Fraud in banks on the increase
The total combined gross revenue of twenty six (26) commercial banks in Uganda was Ugx. 1.94 trillion (US $750 million) in 2011. It increased to US $810m in 2012. The total cost of doing banking business was Ugx. 1.34 trillion (US $515m) in 2011. That is a 69% cost to income ratio (CIR)! It means that for every 100 shillings each bank earned, 69 were spent. This is quiet telling of the level of inefficiency in the sector. With a CIR averaging below 55.1%; UK, Greek, and Irish banks have high profitability despite a large portfolio and demanding clientele base.
Now the new service taxes have made things worse. Formerly, sending money via EFT was Ugx. 50,000 (US $19.2). Effective 1st July 2014, it is Ugx. 70,000 (US $26.9). That is a 40% sudden increase! The service taxes increased by 10%. Banks increased the fees by 40%! They got an opportunity to transfer costs to the customer.
Profitability in banks is specifically influenced by two factors; pricing and service production capabilities and general market conditions. The latter is difficult to control at individual bank level. Pricing and service production are influenced by productivity and efficiency in a given bank. The largest most contributor to a high cost to income ratio in Uganda banks is high staff costs and fraud. With a total of Ugx. 1.94 trillion, experts estimate about 15% is lost to fraud that is a whooping Ugx. 290billion cost or an average of Ugx. 11 billion per bank. Over 80% of the frauds are as a result of the weaknesses in the bank’s IT systems.
Take a case of a recent fraud.
The fraud involved manipulation of the bank’s client database by adding fictitious entries in the place of the genuine ones. Weak controls and lack of real time monitoring over the core banking application enabled some IT staff in collusion with an external party, to exploit a backdoor and install unapproved program on the bank’s SQL server. If the heart is a human’s soul, the SQL server (database) of any core banking application is the bank’s heart. Unfortunately, most banks rely on the vendors for on-going maintenance without providing for independent third party assurances.
The fraudulent program was timed to make changes to the live client accounts at a predetermined time between 3 and 4 pm. The fraud involved replacing the personal details of the genuine clients with those of fraudsters on the specified accounts. The parameters would reset back to the original after 5pm, making it difficult to trace. The impact of the fraud on the bank was catastrophic.
Any banking application has a frontend and backend. The front end is the user interface. When a customer comes to transact with the bank, s/he enters the unique customer bank account information to confirm whether they are genuine customers of the bank, by ‘calling’ all information about the customer in the banking system. If a wrong account is typed the system does not show anything or bring another customer’s information. It is for this reason that banks require tellers to see customers in the face as well as retain copies of their IDs to confirm whether the customer is genuine or not. All this is done in the front end of the banking application.
In the backend, it is where the code that supports the frontend sits. All banking applications use a database system which also contains a business logic that makes it possible to conduct business. Any changes to the database and business logic have an impact on the frontend. It is for this reason that no object should be added to the backend without senior management approval. For example, one of the bank’s controls could be “any withdrawal above Ugx. 10m must be after a senior manager’s approval.” To be effective, this control must be set up in the bank end business logic such a manager is notified every time a teller processes transactions above the allowed limit.
Fraud in Uganda is increasing at a faster rate because few, if any, wants to acknowledge the extent of the problem. As a result, there are not meaningful solutions that the industry has put in place to confront the vice. It is very difficult to solve a problem you cannot acknowledge.
As information technology becomes the top most business driver in any industry, there is need for a specialist independent technical person to sit on the board to assist whenever technical matters concerning IT or risk are to be discussed. This will help provide new perspectives to the board’s risk management thinking and oversight role. The regulator (central bank) in partnership with the Uganda bankers association should establish a fund to set up a fully fledged forensic investigation unit and empower Uganda police economic crime department with the necessary skills to undertake thorough investigations.
In Uganda, just like elsewhere, fraudsters steal because they know they will not be caught, and if caught they will not be prosecuted.
To prevent online frauds, the bank and users must take minimum security precautions:
Conduct on-going independent penetration tests at worse, once every 12 months
Provide on-going user training to all your staff on the network. The best way is to train staff once every six months as technology is ever changing. Plus, fraudsters especially cyber criminals have found out that the easiest vulnerability to exploit is the human error. For that reason, all hacking attacks exploit human negligence or ignorance
Customer awareness of their responsibilities to keep their usernames and access secure is critical as well.
There are many technical insights, but the above suffices.
Copyright Mustapha B Mugisa, CFE. All rights reserved 2014.