As per the Global Risk Report 2020 issued by the World Economic Forum, Data & Money Theft, Fraud Risk and Cybersecurity attacks occupy the 6th and 7th places among the world's Top 10 risks. On a scale of 1 to 5, Data Theft/Fraud and Cyber attacks map to close to 4 in terms of both likelihood and impact. This explains why the trio of Data Privacy, Fraud & Cyberattacks must be a locus of attention for business entities, regulatory bodies and the government. As per the report, 76% of multi-stakeholder survey respondents expect these risks to increase in the coming years.
An examination of fraud cases across several research reports yields the following typology of fraud cases:
- Card Not Present fraud
- Conflicts of interest
- Theft of cash on hand
- Theft of cash receipts
- Fraudulent payment tampering
- Physical asset inventory theft or misuse
- Identity theft/impersonation, KYC, money laundering and terrorist financing related
- Financial statement frauds: net worth and income overstatements and understatements, plus tax frauds
- Data theft, social engineering
- Insider unauthorised rogue trading
- Intellectual property theft
- Financial statement fraud
- Vendor related frauds
- Intellectual property related
Source : Global Risk Report(WEF) 2020, ACFE Report to the Nations 2020
A global survey conducted by the Association of Certified Fraud Examiners revealed that about 53% of frauds constituted asset misappropriation and 11% corruption. These percentages may differ in reality, as the survey was a sample of detected fraud events. A recent report, the PwC Global Economic Crime and Fraud Survey 2020, shows the following percentages of disruptive activities.
The global financial losses involving fraud events are a great worry for business entities, regulators and the government.
As per the ACFE Report to the Nations on Fraud Risk Schemes 2020, the financial losses incurred due to fraud events surveyed across 125 countries were a whopping 3.6 billion USD. Of the fraud events examined, 86% constituted asset misappropriation and the rest corruption and bribery. The report also examines the duration and velocity of fraud schemes: the average estimated time to detect a fraud scheme was 14 months, with a velocity of USD 8,300 per month. On average, the survey revealed that organizations lose around 5% of revenue to fraud schemes. Lastly, fraud schemes were executed through email, mobile and IoT devices, and online platforms.
In India too, as per RBI estimates in 2018, the total financial losses due to fraud risk events can be pegged at more than INR 76,000 crore, which is enough to meet a significant proportion of current bank capitalisation requirements.
As can be seen from these surveys, consumer fraud events through cybercrime occupy a significant place, especially in financial services. It is pertinent to note that an increasing number of external and internal frauds today ride on the digital platform, which has become the new normal replacing the physical world. It is therefore important that the multi-stakeholder ecosystem, which includes regulators and the government, makes continuous efforts to improve the defences against perpetrators of fraud. With the digital transformation of financial institutions, markets and agent transactions, fraud risk management thinking must form an integral part of the overall financial system architecture. While the above discussion gives us an insight into fraud risk exposures, let us now understand how the ecosystem comprising business entities, regulators and the government is responding to these threats. In doing so we will focus our discussion on the retail payment systems sector. We will examine the key drivers of fraud risk events in the retail payment sector and the challenges that the ecosystem faces in building a robust defence mechanism against fraud risk.
Fraud Risk in the Retail Payment Sector :
Payment aggregators, gateways, retail payment banking operations and retail settlement operations are exposed to the following fraud risk scenarios. The scenarios can by no means be considered exhaustive: the future being uncertain, there will always be innovations by perpetrators to defraud the system.
At the individual customer/consumer level :
- Identity fraud : compromise of personal identification data, where the predator steals the individual customer's Aadhaar, PAN or other KYC information stored on IoT gadgets or in another digital repository and impersonates the customer's identity to commit fraudulent transactions.
- Many a time, unaware customers are coaxed by fraudsters into sharing their bank account details and personal identity keys. The fraudsters pose as employees of financial institutions, the regulator or banks by spoofing their caller IDs.
- Social engineering : scam mails, SMS, WhatsApp and Facebook messages, and spoof calls in which customers are coerced to transfer money to an account maintained by the fraudster, who pretends to be a genuine party seeking help or impersonates an agency issuing a contest or lottery reward, a tax authority, a regulator, an investment firm or the government. Scam mails impersonating the government to collect funds for the recent COVID pandemic and other disaster relief measures have been commonly observed over the last few years.
- Digital identity and access codes or passwords are hacked by remote fraudsters when customers use public Wi-Fi to conduct mobile banking transactions, or through any other IoT gadgets. The usual suspects are airports, railway stations and other public places such as coffee shops, clubs etc.
- Compromise of a credit/debit card, where the predator hacks or steals card information and games the tokens, resulting in fraudulent Card Not Present transactions. Even Card Present transactions are hacked and exposed to fraud.
- In the case of mobile apps, there are many fake apps that consumers may download from sources or platforms that are not authentic. When a digital payment instrument such as UPI, an e-wallet or Internet banking is used through such apps, the customer's data is totally compromised. Fraudsters launch fake apps that cannot easily be identified or differentiated from the genuine ones.
Merchant level scenarios :
- Many a time, we see that fraudsters create merchant websites mirroring genuine merchant portals. Customers make retail transactions on these "ghost" merchant websites due to lack of awareness. At times these ghost merchants are so genuinely crafted that even payment entities may fail to alert themselves in their processes. Though URL checks are carried out by merchant onboarding teams, we need better technology-based strategies to authenticate merchant websites.
- Such fraudulent websites capture the customer's payment instrument data, leaving the customer totally exposed to financial fraud. Such events also result in protested payment settlement transactions.
- Small and medium business units do not have large budgets for stepping up their defences to protect customer and entity-level data. It is therefore necessary to create fraud risk awareness among this stratum of businesses.
- At times consumers also game e-commerce portals and commit fraud through misrepresentation of orders, changing prices, discounts etc., resulting in merchants disputing transactions or succumbing to the fraudster if their process controls are not well in place.
- If merchant websites that store customers' card data are not secure enough, there is open exposure to cyber attacks that steal data from merchant portals and use it for fraudulent transactions.
Money Laundering cases :
- In addition to the above, there are cases where a money launderer transfers funds through stolen digital identities and account numbers to complicit merchants without any goods or services being delivered. These are suspicious transactions for the purpose of money laundering or terrorist financing, and they can be identified only with technology support.
At a regional level, it is observed that in the US credit card frauds dominate the statistics, as customers predominantly use card transactions to make payments. In contrast, in the Asia Pacific and South Asian regions, with accelerated digitization and innovations such as e-wallets, mobile banking, link pay, UPI etc., fraud schemes on transactions driven by IoT devices dominate the event statistics.
While the above gives us a good sense of fraud scenarios, it is important to understand the key drivers of fraud risk events.
As we look at the drivers of fraud risk, it is very clear that fraudsters have found digital platforms vulnerable, lagging in catching up, and opaque due to their multiplicity, lack of integration and the resulting network complexity. Hence committing fraudulent transactions through cyber attacks, social engineering, scams through online platforms, IoT devices or repositories etc. seems to come easily to them.
Added to this are cyber attack scenarios such as malware, ransomware, denial of service and others that disable system-level controls or defences on online platforms. These types of attacks weaken the IT system controls of online platforms and open the gates for fraudulent transactions. So cyber risk management should not be attended to in a silo but integrated with fraud risk management surveillance. This is critical, as the purpose of cyber attacks in most cases is to weaken online defences to enable data theft, embezzlement of digital money, espionage and bringing institutions into disrepute.
Governments and regulators globally are taking measures to encourage a collaborative ecosystem between financial institutions and FinTechs to innovate better technology software products for automated control mechanisms that monitor and reduce fraud risk perpetrated on digital platforms. At the same time, stakeholders such as business entities, banks, financial institutions and payment participants are engaging intensively to enhance their risk management systems to abate fraud risk.
Some of the notable moves visible both globally and in India are highlighted below :
- In Asian markets, regulators such as MAS (Monetary Authority of Singapore), HKMA and Bank Negara Malaysia issued technology risk guidelines in 2019 calling for a shift from a rule-based approach to a behaviourist approach (behavioural analytics) in identifying cyber attacks. They have clearly encouraged a collaborative framework between financial institutions and FinTech entities to innovate solutions to defend against cyber attacks. The regulators have clearly emphasised higher investments in fraud risk analytics applications to study patterns and alert on instances of social engineering and man-in-the-middle attacks that are used to perpetrate fraudulent transactions.
- A move towards a single integrated personal identity platform that can enable stronger authentication measures and enhanced defences against cyber attacks and data theft scenarios.
- Significant investment is being made by stakeholder institutions to use emerging technologies such as artificial intelligence and machine learning platforms to study patterns of financial transactions and of customer interaction with IoT gadgets and bank Internet portals, in order to identify suspicious entries. The technology is being used significantly in monitoring cyber risk vulnerabilities, given the digitization of data and the scale of computing.
- Increased customer awareness campaigns by stakeholder institutions.
- New approaches to authentication such as biometrics, multifactor authentication and risk scoring of transactions, and also more stringent protocols for linking customers to bank data in Open API programmes.
- In India, the RBI has announced a move to create a Central Fraud Registry for monitoring digital payment fraud risk in real time. Banks, payment institutions and participants in retail payment settlements will be given access to this registry.
- The RBI is sensitizing banks and payment intermediaries to the importance of creating consumer awareness through multilingual campaigns.
- In addition, recent moves to invite applications for a self-regulated industry body for retail payment operators will benefit the industry in terms of standardizing risk management measures at the systemic level for retail payment systems.
Building blocks of Fraud Risk Management at the Entity level :
- The company board must pay serious attention to fraud risk management and constitute a specific committee that embeds people, process and technology, in coordination with the business and IT functions, to monitor fraud risk on an ongoing basis.
- Payment entities need to have a Fraud Risk Management and Assessment Policy that serves as a guide to coverage, approaches and techniques, governance and the assurance mechanism.
- Employee awareness of and sensitization to fraud risk is of the utmost importance. Global reports mention that about 40% of fraud alerts were tipped off by employees of the organization. Therefore implementing a structured programme to educate and equip employees with fraud risk management skills is important.
- Fraud risk management actions should be driven by the business processes (the 1st line), with control effectiveness continuously assessed by 2nd line Risk Management for better assurance. Risk management units must undertake thematic studies of fraud risk exposures across products, processes, customer segments, payment platforms, payment instruments and merchant sectors. This will enable a better understanding of the basic drivers of fraud risk and of potential threats to the system.
- At the business entity level, with special focus on the payment aggregator business model, it is important that the fraud risk management framework is integrated with the compliance risk, cyber and information security risk, data privacy risk, and merchant risk underwriting and onboarding programmes. Together they integrate seamlessly with the Enterprise Risk Management framework along with other risks.
- While individual silo or thematic risk assessments are carried out from the data, process and technology perspectives, it is important to integrate the risk scenario assessment, risk factor attribution and control gap assessment processes. Only then can loose ends and coordination failures in organizational control processes be avoided and overall fraud risk reduced.
- Payment entities must invest consciously in enterprise analytics, and especially in fraud risk analytics platforms that use artificial intelligence and machine learning techniques. There should be a structured programme for data mining, exploratory behavioural analysis for pattern recognition in transactions, and scoring to alert on suspicious entries. Payment entities must commit financial, people, systems and technology resources to fraud risk analytics processes.
- This pattern recognition approach will enable payment institutions to identify the attributes that signal suspected fraud, money laundering or compromise of personal identity.
- A major challenge for payment entities will be to obtain appropriate, full-spectrum data for leveraging fraud analytics. Therefore payment entities will need to collaborate with either the Central Fraud Registry or bank channel partners, through secure APIs, to exchange attribute data for better coordinated fraud surveillance. Such data sharing among multiple stakeholders, in addition to the Central Fraud Registry, is essential.
- Fraud risk at the systemic, industry and sector level calls for stronger coordination between the fraud risk management units of stakeholder entities through regular conferencing and exchange of case studies.
- In principle, payment entities must adopt a security-by-design approach to products, rather than only a go-to-market approach, when innovating new customer onboarding and service delivery platforms.
On an overall note, the fraud risk management process is an ongoing effort and is bound to be continuously challenged: with every new digital innovation that brings convenience, speed and economy, there will be as many new strategies that fraudsters adopt to game the system. Therefore we may not be able to completely eliminate fraud risk, but we can definitely reduce exposure over time through holistic approaches.
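As an added illustration of the behavioural scoring described in the fraud risk analytics bullets above, and of the merchant-concentration pattern noted under the money laundering scenario, the following Python scorer is not the author's or Ingenico's code. It builds a per-customer baseline from constructed historical records, scores each incoming transaction on three behavioural attributes (amount deviation from the customer's own baseline, a device not previously seen for that customer, and transaction velocity within a short window), and raises a further alert when several flagged payments converge on one merchant. The sample records, rule weights, thresholds and window sizes are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample history (not real data):
# (customer_id, ISO timestamp, amount in INR, device_id, merchant_id)
HISTORY = [
    ("C1", "2020-09-01T10:00:00", 1200, "dev-a", "M-grocer"),
    ("C1", "2020-09-03T12:30:00", 900,  "dev-a", "M-grocer"),
    ("C1", "2020-09-05T18:15:00", 1500, "dev-a", "M-pharmacy"),
    ("C1", "2020-09-07T09:45:00", 1100, "dev-a", "M-grocer"),
    ("C2", "2020-09-02T11:00:00", 5000, "dev-b", "M-electronics"),
    ("C2", "2020-09-06T11:00:00", 4500, "dev-b", "M-electronics"),
]

# Constructed incoming stream: one normal payment, one large payment from a
# first-seen device, and a burst of payments from a first-seen device on C2.
INCOMING = [
    ("C1", "2020-09-08T14:00:00", 1300,  "dev-a", "M-grocer"),
    ("C1", "2020-09-08T20:00:00", 45000, "dev-z", "M-giftcards"),
    ("C2", "2020-09-08T20:02:00", 4800,  "dev-q", "M-giftcards"),
    ("C2", "2020-09-08T20:03:00", 4700,  "dev-q", "M-giftcards"),
    ("C2", "2020-09-08T20:04:00", 4900,  "dev-q", "M-giftcards"),
]

ALERT_THRESHOLD = 60  # assumed score at which a transaction is held for review


def _parse(ts):
    return datetime.fromisoformat(ts)


def build_profiles(history):
    """Per-customer baseline: past amounts, trusted devices, and timestamps."""
    profiles = defaultdict(lambda: {"amounts": [], "devices": set(), "times": []})
    for cust, ts, amt, dev, _merchant in history:
        p = profiles[cust]
        p["amounts"].append(amt)
        p["devices"].add(dev)
        p["times"].append(_parse(ts))
    return profiles


def score_transaction(txn, profiles, window=timedelta(minutes=10), velocity_limit=3):
    """Return (score 0-100, reasons) for one transaction against the customer's baseline."""
    cust, ts, amt, dev, _merchant = txn
    t = _parse(ts)
    p = profiles.get(cust)  # .get() does not create a profile for unknown customers
    if p is None:
        return 50, ["no transaction history for customer"]
    score, reasons = 0, []
    # Amount deviation: how many standard deviations above this customer's own mean
    mu, sigma = mean(p["amounts"]), pstdev(p["amounts"]) or 1.0
    z = (amt - mu) / sigma
    if z > 3:
        score += 40
        reasons.append(f"amount {z:.1f} sd above customer baseline")
    # Device never seen for this customer in trusted history
    if dev not in p["devices"]:
        score += 30
        reasons.append("first-seen device for this customer")
    # Velocity: this transaction plus earlier ones inside the window
    recent = [x for x in p["times"] if t - window <= x <= t]
    if len(recent) + 1 >= velocity_limit:
        score += 30
        reasons.append(f"{len(recent) + 1} transactions within {window}")
    return min(score, 100), reasons


def review_stream(history, incoming, threshold=ALERT_THRESHOLD):
    """Score transactions in arrival order and collect alerts.

    Design choice (assumed): a device is never promoted to the trusted set inside
    the stream; that happens out of band after the customer confirms it. Amounts
    of flagged transactions are not added to the baseline so they cannot poison it.
    """
    profiles = build_profiles(history)
    alerts = []
    flagged_customers_per_merchant = defaultdict(set)
    for txn in incoming:
        score, reasons = score_transaction(txn, profiles)
        cust, ts, amt, _dev, merchant = txn
        flagged = score >= threshold
        if flagged:
            flagged_customers_per_merchant[merchant].add(cust)
            n = len(flagged_customers_per_merchant[merchant])
            if n >= 2:
                # Several compromised identities paying one merchant: the pattern
                # described for laundering through a complicit merchant.
                reasons.append(f"merchant {merchant} receiving flagged payments from {n} customers")
            alerts.append((cust, merchant, score, reasons))
        p = profiles[cust]  # creates an empty profile for a first-time customer
        p["times"].append(_parse(ts))
        if not flagged:
            p["amounts"].append(amt)
    return alerts


if __name__ == "__main__":
    for cust, merchant, score, reasons in review_stream(HISTORY, INCOMING):
        print(f"{cust} -> {merchant}: score {score}; " + "; ".join(reasons))
```

Running the module prints two alerts: the large first-seen-device payment from C1 scores 70, and the third payment in C2's burst scores 60 (first-seen device plus velocity), at which point the merchant concentration reason is attached because both flagged customers paid the same merchant.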
By Krishnan Chari, Vice President Enterprise Risk - Ingenico ePayments India