SACCOs

Member account protection
for digitizing cooperatives

Member portals bring access — and exposure. Keverd sits at the device layer, below identity checks and above core banking, catching attackers before withdrawals, loans, or account changes.

Talk to Founders

Trusted by forward-thinking teams

Overview

Kenya has over 14,000 registered SACCOs serving more than 5 million members — over Ksh 800 billion in assets. For decades, wealth was protected by branches, passbooks, and face-to-face verification.

That is changing fast. Member portals, mobile apps, USSD, and online loan applications are now standard — driven by member demand, regulation, and competition from digital banks and mobile lenders.

Digitization brings access and exposure. Most SACCOs deployed digital channels without fraud infrastructure to match. Keverd fills that gap at the device layer — catching attackers before the actions that cause real damage.

The problem

What SACCO digital fraud looks like

Member account takeover

Phished or stuffed credentials → login from a new device → withdrawal, fraudulent loan, or M-Pesa redirect. Members often discover it days or weeks later on a statement — funds already gone.

Loan application fraud

Emergency loans and salary advances processed in 24 hours on digital platforms. Stolen credentials, maximum loan from an unknown device — correct member number and PIN, wrong device. Keverd catches it at application.

SIM swap & M-Pesa redirect

Attacker swaps the member’s SIM, intercepts OTPs, resets portal password, changes withdrawal number. Device continuity breaks before the change completes.

Staff-facilitated access

Staff devices accessing member accounts they should not touch — balance checks, facilitated fraud, or unauthorised transactions. Clear audit trail for management review.

Dormant account targeting

Members who never adopted the portal have savings but no device baseline. Attackers target these accounts; Keverd flags first-time device access after long inactivity and requires verification.

Phantom member registration

Multiple fake memberships from one device — small contributions, then loans at multiples of deposits. Farm detected at registration before accounts are created.

How Keverd solves it

Five layers on the member portal

Portal layer integration — no core banking changes required. Keverd captures:

Device fingerprint on every member portal login
Known-device history vs. first-time or new-device access
Loan application device continuity — flagged for loans officer review
Sensitive actions: withdrawal, M-Pesa change, beneficiary, PIN reset
SIM swap breaks — device and number relationship no longer match
Staff device anomalies — member accounts accessed from non-member devices

Portal login protection

Fingerprint every login before full session access. Known devices proceed; new or high-risk devices trigger verification calibrated to what the member does next.

Loan application integrity

Check the device submitting each loan application. Unrecognised devices surface in the queue with Keverd score and flags — loans officer decides with full context.

Sensitive action holds

Withdrawals, mobile money number changes, beneficiary updates, PIN and email resets — unrecognised device triggers hold and SMS alert before completion.

SIM swap detection

Continuity break when the device accessing the portal no longer matches the account’s established relationship — alert before password reset or redirect.

Membership & dormant accounts

Multiple online membership applications from one device flagged at registration. Long-inactive accounts get heightened scrutiny on first digital access.

Integration

Three touchpoints — portal layer only

Integrate at the member portal, not core banking. For Sacco365, Co-oplink, Orbit, and similar vendors, Keverd has pre-mapped configurations — typically 3–5 days to go live.

Member portal login

Placement: Member portal login page
Trigger: Login form submission
Response: device_id, is_known_device, suspect_score, risk_tier, action_taken

Risk response before full session access. Known devices proceed; new devices verify based on intended next action.

Loan application

Placement: Loan application form
Trigger: Loan application submission
Response: device continuity flag, is_known_device, suspect_score, risk_tier, flags[]

Unrecognised devices flagged in the queue for loans officer — no auto-reject; full device intelligence on screen.

Sensitive account actions

Placement: Withdrawal, account settings, PIN reset
Trigger: Each sensitive action submission
Response: device continuity flag, is_known_device, risk_tier, action_taken

Hold + out-of-band SMS to registered number before withdrawal, M-Pesa change, beneficiary update, or PIN reset.

Workflow

Member account takeover attempt

1
Attacker
Logs into the member portal with stolen credentials from a new device.
2
Keverd
Flags unknown device against the member’s known device history before full access.
3
Your portal
Verification required for withdrawal or account changes — or session blocked.
4
Member
Receives SMS that their account was protected — trust moment, not a silent failure.

