Highlights of the Panel Discussion

Types of Frauds in Financial Institutions

Frauds can be categorized into three types:

1. First-party fraud: This form of fraud occurs when individuals knowingly provide false information to gain financial or material benefits. For instance, exaggerating their income, fabricating employment details, or misrepresenting their financial situation to access services. Regrettably, first-party fraud is often misclassified as credit loss, leading to challenges in differentiating actual fraud from credit risk, which can impact future lending decisions.
2. Second-party fraud: Involving two parties, this type of fraud is more complex to detect. It happens when someone collaborates with the fraudster by sharing personal details or being complicit in fraudulent activity. Examples include business embezzlement or “friendly fraud,” where a family member or friend misuses someone’s credit card without permission.
3. Third-party fraud: Commonly known as identity theft, this type of fraud involves using an individual’s personal information without their consent to obtain credit or products. This can also encompass creating fake identities using stolen data. Phishing schemes and loan stacking are instances of third-party fraud, where a fraudster acquires funds from multiple loans under a false identity without any intention of repayment.

Recently, a prevalent form of fraud involves small applications. In this scheme, individuals receive SMS messages prompting them to download an app. Even if they have no intention of using it, money is transferred to them. These fraudsters, referred to as “dupers,” then exploit vulnerable targets. Unfortunately, such fraud has surged during the Covid-19 period. Moreover, fraudsters have grown more sophisticated, exploiting end-to-end technology with minimal human interaction, which poses challenges for banks and lenders in effectively verifying applicant identities.

Identifying Internal Fraud: Steps Taken Within the Institution

Many financial institutions have adopted several crucial steps to identify and combat fraud within their organizations effectively. These measures include:

• Utilizing advanced technology: Institutions are leveraging technology to scrutinize borrowers’ credit history comprehensively, employing scorecards and data scrubbing tools to assess potential precursors to fraud.
• Transaction monitoring: Vigilant monitoring of customer records and transactions helps detect any suspicious activities or exceptional changes, allowing for timely intervention.
• Establishing vigilance departments: Institutions have set up dedicated vigilance departments to investigate and verify any unusual or suspicious occurrences within the organization.
• Insider fraud prevention: To prevent insider fraud, privileged access controls are implemented, ensuring employees cannot exploit their positions for fraudulent purposes.
• Compliance with regulatory mandates: Institutions adhere to regulatory requirements by the RBI, such as reporting fraud to the Central Fraud Registry, ensuring a collective effort in combating fraudulent activities.

Recent Case Studies of Fraud

Fraud remains an ever-persistent and intriguing topic, constantly evolving with new sophistication each year. The dynamic nature of fraud keeps everyone, including customers, regulators, and technology providers, on their toes. The continuous game of cat and mouse ensures that fraud will remain relevant as long as the digital economy exists.

Recently, a compelling case study sheds light on the prevalence of synthetic identity fraud. This type of fraud combines real and fake identity information to create accounts for malicious purposes. Fraudsters use various tactics, such as fake mobile numbers, email IDs, and forged personal information, to carry out their schemes. However, there are solutions available to detect and prevent synthetic identity fraud.

One notable case involved a large Indian bank dealing with CASA (Current Accounts Saving Accounts) cards, which experienced a combination of synthetic identity and account takeover fraud. The fraudsters launched bot attacks, creating fake accounts and gaining unauthorized access to customers’ mobile apps. To deceive customers further, they employed social engineering techniques, leading to customers unknowingly sharing sensitive information like SMS OTPs and passwords.

Thankfully, technology providers have developed tools to combat such fraud. By analyzing the risk associated with mobile numbers, email IDs, and device fingerprints, they can detect suspicious activities in real time. This approach ensures that 70% of risky transactions are successfully halted, resulting in a significant increase in accurate user onboarding by over 90%.

This recent case study demonstrates how the financial industry can stay ahead of fraudsters by leveraging technology to safeguard customers and financial institutions alike. As fraud techniques evolve, so will the countermeasures, making this an ongoing battle in the world of digital lending.

Monitoring Loan Frauds

Collaborative Data Approach

• The rise in reported loan fraud cases has become a pressing concern for financial institutions.
• Challenges exist in sharing fraud-related information before loan disbursal, particularly for unregistered cases in the central registry.
• Collaborative efforts among financial institutions to create forums, communities, etc., are essential to tackle these challenges effectively.

Data Democracy and Risk Assessment

• The aim is to establish data democracy, enabling financial institutions to share relevant information and access data from others for improved risk assessment.
• This collaborative data-sharing approach breaks down multiple risk silos and enhances the overall understanding of potential fraud risks.
• Leveraging shared data in lending decisions helps identify risks from various angles, including previous employment fraud or fraudulent activities elsewhere.

Extending Data Democracy Beyond Finance

• The emphasis is on the importance of data democracy beyond financial institutions, extending benefits to individuals and other industries.
• Access to a person’s fraud history for non-financial purposes before renting an apartment or making personal commitments can be invaluable.
• Democratizing data serves as a deterrent, discouraging willful fraud attempts.

