Managing the Risk of Fraud in Mobile Money


Let me illustrate the theme of my exposé with an incident that happened to me at a Harare restaurant recently. After my meal I thanked the waitress and asked for the bill, showing her my phone to indicate my mode of payment. Instead of bringing a printed bill, she asked me not to pay by way of the merchant code that was prominently displayed. “There’s a problem with that code,” she said politely. “You can use this number.” It was only after the transaction that I realised what had happened: I had paid the waitress or her accomplice for the meal. Because I had earlier told the waitress that I was in a hurry, she knew I had neither the time nor the mood to raise a fuss with management.

Risk management is a key component of the commercial success of any business. Effective risk management underlies sustainable commercial activity, including m-commerce, because it protects two key commercial assets: revenue and reputation. Mobile operators are familiar with managing risks on their side of the business, and those that have launched mobile money are aware that mobile money carries different kinds of risk, particularly the risk of fraud.

Managing risk in mobile money is a challenging task, especially when it comes to the risk of fraud, which not only results in financial loss to the business but also damages the reputation of the service to the customer. As such, mitigating the risk of fraud is a primary objective in a robust risk management strategy.

Internal Control

Any person in business understands that as soon as they move from working alone to employing someone else, there has to be some means of ensuring that what the other person does or gets as part of their work does indeed benefit the business. In other words, every business larger than a sole operator has to have some form of internal control. This is the means by which you marshal your enterprise resources to achieve your objectives.

Just as in any worthwhile undertaking, an appropriate system of internal control should be neither costly nor onerous. Whatever the shape or form of your system, at the end of the day it should help you to exploit your opportunities as well as manage the risks of doing the things you do. It is desirable to ask oneself a few questions from time to time: Is my system able to detect errors and fraud in sufficient time for me to take appropriate action? Can I quantify and qualify the effectiveness of my controls? Do I have just enough controls – not too many and not too few? What can go wrong? What can I do to mitigate what can go wrong and what should I do to promote what can go right? In other words, review your operations regularly.

Fraud Risk

One of the major risks facing any business in Zimbabwe today is that of fraud. I am using the term here to denote a wide array of thieving and various deceitful acts by both employees (internal fraud) and outsiders, including suppliers and customers (external fraud). Accountants classify losses from theft rather euphemistically as part of “inventory shrinkage.” But everyone knows what that usually refers to: lost revenue due to theft.

My cited restaurant experience is an example of an internal fraud. In that case it is likely that the waitress and chef were in it together. It follows therefore that fraud is a risk that should feature prominently in one’s regular reviewing of operations. A fraud vulnerability review (also known as a fraud risk assessment) follows the premise of “prevention is better than cure”. The process of risk analysis proceeds from threat assessment to threat evaluation to the selection of countermeasures designed to contain or prevent that risk. Many, if not most, risks are generic; they are present in any environment. In my example, the waitress could have pocketed the cash had I paid in cash. In general, effective internal controls operate across operational areas. For instance, effective receipting will depend on an effective billing system.

Questions to consider when identifying and assessing operational risks in mobile money

• What are the most complex parts of the process?
• Where are the most vulnerable bridges or links between interconnected systems?
• Are there any large value, high-risk transactions that happen regularly?
• Are there any authentication mechanisms that are easily faked?
• How could someone abuse the system?
• How could someone disrupt operations?
• What frauds are prevalent in the country apart from mobile money? How common are they?
• What is the general level of criminal activity and the strength of law enforcement in the country?
• What is the likelihood of the risk?
• What is the potential impact on the business (financial and reputational)?

Using controls to mitigate risk in mobile money

Controls in mobile money are either preventive, which reduce the likelihood of fraudulent activity, or detective, which monitor and report trends or activities that have already happened. Below I have outlined the key controls as they affect most mobile money deployments. While this is not a comprehensive list, each of these controls addresses at least one specific risk associated with mobile money. For example, controlling access rights helps to reduce the risk of information manipulation, while monitoring and analysing suspicious transactions increases the visibility of fraudulent activity.

Examples of controls in mobile money and in general

• Control access rights to protect transaction data integrity, e.g. invoicing in a computer system
• Segregation of duties and independent checks to reduce error or fraud on high risk procedures. In general, the functions of (i) initiating a transaction, (ii) approving a transaction, (iii) executing a transaction, (iv) recording a transaction, (v) taking custody of the assets, and (vi) reporting on the transactions, should be divided between at least two people.
• Threshold limits to reduce risk associated with the computer system.
• Customer awareness campaigns to increase customer education and protection, e.g. a notice below the biller code to pay only via that code and none else
• Employee training on acceptable practices and conditions as well as roles and responsibilities
• Communication and information sharing with employees. Many businesses are going through hard times and payroll debts are not uncommon. Where employees are not paid in full, silence, ducking and diving do not help the situation.
• Monitor and analyse suspicious activity
• Monitor activity on system access – does system access tally with historical business activity?
• Create robust customer recourse and escalation procedures – customers can be a good internal control resource
• SMS alerts to customers, where possible
• Management checks and review

A thriving business environment is fodder to a thriving community and vice versa. I will be sharing specific incidents in future. Please help the SME in Zimbabwe – and other businesses for that matter – by sharing your experiences with me (caleb.mutsumba@gmail.com) and/or leaving your comments below.

