Principle
| | |
Member Organisation fraud prevention standards should include controls designed to prevent external fraud.
| | |
Control Requirements
| | |
| a. | A Member Organisation should include in its fraud prevention standards, controls to mitigate the risk of external fraud occurring, including but not limited to:
| | |
| | 1. | Hotline available 24 hours to report suspected fraud and take immediate action to respond to the fraud (e.g., blocking account access or cards).
| |
| | 2. | The provision of an emergency stop self-service capability for customers to immediately freeze their account and block further transactions if they suspect their account has been compromised.
| |
| | 3. | Customer identity and access management controls for online/mobile accounts and digital products.
| |
| | 4. | Use of blacklists to screen and block transactions, card provisioning or access from identified high risk:
| |
| | | a. | Accounts
|
| | | b. | IP addresses
|
| | | c. | Email addresses
|
| | | d. | Compromised devices or those that have previously been used for fraud (e.g., mobile phone app registered to an account which has been used to conduct fraud).
|
| | 5. | The capability to swiftly block transactions from customer accounts/cards, with defined safeguards in place to release the block.
| |
| | 6. | Requiring users of online and mobile services to consent to the activation of GPS during an active session to allow the organisation to monitor location.
| |
| | 7. | The capability for mobile apps to detect use on devices which have subject to jailbreaking or rooting, and subsequently block the use of the app or restrict access to sensitive data or features.
| |
| | 8. | Prohibiting the use of VPN services when accessing online or mobile services.
| |
| | 9. | Device registration which allows users to register trusted devices for access management.
| |
| | 10. | A restriction on concurrent log-ins to mobile app or a limitation on the number of devices which a mobile app can be installed and accessed.
| |
| | 11. | The identification of mule accounts (e.g., accounts set-up to receive fraudulently obtained funds and launder the proceeds of crime).
| |
| | 12. | User behaviour profiles which allow rules to be implemented to prevent access to customer accounts if unusual behaviour is identified.
| |
| | 13. | Monitoring of product inactivity and dormancy, particularly where products are reactivated.
| |
| | 14. | Notification sent to the customer when changes are made to static data to previous and new details.
| |
| | 15. | Online, mobile and phone payments:
| |
| | | a. | Sending an OTP to verify all payments instructed (new and existing beneficiaries), including transactions through remittance accounts.
|
| | | b. | Notification to the customer of new payees added (e.g., SMS, call back).
|
| | | c. | Setting a default limit for single and daily transactions which should be periodically reviewed and updated where required (e.g., review of customer profiles and behaviours, and actual fraud cases/customer losses).
|
| | | d. | Notify the customer if the default transaction limit is increased (e.g., if the customer account type is upgraded).
|
| | | e. | The option for customers to reduce the default limit for a single transaction.
|
| | | f. | The option for customers to reduce the default limit for daily transactions.
|
| | | g. | An immediate block on further transactions if a transaction limit is reached either through individual or recurring payments whether to one or multiple beneficiaries.
|
| | | h. | Additional verification checks to authenticate:
|
| | | | i. | Unusual transactions (e.g., transactions after a period of account dormancy, changes to customer behaviours).
| | |
| | | | ii. | Unusual patterns of transactions (e.g., multiple payments to the same beneficiary in a short period).
| | |
| | | | iii. | Transactions exceeding a defined value threshold.
| | |
| | | | iv. | Requests to increase the single or daily transaction limit.
| | |
| | | | v. | Initial transactions after registration for online banking or mobile services, or registration of a new device.
| | |
| | | i. | Additional verification checks should include but not be limited to, one or more of the following:
|
| | | | i. | Automated call-backs.
| | |
| | | | ii. | Manual call-backs.
| | |
| | | | iii. | SMS to registered mobile number.
| | |
| | | | iv. | Authentication via biometrics on registered mobile device.
| | |
| | 16. | Credit and debit cards:
| |
| | | a. | Adherence to all card scheme rules (e.g., mada business rules, Visa CVV2 code, Mastercard CVC2 code).
|
| | | b. | Use of one-time passwords (OTPs) to approve online transactions.
|
| | | c. | For high risk transactions, the use of extra authentication measures in addition to OTPs or mobile app approval (e.g., automated call-back to the phone number on the account).
|
| | | d. | Address/Postal code verification for online card payments.
|
| | | e. | New cards issued to require activation before use.
|
| | 17. | Validation controls to ensure the authenticity of cheques and similar instruments.
| |
| | 18. | Periodic inspection of ATMs for evidence of suspicious activity or devices that could compromise card security.
| |
| | 19. | Removal of clickable links in all emails and SMS sent to customers.
| |
| b. | Member Organisations should additionally implement the following preventive controls on a risk-based approach:
| | |
| | 1. | A delay to activation when a customer requests an increase in online/mobile transaction limits.
| |
| | 2. | Robotic prevention mechanisms prior to the instruction of a payment to mitigate the risk of automated bot activity.
| |
| | 3. | Functionality for customers to request instant notification of all account and card transactions to their registered mobile device.
| |
| | 4. | Geofencing when transactions occur in a location outside the customers home area (e.g., using mobile device geolocation data to require verification if a user attempts to access products and services while in a foreign country which is not in line with user behaviour profile).
| |
| | 5. | Procedures for holding suspicious transfers to countries classed as high-risk in the organisation's jurisdiction risk model.
| |
| | 6. | A delay to payments requested for new payees added via online/mobile services until further verification is completed.
| |
| | 7. | Introducing a delay before a new soft token can be activated on a mobile device.
| |
| | 8. | Notifying the customer of the registration of a new device and identifying critical services (e.g., card provisioning, addition of new payees) which should be disabled for a period following the new device registration.
| |
| c. | Member Organisations providing lending and credit products should include in fraud prevention standards, controls to mitigate the risk of external fraud occurring, including but not limited to:
| | |
| | 1. | Review of applications/proposals to check for potential application fraud (e.g., manipulation of details or misrepresentation of the applicant's financial position).
| |
| | 2. | Checks for fraudulent or counterfeit documents provided for identification or as security on lending.
| |
| | 3. | Panel management controls for agents, intermediaries, valuers and other third parties.
| |
