Why Nigerian banks, fintechs are facing increase in fraud, cybersecurity threats – Tayo Ogunlade
As Nigeria’s financial industry experiences rapid growth, driven by the widespread adoption of mobile phones and increased internet penetration, it also confronts a significant and escalating challenge of cybercrime.
Financial institutions, at the forefront of this digital revolution, are particularly vulnerable to sophisticated cyberattacks that pose serious risks of financial losses and reputational harm.
In this interview with Nairametrics, Tayo Ogunlade, the Chief Technology Officer at Onafriq, a South Africa-headquartered payment solution firm, speaks on the factors driving the increase in frauds across financial platforms in Nigeria and how banks and fintechs can address it beyond investments in cybersecurity infrastructure. Excerpts:
Nairametrics: Lately, there has been an increase in reports of system hacking, financial frauds, and all that. What do you think is driving this surge in online frauds in Nigeria?
Tayo Ogunlade: Well, not far-fetched. People will always see an opportunity that exists but many times you find growing economies like ours, Nigeria and not just Nigeria, but several other African countries and even non-African countries that have the kind of population that we have and the challenging economy would more or less have cyber security issues or fraud issues on the high.
So we are only seeing this because it’s now becoming deeper and those challenges are now there. Fraud has been on the rise particularly because with innovation and with the quest to do things in simpler ways, organizations would sometimes undermine security and would be going for the numbers.
So you see that in recent times there have been several additions to the financial space in terms of companies that are coming out with different sorts of provisions and in those scenarios, you would also find that you are creating more nodes that are connected to the bigger nodes and if the new nodes are weak you have also created a hole within the entire financial system, which of course poses a security risk.
Nairametrics: Talking about new nodes, there have been some instances in recent times where banks had to disconnect some fintechs over suspicions of being used as fraud channels. Can we say that the fintechs don’t have strong anti-fraud mechanisms compared with banks?
Tayo Ogunlade: So, the thing is many of these fintechs have good cybersecurity frameworks in place but again once it happens to you, you begin to realize that you have not done the very simple things, right?
So you find people spend a lot of money putting several things barricading their infrastructure and so on but simple things like adequate KYC, or KYCs that are actually valid and have been validated; those are very simple things and without those things, you can land into a billion dollar loss.
Many of the recent frauds have been linked to issues around onboarding. You know what’s common in the market these days is, oh come on this platform and you are signed up ASAP and you can keep transacting ASAP. So those things also have consequences especially when we do not have very strict rules guarding how KYCs are captured, and how KYCs are validated and revalidated.
So those are the things majorly and I would say 80 or 90% of the time that have caused the issues that we have seen in recent times.
Nairametrics: The CBN recently came up with some new KYC rules, part of which include that every wallet and account owner must submit their BVN and NIN. Do you see this reducing cases of fraud?
Tayo Ogunlade: In a way it should. Again CBN makes the rules and CBN also made a rule at some point that allows the creation of accounts with just phone numbers, which led us to where we are today but doesn’t mean it was a bad thing. It’s just that the underlying factor which was the phone number was not enough to secure the entire space which we have seen.
BVN is quite the same, however, BVN because you have been captured with your biometrics becomes better than the phone number but that doesn’t completely solve the problem. It doesn’t completely solve the problem because we are in a space where people can steal other people’s identities or people can leverage the ignorance of certain folks to allow them to do certain things without them knowing.
Take for instance, you go to northern Nigeria where people perhaps don’t even have a clue of the significance of the importance of not sharing things like BVN and so on. You’ll find them releasing their BVN for a token, they would even opt to do facial recognition for you so that it passes and fraudsters can use this information to, of course, perpetrate evil and when you’re tracing, you trace it to one man in his house somewhere down Sokoto and of course, you can’t get the money.
So you find that the landscape requires that KYC is deeper. I mean in previous years you find banks visiting houses, visiting their customers to know them, putting a face to their customers, and knowing the colour of their building.
Now, several companies have come up with technologies that are able to solve that but in reality, we are seeing that these things have been bypassed.
Nairametrics: So, what role do you see the NIN playing in all these KYC issues?
Tayo Ogunlade: NIN and BVN would go a long way in making sure that we can at least identify everybody on the network. However, we still have the risk of people stealing people’s identities or people using the ignorance of certain folks to perpetrate evil on their behalf. So that is still there and needs to be tackled.
Nairametrics: Year-on-year, commercial banks in the country continue to record an increase in losses due to fraud. Can we say they are not investing enough in cybersecurity?
Tayo Ogunlade: When you look at the budgets of several banks, you will find cyber security as a significant item. So, it means that to a large extent, many organizations are taking this seriously.
Again, when you look at what poses a significant risk to the business that can come as a big blow, it is a cyber security risk. It means that with a well-planned cyber security attack that is successful, you can cease to have a business.
That’s how bad it can be. Every other risk can perhaps undermine several parts of the business and it will keep going, but with cyber security, you can land yourself into having zero business. So, I know many organizations are putting significant efforts into doing that, but there is still so much more to be done, especially in collaboration.
Everyone is connected or interconnected at some point and your biggest risk is where you have the weakest link. So, collaboration is where you get to identify those things, where you get to see how different parties can mitigate those things and so on. So collaboration is key as much as increasing investment.
Also, if you look at the pattern of fraud in banks, you will see a lot of involvement of insiders. Like just recently, I was reading a report that a tier-1 bank sacked about 100 people for involvement in fraud.
So, as a bank that is investing in cyber security against external attacks, what can you do against internal forces that are also involved in fraud? I mean, to be fair, your biggest risk is the internal one.
You can build fences around the external ones, but the internal ones are already within the fences. In practical terms, processes, frameworks, internal audits, revalidation of processes, and moving people around, are things and so many other things that can be done to ensure that you are building a process-driven organization.
Yes, many of these organizations are process-driven, but many of them from experience are process-driven theoretically.
They do things on paper and for regulation’s sake. You will see that in practical terms, many of these things are not as they have been defined by standards that many of these organizations claim to have, like the ISOs and the rest of them. So if all of the things mentioned in all of those certifications were there too strictly, they would have dealt significantly with even internal threats.
Nairametrics: Earlier, you mentioned cases of people giving out their data indiscriminately, thus getting exposed to fraud. How well-aware are Nigerians when it comes to cybersecurity?
Tayo Ogunlade: I think we have matured and we have improved greatly as a nation on technology as a whole and education of people, but we are not there yet 100%. I mean, you still find people of age bracket 50 and above still falling, even people in younger age brackets still falling for things as simple as sharing links, where they enter their personal information.
So, you’ll find banks investing every day in publicizing. In fact, in several organizations such as ours, we have tended to build all of our products with security in mind, educating the user. So, as you come on board our platform, you get to know what security is after signing up, you get to know what to keep secured, what we will never ask you, and so on.
So several organizations do that, but there’s so much more to get done. Again, this is a growing economy and or a growing nation, and education has a lot to do with this, exposure has a lot to do with this. If you are outside of Lagos, Abeokuta, Abuja, Port Harcourt, Ibadan, and Kano, which are some of the major cities, you most likely do not know what’s happening outside the cities.
Again, the level at which we are, education-wise, and exposure-wise as a nation, has its influence on how people get to understand the landscape of cyber security. But the onus is on all organizations to ensure that apart from educating people, you have also put in stringent processes that would make it very difficult for even people who have been lured unsuspectingly to have their monies leave the platform.