Addressing Internal Fraud Challenges

• Internal fraud within organizations is a critical challenge, as perpetrators can move between companies without accountability.
• Establishing a centralized repository accessible to potential employers can mitigate this issue and promote transparency.

Building an Inclusive Data-sharing Ecosystem

• The overarching goal is to create an inclusive data-sharing ecosystem benefiting financial institutions, individuals, and other sectors.
• Collaborative risk assessment and data democracy empower stakeholders to combat loan fraud effectively.

Registration of Loan Frauds with the RBI

The RBI has mandated all banks to promptly report identified frauds to the central fraud registry (FMR) in real-time. This database serves as a central repository where all financial institutions submit their fraud-related data. As part of RBI’s vision for 2020-2025, they aim to create a negative list of fraudulent account numbers and publish it in real-time. Although currently accessible through their website, RBI plans to offer API integration for easier access to this data. 

With the central fraud registry in place, banks can leverage this data to cross-check before disbursing loans, helping identify potential fraud risks. By integrating with any API, FIs can proactively prevent fraud proceeds from being transferred to fraudulent accounts, strengthening their fraud detection capabilities. RBI’s strategic vision is to establish a fully functional system by 2025, providing a vital tool for combating loan fraud and ensuring a more secure financial ecosystem.

Pre-Warning Signs of Loan Frauds

Experienced individuals with a long history in banking or dealing with financial institutions often possess a keen intuition for identifying fraud at an early stage.

To provide examples of pre-warning signs for such frauds:

• If a person is in an extreme hurry to secure a loan.
• If someone claims to have numerous banks ready to offer them loans at unusually low-interest rates.
• If a person manipulates personal relationships with the bank to push them into providing a loan.

Such behaviours indicate desperation beyond normal levels, raising red flags and suggesting potential fraud. In such cases, it becomes crucial to double-check and reverify every step of the loan process. Employing advanced technologies, as mentioned earlier, can aid in cross-verifying information and reducing the occurrence of such fraudulent activities.

Identifying these signals is essential when borrowers display excessive desperation, negotiate unrealistically low-interest rates, or submit an excessive number of documents. Bankers can carefully assess such red flags and make informed decisions based on the evidence at hand. Being vigilant in this manner helps safeguard financial institutions from falling victim to fraudulent schemes.

Detection of Frauds Through Data Analysis

In the digital lending landscape, physical connections with borrowers are diminishing, making it imperative to implement robust controls to assess risk, especially in document verification. Fortunately, technology now offers tools that enable real-time document checks and auto OCR (Optical Character Recognition) during user onboarding. These tools automatically extract and validate data from the provided documents while ensuring authenticity.

To enhance the fraud detection process further, financial institutions can explore the account aggregator framework introduced by RBI. This framework allows access to other lenders’ loan histories, aiding in comprehensive risk assessment. Additionally, utilizing strong alternate data-based scoring mechanisms can provide deeper insights into a borrower’s profile, including mobile numbers, email IDs, and digital footprints.

By combining document tampering proof, alternate data, account aggregator, and advanced technology, banks can safeguard their lending process and mitigate risks efficiently. Implementing these solutions not only improves efficiency and reduces costs but also enhances the overall borrower experience.

Furthermore, technology advancements enable real-time access to paychecks and employment records, providing lenders with valuable data for quicker loan decisions and ensuring safer loan disbursals. The availability of such information allows for more comprehensive risk analysis, taking into account the borrower’s employment history across previous organizations, enabling lenders to make faster and more informed lending decisions.

Awareness Programme for Financial Institutions Employees Regarding Frauds

It primarily involves training rather than just raising awareness, as the key is to lend to the right borrowers. The training focuses on the usage of the latest technology tools to prevent fraud while also creating awareness among customers. SMS alerts and web sliders are used to raise awareness for customers against falling prey to fraud lenders. Moreover, the employees, especially in the credit department, receive training on how to scrutinize loan applications using document screening tools. Additionally, they are educated on identifying forged documents or numbers in balance sheets and GST returns, emphasizing the importance of using appropriate verification tools. Furthermore, employees are trained to identify potential fraud in MSME loans, such as detecting forged documents or misrepresented financial figures. Such comprehensive training and awareness programs play a crucial role in equipping financial institutions’ employees to combat fraud effectively.

How Financial Institutions Communicate Fraud Detection to Customers

• Many banks, especially in India, are hesitant to openly admit to fraud-related issues, concealing their vulnerabilities and portraying a flawless image.
• In contrast, financial institutions in some other countries openly acknowledge their mistakes and weaknesses, fostering a culture of transparency and trust.
• The manual loan process and inadequate digital verification in Indian banks pose challenges in detecting and preventing fraud effectively.
• Indian banks need to adopt a more transparent approach and openly acknowledge any weaknesses or fraud-related incidents.
• Regular communication from regulatory bodies, such as the Reserve Bank of India (RBI), through websites, channels, and social media, can educate the public about potential fraud risks.
• Striking a balance between raising awareness and inadvertently sharing tactics with potential fraudsters is a significant challenge.
• Banks must invest in automating loan processes and improving digital verification to enhance fraud detection capabilities.
• Third-party investigators can play a vital role in thorough applicant verification, adding an extra layer of security.
• Financial institutions should continuously adapt and evolve their fraud detection methods to stay ahead of ever-evolving fraudulent tactics and protect their customers effectively.

