
A former systems administrator at Equity Bank Kenya Limited has been charged with stealing Sh1.2 billion from customer accounts over a period of approximately 26 months using his privileged access to the bank’s core banking software — a case that investigators describe as the largest insider fraud ever prosecuted in Kenya’s banking sector and one that has prompted urgent questions about internal audit controls across the country’s financial institutions.
The accused, identified as Kevin Mutisya Musau, 38, of Syokimau, Machakos County, who served as a Senior Database Administrator at Equity’s Upperhill technology hub until his dismissal in March 2026, appeared before the Milimani Anti-Corruption and Economic Crimes Court on Monday. He denied twenty-seven counts of fraudulent access to computer systems, theft, and money laundering under the Computer Misuse and Cybercrimes Act, the Banking Act, and the Proceeds of Crime and Anti-Money Laundering Act.
How the Fraud Was Executed
According to investigators from the Assets Recovery Agency and the DCI Economic Crimes Unit, Musau exploited his database-level access to Equity’s T24 core banking system — a platform also used by several other East African financial institutions — to identify dormant accounts with significant balances and execute small, irregular debits ranging from Sh2,000 to Sh45,000 per transaction. By keeping individual transactions below automatic fraud-detection thresholds and spreading them across thousands of accounts, he is alleged to have evaded both the bank’s automated monitoring system and its internal audit function for over two years.
The funds were transferred through a web of sixteen shell companies registered in Kenya, Uganda and the United Kingdom, and subsequently moved into real estate assets and fixed deposit accounts in the names of family members. ARA investigators identified and froze assets — including four residential properties in Nairobi’s Syokimau and Athi River suburbs, two commercial plots in Nakuru, seventeen vehicles, and cash balances totalling Sh280 million — before arresting Musau on 14 March 2026.
“The perpetrator’s understanding of the bank’s internal monitoring logic was sophisticated,” said ARA Chief Executive Muthoni Ngugi. “He was not a rogue actor stumbling into an opportunity. This was a meticulously planned, long-running scheme by someone with intimate knowledge of where the system’s eyes were not looking.”
How He Was Caught
The fraud was uncovered not by Equity’s internal audit function but by a complaint from a retired teacher in Embu who noticed a small, unexplained debit on a savings account she had largely stopped using. Her branch manager escalated the query to the bank’s fraud investigations team, which, upon deeper analysis, identified a pattern of similar micro-transactions across 9,341 customer accounts. The bank alerted the CBK and the DCI in October 2025, and a five-month investigation followed before the arrest.
Equity Bank in a statement said it had immediately reimbursed all affected customers upon identifying the compromised accounts, and that it had commissioned an external forensic audit of its IT security controls. “The bank takes full responsibility for the security of customer funds and has acted swiftly to address the vulnerabilities that were exploited,” said Group CEO James Mwangi. He declined to detail the specific control failures that allowed the scheme to persist for 26 months but said the bank had already implemented additional layers of privileged-access monitoring.
Regulatory Fallout
The Central Bank of Kenya confirmed it had opened a supervisory inquiry into Equity’s internal controls and that the findings would inform an industry-wide directive on privileged-access management in banking IT systems, expected to be issued by October 2026. CBK Governor Kamau Thugge said that while Equity had acted responsibly upon discovery, the case raised “systemic questions about the adequacy of real-time privileged-access monitoring across Kenya’s banking sector.”
The Kenya Bankers Association said it was convening an emergency working group to review internal control frameworks, noting that the T24 platform is widely used across the region and that similar vulnerabilities could theoretically exist in other institutions. Kenya’s 2026 national cybersecurity strategy, published in April, had identified insider threat as one of the three highest-priority risks to the financial sector — a classification that this case appears to have dramatically vindicated.
Musau’s case is scheduled for a pre-trial conference on 28 July. The prosecution has indicated it will be seeking full recovery of the Sh1.2 billion through confiscation orders under the Proceeds of Crime Act. If convicted, he faces a maximum sentence of twenty-five years in prison. Four former colleagues are under investigation for suspected complicity, though no charges have yet been filed against them.

0 comments