Every day, hundreds of customers fall victim to fraud, be it through online transactions, card skimming, loan applications, lottery wins or, last but not least, Facebook and social media frauds. The easiest approach, and the one usually followed, is to blame the customers for the frauds and pass on the liability to them because it is they who have shared details with vendors and third parties.
Reasons why frauds remain unabated:
- Data leakage by institutions and their vendors
- Poor use of technology
- Inadequate fraud awareness for the customers
- Poor policing by law enforcement
- Recycled proceeds of crime and end-use
Data Leakage by Institutions and Vendors: Banks and institutions carry a lot of data that can be passed around and misused. Data includes your name, date of birth, PAN, email, mobile, and can also include your account usage information. The bigger risks lie when bulk customer data, called ‘dumps’, are shared and misused. You received a phishing call only because someone somewhere had shared your data. By establishing a strong data protection framework, frauds can be put to an end.
Financial institutions must review their processes and third-party vendors for data leakage instances, develop strict controls, conduct surprise audits or mystery shopping at their vendors and include strong penalties in their vendor contracts to preclude any data misuse cases. Institutions must sensitize their employees to watch out for leakages.
Poor Use of Technology by Institutions: Everyone knows the buzzwords in technology - Data, Artificial Intelligence and Predictive Analytics. As per the 2018 global survey by ACFE, 40% of internal frauds were detected by a tip, 15% by audit, and sadly, only 1% by IT controls. Are institutions using enough intelligence and related technologies to prevent fraud? Transaction monitoring rules need to be intelligent, dynamic, proactive, and use customer profiles, spend patterns and trends to set a benchmark.
In skimming frauds, for instance, a bare minimum cash limit on a credit card should be provided; customers who want more can always ask for it. This too should be based on the customer’s previous spend patterns. Banks should create a profile of the customer using the type of transactions he conducts, their amounts, frequency, time stamps, whether transactions are online or swipes, amount of cash withdrawals if any, locations used, regular IP addresses, mobile and laptop devices, online shopping merchants and trends, e-wallets used, fund transfer beneficiaries and corresponding amounts. Banks and financial enterprises can find out whether a customer uses the internet for banking, the shopping sites he visits, the e-wallets he prefers and the chances he will conduct ten online transactions in five minutes and exhaust his entire card limit, or use the card at a particular merchant. Armed with data and analytics, banks will find it easier to distinguish between a genuine transaction and a fraudulent one, be able to detect frauds early and prevent subsequent losses. All institutions already use fraud monitoring software; it only needs to be enhanced with the current fraud trends in the shortest possible time.
Banks can have a conserve and protect approach and pitch the right product to the right customer. Not all customers need online banking or high cash withdrawal limits. For example:
1. Banks offer instant loans but may fail to recognise an account takeover prior to the instant loan application. They should also recognise if the end beneficiary of multiple loans is the same account number.
2. A cash withdrawal balance enquiry on a credit card is followed by withdrawals to the max.
3. Rapid fire online transactions or cash withdrawals in the dead of the night.
4. Cash withdrawal transactions a few minutes before and after midnight, thereby taking advantage of the daily permissible limit.
5. Change of internet password and/or mobile followed by high-value online transactions.
6. Cardholder availing all available credit lines in one go.
7. Multiple cards used in a series at a particular ATM.
8. Swipe transactions in multiple geographies (within India or abroad) at nearly the same time.
9. Banks should ensure their ATMs are guarded 24x7 and that guards are trained to prevent suspicious activity, such as customers wearing caps and goggles. ATMs should be well lit and monitored by cameras equipped to capture images at night, with the necessary storage capacity. Using intelligence and real-time CCTV monitoring at an ATM, banks can distinguish between the account holder and a stranger.
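Patterns 4, 5, 7 and 8 from the list above can be expressed as simple monitoring rules. The following is an added example, not code from the article or from any bank's system; the event fields, rule names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, card, kind, amount, city or ATM id)
EVENTS = [
    ("2024-03-01 23:57", "C1", "cash", 20000, "ATM-7"),
    ("2024-03-02 00:03", "C1", "cash", 20000, "ATM-7"),
    ("2024-03-02 10:00", "C2", "cred_change", 0, "online"),
    ("2024-03-02 10:20", "C2", "online", 90000, "online"),
    ("2024-03-02 14:00", "C3", "swipe", 1500, "Mumbai"),
    ("2024-03-02 14:10", "C3", "swipe", 2200, "Delhi"),
    ("2024-03-02 02:00", "C4", "cash", 10000, "ATM-9"),
    ("2024-03-02 02:02", "C5", "cash", 10000, "ATM-9"),
    ("2024-03-02 02:04", "C6", "cash", 10000, "ATM-9"),
    ("2024-03-02 18:00", "C7", "swipe", 800, "Pune"),
]

# Assumed thresholds; in practice they would come from each customer's profile.
HIGH_VALUE = 50000
WINDOW = timedelta(minutes=30)

def detect(events):
    """Return a sorted list of (rule, subject) alerts."""
    evs = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), c, k, a, loc)
                 for t, c, k, a, loc in events)
    alerts = set()
    by_card, by_atm = defaultdict(list), defaultdict(list)
    for e in evs:
        by_card[e[1]].append(e)
        if e[2] == "cash":
            by_atm[e[4]].append(e)
    for card, rows in by_card.items():
        for prev, cur in zip(rows, rows[1:]):  # consecutive events per card
            near = cur[0] - prev[0] <= WINDOW
            # Pattern 4: cash withdrawals straddling midnight (two daily limits)
            if near and prev[2] == cur[2] == "cash" and prev[0].date() != cur[0].date():
                alerts.add(("midnight_straddle", card))
            # Pattern 5: credential change followed by a high-value online payment
            if near and prev[2] == "cred_change" and cur[2] == "online" and cur[3] >= HIGH_VALUE:
                alerts.add(("change_then_high_value", card))
            # Pattern 8: swipes in different cities at nearly the same time
            if near and prev[2] == cur[2] == "swipe" and prev[4] != cur[4]:
                alerts.add(("geo_conflict", card))
    # Pattern 7: three or more distinct cards used in series at one ATM
    for atm, rows in by_atm.items():
        for i, first in enumerate(rows):
            cards = {r[1] for r in rows[i:] if r[0] - first[0] <= WINDOW}
            if len(cards) >= 3:
                alerts.add(("multi_card_atm", atm))
    return sorted(alerts)
```

Static thresholds like these are only a starting point; the article's argument is that the limits should be set from each customer's own spend pattern.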
Inadequate Fraud Awareness for the Customers: It is correct to state that frauds happen because customers share data. It is also true that banks are, to some extent, responsible for fraud. If you have played the radio lately, you can hear the Almighty Reserve Bank of India educating you on fraud prevention, something your bank is expected to do. Can one ask for more? Banks should prepare a brief script, call every single customer and educate him on fraud prevention. This may sound outrageous but can be more effective than the current efforts of mailers and messages, lost among other junk communications. I would not really mind if my banker calls me up one day and says something like “Hey Milind, what’s up! You know this already but it is my solemn duty to inform you not to click and share bank information on unknown links, share OTPs and card details, no matter who calls.” With an information overload everywhere starting with your mobile, fraud alert messages need to stand out and be noticed.
Fraudsters use every trick in the trade to fool you into believing they are somebody else. So, you can receive a call from your bank, RBI, MasterCard, Visa processing department, GST team, and Aadhaar. You will be lured with free reward points, a free card with mind-boggling benefits, loans at are-you-kidding-me interest rates; basically anything that is free, tempting, and a today-is-the-last-day kind of offer. You can also receive emails about an income tax refund being due. There are instances where the fraudsters have reproduced a bank’s IVR. This is played to the customer who is prompted to punch in his card details and OTP. Just that the details are legible at the other end. Yes, the customer should not share card details and OTPs. At the same time, banks too should recognise a fraudulent transaction in time and block it.
RBI Guidelines on Limiting Customer Liability: Among all the guidelines issued by the regulator under this circular, ‘negligence’ is probably the most important takeaway for the banks. The most important demands of the regulation are:
- Robust and dynamic fraud detection and prevention mechanism
- A continuous system of advising customers on how to prevent fraud.
- Customer is entitled to zero liability if the unauthorized transaction occurs due to contributory fraud/ negligence/ deficiency on the part of the bank.
Law Enforcement and Arrests: A strong contributor to the high number of frauds year on year is the government’s efforts, and police to be more specific. Try reporting a fraud at a police station and the responses can be:
- The amount is too low to investigate!
- We don’t investigate such cases, your bank does!
- File complaint at the police station where the crime was conducted!
- The bank has to file the complaint, not the cardholder!
- We receive hundreds of such complaints every day and can’t investigate all!
- It’s quite stupid of you to first enable the fraud by sharing card data and then asking us to investigate!
Cops can also lower the nature of offence and file a complaint instead of an FIR, making it easier for them to simply ignore your case. Your bank will also only ask for a police complaint acknowledgment and not insist on an FIR. An FIR, on the other hand, requires the police to initiate at least some review in the name of investigation.
Proceeds of Crime: Among various drives the government is propagating, the one drawing the most attention is anti-corruption.
It is safe to assume the money obtained from frauds is not declared in the perpetrator’s IT returns. One can also assume the ill-gotten wealth is not donated to temples and charitable organizations but is rather invested to conduct more fraud. Imagine the outcome if the current trends of frauds continue and the rural population, who have barely begun using smartphones and have opened a Jan Dhan Yojana account, are duped. Hundreds of frauds that take place every day are overlooked; the police conveniently refuse to investigate and control. Unless the crime/ fraud amount/ involvement of accused/ clout is substantial, you can rely on the police not to investigate the fraud.
India is globally recognized as an IT superpower. The same IT companies also provide software and fraud prevention tools to the banking and financial industry. It is an awkward and embarrassing position to be in, a region having a multi-billion dollar IT industry hub famous for its talent, technology and software exports, and having an equally high number of IT-enabled frauds with no end in sight, with no recourse to law. We have reached a point where Indians are calling US citizens and taking them for a ride. When fraudsters can get access to such technology and identify loopholes, it’s much easier for a legitimate financial institution to use that technology, plug gaps and prevent frauds.
The above strategies can be customized not just by banks but by virtually any service provider. Fraud instances will crash if data is not shared. Frauds will also come down if police act immediately, and we taxpayers will be grateful if they are technologically well equipped, staffed and interested to investigate, arrest and stop frauds. This requires a big push from the government with necessary infrastructure.
Your bank is legally bound to conduct fraud awareness, use the best tools and technologies to combat fraud, and monitor your transactions to ensure no fraud transactions take place.
Currently, banks pass on the liability of the fraud to the customer by claiming negligence and data compromise. You may have compromised some data or be outwitted. Your bank should not make you pay for it because of its own negligence.
Senior Principal Consultant - Fraud Investigations, Enterprise Product Group, InfrasoftTech