The enemy within: How insider fraud is quietly eroding the banking sector


By Daniel Kojo Hollie

From a 33 per cent jump in staff-linked fraud at Ghanaian banks to multi-million-dollar insider breaches in Brazil, the United States and South Korea, lenders are discovering that the most dangerous threat to the balance sheet is the one already holding a staff ID. Regulation is catching up. Culture, enforcement and recovery are not.

In August 2018, the Bank of Ghana (BoG) revoked the licences of five commercial banks in a single day. There had been no external shock, no market crash, no contagion from abroad. The cause, regulators concluded, was something more intimate: weak governance, absent risk frameworks and the slow internal rot of institutions whose own officers had been looking the other way. The episode cost Ghanaian taxpayers more than GH¢12 billion and reshaped, permanently, what West African regulators expect of bank boards and risk officers.

Almost eight years on, the ledger of lessons is still being written. Ghana’s banking system is better capitalised, better supervised and, on paper, better governed than at any point in a generation. Yet the numbers emerging from the central bank tell a less flattering story.

The BoG’s 2024 Fraud Report, released last year and still the reference document for policy debates in Accra, recorded 16,733 fraud cases across banks, specialised deposit-taking institutions and payment service providers, a five per cent increase on 2023. The total value at risk climbed 13 per cent, to roughly GH¢99 million. Most uncomfortably for the industry, the number of staff implicated in fraud rose by a third, from 274 in 2023 to 365 in 2024.

The figure matters because it cuts against the grain of how Ghanaian banks, like their peers across the continent and beyond, tend to tell the fraud story.

The standard narrative casts the bank as the victim of phishing, of mobile-money impersonation, of sophisticated offshore rings. The 2024 data force a less comfortable reframing. A growing share of the losses does not come from outside the gate. It walks in each morning wearing a lanyard.

“A growing share of banking losses does not come from outside the gate. It walks in each morning wearing a lanyard.”

A global problem wearing a local face

Ghana is not an outlier. It is a data point on a much larger curve. The 2025 Cost of Insider Risks Global Report, produced by the Ponemon Institute, estimates that the global cost of insider-driven incidents exceeded US$17.4 billion last year, with financial services among the worst-affected sectors at an annualised activity cost of roughly US$20 million per institution. Industry surveys from Fortinet and IBM suggest that more than 80 per cent of organisations experienced at least one insider incident in 2025, with North American financial institutions absorbing the heaviest per-firm costs.

The case file is long and, by now, familiar. In Brazil, a single insider sold access credentials that enabled thieves to drain the equivalent of US$140 million from local banks. In the United States, the Consumer Financial Protection Bureau disclosed in early 2025 that a departing employee had quietly forwarded confidential data on around 256,000 consumers and 45 financial institutions to a personal email account.

In the technology sector, a bribed employee was at the centre of a US$400 million breach at Coinbase. Bloomberg has catalogued a string of cases in which bank staff hired to police money laundering instead sold customer information to organised crime networks, some recruited through social engineering that targeted employees in personal financial distress.

Viewed against that backdrop, Ghana’s 33 per cent jump in staff-linked fraud looks less like a uniquely domestic failing and more like a local expression of a global structural problem. What makes the African dimension distinctive is not the existence of insider risk but the thinness of the defences built against it and the limited capacity of victims, whether retail customers or the state, to absorb the losses when controls fail.

The anatomy of insider fraud, Ghanaian edition

The BoG’s 2024 Fraud Report is unusually candid about the shape of the problem. Of the 365 staff implicated in fraud at banks and specialised deposit-taking institutions last year, 274, roughly three out of every four, were connected to cash theft.

A further slice involved unauthorised transfers, forged instruments and collusion with external parties. Only 155 of those 365 staff, about 43 per cent, were ultimately dismissed. The remainder were either exonerated, subjected to lesser sanctions or retained while investigations dragged on.

That enforcement gap is more consequential than it appears. It means that, in more than half of recorded cases, an employee credibly linked to fraud remained on the payroll, in some form, after the fact. For an industry whose entire operating model rests on customer trust, that is a signalling problem of the first order.

The Ghana Association of Bankers acknowledged as much earlier this year when it announced that ethics certification would be made mandatory for every employee in the sector, and that banks intended to escalate enforcement through dismissals, prosecutions and, after due process, public disclosure of individuals found culpable.

The underlying typologies are not novel. They are the same temptations that have shadowed retail banking since the invention of the ledger: tellers skimming cash in small, unremarkable amounts; relationship managers exploiting dormant accounts; back-office staff waving through transactions in return for a fee; systems administrators granting themselves privileges the audit trail will never see.

What has changed is the environment in which those temptations now operate. Digital channels have multiplied the surface area. Real-time payments have collapsed the window in which a fraudulent transaction can be reversed. And the sheer volume of daily transactions has made manual review, the traditional last line of defence, mathematically impossible.

