Blog
Why one person should never approve building money
Dual-signatory payments are not bureaucracy. They are the cheapest, most effective fraud control available to a volunteer committee — aligned with the Act's two-officer common-seal model.
By Kasri Team · 29 Mar 2026 · 7 min read · Updated 10 Jun 2026
Every Tanzanian housing association that has lost money to its own treasurer has the same story. A trusted committee member, often a friend of the chairman, has sole signing authority on the body corporate’s account. Small irregularities go unnoticed because nobody else is watching. Larger ones get explained away as “let me check the receipt next week.” A year or two later — at handover or at audit — six figures of shillings are missing and nobody can produce a paper trail.
It almost never starts as fraud. It starts as expediency. The treasurer is the one closest to the money, the one who knows what the lift contractor charges, the one whose phone has the M-Pesa app already installed. Splitting the signing authority between two officers slows everything down, the committee says, and the committee is right — until the moment slowing things down is the only thing standing between you and a hole in the sinking fund.
The Unit Titles Act addressed this failure mode in 2008. Section 36(2) requires the body corporate’s common seal to be authenticated by the chairman and the secretary jointly — a two-officer model that establishes the governance principle of dual authority on every binding act of the body corporate. The operational extension of this principle to financial controls — dual-signatory payment approvals — is how committees implement the Act’s intent in the mobile-money era.
What dual signatory actually means, operationally
The phrase is loose enough that committees use it to mean different things. Here is what it should mean in a body corporate worth taking seriously:
- Two distinct officers. Almost always chairman and treasurer. Never two people on the same physical device. Never two passwords known to one human.
- Two distinct user sessions. Each officer logs in from their own device. The countersigning step happens after the first signature has been recorded — not as a same-screen “OK, OK” double-click.
- Same-person countersigning blocked. The user who initiated the request cannot also approve it. Enforced at the system layer, not as a polite suggestion.
- Fresh step-up MFA on every signature. A stolen email session cannot move money. The countersigner must prove physical possession of a TOTP token at the moment of signing.
- The same approval surface for every payment over the threshold. No “small payments are fine” carve-out. If the by-laws say the threshold is TZS 100,000, then every payment over that line goes through the same gate.
- Immutable record of both signatures, both timestamps, both IP addresses. Stored in an append-only audit log. Hashed against tampering.
The four-controls stack — dual-sig alone is not enough
| Control | What it stops | What it does not stop |
|---|---|---|
| Dual-signatory | Single-officer fraud, unauthorized payments, rushed approvals | Collusion between the two officers |
| Immutable audit log | Tampering with historical records | Real-time fraud before detection |
| Owner read-only ledger | Concealment — every owner can see the money trail | Errors in the ledger itself |
| Quarterly external review | Sustained collusion, structural errors | Isolated incidents between reviews |
Dual-sig is the first line. It is necessary. It is not sufficient. But it is by far the cheapest control you can put in place — and the only one of the four that derives directly from the Act’s common-seal model.
Three attack classes dual-sig stops
Insider fraud. The treasurer cannot drain the account. The chairman cannot pay his cousin’s company. Either officer can spot and block a suspicious request from the other one — and the block is timestamped, so the audit log shows that the system worked.
Compromised credentials. Phishing is real. M-Pesa scams targeting committee officers are not theoretical. If an attacker takes over one officer’s email, the second officer’s MFA is the perimeter that holds. This is not theoretical — it is the single most common fraud vector in Tanzanian condominiums.
Rushed approvals. The expensive lift contractor calls the chairman and says the parts have to be paid for today or the order falls through. Without dual-sig, the chairman pays. With dual-sig, the treasurer has to look at it too — and “I’ll get back to you in twenty minutes” is often enough to deflate a social-engineering attempt.
Real Tanzania fraud patterns — anonymised
Every committee that has gone through a treasury loss recognises one of these:
-
The personal M-Pesa float. The treasurer collects service charges to his personal number, pays vendors from the same number, and the float is never fully reconciled. Six months later, TZS 2.3 million is unaccounted for. The treasurer claims he “lent it to himself temporarily.” The committee cannot prove otherwise.
-
The ghost vendor. A payment is approved to “Lift Maintenance Services Ltd” for TZS 1.8 million. The company does not exist. The resolution authorising the payment was a WhatsApp message from the chairman to the treasurer. No dual-sig. No audit trail. No vendor due-diligence file.
-
The committee-split transfer. A departing treasurer transfers the body corporate’s bank balance — TZS 12 million — to the new treasurer’s personal account “for convenience.” The new treasurer is never formally added to the bank mandate. Six weeks later, the money is gone and the bank says the transfer was between two personal accounts that are not the bank’s problem.
The common thread: every one of these required only one person’s signature to execute.
The WhatsApp approval vs dual-sig workflow — side by side
| WhatsApp approval | Proper dual-sig workflow | |
|---|---|---|
| Evidence | Screenshot, deletable | Immutable log entry |
| Time | ~10 seconds | ~90 seconds |
| Fraud risk | High — single person, no MFA | Low — two people, two MFAs |
| Auditability | None — “the message was deleted” | Complete — timestamps, IPs, device IDs |
| Legal weight | Contestable | Court-admissible |
For the payment infrastructure that makes the collection side work, see how TIPS transforms service charge collection. For the record bundles the audit log feeds into, see what audit-ready records look like. And for the broader financial control environment, see the RERA-readiness checklist.
How to set the threshold in your by-laws
Add a clause to your by-laws at the next AGM:
“No single officer shall have authority to authorise or execute any payment exceeding TZS [amount] from the body corporate’s funds. Every such payment shall require the approval of at least two elected officers, each acting from a distinct authenticated session, with each approval recorded in the body corporate’s audit log with timestamp and identity verification. The threshold may be raised by special resolution for specific capital projects authorised by the body corporate in general meeting.”
Template, adapt, ratify, file with the Land Registry. That is the entire legal fix.
The objection committees raise
“It will slow us down.”
Yes. By about ninety seconds per payment. The treasurer’s phone vibrates, they unlock it, they tap approve, they tap the TOTP, they tap confirm. That is the entire workflow.
In exchange, you get a control that has, in every body corporate that has ever lost money to its own treasurer, been the single missing piece. And you get a record that will be the difference between walking out of the next AGM with the committee re-elected, or walking out with a formal accusation hanging over the room.
Hundi mbili — dual signatures — is not bureaucracy. It is the cheapest insurance you will ever buy.
This week action
Open your body corporate’s bank statement or mobile money statement. For every outgoing payment above TZS 100,000 in the last 90 days, ask: can I produce a record showing two distinct officers approved it? If the answer is no for any of them, you have a governance gap that needs to close before the next payment cycle — not before the next audit.
Updated June 2026 for RERA draft status.
Want help applying this in your building?