Best practices: Anti-fraud and compliance for fintechs in South Africa
A comprehensive overview of the current regulatory frameworks in South Africa, common types of fintech fraud, and how businesses operating in the space can safeguard themselves and their customers from fraud.
Fraud remains a major concern in the fintech industry - and in any sector that involves managing finances. Although ripe with positive innovation, new fintech channels and solutions also mean new avenues for fraudulent activities to take place and new vulnerabilities that can be exposed. Players across the ecosystem need to work together and continually improve security measures to keep bad actors at bay and protect the funds and data of the end users we serve.
At Stitch, fraud prevention and regulatory compliance remain top priorities.
Fintech fraud in South Africa
South Africa passed its first dedicated cybercrime law, which also gave cybercrime a legal definition, in 2021. Before then it was difficult to prosecute fraudsters, leaving the fintech industry particularly vulnerable. Since then, fintech companies, legislators and security infrastructure players have made significant progress in understanding how fraudsters operate and in finding ways to stop and prevent fraud.
One organisation working to combat fraud is the Southern African Fraud Prevention Service (SAFPS), which reported a 600% increase in incidents of fraud in 2022 compared with 2018. In response, the SAFPS is developing a product named Yima. Nazia Karim, Head of Product Development at the SAFPS, explained that “Once launched, the product’s website will be a one-stop-shop for South Africans to report scams, secure their identity, and scan any website for vulnerabilities related to scams. They will also be able to educate themselves on identifying a scam.”
Reports will be collated and shared with law enforcement for investigation, also giving users the opportunity to share fraud incidents directly with their banks, retailers or insurance companies via a scams hotline.
In South Africa today, some of the most common fraudulent activities involve phishing and social engineering scams, investment-related scams, data breaches and unauthorised transactions.
The incidence of attacks varies with the business model or platform. Banking on digital platforms (via app, online and over the phone), for example, has seen the lowest incidence of fraud: from 2020 to 2021, fraud in digital banking in South Africa decreased by 18% overall, with the biggest decline in the mobile banking sector.
Card fraud, however, remains high, with debit cards the most vulnerable. Phishing and OTP vishing scams used to obtain customer details are also increasingly common.
Common types of fintech fraud in South Africa
Some of the most common types of fintech-related fraud include:
- Account takeover: a cybercriminal takes ownership of an online account using stolen passwords and usernames
- Identity theft: if a fintech platform is compromised or if user data is mishandled, it can lead to identity theft, where bad actors use stolen identities to open or log into user accounts, or take out loans in someone else's name
- Payment fraud: this includes fraudulent transactions, unauthorised access to accounts or cards and scams targeting individuals or businesses through mobile payment apps, peer-to-peer payment platforms or online marketplaces
- Money laundering: when illicit funds are disguised as legitimate transactions. This involves complex techniques to obscure the origin and destination of funds
- Phishing and social engineering: this involves tricking individuals into revealing sensitive information, such as login credentials or financial details, by impersonating trustworthy entities through emails, websites or phone calls
- Synthetic identity fraud: when criminals combine real and fake information to create new identities that are difficult to detect. They can then use these to open accounts, apply for loans or engage in other fraudulent activities
- Cyber threats: includes various tactics, such as phishing, malware attacks and data breaches, used to target individuals, businesses and financial institutions, with an intention to steal their data
An overview of compliance frameworks and the regulatory landscape in South Africa
The Financial Intelligence Centre Act (FIC Act) regulates two procedural elements that are integral to the fintech payments space: Anti-Money Laundering (AML) and Know Your Customer/Business (KYC).
Amongst other regulatory controls, the FIC Act requires that no transactions be conducted by anonymous or fictitious persons or entities, and that all customer data is vetted appropriately.
This can be ensured through third-party verification and checking data against government-owned databases (such as the Department of Home Affairs), and it can even extend to independently vetting bank account records.
Additionally, it stipulates that any parties that process transactions must adhere to continued transactional monitoring. This entails the use of risk-based mechanisms that can detect any unusual or suspicious transactions as they occur in order to proactively prevent them from entering the banking system.
PCI DSS compliance is another payments-related data protection industry standard, intended to secure cardholder data from bad actors. Any financial organisation that processes cardholder data is required to adhere to its stringent requirements.
These organisations must obtain PCI DSS Level 1 certification. PCI DSS is an international standard that governs the safe processing of cardholder data and ensures that the required security measures, systems and processes around cardholder information are in place and followed.
Mitigating the risk of fraud in fintech
While fintech fraud remains a concern, fintechs, regulators, financial institutions and other players across the industry are continuously working to improve security measures and adopt advanced technologies - from AI/ML to biometrics - to stay ahead of fraudsters.
Here are some fraud prevention strategies fintechs can employ and how businesses can implement them:
A strong technical foundation
- Know-Your-Customer (KYC): enables businesses to verify the identity of customers and mitigate the risk of identity theft. By gathering relevant information and conducting thorough identity checks, fintech companies can establish a strong foundation for fraud prevention
- Data security: security measures such as encryption, multi-factor authentication (MFA) and regular security audits can help safeguard sensitive information from unauthorised access
- Artificial Intelligence (AI) and Machine Learning (ML): can be utilised to significantly enhance fraud detection capabilities. These technologies can analyse vast amounts of data in real time, to identify patterns and detect anomalies that may indicate or flag fraudulent activities
- Biometric authentication: via fingerprint or facial recognition can add an extra layer of security to user accounts by providing a unique and nearly impossible-to-replicate identifier, reducing the risk of unauthorised access
- Transaction monitoring: real-time transaction monitoring systems that analyse customer behaviour and transaction patterns help to flag risks or potential fraud before it spreads. A strong security foundation includes setting rules and thresholds to flag suspicious activity, such as unusually large transactions, multiple transactions within a short time frame or transactions from high-risk locations
- Two-Factor Authentication (2FA): requiring customers to provide an additional authentication factor (e.g. a one-time code sent to their mobile device) can help to verify their identity during login or high-risk transactions
- Device recognition: can be utilised to identify and authenticate customer devices used for accessing accounts or initiating transactions. This helps detect and block fraud attempts from unfamiliar or compromised devices
- Behavioural analytics: can be leveraged to analyse customer interaction patterns and detect anomalies. By establishing baseline behaviours for each customer, unusual activities, such as sudden changes in transaction types or deviations from established patterns, can be flagged for investigation
- Pattern recognition: these algorithms can help identify similarities and correlations among fraudulent activities across different customer accounts. Identifying such patterns can reveal fraud rings or organised fraud attempts
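As an added, self-contained illustration of the transaction monitoring and behavioural analytics points above (example code written for this article, not Stitch's own system), the following Python script scores a constructed batch of transactions against four rules: an absolute value threshold, a velocity rule, a high-risk location rule and a deviation-from-baseline rule that compares each amount with the customer's own history. All thresholds, country codes and sample transactions are assumptions chosen to exercise each rule.

```python
"""Rule-based transaction monitoring (constructed example, not Stitch's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Assumed tuning parameters; a real deployment would calibrate these per product.
LARGE_VALUE_ZAR = 50_000.0          # any single transaction above this is flagged
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3                    # more than this many in the window is flagged
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder codes standing in for a real risk list
BASELINE_MULTIPLIER = 5.0           # amount above 5x the customer's median is flagged
MIN_HISTORY = 3                     # past transactions needed before the baseline applies
REVIEW_SCORE = 50                   # total score at or above this is held for review

# Constructed sample data: (txn_id, customer, amount in ZAR, country, timestamp)
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_TXNS = [
    ("t1", "cust-a", 100.0, "ZA", T0),
    ("t2", "cust-a", 120.0, "ZA", T0 + timedelta(hours=1)),
    ("t3", "cust-a", 90.0, "ZA", T0 + timedelta(hours=2)),
    ("t4", "cust-a", 2000.0, "ZA", T0 + timedelta(hours=3)),   # far above own baseline
    ("t5", "cust-b", 500.0, "ZA", T0),
    ("t6", "cust-b", 500.0, "XX", T0 + timedelta(minutes=2)),  # high-risk location
    ("t7", "cust-b", 500.0, "XX", T0 + timedelta(minutes=4)),
    ("t8", "cust-b", 500.0, "XX", T0 + timedelta(minutes=6)),  # 4th in 10 min: velocity
    ("t9", "cust-c", 75_000.0, "ZA", T0),                      # large value
]


def score_transactions(txns):
    """Score transactions in time order; returns {txn_id: result dict}.

    Each result carries the customer, the total score, the list of rule names
    that fired, and the action ("review" or "allow") derived from the score.
    """
    history = defaultdict(list)   # customer -> [(timestamp, amount)] seen so far
    results = {}
    for txn_id, customer, amount, country, ts in sorted(txns, key=lambda t: t[4]):
        reasons = []
        score = 0

        # Rule 1: absolute value threshold.
        if amount > LARGE_VALUE_ZAR:
            reasons.append("large_value")
            score += 50

        # Rule 2: velocity. Count this customer's earlier transactions inside the
        # window, plus the current one.
        recent = [t for t, _ in history[customer] if t >= ts - VELOCITY_WINDOW]
        if len(recent) + 1 > VELOCITY_MAX:
            reasons.append("velocity")
            score += 30

        # Rule 3: high-risk location.
        if country in HIGH_RISK_COUNTRIES:
            reasons.append("high_risk_location")
            score += 30

        # Rule 4: behavioural baseline. Only applies once enough history exists,
        # so a brand-new customer is not compared against an empty baseline.
        past_amounts = [a for _, a in history[customer]]
        if len(past_amounts) >= MIN_HISTORY and amount > BASELINE_MULTIPLIER * median(past_amounts):
            reasons.append("baseline_deviation")
            score += 30

        history[customer].append((ts, amount))
        results[txn_id] = {
            "customer": customer,
            "score": score,
            "reasons": reasons,
            "action": "review" if score >= REVIEW_SCORE else "allow",
        }
    return results


if __name__ == "__main__":
    for txn_id, result in score_transactions(SAMPLE_TXNS).items():
        print(txn_id, result["action"], result["score"], result["reasons"])
```

A single weak signal (t4's baseline deviation, or t6's location alone) is recorded but allowed, while two signals together (t8) or one strong signal (t9) cross the review threshold. Holding the transaction before settlement rather than rejecting it outright keeps false positives recoverable, which matches the "delay and block prior to settlement" practice described later in this article.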
Continuous monitoring and adaptive strategies
Fraud prevention is an ongoing process that requires constant monitoring and proactive measures. Fintech companies should regularly review and update their fraud prevention strategies to stay ahead of evolving threats, invest in advanced fraud prevention tools, regularly train employees on fraud detection techniques and conduct thorough audits to identify risks and vulnerabilities.
Education for end users
For fintechs offering products and/or services directly to end users, it’s important to ensure users have the correct, up-to-date knowledge to interact with your product as safely as possible. Educating end users about fraud empowers them to make informed decisions and take appropriate actions to safeguard their financial resources. By becoming aware of common scams or risks associated with certain fintech products, customers are less likely to unknowingly fall victim to fraud.
User-initiated alert systems can be useful for flagging suspicious or unauthorised activity on a fintech platform from the bottom up. Encourage customers to report any suspicious or unauthorised transactions promptly, and provide an easily accessible channel, such as a dedicated fraud reporting hotline or email address, where customers can report fraudulent activity.
Where Payments Service Providers like Stitch fit in
As a payments service provider, Stitch enables businesses to securely receive transactions from end users via multiple methods, and send payouts as needed. For pay-ins, Stitch acts as an intermediary between the end user and the recipient or merchant. We receive the payment authorisation from the end user and verify the payment details.
A transaction proceeds as follows:
1. Initiation: the user initiates a transaction through an app or platform, with Stitch as the chosen payments provider, and selects a payment method
2. Authorisation: the user authorises the payment by providing the necessary payment details to the recipient or merchant, which may include bank account information, credit card details, etc. They then permit Stitch to initiate the transfer of funds on their behalf, often by completing MFA
3. Notification and confirmation: Stitch notifies the end user and the recipient or merchant upon completion of the transaction
With Stitch acting as the TPPP (third-party payments processor):
4. Settlement: after the funds are successfully transferred, Stitch ensures that all money that should have been transferred has been received, and then settles with merchants into their bank accounts.
With many different parties involved in a transaction, it’s important for all to have robust safeguards in place to reduce and mitigate fraud. By implementing preventative measures, practising due diligence, and utilising security technologies, all members of the value chain can play a role in ensuring secure and trustworthy transactions.
How Stitch manages fraud prevention and remains fintech compliant
Stitch employs a number of industry-standard and extra-mile measures to ensure our clients and their consumers can transact as safely and securely as possible, including:
- PCI DSS Level 1 certification
- Tokenisation and encryption of sensitive customer financial information
- MFA on both sides (i.e. on the PSP side and on the bank side)
- 3D-Secure transactions
- Extended delays and blocking of suspicious payments prior to settlement
- Transaction monitoring and scoring with fraud rules in place (e.g. value and velocity rules)
- Service level agreements with all merchants
- Cautionary locks or holds on accounts when requested by a merchant
- Dashboards to monitor trends, outliers and fraud percentages
- Device fingerprinting
- Unique references per deposit
- KYC details on each payment
- SIM swap detection
- Bank-and-merchant-facing dispute portal for future mitigation
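As an added illustration of the tokenisation item in the list above (example code written for this article, not Stitch's implementation), the following Python vault replaces a card number with an unguessable random token, keeps the mapping in a stand-in in-memory store, and hands downstream systems only the token and a masked number. The merchant identifiers and the well-known Visa test number 4111 1111 1111 1111 are assumed sample values.

```python
"""Card-number tokenisation vault (constructed example, not Stitch's code)."""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, used to reject malformed input before storage."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the last four digits; this is all a merchant-facing system needs."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """In-memory stand-in for an access-controlled vault (assumption for this example).

    Tokens are random rather than derived from the PAN: a hash of a card number
    would be brute-forceable because the space of valid numbers for a known BIN
    is small. Tokens are scoped per merchant so two merchants cannot link the
    same card across their datasets, while one merchant gets a stable token for
    recurring payments.
    """

    def __init__(self):
        self._token_to_pan = {}   # token -> PAN; only the payment core may read this
        self._key_to_token = {}   # (merchant_id, PAN) -> token

    def tokenise(self, merchant_id: str, pan: str):
        """Validate the PAN, return (token, masked_pan); never return the PAN itself."""
        pan = re.sub(r"[\s-]", "", pan)
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        key = (merchant_id, pan)
        token = self._key_to_token.get(key)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)   # 128 bits of randomness
            self._key_to_token[key] = token
            self._token_to_pan[token] = pan
        return token, mask_pan(pan)

    def detokenise(self, token: str) -> str:
        """Recover the PAN. In a real system this path sits inside the PCI scope
        and is restricted to the component that talks to the card network."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault()
    token, masked = vault.tokenise("merchant-1", "4111 1111 1111 1111")
    print(token, masked)
```

The point of the design is scope reduction: systems that hold only tokens and masked numbers cannot leak card data even if compromised, so the set of components that must meet the full PCI DSS requirements shrinks to the vault and the payment core.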
Our compliance and security teams regularly assess and optimise our fraud mitigation practices to ensure everyone - our clients and their end users - is able to engage with our products as safely and securely as possible.