Over the years the banking system has evolved from brick-and-mortar structures to more digital methods of banking. Nowadays even traditional banking institutions offer neo-bank-like services; Wema Bank built ALAT, Zenith ZIVA, and various other traditional banks have also created apps like these. As banking has changed, so have the verification systems. In times past you had to bring physical verification documents to these brick-and-mortar structures, but fintechs have pushed this further. With rising mobile and internet penetration, banking and identity solutions have shifted to mobile. To open a Flutterwave or PayStack account you just need to upload your documents online and send a picture of yourself taken in the comfort of your own home or wherever you are. These advancements in technology and banking solutions have brought simplicity and ease to financial services, but they have also created room for more modern and advanced fraud schemes. According to data from the Nigerian Deposit Insurance Scheme (NDIC), fraudulent activity recorded in deposit banks in Nigeria increased from 146,183 in 2020 to 211,713 in 2021, a 44.8% increase in one year alone. This is indicative of the rising financial problems plaguing the Nigerian and wider African banking industry.
Rising cyber fraud
In recent years there have been ongoing reports of banking fraud and breaches in both the fintech and traditional banking sectors. Flutterwave suffered a ₦2.9 billion ($6.3 million) breach earlier in the year and a series of other breaches, while Glade Finance lost $214,000 to an internal hack. Last year telecoms giant MTN took 18 banks to court over a ₦22.3 billion ($53.7 million) mobile money fraud, and even Heritage Bank was named in fraud rumours, which it has since referred to as a hoax. But financial institutions typically have a hard time admitting that they have suffered a breach. When reports of the Flutterwave breaches first came to light, the company denied that it had suffered a breach, telling TechCabal that during what it described as a “routine check” it realised that some users had not activated some of the recommended security settings, which might have made them susceptible to fraud, so it was tightening up security. In reality, Flutterwave was freezing customer accounts and pursuing legal steps to recover millions of naira. These breaches have often been connected to crypto, betting sites, and other online financial services which fraudsters use to launder stolen funds. The accounts frozen by Flutterwave during its cyber crises were also connected to crypto accounts. This shows a new wave of fraud schemes rising to meet evolving banking standards and technology. In other words, as technology evolves to fight fraud, fraudsters are adapting to these new systems. So what is the way forward for fintechs to mitigate this cybercrime risk?
The answer is having a robust security system. What this means is that financial institutions need to ensure that they put appropriate, ongoing checks in place to mitigate risk for customers across their platforms, as well as checks to safeguard against fraud in their own systems. Daniel Ade-Ojo, a fraud intelligence specialist at Moniepoint, categorises these preventive protocols into two systems: a standardised security program and an advanced security technology. According to him, “The standardised security program is your security approach to your customers’ environments, so it speaks to the security functions that exist when a customer is being on-boarded. It addresses questions like what are the security functions that exist when the customer wants to initiate transactions or make an order depending on what service the fintech is offering? etc. So, all of these speak to the security protocols that are in place for your user environment. The advanced technology program meanwhile, speaks to what you are doing to secure the backend operations on the app. So, what anti-malware functions are in place for your software? These are the things that protect your network from being attacked externally, and how you are able to flag them if they get triggered.”
These security protocols also include fraud risk assessments in mobile apps to evaluate existing vulnerabilities on the app and create solutions for the identified gaps. They include internal audits: auditing your internal financial processes and also the people building these systems. Companies also have to continually update their technology. They need checks in place to ensure that they are not using outdated technology or outdated security tools. They also need to have checks that continually promote automatic updates for their technology and ensure that there’s a team monitoring for when the system is unable to flag some things in real time. All these checks create more overhead for financial institutions, especially fintech startups that are new in the market. The fintech ecosystem has witnessed a decline in funding recently due to an overall global financial downturn, so resources are tighter now. For a lot of these companies, the question becomes how to build robust and efficient security systems but still keep financial and manpower costs down.
