Page 71 - ITU-T Focus Group Digital Financial Services – Recommendations
Title of recommendation: Robust security and fraud mitigation systems
Working Group: Consumer Experience and Protection
Theme: Fraud
Audience for recommendation: Regulators
Regulators should ensure that DFS providers have in place robust system security and fraud detection, management,
and mitigation measures and procedures at the time of licensing and on an ongoing basis, and regulators
and providers should jointly conduct consumer and agent awareness efforts to prevent fraud.
Opportunities for fraud arise at numerous points during a DFS transaction, including network downtime,
agent or staff misconduct, and risky behaviour by customers, such as sharing a PIN. In addition, customers
may be subject to third-party fraud, such as phishing SMSs requesting money transfers. As such, regulators
should ensure DFS providers have robust security and fraud detection programs. GSMA’s Code of Conduct for
Mobile Money Providers [18], for example, provides a list of important security and fraud management principles.
Providers should also take into account the level of technology used in the market, such as less sophisticated
equipment (e.g., basic handsets with inadequate encryption standards) that is more likely to expose users
to identity theft.
ITU Focus Group’s document, Commonly Identified Consumer Protection Themes for Digital Financial Services,
recommends that DFS are provided only by licensed entities that are regulated by a financial regulator. [19] This is
in line with an AFI recommendation that regulators license and supervise DFS providers under an enforceable
regulatory framework. [12] Formal licensing standards should require regulators to assess a proposed DFS provider’s
understanding of its target market and relevant operational and security risks. Providers should be required
to establish and maintain adequate policies; procedures; controls; audit programs; information systems;
governance and reporting lines; and hiring standards, including background checks for agents and employees.
AFI also recommends that DFS providers be licensed by one regulator, even though some providers may
offer services that fall under the purview of more than one regulator. [12] A single licensing framework will help
to ensure consistency for consumers related to a DFS provider’s financial and technical resources; internal
controls; operational risk framework, including security controls; and account segregation requirements for
customer funds.
Once licensed, the DFS provider should be required to adhere to these standards at all times and be subject
to inspection to confirm their compliance. CGAP’s paper on Supervision of Banks and Nonbanks Operating
through Agents highlights various approaches to monitoring and reporting agent activities. Good recourse
systems are helpful for monitoring complaints related to fraud. [20] Regulators could also assess the extent to which
providers have an effective feedback loop between their AML-CFT and financial crime monitoring, complaints
handling, and customer/agent awareness/education efforts to ensure fraudsters and fraud schemes are quickly
identified and addressed, and customers are quickly made aware of schemes to avoid.
GSMA’s Code of Conduct for Mobile Money Providers states that mobile money providers shall educate
customers on how to use mobile money services safely. [18] These communications could occur using a variety of
methods. For example, CGAP reports that Kenya’s Safaricom M-PESA uses SMS alerts, radio announcements
in different local dialects, and newspaper ads to update customers on various fraud schemes, [10] and Banco WWB
in Colombia requires product security tips be given to customers when they open an account.
[19] ITU-T FG-DFS (2016), Commonly Identified Consumer Protection Themes for Digital Financial Services, https://www.itu.int/en/ITU-T/focusgroups/dfs/Documents/09_2016/ConsumerProtectionThemesForBestPractices.pdf
[20] Dias, D., Staschen, S., and Noor, W. (2015), CGAP, Supervision of Banks and Nonbanks Operating through Agents, https://www.cgap.org/sites/default/files/Working-Paper-Supervision-of-Banks-and-Nonbanks-Operating-through-Agents-August-2015.pdf