New-school bank robbers causing sleepless nights for bank managers

NAIROBI: In the 1990s mean-looking, gun-toting thugs would breach a bank’s ultra-secured strong rooms and execute a mind-boggling heist. The finesse with which the theft was carried out, left little doubt of an insider’s involvement.

In Kenya’s capital city, Nairobi, robbers ran amok that its name was corrupted into ‘Nai-robbery.’ It was the period when some of Kenya’s most feared robbers operated. It was the time of Anthony Ngugi Kanagi alias Wacucu, Gerald Wambugu Munyeria alias Wanugu, Benard Matheri Thuo alias Rasta and Edward Shimoli.

Nairobi’s reputation for bank robberies filtered across the Atlantic ocean with the American newspaper Loss Angeles Times in 1998 noting in an article that in the last quarter of 1998, at least one bank a week was held up in Nairobi. Banks were estimated to have lost more than $8.3 million (Sh846 million at current exchange rate) to robbery in that year, according to the article.

Just how did these robbers do it? To most observers, it was collusion. Every other bank robbery was described simply as an inside job.

John Busunkwi, a regional director at anti-fraud software company NetGuardians East Africa says that bank robbers would do thorough investigation on who held and kept the strong room keys, the time when he left the bank and then they would lay ambush at most vintage point. But that was not all.

Moreover, “they (the thugs) would befriend a bank staff who [would] give them the information then plan together for a strategic ambush,” says Busunkwi. It is natural for human beings to want more, and bank employees cannot be an exception.

By the difficult economic environment of the 1990s aggravated it. According to the then police-spokesperson, Mwangi King’ori, the wide-spread lay-off of bank employees in 1998, for example, might have had something to do with the increased robberies in that year.

Physical Cash

These disgruntled employees, King’ori said, might have colluded with thugs to steal from  banks. “One or two of these may have a grudge to sort out with the bank,” said Mwangi. “We are not saying for sure that these are the ones. But you can almost see a similarity between the time the banks started retrenching and when the robberies started,” he added.

And then, to the bank robbers’ dismay, technology came like an earthquake. To most of these robbers the earth beneath them just caved in.

Unlike before when banks stored money at branches in hard currency, banks stopped relying on physical cash. And the fact that now police worked more closely with financial institutions complicated things for the old-school robber. 

“Whereas in the 1990s, most of the value was in hard currency stored in the vaults of bank branches which were targeted by the gun-toting thugs of the era, the society now is relying less on physical cash, hence the banks need not keep as much currency in their vaults,” according to Eric Owino, a manager of forensic services at audit firm Pricewaterhouse Coopers (PWC).

Banks, according to Mark Bunyi, an associate director at audit firm KPMG, “tightened up their defences against physical threats such as robbery.” So much that if the 1990s robbers that used to terrorise the city were to rise from the underworld, their old tricks would not serve them.

Alas! Banks are still losing money, perhaps more than before. Only, where the ‘90s’ robber chose brute force and machine guns as their weapons, the 21st bank ‘robber’ has his mind and technology as his tools of trade. Stealing from banks today is more digital than physical.

“Violent bank robberies are not as lucrative and bear more risks as compared to the more sophisticated cybercrime. The robber is exposed to potential physical harm, and the legal ramifications are also punitive (death sentence for robbery with violence),” says Owino.

A cyber criminal is less likely to be arrested, and the chances of him getting killed while on ‘duty’ are almost nil. Perpetrators of a cyber crime, for example, are usually in some safe area in front of computer screens going about their business, probably in a different country, according to Owino.

According to data from Banking Fraud Investigations Department (BFID) in the first nine months of 2013, banks lost about Sh1.6 billion to fraud, compared to Sh655.6 million in the first nine months of 2012.

Audit firm Deloitte East Africa in a report titled Financial Crime Survey 2013 found that financial institutions in the East African region lost in excess of $30 million (Sh3.06 billion). And this is just but a tip of the ice-berg as most of the fraud cases that occur in banks are kept under wraps.

“Banks thrive on reputation, and as the case was recently of Chase and Imperial Banks, the moment the confidence in the bank’s reputation is eroded, customers will move their money,” says Owino.

