Asset management grew, the Thrive wellness app saw a fortyfold increase in downloads, and the company executed a merger of two Kenyan life entities. CEO Arthur Oginga spoke of resilience and disciplined execution.
But buried deep in the risk management disclosures, away from the headline numbers, sat a figure that raises serious questions about the insurer’s internal controls.
That figure was Sh106.4 million in confirmed fraud losses over a single financial year.
What makes this particularly troubling is that Sh45 million of that total, representing 42 percent of all fraud losses, came from the company’s own employees.
This was not the work of external hackers or criminal syndicates. It was insider activity, carried out by people within the organisation.
For a company that posted a profit after tax of Sh856 million, that fraud hit consumes more than one out of every eight shillings the company earned.
When you factor in the hidden costs, the rollout of 37 new fraud controls, 177 cases referred to law enforcement, legal expenses, management time, and remediation projects, the true cost is substantially higher. This is not an isolated incident.
The pattern has been building across multiple reporting cycles. In 2022, Old Mutual recorded a medical insurance underwriting loss of Sh158.9 million, according to Insurance Regulatory Authority data, making it one of the worst performers in the sector on that metric.
The company was the largest insurer in Kenya by gross written premium at the time, commanding Sh14.86 billion in premiums, yet it was booking losses that smaller, more cautious operators had already moved to avoid.
The turnaround to a Sh1.4 billion pre-tax profit in 2023 was celebrated as evidence of a successful strategic reset. But what it obscured was the continuing rot in the claims environment.
By the first half of 2025, the insurance service result, which measures whether the core underwriting business is actually making money once claims and costs are set against premiums, had worsened to a loss of Sh303 million.
By year end, the full-year insurance service result had swung to a Sh151 million loss from a Sh361 million profit in 2024, a Sh512 million deterioration in underwriting profitability in a single year.
The list of system vulnerabilities Old Mutual disclosed in 2025 reads like a checklist of basic control failures: weak customer data validation, duplicate vendor records, ineffective anti-money laundering screening, one-time password control weaknesses, credential exposure, system override capabilities, and inadequate segregation of duties.
These are not exotic vulnerabilities. They are the first things any basic internal audit programme should identify and flag for remediation.
The question that must be asked is when these risks were first identified internally, what recommendations were made, and why they were still present and unresolved in 2025.
OTP control weaknesses, for instance, mean the one-time passwords used to authenticate high-value transactions were either interceptable, reusable, or capable of being bypassed through social engineering.
Banks eliminated these vulnerabilities years ago under pressure from the Central Bank of Kenya’s cybersecurity directives.
That a regulated insurer processing Sh10.7 billion in medical claims annually was still carrying OTP weaknesses into 2025 is concerning.
Credential exposure means employee login details had been compromised through phishing or social engineering attacks.
System override capabilities refer to manual processes that allow authorised or compromised users to bypass automated fraud detection flags.
Duplicate vendor records and inadequate segregation of duties are the oldest fraud vectors in corporate finance, allowing hospitals, pharmacies, or ghost providers to bill multiple times for the same service, or enabling the same employee to initiate, approve, and process a payment without independent review.
The internal fraud figure is troubling not because of its absolute size but because of what it implies about the company’s culture and detection capabilities. Insurance insiders who commit fraud at scale typically operate with collusion between multiple staff members or with a single employee in a position of sufficient authority to override controls unilaterally.
In a medical insurance context, the most common pattern involves claims processing staff colluding with external providers to process inflated or fictitious claims.
The duplicate vendor records and override capabilities that Old Mutual has acknowledged are precisely the infrastructure this kind of collusion requires.
The company’s decision to refer 177 cases to investigative authorities suggests this is not a situation where one or two bad actors were caught and removed.
It is a systemic problem affecting multiple individuals and processes across the group’s Kenya and Uganda operations. Old Mutual processed 1,312,217 medical claims in 2025.
Industry estimates suggest fraudulent and inflated claims constitute roughly one fifth of all filed claims.
If Old Mutual’s medical book is consistent with that average, somewhere between two hundred thousand and three hundred thousand of those claims carry some degree of fraudulent inflation.