Regulators sharpen their teeth

The regulatory response, both in Ghana and across West Africa, has shifted markedly in tone over the past eighteen months. At an inter-agency security engagement at Bank Square on 15 April this year, BoG Second Deputy Governor Matilda Asante-Asiedu declared that the integrity of the financial system was a matter of national security and called for deeper coordination between the central bank, the Economic and Organised Crime Office, the Financial Intelligence Centre, the Cyber Security Authority and the police. The choice of words was deliberate. Framing insider fraud as a national security concern rather than a private-sector nuisance imports a different set of tools and a different set of political expectations.

That reframing is backed by concrete instruments. The BoG has ordered all unlicensed mobile loan applications and digital credit providers to regularise their activities by 30 June this year or face suspension or closure.

Its 2025 AML/CFT/CPF Agency Banking Guidelines, issued under the Anti-Money Laundering Act, 2020 (Act 1044) and the Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930), require principals to approve formal risk assessments of their agency networks, to refresh those assessments on a biennial cycle and to ensure agents report incidents of fraud and suspicious activity within twenty-four hours.

A comprehensive review of the central bank’s Consumer Recourse Mechanism is also under way, in recognition of what Mrs Asante-Asiedu has described as an erosion of trust visible in the volume of complaints that ought to have been resolved at the institutional level.

Across the border, the Central Bank of Nigeria has gone further still. In January this year, it imposed an operational directive requiring banks to reduce fraud response times to under thirty minutes, layered on top of a sweeping recapitalisation programme whose March 2026 deadline has concentrated risk-management minds across Lagos and Abuja.

Heritage Bank’s licence was revoked on grounds of insolvency; Fidelity Bank was fined 555.8 million naira for data-privacy breaches; over 4,000 bureau de change licences were withdrawn for failures in anti-money-laundering and counter-terrorism-financing compliance.

The message from Abuja, as from Accra, is that operational risk — the unglamorous, people-centred work of controls and culture — is now a first-order supervisory concern, not a footnote in the annual report.

“Operational risk is now a first-order supervisory concern, not a footnote in the annual report.”

The legal architecture and its fault lines

Ghana’s statutory arsenal against insider banking fraud is broader than is often acknowledged. The Banks and Specialised Deposit-Taking Institutions Act, 2016 (Act 930) vests extensive supervisory and sanctioning powers in the BoG, including the ability to remove directors and key management personnel, direct restitution and revoke licences.

The Anti-Money Laundering Act, 2020 (Act 1044), read alongside the Economic and Organised Crime Office Act, 2010 (Act 804), criminalises the laundering of the proceeds of fraud and provides for asset tracing and confiscation.

The Electronic Transactions Act, 2008 (Act 772), addresses a growing share of digital-channel conduct, including the unauthorised access, modification and interception of electronic records on which so much insider fraud now depends. The Cybersecurity Act, 2020 (Act 1038) adds a further layer, requiring critical information infrastructure operators, including banks, to adopt defined security standards and report incidents.

The deficit, as practitioners will privately admit, is not primarily one of statute. It is one of enforcement and recovery. Criminal prosecutions of insider fraud in Ghana are rare, slow and frequently abandoned when civil recovery becomes uneconomic. Internal disciplinary action is often settled by quiet dismissal or a negotiated resignation; implicated staff move to another institution and, in some documented cases, resume fraudulent conduct elsewhere.

The result is a system in which the marginal expected cost of insider fraud, to the perpetrator, remains low relative to the potential gain. Until that calculus is disrupted, through prosecution, disqualification and a shared industry register of individuals dismissed for integrity failures, directives alone are unlikely to bend the curve.

There is also a quieter jurisdictional question. The Supreme Court’s reasoning in Daniel Ofori v Ecobank, on the interaction between contractual obligations, regulatory duty and the doctrines that allocate risk when performance becomes impossible, is a useful reminder that the legal architecture for financial misconduct in Ghana is still being built case by case.

The more the courts are asked to adjudicate the consequences of insider failures, the more important it becomes that the foundational statutes, Act 930, Act 1044, Act 772 and their companions, are read together, coherently, by lower courts and tribunals. That coherence cannot be assumed.

Technology: ally, accelerant and blind spot

No discussion of modern insider fraud is complete without an honest account of technology’s double-edged role. On one side of the ledger, digitisation has dramatically improved the detectability of certain kinds of misconduct.

Transaction monitoring systems can flag behavioural anomalies in near real time. Access-management tools create audit trails that would have been unthinkable in the paper era. Behavioural biometrics, properly deployed, can distinguish between a legitimate user and a colleague who has borrowed her login.

On the other side, the same digitisation has dissolved many of the natural frictions that once slowed fraud down. A dishonest teller in 1995 could steal only what she could physically carry. Her 2026 equivalent, with the right privileges, can move value at the speed of a switched payment rail and, in a ransomware-enabled insider event of the kind recently documented at a Ghanaian financial institution, can disrupt an entire data estate in the process.