According to Deloitte the figure could be as high as $89.41 million (Sh9 billion) as most financial institutions opt not to report fraud cases. Even worse is the inability of anti-fraud unit to recover the loot exposing financial institutions to huge losses. Of the Sh1.6 billion stolen in 2013, only Sh460 million was recovered.

However, there is a constant in the violent bank robberies of 1990s and the bloodless cyber-crime of the 21st century. More often than not, both criminals need a man from the inside.

The fact is 20 years later the mind-set of the bank employee-that which the 1990s bank robber exploited-has barely changed. Bank employees, as most human beings, are gullible. Even the tech-savvy cyber-criminals in China who wires exploits this naivety.

Kenya Bankers Association (KBA) CEO Habil Olaka agrees that employees remain one of the banks’ main vulnerability. Employees are vulnerable because they have access to the system, and according to him:  “You can not avoid the idea of employees having access to the system.”

It was the 19th century French critic Jean-Baptiste Alphonse Karr who said: “The more things change, the more things stay the same.” Theft from banks today just as in the 1990s remains largely an inside job.

Mark Bunyi, an associate director at audit firm KPMG, says that fraudsters typically tend to be insiders with knowledge and opportunity, who sometimes collude with outside parties. According to the 2016 KPMG Profile of a fraudster report, 62 per cent of frauds were perpetrated through collusion.

Recently, Equity Bank confirmed that two of its staff would be prosecuted for colluding with some KRA officials to defraud the taxman of about Sh124 million by manipulating the taxman’s Simba system to fake clearance.

Technology is as much a God-send to bankers as is to fraudsters. Unlike before when the employee had to collude with external players to have a robbery executed, today he only needs to be tech savvy and the loot is all his. “Having younger, tech savvy employees working for older, less tech-savvy (though they may not readily admit it) middle and senior management in banks is also a risk, and with the less severe consequences facing fraudsters, there is an incentive to experiment on fraudulent schemes by these junior staff members,” said Owino.

Bunyi agrees that most internal fraudsters are younger employees who understand IT and can evade older controllers less conversant with IT systems and concepts. According to the KPMG report most of the internal fraudsters, 37 per cent, are men aged between 36 and 45 years. And another 14 per cent are aged between 26 and 35 years.

Financial hardship

Early in the year, KCB CEO Joshua Oigara was quoted in one of the local dailies saying that in 2014, KCB lost close to Sh300 million to fraud. About 40 per cent of this fraud was perpetrated by employees, while the rest through collusion with external players. Oigara noted that employees had a desire for a high lifestyle.

Busunkwi says that bank employees are an easy target because of peer pressure or pressure from the society. Most of them would love to live on the first lane as their friends, own a house and drive a fancy car.

“Some face pressure from their homes because of their background. This leads to temptation to stealing from the banks through whichever means. The urge to fulfill these needs is very high,” says Busunkwi.

Thus, for most fraudsters the main objective is financial gain. KPMG’s Global Profiles of Fraudster report notes that for 66 per cent of fraudsters their overriding motivation was financial gain or greed.  However, some do it for far subtle reasons. According to KPMG’s report, 27 per cent of the fraudsters said they did it because, well, they could.

This is true given that most internal fraudsters are not the kind that would fit the description of being in financial hardship. A good number of them fall in the mid-level management, according to a PWC report.

Solutions, as always, have come in terms of creating a robust firewall.

According to Olaka, while banks cannot really prevent employees from accessing the system they can “put in place controls to ensure that unauthorised access to the system is detected and prevented.” He also wants banks to have a ‘know your employee’ policy just as they have one on customers. 

Busunkwi advises banks to be vigilant as fraudsters can “hide in the smallest actions.” He calls for the establishment of “robust enterprise fraud management systems.”

Head of Forensic, KPMG East Africa, Simon Dwyer and Mark Bunyi vouch for an “effective fraud risk management network that addresses fraud risk assessment, prevention, detection and response.”

And Owino cautions banks against changing their systems too fast so as to keep with up technology, because by doing that they increase the risk of being attacked before the bank staff have been well acquainted with the changes. Such measures were made, and the problem never went away.

It is not the forest that is the problem, it is the monkeys. The problem is not necessarily that the system is defective, but that human beings, by nature will always want more.  And so far, technology has not been a very effective deterrent against human greed.