Fraud Risk in a Digitized Fintech Ecosystem: Troubling Trends and Approaches to Mitigate Fraud Risk
09 / 12 / 2020
The rapid global digitization driven by advanced technology has brought both benefits and challenges like data theft, fraud, and cyber attacks. This blog explores emerging trends, regulatory responses, and the role of consumers in managing these risks. It also discusses building a robust fraud risk management framework for payment aggregating entities.
Abstract
Global digitization is taking place at a scorching pace across all sectors, driven by continuous innovation in advanced Internet, mobile technology and IoT devices. While clear benefits have already accrued from digitization, the new normal has brought new challenges too, especially Data Theft, Fraud and Cyber attack risk. In this blog we examine the emerging trends in these risks and how regulators are responding to the challenge of containing them at the systemic and entity level. We also examine the role of individual end consumers. Finally we discuss the building blocks for implementing a robust Fraud Risk Management framework at the entity level, with specific emphasis on Payment Aggregating entities.
Background
As per the Global Risk Report 2020 issued by the World Economic Forum, Data & Money Theft, Fraud Risk and Cybersecurity attacks occupy the 6th and 7th place among the world's Top 10 risks. In terms of likelihood and impact on a scale of 1 to 5, Data Theft/Fraud and Cyber attack each map to close to 4 for both likelihood and impact. This explains why the trio of Data Privacy, Fraud & Cyberattacks must be a locus of attention for Business entities, Regulatory bodies and the Government. As per the report, 76% of multi-stakeholder survey respondents expect these risks to increase in the coming years.
From an examination of fraud cases across several research reports, the typology of fraud cases is as follows:

| Internal Frauds | External Frauds |
|---|---|
| Bribery | Scams |
| Corruption | Card Not Present customer frauds |
| Conflicts of interest | Cyber/Online |
| Asset misappropriation | Identity theft/impersonation; KYC, money laundering & terrorist financing related |
| Financial statement frauds (net-worth and income overstatements & understatements) + tax frauds | Data theft, social engineering |
| Insider unauthorised rogue trading | Merchant frauds |
| Intellectual property theft | Financial statement fraud, vendor related frauds, intellectual property related |
Source : Global Risk Report(WEF) 2020, ACFE Report to the Nations 2020
A global survey conducted by the Association of Certified Fraud Examiners revealed that about 53% of frauds constituted Asset Misappropriation and 11% Corruption. These percentages may differ in reality, as it was a sample survey of detected fraud events. A recent report, the Global Economic Crime and Fraud Survey by PwC 2020, shows the following percentages of disruptive activities.
The global financial losses involving fraud events are a great worry for Business entities, regulators and the government.
As per the ACFE Report to the Nations on Fraud Risk Schemes 2020, the financial losses incurred due to fraud events surveyed across 125 countries were a whopping 3.6 billion USD. Of the fraud events examined, 86% constituted Asset Misappropriation and the rest Corruption and Bribery. The report also examines the duration and velocity of fraud schemes: the average estimated time to detect a fraud scheme was 14 months, with a velocity of USD 8300 per month. On average, the survey revealed that organizations lose around 5% of revenue to fraud schemes. Lastly, fraud schemes were executed through Email, Mobile IoT and Cyber Online platforms.
In India too as per RBI estimates in 2018, the total financial losses due to fraud risk events can be pegged at more than INR 76,000 crore which is enough to meet a significant proportion of current Bank capitalisation requirements.
As can be seen from these surveys, consumer fraud events through cybercrime occupy a significant place, especially in financial services. It is pertinent to note that an increasing number of external and internal frauds today ride on digital platforms, as these have become the new normal replacing the physical world. It is therefore important that the multi-stakeholder ecosystem, which includes regulators and government, makes continuous efforts to improve defences against perpetrators of fraud. With the digital transformation of financial institutions, markets and agent transactions, Fraud Risk Management thinking must form an integral part of the overall Financial System Architecture. The above discussion gives us an insight into fraud risk exposures; let us now understand how the ecosystem comprising business entities, regulators and the government is responding to these threats. In doing so we will focus our discussion on the retail payment systems sector, examining the key drivers of fraud risk events there and the challenges the ecosystem faces in building a robust defence against Fraud Risk.
Fraud Risk in the Retail Payment Sector :
Payment Aggregators, Gateways, Retail Payment Banking Operations and Retail Settlement Operations are exposed to the following scenarios of fraud risk. The scenarios can by no means be considered exhaustive: the future is uncertain, and perpetrators will always innovate new ways to defraud the system.
At the individual customer/Consumer level
- Identity fraud: compromise of Personal Identification Data, where the predator steals the individual customer's Aadhaar, PAN or other KYC information stored in IoT gadgets or other digital repositories and impersonates the customer to commit fraudulent transactions.
- Many times, unaware customers are coaxed by fraudsters into sharing their bank account details and personal identity keys. The fraudsters pose as employees of financial institutions, regulators or banks by spoofing their caller IDs.
- Social engineering: scam emails, SMS on WhatsApp, Facebook, spoof calls to customers where they are coerced to transfer money to an account maintained by the fraudster who pretends to be genuine seeking help or impersonating an agency issuing a contest, Lottery reward, tax authority, regulator, investment firm or the government. The case of scam mail impersonating the government to collect funds for the recent COVID pandemic and other disaster relief measures has been commonly observed over the last few years.
- Digital identity and access code passwords are hacked by remote fraudsters when customers use public Wi-Fis to conduct mobile banking transactions or through any other IoT gadgets. Usual suspects are Airports, Railway stations and other public places such as Coffee shops, clubs etc.
- Compromise of Credit/Debit Card when predator hacks or steals Card information, games the tokens resulting in fraudulent Card Not Present transactions. Even card-present transactions are hacked and exposed to fraud.
- In the case of Mobile Apps there are many fake apps that consumers may download from sources or platforms that are not authentic. When digital payment instruments such as UPI e-Wallet or Internet Banking transactions are performed through such apps, the customer data is compromised. Fraudsters launch such fake apps that can't be easily identified or differentiated.
Merchant level scenarios:
- Many times, we see that fraudsters create merchant websites mirroring genuine merchant portals. Customers make retail transactions on “Ghost” merchant websites due to a lack of awareness. At times these Ghost Merchants are so genuinely crafted that even Payment entities may miss out on alerting themselves in their processes. Though URL checks are carried out by Merchant onboarding teams, we need better technology-based strategies to authenticate the websites of Merchants.
- Such fraud websites capture customer payment instrument data resulting in the customer being exposed to financial fraud. Such events result also in protested payment settlement transactions.
- Small & Medium Business units do not have large budgets for stepping up their defences to protect customer and entity-level data. It is therefore necessary to create fraud risk awareness among this stratum of businesses.
- At times consumers also game the e-commerce portals and commit fraud through misrepresentation of orders, changing price, discounts etc resulting in Merchants disputing transactions or succumbing to the fraudster if their process controls are not well in place.
- If merchant websites which store card data of customers are not secure enough there is open exposure to cyber attacks that steal data from merchant portals and use the same for fraudulent transactions.
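The "ghost" merchant scenario above turns on whether an onboarding team can tell a mirrored URL from the genuine one. As an added example that is not part of the original post, the Python below sketches the kind of technology-assisted URL check the text calls for: it normalises a submitted host (folding digit-for-letter substitutions and Unicode confusables) and compares it against a registry of already-onboarded merchant domains, flagging a lookalike when the brand is embedded in the host or the edit distance is small. The registry entries, confusable table and distance threshold are constructed assumptions, not a real provider's list.

```python
"""Added example (not from the original post): flag merchant URLs that
imitate an already-onboarded merchant domain. Domains, the confusable
table and the distance threshold are constructed placeholders."""
from urllib.parse import urlparse
import unicodedata

# Assumption: the onboarding team keeps a registry of genuine merchant
# domains. These three names are constructed placeholders.
KNOWN_MERCHANT_DOMAINS = ["examplestore.com", "acme-payments.in", "bigmart.co.in"]

# Visually confusable substitutions commonly seen in lookalike hosts (subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_domain(url: str) -> str:
    """Host part of a URL, lower-cased, with port and a leading 'www.' removed."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def normalize(label: str) -> str:
    """Fold Unicode to ASCII, undo digit/letter substitutions and drop
    separators, so 'examp1e-st0re.com' compares equal to 'examplestore.com'."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded.replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(url: str, known=KNOWN_MERCHANT_DOMAINS, max_distance: int = 2):
    """Return the known domain this URL imitates, or None if it looks unrelated.
    An exact match of a known domain is the genuine merchant, not a lookalike."""
    host = registrable_domain(url)
    if host in known:
        return None
    host_n = normalize(host)
    best = None
    for k in known:
        # Brand name embedded in a longer host, e.g. bigmart-login.xyz
        brand = normalize(k.split(".")[0])
        if brand and brand in host_n:
            return k
        d = levenshtein(host_n, normalize(k))
        if d <= max_distance and (best is None or d < best[1]):
            best = (k, d)
    return best[0] if best else None


if __name__ == "__main__":
    for candidate in ["https://www.examp1e-st0re.com/pay", "http://bigmart-login.xyz",
                      "https://www.examplestore.com", "https://otherstore.net"]:
        print(candidate, "->", lookalike_of(candidate))
```

A check like this is a triage aid for the onboarding team, not a verdict: a genuine merchant whose brand legitimately contains digits will normalise oddly, so a flagged URL should go to manual review alongside the other onboarding controls rather than being rejected automatically.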
Money Laundering Cases:
- In addition to the above, there are cases where a money launderer would transfer funds through stolen digital identities and account numbers to potential merchants without any goods or services being delivered. These are suspicious transactions which are for money laundering or terrorist financing. These transactions can be identified only through technology support.
At a regional level, it is observed that in the US credit card frauds dominate the statistics, as customers predominantly use card transactions to make payments. In contrast, in the Asia Pacific and South Asian regions, with accelerated digitization and innovations such as e-wallets, mobile banking, link pay, UPI etc., fraud schemes on IoT-device-driven transactions dominate event statistics. While the above gives us a good sense of fraud scenarios, it is important to understand the key drivers of fraud risk events.
As we look at the drivers of fraud risk, it is very clear that fraudsters have found digital platforms vulnerable, slow to catch up and opaque because of their multiplicity, lack of integration and the resulting network complexity. Hence committing fraudulent transactions through cyber attacks, social engineering, scams through online platforms, IoT devices or repositories comes easily to them.
Added to this are cyber attack scenarios such as malware, ransomware, Denial of Service and others which disable system-level controls or defences on online platforms. These attacks weaken the IT system controls of online platforms and open the gates for fraudulent transactions. So cyber risk management should not be attended to in a silo but integrated with Fraud Risk Management surveillance. This is critical because the purpose of cyberattacks in most cases is to weaken online defences to enable data theft, embezzlement of digital money, espionage and bringing institutions into disrepute.
Governments and regulators globally are taking measures to encourage a collaborative ecosystem between financial institutions and FinTechs to innovate better technology products for automated control mechanisms that enable monitoring and reducing fraud risk perpetrated on digital platforms. At the same time, stakeholders such as business entities, banks, financial institutions and payment participants are engaging intensively to enhance their risk management systems to abate fraud risk.
Some of the notable moves visible both globally and in India are highlighted below:
- In Asian markets, regulators such as MAS (Monetary Authority of Singapore), HKMA and Bank Negara Malaysia issued guidelines in 2019 for technology risk calling for a shift from a rule-based approach to a behaviourist approach (behavioural analytics) in identifying cyber attacks. They have encouraged a collaborative framework between financial institutions and FinTech entities to innovate solutions to defend against cyber attacks. The regulators have clearly emphasised higher investment in Fraud Risk Analytics applications to enable the study of patterns and alerting on instances of social engineering and Man-in-the-Middle attacks that are used to perpetrate fraudulent transactions.
- Move towards a single integrated personal identity platform that can enable stronger authentication measures and enhanced defences against cyber attacks and data theft scenarios.
- Significant investment is being made by stakeholder institutions to use emerging technologies such as Artificial intelligence and Machine Learning platforms to study patterns of financial transactions, customer interaction with IoT gadgets and bank internet portals to enable identifying suspicious entries. The technology is being used significantly in monitoring cyber risk vulnerabilities given the digitization of data and scale of computing.
- Increased customer awareness campaigns by stakeholder institutions.
- New approaches to authentication such as Biometrics, Multifactor Authentication, risk scoring transactions and also enhancing stringent protocols for linking customers to Bank data in Open API programmes.
- In India, RBI has announced the move to create a Central Fraud Registry for monitoring real-time digital payment fraud risk. Banks, payment institutions and participants in retail payment settlements will be given access to this registry.
- RBI is sensitizing Banks and payment intermediaries to the importance of creating consumer awareness through multilingual campaigns.
- In addition recent moves to invite applications for a self-regulated industry body for Retail payment operators will benefit the industry in terms of standardizing risk management measures at the systemic level for retail payment systems.
Building blocks of Fraud Risk Management at the Entity level:
- The Company Board must pay serious attention to Fraud Risk Management and constitute a specific committee that will embed people, processes and technology, in coordination with Business and IT functions, to monitor fraud risk on an ongoing basis.
- Payment entities need to have a Fraud Risk Management and Assessment Policy that serves as a guide to coverage, approaches and techniques, Governance and assurance mechanisms.
- Employee awareness and sensitization to fraud risk is of utmost importance. Global reports mention that about 40% of the fraud alerts were tipped off by employees in organizations. Therefore implementing a structured programme to educate and equip employees with Fraud Risk management skills is important.
- Fraud Risk Management actions should be driven by the Business process's 1st line and control effectiveness continuously be assessed by the 2nd line Risk Management for better assurance. Risk management units must undertake thematic studies on Fraud Risk exposures across products, processes, customer segments, payment platforms, payment instruments and merchant sectors. This will enable a better understanding of basic drivers of fraud risk and potential threats to the system.
- At a business entity level with special focus on payment aggregator business model, it is important that Fraud Risk Management framework is integrated with Compliance Risk, Cyber & Information security risk, Data Privacy Risk & Merchant Risk Underwriting and onboarding programmes. Together they integrate seamlessly with the Enterprise Risk Management Framework along with other risks.
- While individual silo/thematic level risk assessments are carried out from a data, process and technology perspective, it is important to integrate the risk scenario assessment, risk factor attribution and control gap assessment processes. Only then can loose ends and coordination failures in organizational control processes be avoided and overall fraud risk reduced.
- Payment entities must invest consciously in Enterprise Analytics and especially Fraud Risk Analytic platforms which use Artificial Intelligence and Machine Learning techniques. There should be a structured programme for Data mining, exploratory behavioural analysis for pattern recognition in transactions and scoring to alert suspicious entries. Payment entities must commit financial, people, systems and technology resources to Fraud Risk Analytics processes.
- This pattern recognition approach will enable payment institutions to identify attributes that raise suspicion of fraud, money laundering or personal identity compromise.
- A major challenge for payment entities will be to get appropriate and full spectrum data for leveraging Fraud Analytics. Therefore Payment entities will need to collaborate with either central Fraud Registry or Bank channel partners through secure APIs to exchange attribute data for better coordinated fraud surveillance. Such data sharing among multiple stakeholders in addition to the Central Fraud Risk Registry is essential.
- Fraud Risk at systemic, industry and sector levels calls for stronger coordination between Fraud Risk management units of stakeholder entities through regular conferencing and exchange of case studies.
- In principle, payment entities must adopt a security-by-design approach to products, rather than a time-to-market-only approach, when innovating new customer onboarding and service delivery platforms.
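The building blocks above describe Fraud Risk Analytics in the abstract: a per-customer behavioural baseline, scoring of transactions, and alerts on suspicious entries, including the money-laundering pattern of payments to a merchant that delivers nothing. As an added example that is not part of the original post, the Python below implements a small behavioural risk scorer of that kind over constructed transaction data. The `Txn` record, the weights, the z-score and velocity thresholds, the 80% unfulfilled-delivery cut-off and all sample customers and merchants are assumptions made for illustration, not any regulator's or provider's rules.

```python
"""Added example, not code from the original post: a behavioural risk scorer
for retail payment transactions. It builds a per-customer baseline from past
transactions, scores each new transaction on a few attributes (amount
deviation, velocity, unseen device or country, merchant delivery pattern)
and alerts above a threshold. Weights, thresholds and sample data are
constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Txn:
    txn_id: str
    customer: str
    merchant: str
    amount: float
    ts: datetime
    device: str       # fingerprint of the phone / IoT gadget used
    country: str
    fulfilled: bool   # merchant confirmed delivery of goods or services


BASE = datetime(2020, 12, 9, 12, 0)  # "now" for the constructed data


def make_txn(i, cust, merch, amt, hours_ago, device="dev-A", country="IN", fulfilled=True):
    return Txn(f"t{i}", cust, merch, amt, BASE - timedelta(hours=hours_ago), device, country, fulfilled)


# Constructed history: customer c1 normally spends 600-1200 from one device in IN;
# merchant m-shell collects large payments from many customers and delivers nothing.
HISTORY = [
    make_txn(1, "c1", "m-grocer", 800, 300), make_txn(2, "c1", "m-grocer", 1200, 200),
    make_txn(3, "c1", "m-books", 600, 150), make_txn(4, "c1", "m-grocer", 950, 80),
    make_txn(5, "c1", "m-books", 1100, 30),
] + [make_txn(10 + i, f"c{i + 2}", "m-shell", 9000, 40 - i, device=f"dev-{i}", fulfilled=False)
     for i in range(8)]

# Assumed points per signal and the alert threshold on a 0-100 scale.
WEIGHTS = {"amount_zscore": 25, "velocity": 20, "new_device": 20,
           "new_country": 15, "shell_merchant": 30}
ALERT_THRESHOLD = 50


def customer_baseline(history, customer):
    """Mean and spread of past amounts plus the devices and countries seen before."""
    own = [t for t in history if t.customer == customer]
    amts = [t.amount for t in own]
    return {
        "mean": mean(amts) if amts else 0.0,
        "sd": pstdev(amts) if len(amts) > 1 else 0.0,
        "devices": {t.device for t in own},
        "countries": {t.country for t in own},
    }


def merchant_unfulfilled_ratio(history, merchant, min_txns=5):
    """Share of a merchant's payments with no delivery; 0 until there is enough data."""
    txns = [t for t in history if t.merchant == merchant]
    if len(txns) < min_txns:
        return 0.0
    return sum(1 for t in txns if not t.fulfilled) / len(txns)


def score(txn, history, window=timedelta(hours=1), max_in_window=3):
    """Score one transaction against history and return the signals that fired."""
    reasons = {}
    b = customer_baseline(history, txn.customer)
    # Amount far outside the customer's usual range (z-score above 3, or
    # three times the mean when there is no spread yet).
    if b["sd"] > 0 and (txn.amount - b["mean"]) / b["sd"] > 3:
        reasons["amount_zscore"] = WEIGHTS["amount_zscore"]
    elif b["sd"] == 0 and b["mean"] and txn.amount > 3 * b["mean"]:
        reasons["amount_zscore"] = WEIGHTS["amount_zscore"]
    # Velocity: this payment plus recent ones exceed the per-window limit.
    recent = [t for t in history
              if t.customer == txn.customer and txn.ts - window <= t.ts <= txn.ts]
    if len(recent) + 1 > max_in_window:
        reasons["velocity"] = WEIGHTS["velocity"]
    # Device or country never seen for this customer (possible account takeover).
    if b["devices"] and txn.device not in b["devices"]:
        reasons["new_device"] = WEIGHTS["new_device"]
    if b["countries"] and txn.country not in b["countries"]:
        reasons["new_country"] = WEIGHTS["new_country"]
    # Merchant that takes money but rarely delivers: the no-goods pattern the
    # post describes for laundering, visible only by aggregating across customers.
    if merchant_unfulfilled_ratio(history, txn.merchant) >= 0.8:
        reasons["shell_merchant"] = WEIGHTS["shell_merchant"]
    total = min(100, sum(reasons.values()))
    return {"txn_id": txn.txn_id, "score": total,
            "alert": total >= ALERT_THRESHOLD, "reasons": sorted(reasons)}


def run_sample():
    """Score two constructed transactions for c1: one routine, one suspicious."""
    routine = make_txn(100, "c1", "m-grocer", 1000, 0)
    suspicious = make_txn(101, "c1", "m-shell", 9000, 0, device="dev-Z", country="XX", fulfilled=False)
    return [score(routine, HISTORY), score(suspicious, HISTORY)]


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

Two design points matter more than the particular weights. The merchant signal cannot be computed from one customer's data at all, which is why the post's call for attribute sharing with a central fraud registry or bank channel partners is a prerequisite for this kind of analytics. And the output lists the reasons that fired rather than only a score, so the second-line risk function can review why an alert was raised and tune each signal separately.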
On an overall note, the Fraud Risk Management process is an ongoing effort and is bound to be continuously challenged: with every new digital innovation that brings convenience, speed and economy, there will be as many new strategies that fraudsters adopt to game the system. We may therefore not be able to eliminate fraud risk completely, but we can definitely reduce exposure over time through holistic approaches.