Managing the Risk of Fraud in Mobile Money
Let me illustrate the theme of my expose by an incident that happened to me at a Harare restaurant recently. After my meal I thanked the waitress and asked for the bill, showing her my phone to indicate my mode of payment. Instead of bringing a printed bill she asked me to pay not by way of the merchant code that was prominently displayed. “There’s a problem with that code” she said politely. “You can use this number”. It was only after the transaction that I realised what had happened: I had paid the waitress or her accomplice for the meal. Having earlier informed the waitress of my being in a hurry, she knew I had neither time nor mood to raise a fuss with management.
Risk management is a key component to the commercial success of any business. Effective risk management underlies sustainable commercial activity, including m-commerce, because it protects two key commercial assets: revenue and reputation. Mobile operators are familiar with managing risks on their side of the business and those that have launched mobile money are aware that mobile money carries different kinds of risk –particularly the risk of fraud.
Managing risk in mobile money is a challenging task, especially when it comes to the risk of fraud, which not only results in financial loss to the business but also damages the reputation of the service to the customer. As such, mitigating the risk of fraud is a primary objective in a robust risk management strategy.
Any person in business understands that as soon as they move from working alone to employing someone else there has to be in place some form of ensuring that what the other person does or gets as part of their work does indeed benefit the business. In other words, every business greater than that of sole operator has to have some form of internal control. This is the means by which you marshal your enterprise resources to achieve your objectives.
Just as in any worthwhile undertaking, an appropriate system of internal control should neither be costly nor onerous. Whatever shape or form your system, at the end of the day, it should help you to exploit your opportunities as well as manage the risks of doing the things you do. It is desirable to ask oneself a few questions from time to time: Is my system able to detect errors and fraud in sufficient time for me to take appropriate action? Can I quantify and qualify the effectiveness of my controls? Do I have just enough controls – not too many and not too few? What can go wrong? What can I do to mitigate what can go wrong and what should I do to promote what can go right? In other words, regularly reviewing your operations.
One of the major risks facing any business in Zimbabwe today is that of fraud. I am using the term here to denote a wide array of thieving and various deceitful acts by both employees (internal fraud) and outsiders, including suppliers and customers (external fraud). Accountants classify losses from theft rather euphemistically as part of “inventory shrinkage.” But everyone knows what that usually refers to: lost revenue due to theft.
My cited restaurant experience is an example of an internal fraud. In that case it is likely that the waitress and chef were in it together. It follows therefore that fraud is a risk that should feature prominently in one’s regular reviewing of operations. A fraud vulnerability review (also known as fraud risk assessment) follows the pretence of “prevention is better than cure”. The process of risk analysis proceeds from threat assessment to threat evaluation to the selection of countermeasures designed to contain or prevent that risk. Many, if not most, risks are generic; they are present in any environment. In my example, the waitress could have pocketed the cash had I paid in cash. In general effective internal controls operate across operational areas. For instance, effective receipting will depend on an effective billing system.
Questions to consider when identifying and assessing operational risks in mobile money
• What are the most complex parts of the process?
• Where are the most vulnerable bridges or links between interconnected systems?
• Are there any large value, high-risk transactions that happen regularly?
• Are there any authentication mechanisms that are easily faked?
• How could someone abuse the system?
• How could someone disrupt operations?
• What frauds are prevalent in the country apart from mobile money? How common are they?
• What is the general level of criminal activity and the strength of law enforcement in the country?
• What is the likelihood of the risk?
• What is the potential impact on the business (financial and reputational)?
Using controls to mitigate risk in mobile money
Controls in mobile money are either preventive, which reduce the likelihood of fraudulent activity, or detective, which monitor and report trends or activities that have already happened. Below I have outlined the key controls as they affect most mobile money deployments. While this is not a comprehensive list, each of these controls addresses at least one specific risk associated with mobile money. For example, controlling access rights helps to reduce the risk of information manipulation, while monitoring and analysing suspicious transactions increases the visibility of fraudulent activity.
Examples of controls in mobile money and in general
• Control access rights to protect transaction data integrity, e.g. invoicing in a computer system
• Segregation of duties and independent checks to reduce error or fraud on high risk procedures. In general, the functions of (i) initiating a transaction, (ii) approving a transaction, (iii) executing a transaction, (iv) recording a transaction, (v) taking custody of the assets, and (vi) reporting on the transactions, should be divided between at least two people.
• Threshold limits to reduce risk associated with the computer system.
• Customer awareness campaigns to increase customer education and protection, e.g. a notice below the biller code to pay only via that code and none else
• Employee training on acceptable practices and conditions as well as roles and responsibilities
• Communication and information sharing with employees. Many businesses are going through hard times and payroll debts are not uncommon. Where employees are not paid in full silence, ducking and diving does not help the situation.
