Tag Archives: banks

Sudhir’s robbery must have been in connivance with Bank of Uganda Officials

As far back as 2010, word was rife on the grapevine about the unscrupulous nature of the operations at the then high-flying Crane Bank. Stories abound of the existence of a duplicate set of accounts, the use of unsuspecting individuals’ accounts to launder money, intimidation of key employees that opted to leave the bank, etc.

So, while Mr. Sudhir Ruparelia was being glorified by the media for his feat as a billionaire, I remained part of those who kept insisting that the end doesn’t justify the means. Money on its own isn’t worth its salt if it has a trail of tears in its wake.

The year must have been 2001 when a friend of mine set out to open up one of the first ever internet cafes in Kampala (and by extension, Uganda). He opted to take a bank loan and as security, submitted his father’s land title in the form of a prime residential property on Luzira hill overlooking the lake. To this day, I do not understand why he ended up at Crane Bank but those I have shared the story with tell me the bank was very easy when it came to lending money. Approvals for loans weren’t as laborious as other banks and not much due diligence was needed since it’s believed their interest was eventually in attaching whatever security that had been deposited.

This friend of mine, I’ll call him Akat, got a loan of UGX 15 Million Shillings and went ahead to set up the business. As fate would have it, internet use was not yet massive and only a few elites patronised it. The loan he got unfortunately attracted interest weekly on a compound rate basis. This is how it works out: imagine a loan principal amount of UGX 15 Million attracting a 3% compounded interest rate weekly. It implies that by the end of the first week, the loan will have grown to:

UGX 15 Million (Principal Loan Amount) + UGX 450,000/= (Weekly interest of 3%)

= UGX 15,450,000/=

Come Week 2, the total loan sum with interest for the first week becomes the new principal sum, i.e.

UGX 15,450,000 (New Principal Loan Amount) + UGX 463,500/= (Weekly interest of 3%)

= UGX 15,913,500/=

You notice that within two weeks, your loan will have grown by nearly a million shillings. By the time two months are past, the original loan amount is likely to have doubled.

Akat struggled for a couple of months trying to keep up with the repayments until he realised that the business was not in a position to service this loan. He tried selling off the business but the money offered wasn’t enough to pay off the now humongous loan sum. This led him to seek work abroad and by a stroke of luck, an opportunity opened up in Europe.

In his own words, Akat told me, “The Crane Bank loans are designed to fail you. Imagine, I toiled in Europe, earning Euros 350 per day and it took me 6 months to pay up the loan. I just thank God that I retrieved my Father’s land title.”

News of Crane Bank going under therefore never came as a surprise to many. We expected it. Our only concern was when. I recall talk doing rounds at one time of how the bank’s systems ran amok and account holders found millions on their bank accounts that they were never aware of. Massive withdrawals were made by the crafty ones and no prosecution ever occurred. If indeed this was true, how did it go unnoticed by the Central Bank?

Section 4 (2)(j) of The Banking Act of 2000 states, “… the bank shall – supervise, regulate, control and discipline all financial institutions and pension funds institutions;”

It therefore leaves many of us wondering how a bank that was regularly getting Banker of the Year Awards could be so rotten at the core of its operations without the awareness of the Central Bank. The kind of fraud that has been unearthed so far could NOT have been carried out solely by Sudhir Ruparelia and a few cronies. No Way!!! We all know how information tends to leak from within institutions to the outside especially within industry circles. I doubt Crane Bank employees privy to some of the fishy dealings all kept mum. They definitely shared this information and that is how some of us were able to have red flags raised on this bank as far back as ten years ago. Like a puffed up balloon soaring up into the sky, we knew that all it would take was a spiky object to deflate it and bring an end to its flight.

I am no financial expert but there are some basics that can never skip my interrogative mindset. These are some of those:

  • How could a credit facility of over 3.5 Million dollars to Infinity Investments Ltd (Sudhir’s company) be written off without attracting any attention to the case? Is it that common for companies to default on loans in millions of dollars in Uganda only to be written off? In most cases the banks usually go after these businesses. That is a flag right there.

  • How could the transfer of titles for the plots where the bank branches were located to Meera Investments (Sudhir’s company) go unnoticed in an annual review of the Bank’s operations? Another Flag.

  • How can a phony purchase for banking software of US$ 10 Million not be given a nod of approval by Bank of Uganda?

  • How could Sudhir’s amateur attempt at concealing his 100% ownership of Crane Bank go unnoticed all these years? Matters are worsened when Bank of Uganda labels these efforts as sophisticated. In an interview published on 2nd April 2012, when asked whether he had business partners, Sudhir responded, “I don’t like to engage in partnerships. I only have one business in which I am a partner with Godfrey Kirumira ….” Couldn’t such an utterance have raised a red flag?

I’m sure there is a lot more to this web of intricate theft than what has already surfaced in the public domain. It’s a shame that BoU turned a blind eye to all the rumors that have been surrounding Crane Bank all these years. This is another strong reason for us naysayers to advance as proof of collusion.

The times I have had bank transactions of substantial sums of money, I’ve always received calls from the bank with requests to furnish proof of why the transaction is being carried out. When I did ask why this was always the case, a bank official told me that transaction amounts over a certain limit need to be reported to the Central Bank and sometimes State House. There is therefore NO way Sudhir would have engaged in such financial fraud without some key people at BoU being in the know.

It is upon this premise that I believe heads have to roll at the Central Bank. The first action I would advise the Governor of BoU to do is resign from his position. This is not because he is guilty of having carried out the act, but a sign of remorse to show the public that stuff went wrong under his watch and he is taking responsibility since the buck starts and stops with him. We call this vicarious liability.

His action should be followed by the line managers stepping aside to pave way for an internal investigation to take place. It’s a matter of ethics here. No form of whitewashing can redeem their professional integrity at this stage, just like no amount of lipstick can turn a pig into a beauty queen.

All said and done, the people my heart goes out to are those that have been fooled for long into believing that crooked business personalities are the epitome of success. The thousands of youths and upcoming entrepreneurs that have attended Pakasa Forums whose panels are lined with star studded so-called business success stories that are as shallow as temporary graves will now be forced to rethink whatever knowledge they attained.

The biggest learning point from this saga and many more to come is that achievements without integrity are as useless as rains without good soils.

It’s time to rethink our basic morals, values and aspirations. Why would you build a multi-million dollar residence yet fail to remit Social Security contributions for the thousands of employees under your payroll? At this rate, Joseph Kony might appear a saint.

By the way, let us not always wait for people to fall out of political favour before doing the right thing. There are many more ‘Crane Banks’ in Uganda today that we need to get rid of.

For God and My Country !!!!

James Wire is a Small Business and Technology Consultant based in Kampala, Uganda

Follow @wirejames on Twitter.

Email lunghabo [at] gmail [dot] com


The disregard for Data Privacy in Uganda

In the late 90s, as a Systems Administrator for Starcom, one of the pioneer Internet Service Providers in Uganda, I had the privilege of managing the email server and in the process got to know which email accounts were used by State House as well as the Kabaka of Buganda. Out of pure professional ethics, not even once did I snoop to find out what kind of communication they were undertaking. As the overall administrator of the server, I had unlimited privileges that I could have chosen to abuse at will or in exchange for a few pieces of silver. That was then.

Close to eight years ago, I got to learn about this couple. They were so much in love with one another until the entry of the other girl turned things around. Rita couldn’t stomach it any longer and quit the relationship. Meanwhile, her boyfriend had other ideas. After failing to convince her to reverse her decision, he turned to stalking her. Philip had friends who worked for the telecom company that his ex-girlfriend was subscribed to. With their help, he tracked down her phone interactions in a manner that eventually proved disastrous to her new relationship. To date, these scenarios are still common, with telecom employees willfully playing the role of Judas. I have been told that for as little as UGX 50,000/= one can get phone records for any person of interest without needing a Police or Court order.

When it comes to the banks, someone I will call Mark has had banking records involving his credit cards and other transactions given to his wife without his approval. How she accesses the information is still a mystery to him. The bank in question is a leading international bank whose professionalism you would ordinarily not put to question. He is now scared because if his wife can easily get such information, then what happens in the event that someone who has ill motives makes a move for the same?

The case of bank connivance in the death of an Eritrean businessman in Uganda is very telling. The Inspector General of Police came out decrying the presence of a Mafia network in the banking system. Airtel too was recently accused of abetting number plate theft. These are matters not to be taken lightly.

There has been a fresh demand by the Uganda Communications Commission to ensure that SIM card registration is adhered to. In a recent press release, the to-do list had, among others, a requirement that database reconciliation/verification be done by operators in liaison with NIRA (National Identification and Registration Authority). This has caused a lot of concern. NIRA holds a great depth of information about individuals, and if it is shared carelessly with other providers whose lackluster approach to confidentiality is well known, the threat to individuals is likely to be made worse. Whereas thugs have always had only phone records to contend with, now they are likely to have residential information and next of kin, thereby making it easier for them to plan kidnaps for ransom.

I have a bone to pick with UCC for the haphazard manner in which some interventions are undertaken. After huffing and puffing about SIM registration and fines to Telcos that do not comply, many of us were under the impression that this matter had been settled as far back as 2015. It is a shame (a very big one) to realise that it had to take the death of a high profile individual for the same institution to bring this matter to a close. I can’t shake my head enough to show my disappointment. However, that is a story for another day.

Now that private data is being aggregated with the potential for sharing it with providers in future, what should be done to ensure that we minimise its abuse?

  • Enact a Data Protection law

This is a law that prohibits the disclosure or misuse of information held on private individuals. The cases cited in this article can easily be pursued legally once the appropriate laws are in place. The Data Protection and Privacy Bill 2014 already has the desired provisions. These include:

Section 27 Unlawful obtaining and disclosure of personal data

(1) A person shall not knowingly or recklessly –

(a) obtain or disclose personal data of the information held or processed by a data controller; or

(b) procure the disclosure to another person of the information contained in personal data.

(2) A person who contravenes this section commits an offence and is liable on conviction to a fine not exceeding one hundred and twenty currency points or imprisonment not exceeding five years or both.

Section 28 Sale of personal data

(1) A person shall not sell or offer for sale personal data of any person.

(2) A person who contravenes subsection (1) commits an offence and is liable on conviction to a fine not exceeding one hundred and twenty currency points or imprisonment not exceeding five years or both.

NB: Please note that One Currency Point is equivalent to UGX 20,000/=

  • Limit the amount of information shared with third parties

UCC should ensure that going forward, NIRA does not share all users’ information with the Telcos or any other third parties. This can be made possible through the use of software interfaces which limit the kind of access one can have to the National ID database. This is something within the means of NIRA to achieve in as short a time as one week.
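One way such a limiting interface could look, as an added example that is not from the original article and not NIRA's or any operator's actual system: the telco submits the details the subscriber gave and gets back only match or no match, never the record itself. The class, field names, client ID, key and sample record are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample record; every value is made up for illustration.
REGISTRY = {
    "ID-0001-SAMPLE": {
        "surname": "Okello",
        "given_name": "Sarah",
        "date_of_birth": "1990-04-12",
        "residence": "Plot 1, Example Road",
        "next_of_kin": "J. Okello",
    },
}

# Hypothetical policy: the exact set of fields each client must submit for
# comparison. Residence and next of kin are in no client's scope.
CLIENT_SCOPES = {
    "telco-a": frozenset({"surname", "given_name", "date_of_birth"}),
}

AUDIT_KEY = b"constructed-demo-key"  # assumption: held only by the registry


def _norm(value):
    """Collapse whitespace and case so 'OKELLO ' equals 'Okello'."""
    return " ".join(str(value).split()).casefold().encode("utf-8")


class VerificationGateway:
    """Answers 'do these details match this ID?' and nothing more."""

    def __init__(self, registry, scopes):
        self._registry = registry
        self._scopes = scopes
        self.audit_log = []

    def _audit(self, client_id, id_number, outcome):
        # Log a keyed hash of the ID so the log is not a second copy of it.
        tag = hmac.new(AUDIT_KEY, id_number.encode(), hashlib.sha256).hexdigest()
        self.audit_log.append((client_id, tag[:16], outcome))

    def verify(self, client_id, id_number, claims):
        required = self._scopes.get(client_id)
        if required is None:
            self._audit(client_id, id_number, "denied: unknown client")
            raise PermissionError("unknown client")
        # Demand the full required set: no out-of-scope fields, and no
        # single-field probes that would turn the check into a guessing oracle.
        if set(claims) != required:
            self._audit(client_id, id_number, "denied: wrong field set")
            raise PermissionError("claims must cover exactly: "
                                  + ", ".join(sorted(required)))
        record = self._registry.get(id_number, {})
        # Compare every field even after a mismatch; an unknown ID and wrong
        # details give the same answer, so the caller cannot tell them apart.
        results = [hmac.compare_digest(_norm(record.get(name, "")), _norm(value))
                   for name, value in claims.items()]
        matched = bool(record) and all(results)
        self._audit(client_id, id_number, "match" if matched else "no match")
        return {"match": matched}
```

Every call, allowed or refused, leaves an audit entry tied to the requesting client, which is what makes the accountability the article asks for enforceable.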

Other than that, I look forward to the day when employees as well as companies whose staff are involved in illegal use of private consumer data are made accountable for their ill deeds. Many are suffering out there silently having been victims of this unprofessional conduct. Others have had to pay for it with their lives. We cannot afford to wait any longer.


ATM Fraud hits Ugandan Banks – Customer Beware

Shamira (Name not real) received the long awaited call confirming her proggie with some friends that evening. Excitedly, she jumped into her Vitz and raced off to the nearest ATM for some money. On arrival, she inserts her card in the ATM, executes her transaction and leaves smiling, looking forward to a fun filled evening.

A few metres from the ATM, a silver Subaru Forester with tinted windows is parked by the roadside and seated inside is a one Kasoma (Name not real). With a laptop and WiFi connection, he’s monitoring the card Skimmer he had just inserted in the ATM machine’s card entry slot. As Shamira inserts her card, the skimmer is able to extract relevant card data which he gets in real time. Then aided by a micro camera mounted inside the ATM closet, he’s able to see the pin code Shamira types to access her money. That’s all he needed.

Kasoma proceeds to make a duplicate card which he feeds with data from Shamira’s Card. He then uses the duplicate card to withdraw money from Shamira’s account and upon her next visit, she gets welcomed by the famous message, “Unable to proceed with transaction due to insufficient funds on your account.”

For as low as US$ 200 you can buy an ATM skimmer on the internet and using a regular WiFi enabled laptop, all you need is identify ATMs that aren’t tightly monitored and you’re good to go.

This is the reality the banking customer is faced with today. A group of Bulgarians was convicted in 2012 after orchestrating this scam in Kampala thereby defrauding many ATM users.

The recent fiasco with Centenary Bank that led to the nullification of all ATM card PINs, followed by the Bank CEO’s statement aimed at calming down the general public as well as silencing the speculation that arose, shouldn’t be taken lightly.

In a well calculated and crafted video message, the CEO attributed the bank’s extreme action to a software update process that is ongoing. However, as someone who has dealt with Software and Hardware systems for many years, I am more than convinced that the bank is not being generous with the information it avails the public.

It is a fact that numerous banks are falling victim to electronic crime in Uganda and while some cases have been reported, most are dealt with under the hood for fear of alarming the public as well as diminishing their already strong brands based on trust. The situation is further complicated by the high level of insider dealing.

What is ATM Card Skimming? The copying of encoded information from the magnetic stripe of a legitimate card, making use of a card reader for fraudulent purposes.

Card skimming seems to be the most widespread form of ATM fraud going on but there are others like:

  • The Card Trapping devices; Where a thin ribbon of Xray tape is inserted into the card slot. The loop it has traps your card and makes it appear like the bank has repossessed it. A ‘Good Samaritan’ then offers to help you and advises you to type in your PIN Code in order to have the ATM card returned. When it fails, you walk away believing that your card has been captured. He then proceeds to remove your card and withdraw your money using the pin he saw you punch in.

  • The Exit Shutter Manipulation Fraud; In this one, you insert an ATM card and punch in the pin in order to get money, select the amount you need and as the dispensation of the funds begins, you place your hand on the money exit shutter for a few seconds triggering the message that there is a fault with the shutter. This then causes the machine to reverse the transaction at the ATM switch by the amount requested thereby crediting your account once again. However, on release of the exit shutter after a few seconds, the ATM dispenses the amount previously requested since it was manually halted during the dispensation process.

  • The Matchstick hack: By inserting a matchstick in one of the keys on the ATM keypad like the Asterisk (*), Clear or even Enter keys, a customer will come, insert their card, punch the PIN but fail to transact successfully since the keypad is kind of disabled. Meanwhile the criminal is nearby observing your PIN. Upon failing, the customer withdraws their card and moves on giving the criminal a chance to go to the ATM, remove the matchstick and punch in the customer’s PIN. He then transacts on the ATM account even with the card withdrawn since the machine retains the card’s details for some time.

  • By pressing a special sequence of buttons on the ATM keypad, some ATMs can be placed in the privileged ‘Operator Mode.’ While in this mode, numerous variables can be altered with the most prominent one determining the denomination of the bills loaded into the machine’s currency cartridges. Once done, one then proceeds to make the ATM withdrawal and by fooling the ATM into dispensing Ushs 50,000/= notes instead of Ushs 10,000/= notes, one is able to get more money from the ATM than their actual recorded funds transaction request.

There are many more frauds out there and as their complexity increases, so does the pressure on the financial institutions. Ugandan banks need to wake up and start protecting their customers.

The largest perpetrators of these ATM scams are organised criminal gangs from Western Europe and as they find it ever harder to penetrate banking systems in Europe and America, they are going to shift their focus onto softer targets in Africa where the uptake of technology is spiralling albeit haphazardly.

How can you protect yourself from ATM fraud as a customer?

  • Familiarise yourself with the ATM machines of your bank especially the card slot entry area. This will help you notice anything that is out of the ordinary before you transact. Keenly observing the ATM machine and its surroundings should be top on your priority list before transacting.

  • As you punch in your PIN, shield your hand and the keypad with your body or the other hand to ensure that any installed cameras do not capture your PIN details. In some cases, heat sensitive thermal cameras are used which can detect the keys you punched long after you’ve finished putting in the PIN. So, to be safe, you can go the extra mile and cover your finger with some form of tissue or cloth as you input the details.

  • Use familiar ATMs. Be careful which ATM machines you go to. In case you’re not comfortable with the area an ATM is located, then do not transact. ATMs in dimly lit areas or visited late in the night might be more susceptible to fraud.

  • When distracted during an ATM transaction, immediately cancel your transaction and collect your card before responding to anyone who has distracted you.

  • Always change the Card’s PIN from the original number given to you (this number may sometimes be part of the data on the magnetic strip and could be discovered by thieves who have stolen your card).

  • Do not accept assistance or guidance from anyone however helpful they may seem.

  • If your card is trapped or swallowed by an ATM, do not leave the ATM immediately. Call the bank or even better wait until you can see someone else successfully transact from the very ATM machine you’ve used before you can prove that it wasn’t a mere fabricated blockade.

  • Feel the Card entry slot. If you detect anything loose around it, then you have reason to suspect that a skimmer could have been inserted. Call and report your findings to the bank.

In case you’ve already fallen victim, try any of the following:

  • When you discover a card reader or card-trapping device, don’t remove it. Call the bank authorities or Police ASAP because the crooks may be watching the ATM and want to recover their equipment.

  • In case of a lost card, immediately notify your bank and terminate any further transactions on your account.

  • When approached by someone suspicious at the ATM, calmly observe them and keep track of whatever possible detail you can come up with then proceed to submit a report to the bank or the Police.

As for the banks, there is a need to:

  • Setup a Joint ATM Security Team: ATM fraud can’t be addressed in isolation. Ugandan banks need to appreciate this and swallow humble pie. The more they work together to confront this challenge the higher the chances of registering success. Such an effort needs to be complemented by other agencies like the Police CyberCrime unit, the National IT Authority among others.

  • Train ATM Fraud Experts: From basic card skimming to malware use, ATM hacking is scaling greater heights by the day. The banks need to avail specialised training to some of their staff to tackle ATM fraud.

  • Install Machine Alarms. These help alert when the ATM shell is tampered with.

  • Upgrade Cards. From the simple magnetic ATM cards, banks need to make upgrades to the Chip and PIN technology since currently most fraudsters can only compromise the magnetic stripe on the card and not the chip.

  • Raise Customer and Staff awareness of ATM Fraud. This can be done through posters, screen messages and inserts in mailings to customers. Just like openness worked a great deal in combating the HIV/Aids scourge in Uganda, the same could apply to the ATM fraud challenge which is likely to grow in leaps.

Shamira and you can help avert the looming ATM hacking crisis but above all, we need the banks to cooperate and be more open about this problem.

Twitter: @wirejames