Typhoons are great engines of destruction. When a typhoon makes landfall it often produces a devastating storm surge that destroys everything in its path without mercy. The best defence against a typhoon is an accurate forecast that gives people time and means to get out of its way. It is therefore prudent to watch, watch again, and then watch out if you happen to be in a typhoon-prone area.
Since its inception, the digital financial services (DFS) industry has been subject to a wide range of frauds, across different markets and players of the ecosystems. The diverse nature and scale of these fraud cases has been evolving across markets. As a result, most digital financial services operators are now deploying in-house, dedicated fraud teams. Supply-side research by The Helix Institute of Digital Finance in Bangladesh and Kenya identified fraud as the biggest concern amongst agents, in 2013 and 2014. Our recent surveys in both Tanzania and Uganda highlighted how prevalent it has now become—42% of agents and a little more than half of agents, respectively, indicate that either they personally, or one of their employees, have experienced fraud in the last year. In other markets, such as Zambia and India, it has been cited as one of the top challenges to an agent’s business in 2014. In response, The Helix Institute collaborated with leading specialists to build a Risk and Fraud Management in DFS course. The course highlights key risks as well as mitigation/management strategies.
Source: Compiled from Agent Network Accelerator (ANA) Surveys. ANA surveys were conducted in 2013 in Uganda, Kenya, and Tanzania; in 2014 in Bangladesh, Kenya, Pakistan, and India; and in 2015 in Zambia, Tanzania and Uganda. Country comparison graphs contain most recent data available.
Emerging trends involve both internal employee fraud and fraud by external parties. DFS provider employees can use their position to gain access to confidential customer information, especially in cases where there are no tight checks, and then use this to target customers, gain account access, or otherwise obtain client funds. In one mobile network operator (MNO), employees colluded and stole about US$ 3.4 million through accessing the company’s suspense account which temporarily holds unclassified or disputed transactions. The staff members were then able to generate e-value and redirected the funds for withdrawal through some colluding agents. This was due to lack of appropriate reconciliation procedures and mismanagement of the user access rights for the mobile money system, where staff members were using multiple active system user log-in credentials. In Rwanda, an MNO found one of its staff members orchestrating fraud by redirecting funds amounting to US$ 673,943 for withdrawal through conniving agents over a 12-month period. In South Africa, the collusion between a few employees of a major MNO and a bank resulted in a major SIM swap fraud. This resulted in the loss of thousands of Rand.
Third parties, such as employees of institutions providing outsourced services or unaffiliated fraudsters, generally contact agents or customers indirectly through social engineering (typically spoofing/phishing) scams to fraudulently obtain account information and rob them. Others have been able to hack into accounts or wallets, to ultimately obtain funds illegally. Recently, in India, 5 engineering students robbed a private sector bank of tens of millions of Rupees using fake mobile wallet transactions over a period of four months, since December 2015. The students managed to hack into the bank’s newly-introduced wallet so that if a customer tried to send funds to another wallet holder, and the recipient was offline, the initiator of the transaction did not end up losing any funds. Instead, funds were pulled from the bank and directed to the fraudster’s wallet. This fraud case was uncovered when about US$ 1.2 million had been siphoned off. In Kenya, fraudsters who are typically prison inmates, with illegal access to mobile phones through syndicates, continue to perpetrate fraud through social engineering. The latest methods used are through calling or sending text messages to random numbers, either in pretence of being relatives requesting for funds or as representatives of different companies: for example, banks or supermarkets, communicating about winners of special promotions. In the latter cases, they request that the subscriber sends funds to a specific mobile wallet to ‘activate’ their winnings, in order to receive their large cash prizes.
The latest random messages being pushed around Kenya target anyone who is about to send funds. These text messages are as “Please nitumie ile pesa kwa hii number, simu yangu imezima”, which translates to “My phone has gone off, so kindly send those funds to this number instead”. Since sending money is a common activity, when some people receive this text message, they are duped into believing it has been sent by the intended recipient. They are misled into thinking that the intended recipient is having trouble accessing their normal wallet/phone, and so are providing an alternative number so that funds can be transferred. The sender then send funds to the new number. Many innocent customers have lost money by responding to these calls or text messages, with those living in the rural areas most commonly hit.
