Financial institutions have to deal with fraud. It’s just the way it is. 

‍

Fraud in a financial institution is not a matter of if but a matter of when. 

‍

Some of the biggest fintechs and financial institutions globally and in Africa have experienced fraud. In 2022, Union 54, a card infrastructure provider, paused its services due to chargeback frauds totalling over $1.2 billion. The list goes on. Commercial banks are also affected.

‍

To minimise fraud, companies build processes to plug all possible technical and human loopholes that leave them vulnerable to fraud. 

‍

How do you do this?

‍

Gbubemi Ikomi Olaitan, the head of compliance operations at Sidebrief, Oyindolapo Olusesi, Lead, Legal Services at Kora and Olasehinde Omoriwo, a fintech product manager and consultant have some bright ideas here. 

‍

But first – 

‍

Types of fintech frauds

Fintechs and financial institutions are vulnerable to two main types of fraud – internal and external. While external frauds are more popular, companies can also be exploited by people within the organisation who act alone or in partnership with external parties.

‍

Internal Fraud

This is a type of fraud in which an employee or executive of a startup commits fraud in an organisation in which they work. In many cases, this person knows the inner workings of your product and exploits it. It could be an engineer, a product manager, operations staff etc. 

‍

There have been numerous cases of internal fraud across the Nigerian ecosystem. Between 2022 and 2023, there were close to 318 reported internal fraud cases in the banking ecosystem.

‍

When we hear about fintech fraud, sometimes we just think about what is happening externally. We sometimes focus on fraud from customers and other forms of external attacks. But I’ve seen situations where internally, stakeholders within an organisation used their leverage to manipulate the technology and steal money.  

‍Olasehinde Omoriwo - Fintech Product Consultant

‍

External Fraud

In this case, external bad actors commit fraud through various means. These could include Identity, intellectual property, customer information theft, false invoice spamming, spoofing, phishing, ransomware, and malware etc. In other cases, bad actors exploit a vulnerability in your flow.

For example, say customers figure out a way to pay for things online with their debit or credit card without getting debited. 

‍

There have been situations where many fraudsters sign up on a platform and mask themselves as customers to intentionally look for gaps in your product flow and then exploit you. I’ve also heard of situations where groups intentionally work with other fintech to perpetrate coordinated fraud. - Olasehinde Omoriwo - Fintech Product Consultant

‍

Evolution of fraud in banking and fintech

Frauds evolve with technology.

‍

As new systems come up, fraudsters look for ways to exploit them. Now, there are more sophisticated levels of social engineering. Before, you had friendly fraud from people trying to steal your card PIN at ATM and POS locations. Elder fraud was also very common, where fraudsters pretended to help people, but they then stole their information. 

‍Oyindolapo Olusesi, Lead, Legal Services at Kora

‍

In the late 2000s when ATMs were popular in Nigeria, fraudsters would try to get your pin or even outrightly steal your card.

With the growth of digital payments, embedded finance and mobile banking, fraud attacks have also changed. Chargeback frauds, ransomware, and malware attacks are on the rise.

‍

More recently, you've started seeing instances where people go on social media to complain. Then fraudsters mirror the organisation’s handle and pretend to be a customer support official. They’ll tell you to click a link or send a message, and sometimes, it’s always too late. One of the ways we've been taught to identify fraudulent phishing messages is to look out for typographical errors and even those that don’t because with the help of Gen AI, such messages are now well-crafted.

‍Oyindolapo Olusesi, Lead, Legal Services at Kora

Another growing fraud trend is synthetic identity fraud.

‍

Fraudsters now create synthetic identity fraud, and this is where fraudsters bypass the KYC of an organisation by using fake details. There have been reports about this in the African ecosystem. With the growth of AI and the sophistication of deep fake technology, that’s something we have to prepare for. 

Oyindolapo Olusesi, Lead, Legal Services at Kora

‍

With the advancement of these frauds, fintech and supporting companies need to be more proactive about handling fraud.

‍

How to protect yourself from fraud?

1. Build on existing infrastructure

Take onboarding and identity verification, for example. 

