Fraud in Uganda: How Millions Were Lost to Internal Collusion
Kampala’s Anti-Corruption Court is at the epicenter of a major mobile money fraud, as the case continues against six ex-employees of MTN charged with defrauding the company of 10 billion UGX ($3.4 million). Among those charged is MTN’s former Finance Manager, along with the Head of Public Access and mobile money, who is counter-suing MTN for wrongful dismissal. Charges laid against the six ex-employees include embezzlement, electronic fraud, a neglect of duties, and unauthorized disclosure.
Along with sensational daily headlines, this case is providing a detailed account of the impact of a particularly large and public internal fraud on the mobile money system. Testimonies revealed that a significant portion of the money stolen came from MTN’s suspense account, which temporarily holds unclassified or disputed transactions. This includes funds from customers who enter the wrong number for their intended recipient, a not uncommon occurrence and reported to be one of the drivers of relatively high agent-assisted over-the-counter transactions in Uganda. The account did not have appropriate reconciliation procedures in place, which allowed the fraudsters to steal billions of shillings in just a few months between May and December of 2011.
MTN Uganda is not the only company impacted by fraud. Late last year in neighboring Rwanda, Tigo lost over 495 million francs ($170,000) when staff colluded to manipulate the mobile money system. There are many more cases like this that go unreported, and are dealt with quietly by providers. CGAP partners globally are increasingly concerned about fraud – both fraud conducted by internal staff as well as fraud perpetrated externally against agents and customers.
One of the most worrying aspects of the MTN case was that fraudsters internally generated float, or created e-money, on the mobile money system. The float was then sent to colluding agents and customers who cashed out the value. This means that e-money was being generated that was not backed by physical cash in MTN’s bank account held at Stanbic. As one former MTN employee testified, the stolen money was essentially “printed by MTN itself”. This demonstrates how fraud of this nature can have financial stability implications.
The unauthorized internal generation of float led to massive discrepancies between the general ledger account (MTN’s e-money balance) and bank balance at Stanbic. At one point, audit reports revealed that the discrepancy totaled 146 billion UGX, roughly $50 million, in falsely created e-money. The audit reports, from as early as 2009, warned MTN of various weaknesses in the mobile money system that made it prone to fraud, such as the mismanagement of user rights administration. It was reported that terminated employees continued to have access to the system as their user rights remained active and their passwords unchanged.
Staff were also able to use multiple active user log-ins which made collusion easier and the system much more susceptible to fraud. While MTN reached out to Fundamo, the platform provider for the mobile money system at the time, to help the IT Team tackle specific risks, adequate solutions such as stricter controls and procedures were not implemented, the fraudsters prevailed and billions of shillings were lost.
Since the fraud case, MTN has taken significant action to strengthen their systems in Uganda. The company spent nearly 14 billion UGX ($4.7 million) on a financial migration project, and rolled over from the Fundamo platform to an Ericsson one which they expect to be more secure. One important feature on the platform is that it allows senders to see the recipient’s name before money is sent. This decreases the number of wrong number transactions and reversal requests, and lowers the balance on the suspense account. The company also implemented stronger internal controls and is working more closely with the central bank to ensure that adequate monitoring procedures are in place. MTN also covered the full cost of the losses incurred by the fraud to ensure that the money of both customers and agents was not affected.
The very public nature of this case and scale of the losses will hopefully lead to some positive outcomes in both Uganda and beyond. At the very least, we are anticipating that the MTN case will inspire more open and forthright conversation around fraud among industry actors in mobile money markets around the world. More open dialogue can pave the way for the identification and adoption of practices that mitigate the risk of internal fraud.
Conversations with CGAP partners have revealed that some providers have already put such practices in place. This includes the clear separation of duties for staff (different members of staff initiate and approve transactions), better management of password access (2 or more passwords needed to access the system), having internal staff and departments dedicated to monitoring and addressing fraud (compliance departments within providers or having full-time resource to ensure that all issues raised by audits are addressed), implementing automated reconciliation systems for e-float accounts (performed daily by independent units), and automating transaction monitoring and revenue assurance systems to ensure that suspicious transactions are noticed immediately and addressed swiftly.
Although mobile money providers need to take the lead in strengthening their platforms and risk mitigation processes, regulators need to adequately oversee that sufficient internal controls are in place. In Uganda, the MTN fraud case has led to an increased sense of urgency to strengthen regulation in this area. As we explained in a blog earlier this week, the central bank will not have the legal authority to regulate the payments sector until the BOU Act is amended and a payments law enacted. Against the backdrop of the fraud trial, the Governor of the BOU expressed concerns regarding the impact that ‘radical’ mobile money business will have on financial regulation.
