DFS Risk: “When It Works, It’s Great; When It’s Bad, It’s Awful"

Many innovative DFS providers don’t have an embedded culture of risk management. More traditional providers understand risk as it relates to conventional financial services, but often fail to grasp the implications of advanced technologies and their potential impact on customers.

CGAP’s recent "Doing Digital Finance Right" focus note highlights 7 core customer risks that are particularly salient with digital financial services. A survey among a range of DFS providers from 11 emerging markets in Africa plus 5 multinational organisations, conducted by IFC and The MasterCard Foundation, exposes five additional risks that providers face in the design and delivery of DFS, several of which affect the potential for consumer risks.

The survey included microfinance institutions (MFIs), mobile network operators (MNOs), banks, payment service providers (PSPs), and technology providers, and aimed to gain a broad perspective of current risk management practices. It shows that some of the biggest points of risk evolve from extended value chains, ie, partnerships formed to provide DFS, in which one organization does not control the end to end service, potentially leaving the system, and the customer, vulnerable.

While some literature is available to give advice on how to manage these new risks, best practices usually come from hard-earned experience. One company interviewed said that moving to DFS greatly enhanced both the positive and negative impact on their customers:

“Most customers using these (DFS) really like it. When it works it’s great but when it’s bad it’s awful. Much worse than normal systems.”

1. Reputational risk

Concerns regarding reputational risk were apparent in all of the interviews. For instance, with frauds appearing in the news in some markets, customers lost trust in providers, which impacted their use of both DFS and also their core voice business. As one said:

“Definitely the damage was far beyond mobile money … it was beyond the DFS provider and touched the whole mobile money space. Reputational damage was many-fold.”

Competitors not involved in the fraud said they may have inherited some customers who switched suppliers, but the whole market shrunk so they were net worse off. Technology providers are particularly concerned about reputational risk as they are often implicated, regardless of whether the technology was to blame. They are taking large steps towards improving the security of their systems, and giving the DFS providers risk training and templates of procedures to help protect the reputation of their software.

2. Regulatory risk

For all types of institutions in all markets, there is a strong general feeling that most regulatory frameworks are ambiguous, constantly changing, or sometimes developed by those that don’t understand DFS and thus impose impossible or contradictory policies, such as having separate mobile banking and agency banking regulations that contradict each other. Despite this, many believed they have no choice but to live with it, although one took a more proactive approach:

“If you’re not willing to ask for forgiveness rather than permission you’re not going to go anywhere in this new market.”

Most institutions considered AML/CFT and KYC to be the principal sources of regulatory risks. Requiring customers to provide identity documents that they simply do not have is excluding large proportion of the population in some market, especially in rural areas.

3. Technological risk

Interconnectivity with multiple systems and reliance on third parties makes all institutions vulnerable to technology risk. Many have issues with system downtime and transaction failure, which impacts customer trust and can also be a source of reputational risk. This is one of the reasons why many customers prefer agents to transact on their behalf, as the risk is then considered to be the agent’s problem.

4. Fraud

Almost all interviewees admitted to experiencing some fraud, mostly minor, although the full extent is unknown. The MNOs were more likely to have seen large internal fraud, while the banks and MFIs were likely to cite small scale agent fraud, such as fee mark ups, customer ID theft, and duplicate transactions. Because of customer sensitivity to fraud, as well as the cost to the business, fraud is the risk most likely to be covered in risk management frameworks, with multiple mitigation strategies. One institution had even developed a reconciliation tool for agents to help prevent fraud.

5. Operational risk

There was a fairly low awareness of the importance of risk mitigation by employing clear, well-constructed operational procedures and business processes amongst most organizations. The notable exception was the banks, for which this is a core strength.

Next Step: creating risk frameworks that work

As the DFS market grows, the customers are becoming more sensitive to potential fraud, and less tolerant of poor product performance. To combat this, most institutions have some type of risk management framework for their core business that has been extended to DFS. The implications of how DFS change the risk profile are understood by some, whilst many remain unsure of how to react, creating a growing need for guidance about DFS risk management relevant and accessible to all types of DFS providers. Risk registers are fairly widely used, but there seems to be a limited understanding of how to implement them. Group level MNOs and MFIs are recruiting risk managers to train local level staff, but most recognize that this is just the start of a long journey.

The interviews that IFC conducted are part of a larger study on Risk Management that will be published in 2016.