It’s a well-established fact that fraud is a global problem. But global does not mean uniform, and the types of fraud that are a less-used tactic in one territory may be the dominant form in another.
During the IDC Financial Insights (India) conference, I joined Ganesh Vasudevan, Research Director, IDC Financial Insights Asia/Pacific, to discuss the types of fraud that are most prevalent in India, and some of the common pitfalls encountered by financial institutions as they try to combat it.
An expensive problem
The scale of the challenge of fraud in India is reflected in the amount of money that banks are spending on fraud prevention and detection. The figure is projected to grow by over 21% over the next four years and is estimated to stand at $130 million per annum by 2025.
That is being driven in a major way by one important attack vector: phishing. In fact, the Indian Computer Emergency Response Team (CERT-In) saw phishing increase by 87% from 2020 to 2021. During the same period, card fraud and frauds related to internet banking increased by 41%, with at least ten fraud incidents reported every day, at a cost of over $12,500 per day.
It's important to note that 40% of all fraud incidents faced by financial institutions are related to card or internet incidents via phishing and its related activities – smishing, vishing, skimming, and so on. This raises the question: why are these expensive and damaging fraud vectors seemingly going unchecked?
The Indian financial landscape
To answer that, we need to look at a little bit of recent history. India has been generally known as a cash-based economy, but that started to change – rapidly – at the start of 2020.
The pandemic had a massive impact on digital transformation right across the globe, and India was no exception. In 2017, only 21% of households had internet access; by 2021, that figure had more than tripled to 61%. The lockdowns over 2020 and 2021 saw more than 130 million people come online.
Contactless payments and e-commerce became the norm rather than the exception. Since March 2020, the volume of Unified Payments Interface (UPI), India’s digital payments facilitator regulated by the Reserve Bank of India, jumped nearly 240% while the spike in value terms was over 273%.
And of course, with large amounts of money at stake, the fraudsters were not long in following.
Banks and FIs are aware of the problem, and they are taking defensive measures against fraud. Unfortunately, many of those measures are not effective. Bad actors – the fraudsters and scammers – are relentless early adopters and highly adept at rapidly adapting to any countermeasures that they find in their path. And often, banks and FIs find themselves playing catch-up.
There is an overreliance on outdated technologies to prevent fraud, technologies that are simply not up to the challenge. The digital technologies that underpin online transactions may have started life as direct emulations of analog processes, but that was a long, long time ago. Since then, they’ve evolved extensively.
A digital-first world demands digital-first solutions
The same can’t be said for the measures used to combat fraud. Here, they tend to be direct ports from the physical world: username and password pairs and SMS OTPs for second-factor authentication. These are concepts that are decades old and were never designed with security in mind; small wonder that the fraudsters have found ways to bypass them.
Many organizations have adopted a zero-trust security framework, which requires all users to be authenticated, authorized, and validated continuously. This one-size-fits-all approach offers a degree of security, but at the expense of customer experience. At a time when customers expect fluid and seamless user journeys, a continuous authentication approach is inefficient and adds undue friction to customer journeys.
The Reserve Bank of India (RBI) takes a hand
It’s not only banks and their customers who want to do something about fraud. The Reserve Bank of India (RBI) has been taking an increasingly hard line on the problem. On 18th February 2021, the RBI published the Digital Payment Security Controls directions – a detailed set of guidelines designed to help bolster India’s digital payments ecosystem.
One of the important aspects of these guidelines is the RBI’s strong focus on behavioral biometrics. It’s a recommendation that makes a lot of sense – fraudsters might be able to intercept OTPs or steal credentials, but getting past behavioral biometrics is another matter entirely. Because it recognizes a user from their unique patterns of swiping and typing and even how they hold a device, it provides a high level of security and does so passively, without adding friction to the customer journey.
For this reason, behavioral biometrics has not only gained significant traction across the globe, but it’s also become the recommended approach for standards that form the backbone of regulations in a number of countries. One example is Strong Customer Authentication, or SCA, where the UK’s Financial Conduct Authority has strongly recommended the use of behavioral biometrics.
Modern solutions for a modern challenge
The large-scale adoption of SCA is a powerful reminder that across the globe, businesses are understanding that sophisticated fraud can’t be tackled with primitive technologies. Banks and FIs need to look to solutions that are highly evolved and designed with a digital-first mindset.
Rather than thinking in terms of trying to detect and prevent fraud, a positive identity approach is the answer, where the genuine user is positively identified to be the person whom they say they are – which helps prevent fraud and reduces friction. Callsign’s solution layers Muscle Memory Technology, our best-in-market behavioral biometrics, with a host of other technologies that allow businesses to passively identify legitimate customers with minimal friction while keeping the bad actors locked out.
Those technologies include Callsign’s location and device intelligence, which lets businesses offer authentication that combines device and behavior in one single action. As a leader in providing SCA-compliant solutions – Callsign has helped some of the world’s largest banks meet SCA requirements with behavioral biometrics and device fingerprinting – we can offer the same smooth and seamless solutions that allow businesses to comply with the RBI’s requirements.
Callsign’s Orchestration Layer gives organizations the ability to create simple and personalized experiences in a secure and controlled manner. In a highly competitive arena, a smooth customer experience is an important consideration for financial institutions.
Customer experience has to be completely fluid, end to end. The onboarding experience needs to be easy and seamless while keeping the customer safe, as does every interaction thereafter, whether it be on the app or website. Step-up authentication is used only if something seems off, meaning that friction is only introduced by design.
Looking to a safer future
The Indian technological and financial landscape has changed beyond recognition in the last few years. One thing that is very certain is that many of those changes – in particular, the massive shift towards online and digital – are permanent.
There is little doubt that more changes are coming. The RBI’s requirements are likely to be followed by further regulatory changes and the techniques of the fraudsters are certain to keep evolving. Fraud isn’t going to go away any time soon.
But by tackling evolving fraud with forward-looking solutions, businesses can not only catch up with bad actors, but also stay one step ahead of them. It also ensures that organizations can keep pace with the changes of regulation that are happening not just in the future, but – as RBI’s directions demonstrate – right now. And that’s welcome news for banks and FIs – and their customers.