‍

Many startups have developed the expertise to build this type of infrastructure. Their solutions have gone through several iterations and have been tested with live users, so it’s best to adopt them. This can help reduce the risks you’re exposed to compared to building your own solution.

‍

In some areas of fintech, the best approach would be to look for existing solutions instead of building new ones. For example, personal identification systems or identity verification systems. It’s important to think in ecosystem ways. 

Olasehinde Omoriwo - Fintech Product Consultant

‍

2. Follow regulations and collaborate with regulatory bodies 

‍

The purpose of regulation is not to stifle innovation. It’s to protect your startup and the customers. So, it’s important to comply with them.

‍

There are already regulations in the space, but fintech companies sometimes don’t want to follow these regulations to the letter, and because of that, they are exposed to all kinds of risks. 

Enforcing these regulations is one of the key ways that the government can help prevent fraud in the fintech industry. The CBN and the SEC created a regulatory sandbox, one of the ways fintechs can test their solutions. We need to have more regulatory sandboxes around the fintech space. It’s also important for the government to create an environment that fosters partnerships. 

Oritsegbubemi Ikomi Olaitan - Head of Compliance Operations, Side Brief

In many cases, regulatory bodies lay down the rules around the data fintechs should collect and certain requirements that your product must meet before you launch. An example is changes to KYC requirements for Tier 1 accounts in Nigeria, where CBN mandated linking either BVN or NIN to the accounts.

‍

For fintechs that do cross-border payments, complying with regulations is non-negotiable as they're more predisposed to fraud due to the number of parties involved.

‍

Compliance with regulatory requirements will help you stay on the good side of regulators and protect you from fraud.

‍

3. Identify fraud patterns and set up controls to prevent them

Preventing fraud starts from the pre-development stage of your product. During development, map out your ideal user profile with data points like personal information, transaction volume, behavioural data etc. 

‍

This will help you flag unusual behaviour and users who don’t fit your profile. 

‍

Fraudsters have patterns. One is for a fraudulent person to use the same details across platforms like images, names, BVNs, and date of birth. In some cases, they try unusual transaction volumes multiple times, which is not consistent with normal users. In efficient systems, they become blacklisted, and fintech can easily point them out. 

Olasehinde Omoriwo - Fintech Product Consultant

‍

4. Involve compliance at the building stage

Before building and launching your product, ensure that it meets the necessary compliance standards.

‍

The compliance team generally assesses the risks involved in launching a product and then builds processes to mitigate those risks. 

‍

At Kora, we speak to the product team to fully understand what they're trying to do. This gives the compliance team the knowledge to dissect the risks and identify the risks inherent in the product before it is built and after it is launched. ‍

‍Sometimes, you lean on the experience from the product you’ve launched before and lean on that experience. We do that in terms of internal controls, KYC, data protection, and security.  After development, the compliance team carries out extensive testing to ensure that the suggested controls are implemented and that there are no loopholes. As a general practice, we also carry out ongoing tests for both the product and the work environment.- 

Oyindolapo Olusesi, Lead, Legal Services at Kora

‍

5. Get hiring right

While you can put measures in place to minimise fintech fraud, hiring right is one precautionary measure you can use to prevent fraud, especially internal fraud. 

‍

To a large extent, it can be difficult to control how much access some of your key team members have to your systems. At this point, it comes down to trust. So, get hiring right. 

‍

Aside from that, there are also on employee onboarding policies that you should have. Things that you have to check the history of employees.

‍

You should have an airtight employee onboarding policy. It’s important to check employees' criminal history. Doing this will help you avoid hiring people that’ll jeopardise the business. Carry out checks on their guarantors and ensure they sign all contracts shared with them. 

Oritsegbubemi Ikomi Olaitan - Head of Compliance Operations, Sidebrief

---

At Kora, our goal is to connect Africa to the world and connect the world to Africa via payments. For startups and businesses working in Africa, we provide All The Support You Need ™️ to start, scale and thrive on the continent.

‍

Sign up to see all the ways you can thrive with Kora.