Addressing Security Concerns in Digital Payments

Amid increasing vulnerabilities, James Emejo tasks regulatory authorities to make electronic payment agents more accountable for security breaches on their platforms

If anything, the emergence of digital and electronic payment systems is supposed to reduce the dangers and challenges hitherto associated with cash handling.

Before now, the argument had been that carrying huge amounts of cash around exposes individuals to risks of physical attacks by criminal elements, including armed robbery, among others.

However, despite the historic evolution of the payment landscape, especially card services, in the country, the inherent risks associated with new technology have raised concerns, particularly around safety.

In its 2021 Annual report, the Nigeria Deposit Insurance Corporation (NDIC) lamented that the “increasing use of digital channels, which spiked due to the lockdown measures that were introduced to counteract the spread of the COVID-19 pandemic has aptly been noted.

“The increasing reliance on electronic platforms for carrying out transactions may have contributed immensely to the rise in frauds and forgeries cases via these channels,” NDIC said.

The corporation disclosed that the value of fraud and forgery perpetrated in Deposit Money Banks (DMBs) rose by 34.9 per cent to N7.19 billion in 2021 compared to N5.33 billion in 2020.

The number of fraud cases in the banking sector also increased by 44.8 per cent to 211,713 incidences in 2021 compared to 146,183 cases recorded in the preceding year.

The NDIC noted that during the review year, a total of 365 bank staff were involved in fraud and forgery cases, compared with 474 in 2020, indicating a 4-year gradual decline.

According to the report, temporary staff constituted the largest perpetrators of insider-related frauds and forgeries, representing 57.53 per cent of the total reported cases while permanent staff accounted for the balance of 42.47 per cent in the review year.

While observing that the DMBs continue to engage temporary staff as a cost-saving measure in conducting their business, the NDIC said it had continued to direct the banks’ management to prioritize security measures, including comprehensive background checks, to minimise the incidences of fraud and forgeries committed by dishonest staff within that cadre.

The first quarter of 2021 recorded the highest number of reported fraud cases with 73,578 incidences, while the biggest actual loss of N2.32 billion was recorded in the third quarter of 2021.

According to the NDIC, in the review period, fraud perpetrated across the counter stood at N1.13 billion, internet banking fraud amounted to N1.83 billion, and mobile banking fraud stood at N1.26 billion.

POS, Internet, mobile banking vulnerabilities

The NDIC report further noted that the channels and instruments through which frauds and forgeries are perpetrated have gradually evolved to include digital and web-based platforms, such as e-commerce, PoS, and mobile banking. 

Electronic (or digital banking) channels accounted for 187,870 cases or 88.74 per cent of total fraud cases, with an actual loss of N4.97 billion representing 69.10 per cent of total industry losses for 2021. All other channels accounted for 23,843 cases, with an actual loss of N2.23 billion or 31.02 per cent of the total industry losses. ATM/card-related fraud had the highest frequency, accounting for 25.43 per cent of total fraud cases, followed by mobile banking and web-based fraud cases with 22.75 per cent and 16.56 per cent, respectively.

Across-the-counter frauds contributed the least with 0.38 per cent, while other non-electronic channels accounted for 1.70 per cent in 2021.

However, amid the cashless policy of the CBN, which has gained some popularity in recent times, fraudsters have further evolved other plans to rob unsuspecting bank customers of their hard-earned money.

The miscreants now go about with Point of Sale (POS) devices and rob their victims at gunpoint.

One of the victims, who identified herself as Aghata, narrated her ordeal at the hands of robbers/fraudsters who held her at gunpoint. According to her, they withdrew over N75,000 from her account right inside a moving private commercial vehicle in Abuja. The hoodlums now go about with POS devices to circumvent the cashless policy initiative.

Responses from financial institutions

Yet one of the ironies of theft via POS is that even when the cases are reported, the financial institutions or payment agents appear not to have any proactive response in place to help the poor customers.

According to Aghata, her Access Bank ATM card was used to withdraw all her savings on that fateful day of the attack. But when she later filed her complaint with her bank’s branch, she was shocked to be told there was nothing that could be done as the card was used on the Opay Digital network. And this is just one case in hundreds of occurrences – some unreported because victims have lost confidence in the ability of the institutions to assist in recovery.

However, observers believe the regulator needs to further tighten the noose on payment service providers in the areas of security and recovery of customers’ stolen funds.

Quest to fortify defences

The CBN on August 18, 2022, moved to strengthen the cyber resilience of Other Financial Institutions (OFIs) to ensure that they remain safe and sound amidst the increase in the number and sophistication of cyber security threats and attacks against them.

The move was contained in a circular titled, “Exposure Draft of the Risk-Based Cyber security Framework and Guidelines for Other Financial Institutions,” which was addressed to all OFIs in the country.

The CBN correspondence dated August 13, 2021, and signed by the Director, OFIs Department, Nkiru Asiegbu, stipulated the minimum requirements for enhancing cyber security.

The apex bank explained that the purpose of the guidelines, which provide a risk-based approach to managing cyber security risk, was to, among other things, create a safer and more secure cyber environment that supports information system security and promotes stability of the OFI sub-sector.

It noted that the safety and soundness of the sub-sector particularly required that they operate in a safe and secure environment.

Hence, it stated that the platform on which information is processed and transmitted should be managed in a way that ensures the confidentiality, integrity and availability of information as well as the avoidance of financial loss and reputational risk among others.

Essentially, the document provided for cyber security governance and oversight; cyber security risk management system; cyber resilience assessment; cyber operational resilience; cyber threat intelligence and metrics monitoring and reporting.

The guidelines also spelt out the responsibilities of the board of directors, senior management and chief information security officer (CISO).

The CBN stated that the board of directors shall ensure that cyber security is completely integrated with business functions and is well managed across the OFI.

The board is also to have oversight and overall responsibility for cyber security programmes.

In addition, senior management of OFIs shall be responsible for the implementation of the board-approved cyber security strategy, policies, standards and the delineation of cyber security responsibilities among others.

The document also mandated every OFI to appoint or designate a CISO whose responsibilities shall include the day-to-day cyber security activities and the mitigation of cyber security risks in the institution.

KYC on POS operators

There is, however, the need for regulators to further strengthen monitoring and enforcement of the activities of mobile payment agents, especially POS operators, going forward.

Analysts said the CBN must mandate proper KYC as well as ensure that every POS transaction can be tracked irrespective of location and network service provider.

They also frowned at a situation whereby everybody gets the POS without proper due diligence, adding that most operators use the devices for nefarious activities.

In 2021, 14,914 POS-related fraud cases were reported with actual loss amounting to N763 million. 
