Mobile Money Security: What is the Answer – Regulation or Technology?
Recently there have been more reports of digital theft within the M-Pesa mobile money transfer service. In Embu, a M-Pesa agent was tricked into sending Sh50,000 (~$600) to an unknown account. It occurred when an individual received a message that he received an incorrect transfer and then he went to the agent in order to have the mistake corrected. Other examples include thieves posing as customers or Safaricom staff and calls or SMSs from unknown numbers informing the individual that they won a prize. With the large amount of money being transferred on a daily basis, it is easy to see why M-Pesa has been the target of fraud. From July to September in 2011, $683 million was transferred over mobile phones in Kenya.
The interesting aspect to this fraud is that mobile money is shown to be a safer alternative to traditional money transfer services. But as the number of fraud cases increases, it could start to be perceived (true or not) as an unsafe way to both transfer and store money. This could diminish adoption rates, especially at the bottom of the pyramid as they tend to be more risk adverse. Since their account totals are much lower, one fraudulent transfer could wipe out their entire account. Fraud could also cause the telecom providers to be further regulated by governments. Since they are not banks, they are not regulated under the same rules as banks. This includes the Know Your Customer (KYC) laws. After 9/11, there was a great push by the United States for banks globally to gather more information about their clients and further verify their identity. But since the mobile money services provided by telecoms (when not partnering with banks) are not classified as banking services, the telecoms are not required by law to follow the KYC laws. As shown in the examples above, once the money had been transferred, there was no way to get it back. The reason for this is that many mobile accounts are unregistered. Because an individual can simply purchase a SIM card at a local store, there is no way for mobile providers to track who received a fraudulent transfer. But some governments have started to require citizens to register their SIM cards. In Ghana, the National Communication Authority (NCA) has made this requirement mandatory by March 3rd. If a SIM card is unregistered by then, the account could be deactivated. This means that roughly 7.5 million users could have their phone cut off. This is an extreme example of how to further regulate the mobile market. But is it the right answer?
Or can technology provide the answer? Further regulation is probably needed to slow down the amount of fraud, but there is a fine line between being too invasive on the end user and providing greater protection. One of the benefits of mobile money is that the lack of registration required which allows those who do not have a bank account or proper documentation to receive financial services. This is especially true of those that live in rural regions. But along with regulation, how can technology be used to solve the problem? Extra security steps can be taken to verify the validity of the transfer. But, again, it cannot be too intrusive as it could cause a decrease in usage by customers. While regulation and technology could possibly help, one of the main problems is the social knowledge of the end-user. Especially in the “You Have Won” messages, the cons are banking on the end-user lacking knowledge about these types of frauds. As shown in the articles, individuals are starting to catch on as are the authorities. The police have been trying to inform citizens that they need to avoid these messages and take extra steps to confirm the transfer. There is no clear and easy answer to solve this problem, but it must be on the front of the minds of MNOs and government regulators. Mobile money is too strong of a tool to let security issues slow the expansion of financial services to those who never had access to them before.