frequency and gravity of complaints.

A source familiar with that probe described an environment of coercion in which junior employees were expected to pay bribes to supervisors for promotions, and in which sexual favours were used as currency for advancement.

The Nyali branch carries its own grim footnote. An employee, Oscar Owino, died in August 2023 under circumstances his colleagues found suspicious, in the immediate orbit of a romantic dispute involving a fellow member of staff. The matter was not widely reported. The bank has not publicly addressed it.

THE NUMBERS ABSA DOES NOT WANT YOU TO READ TOGETHER

Absa Bank Kenya is required by the Nairobi Securities Exchange to publish annual sustainability and fraud disclosures.

Those disclosures, read in isolation, are presented as evidence of the bank’s vigilance. Read together, they tell a different story.

FRAUD EXPOSURE TRACKER

2022: Sh107.7 million lost to fraud; Sh59.1 million recovered

2023: Sh49 million net fraud loss; Sh32 million recovered; Sh498 million in potential losses thwarted

2024: Sh58 million net fraud loss; Sh227 million recovered; Sh334 million in potential losses stopped

2024: Absa Kenya reported blocking Sh306 million in fraud attempts; Sh169 million still lost

2024 (CBK): Banking sector cyber fraud losses rose to Sh1.5 billion nationally, nearly quadrupling in one year

2024: TransUnion ranked Kenya 10th globally for suspected digital fraud exposure

Timiza (2018): Sh180 million vanished under allegations of insider-linked loan defaults

Timiza (2022): Sh20 million lost under suspicious circumstances

The bank’s narrative is that its systems are improving, that recoveries are rising, and that its fraud detection investments are bearing fruit.

What the disclosures do not explain is why, if the systems are so much better, net losses are still climbing year on year.

They do not explain why a bank that publicly warns customers against social engineering is simultaneously alleged by its own employees to be facilitating data theft that makes social engineering trivially easy.

And they do not explain why a senior manager could drain Sh6.3 million from a prestigious Nairobi branch over multiple weeks without a single automated alert reaching an independent compliance desk.

The gap between Absa’s public messaging and its internal reality is not measured in millions.

It is measured in the complete absence of accountability that has allowed a carousel of fraud, both physical and digital, to persist across multiple branches and multiple product lines over multiple years.

THE BROADER BANKING ROT

Kenya’s banking sector is not singling out Absa as uniquely corrupt.

The Central Bank of Kenya’s Financial Sector Stability Report for 2025 documented that cyber fraud cases in the sector more than doubled in 2024, rising from 153 to 353 incidents, with total losses jumping from Sh412 million to Sh1.59 billion in a single year.

Mobile banking bore the heaviest toll, with Sh810.68 million stolen, a 344 percent increase. Card fraud surged sixteen-fold to Sh263.29 million. Identity theft rose six times to Sh199.08 million.

The Communications Authority of Kenya reported 7.9 billion cyber threats in the first eight months of 2025 alone, double the volume recorded across the entirety of 2024.

Yet the CBK’s official position remains that Kenya’s banking sector is resilient.

Former compliance officers speak of a shadow industry centred in Nairobi suburbs like Utawala and Ruiru, where rings of insiders and external fraudsters coordinate attacks in real time on mobile banking platforms.

Equity Bank confronted its own existential insider crisis most dramatically in 2024, when a manager on leave orchestrated a Sh1.5 billion heist through 47 seamless inter-account transfers, with his own father implicated as a co-conspirator.

Equity CEO James Mwangi subsequently announced the mass firing of 1,500 staff, making the declaration with the directness banks rarely summon: he was being ruthless, and he did not care how many people he lost.

Absa Kenya has made no equivalent public declaration. It has fired staff quietly, upgraded systems on paper, and continued posting sustainability reports that describe the problem without confronting it.

WHAT ABSA’S OWN CUSTOMERS HAVE REPORTED

In October 2024, a customer shared a detailed account of how his Absa Bank account was emptied in what he described as a coordinated inside job.

The attack followed a pattern that forensic cybersecurity experts now classify as a hybrid vishing and insider-enabled breach.

