The money moved, the system agreed, and the responsibility became ours

On a Thursday afternoon, the liquidity report was clean. By Monday morning, UGX 4.7 billion had moved out of the institution without triggering a single alert. There were no external breach trails and no malware, just approved transactions that looked normal because the people approving them were trusted. That is the moment the case came to my attention. I was the investigator assigned to answer one question: did this money move within policy, or did policy simply fail to see it?

The mechanics, minute by minute

  1. At 10:12 a.m., a temporary limit increase was applied to a dormant corporate account. The request cited “urgent supplier settlement.” The approver was authorized, and the reason field was vague but acceptable.
  2. At 10:18 a.m., the account received three inward transfers from internal suspense accounts. Each amount was below the threshold that requires second-level review.
  3. At 10:27 a.m., the funds were split. Some went to mobile money, some to two newly onboarded accounts, and one went to a cooperative SACCO with a clean history.
  4. At 11:03 a.m., the temporary limit was reversed.
  5. By lunch, the system showed nothing unusual; the trail was cold by the close of business.

Modern fraud does not fight controls. It walks between them.
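The sequence above can be replayed as a detection rule over raw transaction events. The sketch below is an added example, not tooling from the investigation: the event names, the `SUSP-` account prefix, the review threshold, the dormancy period and every log line are constructed assumptions.

```python
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 500_000_000        # assumed second-level review threshold, UGX
DORMANT_AFTER = timedelta(days=180)   # assumed dormancy definition
FMT = "%Y-%m-%d %H:%M"

# Constructed sample log: (timestamp, event, account, counterparty, amount).
LOG = [
    ("2026-01-15 09:40", "CREDIT", "ACC-200", "ACC-310", 120_000_000),
    ("2026-01-15 10:12", "LIMIT_RAISE", "ACC-100", "", 0),
    ("2026-01-15 10:18", "CREDIT", "ACC-100", "SUSP-01", 450_000_000),
    ("2026-01-15 10:18", "CREDIT", "ACC-100", "SUSP-02", 480_000_000),
    ("2026-01-15 10:18", "CREDIT", "ACC-100", "SUSP-03", 470_000_000),
    ("2026-01-15 10:27", "DEBIT", "ACC-100", "MM-WALLET", 600_000_000),
    ("2026-01-15 10:27", "DEBIT", "ACC-100", "ACC-901", 400_000_000),
    ("2026-01-15 10:27", "DEBIT", "ACC-100", "SACCO-7", 400_000_000),
    ("2026-01-15 11:03", "LIMIT_REVERSE", "ACC-100", "", 0),
]
# Constructed: last customer-initiated activity per account before this log.
LAST_ACTIVITY = {"ACC-100": "2025-03-02 14:00", "ACC-200": "2026-01-14 16:30"}


def find_limit_windows(log, last_activity):
    """One finding per raise/reverse window on a dormant account with split inflows."""
    findings, open_raise = [], {}
    for ts, event, acct, party, amount in sorted(log):
        when = datetime.strptime(ts, FMT)
        if event == "LIMIT_RAISE":
            open_raise[acct] = {"start": when, "inflows": [], "outflows": []}
        elif acct in open_raise and event == "CREDIT" and party.startswith("SUSP-"):
            open_raise[acct]["inflows"].append(amount)   # from a suspense account
        elif acct in open_raise and event == "DEBIT":
            open_raise[acct]["outflows"].append(party)
        elif acct in open_raise and event == "LIMIT_REVERSE":
            win = open_raise.pop(acct)
            idle = win["start"] - datetime.strptime(last_activity[acct], FMT)
            structured = (len(win["inflows"]) > 1
                          and all(a < REVIEW_THRESHOLD for a in win["inflows"])
                          and sum(win["inflows"]) >= REVIEW_THRESHOLD)
            if structured and idle >= DORMANT_AFTER:
                findings.append({
                    "account": acct,
                    "window_minutes": int((when - win["start"]).total_seconds() // 60),
                    "inflow_total": sum(win["inflows"]),
                    "destinations": sorted(set(win["outflows"])),
                })
    return findings

print(find_limit_windows(LOG, LAST_ACTIVITY))
```

Each event passes its own control in isolation; the rule fires only because it evaluates the whole window between the limit raise and its reversal.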

Why the controls did not stop it

The institution had policies. Strong ones. Credit policy. Transaction approval matrix. KYC procedures aligned with regulations. On paper, it was solid.

In practice, three things broke. First, trust had replaced verification. Senior staff overrides were rarely challenged. The system logged them, but no one reviewed the logs daily. Second, speed had become a performance metric. Staff were rewarded for turnaround time, not for clean documentation. When speed wins, evidence loses.

Third, technology was treated as neutral. It is not. Every system has blind spots. Fraudsters study those blind spots better than most IT teams.

The legal reality

From a legal standpoint, this case hinged on intent and duty. The transactions were authorized, which meant criminal liability was not automatic. To prosecute, we had to prove conspiracy, abuse of office, and intent to defraud under financial crimes statutes.

That required evidence beyond numbers. Emails. Chat logs. Patterns of behavior. The timing showed coordination.

Until that threshold is met, the law is clear. The institution carries the loss, and the ball stays in your court until you can prove otherwise. This is where many cases die. Not because fraud did not happen, but because evidence was collected too late or handled poorly.

The technology angle, stripped of hype

When it comes to investigations, evidence is everything. Preservation of evidence is critical; without it, everything else collapses. We did not use artificial intelligence. We used discipline. We pulled raw transaction logs, not reports. We rebuilt the sequence manually. We mapped user IDs to physical terminals. We compared working hours to transaction timestamps.

One detail mattered: the same approvals happened when one specific supervisor was on duty, even when different staff appeared to be involved. That told us where to look.
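The roster comparison described above can be expressed in a few lines once override logs and shift records are side by side. This is an added example, not the investigators' own tooling; the supervisor, user and terminal IDs, the shift times and the log entries are all constructed.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed duty roster: (supervisor, shift start, shift end).
ROSTER = [
    ("SUP-A", "2026-01-12 08:00", "2026-01-12 17:00"),
    ("SUP-B", "2026-01-13 08:00", "2026-01-13 17:00"),
    ("SUP-A", "2026-01-15 08:00", "2026-01-15 17:00"),
    ("SUP-B", "2026-01-16 08:00", "2026-01-16 17:00"),
]
# Constructed override log: (timestamp, approving user ID, terminal).
OVERRIDES = [
    ("2026-01-12 10:05", "U-114", "T-07"),
    ("2026-01-12 15:40", "U-231", "T-07"),
    ("2026-01-13 11:20", "U-114", "T-02"),
    ("2026-01-15 10:12", "U-309", "T-07"),
    ("2026-01-15 19:30", "U-231", "T-07"),   # outside every rostered shift
]


def on_duty(ts, roster):
    """Supervisors whose rostered shift covers the timestamp."""
    when = datetime.strptime(ts, FMT)
    return [sup for sup, start, end in roster
            if datetime.strptime(start, FMT) <= when <= datetime.strptime(end, FMT)]


def correlate(overrides, roster):
    """Group overrides by the supervisor on duty; list those outside any shift."""
    summary = defaultdict(lambda: {"count": 0, "users": set(), "terminals": set()})
    off_hours = []
    for ts, user, terminal in overrides:
        supervisors = on_duty(ts, roster)
        if not supervisors:
            off_hours.append((ts, user, terminal))
        for sup in supervisors:
            summary[sup]["count"] += 1
            summary[sup]["users"].add(user)
            summary[sup]["terminals"].add(terminal)
    return dict(summary), off_hours

print(correlate(OVERRIDES, ROSTER))
```

In the constructed data, three different user IDs approve overrides from one terminal during a single supervisor's shifts, which is the kind of clustering that tells an investigator where to look next.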

We also examined the system access reviews. Two users had retained privileges they no longer needed after role changes. That gap alone breached internal policy and strengthened the case. Technology does not catch fraud. People who understand how systems behave do.

The human layer

One suspect was not greedy. He was cornered. Medical bills, school fees, and a loan denied by the same institution he worked for. Another was opportunistic. He saw the gap and monetized it.

This matters because prevention is not just about blocking bad actors; it is about removing conditions that make bad decisions easier. Rotate staff, enforce leave, and review overrides daily. These are not HR rituals. They are control mechanisms.

What regulators should take from this

Do not ask for frameworks. Ask for evidence of use. Request override logs for random weeks, ask who reviewed them and when, and demand proof of follow-up. When you rely on annual reports, you regulate history. Fraud happens in real time.

Also, fix accountability. When losses occur, responsibility should not stop at the teller or officer. Senior management decisions create the environment where fraud either survives or fails.

If you are a banker, this is what you should do tomorrow morning

Stop waiting for perfect systems. Start with habits. Review exceptions daily; separate speed from reward; document intent, not just approval; protect staff who raise concerns early. And understand this: if you cannot explain a transaction clearly to a prosecutor, you do not control it.

Why this work matters

When fraud happens, money moves first. Trust follows slowly, if at all. In Uganda, every failure in a financial institution pushes people back into cash, into informality, into risk. That cost never appears on the balance sheet, but it is real.

This case ended with partial recovery, disciplinary action, and one criminal file ready for court. It was not perfect. It was sufficient.

Fraud risk is not about heroics; it is about seeing clearly, acting early, and knowing when the law says the ball is in your court. That is the job.

Copyright IFIS and Summit Consulting forensics team, 2026. All rights reserved.
