Get the insight of the Boulder Digital Transformation of MFIs Programme thanks to Violette Cubier – Week 8: Risk, Fraud and Customer Protection

This week’s module on “Risk, Fraud and Consumer Protection in digital financial services” was presented by Paul Makin (25 years of experience in digital financial services, and a primary player in the development of M-PESA in 2004) and Jean Louis Perrier (consultant with ACRC). The module was very dense (more than 7 hours of self-paced content and a two-hour live session) and tackled various topics: fraud risks, money laundering risks, cybersecurity risks, data protection and customer protection, and the specific risks associated with agent networks.

Paul Makin introduced the module with some words on Customer Protection. Regulators are increasingly asking financial service providers to limit losses for customers, to reimburse clients when something goes wrong, to offer fair terms and conditions, and to have a clear customer complaints process in place. Clients also have a legitimate expectation of privacy for their personal data and transactions. The EU’s General Data Protection Regulation (GDPR) is shaping the global agenda on customer data and privacy, and initiatives born in the EU are spreading to other regions (including developing markets), whether for KYC, AML, switches… GDPR gives individuals many rights, among others the right to be informed when personal data is collected, the right to have inaccurate data rectified, and the right to erasure (the right to be “forgotten”). Infringements can lead to fines of up to EUR 20 million or 4% of the firm’s global annual turnover, whichever is higher. It is therefore increasingly important for financial service providers, including in developing markets, to ensure client protection and in particular the protection of clients’ data.

A large part of the module was then dedicated to the risks of working with agents. Agents are key because they are the primary interface between financial service providers and customers: they carry the brand and its visibility, explain services to customers, and deal with customer complaints. Working with agents also brings many potential risks: lack of suspicious activity reporting (AML), fraud (requests for PIN changes, requests for cash-in/cash-out reversals), agents not keeping within their liquidity boundaries, and agents changing the location of their points of sale. As Paul Makin put it, “the use of agents can trigger operational, technological, legal, reputational and fraud risk”. Fraud by agents is common, for instance splitting one deposit or withdrawal into multiple transactions to maximise per-transaction commissions, fake registrations (registering non-existent users to collect registration commissions), and AML/KYC failures (accepting cash-in/cash-out with no KYC). Some key measures help decrease these risks: a strict KYA (Know Your Agent) process for onboarding agents, to ensure that they are trustworthy, professional and liquid; using GPS to locate agents and check that they do not move their points of sale; continuous and regular training of agents on the services; basic KYC performed by the agents; and in-depth KYC and screening performed by the financial service provider itself.
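Two of the agent-fraud patterns above (splitting a deposit into several transactions to earn several commissions, and transacting away from the registered point of sale) can be caught by simple rules over the transaction log. The following is an added example written for this summary, not code from the programme or from any provider; the log lines, the registered coordinates and the thresholds (`SPLIT_WINDOW`, `SPLIT_MIN_COUNT`, `MAX_DRIFT_KM`) are constructed assumptions that a real deployment would tune to its own commission rules and agent footprint.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields:
# timestamp, agent_id, customer_id, kind, amount, latitude, longitude
SAMPLE_LOG = """\
2024-03-01T09:00:00,A17,C001,cash_in,1000,-1.2921,36.8219
2024-03-01T09:03:00,A17,C001,cash_in,1000,-1.2921,36.8219
2024-03-01T09:06:00,A17,C001,cash_in,1000,-1.2921,36.8219
2024-03-01T09:30:00,A17,C002,cash_out,5000,-1.2921,36.8219
2024-03-01T10:15:00,A42,C003,cash_in,2000,-1.2921,36.8219
2024-03-01T11:00:00,A42,C004,registration,0,-4.0435,39.6682
2024-03-01T11:05:00,A42,C005,registration,0,-4.0435,39.6682
"""

# Hypothetical point-of-sale coordinates captured at KYA onboarding.
REGISTERED_POS = {
    "A17": (-1.2921, 36.8219),
    "A42": (-1.2921, 36.8219),
}

# Assumed thresholds; a real deployment tunes these to its commission rules.
SPLIT_WINDOW = timedelta(minutes=10)   # same-type transactions for one customer...
SPLIT_MIN_COUNT = 3                    # ...this many inside the window is suspicious
MAX_DRIFT_KM = 5.0                     # distance from registered POS before flagging


def parse_log(text):
    """Parse the CSV-style log into dicts with typed fields."""
    rows = []
    for line in text.strip().splitlines():
        ts, agent, customer, kind, amount, lat, lon = line.split(",")
        rows.append({
            "ts": datetime.fromisoformat(ts),
            "agent": agent,
            "customer": customer,
            "kind": kind,
            "amount": float(amount),
            "lat": float(lat),
            "lon": float(lon),
        })
    return rows


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def find_split_transactions(rows):
    """Return (agent, customer, kind) triples where the agent performed at
    least SPLIT_MIN_COUNT same-type transactions for one customer inside
    SPLIT_WINDOW: one deposit split to earn several per-transaction commissions."""
    groups = defaultdict(list)
    for r in rows:
        if r["kind"] in ("cash_in", "cash_out"):
            groups[(r["agent"], r["customer"], r["kind"])].append(r["ts"])
    alerts = []
    for key, times in groups.items():
        times.sort()
        for i in range(len(times) - SPLIT_MIN_COUNT + 1):
            if times[i + SPLIT_MIN_COUNT - 1] - times[i] <= SPLIT_WINDOW:
                alerts.append(key)
                break
    return alerts


def find_location_drift(rows):
    """Return (agent, max_distance_km) for agents transacting further than
    MAX_DRIFT_KM from the point of sale registered at onboarding."""
    worst = {}
    for r in rows:
        home = REGISTERED_POS.get(r["agent"])
        if home is None:
            continue
        d = haversine_km(home, (r["lat"], r["lon"]))
        if d > MAX_DRIFT_KM:
            worst[r["agent"]] = max(d, worst.get(r["agent"], 0.0))
    return sorted((agent, round(d, 1)) for agent, d in worst.items())


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("split transactions:", find_split_transactions(rows))
    print("location drift:", find_location_drift(rows))
```

On the sample data, agent A17 is flagged for three cash-ins for the same customer within six minutes, and A42 is flagged because its registrations are recorded several hundred kilometres from its registered point of sale. Both alerts are leads for a human review, not proof of fraud: a customer may genuinely deposit three times, and GPS from a handset can be wrong, so the thresholds should be set from the provider's own transaction history rather than copied from here.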

The module then tackled cybersecurity and mobile network security. As Paul Makin explained, there are many possible ways to mount a successful attack on a mobile network. Eavesdropping by outsiders is common: the radio link between a phone and a cell tower can be intercepted, a fake mobile network (a rogue base station) can be set up to lure phones onto it, and criminals inside the mobile network operator’s own team can read traffic from within. Financial service providers should therefore never rely on the security of the mobile network or of the handset. They should instead provide their own end-to-end security, with key measures such as asking customers to restrict access to their phones (PIN or biometric lock), making sure customers install updates (which usually include security fixes) as soon as their manufacturer releases them, using a dedicated, secured app rather than the device’s browser, and securing access to the app itself (PIN or biometric, plus encryption of the data it sends and stores).

There are also many risks associated with the use of USSD. USSD is the norm for a majority of mobile payment services in emerging markets because it works on every mobile phone. It is, however, rather insecure: it carries no application-level encryption, so the PIN and transaction details travel in clear text across the operator’s network and can be read by anyone with access to that path (including the fake-network and insider cases above). It is also difficult for clients to use (short codes, time limits on sessions) and does not offer a good customer experience. A very common fraud against USSD-based services is the “SIM swap”: the victim’s number is moved to a SIM controlled by the criminal, who then operates the account from their own phone and transfers the victim’s money to themselves and their associates. Some measures to limit this fraud include restricting which agents are allowed to perform SIM swaps and refusing multiple swaps on the same number within a short period. A practical caveat is that the financial service provider can only apply such rules if it actually learns of swaps from the mobile network operator, so a feed of swap events is a prerequisite.
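The two SIM-swap controls just mentioned (restricting who may perform swaps, and refusing repeated swaps in a short window) are shown below as a small policy class. This is an added example written for this summary, not the programme’s material or any operator’s code. The interval, monthly cap, hold window and transfer limit are assumed values, and the post-swap hold on large transfers is a widely used additional control that the module summary does not itself describe; the phone number, agent identifiers and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; real limits come from the provider's risk appetite.
MIN_SWAP_INTERVAL = timedelta(hours=24)   # no second swap on one number within a day
MAX_SWAPS_PER_30_DAYS = 2                 # more than this in a month needs manual review
POST_SWAP_HOLD = timedelta(hours=24)      # high-value transfers held after a swap
POST_SWAP_TRANSFER_LIMIT = 500.0          # amount above which the hold applies


class SimSwapPolicy:
    """Rate-limits SIM swaps per subscriber, restricts who may perform them,
    and holds high-value transfers made shortly after a swap."""

    def __init__(self, swap_authorised_agents):
        self.authorised = set(swap_authorised_agents)
        self.swaps = defaultdict(list)   # msisdn -> swap timestamps, ascending

    def _recent_swaps(self, msisdn, now):
        return [t for t in self.swaps[msisdn] if now - t <= timedelta(days=30)]

    def request_swap(self, msisdn, agent_id, now):
        """Decide whether agent_id may swap the SIM for msisdn at time now.
        Returns (allowed, reason) and records the swap when allowed."""
        if agent_id not in self.authorised:
            return False, "agent not authorised to perform SIM swaps"
        recent = self._recent_swaps(msisdn, now)
        if recent and now - recent[-1] < MIN_SWAP_INTERVAL:
            return False, "swap requested too soon after the previous swap"
        if len(recent) >= MAX_SWAPS_PER_30_DAYS:
            return False, "too many swaps in the last 30 days; manual review required"
        self.swaps[msisdn].append(now)
        return True, "swap allowed"

    def check_transfer(self, msisdn, amount, now):
        """Hold large transfers during the post-swap window so the account
        holder can be re-verified out of band. Returns (allowed, reason)."""
        history = self.swaps[msisdn]
        if history and now - history[-1] < POST_SWAP_HOLD and amount > POST_SWAP_TRANSFER_LIMIT:
            return False, "recent SIM swap: transfer held for step-up verification"
        return True, "transfer allowed"


def run_scenario():
    """Walk one constructed account through a legitimate swap followed by a
    burst of attempts typical of an account takeover; returns the decisions."""
    policy = SimSwapPolicy(swap_authorised_agents={"A17"})
    msisdn = "+254700000001"           # constructed number
    t0 = datetime(2024, 3, 1, 9, 0)
    return [
        policy.request_swap(msisdn, "A99", t0),                          # unauthorised agent
        policy.request_swap(msisdn, "A17", t0),                          # first swap, allowed
        policy.request_swap(msisdn, "A17", t0 + timedelta(hours=1)),     # too soon
        policy.check_transfer(msisdn, 10_000, t0 + timedelta(hours=2)),  # large, held
        policy.check_transfer(msisdn, 100, t0 + timedelta(hours=2)),     # small, allowed
        policy.request_swap(msisdn, "A17", t0 + timedelta(days=2)),      # second swap, allowed
        policy.request_swap(msisdn, "A17", t0 + timedelta(days=4)),      # third in 30 days, refused
        policy.check_transfer(msisdn, 10_000, t0 + timedelta(days=5)),   # hold expired
    ]


if __name__ == "__main__":
    for allowed, reason in run_scenario():
        print("ALLOW" if allowed else "BLOCK", reason)
```

The refusals are deliberately conservative: a blocked swap sends the customer to a channel where identity can be checked properly, which is a cost for genuine customers who lose a phone twice in a month but is far cheaper than an emptied wallet.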

Jean Louis Perrier then underlined that cyber-attacks on African banks are also increasing, at an estimated cost of more than USD 1 billion per year for Africa. Smaller financial service providers face this risk too, because criminals know that their systems are less robust and easier to break into. For smaller institutions (Tier 2/3 MFIs), however, the remedies do not need to be extremely complex: simple measures can substantially decrease cybersecurity risk, for example running a simple cybersecurity self-assessment, raising awareness among the board and employees, implementing basic cyber hygiene rules, distributing an information kit to customers, and training staff on cybersecurity.

As Paul Makin underlined, fraud by agents and external hackers gets most of the media coverage, while in reality the most successful attacks (in terms of amount defrauded) are insider jobs. Financial service providers should therefore target a large part of their security effort at insider threats. Key measures include running background checks on staff, requiring two-factor authentication for staff log-in, ensuring that someone whose job does not involve money transfers cannot access that functionality at all (least privilege), putting control points in place (a second authorisation above a certain transaction value, by a different person from the one who initiated it), reconciling accounts regularly so that diverted funds show up, and controlling physical access to data centres.
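Three of these insider controls (two-factor authentication at log-in, least privilege for staff who do not move money, and a second authorisation above a value threshold by someone other than the initiator) fit together naturally in a single back-office service. The code below is an added illustration written for this summary, not the programme’s material or any provider’s system; the roles, permissions, staff names and the `APPROVAL_THRESHOLD` value are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed threshold above which a second, different staff member must authorise.
APPROVAL_THRESHOLD = 50_000.0

# Assumed role-to-permission map. Staff whose job does not involve moving
# money (support) simply hold no transfer permission at all.
ROLE_PERMISSIONS = {
    "teller": {"transfer.create"},
    "supervisor": {"transfer.create", "transfer.approve"},
    "support": {"customer.view"},
}


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool      # second factor completed at log-in


@dataclass
class Transfer:
    ref: str
    amount: float
    maker: str
    checker: Optional[str] = None
    status: str = "pending"


class TransferService:
    """Back-office transfer handling with 2FA, least privilege and a
    maker-checker control above APPROVAL_THRESHOLD."""

    def __init__(self):
        self.transfers = {}

    def _require(self, session, permission):
        if not session.mfa_verified:
            raise PermissionError(f"{session.user}: two-factor authentication required")
        if permission not in ROLE_PERMISSIONS.get(session.role, set()):
            raise PermissionError(f"{session.user} ({session.role}) lacks {permission}")

    def create(self, session, ref, amount):
        """Initiate a transfer. Small amounts execute directly; large ones
        wait for a checker. Returns the resulting status."""
        self._require(session, "transfer.create")
        transfer = Transfer(ref=ref, amount=amount, maker=session.user)
        if amount <= APPROVAL_THRESHOLD:
            transfer.status = "executed"
        self.transfers[ref] = transfer
        return transfer.status

    def approve(self, session, ref):
        """Second authorisation: the checker needs the approve permission
        and must not be the maker of the same transfer."""
        self._require(session, "transfer.approve")
        transfer = self.transfers[ref]
        if transfer.status != "pending":
            raise ValueError(f"{ref} is not awaiting approval")
        if transfer.maker == session.user:
            raise PermissionError(f"{session.user} cannot approve their own transfer {ref}")
        transfer.checker = session.user
        transfer.status = "executed"
        return transfer.status


def run_scenario():
    """Exercise the controls with constructed staff sessions; returns a list
    of (description, outcome) pairs, where a refused action reads 'denied: ...'."""
    svc = TransferService()
    teller = Session("alice", "teller", mfa_verified=True)
    teller_no_mfa = Session("alice", "teller", mfa_verified=False)
    support = Session("bob", "support", mfa_verified=True)
    sup1 = Session("carol", "supervisor", mfa_verified=True)
    sup2 = Session("dave", "supervisor", mfa_verified=True)

    def attempt(label, action):
        try:
            return label, action()
        except (PermissionError, ValueError) as exc:
            return label, f"denied: {exc}"

    return [
        attempt("support creates", lambda: svc.create(support, "T1", 100)),
        attempt("teller without 2FA", lambda: svc.create(teller_no_mfa, "T2", 100)),
        attempt("teller small", lambda: svc.create(teller, "T3", 10_000)),
        attempt("teller large", lambda: svc.create(teller, "T4", 200_000)),
        attempt("supervisor self-approve",
                lambda: (svc.create(sup1, "T5", 200_000), svc.approve(sup1, "T5"))[1]),
        attempt("other supervisor approves T5", lambda: svc.approve(sup2, "T5")),
        attempt("approve already executed T3", lambda: svc.approve(sup2, "T3")),
    ]


if __name__ == "__main__":
    for label, outcome in run_scenario():
        print(f"{label:32} -> {outcome}")
```

The self-approval check is the part most often missing in practice: giving supervisors both permissions is convenient, but without the maker-is-not-checker rule a single insider with a supervisor account can move any amount alone, which is exactly the scenario the second authorisation exists to prevent.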

(Author: Violette Cubier, InFiNe.lu grantee)