Fortifying Payment Architecture Against Fraudsters

James Emejo writes that stakeholders including regulatory institutions, banks, and financial technology companies must tighten the noose around fraudsters whose heinous activities have been on the increase in recent times.

As initially predicted by all the stakeholders, financial innovations come with their bouquet of opportunities and challenges as evidenced in Nigeria and around the globe.

Though breakthroughs in mobile payment technologies have helped to deepen financial inclusion, reduce physical cash handling challenges, and boost e-commerce among other gains, they have also presented enormous safety concerns, especially amidst the increase in the frequency of security breaches of customers’ accounts.

In fact, cases of fraud, particularly those associated with electronic payment systems, have risen sharply in recent times, raising concerns among regulatory institutions.

Fraud statistics

The number of fraud cases surged by 177.10 per cent to 146,183 in 2020 from 52,754 in 2019, according to the Nigeria Deposit Insurance Corporation (NDIC) 2020 Annual Report.

Even though the total amount involved in 2020 was N120.79 billion, compared with N204.65 billion in 2019, which marks a decline of 40.98 per cent, the surge in fraud cases remains a growing concern in the financial system.

The NDIC stated that the total actual loss fell slightly from N5.46 billion in 2019 to N5.33 billion in 2020, adding that banks sustained the least actual loss of N325 million of the total amount involved during the second quarter of 2020.

The third quarter of 2020 recorded the highest actual loss of N2.514 billion or 25.73 per cent of the total value involved in that period.

According to the report, only 10 out of 30 banks accounted for N119.204 billion or 99.17 per cent of the total amount involved in frauds and forgeries cases during the year in review.

Increasing vulnerabilities

The rise in various digital and online financial products has come with increasing vulnerabilities for consumers in recent times. Some of these products, however laudable they seem, have security gaps that electronic fraudsters have continually taken advantage of.

In recent times, there are concerns that losing access to individual mobile devices especially handsets could result in bank accounts being compromised.

There has been a good number of people who claimed that their bank accounts were wiped out as soon as their phones were stolen, a development which has further raised concerns about the safety of financial products, particularly what the service providers have done to make it difficult for fraudsters to access bank accounts.

Regulatory interventions

Earlier in June, the Central Bank of Nigeria (CBN) released the Risk-Based Cyber Security Framework and Guidelines for Other Financial Institutions (OFIs), following the recent increase in the number and sophistication of cyber security threats against financial institutions, particularly OFIs.

The central bank also set January 1, 2023 as the effective date for full compliance with the provisions of the guidelines.

The bank said the directive had become mandatory for institutions to strengthen their cyber defenses if they are to remain safe and sound.

In the circular dated June 29, 2022, signed by the CBN Director, Other Financial Institutions Department, Nkiru Asiegbu, and addressed to all OFIs, the apex bank added that the guidelines represented the minimum requirements to be put in place by all OFIs.

The bank stressed that the safety and soundness of OFIs required that they operate in a safe and secure environment, hence the platform on which information is processed and transmitted should be managed in a way that ensures confidentiality, integrity and availability of information as well as the avoidance of financial loss and reputation risks, among others.

The CBN noted that considering the reliance of financial institutions on information and communications technology (ICT) to operate their business and the rising incidences of cyber threats and attacks targeted at financial institutions, it had become necessary to implement cyber security measures to mitigate those risks.

The bank specifically noted that threats including ransomware, targeted phishing attacks and Advanced Persistent Threats (APT) had become prevalent, demanding that financial institutions boost cyber resilience as well as take proactive steps to secure their critical information assets to ensure their safety and soundness.

Subsequently, in July, the central bank further directed financial institutions and payment service providers to do more to enhance transparency and proper disclosure of Digital Financial Services (DFS) going forward.

The apex bank also mandated Deposit Money Banks (DMBs), merchant banks, Other Financial Institutions (OFIs), Payment Service Banks (PSB) and Other Payment Service Institutions as licensed by the CBN, to boost their fraud prevention and risk management capabilities by providing fraud prevention messages and tips for consumers using both audio and virtual modes of communication in local languages.

