Fraud and Risk Management

1. Introduction

With advances in information technology, most payment transactions have moved to electronic channels such as Internet and mobile banking and payment cards. Fraudsters have followed customers into this space. The response to fraud in these channels still needs improvement, in particular so that the entire onus is not placed on the customer. There is also a lack of clarity among organizations about whether, and how, such incidents are to be reported as frauds.

A need is therefore felt to have an industry wide framework on fraud governance with particular emphasis on tackling electronic channel-based frauds. This note endeavors to bring out the challenges and suggests a framework which can be implemented across organizations to effectively tackle the electronic fraud menace.

It would be useful to recall the definition of fraud at this stage. ‘A deliberate act of omission or commission by any person, carried out in the course of a banking transaction or in the books of accounts maintained manually or under computer system in the regulated entities, resulting into wrongful gain to any person for a temporary period or otherwise, with or without any monetary loss to the bank’.

This definition was recommended in para 9.1 of the Report of the Study Group on Large Value Bank Frauds set up by the Reserve Bank of India in 1997. It follows that, like other bank frauds, IT-related frauds must be captured through the fraud reporting system, and organizations should take adequate steps to mitigate such risks.

2. Roles and Responsibilities and Organizational Structure for Fraud and Risk Management for the Banks and Other Select Financial Institutions

2.1      Governance and Management of Fraud Risks

  • Cashlesso has incorporated appropriate processes into its governance and risk management programs for identifying, analyzing, monitoring and managing the specific risks, including compliance risk and fraud risk, associated with its portfolio of digital payment products and services, on a continual basis and in a holistic manner.
  • Cashlesso shall conduct periodic risk assessments of the safety and security of its digital payment products and associated processes and services, and of their suitability and appropriateness for the target users, both before establishing a service and regularly thereafter, taking fraud risk into account.

2.2      General Guidelines Laid Down by RBI & Cashlesso’s Adherence

  • The Reserve Bank of India requires Chairmen and Managing Directors/Chief Executive Officers (CMD/CEOs) to give focus to the “Fraud Prevention and Management Function” so as to enable, among other things, effective investigation of fraud cases and prompt and accurate reporting to the appropriate regulatory and law enforcement authorities, including the Reserve Bank of India itself. Cashlesso follows this precisely and ensures that Senior Management’s focus is on effective investigation and on reporting to the appropriate authorities.
  • The fraud risk management, fraud monitoring and fraud investigation function is jointly owned by the CEO, the Audit Committee of the Board and the Special Committee of the Board.
  • The Board of Cashlesso has put in place an internal policy for the fraud risk management and fraud investigation function, based on governance standards that place ownership of the function and accountability on a defined and dedicated organizational set-up and operating processes.

2.3      Classification of Frauds by The Reserve Bank of India

  • In order to have uniformity in reporting, frauds have been classified by the RBI as under, based mainly on the provisions of the Indian Penal Code:
    1. Misappropriation and criminal breach of trust
    2. Fraudulent encashment through forged instruments, manipulation of books of account or through fictitious accounts, and conversion of property
    3. Unauthorized credit facilities extended for reward or for illegal gratification
    4. Cheating and forgery
    5. Fraudulent transactions involving foreign exchange
    6. Any other type of fraud not coming under the specific heads above
  • In regard to cases under item 5 above, transactions resulting from negligence and foreign exchange transactions involving irregularities/violation of regulations shall also be reported by Cashlesso as fraud if the intention to cheat/defraud is suspected or proved.

2.4      Reporting of Frauds to Reserve Bank of India

  • Where required, Cashlesso shall furnish a Fraud Monitoring Return (FMR) to RBI for each individual fraud case, irrespective of the amount involved, within three weeks of the date of detection, as mandated.
  • When required, Cashlesso shall submit fraud reports in cases where central investigating agencies have initiated criminal proceedings suo motu and/or where the Reserve Bank has directed that such cases be reported as frauds.
  • Cashlesso shall also report frauds perpetrated in its subsidiaries and affiliates/joint ventures in the prescribed FMR format. Where the subsidiary/affiliate/joint venture is itself regulated by the Reserve Bank of India and is independently required to report fraud cases to RBI under the guidelines applicable to it, Cashlesso shall not be required to furnish the FMR in respect of fraud cases detected at that entity.
  • In addition to the FMR, where required Cashlesso shall furnish a Flash Report (FR) for frauds involving amounts of ₹50 million and above within a week of such frauds coming to the notice of Cashlesso’s Head of Risk & Compliance. The FR would, inter alia, include the amount involved, nature of the fraud, modus operandi in brief, names of the parties involved and their constitution, names of proprietors/partners and directors, names of officials involved, and the lodging of a complaint with the authorities.
  • Further, Cashlesso shall report developments in each fraud case through the FMR Update application as required.

2.5      Reports to the Board

  • Cashlesso shall ensure that all frauds of ₹0.1 million and above are reported to its Board promptly on detection. Such reports would, among other things, take note of any failure on the part of the officials and controlling authorities concerned, and give details of the action initiated against the officials responsible for the fraud.

2.6      Quarterly Review of Frauds

  • Information relating to frauds, if any, for the quarters ending June, September and December shall be placed before the Audit Committee of the Board of Directors of Cashlesso during the month following the quarter to which it pertains.
  • These shall be accompanied by supplementary material analysing statistical information and the details of each fraud, so that the Audit Committee of the Board has adequate material to contribute effectively on the punitive and preventive aspects of frauds.
  • A separate review for the quarter ending March is not required, in view of the Annual Review for the year ending March prescribed in 2.7 below.

2.7      Annual Review of Frauds

  • Cashlesso shall conduct an annual review of frauds, if any, and place a note before the Board of Directors/Local Advisory Board for information. The review for the year ended March shall be put up to the Board before the end of the following quarter, i.e. the quarter ending June 30. Such reviews need not be sent to RBI but shall be preserved for verification by the Reserve Bank’s inspecting officers if required.
  • The main aspects to be taken into account in such a review include, inter alia, the following:
    • Whether the systems in Cashlesso are adequate to detect frauds, once they have taken place, within the shortest possible time.
    • Whether frauds are examined from the staff angle.
    • Whether deterrent punishment is meted out, wherever warranted, to the persons found responsible.
    • Whether frauds, if any, have taken place because of laxity in following systems and procedures and, if so, whether effective action has been taken to ensure that the systems and procedures are scrupulously followed by the staff concerned.
    • Whether frauds are reported to the appropriate authorities for investigation, as per the guidelines issued in this regard.
  • The annual review by Cashlesso shall also, among other things, include the following details:
    • Total number of frauds detected during the year and the amount involved, as compared with the previous two years;
    • Analysis of frauds by category and by business area;
    • Modus operandi of major frauds reported during the year, along with their present position;
    • Detailed analysis of frauds of ₹0.1 million and above;
    • Estimated loss to Cashlesso during the year on account of frauds, the amount recovered and provisions made;
    • Number of cases (with amounts) in which Cashlesso’s staff were involved, and the action taken against them;
    • Time taken to detect frauds (number of cases detected within three months, six months and one year of their taking place);
    • Position with regard to frauds reported to the authorities;
    • Number of frauds in which final action has been taken by Cashlesso and the cases disposed of;
    • Preventive/punitive steps taken by Cashlesso during the year to reduce/minimize the incidence of frauds.
  • Cashlesso shall place a copy of any circular on the modus operandi of specific frauds that it issues to alert its teams before the Audit Committee of the Board (ACB) at its periodic meetings.

2.9      Special Committee of the Board

  • While the Audit Committee of the Board (ACB) of Cashlesso shall monitor all cases of fraud in general, Cashlesso shall also constitute a Special Committee of the Board for monitoring and follow-up of cases of fraud (SCBF) involving amounts of ₹10 million and above exclusively. The Special Committee shall consist of three (3) members: one (1) from the Board of Directors, one (1) from the ACB, and the Legal Advisor. The periodicity of the Special Committee’s meetings may be decided according to the number of cases involved. In addition, the Committee shall meet and review as and when a fraud involving an amount of ₹10 million and above comes to light.
  • The major functions of the Special Committee shall be to monitor and review all frauds of ₹10 million and above so as to:
    • Identify the systemic lacunae, if any, that facilitated perpetration of the fraud, and put in place measures to plug them;
    • Identify the reasons for any delay in detection or in reporting to top management;
    • Monitor the progress of the investigation by the authorities and the recovery position;
    • Ensure that staff accountability is examined at all levels in all cases of fraud and that staff-side action, if required, is completed quickly without loss of time;
    • Review the efficacy of the remedial action taken to prevent recurrence of frauds, such as strengthening of internal controls.

2.10    Cases of Attempted Fraud

  • Cashlesso is not required to report cases of attempted fraud of ₹10 million and above to the Reserve Bank of India. However, Cashlesso shall continue to place a report on each individual case of attempted fraud involving an amount of ₹10 million and above before the Audit Committee of its Board. The report shall cover the following:
    • The modus operandi of the attempted fraud;
    • How the attempt did not materialize into fraud, or how the attempt failed/was foiled;
    • The measures taken by Cashlesso to strengthen the existing systems and controls;
    • New systems and controls put in place in the area where the fraud was attempted.
  • Further, a consolidated review of such cases detected during the year, as on March 31 every year, containing information such as the areas of operation where such attempts were made, the effectiveness of new processes and procedures put in place during the year, the trend of such cases over the last three years, and the need for further changes in processes and procedures, if any, shall be put up to the ACB within three months of the end of the relevant year.

2.11    Closure of Fraud Cases

  • If mandated, Cashlesso shall report to RBI the details of fraud cases of ₹0.1 million and above that have been closed, along with the reasons for closure, after completing the process given below.
  • Cashlesso shall close cases only where the following actions are complete:
    • The fraud cases pending with the authorities/Court have been finally disposed of;
    • The examination of staff accountability has been completed;
    • The amount of the fraud has been recovered or written off;
    • Any insurance claim, wherever applicable, has been settled;
    • Cashlesso has reviewed its systems and procedures, identified the causative factors and plugged the lacunae, and this has been certified by the appropriate authority (Board / Audit Committee of the Board of Cashlesso).
  • Cashlesso shall also pursue vigorously with the law enforcement authorities the final disposal of pending fraud cases, especially where Cashlesso has completed the staff-side action, if warranted.
  • Cashlesso may at its discretion, for limited statistical/reporting purposes, close fraud cases involving amounts up to ₹2.5 million where:
    • The investigation is ongoing, or a challan/charge sheet has not been filed in Court, for more than three years from the date of filing of the First Information Report (FIR) with the law enforcement authorities; or
    • The trial in the courts, after filing of the charge sheet/challan by the law enforcement authorities, has not started or is in progress.
  • Cashlesso shall follow the guidelines on seeking prior approval from RBI for closure of such cases and on follow-up of such cases after closure, as set out below.
  • Cashlesso shall submit proposals for closure to RBI case by case. The cases may be closed after obtaining the approval of RBI.
  • Cashlesso shall maintain the details of such cases in a separate ledger. Even after closure of a fraud case for limited statistical purposes, Cashlesso shall diligently follow up with the investigating law enforcement authorities to ensure that the investigation is taken to its logical conclusion. Cashlesso shall also continue to ensure that it is regularly and appropriately represented in court proceedings as and when required. All relevant records pertaining to such cases must be preserved until the cases are finally disposed of by the authorities or Courts, as the case may be.
  • Notwithstanding that Cashlesso may close cases of fraud while the law enforcement investigation is in progress or the case is pending in a court of law, Cashlesso shall complete, within the prescribed time frame, the examination of staff accountability and conclude staff-side actions.
  • For closure of frauds of ₹0.1 million and above, Cashlesso, guided by the points above, shall submit its closure proposals to RBI. For frauds below ₹0.1 million, Cashlesso may close the case using the FMR Update application.

2.12    Guidelines for Reporting Frauds to Police / CBI

  • In dealing with cases of fraud/embezzlement, Cashlesso shall not be actuated merely by the need to recover the amount involved expeditiously, but shall also be motivated by the public interest and the need to ensure that the guilty do not go unpunished.
  • All fraud cases of value over ₹10,000/- shall be referred to the Audit Committee of the Board (ACB) of Cashlesso, which shall scrutinize each case and report the matter to the law enforcement authorities for further legal action and recovery.
  • Fraud cases of value below ₹10,000/- may, at the discretion of the ACB and with the further authorization of the CEO, be referred to the Head of Finance and the Legal Advisor at Cashlesso, who shall scrutinize each case and decide whether it should be reported to the law enforcement authorities for further legal action and recovery.

2.13    Separate Department to manage frauds

The activities of fraud prevention, monitoring, investigation, reporting and awareness creation shall be owned and carried out by the Audit Committee of the Board (ACB) of Cashlesso, specifically including the CEO.

3. Online Payment Fraud: The Different Types

Irregular financial transactions may be classified into three distinct categories:

  1. Transactions intended for money laundering, to hide illicit income and/or avoid tax by creating fictitious remitter/beneficiary accounts;
  2. Transactions intended to finance terrorism and other such nefarious activities;
  3. Phishing, vishing, spoofing, hacking, session hijacking and man-in-the-middle (MITM) attacks by cyber criminals intended to steal money.

The most common types of online fraud occur via phishing or spoofing, data theft, hacking, man-in-the-middle attacks, and chargeback or friendly fraud. These are explained below.

Online Phishing or Spoofing

Phishing is the process of obtaining a person’s credentials or personal information through fraudulent e-mails, messages or websites that claim to be legitimate. The information gathered this way can include usernames, passwords, credit card numbers or bank account numbers.

The most widely used method is to direct the user (from an e-mail or SMS) to a look-alike copy of an “official” website where they are asked to update or confirm their personal information. The user is thereby tricked into revealing information that they would not otherwise disclose to anyone.

Phishing can also occur via other electronic means such as SMS, instant messaging and voice calls (vishing). The user may be directed to make a payment on a website that looks legitimate but has been created to capture card details for later misuse.

Data Theft

Dishonest employees or partners can steal card data from businesses and use it to commit fraud. Payment gateways, payment aggregators and online merchants take stringent measures to ensure that such breaches do not occur.

Cashlesso does not store card details and is working to implement tokenization with the card networks, such as Visa and Mastercard. Furthermore, Cashlesso is a certified PCI DSS compliant organization, which means it undergoes stringent audits of its cardholder data handling processes.

Account information theft: Malware on the user’s device can capture the keystrokes of their login information. It can also monitor and capture other data used to authenticate identity (such as special images or words).

Hacking

Hacking here refers to the compromise of weak login credentials on the infrastructure that manages live user data. Weak credentials are relatively easy for a criminal to break: systems and applications are attacked with dictionary or brute-force attacks until the right password or credentials are obtained, after which the organization’s database and customer records can be exfiltrated. To counter this, Cashlesso conducts regular system audits and penetration tests, enforces multi-factor authentication for logins, and has deployed a web application firewall (WAF).

Man-in-the-Middle Attack

Fake website substitution: Malware on the user’s device can generate web pages that appear legitimate but are not. It replaces an organization’s legitimate website with a page that can look identical, except that the web address will differ in some way. Such a “man-in-the-middle” site lets the attacker intercept user information. In the related man-in-the-browser variant, the malware adds extra fields to the copy of the legitimate page opened in the browser; when the user submits the form, the information is sent both to the organization and to the attacker without the user’s knowledge. To counter tampering in transit, Cashlesso ensures that every request/data packet is verified by a unique checksum and that data is always transmitted over encrypted channels.
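The request integrity check referred to above, as an added example and not Cashlesso’s own code: a keyed checksum (HMAC-SHA256 over the canonical form of the request) computed by the sender and re-verified by the receiver. The shared key, the field names and the sample request are constructed for illustration. The example also shows why the checksum must be keyed: an unkeyed hash can simply be recomputed by whoever alters the request. Note the limit of the control: an HMAC detects fields added or changed after signing; it cannot by itself stop malware that runs inside the user’s browser before the request is signed, which is why TLS, device hygiene and customer awareness remain necessary alongside it.

```python
import hashlib
import hmac
import json

# Constructed for this example; in practice a per-merchant secret provisioned out of band.
SHARED_KEY = b"example-merchant-secret"


def canonical(fields: dict) -> bytes:
    """Serialize the request deterministically so both sides hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def keyed_checksum(fields: dict, key: bytes = SHARED_KEY) -> str:
    """HMAC-SHA256 over the canonical request; only a holder of `key` can produce it."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def unkeyed_checksum(fields: dict) -> str:
    """Plain SHA-256: anyone who can read the request can recompute this."""
    return hashlib.sha256(canonical(fields)).hexdigest()


def verify_keyed(fields: dict, checksum: str, key: bytes = SHARED_KEY) -> bool:
    # compare_digest avoids leaking the mismatch position through timing.
    return hmac.compare_digest(keyed_checksum(fields, key), checksum)


def verify_unkeyed(fields: dict, checksum: str) -> bool:
    return hmac.compare_digest(unkeyed_checksum(fields), checksum)


def tamper(fields: dict) -> dict:
    """What an in-path attacker does: change the amount and inject an extra field."""
    altered = dict(fields)
    altered["amount"] = "99999.00"
    altered["card_pin"] = "1234"  # injected field, not part of the genuine form
    return altered


def demo() -> dict:
    """Sign a genuine request, then check it and a tampered copy under both schemes."""
    request = {  # constructed sample request
        "merchant_id": "M12345",
        "order_id": "ORD-2024-0001",
        "amount": "1500.00",
        "currency": "INR",
    }
    keyed = keyed_checksum(request)
    unkeyed = unkeyed_checksum(request)
    altered = tamper(request)
    return {
        "genuine_keyed_ok": verify_keyed(request, keyed),
        # The attacker cannot recompute the HMAC without the key, so the tampered copy fails.
        "tampered_keyed_ok": verify_keyed(altered, keyed),
        # With an unkeyed hash the attacker just recomputes it over the altered request.
        "tampered_unkeyed_ok": verify_unkeyed(altered, unkeyed_checksum(altered)),
        # An unkeyed hash only catches accidental corruption (the stale value mismatches).
        "stale_unkeyed_ok": verify_unkeyed(altered, unkeyed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The receiver must build the canonical form from the fields it actually received, never from a client-supplied serialization, otherwise an attacker can present one byte string for hashing and another for processing.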

 

Chargeback Fraud or Friendly Fraud

For instance, a customer makes an online purchase. Later, they claim that the purchase was made fraudulently and ask for a chargeback, even though they made the purchase themselves.

This is known as chargeback fraud or friendly fraud: the business processes a transaction because it appears legitimate, only to be issued with a chargeback later.

Fraudsters may also order expensive items from online shopping websites using fake credentials. When the shipment is delivered, they remove the items from the boxes, replace them with counterfeits, and accuse the seller of sending sub-standard goods.

Chargeback fraud causes losses for merchants and is a hassle for any business, including Cashlesso. To mitigate this, Cashlesso has an exhaustive and robust Chargeback and Refund Policy that helps merchants understand why chargebacks happen and take steps against fraudulent charges.

4. Security protocols and processes

With the growing number of e-commerce users and transactions, it is important that organizations are aware of the mandatory security protocols for e-commerce websites, so that they can avoid fraud. Cashlesso follows:

4.1      TLS Encryption

Data security on an online payment system begins the moment a user lands on the site. The TLS certificate authenticates the site to the browser, and the TLS session encrypts and integrity-protects the data transmitted between the web server and the browser.

Cashlesso uses the highest-assurance certificate type on its website, an Extended Validation (EV) certificate, for which the certificate authority verifies the legal identity of the organization before issuance. (Older material calls these “SSL certificates”; the protocol in use today is TLS.)

Without TLS, all data sent over the Internet is unencrypted and visible to anyone able to intercept it. TLS protects data only in transit; data at rest on either end is addressed by the controls below.
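An EV certificate only helps when the client actually verifies it, so the check a practitioner wants on the other side of the connection is that integrations calling the gateway do not disable verification. As an added example, not Cashlesso’s code, the Python ssl configuration below shows a hardened client context beside the weakened shape that often appears in integration snippets, plus a small audit function that reports the weaknesses. It only creates contexts; no network connection is made.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Verify the server certificate and hostname; refuse TLS below 1.2."""
    ctx = ssl.create_default_context()  # trusted CAs loaded, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The shape of 'quick fix' code that makes an EV certificate worthless to the client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # any certificate for any name is accepted ...
    ctx.verify_mode = ssl.CERT_NONE     # ... including a self-signed one from a MITM
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever the library still allows
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return human-readable findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname=False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2 (minimum_version)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weakened", weakened_client_context())):
        print(label, audit_context(ctx) or ["ok"])
```

The same three properties are what to look for in a code review of any merchant integration: certificate verification on, hostname checking on, and an explicit protocol floor.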

4.2      PCI DSS Compliance

The PCI Security Standards Council (PCI SSC) is a global body that maintains and promotes the compliance standards for handling cardholder data that apply to e-commerce websites and online payment systems.

The Payment Card Industry Data Security Standard (PCI DSS) is, in effect, a set of requirements governing how sensitive cardholder information must be handled.

  • The PCI SSC was formed in 2006 as a joint initiative of the major card brands: American Express, Discover, JCB, MasterCard and Visa (the first version of the PCI DSS itself, v1.0, predates the Council and was published in December 2004). Over the years the PCI DSS has become the guiding standard for cardholder data security across the globe.

In order to be PCI DSS compliant, Cashlesso follows these directives:

  • Maintains a secure network for processing payments: this involves robust firewalls to protect against malicious traffic. Cashlesso does not use default credentials such as manufacturer-provided PINs and passwords, and allows customers to change their own credentials as needed.
  • Ensures all data is encrypted during transmission: when cardholder data is transmitted online, it must be encrypted. Cashlesso encrypts all information the user shares at checkout using TLS (Transport Layer Security), which prevents interception in transit between the user’s system and the organization.
  • Details entered by a user, such as name and address, are used only to process and complete the order. Cashlesso does not store sensitive information such as credit/debit card details, CVV numbers or PINs.
  • Keeps infrastructure secure: this involves Cashlesso keeping abreast of new PCI DSS mandates, keeping software patched and running anti-malware tooling to protect against known vulnerabilities, and running regular system and software vulnerability scans.

Restricts information access: an important part of securing online payments is restricting access to confidential information so that only authorized personnel have access to cardholder data. Cardholder data must be protected at all times, both electronically and physically.

5. Fraud management

Financial crimes have assumed a complex character. Cashlesso understands how fraud, compliance and cybersecurity are interlinked, and takes a holistic approach to mitigating these risks by employing data analytics, artificial intelligence and machine learning in order to:

  • Monitor consistently and detect risks accurately, while keeping false positives below the acceptable threshold;
  • Operate an intelligent, self-learning Fraud and Risk Management (FRM) system;
  • Support all Network Participants with a bouquet of solutions relevant across the entire financial crime spectrum.

Know Your Customer (KYC) procedures

A strong KYC process is the backbone of any fraud prevention activity. It enables Cashlesso to prevent unscrupulous elements from gaining entry into the organization’s environment, where they would have an opportunity to carry out their fraudulent intentions. Similarly, appropriate due diligence before recruitment is essential to prevent known fraudsters or people with fraudulent motives from gaining access to the organization’s channels. Cashlesso applies strong due diligence procedures to potential merchants and employees before they are enrolled.

Merchant fraud occurs when someone creates a fake or bogus company with no intention of selling any product to the customer. The business appears legitimate, but since it offers no actual goods or services, every user who makes a purchase simply loses their money.

Cashlesso has strict processes in place to vet every company that uses its gateway for processing payments, such as:

KYC & background checks: Adhering to strict KYC norms before Cashlesso onboards a business is an integral part of its fraud mitigation practice. Cashlesso shall have in place an in-house Risk team that runs background checks on new businesses and vets them before they go live on Cashlesso’s platform.

Physical security: Cashlesso shall put in place a dedicated team responsible for the security of its physical infrastructure. This team shall conduct regular security audits of the offices to check for deviations/lapses, and shall be responsible for ensuring that physical assets and copied data do not leave the organization’s offices without authorization.

Creation of fraud awareness amongst staff and customers: Awareness of how to prevent and detect fraud is the basis of fraud management. Cashlesso adopts various measures to create awareness amongst staff and customers, as detailed in this policy.

6. Fraud detection

Detection of fraud

In certain cases, despite strong prevention controls aimed at deterrence, fraudsters do manage to perpetrate frauds. In such cases, the sooner the fraud is detected, the better the chance of recovering the losses and bringing the culprits to justice. Techniques used for detecting fraud at Cashlesso include system triggers that surface exceptional transactions, channels that capture customer/employee alerts and disputes, seeding/mystery-shopping exercises, and encouraging employees, customers and well-wishers to report suspicious transactions or behaviour. Exceptional or suspicious transactions and activities reported through these mechanisms are investigated in detail by the Risk & Operations Team.

Transaction monitoring

Within the Operations Team, a transaction monitoring unit is responsible for monitoring the various types of transactions, with particular attention to potential fraud areas, so that early alarms can be triggered. This unit has the expertise to analyze transactions to detect fraud trends and the authority to immediately raise an alarm and suspend the account concerned. It works with the technical team on data extraction, filtering and sanitization for transaction analysis. Cashlesso has put in place automated systems for fraud detection based on statistical algorithms and fraud detection techniques.

Alert generation and redressal mechanisms

Cashlesso has established mechanisms to take note of the disputes, exceptions or suspicions highlighted by various stakeholders, including the transaction monitoring team, and to investigate them thoroughly. Cashlesso also operates a whistle-blowing mechanism as a matter of policy.

Contact for reporting suspected frauds

At Cashlesso, customers can report any fraudulent activity they notice to:

contactus@cashlesso.com

Dedicated staff shall respond to customer queries and concerns regarding fraud through the above e-mail address.

Importance of early detection of frauds

An organization’s fraud management function is effective if it minimizes fraud and, when fraud does occur, detects it quickly enough that the loss is minimized.

Cashlesso documents and implements the configuration for identifying suspicious transactional behaviour: the rules, the preventive and detective controls, the mechanism for alerting customers in case of failed authentication, the time frame for such alerts, and so on.

Systems for detecting ‘Merchant Fraud’

Cashlesso takes this check one level higher by monitoring suspicious and potentially fraudulent businesses and the transactions that originate from them:

  • Transaction monitoring: Cashlesso applies risk logic designed to detect possible fraud. For instance, a merchant that normally receives 20-40 online orders a day suddenly starts receiving 300-500 orders daily and keeps escalating at the same rate. A sudden spike in transaction velocity (number of transactions per minute/hour/day), volume (amount transacted) or pattern (for example, international orders for a local brand) is an indicator of fraud, and Cashlesso’s systems immediately flag such transactions for further investigation. The risk logic also comprises business rules for monitoring the thousands of transactions on the Cashlesso platform each day. This logic is tuned per merchant, so that it can readily distinguish standard day-to-day transactions from those that carry a high probability of risk.
  • Third-party background checks: Cashlesso uses third-party checks, including but not limited to Accuity, to conduct thorough background checks.
  • E-KYC: E-KYC is conducted to further verify the documentation provided by the merchant at the time of onboarding.
  • Extensive documentation: Cashlesso seeks and verifies company and director documents, keeps them on record, and matches them against government databases for security and risk mitigation.
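The velocity, volume and pattern check described in the transaction-monitoring bullet above, as an added example rather than Cashlesso’s production logic: each merchant-day is compared with the median of that merchant’s own trailing seven days, so the thresholds are per merchant as the text requires. Merchant IDs, order counts, amounts and countries are constructed sample data; the multipliers (5x count, 5x volume, 30% international share) and the minimum-baseline guard are assumptions that would be tuned per merchant in practice.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    merchant: str
    day: int        # day index in the constructed sample, not a calendar date
    amount: float   # INR
    country: str    # ISO 3166 country of the cardholder


def daily_profile(txns, merchant, day):
    """Return (order count, total amount, international share) for one merchant-day."""
    rows = [t for t in txns if t.merchant == merchant and t.day == day]
    count = len(rows)
    volume = sum(t.amount for t in rows)
    intl = sum(1 for t in rows if t.country != "IN")
    return count, volume, (intl / count if count else 0.0)


def flag_merchant(txns, merchant, day, window=7, spike=5.0, intl_share=0.3, min_base=5):
    """Compare one day against the merchant's own trailing-window median baseline.

    Returns a list of (reason, observed, baseline) tuples; empty means nothing to flag.
    Assumed thresholds: `spike` multiplier for count and volume, `intl_share` for the
    share of non-domestic orders, `min_base` so that a brand-new merchant with a
    near-zero baseline is not flagged on its first real day of trade.
    """
    history = [daily_profile(txns, merchant, d) for d in range(day - window, day)]
    base_count = median(c for c, _, _ in history)
    base_volume = median(v for _, v, _ in history)
    base_intl = median(s for _, _, s in history)
    count, volume, intl = daily_profile(txns, merchant, day)

    reasons = []
    if base_count >= min_base and count > spike * base_count:
        reasons.append(("velocity", count, base_count))
    if base_volume > 0 and volume > spike * base_volume:
        reasons.append(("volume", round(volume, 2), round(base_volume, 2)))
    if count >= min_base and intl > intl_share and intl > 2 * base_intl:
        reasons.append(("international_share", round(intl, 2), round(base_intl, 2)))
    return reasons


def build_sample():
    """Constructed sample: M1 is steady then spikes on day 7; M2 is steady throughout."""
    txns = []
    for day in range(7):                       # M1 baseline: 30 domestic orders a day
        for i in range(30):
            txns.append(Txn("M1", day, 500.0 + (i % 7) * 50, "IN"))
    for i in range(400):                       # M1 day 7: 400 orders, 40% international
        txns.append(Txn("M1", 7, 500.0 + (i % 7) * 50, "US" if i % 5 < 2 else "IN"))
    for day in range(8):                       # M2: 20 orders a day, 10% international
        for i in range(20):
            txns.append(Txn("M2", day, 1200.0, "GB" if i % 10 == 0 else "IN"))
    return txns


if __name__ == "__main__":
    sample = build_sample()
    for merchant in ("M1", "M2"):
        print(merchant, flag_merchant(sample, merchant, day=7) or "no flags")
```

A median baseline is used rather than a mean so that one earlier spike does not inflate the baseline and hide the next one; the same structure works over hourly or per-minute buckets by changing what `day` indexes.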

7. Fraud preventive actions & improvements

The means of deception that fraudsters and criminals use these days range from forging identification documents, creating fake business profiles/storefronts, forging invoices/receipts and restructuring transactions to fall below reportable thresholds to other techniques. In order to monitor fraud effectively, Cashlesso maintains a holistic approach that covers the merchant’s entire portfolio, with appropriate technological support.

Cashlesso follows the updated applicable regulatory mandates, comprising pre-on-boarding Know-Your-Customer (KYC) and screening, and post-on-boarding monitoring of merchant behaviour and transactions. These do, however, permit risk-based flexibility with actionable customised solutions. Furthermore, internal risk profiling, periodic updates and fraud reporting, where applicable (to the Financial Intelligence Unit of the Government (FIU-IND), the Central Bureau of Investigation/Police, the Reserve Bank of India’s (RBI) Department of Banking Supervision and others), shall also be undertaken. Even where there are no mandates, Cashlesso carries out these measures via self-imposed checks to detect transactional anomalies and possible frauds.

Cashlesso’s different checks recognise different fraud indicators, and each encounters specific challenges:

  • Digital on-boarding processes: Cashlesso backs the increasingly popular digital on-boarding processes with digital checks and follows the RBI and Insurance Regulatory and Development Authority’s Video KYC norms, as well as the Securities and Exchange Board of India’s (SEBI) e-KYC permissions. One challenge is the faking of a storefront online via a seemingly professional business website, regardless of whether an actual brick-and-mortar storefront exists. For such suspected merchants, Cashlesso performs additional checks ranging from verifying domain name purchase dates, actual site visits and social media activity to assessing the business’s authenticity through licensing/registration checks, credit checks and examination of balance sheets if required.
  • Merchant website checks: Regular manual checks of a merchant’s website also provide indicators, such as reviewing product listings and online customer reviews to help identify the sale of prohibited/fake products. This assists Cashlesso in reassessing merchant risk levels post on-boarding, for example by identifying merchants who maintained an artificially low-risk profile at the time of on-boarding and observing their transactions.
  • Money laundering/tax evasion detection: Detecting money laundering or tax evasion is a challenge given the payment chain’s complexity, which can involve multiple intermediaries or variations in payment cycles. For instance, a merchant can route customer funds through multiple payment intermediaries to enable direct disbursement to fraudulent recipients, thereby enabling laundering, or so that the funds never reach the merchant’s legitimate bank account, which conceals revenue and avoids tax obligations. To mitigate this, Cashlesso conducts a beneficial owner check that helps identify money laundering/terrorist financing concerns; in this instance, a promoter/director/investor identified from the company’s filings on the Ministry of Corporate Affairs portal whose name matches one on a sanctions, Politically Exposed Person (PEP) or international Anti-Money-Laundering/Combating the Financing of Terrorism list.
  • Payments innovation: The fraud detection strategies implemented at Cashlesso keep track of vulnerabilities arising out of new payments innovation (wallets, the Unified Payments Interface, fintech participation through open banking/Application Programming Interface access and other new payment channels that are opening up). Cashlesso’s transaction monitoring algorithms also need to become more intelligent for transactions routed through such channels; for example, the data points to be assessed would differ.
  • Real-time fraud detection at scale: Seamless on-boarding and settlement today require real-time fraud detection mechanisms. The proliferation of digital payments and numerous new merchants (such as micro-merchants) also requires effective fraud prevention at scale. New-age anti-fraud technology can offer the requisite tools here, including:
    • Automated alerts for transaction anomalies (Merchant Category Code violations, URL mismatches, unusual transaction/refund/chargeback frequencies/patterns, or exceeding permitted limits, to name a few),
    • Thorough monitoring of transactions to identify illicit merchant websites or payments processed through unreported/shadow sites,
    • Automated underwriting

In-house Fraud Prevention System

An in-house custom Fraud Prevention System allows Cashlesso to block transactions based on certain risk rules to minimize fraud. The rules can deal with IP addresses, geo-location, user details, velocity checks etc. The following are the features provided by our Fraud Prevention System:

  • Block IP Address: It allows the admin to block specific IP addresses or ranges of IP addresses from processing transactions into their account. Once blocked, the user is not allowed to attempt any transactions into the account, and any transaction made from these IP addresses is rejected.
  • Whitelist IP Address: This allows the admin to whitelist IP addresses, creating a list of trusted IP addresses or IP ranges so that only users from those addresses can access the domains. It limits and controls access to trusted users only.
  • Block Issuer Countries: This allows the admin to block transactions made with cards issued in specific countries.
  • Block Email Address: It allows the admin to block transactions based on the email address provided while initiating the transaction.
  • Limit Transaction Amount: It allows the admin to specify the minimum and maximum amount limits for transactions from the same account per day, so that large-transaction frauds and costly chargebacks can be avoided.
  • Block Card BIN Range: It allows the admin to block specific card ranges from processing transactions to their account. The admin provides the first 6 digits of the card number, which identify the details of the card.
  • Block Phone Number: It allows the admin to block transactions based on the phone number provided while initiating the transaction.
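To make the rule types above concrete, here is an added Python example (not Cashlesso's own code) of a small rule engine that evaluates constructed sample transactions against blocked/whitelisted IP ranges, blocked issuer countries, e-mail addresses, phone numbers and card BINs, and a per-account daily amount limit. All rule values, field names and sample data are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

def _in_any(ip, nets):
    """True if ip falls inside any listed single address or CIDR range."""
    return any(ip_address(ip) in ip_network(n, strict=False) for n in nets)

def evaluate(rules, txns):
    """Map each rejected transaction id to the list of rules it violated.

    Transactions are processed in order; the per-account daily total counts
    only transactions that were themselves approved, as a blocking engine would.
    """
    rejected, daily = {}, defaultdict(float)
    for t in txns:
        checks = (
            ("ip not whitelisted", rules["whitelist_ips"]
             and not _in_any(t["ip"], rules["whitelist_ips"])),
            ("blocked ip", _in_any(t["ip"], rules["blocked_ips"])),
            ("blocked issuer country", t["issuer_country"] in rules["blocked_countries"]),
            ("blocked email", t["email"].lower() in rules["blocked_emails"]),
            ("blocked phone", t["phone"] in rules["blocked_phones"]),
            ("blocked bin", t["card"][:6] in rules["blocked_bins"]),  # BIN = first 6 digits
            ("below minimum amount", t["amount"] < rules["min_amount"]),
        )
        hits = [name for name, bad in checks if bad]
        key = (t["account"], t["date"])  # the amount limit applies per account per day
        if daily[key] + t["amount"] > rules["max_daily_amount"]:
            hits.append("daily amount limit exceeded")
        if hits:
            rejected[t["id"]] = hits
        else:
            daily[key] += t["amount"]
    return rejected

# Constructed sample rules and transactions (placeholder values, not real data).
SAMPLE_RULES = {
    "blocked_ips": ["203.0.113.0/24"], "whitelist_ips": [],
    "blocked_countries": {"XX"}, "blocked_emails": {"fraud@example.com"},
    "blocked_phones": {"+910000000000"}, "blocked_bins": {"411111"},
    "min_amount": 1.0, "max_daily_amount": 50000.0,
}
SAMPLE_TXNS = [
    dict(id="t1", account="m1", ip="198.51.100.7", email="a@example.org", phone="+911111111111",
         card="5200000000000000", issuer_country="IN", amount=30000.0, date="2024-01-10"),
    dict(id="t2", account="m1", ip="198.51.100.7", email="a@example.org", phone="+911111111111",
         card="5200000000000000", issuer_country="IN", amount=25000.0, date="2024-01-10"),
    dict(id="t3", account="m2", ip="203.0.113.9", email="Fraud@example.com", phone="+911111111111",
         card="5200000000000000", issuer_country="XX", amount=100.0, date="2024-01-10"),
    dict(id="t4", account="m2", ip="198.51.100.8", email="b@example.org", phone="+911111111111",
         card="4111110000000000", issuer_country="IN", amount=0.5, date="2024-01-11"),
]
```

Running `evaluate(SAMPLE_RULES, SAMPLE_TXNS)` approves t1 and rejects t2 (daily limit), t3 (IP, issuer country and e-mail) and t4 (BIN and minimum amount), returning every rule each rejected transaction tripped rather than only the first.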

 

Cashlesso also endeavours to continuously improve the business rules such that:

  • Fraud losses are reduced by identifying and challenging fraudulent transactions
  • Customer experience is not compromised, by reducing false positives
  • Legitimate transactions that are interrupted are authorized and brought back on track as quickly as possible with automated tools
  • Obscure patterns and emerging trends in data, which are otherwise impossible for the human eye to detect, are recognized

8. Fraud investigation

At Cashlesso, a detailed and thorough fraud analysis shall be conducted to identify the reason for the fraud’s occurrence and establish customized mechanisms to prevent such frauds.

The entire staff, especially in the fraud control function, shall be educated about frauds and trained in the following skills and areas of expertise:

  1. Fraud control tools and their usage;
  2. Investigative techniques and procedures;
  3. Cardholder and merchant education techniques to prevent fraud;
  4. Scheme/card operating regulations;
  5. Data processing and analysis, and liaising or communicating with law enforcement agencies; and
  6. The skills required to (i) set and update appropriate rules, (ii) monitor the exceptions thrown by the rules on a continuous basis and take necessary actions promptly, (iii) communicate/escalate wherever required to appropriate authorities, and (iv) differentiate false positives from the rest.

Furthermore, Cashlesso shall maintain updated contact details of service providers, intermediaries, external agencies and other stakeholders (including other organizations) for coordination in incident response. Cashlesso shall put in place a mechanism with the stakeholders to update and verify such contact details, and shall also formulate specific SOPs to handle incidents related to the payment ecosystem so as to mitigate the loss to either the customer or the organization.

The examination of a suspected fraud, an exceptional transaction or a customer dispute/alert in the organization is to be undertaken by:

  • Fraud risk management group
  • Specific committee/team of employees constituted to examine the ‘suspected fraud’
  • External agencies, if any, as appointed by the organization.

Fraud Investigation function

It is widely accepted that fraud investigation is a specialized function. Thus, the fraud risk management group at Cashlesso shall undergo continuous training to enhance its skills and competencies. The first step in the investigation process will be gathering the entire transaction details, documents and complete details of the customer/employee or vendor. To investigate into suspected cases, the group would adopt various advanced techniques including computer forensics, forensic accounting and tools to analyze large volumes of data as required.

The investigation team will further conduct oral interviews of customers or employees to understand the background and details of the case. Where an interview of the person accused of fraud is required, the investigation group shall follow a prescribed procedure and record statements appropriately. The investigation activities would be carried out discreetly and within a specified timeline. The investigating team shall take into account all the relationships of the involved parties (with the organization, if required) while investigating, and submit an investigation report. The investigation report will help the respective business groups take a decision on the case and, as the case may be, on all the relationships of the customer with the organization. The investigation report should conclude whether a suspected case is a fraud; thereafter the report would form the basis for further actions such as regulatory reporting as mandated.

In case of employee involvement in the fraud, the investigation report would form the basis of staff accountability and HR actions. It is stated explicitly that, during the course of the investigations, Cashlesso would adopt only means permitted by law, regulations and the code of conduct of the organization, and any inconvenience to customers or the general public shall be reasonably avoided. Cashlesso understands that certain investigations are best carried out by law enforcement authorities, and Cashlesso shall refer critical/complicated cases to such authorities at the appropriate time to enable them to carry out their responsibilities efficiently. Further, if required, the investigating team shall seek the support of other specialized groups within the organization, such as the audit group, to carry out investigations efficiently.

Recovery of fraud losses

The concerned group at Cashlesso shall make all reasonably possible efforts to recover the amount lost. They may use specialized groups such as legal (internal or external) or government agencies for this purpose. The investigating team may also be able to recover some amounts during the course of their investigation. The Police may also recover some amount during their investigation. If a court case has been filed, these recoveries shall be cited as received pending final adjudication or settlement reached.

9. Customer awareness on frauds

Creation of customer awareness on frauds

Customer awareness is one of the pillars of fraud prevention. It has been seen that alert customers have enabled the prevention of several frauds and, in the case of frauds which could not be avoided, have helped in bringing the culprit to book by raising timely alerts. Cashlesso thus aims at continuously educating its customers and soliciting their participation in various preventive/detective measures. It is the duty of all the groups in the organization to create fraud risk awareness amongst their respective customers. The fraud risk management group should share its understanding of frauds with each group, identify areas where customer awareness is lacking and, if required, guide the groups on programs to be run to create awareness amongst customers. The groups should ensure that in each of their interactions with customers there is at least one message to make the customer aware of fraud risk.

The following are some of the measures that may be followed from time to time to create awareness amongst customers:

  • Publications in leading newspapers
  • Detailed ‘do’s and don’ts’ on the web site of the organization
  • Messages printed on organization’s stationery such as envelopes, card covers, etc.
  • Interstitials on television and radio

It may be ensured that the communication to the customer is simple and aimed at making them aware of fraud risks and seeking their involvement in taking proper precautions to prevent frauds. Such communication should be reviewed periodically by the fraud risk management group to judge its effectiveness.

10. Employee awareness and training

Creation of employee awareness

Employee awareness is crucial to fraud prevention. Training on fraud prevention practices shall be provided by the fraud risk management group at various forums. Cashlesso may use the following methods from time to time to create employee awareness:

  • Class room training programs at the time of induction or during risk related training sessions
  • Publication of newsletters on frauds covering various aspects of frauds and containing important messages on fraud prevention from senior functionaries of the organization
  • E-learning module on fraud prevention
  • Online games based on fraud risks in specific products or processes
  • E-tests on prevention practices and controls
  • Detailed ‘do’s and don’ts’ put up on the worksite of the employee
  • Safety tips flashed at the time of logging into applications, screen savers, etc.
  • Emails sent by the respective business heads
  • Posters on various safety measures at the work place
  • Messages/discussions during daily work huddles

Rewarding employees on fraud prevention

A positive way of creating employee awareness is to reward employees who have gone beyond their call of duty, and prevented frauds. Awards may be given to employees who have done exemplary work in preventing frauds. Details of employees receiving such awards may be published in the internal fraud newsletters by Cashlesso.

11. Do’s and Don’ts to Prevent Fraud

  • Do not share confidential details like card number, expiry date, PIN, OTP etc. with anyone. No legitimate representative will ever ask for your card data/passwords up front. The regulated entities and financial service providers have a safe protocol to gain admin access to an account if the need ever arises. If you are asked for such details by anyone posing as an organizational representative, ask them to send you an email, and only respond to emails from the official organizational domain;
  • Do not search for customer support numbers on Google, Twitter, FB etc. Connect through official accounts across the various platforms, e.g. website, Twitter, Facebook. Never call/respond to unverified mobile numbers claiming to be the customer support of any payment or banking organization;
  • Do not allow uncontrolled access to third-party apps such as screen share, AnyDesk and TeamViewer;
  • Always remember that you do not have to ‘Pay’ or enter your UPI PIN to receive money;
  • Passwords are safer when you don’t write them down. Keep strong passwords that you can remember, change them frequently, and refrain from writing them down anywhere;
  • You have the right to dispute suspicious charges on your card or accounts. Raise a chargeback request for any unidentified transaction on your card. You have a legal right to a resolution; however, this must not be misused, as Payment Gateways/Merchants have the legal right to contest unfounded chargebacks as well;
  • When contacted by a Fraudster, immediately report the incident to your nearest cyber-crime center and lodge an FIR providing relevant

12. References

13. Annex 1

Monthly certificate in respect of submission of fraud cases

Name of the bank:

Date:

Certificate for the month:

It is certified that soft copies of the following fraud cases, which were to be reported to RBI during the month ————————, have been sent to RBI by mail.

Sl.No. | Fraud Number | Name of the Party | Amount Involved (Rs Lakh) | Date Sent