Fraudulent loan application

1
Attacker
Submits maximum emergency loan application using member credentials from an unrecognised device.
2
Keverd
Flags device never associated with this member account.
3
Loans officer
Sees application in queue with Keverd score and flags — investigates before approval.
4
Member
Legitimate loan not blocked by default; fraud caught with human judgment plus device data.

Staff internal access audit

1
Staff device
Accesses a member account from hardware never linked to that member.
2
Keverd
Records anomaly — staff device on member account access log.
3
Management
Audit trail supports investigation; deters casual or facilitated internal fraud.
4
Note
Keverd identifies pattern, not intent — legitimate operational access may occur; investigation follows.

Field guide

Reading Keverd flags for SACCO teams

For operations staff, loans officers, and security teams handling alerts day to day.

Flag	What it means	How to use it
BOT	Session behaviour matches non-human patterns.	Unusual on member portals. Review if seen on login or application flows.
AUTOMATION	Form interaction consistent with scripting.	Flag for ops review — rare for typical member use.
USER_AGENT_SPOOFED	Device misrepresents browser or OS.	Review on login and loan application from new devices.
TIMEZONE_IP_MISMATCH	Timezone does not match IP location.	Context only. Do not block on this flag alone.
AD_BLOCKER	Ad blocker detected.	Informational. Low weight in SACCO member risk scoring.

First 30 days

What success looks like

100%of portal logins receive a device fingerprint
Week 1weekly member protection summary — blocked access attempts
Loansfraudulent applications flagged in officer queue with device context
Week 4internal access anomaly report for management
Day 30verification thresholds reviewed — SMS capability and dormant-account rules

The internal access anomaly report often surprises management first — staff device patterns broader than expected. Handled with care, it can justify the investment alongside member fraud protection.

Default configuration

Tuned for SACCOs

New device login	SMS verification before sensitive action	Requires real-time SMS from portal
Sensitive actions	Hold + member SMS on unknown device	Withdrawal, M-Pesa, beneficiary, PIN, email
Loan review	Flag new device above agreed loan amount	Loans officer makes final decision
Dormant account	Heightened check after N days inactive	First legitimate access may verify — communicate to members

For SACCO leadership

Starting the conversation

SACCOs decide through boards and membership trust — not the same motion as fintech sales.

The opening question

If a member’s phone is stolen tonight, can you detect an unauthorised login tomorrow morning — and stop a withdrawal before it processes? For most digitizing SACCOs the answer is no. That opens the member protection conversation.

Member trust, not just fraud tech

Frame for boards as member protection: SMS saying their account was protected from unauthorised access. Digital transformation that makes members safer, not more exposed.

Digital transformation committee

Enter through IT or digital committees already evaluating portal security — Keverd fits the vendor stack conversation without leading with fear.

Regulatory posture

SASRA expects adequate controls on digital channels. Device-level access monitoring, anomaly detection, and member alert logs strengthen compliance demonstrations.

Onboarding

5–7 working days — 3–5 on common portals

01Identify portal vendor (e.g. Sacco365, Co-oplink, Orbit) — confirm pre-mapped config if available
02Share portal login, loan application, and account settings URLs
03Confirm SMS gateway can send real-time alerts to member numbers
04Add Keverd snippet to login, loan, and sensitive action pages
05Configure webhook and authentication token
06Confirm sensitive action list: hard verification vs. soft notification
07Agree loan amount threshold for new-device loans officer review
08Agree dormant-account inactivity threshold
09Test run: access test accounts from unknown device
10Brief operations and loans officers using workflows and field guide
11Brief management on internal access audit format
12Go live — first weekly member protection summary at end of week one

Known limitations

Interpret signals correctly

Keverd operates at device and session layer — not transaction amounts, contribution history, or loan repayment patterns in core banking.
Members on multiple legitimate devices (phone, work laptop, family tablet) may see new-device verification until baselines build — communicate during portal onboarding.
Third-party portal vendors may need cooperation to add the script — factor vendor timelines into onboarding (often 3–5 days on common platforms).
Internal access audit identifies anomalous patterns, not intent — investigation still required.
Dormant accounts with no prior digital access have no baseline — first login from any device is new; frame as security feature in member communications.

Member account protection for digitizing cooperatives