The Sh106.4 million in confirmed losses represents only the fraction that investigators were able to definitively verify.
The most concrete evidence that Old Mutual has internalised the severity of its fraud problem is the strategic decision it has taken with its medical insurance book.
In 2025, the company rejected contracts worth Sh1.3 billion that it deemed inadequately priced.
This is not normal business selectivity. It is an insurer concluding that significant portions of its core product line have become too contaminated to carry at prevailing market rates.
Medical insurance loss ratios at Old Mutual have been running between 70 and 80 percent once fraud, claims inflation, and operational costs are factored in. An 80 percent loss ratio means that for every Sh100 collected in premiums, Sh80 is going out in claims alone, before administration expenses and fraud-related remediation are counted.
The fraud crisis sits alongside a separate governance controversy that has been playing out in Kenyan courts since 2024. Minority shareholder Joel Kamau Kibe, the sixth largest investor in the company, has filed a petition alleging mismanagement, oppression of minority shareholders, and misappropriation of assets.
Kibe has told the High Court that Old Mutual failed to deliver on its promise to list on the Nairobi Securities Exchange, rendering his investment illiquid.
He has challenged a proposed conversion of a shareholder loan that escalated from $15 million to $48.18 million into equity, arguing it constitutes a fraudulent dilution of minority holdings.
He has further challenged the sale of the Old Mutual Tower and other properties valued at approximately Sh19.4 billion, arguing the proceeds are not being managed transparently.
The company has denied these allegations. The High Court dismissed Old Mutual’s attempt to have the petition thrown out on technical grounds, allowing it to proceed to a full hearing on the merits.
An insurer simultaneously managing a fraud crisis of this scale, a core insurance service result in the red, a strategic retreat from its highest-volume product line, and a contested shareholder lawsuit is a company under multidimensional stress.
Perhaps the most uncomfortable comparison is with the banking sector. KCB Group wrote off just Sh760,000 in fraud in 2025, down from Sh4.5 million the year before.
Equity Group and Standard Chartered have both reported material declines in fraud losses, attributing the improvement to AI-powered transaction monitoring. The banking sector’s fraud trajectory is moving sharply downward.
Old Mutual’s is not.
The standard defence is that insurance fraud is structurally more complex than banking fraud. That is true. But Jubilee Holdings, the only other Kenyan insurer to publish comparable fraud data, recorded actual losses of Sh47.25 million in 2025 on a considerably smaller premium base and averted Sh1.28 billion in fictitious claims through AI deployment.
Old Mutual averted Sh193.6 million in fraudulent claims through analytics in 2025, down from Sh253 million in 2024. The detection figure is falling while confirmed losses continue to materialise.
Old Mutual’s disclosures are, to their credit, more transparent than most Kenyan insurers manage.
The specific quantum of fraud losses, the breakdown between internal and external, the list of risk drivers, and the number of investigative referrals reflect either genuine regulatory pressure or a deliberate decision to own the problem publicly. But the disclosures do not answer the harder questions. How long were the duplicate vendor records present in the system before they were identified?
When was the inadequate segregation of duties first noted in an internal audit report, and what was the board risk committee’s documented response? Which specific business lines account for the bulk of the internal fraud losses? Have any of the 177 cases resulted in arrests or prosecutions?
The 37 new controls implemented in 2025 represent real investment and real effort. The automation of policy processes, improved vendor validation, and enhanced segregation of duties are precisely what should have been in place years ago. They will help, but they will not be enough on their own to close the gap between what Old Mutual’s fraud detection machine is catching and what is still slipping through.Until the internal fraud share is visibly and sustainably declining, until the insurance service result returns to profitability without relying on asset management to carry the group, and until the legitimate grievances of minority shareholders receive a credible judicial resolution, Old Mutual Holdings remains a company navigating multiple concurrent crises.
The Sh106.4 million is not the whole story. It is the part of the story that Old Mutual chose to disclose. The rest remains inside the building, inside the vendor master files, inside the override logs, and inside the fraud referral files now sitting with Kenyan law enforcement.
Add Comment