Incidents

An incident is the case file that opens any time cash behaves unexpectedly — a variance, a tampered seal, an attempted robbery, a missing CIT bag, a policy override. Every incident is logged, investigated, closed with a documented resolution, and is reviewable by internal audit and the regulator.

Cash incidents
Captured cash incidents (variance, theft, robbery) with state.

What an incident is

An incident (`mfi.cash.incident`) is a structured case record with severity level, type, amount at risk, parties involved, investigation trail, recovery actions, and a documented close-out. It links back to the originating record (till session, vault session, CIT trip, branch session) for traceability.

  • **Auto-created** — any variance, any seal mismatch, any policy override, any forced close
  • **Manually created** — robbery, attempted robbery, fire, fraud allegation, suspected counterfeiting, internal control failure
  • **Never deleted** — even erroneously opened incidents are closed with reason, not deleted

Severity levels

LevelMeaningExamples
Level 1Operational, low amount, no fraud suspectedVariance ≤ KES 5,000, denomination mismatch, late closure
Level 2Material amount or repeat patternVariance KES 5,001 – 250,000, repeat overages at one till, single seal mismatch resolved on site
Level 3Major loss or active security eventVariance > KES 250,000, robbery, fire, missing CIT bag, suspected internal fraud, regulator-notifiable event
Warning — Level-3 incidents trigger automatic notification to CFO, head of treasury, head of compliance, and (where applicable) FRC / DCI / CBK. Do not downgrade a level-3 without head-of-compliance sign-off.

Incident types

CodeDescription
variance_shortCash shortage detected at EOD or surprise count
variance_overCash overage detected at EOD or surprise count
seal_tamperSeal damaged or mismatched on CIT bag
seal_missingSeal lost from inventory
override_policyManager overrode a cash policy threshold
force_closeBranch manager force-closed an orphan till session
robberyArmed robbery at branch or CIT route
attempted_robberyRobbery attempted, no loss
fireFire affecting vault or branch
fraud_internalSuspected staff fraud
fraud_externalSuspected customer or third-party fraud
counterfeitCounterfeit notes detected
lost_in_transitCIT bag missing
data_lossCash transaction record lost or corrupted

Incident workflow

  1. **Opened** — auto or manual creation, severity assigned automatically based on type + amount
  2. **Acknowledged** — branch manager (or higher per level) acknowledges within SLA (4h for L1, 1h for L2, immediate for L3)
  3. **Investigating** — gather evidence: CCTV, transaction logs, witness statements, denomination ledgers, attachments
  4. **Resolution proposed** — case officer drafts: cause, action, recovery, prevention
  5. **Approved** — appropriate authoriser per cap table signs off
  6. **Closed clean** — fully resolved with no residual loss
  7. **Closed with loss** — partial or no recovery; loss booked to cash shortage expense
  8. **Escalated** — handed to police / FRC / DCI / CBK; remains open until external case closes

SLA targets

Missed SLAs trigger escalation to the next role and appear on the head-of-compliance weekly review.

LevelAcknowledgeInitial investigationResolution target
L14 hours24 hours48 hours
L21 hour4 hours5 business days
L3Immediate1 hourPer investigation; status report daily

External notification matrix (Kenya)

Some incidents require external reporting:

EventNotifyDeadline
Single cash transaction > KES 1,000,000FRC (STR queue)Within 7 days
Robbery / armed attackDCI + insurance underwriterImmediate
Counterfeit notes seizedCBK Currency Department + DCI24 hours
Suspected money laundering patternFRC (STR)Within 7 days of suspicion
Cyber-incident affecting cash recordsCommunications Authority + ODPC if PII affected72 hours (ODPC)
DTM only — material cash lossCBK Bank SupervisionPer CBK/PG/MFB/05
Warning — STR (Suspicious Transaction Report) confidentiality applies. Do not tell the subject that an STR has been filed. The system flags STR-related fields as compliance-only.

Recovery and accounting

Incidents tie directly to GL:

  • **Shortage at close** — Dr Cash shortage expense, Cr Till cash for the variance amount
  • **Recovered next day** — Dr Cash, Cr Cash shortage expense (reverses the loss)
  • **Recovered from teller** — Dr Receivable from teller, Cr Cash shortage expense; receivable cleared as teller pays
  • **Insurance recovery** — Dr Insurance receivable, Cr Cash shortage expense, on insurer confirmation
  • **Final write-off** — Dr Cash shortage expense (closed), Cr Receivable; tax-deductibility per KRA Income Tax Act

Audit and reporting

All incidents are surfaced in three standard reports:

  • **Incident Register** — chronological list, filterable by level / type / branch / date
  • **Open Incidents Aged** — open incidents by SLA bucket; tracks SLA breaches
  • **Loss History** — cumulative cash loss by branch / type / month, with recovery overlay

Worked scenarios

Scenario — Level-3 incident: CIT bag tamper detected at bank

Setting: Friday afternoon. G4S CIT trip from Eldoret to KCB Eldoret branch. Bag value KES 1.8M.

