Kenya’s data regulator, the Office of the Data Protection Commissioner (ODPC), has fined Diamond Trust Bank (DTB) Kenya and its Ugandan subsidiary KES 500,000 after a customer’s bank statements were repeatedly sent to the wrong country for nearly three years, exposing a rare cross-border failure inside a regional banking group and raising fresh questions about how lenders manage shared systems.
The ruling, delivered by the ODPC in December 2025, closes a complaint first lodged in August 2025 by a Kenyan customer who said she began receiving another person’s bank statements in November 2022.
The error persisted despite multiple reports to the bank and only stopped in August 2025. During that period, her own DTB Kenya statements were suspended, cutting her off from transaction records needed for daily financial management and compliance.
At the centre of the case was a mix-up between DTB Kenya and Diamond Trust Bank Uganda, two separate legal entities that share backend banking infrastructure.
An incorrect manual capture of an email address during onboarding at the Ugandan unit linked the Kenyan customer’s email to a third-party account in Uganda. The result was years of misdirected statements, alerts and the exposure of sensitive financial data to an unintended recipient.
The complainant told the regulator that the breach caused financial distress, loss of trust in the bank’s controls and anxiety over the risk of fraud and identity theft.
The customer escalated the matter several times, including in April and May 2025, before the error was finally corrected. DTB Kenya said it added her email to a “do not contact” list as it investigated, which stopped delivery of her own statements, but did not immediately resolve the data leak from Uganda.
DTB Uganda admitted that the incident stemmed from human error compounded by manual data handling between its core banking system and its customer communications platform. The lender says it has since automated the process, deleted the wrongly captured email address and introduced stronger controls, including masked account numbers, password-protected PDF statements, unsubscribe options and regular staff training.
In its findings, the ODPC held that both banks breached the customer’s rights to be informed, to access and to rectify personal data under Kenya’s Data Protection Act.
The office faulted DTB Kenya for failing to resolve the issue despite repeated reports, and DTB Uganda for processing personal data without a valid legal basis and allowing an error to persist for years.
Beyond the fines, the regulator also issued an enforcement notice against the Ugandan unit, warning that further sanctions could follow if corrective measures fail.
