Hassan Abdulrasheed, a senior developer with a commercial bank in Nigeria, had his old laptop replaced by the company with a new one. Everything was working very well until he was invited to the head office one fateful day.
As soon as he arrived, he encountered his bosses and officials from the Economic and Financial Crimes Commission (EFCC). The officials immediately flanked him and requested he follow them to their headquarters. On the road to the EFCC office, he was informed that he was being arrested for a N2 billion fraud. He later learnt that criminals had hacked into his old laptop, which contained critical information about the bank’s accounts. The criminals could access one of the accounts and move the N2 billion from it. First, they converted N1 billion into an overdraft which did not raise the bank’s suspicion on time. The money was later withdrawn from another bank account. The second N1 billion was divided and half of it was sent to the account of a microfinance institution operated by one of the prominent fintech companies in the country.
Usually, when a fraud activity involves the movement of money from the accounts of one commercial bank to another commercial bank, it is easy to trace because the Central Bank of Nigeria (CBN) houses the data of all customers in the banking system. The CBN also regulates fintech companies. However, the collaboration between the banks is such that when fraud cases happen, they do not necessarily need to involve the CBN before they resolve the problem. For example, bank A, which first noticed the fraud, can easily put a call across to bank B, which is the recipient bank, and both can resolve the issue without escalating to the apex bank. One of the reasons the banks prefer to not involve the CBN is fear of punishment which would lead to unwanted publicity that could create panic among their customers.
When fraud involves fintech companies, as is increasingly the case, resolving it without the involvement of the CBN is becoming difficult. For example, if the fraud involved a commercial bank and a fintech company, the bank will need to put a call across to the fintech. On many occasions, a delay by the fintech in picking up calls, or even in agreeing to resolve the problem, is all the criminals need to move the money to where they can withdraw it.
Commercial banks are also more likely to comply with any directive of the CBN, being the regulator of the industry. It is however not the same with fintech companies. The difficulty with the fintech companies means that victims like Abdulrasheed would spend weeks and sometimes months in the custody of the EFCC.
According to yet-to-be-published data that industry stakeholders shared with BusinessDay, in the past 10 months, the industry has seen an estimated N14 billion in fraud activities. While the fraud activities have impacted nearly every player in financial services, experts say the majority of the cases go unreported.
Some of the cases confirmed by stakeholders include a N2 billion fraud suffered by Access Bank; Fidelity Bank lost N2 billion in over three cases of fraud; Shago lost about N800 million on airtime and bills payment; and Flutterwave lost about N2 billion. In the case of Flutterwave, customers were refunded by the company, which then went to court and later created the Project Radar with the objective of establishing a central blacklist for all known fraud actors.
In a video that went viral recently, some agents under OPay, a Nigeria-based fintech company, were seen protesting at the company’s Lagos headquarters, complaining about unauthorised withdrawals. The agents said they had complained to the company about the unauthorised withdrawals to no avail.
“Huge sums of money were unscrupulously taken away from our accounts. Balances of our accounts were removed, some were transferred to other banks, and some were used to purchase airtime. Others were transferred to different OPay accounts that we do not have any dealings with,” a spokesperson for the agents said in the video.
In the case of the video, OPay responded, saying that it was an old video that “resurfaced on some social media platforms regarding alleged fraudulent activities on some OPay agent accounts.”
“We wish to state that the allegations are dated and have been resolved in collaboration with all relevant stakeholders,” the company noted.
In many of the fraud cases, hackers connected to banks through an insider who showed them where the loopholes were. The hackers also exploited the financial institution’s interbank services and moved money out. Some stakeholders also told BusinessDay that while the hackers routed funds through a couple of funds, a large portion of the funds allegedly went to platforms such as OPay and from there they moved the money out via agents as cash across hundreds of touch-points.
BusinessDay asked OPay why there were delays in addressing the complaints from the affected institutions. In a statement, the company said there is a CBN-prescribed procedure for recovering funds backed by different regulations and judicial authorities. It is in the bid to follow the process that the delays occur. The process of funds recovery is not automatic and many industry players have found themselves on the wrong side of the law for either extending a restriction beyond the period required by law or proceeding to deduct funds without due process.