He received a call from a number he could verify was Absa’s official customer service line, 0722 130120.

The caller claimed an unauthorised withdrawal attempt had been made on his account and urged him to confirm his account number to protect himself.

Trusting the official number, he complied.

What the customer did not know was that the caller already possessed his national identification number, his registered email address, and his full name, information that could only have been sourced from within the bank’s own customer database.

When he logged into his account shortly after the call ended, his balance was effectively zero. “Little did I know they were working together,” he said. The case is illustrative of precisely what the Timiza whistleblower alleged: that stolen customer data is weaponised to give external fraudsters enough personal detail to bypass the suspicion threshold of even vigilant account holders.

This is the terminal consequence of insider data theft. It does not merely expose customers to a generic scam. It creates fraudulent encounters so specific, so laden with private detail, that customers have no rational basis to distrust them.

A REVOLVING DOOR WITH NO INDUSTRY BLACKLIST

One of the most alarming structural failures in Kenya’s banking sector is the absence of a shared database of employees dismissed for fraud and ethical violations.

When Absa fires a branch manager for fraudulent RTGS authorisations, that manager’s name does not appear on any list that KCB, Co-operative Bank, NCBA, or any other lender can access before hiring them.

They walk out of one bank and into the interview room of another.

The CBK has acknowledged the problem.

Its supervisory reports note that players in the industry are now deploying artificial intelligence and machine learning to monitor their own employees, an astonishing inversion of what internal controls were designed to do: instead of systems that prevent fraud before it happens, banks are building surveillance architectures to catch employees after the fact.

Absa has specifically committed to overhauling its back-end processing with machine learning and AI-driven early fraud detection. It has been making that commitment for three years. Sh6.3 million disappeared from Karen while that commitment was being made.

PR NIGHTS AT THE BANK

Absa Bank Kenya is not unaware of its image problem.

It runs the Kaa Chonjo consumer education campaign in partnership with the Kenya Bankers Association, now in its fifteenth year, advising customers never to share PINs, verify unexpected calls through known numbers, and treat unsolicited links with suspicion. It publishes fraud and scam tips on its website, warns against vishing, phishing, smishing, and quishing, and reminds customers with bureaucratic regularity that the bank will never ask for an OTP over the phone.

What Absa does not publish is a frank account of how many of the frauds its customers have suffered were enabled not by customer negligence but by the bank’s own insiders. It does not tell customers that the person calling from an official Absa number with their ID number and email address may have obtained that information from inside the bank’s own systems. It does not disclose how many employees it has dismissed for data-related offences, or whether any of those employees have been prosecuted. It does not explain what disciplinary action, if any, was taken against the executives named in the Timiza whistleblower report. It has not publicly addressed the death of Oscar Owino at the Nyali branch.

The bank’s sustainability reports speak of commitment to customer protection, robust controls, and a secure banking environment. They are written for shareholders and regulators. They are not written for the customer whose account was emptied by someone who already knew his name.

Absa publishes annual sustainability reports. It does not publish the number of customers whose data was stolen by its own staff.

A High Court in Mombasa has already ordered Absa to pay Sh1.5 billion to a transport firm for leaking confidential financial statements to third parties without the client’s consent, a judgment that the bank had to be forced to defend. The pattern of legal exposure, regulatory scrutiny, internal whistleblowing, and documented physical and digital fraud has reached a scale that corporate communications campaigns can no longer contain.

Absa Bank Kenya did not respond to Kenya Insights’ requests for comment on the specific allegations outlined in this report, including the Timiza data theft allegations, the death of Oscar Owino at the Nyali branch, and the adequacy of its internal controls in the wake of the Karen Prestige fraud judgment.

The Employment and Labour Relations Court’s judgment in the case of Lilian Adhiambo versus Absa Bank Kenya is publicly available on the Kenya Law database. The forensic investigation was conducted by Michael Ngobo of Absa Bank’s internal security division. The whistleblower accounts referenced in this report were originally disclosed to investigative platforms in mid-2024 and have been corroborated by separate sources familiar with CBK’s inquiry into the bank.