• Monitor and analyse suspicious activity
• Monitor activity on system access – does system access tally with historical business activity
• Create robust customer recourse and escalation procedures – customers can be a good internal control resource
• SMS alerts to customers, where possible
• Management checks and review
A thriving business environment is fodder to a thriving community and vice versa. I will be sharing specific incidents in future. Please help the SME in Zimbabwe – and other businesses for that matter – by sharing your experiences with me (email@example.com) and/or leaving your comments below.
Caleb Mutsumba RPA, CFE
Mobile/WhatsApp: +263 772 466540/ +263 712 620287
|Revenge of the Deplorables|
|I’ve been writing a lot recently about global politics and the drivers and implications of the increase in populism. I’m returning to it again this week, not because of Donald Trump’s inauguration, but because of the launch of the latest update of The Economist Intelligence Unit’s Democracy Index, which measures the state of democracy in 167 countries globally. If, like me, you think that democracy is a good thing then 2016 was an unhappy year: the average global score fell from 5.55 out of 10 in 2015 to 5.52 in 2016, with 72 countries recording a lower score and only 38 an improvement.
One of the most notable features of the Democracy Index, which is compiled using the expertise of our team of country analysts, is that the US is now classed as a “flawed democracy” rather than a “full democracy”. The key driver of this is a decline in public trust in democratic institutions to historic lows. Mr Trump’s election was in large part a consequence, not a cause, of this trust deficit, which has been a long time in the making. Promising to “drain the swamp”, Mr Trump tapped the mood of deep popular disaffection with government and elected officials that has been growing in recent years. Across the Atlantic, the UK saw its democracy score increase, as the Brexit referendum led to a marked increase in popular debate and participation.
Democracy-lovers looking for a distraction should check out countries such as Portugal, Cabo Verde, Peru, Madagascar and Tanzania, which have been quietly making progress and improving their democracy scores. Let me know via Twitter @Baptist_Simon or email on firstname.lastname@example.org.
LONDON, July 4 (Reuters) – Zimbabwe hopes to get its proposal to clear debt arrears with multilateral lenders signed off by December, enabling it to start talks with bilateral sovereign lenders. Finance Minister Patrick Chinamasa said Government is looking forward to the three multilateral lenders to formally adopt the country’s debt clearance strategy when they meet in December. In early March, the government agreed to major reforms including compensation for evicted white farmers and a big reduction in public sector wages in an effort to woo back international lenders.
The Southern African country’s foreign debt stands at $8.3 billion, of which $1.8 billion is arrears. Zimbabwe is one of the few countries in arrears with the IMF. Countries are required to clear all arrears with multinational lenders before engaging in talks with other creditors. Zimbabwe owes around $110 million to the International Monetary Fund, which it hopes to clear against a special drawing rights (SDRs) allocation of around $130 million, Chinamasa said at a briefing at London-based think-tank Chatham House.
It is hard to pinpoint the exact moment in the last eight days at which Britain’s politics became officially more absurd than America’s. Last week’s Brexit vote, shocking as it was, was just the starting gun. Since then both the Labour and the Conservative party leaderships have collapsed. The “Leave” campaign has swiftly backtracked(paywall) on its promises. Labour’s Jeremy Corbyn, after enduring a stunning no-confidence vote, appeared to compare Israel with the Islamic State. The Conservatives’ Boris Johnson, the cheerleader of Leave and presumed next prime minister, bowed out after beingstabbed in the back by his own sidekick, Michael Gove. And a leaked letter from Gove’s wife exposed the Tory party’s leading figures as little more than the puppets of media barons.
The US primary season was by turns hilarious and horrifying, but it fulfilled its purpose: There are now the requisite two candidates for president, and the one who is a racist liar with no idea of how to govern is pretty unlikely to win. Britain has no credible leadership on any side, nor are there any clues as to where it might emerge. With astounding swiftness, the UK has replaced the US as the political laughingstock of the world.
This compounds the disaster of the referendum itself. If, as some hopeful pundits speculate, Brexit may yet be halted, it will take extraordinary leadership to mollify the pro-Leave voters who will feel cheated. If Brexit goes ahead, it will take equally extraordinary leadership to steer the economy through its impacts, and to negotiate new trade deals with an unforgiving EU and other countries. (Perhaps they should appoint Donald “I make great deals” Trump as chief negotiator.)
When Trump was on the ascendancy in America, many British politicians could hardly hide their smug disdain. How hollow that looks now.—Gideon Lichfield
“I wrote an article on this a few years ago and interviewed a few experts on fraud in non-profits and why it tends to go undetected for so long. One theory was that non-profits are too trusting and assume that people who work for them respect the spirit of charity that the organization is built on. Unfortunately this isn’t always the case and a lack of internal controls combined with the limited staffing typical of non-profits makes it easier for employees in accounts to steal. Accounts payable fraud seems to be among the most prevalent, possibly due to situations where due to staffing limitations, one employee is responsible for too many financial tasks without checks and balances. If you’re interested in reading the article, you can find it here: Fraud in Non-Profits”