CharacterRole
Florence AchiengBranch manager Eldoret
Peter OtienoG4S crew chief
Aisha HassanKCB Eldoret cash desk
Mary MutuaHead of treasury HQ
Kimani MwangiHead of compliance HQ

Timeline

  1. Day 1, 14:30: Florence ships KES 1.8M in bag with seal #91211 via G4S. (Trip CIT/2026/0612 in transit)
  2. Day 1, 15:45: Aisha at KCB inspects seal — it is intact-looking but does NOT match the manifest number (manifest says 91211, seal reads 91212). (—)
  3. Day 1, 15:46: Aisha refuses to accept bag. Calls Florence and G4S Ops simultaneously. (—)
  4. Day 1, 15:50: Florence opens an L3 incident: type seal_tamper, amount at risk KES 1,800,000, parties G4S crew + KCB receiver. (Incident INC/2026/0612 OPENED, L3)
  5. Day 1, 15:55: Automation pages Mary, Kimani, CFO, CEO. Bag stays in joint custody at KCB pending investigation. (Escalation matrix triggered)
  6. Day 1, 16:30: Kimani notifies G4S insurance (24h clock), drafts DCI report (police filing). (External notification logged)
  7. Day 1, 17:00: Joint count of bag at KCB with Aisha, Florence (driven down), G4S regional manager: KES 1,800,000 intact. (No loss)
  8. Day 1, 17:30: Investigation: G4S admin loaded wrong manifest — physical seal was always 91212, manifest data-entry error. (Cause: G4S data-entry error)
  9. Day 1, 18:00: Bag accepted into KCB cash desk. Trip reconciled. Incident remains L3 but moves to 'investigating'. (Trip closed_clean)
  10. Day 5: G4S provides written root cause + control fix. DCI report withdrawn (no crime). Incident closed clean with control finding logged for next G4S service review. (Incident CLOSED CLEAN)

Outcome — No financial loss; level-3 procedure handled correctly; G4S control improvement logged; learning shared institution-wide.

Reference

Incident states

StateMeaning
openedCreated, awaiting acknowledgement
acknowledgedOwner acknowledged within SLA
investigatingEvidence gathering in progress
resolution_proposedDraft resolution awaiting authoriser sign-off
closed_cleanResolved, no residual loss
closed_with_lossResolved with documented loss / partial recovery
escalated_externalHanded to police / FRC / regulator
reopenedReopened after fresh evidence (manager + audit approval)

Key incident fields

FieldTypeNotes
nameCharAuto INC/YYYY/NNNN
levelSelectionL1 / L2 / L3
typeSelectionSee types table above
amount_at_riskMonetaryMaximum exposure
amount_lostMonetaryConfirmed loss
amount_recoveredMonetaryRecovered to date
branch_idM2O res.branchSite of incident
origin_recordReferenceTill / vault / CIT trip / branch session
acknowledged_byM2O res.usersSLA stamp
closed_byM2O res.usersSign-off
external_reportsO2M attachmentFRC / DCI / CBK filings
str_filedBooleanTrue if FRC STR submitted; restricts visibility

Troubleshooting

SymptomLikely causeFix
Cannot acknowledge incident — 'not the authorised owner'Auto-assignment routed to a different roleOpen the incident, check assigned owner. If reassignment needed, the current owner reassigns, or head of compliance forces.
Incident sits in 'closed_clean' but ledger still shows a lossRecovery journal not postedOpen the incident's GL panel, click Post Recovery Journal. Verify cash shortage expense reverses to zero.
Cannot close L3 incident even after investigation completeExternal notification (DCI, FRC, CBK) not yet acknowledgedAttach the regulator acknowledgement letter PDF to the incident, then close-out is enabled.
STR-flagged incident is visible to branch managersSTR confidentiality flag not set; without flag, normal RLS appliesCompliance officer ticks str_filed = True; visibility instantly restricts to compliance-only group.
Incident SLA appears breached even though we resolved on timeResolution time captured in user local timezone but SLA computed UTCVerify server timezone; incident SLA computation should use res.partner.tz of the assigned owner. Update record manually with reason.

See also

Was this page helpful?