Industry analysts at Trust Decision, Veriff and others are consistent on the point: rule-based detection systems, designed for a slower and more predictable fraud landscape, are now chronically behind the curve. They generate false positives that exhaust investigative capacity while missing the subtler behavioural signals that mark genuine insider compromise.

The answer, increasingly, is artificial intelligence applied to employee behaviour as well as to customer transactions. Ghana’s e-Crime Bureau has called publicly for financial institutions to implement AI-driven digital monitoring solutions capable of detecting unusual employee behaviour patterns in real time.

The logic is sound, but the implementation is fraught. Employee monitoring raises legitimate privacy and labour-law questions, particularly under Ghana’s Data Protection Act, 2012 (Act 843). Deployed carelessly, it risks trading one integrity problem for another. Deployed thoughtfully, with clear policies, proportionate scope, union engagement and independent oversight, it may be the most consequential control upgrade available to banks in the short term.

The culture question

Beyond statute, technology and supervisory tempo lies the question that senior Ghanaian bankers are most reluctant to discuss on the record: culture. Every major post-mortem of an insider event, in Accra as in London or São Paulo, returns to the same diagnostic checklist.

Were warning signs ignored because the employee in question was commercially productive? Were whistleblowers protected or quietly marginalised? Did compensation structures reward short-term revenue at the expense of long-term control? Were compliance officers seen as partners or as obstacles?

The 2025 Cost of Insider Risks report draws a careful distinction between negligent, compromised and malicious insiders. Negligent insiders (employees who click the wrong link, reuse passwords, or fail to follow control procedures) account for the largest share of incidents by volume.

Compromised insiders, whose credentials have been stolen or coerced from them, are the most costly on average. Malicious insiders, those who deliberately monetise their access, are the smallest category but the most damaging in reputational terms. A mature fraud-prevention posture addresses all three, and recognises that the boundary between them is porous: today’s stressed, negligent employee can be tomorrow’s bribed target.

Ghanaian banks, like many of their African peers, have historically invested heavily in the third category (investigation, prosecution and dismissal of the deliberately dishonest) and comparatively little in the first two. The Ghana Association of Bankers’ new ethics certification programme is an important, if belated, move in the right direction. Its success will depend on whether it is treated as a compliance tick-box or as the first visible layer of a genuinely different conversation about integrity.

What a credible response looks like

A credible, sector-wide response to insider banking fraud in Ghana would rest on four pillars, none of them revolutionary on its own but powerful in combination. The first is data. Ghana needs a consolidated, regularly updated industry register of banking and SDI staff dismissed or sanctioned for integrity-related conduct, accessible to hiring institutions under clear data-protection rules.

The second is prosecution. Where the evidentiary threshold is met, criminal cases must be pursued to conclusion, and the BoG, the Attorney-General’s Department and EOCO must be resourced to see them through. The third is recovery. Civil asset-tracing and restitution processes need to be faster and cheaper than the legal industry currently makes them, or the economics of pursuit will continue to favour quiet settlement. The fourth is technology paired with rights-respecting governance: AI-enabled behavioural monitoring deployed under transparent policies and credible oversight.

None of this is beyond Ghana’s institutional capacity. The BoG’s willingness to publish granular fraud data, the Ghana Association of Bankers’ move on ethics certification and the central bank’s explicit framing of financial-system integrity as a national-security concern are all signs that the policy conversation has moved to where it needs to be.

The harder test is execution, and the harder test is political. Prosecutions that name senior figures, registers that survive legal challenge and monitoring regimes that withstand privacy scrutiny are not built overnight.

A question of trust

Banking, in Ghana as elsewhere, is ultimately a promise: that money entrusted to an institution will be there, intact, when the depositor returns. Every insider fraud, whether it involves GH¢500 skimmed from a village account or GH¢50 million wired offshore, is a small breach of that promise.

Aggregated over a year, across hundreds of cases, those breaches become something more serious than a line item in a regulatory report. They become the quiet, corrosive drip that erodes confidence in the system itself, and confidence, as the 2018 episode reminded Ghanaian taxpayers, is the most expensive asset on any bank’s balance sheet to rebuild.

The good news is that the direction of travel, measured by regulatory tone, industry rhetoric and supervisory posture, is clearly correct. The harder truth is that the 33 per cent figure at the heart of the BoG’s 2024 report is not, by itself, evidence of progress. It is a test.

How Ghana’s banks, its regulators, its courts and its legislators respond to that number over the next eighteen months will determine whether insider fraud becomes a manageable feature of a maturing financial system or a chronic drag on the country’s most important non-commodity sector. On current evidence, the case is still open.

Daniel Kojo Hollie is a writer covering Ghanaian law, business, and economic policy. He contributes to the Business & Financial Times. The writer welcomes correspondence at [email protected]