The central bank further directed the institutions to monitor fraud reports to identify emerging fraud issues and sensitise their customers on how they can protect their assets, following the growing threats to cybersecurity in recent times.

The bank disclosed this in the Exposure Draft on Digital Financial Services Awareness Guidelines, which seeks to address gaps in consumer knowledge and practices with DFS as well as beef up the security of digital services.

The central bank noted that DFS has the potential to expand access to financial services for the Nigerian population and spur innovation in the financial services industry.

The proposed guidelines provide for a set of principles and expectations for financial service providers to integrate into the provision of DFS to ensure consumer understanding, good treatment, and positive outcomes.

Prevalent fraud channels

According to the NDIC report, however, ATM/Card-Related Fraud had 58,193 cases recorded within the review period with losses valued at N1.11 billion.

Also, Web-Based (Internet Banking) Fraud accounted for N0.29 billion with 11,660 occurrences while fraud associated with internet banking cost the industry N0.98 billion from 18,144 recorded cases within 2020.

In addition, fraud related to mobile banking cost the industry N1.23 billion with 25,357 cases while POS fraud stood at N0.36 billion with 14,914 incidences.

Similarly, fraud associated with e-commerce resulted in losses amounting to N0.17 billion with 5,574 cases.

Building appropriate defenses

According to the central bank, the objective of the guidelines is, among other things, to create a safer and more secure cyber environment that supports information system security and promotes stability of the OFI sub-sector, to promote and maintain public trust and confidence in the sub-sector, and to contribute towards the prevention and combating of cybercrime in the OFI sub-sector.

Essentially, the framework provides a risk-based approach to managing cybersecurity risk and consists of six parts: Cybersecurity Governance and Oversight; Cybersecurity Risk Management System; Cyber Resilience Assessment; Cybersecurity Operational Resilience; Cyber-Threat Intelligence; and Metrics, Monitoring and Reporting.

The document further spelled out the roles of the board of directors in relation to cybersecurity as well as the appointment and responsibilities of the Chief Information Security Officer (CISO) among others.

Only recently, a disturbing video went viral on social media, showing a teenager who specialises in transferring people’s funds by accessing their phones and breaching all security features.

It is in view of these compromises that operators and stakeholders need to tighten the noose around the payment system to make it difficult for electronic fraudsters to continue to inflict pain on unsuspecting financial consumers. They should introduce more barriers and firewalls going forward.

The framework also seeks to set Digital Financial Literacy (DFL) standards for Digital Financial Services Providers (DFSP), align product development, promotion, and consumer awareness to DFS amongst DFSP, enhance transparency and proper disclosure on DFS as well as provide for the development of financial literacy and consumer education materials on DFS.

The guidelines further provided for awareness and access to redress and complaints handling by mandating financial institutions and payment service providers to disclose information on consumer complaints channels, resolutions, and Service Level Agreements (SLAs) in product enrollment materials as well as ensure periodic training of agents and complaints handling staff.

In addition, DFS providers shall henceforth disclose all terms, conditions, fees, and other associated charges on product offerings prior to enrollment, ensure integration of data privacy and protection standards into internal policies, and conduct evidence-based awareness campaigns to sensitise consumers on how to protect their assets and sensitive details and develop default settings on DFS which are by nature “opt-out” not “opt-in” of data sharing with third parties, and clear and simple “opt-in” language for sharing of data, as well as ensure privacy to data collection and sharing during product enrollment.

The digital service providers are further required to put in place strategies to assess their policies on raising consumer awareness and product usage; develop indicators and performance measures to assess changes in awareness and usage; forward their strategies and performance measures to the Director of Consumer Protection, CBN bi-annually for review.

Moreover, they are requested to forward monthly returns on consumer awareness programmes/initiatives conducted to the Director, Consumer Protection, CBN.

The CBN guidelines came amidst efforts to safeguard financial services consumers against all forms of abuses and exposure to security threats amidst the growing influence on digital services and payment culture.

Last month, the apex bank released the Risk-Based Cybersecurity Framework and Guidelines for OFIs, following the recent increase in the number and sophistication of cybersecurity threats against financial institutions.
