The Bank of Uganda (BoU) is investigating a reported cyber heist where hackers, allegedly from a Southeast Asian group called "Waste," breached the central bank's IT infrastructure and allegedly stole $17 million (Shs 62.4 billion) from the Treasury account.
The incident, which occurred approximately two weeks ago, has prompted President Yoweri Museveni to direct the Defence Intelligence and Security (DIS) to take over the investigation from the Criminal Investigations Directorate (CID), while the bank has engaged a top audit firm to assess the extent of the breach and recommend new controls.
The incident raises concerns about cybersecurity at Uganda's central bank, particularly given the leadership vacuum created by the absence of a substantive governor for almost three years, with Dr. Michael Atingi-Ego serving simultaneously as governor, deputy governor, and BoU chairperson.
Sources suggest possible collusion between BoU staff and officials from the Ministry of Finance's Treasury department and Accountant General's office, though Ministry spokesperson Jim Mugunga has expressed skepticism about such a large sum being compromised.
This breach comes despite the bank's recent efforts to strengthen cybersecurity, including a workshop conducted last May in collaboration with the Macroeconomic & Financial Management Institute of Eastern and Southern Africa (MEFMI).
In related news, Post Bank Uganda has confirmed the discovery of UGX 500 million in counterfeit notes at its Mbale branch, alarming customers who fear they may have received fake currency during withdrawals.
The counterfeit UGX 50,000 notes were found on November 11, 2024, when a staff member brought cash from the vault to the counter, raising questions about their authenticity.
In a media statement on November 25, 2024, Priscilla Akora, the head of marketing and communications at Post Bank, assured clients that all transactions are secure and that customer funds are protected under the Deposit Protection Fund of Uganda.
The Elgon Police spokesperson confirmed that several bank officials have been arrested as part of the ongoing investigation into the incident.
Elsewhere, Uganda's government has introduced a cap on interest rates charged by microfinance institutions and money lenders at 2.8% monthly or 33.6% annually through the Tier 4 Microfinance Institutions and Money Lenders Bill 2024.
The regulation, announced by Finance Minister Matia Kasaija on November 8, aims to protect borrowers from excessive interest rates.
The new law empowers the Uganda Microfinance Regulatory Authority to enforce interest rate caps for the first time, addressing a previous regulatory gap that allowed lenders to set arbitrary high rates leading to loan defaults and property losses.
This new regulation aims to protect borrowers who have historically faced extremely high interest rates that often led to loan defaults and property losses.
The move comes under Section 809(1) of the Tier 4 Microfinance Institutions and Money Lenders Act, establishing the first comprehensive control over lending rates in this sector through consultation with the Uganda Microfinance Regulatory Authority.
According to Bank of Uganda data, while commercial banks charge 20-25 percent interest, microfinance institutions charge up to 50 percent, and private money lenders charge up to 30 percent monthly.
The high rates persist despite 54 percent of adult Ugandans having access to formal financial services.
Uganda's decision to cap interest rates for microfinance institutions, while seemingly a noble move to protect vulnerable borrowers, raises concerns about its efficacy.
In 2016, Kenya imposed a cap on bank interest rates, aiming to curb predatory lending. However, this intervention backfired, leading to credit rationing, particularly for small businesses and low-income borrowers, as banks became reluctant to lend to those deemed high-risk.
Uganda's microfinance sector may face a similar risk. While the cap may offer some respite to borrowers, it could also stifle lending, drive MFIs out of business, or even encourage informal, unregulated lending at even higher rates.
Finally, The Central Bank of Kenya (CBK) has issued new guidelines requiring commercial banks to increase their liquid assets above the current 20% deposit requirement to withstand potential mass withdrawals for at least 30 days, aligning with international Basel III regulations.
The guidelines, developed with IMF technical assistance, aim to strengthen banks' resilience against sudden financial shocks by ensuring they maintain adequate unencumbered high-quality liquid assets.
That can be quickly converted to cash, though the timing coincides with but is not directly related to recent social media speculation about banking sector stability.
While Kenya's banking sector currently maintains an average liquidity ratio of 51% (well above the statutory minimum), the new guidelines reflect lessons learned from global banking crises, including the 2023 collapses of Silicon Valley Bank and Credit Suisse, which exposed limitations in existing liquidity requirements.
The regulations are part of Kenya's broader transition to Basel III standards, which were first recommended in 2013 following the 2008 financial crisis, though recent global banking sector upheavals have led regulators to question whether these rules need further improvement to effectively protect against modern banking risks.