Switching to the online route: Is all well?

Shutterstock

The recent announcement on demonetisation has led to a flurry of people running/queuing up outside bank branches and ATMs, to either deposit their old currency notes or withdrawing any denominations they can get their hands on. What it has also inadvertently led to is a rise in individuals and businesses adopting digital technology for transactions. Case in point: E-wallet providers having reported an overwhelming increase (in the region of 200-500 percent) in overall traffic, recharges, application downloads as well as a surge in average e-wallet balance, in just one day post the announcement by the government.

While the advancement of technology in providing innovative services, combined with the explosive growth in internet banking, has permanently altered the business landscape, banks need to be aware of how to manage the associated risks that come with this territory. Cyber crime as a trend cannot be ignored. One may argue that the actual losses are, at times, not significant enough to a bank’s financials, the potentially greater impact from cyber crime is on customer and investor confidence, reputational risk, and regulatory impact that together add up to substantial risks for financial services companies. These issues ultimately have the potential to impact the reliability of a bank and in extreme cases, may lead to a systemic crisis.

Business and technology innovations that the banking sector is adopting in their quest for growth are in turn presenting heightened levels of cyber risks. These innovations have likely introduced new vulnerabilities and complexities into the overall ecosystem. For example, the continued adoption of web, mobile, cloud, and social media technologies has increased opportunities for attackers. With organisations increasingly depending on technology, it is perhaps not surprising to find that cyber crime continues to increase in volume, frequency and sophistication; as has also been substantiated in Deloitte’s India Banking Fraud Survey, Edition II. This includes ATM skimming, phishing/vishing and misuse of credit and debit cards.

Figure 1. New fraud trends that banks believe will be areas of concern in the next two years | Source: Deloitte’s India Banking Fraud Survey, Edition II

Given the thrust towards cashless banking, while electronic wallets are gaining in popularity and usage, what is important to understand, are the inherent fraud risks and challenges (owing to the varied transaction models that exist as well as the technology used) that a user/ financial institution may be affected by. The below table highlights the key globally observed fraud risks that are likely to impact India in the future as the domestic market grows: o    Phishing: Fraudsters dupe customers through phone calls/ SMS/emails to share sensitive information such as PINs/ passwords that may result in embezzlement of virtual money from the wallet. The customer may also transfer virtual money himself under false promises or schemes. This may also happen with agents/retailer who own trust accounts and perform cash-in/cash-out transactions.
o    Intrusion/Cyber attack: Fraudsters may hack into the mobile money platform and manipulate wallets to their benefit/gain.
o    Benefits through misconduct: Regular customers discover product or application flaws that can provide benefits to them in a specific scenario and they repeatedly simulate the same scenarios to exploit these limitations. Example, transaction failures for specific scenarios results in wallet/ account getting credited without corresponding debit from the other side; referral bonus on already registered customers; avail bonus on refill of wallet, without actually recharging/refilling; avail discount on same merchant transaction.
o    Access to wallet through unauthorised SIM swap: A fraudster may impersonate and furnish fake documents to effect a SIM swap. Since most of the wallets are linked to MSISDN, the fraudster gains access to wallet of the subscriber and can embezzle the funds. This could be a serious concern for OTT players as they do not have control on SIM swap since they do not own the network.
o    Fake KYC: Customers can furnish fake KYC documents to gain access to premium wallets that allows higher transaction value (transfer and cash out). This may help facilitate money laundering.
o    Commission frauds by agents (Introduce fake accounts/perform split transactions): Mobile money agents may try to earn more for themselves by breaking up legitimate customer transactions into smaller ones. By doing so, agents can earn more commissions as a result of higher transaction volumes. Agents may also introduce fake accounts to gain higher registration commissions.

Source: Deloitte study released in Aug 2015, ‘Mitigating emerging fraud risks in the mobile money industry’
As is evident from the above, most of the key root causes are a result of internal control failures around governance, IT and continuous monitoring, making regular fraud review and monitoring a mandate. With the mobile payments industry largely at a nascent stage in India, the ultimate surge in mobile platform adoption rates may be accompanied by a spate of fraud risks. Organisations therefore, while focusing on building a user base, also need to look into adopting fraud control measures. In our experience, each stakeholder in the mobile wallet value chain tends to look at risks in isolation, limiting the preventive measures to their immediate area of operations. Some of the key mitigation measures are listed below:

A more robust fraud mitigation approach would involve deriving synergies from respective stakeholders (banks, telecom companies, etc) and integrating them to build a robust, comprehensive fraud risk management framework. In our view, the success of such an integrated approach to fraud risk management in the mobile wallet industry rests on three pillars:
o    Strong foundation: Coordinated SDLC (System Development Lifecycle) governance - Organisations need to take cognisance of all possible fraud scenarios while developing the products or application. UAT needs to be comprehensive to cover all exceptions and fraud scenarios and tested not only by business users from all entities, but also independent control functions. The roles and responsibilities between organisations and departments need to be clearly defined, including accountability in case of any fraud incidence.
o    Leveraging data analytics to build a fraud indicator dashboard for robust monitoring: Building upon the learnings from risk analytics in the banking sector and fraud management systems in the telecom sector, mobile wallet companies can develop a fraud indicator dashboard to help in early detection of red flags. Such a dashboard can help provide real time fraud alarms on customer transactions and internal violations; enable customer profiling, provide analysis to strengthen product gaps, etc.

Effective consequence management: Organisations need to set the right tone at the top and exercise strong disciplinary action against identified suspects. It is also important to have a sound process to manage customer grievances due to fraud and transfer accountability to the party responsible for this.

Information for the editor for reference purposes onl

- By KV Karthik, Partner – Forensic, Financial Advisory, Deloitte India

The thoughts and opinions shared here are of the author.