Court backs NCBA in insider fraud case, exposing uncomfortable truth about bank security
A recent court ruling has upheld NCBA Bank’s decision to dismiss a former employee accused of serious internal misconduct, shedding light on a reality many customers would rather not think about: sometimes the biggest risk to your money isn’t a hacker, but someone inside the bank.
The Employment and Labour Relations Court ruled that the bank acted lawfully in firing an assistant operations officer after investigations linked him to unauthorized access to customer accounts and suspicious financial activity.
What the employee was accused of
Court records paint a troubling picture.
The employee accessed customer accounts without instruction, sometimes after official banking hours
Viewed sensitive data like balances and account mandates without justification
Was linked to a suspicious KSh 890,000 transfer attempt that the customer denied authorizing
Interacted with suspected fraudsters inside the bank premises and received small cash kickbacks
Used internal systems to track and engage in transactions later flagged as fraudulent
Digital evidence, including system logs, account access histories, and CCTV footage, placed him at the centre of the activity. In one instance, he accessed an account in an empty banking hall after hours, raising further suspicion.
The court ultimately found that the bank had valid grounds to dismiss him and had followed a fair disciplinary process.
This isn’t an isolated problem
If you think this is a one-off case, you’re not paying attention.
Kenya’s banking sector has seen multiple similar incidents.
Another case involving Access Bank Kenya saw an employee linked to over KSh 11.6 million in irregular transactions, with the court still upholding dismissal despite procedural flaws
The data regulator has previously fined NCBA Bank KSh 250,000 for exposing customer transaction details to the wrong recipient, highlighting weaknesses in data handling
Investigations have also flagged cases where even former employees retained or accessed customer data improperly
This pattern matters. It shows the issue isn’t just about one rogue employee; it is a systemic risk tied to human access inside financial institutions.
The uncomfortable truth
Banks will tell you your money is protected by encryption, firewalls, and fraud detection systems.
All true.
But none of that eliminates this reality.
Someone inside the bank can still see your account.
Internal policies clearly state that customer data must only be accessed for legitimate purposes. But policies don’t enforce themselves; people do.
And people can abuse access, bypass procedures, and collaborate with outsiders.
Why this matters to you
You don’t get alerts when someone inside casually opens your profile
You don’t get notified if someone checks your balance without reason
You won’t know if your data is viewed but not altered
Most internal access leaves no visible trace to the customer.
So when you ask whether you would even know if someone inside your bank was snooping, the honest answer is probably not.
What the court ruling really says
The court didn’t just uphold a dismissal; it reinforced a standard.
Banks are expected to rely on digital audit trails
Employees are held to extremely high integrity standards
Internal misconduct is treated as seriously as external fraud
But here’s the flip side.
The system only works after something suspicious is detected.
The bigger picture
This case highlights a gap most people ignore.
Technology protects systems
Regulations protect structure
But trust still rests on human behaviour
And that’s the weakest link.
Bottom line
Your money is relatively safe from random hackers.
But it is not invisible inside the bank.
It exists in systems that employees can access, insiders can exploit, and institutions must constantly monitor.
So the real question isn’t whether your bank is secure.
It is how well your bank controls the people who already have access.