These are just a few examples of a multitude of alarmingly creative approaches to defrauding agents and end-users. Among customers, there are also perceptions of fraud vulnerability as identified by Consumer Protection and Emerging Risks in Digital Financial Services report by CGAP, MicroSave and BFA, which also reaffirms the prevalence of these occurrences. The general trend is that frauds that circumvent back-office systems result in large-scale losses to the providers, while smaller frauds from third parties often target lower amounts from agents or customers.
But how should providers heed evolving fraud?
Typhoon-prone countries have increasingly sophisticated early-warning systems. Similarly, DFS providers need sophisticated risk/fraud management systems. Providers need to understand fraud and track its evolution over time in order to manage it effectively. This understanding is derived from robust monitoring of the ecosystem and fundamental monitoring questions are asked on an on-going basis: What new fraudulent activities are happening? Is there a trend? Are all controls adequately designed and executed? Are employees aware and do they understand their roles and responsibilities?
Fraud Management Systems
DFS providers need sophisticated risk/fraud management systems (FMS). The FMS help service providers to understand the nature of frauds. A lot of data is generated from different systems in any DFS provider. FMSs enable fraud managers to use this data and design rules and algorithms to track the pattern of frauds. They enable them to set fraud rules which help in identifying collusion checks, velocity checks, threshold checks, black-list checks, new subscriber checks, profile checks, SIM swap checks, etc. These systems help providers to understand fraud and track its evolution over time ― thereby helping to manage them effectively and reducing revenue losses. Velocity and pattern detection tools, which are real-time, dynamic, efficient, and effective in finding patterns that point to fraud, add powerful capabilities for next generation fraud management.
Reliable and relevant data and dashboards
Data is critical for monitoring and managing DFS fraud. Reliable data is generated through working with technology providers to build robust systems or tools that determine and track normal and abnormal behaviour. Providers need to ensure robust prevention measures on the first line of defence – registration or account opening processes. Combining this with data-driven alerts can provide real-time, multi-channel defences to address a wide spectrum of fraud threats. At the same time, more traditional “maker-checker” approaches to ensure segregation of duties, together with back-office monitoring and reconciliation teams, are key to maintaining the integrity of digital finance systems.
Providers need to ensure robust internal controls. They can be of two types: preventive controls and detective controls. Some examples of preventive controls can be measures like limiting number of transactions per day (value or volume), authentication of transactions, having passwords at different levels, providing limited access to employees, etc. These are generally low-cost solutions to the providers. Detective controls, on the other hand, are post facto. Typical detective controls are: understanding the patterns of transaction activity, reviewing high-value /high-volume transactions, monitoring log-in activity of employees, etc. These tend to be expensive, since DFS providers need to build systems for this. When any fraud happens, preventive measures offer the first line of defence.
Clear reporting and communicating channels between stakeholders, including customers
Different providers have different organisational structures, which determine the number of stakeholders involved. Internally, managers, back-office support, customer service, and finance and revenue assurance teams must all be aware of fraud risk and encouraged to communicate any anomalies or suspicious activity to relevant internal parties. External communication to agents and customers is equally important for effective preventive control. Awareness creation among customers on how to avoid the risk of fraud is a critical preventive measure to reduce customer spoofing/phishing scams. Lastly, in the event of the detection of suspicious activity, clear internal procedures defining both how to escalate awareness and ensure immediate action, need to be in place. Whistle-blowing within institutions should also be encouraged.
DFS ecosystems continue to evolve; however, with this the scope for fraud is also growing. For DFS to realise its full potential, all stakeholders inclusive of regulators, donors, providers and their partners, as well as customers, have a role to play in combating fraud – and minimising the risks of DFS being swept away by burgeoning typhoons of fraud. The first Helix Risk and Fraud Management in DFS, is ongoing – click here to check it out!