Adekunle Adeyemi, head of marketing at OPay Digital Services Limited, said as soon as the company gets a fraud report, mostly from another bank or financial institution, the first action it takes is to restrict the account (or lien the amount involved – depending on the circumstances of the case).
“Although not straight cut, we maintain the restriction while the bank/FI or customer obtains a court order. This court order empowers us to do any of the following: maintain the restriction, extend the restriction for a longer period, perform deductions/reversals, or other similar actions. A common occurrence is that these complainants do not come back to us within the allowable period, or sometimes attempt to mount pressure on us to reverse funds to them outside of the laid-down procedure. Insisting on due process or averting their minds to the proper procedure may sometimes seem like we are uncooperative. But as you would understand, with great power comes great responsibility,” Adeyemi said.
OPay will not immediately perform reversals based on a report from a third party on an account. Also, the company contacts the account owner to obtain proof of the legitimacy of the transaction or a court order to lift the restriction.
“There are also instances where different law enforcement agencies investigate a single account, or there are numerous reports. We currently have the largest customer base in the industry; therefore, you will understand that we receive a higher volume of reports and deal with a higher volume than others. It is therefore not always a walk in the park, and this process requires sensitively and carefully navigating the circumstances of each case, whilst preventing fraud or stopping fraudsters from benefiting from the proceeds of fraud, and also keeping to the legal provisions which govern our operations,” Adeyemi said.
Simon Aderinlola, an agent network specialist and one of the drivers of antifraud governance in Nigeria, told BusinessDay that for financial fraud to happen, there is usually either collusion by negligence or by intent.
“There are user experience and positively far-reaching inclusion benefits in simplifying digital onboarding as some digital banks and fast-growing fintechs have done. The lower the barriers to entry, the stronger the KYC filters need to be, lest our product design becomes a foot in the door for bad actors,” said Aderinlola.
Hackers are also on the lookout for operators under pressure to meet shareholder expectations. According to Aderinlola, aggressive shareholder expectations may also push some providers to prioritise profits over necessary guardrails, at times silencing recommendations of their risk and compliance professionals.
Hackers are also attracted to the concept of the mule. In financial fraud terms, a mule is a conduit through which stolen funds are either cashed out or reforwarded on an extra journey through legit digital financial pipes, to hide the intent and path.
“Understandably, the larger your agent network, the greater the possibility of your system being the most accessible for fraudulent cashouts,” Aderinlola said. “It is the duty of any licensed entity to work tenuously to disassociate itself from any connotation of being party to such.”
Fraud activities have a huge impact on the image of the financial system as they reduce the confidence of investors and consumers of products and services. Beyond that, the process of recovery is very tedious and expensive. In most cases, the monies lost are never recovered, which withers companies’ profits.
Usually, the banks affected by the fraud are supposed to seek redress in court. However, BusinessDay found that a high court order is needed to authorise a refund from banks, and securing this order in a Lagos court is almost impossible. Rather than Lagos, banks are now going to Oyo State to get justice. One of the downsides is that in doing so, bank lawyers expose themselves to extortion by clerks in Oyo who demand as much as 10 percent of the amount in dispute before they stamp judges’ orders.
Experts say the operators are likely to report fraud cases more should the CBN consider a different approach instead of sanctions. The apex bank has different sanctions for erring banks and payment service providers for infringements of extant guidelines, circulars, rules, and regulations. For example, card fraud that exceeds the limit set on the card by the cardholder will see the bank paying the full amount involved.
Tiwalola Osazuwa, partner in the corporate and commercial, intellectual property and mergers and acquisition practice groups at Aelex, told BusinessDay that the CBN needs to explore collaboration in resolving issues of fraud except in cases where the banks involved did not deliberately neglect to follow the guidelines.
An industry stakeholder who pleaded anonymity told BusinessDay that regulators are trying to resolve the fraud problem, but they are also being careful because of policy and customer rights.
“It’s not working because everyone is not collaborating or working together. Someone wants to take the shine or media limelight and the fraudsters are capitalising on this,” the stakeholder said.
A way out, he said, could be by establishing a strong dispute system where banks and financial institutions can refund stolen funds received when they cannot show evidence of CBN-level KYC for customers who receive funds. Banks can also pause or put ‘Post No Debit’ on accounts that receive sudden inflows until the owners can prove legitimacy. This is part of customer due diligence and KYC requirements that Nigerian and global banks are expected to provide.