Don’t reinvent the wheel
One of the first lessons you learn in research is to say you’re adding to existing knowledge rather than discovering a new concept. What this means is that often, when you dig deeper, you find existing solutions. Whether big or small, someone somewhere is creating a solution. Typically, the approach for a lot of financial institutions is to build their own security systems. As technology evolves they create their own apps to adapt to this system, and these apps carry whatever security legacy banking institutions have. In Nigeria, customers typically submit a picture and a number like the Bank Verification Number (BVN) or their National Identification Number (NIN) online, which is then verified through whatever internal systems that bank uses. The bank may reach out to the National Identity Management Commission for NIN verification or search the BVN database. What these banks have discovered over time is that these verification processes and security protocols are capital-intensive and also not effective. According to Esigie Aguele of QoreID, it’s possible to have a scenario where an individual has multiple digital IDs from one ID source. Aguele believes that when banks and fintechs take on the task of cyber fraud prevention on their own, it not only compromises their ability to deploy resources to their core functions, it also puts their clients at risk. Because these companies were built for other purposes, their security protocols are not as advanced as those of the experts whose focus is only security. The alternative to this is simply to find experts in the security ecosystem and collaborate with them.
There’s quite a lot of KYC automation technology and other security technology currently available in the market. Instead of reinventing something that already exists, outsourcing will save fintechs time and money. African fintechs can leverage the built-for-purpose infrastructure and specialised skills offered by KYC companies to safeguard their systems against fraud. This not only reduces spending but also improves customer safety. Companies like QoreID and other digital identity and consumer data analytics companies have been built to tackle these problems efficiently for their customers, with QoreID launching a bouquet of fraud prevention solutions. Aguele is a strong proponent of collaboration in the financial industry: “If you compare the archetype of fraud-resilient systems in developed countries with the reality in our continent’s fintech space, you immediately see the need for stakeholder collaboration in priority areas such as reporting and sharing data on fraud, especially at the point of onboarding new customers. When we talk about reporting we mean access to on-demand data in a federated environment. I think this is the area where most institutions have to come together. Suffice it to add that digital identity companies have a key role to play because we have the technology, which we can build at a faster pace, and we are at the centre of the onboarding protocol so that puts us in a strategic position to sustainably provide that industry service,” Aguele adds.
The approach to cyber fraud was mainly two-factor authentication (2FA), but now the system has become so wide and vulnerable that it requires multi-factor authentication protocols that not only tell you who a customer is but also provide further insights beyond facial recognition. Anti-Money Laundering (AML) and criminal background checks, as well as financial profiling, consumer analytics, and a host of data and insights are now used to create a reliable online identity profile. The best approach now is to leverage existing systems of liveness verification, biometric checks, etc. to put one’s company in a better position to operate a safe space and attain optimal customer experience. QoreID’s Fraud Solutions, as mentioned previously, leverage cutting-edge AI-powered authentication. These sophisticated solutions incorporate advanced features such as facial recognition, liveness detection, and a range of authentication and identity protection measures. Speaking on this advanced system, Aguele says, “Our facial recognition technology creates both 2D and 3D face maps to increase the accuracy of the face matches. In addition to this, our re-authentication solution deploys a de-duping layer where we can check all future onboarding attempts against existing users on a customer’s platform using the face from the initial onboarding. This allows us to detect users creating duplicate account profiles and we take this a step further by checking the face against our global list of hundreds of fintechs connected to our solution, with an alert if this user has been flagged by any other organisation for fraud.” This particular feature helps to prevent fraudsters from creating fake accounts or using stolen identities.
All these measures ensure that user accounts are kept secure and protected from phishing attacks and other potential compromises. Additionally, QoreID’s service does not rely on locally stored biometrics, providing a more secure and precise means of authenticating the user’s identity and ownership of the account they are accessing. According to the company, their service is designed for easy implementation and integration with existing systems, providing a seamless user experience for fintechs, insurance companies, telecommunications, healthcare, and other industries.
For most fintechs and legacy bank operators, the challenge of upgrading their technology to QoreID’s standards may come at the cost of impeding their operational efficiency and weakening their fraud prevention and mitigation systems. By looking around the ecosystem for existing solutions and sharing available data with industry peers, they can scale more efficiently and more securely. The Central Bank of Nigeria (CBN) has made some progress regarding open banking and providing fraud mitigation resources, but until it moves beyond guidelines to proper implementation, it’s better for existing fintechs and legacy bank operators to outsource aspects of security, which include verifying digital identity, to the experts, and also for everyone in the financial ecosystem to collaborate where they can to fight fraud.