The Governor also commented that the central bank’s ability to control interest rates could be undermined if action was not taken and that existing prudential regulation may no longer be sufficient to protect customers’ money and ensure the stability of the overall financial system. We are hoping that this new sense of urgency is translated into action. At the very least, the central bank can take a more active role in ensuring that mobile money providers have put in place adequate controls for risk management, instead of outsourcing the supervisory task to banks in Uganda as they do now. Such measures will increase the chance that discrepancies between e-money float and cash in bank are closely monitored and that any such discrepancies are swiftly addressed.
As the details of this case unfold, it is clear that failure to closely monitor and aggressively address fraud can result in significant losses to providers as well as undermining the confidence of customers and the regulators entrusted with protecting them and the integrity of the financial system.
Great blog Olga. Show me a mobile money provider who hasn't had issues with reconciliations at one time or other and I will be surprised! Important to have more dialogue about it to ensure risk systems are industrialised.
Thanks Brad. I completely agree that more open dialogue is key. We are also looking for more good examples of measures to control the risk of internal fraud so welcome a contribution of those in this discussion!
it is a great blog. I, as a central bank officer, may obtain precious view to focus on in outlining regulation for Digital Financial Services, especially for bank or ptovider supervision in its mobile payment system securities and safety
Better Safe than Sorry
The blog is really frightening as mobile money is generally believed to be more secure than other modes like offline payment mode or even online payment modes of cash in cash out. I as an ex banker always maintained that we have been continuously failing to control frauds inside our bank premises, and controlling these outside at agent premises is almost impossible. However, the reported fraud again shows how internal failures continue to flourish. It may appear stupid even, but we need to ingrain the payment systems within the banking systems only. Indian proposed system of creating payment banks involving the telcos, in some sense, appears more logical now. I prefer banks because only banks have over last two centuries of commercial banking have suffered enough to care for risks involved in managing cash or other persons' moneys, and technology has strengthened their systems and procedure to a greater extent. Similarly, banking regulators can regulate only banks and miserably fail to control other institutions like MFIs or telcos. Finally, while dealing with poor peoples money, it may be better to be safe than sorry.
Hi YP Issar,
Thanks for your feedback. I am not sure if we want to go as far as ingraining payment systems into banks but telcos certainly need to start an open dialogue with bank on best practices in security, which rarely happens. I agree with you completely that banks have been dealing with similar risks for much longer and have built very strong internal control systems. They are the right ones to advise the MNOs on how best to set up risk mitigation efforts. I am hoping we see more of this in the future.
This is a good read Olga.Thanks
Hi Olga, could the bitcoin blochchain technology be the answer to curb this sort of fraud? Great article btw.
Hi John, interesting suggestion. Can you please tell me more how it would be safer to use bitcoin blochchain? I am not sure how reconcilliations work in this regard and just how much fraud these systems have seen...
An interesting article, This is strange that how MTN Fraud & Risk Department overlooked the user roles and allowed the staff to have multiple logins.Operations is the Key function of MFS business.
In order to have smooth operations executions, strong efforts should be made on operational processes & building Internal control,Usually it happens to have multiple login where staff is less and organizations create different profiles and authorizations for using multiple logins for one user.This helps in avoiding the more staff recruitment and saving cost but in other way, organizations are inviting users to play with system and giving them a chance to involve in fraudulent activities.Consequences of authorizing one user with multiple logins can be very damaging.
There should be maker and checker concept for mitigating the risks and creation of separate Internal Control Department for monitoring the Internal Staff activities.
Risks can easily be mitigated by building the strong controls, like Daily reconciliations, Users Activity Monitoring, Creating different profiles and assigning authorizations as per their nature of work, Organizations shouldn't compromise on Users roles and one user should have only one login. System should also be smart enough to record the user's activity logs.
Syed, I think MTN has since made a lot of changes to it's internal control systems, learning the hard way on how important it is to have a system which is air tight. They now also reconcile their e-money and cash float every 15 minutes, to allow for discrepancies to be immediately seen. But you are 100% right that risks can be mitigated if they are tracked closely. But also remember that fraudsters are always finding new vulnerabilities in the system so organizations have to be reactive to the risk and consistently ensure that they are on top of monitoring.
Recent news on Mobile Money fraud in Kenya (http://allafrica.com/stories/201601150712.html) urged me to write on this blog. The fraud is committed on low value transactions whereby fraudsters conned customers using simple tactics.
This time it is less of internal & system controls and more about customer education & awareness. I still believe the responsibility falls on financial services providers as well as regulators to design and execute awareness programs.
Kenya is just one example I have seen this happening in other parts of the world specially where Telecom operators are taking active part in Mobile Money.
This also calls for amendments in criminal laws of the country to include crimes happening on digital financial services space.
I agree totally with Y P Issar that Banks have more experience instituting and managing internal control risks and Telcos must engage them to minimise internal/internal frauds in mobile money services. Central Banks must re-align their regulatory efforts in this regard too because mobile money has come to stay and it is a financial inclusion enabler to a very great extent!