Esigie Aguele, co-founder and CEO of VerifyMe Nigeria, speaks in this interview with BusinessDay’s Frank Eleanya on the recent growth of fraud in the financial sector. He identifies FRSC data as critical to addressing some of the KYC problems the sector faces.
Are neobanks especially susceptible to KYC fraud?
It’s a complicated question. Are neobanks more susceptible to fraud? Yes, but it’s also kind of conditional. When you have a digital bank that is trying to make money – because digital banks deal with lower transactions and make money from onboarding customers very quickly — the expense of KYC or address verification for Tier 3 and also the delay of it makes it prohibitive and difficult to fit into their business model. You know, high transactions or high volume equals low transaction costs. So, are they more susceptible? Yes. Is there a reason? Yes, because the government has not focused on regulation to establish proper compliance for things like addressing, and also to close the gap between Tier 1 and Tier 3 accounts.
So, this is a complex situation. Traditional banks can afford a comprehensive KYC because they make a lot of money from so many things. People need to open accounts so they can afford to wait for three days. Traditional banks can also charge their customers for the address verification that they do, so it fits into their business model. But, even if you look at the digital banks that the traditional banks are establishing, they are also more susceptible to fraud because the product has become slightly different.
There appears to be a growing trust problem between the traditional banks and neobanks over KYC. As a KYC industry player, what are your views on this?
My thinking is that, potentially, the issue is around the Tier 3 account opening. It is an issue of addressing but also an issue of compliance. Who enforces compliance with the neobanks? While CBN is very hard with the traditional banks, I think the neobanks also need a bit more regulation. This is where it’s still a little fuzzy because the Tier 3 account is the one that can transfer funds and do many other things. For digital banks, waiting three days for address verification and paying N1000 doesn’t work for them. What the government needs to do is adopt the model that is in use in most countries which is to identify the authoritative source of addressing. In most countries, this is the equivalent of FRSC, what they call Modified Virtual Addresses (MVA). It is not NIMC, it is not BVN.
To put it sustainably, the only agency in the country that Nigerians have to interact with periodically – every two to five years – is the Driver’s License Administration. That means that they’re the only ones in a sustainable position to collect changing information on citizens’ functional data. Once you go to NIMC, you don’t ever have to go back again. When you change your address, you shouldn’t have to go back to NIMC to update your records. What happens in most countries is that when you go for your driver’s license, all you do is show proof of residency. That becomes AML compliance, and then that’s what the credit agencies use as their authoritative source of addressing and that is why they have digital addressing in their countries and we don’t.
From your experience, what are the peculiar fraud trends that legacy banks and traditional banks are susceptible to? Are they different or is it just one strand of fraud affecting both sides of the divide?
I believe it’s different. I think with the neobanks, it is mostly identity – using multiple identities or the same face using maybe multiple BVNs or NINs. And I also think what the fraudsters do is open Tier 1 accounts and then see if there are loopholes to get it up to Tier 3.
With the bigger banks, it is much higher transactions involved so detecting fraud will be more from a transaction level. For example, if an account was opened and was doing N10 million, then all of a sudden, it starts doing N50 million, they should be able to detect that bank using analytics. At QoreID, our B2B infrastructure company, we use biometrics or deduping in terms of identity fraud to solve the main neobank problem, and also a kind of reporting. However, Nigeria still has to evolve on the transaction fraud part for banks. It is not that banks don’t face the other types of fraud. However, it’s more difficult to defraud Tier 3 accounts. It is not like the quick ID and get-a-loan-now we have in neobanks. So, it’s a little bit different.
A 2022 report from KPMG found that only 30% of local banks have fully implemented KYC and anti-fraud measures. Do you agree with that figure? Should it be higher or lower?
I think it’s probably lower, and even in those banks, they’re probably doing 30 per cent of customers. Imagine opening 10,000 accounts a day. That’s 10 million a day you’d be giving to a KYC company for addressing. This is why digital addressing is key but people don’t realize it. Because with digital addressing there’s no human in the loop, that price goes from N1000 to N100. Part of the solution should be that government should look at regulation as a stimulus. Digital addressing is really what’s going to power massive account opening and banking. Right now, the experience with remote addressing and the regulation of Tier 3 is that the price is prohibitive.
