It’s time India gets a FraudStack

Until five years ago, the biggest challenge for Indian banks was unusually high non-performing assets (NPAs). Today, the system can give itself a pat on the back for having improved asset quality, thanks to tighter insolvency legislation, and improved loan discipline among corporate borrowers. But now, there is a new threat to asset quality on the horizon.?

?

Fraud is rising?

?

The Reserve Bank of India (RBI) is losing patience with inadequate IT systems in banks. The regulator has hauled up several large banks over the last few months over user access, data security, and other issues that make the banking system vulnerable to fraud.?

?

The regulator reported last year that frauds in banking transactions increased 10-fold in the last 10 years. These figures may neatly point to the problem at hand, but the issue of rising fraud is a lot messier than it seems. Each loan category contributes to the total volume and value of fraud differently; and banks are vulnerable to various types of frauds on a number of fronts.?

?

Let’s take a look.?

?

Loan category and sector-wise split?

?

I examined RBI data in a previous edition of this newsletter and found that:?

?

1. Private sector banks accounted for the largest number of frauds?

2. Public sector banks saw more high-value frauds than their private sector counterparts?

3. The most high-value frauds occurred in the advances category?

4. Card and internet-related frauds occurred largely in the private sector banks?

?

There’s no single source of fraud?

?

The threat of fraud isn’t cohesive – it doesn’t emanate from a single source or in a single form. In fact, addressing fraud is almost a multi-disciplinary endeavour. It requires equitable participation from industry players, disrupters and regulators. To effectively tackle fraud and identify the role of each stakeholder, we must first categorise it. Here, I propose a loose categorisation framework:?

?

1. Direct threats: Defrauding the lender through identity theft, misstating of transaction amounts, or manipulating proof of financial behaviour during underwriting. ?

?

2. Indirect threats: Defrauding existing customers of banks with social engineering scams or phishing, account takeovers, malware attacks and more.?

?

Currently, fraud detection measures are deplorably fragmented. Lenders conduct a mix of customer due diligence practices like KYC, audits, reporting, and customer education. Tech solutions are powerful tools that can help detect and prevent fraud, but these are often buried deep within their larger tech-based risk assessment strategy.?

?

Fraud prevention needs to stop playing second fiddle to risk assessment?

?

The direct threat of fraud is largely avoidable. Risk assessment solutions are designed to judge a borrower’s intent and ability to repay a loan. And fraudulent applications speak to users’ intent to make good on their promise of repayment – it almost always ends in bad debt.

?

Tech suites used by lenders for risk assessment often come equipped with fraud detection capabilities, but these are not enough. For example, KYC, underwriting, and recovery functions are often outsourced to different vendors. The data generated by these exists in silos. Therefore, red flags identified during due diligence may not be communicated to underwriters in time or at all. And if a fraudulent application manages to get past these defences and a loan disbursed is defaulted on, the lender will have incurred a loss that could have been avoided with a streamlined flow of information.?

?

The case for a FraudStack ?

?

Regulated entities are under growing pressure from the RBI, and it has become more critical than ever for technology providers to craft solutions that are compliant. Lenders need a regulation-compliant, coherent, and unified strategy to address fraud in all forms, complemented by a comprehensive tech solution that consolidates all measures to fight fraud in one place. ?

?

A one-stop set of fraud tackling tech measures that functions parallel with a risk engine – a FraudStack, if I may – could be made up of a set of interoperable layers:?

?

1. Prevention?

?

Prevention occurs before a fraud even gets the chance to enter a lender’s customer acquisition funnel. For example, customer due diligence measures like KYC take place long before a borrower is acquired. KYC can be done digitally, through photographs, liveness checks through video, in addition to in-person site visits. While KYC is primarily used to prevent money laundering, it acts as an irrefutable source of truth for fraud identification as well. Digital KYC tools should be integrated with the Central KYC registry so that a lender admits only those customers whose KYC information meets the norms set by the regulator.?

?

Prequalification is another measure that could be incorporated into the detection layer. In risk assessment, lenders often use alternative data to evaluate a borrower’s intent and ability to pay a loan. Alternative data such as the number of devices connected to one user, and the nature of apps on their mobile phone could also allow lenders to flag potential frauds.?

?

Fetching financial statements directly from data custodians like banks could cut out the need for the user to share (and potentially tamper with) their documentation. Account Aggregator integration can help lenders prevent statement tampering entirely.

?

2. Detection?

?

The detection layer will act as the second line of defence if preventive measures fall short. In fact, fraud detection is generally well developed in the industry – it is already a part of risk assessment product suites. Tampered statements can be easily spotted thanks to advanced OCR tools, metadata evaluation, and transaction computing, among other methods. I’ve already delved into the subject in the FinBox guide to fraud detection.?

?

3. Damage control ?

?

Detection and prevention won’t function with 100% efficiency, so lenders must be prepared to deal with the damages caused by fraudulent applicants. This layer should include an early warning system that can alert of delinquencies and trace them to accounts flagged during detection or prevention. This could help separate delinquencies based on users who are unable to repay due to strained resources from users with malicious intent. Loan recovery approaches must likewise be altered for the two segments.?

?

The RBI recognises reporting as central to fighting fraud. Its Master Directions on Fraud emphasise that lenders must furnish Fraud Monitoring Returns in all cases irrespective of the amount involved. Each case is fed into the Central Fraud Registry – a database that can be integrated into the proposed FraudStack. This would allow lenders to report fraud more promptly and protect other lenders in the ecosystem.

?

Conclusion?

?

A centralised tech stack would consolidate fragmented measures taken across fraud prevention, detection, and management. It could find applications as a standalone tool focused on fraud, or as part of a comprehensive credit infrastructure alongside risk assessment. Such concerted focus on tackling an area responsible for asset quality deterioration would definitely fortify lenders’ IT systems and help them better deal with regulatory compliance.?

?

I would love to hear your thoughts!?

?

Cheers,?

Rajat?