Columnists

How far should the regulators go in bank fraud payments prevention?

scam

As Kenya continues to increase mobile and internet banking services penetration, fraud threats are posing a great risk to financial customers hindering the uptake of these payment services.

In the national payment strategy released by CBK this year, it noted that customer fear of fraud is one of the hinderances affecting the use of bank cards for merchant transactions in Kenya.

Standard Chartered Bank in its 2021 Sustainability Impact Report noted that fraud threats which include card fraud and payment fraud almost doubled in just one year. In mobile money, the cases of fraud are overwhelmingly reported every day.

In 2021, KNBS reported that data breaches like data extortion, leakage, and disclosures constituted almost 71 percent of cyber-attacks for Kenyan businesses.

According to the Allianz Risk Barometer 2022 report, the most feared cause of business interruption is cyber incidents, reflecting the rise in attacks, the impact of companies’ growing reliance on digitalisation and the shift to remote working.

So how best can the regulator trying and stem the problem?

Let’s take this example reported by one of the dailies where someone had a card with them but got an alert from the bank that a transaction had been made. What is interesting was that the person had never used that card for online shopping.

This case was reported to the bank and the card blocked but this person continued to receive notification of someone still trying to make transactions with the same card.

In Kenya, the liability of such fraud cases lies with the customer, therefore they lose their money. But in US, with such a similar fraud case, the bank would have refunded the lost money. This is because under the Electronic Fund Transfer Act, the liability of unauthorized transactions is placed on financial institutions.

In the event where thieves hack consumers accounts or steal their phones and transfer money, the resulting transaction is considered unauthorized and requires banks or payment services to refund them.

The consumer protection law also goes further to demand that financial institutions are required to credit customers for unauthorized transfers from the accounts made by third parties. Where the third-party service gives a customer access to transfers from the customers bank account, the regulation holds that the service provider is liable for unauthorized transactions.

In the instance where the customer is tricked into authorizing payments, the liability is with the customer because the Electronic Fund Transfer Act does not protect those payments.

This clearly shows that Kenya has weak consumer protection laws when it comes to assigning liability of fraud payments.

Financial institutions have taken their consumer protection duty as one that ends at only issuing warnings of increased fraud cases and the need for precautions. But assigning liability incentivizes parties to exercise due diligence on their part and reduces the risk of fraud payments.

Fraud payments are largely where parties would have avoided by conducting due diligence to prevent fraud. So, Kenya should borrow this piece of consumer protection legislation from the US to help stem fraud payments problem.

The big regulatory challenge is in instances where consumers are tricked or scammed into sharing personal details that lead to authorizing payments.

The world is still struggling with this because its from this angle that most cases of fraud are emerging yet assigning liability to financial institutions as it is the case for unauthorized payments will actually lead to more fraud cases. Consumers will end up being less vigilant on fraud prevention because there is no incentive to the exercise.

The other challenge too is that with increased fintech penetration where more peer-to-peer payment providers are becoming popular. As peer-to-peer payments are becoming popular, fraud is also increasing within this space creating further regulatory challenges.

So the question is, how far should regulators go in fraud prevention under their consumer protection duty?