Caleb Mutsumba RPA, CFE
Forensic Auditor
Mobile/WhatsApp: +263 772 466540/ +263 712 620287
Skype: caleb.mutsumba
LinkedIn:- http://zw.linkedin.com/in/calebmutsumba


Fraud in Non-Profit Organisations

“I wrote an article on this a few years ago and interviewed a few experts on fraud in non-profits and why it tends to go undetected for so long. One theory was that non-profits are too trusting and assume that people who work for them respect the spirit of charity that the organization is built on. Unfortunately this isn’t always the case and a lack of internal controls combined with the limited staffing typical of non-profits makes it easier for employees in accounts to steal. Accounts payable fraud seems to be among the most prevalent, possibly due to situations where due to staffing limitations, one employee is responsible for too many financial tasks without checks and balances. If you’re interested in reading the article, you can find it here: Fraud in Non-Profits”

Dawn Lomer

Blackmail Fraud: What is it?

Immunity from Termination

The one distressing development that we at 5wh are witnessing across many of our client organisations in Zimbabwe is what we have come to call “blackmail fraud”. In this situation, the fraudster – either amateur or professional and mostly in an administrative or managerial position – commits acts of transactional or systematic non-compliance as part of or adjacent to the fraud scheme.

When the fraud is detected, the fraudster calls attention to the non-compliance issue. In many instances, because of the legal doctrine of vicarious liability, the non-compliance issues tend to imperil the employer more than the employee. In the end, employers are stopped from acting against the offender in the way they otherwise would have, or as the Code of Conduct stipulates.

Though this is not a new phenomenon, we have seen that, with penalties getting so excessive (take tax penalties, for instance), even the smaller non-compliance issues give rise to this phenomenon of “non-terminability” or “immunity from termination”.

Where to Now?

Internal Control

An organization is a living entity which changes over time. As a result, the organization’s mission, goals and objectives must be regularly evaluated and periodically revised. Thus, internal control is an ongoing process known as the Internal Control Cycle. After an organization analyzes its goals and objectives to determine its risks, management must analyze these risks and evaluate the policies and procedures in the identified high-risk areas. Part of the management process includes monitoring the progress made toward meeting goals and objectives. Monitoring also helps to ensure the effectiveness of the organization’s internal controls and the effectiveness of the policies and procedures. Periodically, policies and procedures should be revised to mitigate risk and eliminate redundancy. They must also be communicated internally and externally, as necessary.

Everyone in an organization has responsibility for internal control.

Tone at the Top

Management’s attitude, actions, and values set the tone of an organization, influencing the control consciousness of its people. Internal controls are likely to function well if management believes that those controls are important and communicates that view to employees at all levels. If management views internal controls as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be communicated. Employees are aware of the practices followed by upper management, including those that circumvent internal controls. Despite policies to the contrary, employees who note that their managers frequently override controls will also view internal controls as “red tape” to be “cut through” to get the job done. Management can show a positive attitude toward internal control by such actions as complying with their own policies and procedures, discussing internal controls at management and staff meetings, and rewarding employees for following good internal control practices. Although it is important to establish and implement policies and procedures, it is equally important to follow them. In the “immunity from termination” scenario, the Code of Conduct is not only perceived to be just another worthless document; it is in effect a hollow manuscript.

Management Ethics, Philosophy & Operating Style

An organization’s culture evolves from the values of its members and the culture, in turn, exerts a strong influence on the actions, decisions, and behaviors of all employees.

An ethical culture requires engaged employees and managers who understand why doing the right thing is important for the organization’s long-term viability; and they have the determination to see that in fact the right thing does get done.

What are some of the key attributes needed for an organization to be fully integrity-based?
• Employees feeling a sense of responsibility and accountability for their actions and for the actions of others.
• Employees freely raising issues and concerns without fear of retaliation.
• Managers modeling the behaviors they demand of others.
• Managers communicating the importance of integrity when making difficult decisions.
• Leadership understanding the pressure points that drive unethical behavior.
• Leadership developing processes to identify and remedy these areas where pressure points occur.

These attributes touch other aspects of the organization that go beyond the fundamental abilities of making a profit and maintaining high levels of quality and productivity: how well the organization adapts to change or encourages employees to be engaged in decision making, and how well the organization creates a collective sense of purpose around shared values. It is this broader set of skills and qualities that creates the foundation needed to support an ethical culture. These higher-level behaviors are no longer “nice to haves.” These are the behaviors now demanded for survival in this economic environment of creative destruction.

Management’s philosophy and operating style affect the way the organization is managed. They determine, for example, whether the organization functions informally with verbal instructions or formally with written policies and procedures. They also define whether the organization is conservative or aggressive in its response to risks. In other words, they define the organization’s “risk appetite” or the level of risk that is acceptable to the organization. To be successful, the organization’s internal controls must be aligned with management’s philosophy.

Our summary advice is:

(a) Tone at the top.

(b) Making certain that Internal Controls are operating as they should at all times. This calls for an independent monitoring function.

(c) A periodic Fraud Vulnerability Review (also known as a Fraud Risk Assessment), which follows the premise of “prevention is better than cure”. Here experts assist with the process of risk analysis that proceeds from threat assessment to threat evaluation to the selection of countermeasures designed to contain or prevent that risk.

(d) Effective, conclusive investigations where a fraud is suspected or detected.

About 5wh Audit

5wh is a relationship-oriented professional services company that provides the following solutions to business challenges:
• Internal Audits
• Forensic Audits
• Compliance Audits
• Due Diligence Investigations
• Business Systems Design, Development and Reviews

We work with business owners and leaders who are set on blowing away those constraints blocking their way to success. We also assist our clients to isolate hidden economic assets in their business and determine specific projects to optimize and leverage those assets for greater profit and growth.
We know that the only way to turn your potential for success into actual success is to blow away the constraints that block your path.
________________________________________
© Caleb Mutsumba