
Five years, zero payment fraud: the boring system design that makes it possible

Zero payment fraud in five years invites a follow-up question: how? The honest answer is unglamorous — we didn't solve fraud with vigilance. We solved it with design.

Onyia Chima Jude
Managing Director
3 Jul 2026 • 5 min read
✦ Key takeaways
  • Bank-only by policy removes the most common failure mode entirely — no staff member ever collects cash on our behalf.
  • Entry, approval and reconciliation of a payment sit with different people, so no single person can both create a transaction and approve it.
  • Money and stock records are append-only and hash-chained: entries are corrected forward, never silently rewritten — tampering is detectable, immediately.

Zero payment fraud in five years is the kind of number that invites a follow-up question: how? Not as a boast — as a real question, usually from a principal doing due diligence, or an accountant who's seen this go wrong somewhere else.

We didn't solve fraud with vigilance. We solved it with design.

Bank-only, no exceptions

The first design decision is the one that removes the most risk before it can start: COJUDE is bank-only, by policy, with no exceptions. Every customer payment goes directly to a Cojude International Limited bank account. No sales rep, no driver, no merchandiser ever collects cash on our behalf. That single rule closes the door on the single most common failure mode in Nigerian FMCG distribution — cash changing hands somewhere between a shop and a ledger, with no independent record of the handoff.

Separate the roles that touch money

The second decision is separating the roles that touch money, so that no one person can both create a transaction and approve it. Entry, approval and reconciliation of a payment sit with different people, doing different jobs, checking different things. It's a slower way to move money on paper. It's the reason a single compromised login, or a single bad actor, can't quietly move money without a second person noticing.

Append-only money

The third decision is the one most people ask about once they understand it: money and stock records are append-only. Once a transaction lands in the ledger, it can be corrected — with a new, timestamped entry that explains what changed and why — but it can never be silently rewritten or deleted. Every entry carries a chain back to the one before it, so an entry that's been tampered with breaks the chain in a way that's detectable, not just theoretically but immediately. That's what "tamper-evident" means in practice: not that fraud is impossible, but that hiding it afterward is.
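
A minimal sketch of the append-only, hash-chained ledger described above, including a forward correction and a verifier that reports where the chain breaks. This is an added example, not COJUDE's own code: the field names, the SHA-256 choice, the GENESIS anchor and the sample entries are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash


def digest(body):
    # Canonical JSON so identical fields always produce the same hash.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class Ledger:
    def __init__(self):
        self.entries = []

    def append(self, kind, amount, entered_at, received_at, note="", corrects=None):
        if corrects is not None and not 0 <= corrects < len(self.entries):
            raise ValueError("a correction must reference an existing entry")
        body = {
            "seq": len(self.entries), "kind": kind,
            "amount": amount,  # integer minor units, no floats
            "entered_at": entered_at, "received_at": received_at,
            "note": note, "corrects": corrects,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        self.entries.append({**body, "hash": digest(body)})
        return body["seq"]

    def verify(self):
        # Returns the seq of the first entry that breaks the chain, else None.
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev_hash"] != prev or digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


def sample_ledger():
    # Constructed sample data, not real transactions.
    led = Ledger()
    led.append("payment", 15_000_000, "2026-07-01T09:12:00Z", "2026-07-01T08:57:00Z")
    led.append("payment", 8_250_000, "2026-07-01T10:03:00Z", "2026-07-01T09:40:00Z")
    led.append("correction", -13_500_000, "2026-07-02T11:30:00Z", "2026-07-01T08:57:00Z",
               note="entry 0 keyed with an extra zero", corrects=0)
    return led
```

The chain only proves tampering if the latest hash is also held somewhere the ledger's writer cannot change; someone able to rewrite every entry and every hash could otherwise rebuild a consistent chain.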

Two timestamps, not one

The fourth decision is timing discipline most customers never think about: every payment carries two timestamps, not one — when it was entered into the system, and when it was actually received. Those two numbers being different, or matching too conveniently, are exactly the kind of pattern that a reconciliation process is built to catch.

None of this required exotic technology. It required deciding, early, that convenience would lose to verifiability every time those two things were in tension — and then building software that made the disciplined way the only way, instead of a policy someone could quietly skip on a busy day.

That's the real story behind the number. Five years, zero payment fraud, isn't a claim about how careful our people are — though they are. It's a claim about what the system will and won't allow to happen quietly. In a business built on moving other people's money for other people's stock, that difference is the whole job.
