ITU-T Focus Group Digital Financial Services
                                                      Recommendations







                Title of recommendation       Liability for fraud
                Working Group                 Consumer Experience and Protection

                Theme                         Fraud
                Audience for recommendation   Regulators





                Regulators should establish that providers are liable for loss or harm due to fraud related to DFS systems/
                platforms, staff, agents, and third-party service providers, while consumers are generally responsible for fraud
                resulting from their negligence (such as negligence in sharing their PIN). Liability for third-party fraud could
                follow a similar approach to existing regulations, such as banking/agency rules.


               Fraud leads not only to customer losses, but damage to the reputation of the provider and the industry as
               well, according to GSMA . Research conducted for the ITU found that 83 per cent of mobile money users in
                                    16
               the Philippines, 56 per cent in Ghana, and 27 per cent in Tanzania have received a fraudulent or scam SMS. In
               both Tanzania and the Philippines, 17 per cent of mobile money users have lost money to a fraud or a scam,
               and in Ghana 12 per cent have.

               Consumers, especially those who are unfamiliar with formal financial services, may not be aware of the rights
               they have in the case of fraud, or find rules governing the liability of providers and customers confusing. The
               consumer may not even realize who the actual service provider is in cases where DFS are provided through
               agents or partnerships between multiple providers.
               Regulators should clearly define and enforce provider liability for losses due to fraud that is related to the
               DFS system/platforms, staff, agents, and/or third-party service providers. Liability for third-party fraud, such
               as fraudsters sending randomly generated phishing messages, may align with existing rules in a market,
               such as banking or agency banking rules. Finally, consumers shall generally be liable for fraud resulting from
               their own negligence, such as when they share their PIN with an agent. The G20 High-Level Principles  on
                                                                                                      13
               Financial Consumer Protection emphasize the need for strong and effective legal, judicial, and/or supervisory
               mechanisms to protect consumers from fraud, abuse, and errors and for regulators to enforce sanctions for
               such misconduct.

               Better than Cash Alliance (BTCA)  guidelines state that customers should be promptly informed of suspected
                                          17
               fraud and compensated for losses due to fraud by the provider’s agents, employees, and third-party service
               providers, including third-party fraud caused by a reasonably preventable security breach. In Rwanda, banks
               are liable for, and have insurance to cover, third-party fraud. When multiple players (e.g., provider, agents,
               outsourced B2B service providers, or business partners) are involved in a transaction, regulators could review
               and/or approve governing contracts at licensing of the main provider and on an ongoing basis when new
               contracts are developed, to ensure that contracts and other agreements clearly define the responsibilities and
               liabilities of all participants. Regulations should provide guidelines as to what each agreement should cover.

               Managing fraud risk requires DFS providers to have a good knowledge of consumers’ potential vulnerabilities
               (e.g., phones with weak security features, low literacy, or customer reliance on third parties to help perform
               transactions) and to design their business processes and technical interfaces accordingly. CGAP notes that
               DFS providers in Uganda and Rwanda have identified their top consumer-facing fraud concerns as SIM swaps
               leading to identity theft; provider impersonation by fraudsters; false promotions, phishing or social engineering




               16   Gilman, Lara, Joyce, Michael. (2012) GSMA, Managing the Risk of Fraud in Mobile Money, http:// www. gsma. com/
                  mobilefordevelopment/ wp- content/ uploads/ 2012/ 10/ 2012_ MMU_ Managing- the- risk- of- fraud- in- mobile- money. pdf
               17   Better than Cash Alliance. Responsible Digital Payments Guidelines. (2016) https:// btca- prod. s3. amazonaws. com/ documents/
                  212/ english_ attachments/ BTCA-  Responsible_Digital_Payments_Guidelines_and_Background.pdf?1469034383



                                                                                                       63