BoU, Ministry of Finance lock horns over audit on money heist

Inset is BoU Deputy Governor, Michael Atingi-Ego and finance minister Matia Kasaija while right is President Museveni. PHOTO/COMBO

It was a brazen bank heist, but the Hollywood-inspired type in which the criminals never wore ski masks, set foot in the Central Bank vault, or kidnapped a close family member of a bank employee to coerce them into hitting the send button or else their loved one dies.

But in two precision requests for debt servicing payments, $6.134m (Shs22.3b) meant for the World Bank’s International Development Association (IDA), which extends concessional credit to the world’s poorest countries, was rerouted to a bank account in Tokyo of a private company, Roadway Company Ltd, and $8,596,824 (Shs31.2b) meant for the African Development Bank’s African Development Fund (AFD) was instead wired to a bank account in London for a private company, MJS International.

The $6.134m was wired on September 10, and the $8.596m transaction effected on September 26, according to a highly confidential December 3 information systems audit report shared with the BoU Deputy Governor, Michael Atingi-Ego.

BoU ordered the audit to examine the extent of the plunder and also guide management on controls.

The report, highly placed sources indicated, has since been shared with the top brass at the Ministry of Finance and President Museveni, who is the de facto Minister of Finance.

The audit report implicitly puts the origins of the scam somewhere at the Ministry of Finance. However, sources indicated that the ministry’s honchos have called into question a BoU-sanctioned audit apportioning culpability, if at all any, to the Central Bank and are stalling on the independent probe findings.

Rather, the Ministry of Finance, sources indicated, has insisted on waiting for the findings of a separate ongoing probe by the Auditor General, the supreme in-country audit institution, mandated to audit and report on all public accounts as per Article 163 of the Constitution.

The heist, according to the information systems audit codenamed “Project Tai” undertaken by PricewaterhouseCoopers (PwC), involved computer experts and accountants manipulating financial information inside the government’s digital cash transaction portal, the Integrated Facility Management System (IFMS), with the stroke of a few keys on the computer.

The audit recommended that BoU engages with the Auditor General and police to undertake further procedures aimed at assessing the culpability of individuals involved.

“We were unable to undertake these procedures, including analysis of the ministry of Finance IFMS application-level access logs to determine who may have accessed the application to extract the genuine payment instructions, due to some limitations,” PwC wrote.

The limitations, according to the report and insiders, included the Ministry of Finance denying the system auditors room to shine a flashlight into the dark corners of the digital systems through which payments are generated for BoU to effect.

“They (Finance) want the Auditor General’s report as their point of reference… for obvious reasons including the strings they can pull to leave out certain aspects. PwC has a reputation to protect—not so our auditors— to be compromised, so it was tactical to frustrate them,” sources familiar with the matter told Monitor.

Mr Jim Mugunga, the Ministry of Finance spokesperson, however, said that “this is a months-old incident” and that related facts are still under investigation by the relevant bodies.

“As soon as there is clarity, the Ministry of Finance will, as usual, share an official update,” Mr Mugunga said at the weekend, adding: “I am not aware of a final report that has been shared in this respect…but that doesn’t exclude the possibility that the multiple government responses that are involved have a right to deploy their internal and external arms to establish what could have happened.”

MoFPED scheme?

The first heist, the spiriting away of $6.134m (Shs22.3b), happened in early September, but the ministry of Finance, by omission or commission, kept a lid on the matter until IDA flagged the late payment in early October. Even then, according to sources, it took another month for the ministry to call in the Auditor General’s office.

Monitor late last month lifted the lid on the heist, reporting that President Museveni had ordered the Police’s Criminal Investigations Directorate (CID), with the involvement of counterintelligence sleuths from the Defense Intelligence and Security (DIS), formerly the Chieftaincy of Military Intelligence (CMI), and the Auditor General’s office, to inquire into the matter.

The junior minister for Finance, Mr Henry Musasizi, confirmed the heist to Parliament on December 1, labelling it “a hack.”

“Our accounts were hacked into, but not to the extent of what is being reported. We instituted an audit and an investigation. The Auditor General is conducting the audit, while the Criminal Investigation Department (CID) is investigating,” Mr Musasizi said.

The PwC audit report, on the other hand, suggested that the scheme originated at the ministry of Finance and pointed to several persons of interest [names withheld for legal reasons] who should be interrogated and pinned down further.

The audit recommended collaboration with telecom companies and other state agencies to identify communication between directors of Roadway Co Ltd and MJS International and their co-conspirators in Kampala.

“Following assessment of culpability, work with the relevant government agencies such as the Director of Public Prosecution to initiate legal proceedings and action on the culpable individuals,” PwC detailed.

The said persons, under whose docket in the ministry lies the responsibility of triggering payments and receiving payment confirmation receipts, manipulated the requests for payments and changed the particulars of the payees, i.e., from IDA to Roadway Co Ltd, and AFD to MJS International.

Furthermore, the audit established that even after the payee particulars in the September 26 transaction were changed from AFD to MJS International, the quality assurance team at the ministry of Finance did not red-flag the wrong payee to BoU, but went ahead and downloaded the statements and put them on file.

“Payee details of the payment instruction file were edited between assembly and formatting of the file,” the audit established.

It is on the basis of the audit report that Dr Atingi-Ego, who since January 2022 has been holding the fort simultaneously as Governor, deputy Governor, and BoU chairperson, broke his silence on the incident, telling journalists on December 5: “I can tell you with confidence that there is no evidence of unauthorised access to the BoU IT systems.”

“These fraud incidents were initiated outside the BoU IT systems to divert the funds. BoU is a paying entity. You get instructions to pay, and we pay as instructed. So let me repeat: the fraud incidents were initiated outside the BoU IT systems, and instructions were received by the BoU to pay the wrong beneficiaries, leading to the subsequent diversion of the funds. Now, where the diversion took place, how, and who were involved is a subject matter of the ongoing investigation for which I cannot comment,” a composed Dr Atingi-Ego said at the announcement of the BoU monetary policy.

In this case, findings indicate that payment invoices were created, reviewed, approved, and fed into the payment portal—the IFMS. En route, an officer with top level clearance intercepted the files, manipulated them and relayed them to BoU.

The instructions flow

Customarily, the Treasury Service Department in the ministry generates a debt repayment invoice within the IFMS. The invoice particulars such as payee and amount are picked from the Debt Management and Financial Analysis system (DMFAS). The DMFAS system is used to track external debt payments.

The IFMS, according to the Ministry of Finance, is the system of computerisation of public financial management (PFM) processes, from budget preparation and execution to accounting and reporting, with the help of an integrated system for financial management of line ministries, spending agencies and other public sector operations.

The Payments Processing Department then reviews the different invoices in the IFMS and assembles them into a payment request file. A system administrator then formats the payment instruction file, adds it to the IFMS payables, backs up a copy of the file and encrypts it using scheduled scripts.

A service account with a code name on the Secure File Transfer Protocol (SFTP), a protocol that uses encryption to secure the sending and receiving of files, then picks up the encrypted payment instruction file from IFMS and sends it to the SFTP/Managed File Transfer Services directory, where it is downloaded by a BoU service account.

The BoU service account backs up a copy of the encrypted file, then decrypts it and also stores a backup copy of the decrypted file. A separate BoU Banking System (BBS) then validates the file, which is later deleted by the service account. The BBS then automatically processes the payment instruction file for payment; usually external payments are effected in a day or two. The BBS then generates an e-statement of the transaction, which is encrypted and backed up on the Managed File Transfer Server (MFTS).

The customer service team within the BoU Banking Department then shares the statement via the email AGO¬[email protected].

The bank job

Investigations show that debt payment invoices to the IDA and AFD were generated through the usual channels: created, reviewed, approved, and assembled into the instruction file in the IFMS. However, in the case of IDA, peculiarly, there was a delay of 14 hours, after which the file was formatted, copied, encrypted and sent to the MFTS server, from where it was downloaded by BoU’s BB System, which then validated and processed the payment instruction file, after which the customer service team confirmed payment and issued a payment statement.

The systems audit probe established that the emails for both the formatted payment instruction file for payments to beneficiaries’ accounts outside Uganda, abbreviated EXT in the IFMS, “appear to have been intercepted, and some of the contents in the attachments changed and new emails (with changed attachments) sent to mailboxes of select staff via an online spoofing service” hosted in the Czech Republic in Central Europe.

Similarly, the email for the payment statement sent by BoU to the Ministry of Finance, as initiator of the request for payment, “appear to have been intercepted, delayed in reaching the mailboxes of the intended recipients” at the ministry. The contents were changed and then sent to the mailboxes of select staff in the ministry via an online spoofing service, used to disguise a sender's identity and impersonate another system, whose host was ‘emkei.cz’, hosted in the Czech Republic, with the Internet Protocol or IP address ‘14.29.236.247’.

An IP address is a unique identifying number that each device connected to the internet uses to communicate. For example, when you try to log onto ‘www.monitor.co.ug’ your browser first translates that symbolic domain/website name into an IP address.

To access any website from your device (computer, tablet or phone) you need to have an IP address from your Internet service provider (ISP). ISPs, in turn, obtain their stocks of IP addresses from one of the five Regional Internet Registries: AFRINIC (for Africa) headquartered in Mauritius, LACNIC (for Latin & South America), ARIN (for North America), RIPE (for Europe), and APNIC (for Asia/Pacific).

“In both incidents (wiring of money to London and Tokyo), the original emails of both the EXT and confirmation of payments retrieved from the devices of staff at BoU however, were sent from IP address 196.216.1778.19 which is registered to webmail bou.org, a BoU registered host,” the probe reads in part.

Investigations showed that the confirmations of payment for both transactions from BoU were sent by a BoU banking officer, Ms Eunice Kahimakazi, via her email address, [email protected]. These emails, the probe report notes, however, appear to have been delayed by about 45 minutes for transaction one to Tokyo and 26 minutes for the second transaction to London. Further, the attachments in these emails contained Roadway Co Ltd for transaction one and MJS International for transaction two as payees.

On the contrary, investigations show that the “corresponding emails retrieved” from the mailboxes of staff at the Ministry of Finance had IDA (changed to Roadway Co Ltd) and MJS International (not changed in the second transaction) as payees and had been received from “[email protected]” and the host ‘emkei.cz’, and not [email protected] from the BoU IP address.
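The check behind this comparison, looking at which host actually handed a message to the recipient's own mail server rather than trusting the From line, can be sketched as follows. This is an added example, not code from the audit report: the `.example` hostnames, the documentation-range IP addresses and the sample messages are constructed, and only the host name emkei.cz comes from the article.

```python
import re
from email import message_from_string

# Assumptions (constructed): our own mail exchanger and the sender's known relay IP.
TRUSTED_MX = "mx.finance.example"
EXPECTED_SENDER_IPS = {"192.0.2.19"}

# Matches one hop: "from <helo> (<rdns> [<ip>]) by <receiving host>"
HOP = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+([^\s;]+)")

def _sample(helo: str, ip: str, forged_below: str = "") -> str:
    """Build a constructed message; the From line is identical in every case."""
    return (
        f"Received: from {helo} ({helo} [{ip}])\n"
        f"\tby {TRUSTED_MX}; Mon, 1 Jan 2024 10:00:00 +0300\n"
        + forged_below +
        "From: Banking Officer <officer@bank.example>\n"
        "Subject: Confirmation of payment\n"
        "\n"
        "Statement attached.\n"
    )

# A header the sender wrote itself to make the message look bank-originated.
FORGED = ("Received: from webmail.bank.example (webmail.bank.example [192.0.2.19])\n"
          f"\tby {TRUSTED_MX}; Mon, 1 Jan 2024 09:59:00 +0300\n")

GENUINE = _sample("webmail.bank.example", "192.0.2.19")
SPOOFED = _sample("emkei.cz", "203.0.113.50", FORGED)  # IP is constructed

def delivering_hop(raw: str):
    """Return (helo, ip) our own MX recorded for the host that handed it the message."""
    msg = message_from_string(raw)
    # Headers are prepended in transit, so the first hop stamped by our MX is the
    # one we wrote ourselves; anything below it was supplied by the sender.
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m and m.group(3).lower() == TRUSTED_MX:
            return m.group(1).lower(), m.group(2)
    return None

def looks_spoofed(raw: str) -> bool:
    """True when the delivering IP is not one of the sender's known relays."""
    hop = delivering_hop(raw)
    return hop is None or hop[1] not in EXPECTED_SENDER_IPS
```

In production the same decision is normally made at the mail gateway by SPF, DKIM and DMARC checks rather than by ad hoc header parsing.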

Gone in 60 seconds

Investigations detail that the payment instruction files were manipulated, payee details changed from IDA to Roadway Co Ltd and AFD to MJS International, before encryption in the IFMS. The report details that both digital signature hash analysis and decryption of backup copies at both BoU and the ministry show that the contents of the EXT were the same between sources—Finance—and BoU in both transactions.

In transaction one, upon decryption of the EXT, it was noted that the orders for payment were to Roadway Co Ltd as the payee and not IDA. Likewise, in transaction two, it was noted that the orders were for BoU to pay MJS International, and not AFD.

However, the payee details in the encrypted copies were different from those in the backup copy of the EXT prior to encryption at the ministry of Finance in both transactions, the report notes.

“The above findings imply that, in both incidents, the payment instruction files were manipulated/changed prior to encryption and onward relay to BoU via the SFTP and MFTS,” the report details.
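The hash comparison the report describes, locating the custody stage at which a file's contents first change, is shown below as an added example that is not taken from the audit. The key=value file layout, the stage names and the sample contents are assumptions constructed for illustration.

```python
import hashlib

# Constructed snapshots of one payment instruction at each custody stage.
# The key=value layout and the stage names are assumptions, not the real format.
ORIGINAL = b"payee=IDA\namount=6134000\ncurrency=USD\n"
ALTERED = b"payee=Roadway Co Ltd\namount=6134000\ncurrency=USD\n"
STAGES = [
    ("finance_backup_before_encryption", ORIGINAL),
    ("finance_encrypted_copy_decrypted", ALTERED),
    ("bou_downloaded_copy_decrypted", ALTERED),
]

def digest(blob: bytes) -> str:
    """SHA-256 of a snapshot; equal digests mean byte-identical contents."""
    return hashlib.sha256(blob).hexdigest()

def fields(blob: bytes) -> dict:
    """Parse the constructed key=value layout into a dict."""
    return dict(line.split("=", 1) for line in blob.decode().splitlines() if "=" in line)

def first_divergence(stages):
    """Return (stage_before, stage_after, changed_fields) for the first
    hand-off where the digest changes, or None if every stage matches."""
    for (prev_name, prev_blob), (name, blob) in zip(stages, stages[1:]):
        if digest(prev_blob) != digest(blob):
            before, after = fields(prev_blob), fields(blob)
            changed = {
                key: (before.get(key), after.get(key))
                for key in sorted(before.keys() | after.keys())
                if before.get(key) != after.get(key)
            }
            return prev_name, name, changed
    return None
```

Matching digests between the last two stages place the change before the transfer, which is the reasoning the report applies to both transactions.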

The PwC auditors also reached out to their network of sleuths in England and Japan to conduct open internet searches in order to identify any details relating to Roadway Co Ltd and MJS International.

“The results from these searches indicate that there are a number of companies around the world registered as MJS International. In addition, high level searches conducted by our UK team indicated that there is no MJS International that is registered at the address captured in the transaction details i.e. Cavendish Square, London. The address belongs to a building in Central London used by individuals who wish to rent office space,” the audit reads in part.

BoU revealed last week that the corresponding bank in London had managed to recover $8.205m (Shs22.9b) wired to MJS International and are now pursuing a balance of $390,000 (Shs1.4billion). However, sources indicated that the $390,000 had vanished into thin air.

On the other hand, results of searches in Tokyo indicate that there are about seven companies with a name identical to Roadway Co Ltd. There was, however, one company with an address similar to the one in the transaction details.

“Consistent with the description in the changed payment instruction which stated that they were being paid for recycling plant systems and machinery, this company also appears to be in recycling business and has a simple website” which does not have business activities in Uganda, let alone Africa.

BoU has so far been unsuccessful in getting back the funds wired to Tokyo, and likely won’t, according to people familiar with the matter.