Preventive Measures to Avoid Data Leakage

Data leakage is a significant concern, especially when dealing with personally identifiable information (PII). Two notable incidents, the AIMS hospital data breach and the Fullerton incident, highlight the critical need to address this challenge effectively.

The Challenges:

• Storing PII in an unencrypted format poses a major vulnerability.
• Keeping the same data on the same server further compounds the risk.

Enhancing Data Security:

To tackle these issues and enhance data security, robust encryption mechanisms have been implemented, comprising the following features:

1. Separate Server: Sensitive data is stored on a different server, providing an additional layer of isolation.
2. Limited Access: Only designated IPs are granted access to the data, minimizing potential breaches.
3. JWT Tokens: Access to data is controlled through JWT tokens, enhancing security during data exchange.
4. Role-Based Security: Role-based access ensures that only authorized personnel can view specific information.

Tokenization for Enhanced Security:

• Tokenization replaces sensitive PII with unique identifiers, ensuring that no critical data is exposed, even in the event of a breach.

Protecting Sensitive Information:

• Critical information, such as health records, is stored in an encrypted format, inaccessible to unauthorized individuals.
• These measures effectively mitigate the risk of exposing sensitive data, safeguarding both individuals and organizations.

Consent Management:

• Empowering individuals to control access to their data enhances customer trust and transparency.

Extending the Solution:

• These preventive measures can be adopted by other organizations seeking robust data security solutions.
• By implementing these approaches, organizations can build trust, comply with data protection regulations, and demonstrate their commitment to safeguarding customer information effectively.

Leveraging Machine Learning and AI for Fraud Identification and Detection

The Challenge

In the realm of fraud identification and detection, machine learning and data analytics play a pivotal role. With the abundance of data available today, the key challenge lies in efficiently processing and transforming this data into actionable insights in real-time. Without timely detection and decision-making, the entire effort becomes futile in today’s fast-paced digital world.

The Solution

To address this challenge, an analytics-driven approach becomes imperative. Data-driven decision-making, underpinned by machine learning and AI, emerges as the crucial horizontal aspect of fraud prevention and mitigation. For instance, many organizations have been successful in consolidating diverse data silos, such as identity verification, fraud detection, transactions, and payments, into a unified platform. Such platforms offer a holistic view of a user’s journey. This single-pane view becomes a valuable asset for stakeholders, be it the CIO, CTO, CSO, or CEO of a financial institution.

The adoption of such analytics platforms at an early stage is advantageous, as it allows the analytical models to mature and yield meaningful results over time. Leveraging machine learning techniques, these models learn and adapt, incorporating additional tools like behavioural analytics. For example, the analysis of a user’s device behaviour, including unique patterns, touch gestures, dwell time, and the relationship of the user with the device, creates a distinctive fingerprint that aids in identifying and differentiating legitimate users from fraudsters who may attempt to tamper with devices.

Adapting Automation to Comply with Supreme Court’s June 2023 Ruling: Banking Institutions and the Challenge of Fraud Flagging

In response to the Supreme Court’s June 2023 ruling, banking institutions face a challenge in adjusting their automation systems for fraud flagging. As per the master direction, banks must report any identified fraud to the central registry. While they must comply with this requirement, the regulatory body determines whether the information is published. To ensure legal measures are followed, banks now have to provide a three-month window before declaring an account as fraudulent, and only after proper legal measures or directions are taken. The Supreme Court emphasizes the importance of offering fair opportunities and equal treatment to customers during the process. This approach aims to prevent abrupt harassment and ensures customers are provided with a proper legal process before any conclusive actions are taken.

Social Media Frauds

In the context of social media fraud, one of the significant concerns is impersonation, where malicious actors create fake profiles to deceive others. Institutions must exercise caution while assessing profiles and leverage available technological solutions to identify and take down such fraudulent accounts. Detecting fake organization pages, product pages, and posts on social media can be achieved through various tools and solutions currently available in the market.

From a lending perspective, institutions can assess a user’s digital footprint and monitor their presence across different social media platforms. By evaluating their accounts and the number of social handles they use, institutions can implement straightforward checks to ensure the authenticity of the user during the onboarding process. Many fintech companies have already deployed these measures to gauge user credibility during the onboarding journey.

Furthermore, certain NBFCs providing educational loans have taken additional steps to validate applicants’ LinkedIn details by cross-referencing them with the certificates they provide. Although this process emphasizes the importance of data validation, it is essential to strike a balance by not solely relying on any single data point for assessment.