A key USP for the neobanks is speed and flexibility, especially in customer onboarding. However, it appears that this may also translate to sacrificing on KYC. How can the neobanks retain flexibility and speed, and still deliver on KYC compliance or does one have to go?
Right now in Nigeria, it is a hybrid. If you get fully digitized people and use a company like VerifyMe, you can open many of your accounts in real-time if you want them to be Tier 3 because we already have digitized Tier 3 information. Unfortunately, the majority of Nigeria is still not yet digitized so it has to be hybrid for now. Until we decide to use FRSC, create layers and create regulations, it’s always going to be a problem.
Could it be that KYC service providers are just playing the devil’s advocate and can’t manage the challenge?
It is about the Nigerian conundrum. We have a lot of startups who come from the Western Europe perspective and prefer to use Optical Character Resolution to read IDs and then do the biometrics from there. A lot of companies do that but it’s not compliant because at the end of the day, the document could be fake and they wouldn’t know. The thing is Nigeria already has an API for identity verification and their operations. A customer who does an API with a licensed company, and then goes ahead to do a biometric verification with the image from that API is compliant, because that’s also what the traditional banks do. But if you want to use OCR to read the ID and the face from the ID, it’s not compliant. So, the issue is not that operators are not providing adequate technology. It is that neobanks are picking non-compliant workflows for onboarding their customers.
So the challenge is on the demand side, not the solution provider side?
It’s not the solution provider. If you do a real identity against NIMC or BVN and the facial recognition, and a Tier 3 address verification, that is completely compliant according to CBN rules. We know that because we do most of the KYC for traditional banks. Traditional banks pick the right onboarding workflow for Tier 3 more than neobanks do. Traditional banks are more stringent with their compliance. You will never see a traditional bank, for example, not do a Tier 3 address verification, or at least select it with their onboarding. For the neobanks, you can pretty much open an account with any ID and that creates loopholes.
Do you think the industry is ready to tackle chargeback fraud because it seems as if it’s on the high? Secondly, do you think that there’s going to be a spike or, perhaps, an appropriate response that will lead to a drop?
First of all, every time there is loss, there’s always going to be an appetite to try to solve the problem. So, I would say that we have a role to play in stopping chargeback fraud as well. That is in terms of identity verification for these processing companies and biometric authentication as well. There are many things we can do to mitigate chargeback fraud but I think it will take some time for us to start to solve the problem.
What role do you think KYC service providers should and can play in mitigating fraud from a holistic approach?
We can help with much better KYC. Chargeback fraud is someone buying something and then going to dispute the charge. Usually, it is only people who feel they can get away with it that do it. So, firstly, what is the whole value chain? We recently had a case of chargeback in VerifyMe and we disputed it. Somebody tried to do a chargeback on us and we don’t even know why. I think we need to look at the whole process of responding – who is responding, how long they respond, the merchant’s response time, and knowing who these merchants are. For example, in Nigeria, the relationship between merchants and banks is not always great. So, it’s not even mostly about identity verification. There are people in Nigeria who are robbed with POS. They use a POS to charge your card and you will never find the owner of that POS.
How is that not an identity issue?
It is not an identity issue because how do you have a POS as a business without being registered with somebody? I should be able to say, “These people charged my card,” and the bank would look at it, trace it to the POS and know the POS owner. You can’t have that here so you don’t even know sometimes if the merchant is involved. It’s also about KYC on merchants. It’s about reporting which merchants have high chargebacks. There is a whole set of analytics that needs to happen to solve this problem.
When banks wanted to solve the fraud problem in the United States, they went to Congress, passed the Fair Credit Reporting Act and set up credit reporting agencies, a layer that they didn’t own. In Nigeria, the FinTech themselves want to start building the fraud app. The danger in that is that everybody will start building their fraud apps. Before you know it, you have a mutually assured destruction. Nobody will allow the other access because nobody is going to empower a layer that they’re not making money from, even if it’s going to eventually help their business. What the FinTech committee should be doing is bringing KYC operators together and saying, “Listen, you guys are the only ones that give data at the point of onboarding. You have to help us share data.”