A comprehensive overview of the current regulatory frameworks in South Africa, common types of fintech fraud, and how businesses operating in the space can safeguard themselves and their customers from fraud.
Fraud remains a major concern in the fintech industry - and in any sector that involves managing finances. Although ripe with positive innovation, new fintech channels and solutions also mean new avenues for fraudulent activities to take place and new vulnerabilities that can be exposed. Players across the ecosystem need to work together and continually improve security measures to keep bad actors at bay and protect the funds and data of the end users we serve.
At Stitch, fraud prevention and regulatory compliance remain top priorities.
In South Africa, cybercrime was first defined, and the first real cybercrime law was passed, in 2021. Before this time, it was difficult to prosecute fraudsters, leaving the fintech industry particularly vulnerable. Since then, fintech companies, legislators and security infrastructure players have made significant progress in understanding how fraudsters operate and finding ways to stop and prevent fraud from happening.
One organisation working to combat fraud is the Southern African Fraud Prevention Service (SAFPS), which reported a 600% increase in incidents of fraud in 2022 vs 2018. In response, the SAFPS is developing a product named Yima. Head of Product Development at the SAFPS, Nazia Karim, explained that “Once launched, the product’s website will be a one-stop-shop for South Africans to report scams, secure their identity, and scan any website for vulnerabilities related to scams. They will also be able to educate themselves on identifying a scam.”
Reports will be collated and shared with law enforcement for investigation, also giving users the opportunity to share fraud incidents directly with their banks, retailers or insurance companies via a scams hotline.
In South Africa today, some of the most common fraudulent activities involve phishing and social engineering scams, investment-related scams, data breaches and unauthorised transactions.
The incidence of attacks varies depending on the business model or platform. Banking on digital platforms (via app, online and over the phone), for example, has seen the lowest incidence of fraud. From 2020 to 2021, fraud in digital banking in South Africa decreased by 18% overall, with the biggest decline occurring in the mobile banking sector.
Card fraud, however, remains high, with debit cards the most vulnerable. Phishing and OTP vishing scams to obtain customer details are also increasingly common.
Some of the most common types of fintech-related fraud include:
The FIC Act regulates two integral procedural elements that are vital to the fintech payments space: Anti-Money Laundering (AML) and Know Your Customer/Business (KYC).
Amongst other regulatory controls, the FIC Act ensures that no transactions may be made by anonymous or fictitious persons or entities, and that all customer data is vetted appropriately.
This can be ensured through third-party verification and checking data against government-owned databases (such as the Department of Home Affairs), and it can even extend to independently vetting bank account records.
Additionally, it stipulates that any parties that process transactions must adhere to continued transactional monitoring. This entails the use of risk-based mechanisms that can detect any unusual or suspicious transactions as they occur in order to proactively prevent them from entering the banking system.
PCI compliance is another payments-related data protection industry standard that is intended to secure cardholder data from bad actors. Any financial organisation that processes cardholder data is required to adhere to stringent PCI requirements.
These organisations must obtain their PCI DSS Level 1 certification - an international standard that governs the safe processing of cardholder data and ensures that the peripheral information and system security measures and processes are followed.
While fintech fraud remains a concern, fintechs, regulators, financial institutions and other players across the industry are continuously working to improve security measures and adopt advanced technologies - from AI/ML to biometrics - to stay ahead of fraudsters.
Here are some fraud prevention strategies fintechs can employ and how businesses can implement them:
A strong technical foundation
Continuous monitoring and adaptive strategies
Fraud prevention is an ongoing process that requires constant monitoring and proactive measures. Fintech companies should regularly review and update their fraud prevention strategies to stay ahead of evolving threats, invest in advanced fraud prevention tools, regularly train employees on fraud detection techniques and conduct thorough audits to identify risks and vulnerabilities.
Education for end users
For fintechs offering products and/or services directly to end users, it’s important to ensure users have the correct, up-to-date knowledge to interact with your product as safely as possible. Educating end users about fraud empowers them to make informed decisions and take appropriate actions to safeguard their financial resources. By becoming aware of common scams or risks associated with certain fintech products, customers are less likely to unknowingly fall victim to fraud.
User-initiated alert systems can be useful to flag any suspicious or unauthorised activity taking place on a fintech platform, from the bottom up. Encourage customers to report any suspicious or unauthorised transactions promptly, and provide an easily accessible channel, such as a dedicated fraud reporting hotline or email address, where customers can report fraudulent activities.
As a payments service provider, Stitch enables businesses to securely receive transactions from end users via multiple methods, and send payouts as needed. For pay-ins, Stitch acts as an intermediary between the end user and the recipient or merchant. We receive the payment authorisation from the end user and verify the payment details.
A transaction begins when the end user initiates it:
1. User initiates a transaction through an app or platform, with Stitch as the chosen payments provider, and selects a payment method
2. User authorises payment by providing necessary payment details to the recipient or merchant, which may include bank account information, credit card details, etc. They then permit Stitch to initiate the transfer of funds on their behalf - often by completing multi-factor authentication (MFA)
3. Notification and confirmation: Stitch notifies the end user and the recipient or merchant upon completion of the transaction
Stitch as the TPPP (third-party payments processor):
4. Settlement: After the funds are successfully transferred, Stitch ensures that all money that should have been transferred has been received and then settles with our merchants into their bank accounts.
With many different parties involved in a transaction, it’s important for all to have robust safeguards in place to reduce and mitigate fraud. By implementing preventative measures, practising due diligence, and utilising security technologies, all members of the value chain can play a role in ensuring secure and trustworthy transactions.
Stitch employs a number of industry-standard and extra-mile measures to ensure our clients and their consumers can transact as safely and securely as possible, including:
Our compliance and security teams regularly assess and optimise our fraud mitigation practices to ensure everyone - our clients and their end users - is able to engage with our products as safely and securely as possible.