Page 73 - ITU-T Focus Group Digital Financial Services – Recommendations
Title of recommendation: Require fraud reporting per standardized fraud definitions
Working Group: Consumer Experience and Protection
Theme: Fraud
Audience for recommendation: Regulators
Regulators should standardize definitions of fraud types and require standardized, electronic, timely fraud
reporting from providers. Regulators should use this and other information to monitor fraud types and trends
in the market and determine whether and what type of additional fraud detection and mitigation measures are
necessary and feasible.
Fraud is a key DFS security issue and its frequency is increasing, according to research by FinCoNet [21]. To monitor
and control fraud, regulators need access to regular, timely, and standardized data. Although monitoring and
circulating data on frauds and scams is essential to the health of the DFS sector, providers may be averse to
reporting fraud incidents due to a perceived risk to their reputations. Regulators should mandate reporting of
all DFS-related fraud and other criminal activity, and provide confidential mechanisms for sharing information.
Providers should submit fraud information electronically using standard templates and definitions to
allow regulators to more efficiently aggregate and analyze data and trends and report emerging issues to
providers, other regulators, and law enforcement. Analysis should inform additional fraud detection and
mitigation measures, and regulators should disseminate aggregate information so that providers have a better
understanding of fraud across the market and can take appropriate steps.
FinCoNet [21] provides examples of fraud definitions. FinCoNet also describes some of the main types of DFS fraud
as theft of personal data and security credentials; identity theft based on profiling and tracking techniques;
malware, phishing, and SIM card swaps (i.e., when a customer’s mobile phone is attacked and phone calls and
SMS are fraudulently received by a fraudster’s SIM card). GSMA [16] lists and defines key fraud risks in terms of
where in the process the fraud may occur, including, but not limited to, the following:
Transactional (customer) fraud
• Vishing/Smishing - phone calls or SMS to gather personal details such as account numbers, PINs or
personal identification details.
• Advance fee scams – customers are duped to send funds under fake circumstances.
• Payroll fraud – a non-existent employee receiving funds.
• Reversal requests - customer requests to reverse transactions that were in fact successful, or unintended
recipient cashes out following an erroneous transaction.
• False transactions - sending fake SMS to make customers believe a transaction was successful. Often
accompanied by a reversal request.
Channel (agent) fraud
• Split transactions - agents split cash-in transactions in order to earn multiple commissions in a tiered
commission structure.
• False transactions - agents transferring customer funds to a personal account.
• Registration fraud - creation of accounts for false, invalid, or duplicated customers for the purpose of
obtaining extra registration commissions.