Why one person should never approve building money

Dual-signatory payments are not bureaucracy. They are the cheapest, most effective fraud control available to a volunteer committee — and the Unit Titles Act has required them since 2008.

By Kasri Team · 29 Mar 2026

Tags: Treasury · Fraud · Governance · Dual signatory

Every Tanzanian housing association that has lost money to its own treasurer has the same story. A trusted committee member, often a friend of the chairman, has sole signing authority on the body corporate’s account. Small irregularities go unnoticed because nobody else is watching. Larger ones get explained away as “let me check the receipt next week”. A year or two later — at handover or at audit — six figures of shillings are missing and nobody can produce a paper trail.

It almost never starts as fraud. It starts as expediency. The treasurer is the one closest to the money, the one who knows what the lift contractor charges, the one whose phone has the M-Pesa app already installed. Splitting the signing authority between two officers slows everything down, the committee says, and the committee is right — until the moment slowing things down is the only thing standing between you and a hole in the sinking fund.

This is exactly why the Unit Titles Act No. 16 of 2008 requires dual signatures on every outgoing payment. The law has known about this failure mode for fifteen years. The software stack to enforce it without slowing anyone down has existed since about 2022.

What “dual signatory” actually means, mechanically

The phrase is loose enough that committees use it to mean different things. Here is what it should mean, operationally, in a body corporate worth taking seriously:

  • Two distinct officers. Almost always chairman and treasurer. Never two people on the same physical device. Never two passwords known to one human.
  • Two distinct user sessions. Each officer logs in from their own device. The countersigning step happens after the first signature has been recorded — not as a same-screen “OK, OK” double-click.
  • Same-person countersigning blocked. The user who initiated the request cannot also approve it. This is enforced at the API layer, not as a polite suggestion.
  • Fresh step-up MFA on every signature. A stolen email session cannot move money. The countersigner has to prove physical possession of a TOTP token at the moment of signing.
  • The same approval surface for every payment over the threshold. No “small payments are fine” carve-out. If the by-laws say the threshold is TZS 100,000, then every payment over that line goes through the same gate.
  • Immutable record of both signatures, both timestamps, both IP addresses. Stored in an append-only audit log. Hashed against tampering.
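The list above as working code, added here as an illustration and not Kasri's own implementation: a small ledger that releases payments at or below TZS 100,000 on one signature, holds anything above it for a different officer, refuses same-person countersigning on the server side, demands a fresh TOTP from whoever is signing, and writes every request, approval and block to an append-only log where each entry is hashed together with the previous one. `verify_totp` is a hypothetical injected MFA check; request ids, officer names and IP addresses in the test are constructed.

```python
import hashlib
import json
import time

THRESHOLD_TZS = 100_000  # by-law threshold quoted in the post

class DualSigError(Exception): pass

class PaymentLedger:
    def __init__(self, verify_totp):
        self.verify_totp = verify_totp  # hypothetical MFA backend: (user, code) -> bool
        self.requests, self.log = {}, []  # log is append-only and hash-chained

    def _append(self, **event):
        prev = self.log[-1]["hash"] if self.log else "0" * 64
        event.update(prev=prev, ts=time.time())  # commits to the previous entry
        event["hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
        self.log.append(event)

    def request(self, req_id, user, amount, totp, ip):
        if not self.verify_totp(user, totp):
            raise DualSigError("step-up MFA failed for initiator")
        # Over the threshold: wait for a second officer. At or below: release now.
        status = "pending" if amount > THRESHOLD_TZS else "released"
        self.requests[req_id] = {"initiator": user, "amount": amount, "status": status}
        self._append(event="request", id=req_id, user=user, amount=amount, ip=ip, status=status)
        return status

    def countersign(self, req_id, user, totp, ip, approve=True):
        req = self.requests[req_id]
        if req["status"] != "pending":
            raise DualSigError("request is not awaiting countersignature")
        if user == req["initiator"]:  # same-person countersigning is refused server-side
            raise DualSigError("initiator cannot countersign own request")
        if not self.verify_totp(user, totp):  # fresh TOTP at the moment of signing
            raise DualSigError("step-up MFA failed for countersigner")
        req["status"] = "released" if approve else "blocked"  # a block is logged too
        self._append(event="countersign", id=req_id, user=user, ip=ip, status=req["status"])
        return req["status"]

def verify_log(log):
    # Recompute the chain; an edited, reordered or deleted entry fails the check
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or digest != entry["hash"]:
            return False
        prev = entry["hash"]
    return True
```

An external reviewer or owner with read access to the log can run `verify_log` without trusting either officer, which is the property the audit-log bullet is after.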

What dual-sig protects against

Three classes of attack:

Insider fraud. The treasurer cannot drain the account. The chairman cannot pay his cousin’s company. Either officer can spot and block a suspicious request from the other one — and the block is timestamped, so the audit log shows that the system worked.

Compromised credentials. Phishing is real. M-Pesa scams targeting committee officers are not theoretical. If an attacker takes over one officer’s email, the second officer’s MFA is the perimeter that holds.

Rushed approvals. The expensive lift contractor calls the chairman, says the parts have to be paid for today or the order falls through. Without dual-sig, the chairman pays. With dual-sig, the treasurer has to look at it too — and “I’ll get back to you in twenty minutes” is often enough to deflate a social-engineering attempt.

What dual-sig does not protect against

Collusion between the two officers. If the chairman and the treasurer agree to take money out together, dual-sig will not stop them. This is why dual-sig is paired with three other things in a serious system: an immutable audit log that survives both officers being replaced; a read-only ledger view for every owner so collusion is visible from outside the room; and a quarterly external review (or, soon, RERA inspection) that catches patterns across multiple buildings.

Dual-sig is necessary. It is not sufficient. But it is by far the cheapest control you can put in place — and the only one of the four that is already required by law.

The objection committees raise

“It will slow us down.”

Yes. By about ninety seconds per payment. The treasurer’s phone vibrates, they unlock it, they tap approve, they tap the TOTP, they tap confirm. That is the entire workflow.

In exchange, you get a control that has, in every body corporate that has ever lost money to its own treasurer, been the single missing piece. And you get a record that will be the difference between walking out of the next AGM with the committee re-elected, or walking out with a formal accusation hanging over the room.

It is not bureaucracy. It is the cheapest insurance you will ever buy.
