HANDBOOK: DIGITAL FINANCIAL SERVICES AND RISK MANAGEMENT

ACKNOWLEDGEMENTS
The MasterCard Foundation and IFC's Partnership for Financial Inclusion Program would like to acknowledge the generous support of the participating institutions in our study: Tigo Tanzania, Kopo Kopo Kenya, FINCA DRC, Fidelity Bank Ghana, and Zoona, as well as Genesis Analytics for their work in supporting the risk assessments and contributions to the handbook. The authors would also like to thank Anna Koblanck for her extensive editing, and the IFC clients, DFS providers, and industry stakeholders who participated in interviews, including Software Group, GSMA, and CGAP. Finally, The MasterCard Foundation and IFC would like to extend special thanks to the authors, Lesley Denyes and Susie Lonie, and to the reviewers for their contributions: David Crush, Ruth Dueck-Mbeba, Justice Durland, Cameron Evans, John Gutin, Richard Ketley, Andrew Lake, Joseck Mudiri and Patricia Mwangi.

ISBN Number: 978-0-620-71506-5

FOREWORD
This handbook is designed for any type of financial institution offering or planning to offer digital financial services, such as mobile money and agent banking: microfinance institutions, banks, mobile network operators, or third party payment service providers. The conceptual framework for risk and risk management is based on the global standard for enterprise risk management and its associated best practices (ISO 31000), but the application of the principles, illustrations, and descriptions addresses risks from all perspectives and for all types of providers. Examples and case studies are illustrative only and are sometimes anonymized to mask the identity of the institution, which allows a fuller description of the circumstances surrounding the events that occurred.
Examples are highly characteristic of the type of institution and the specific market environment, and must be contextualized before being applied in a different setting.

The handbook does not assume any prior knowledge of risk management; it does, however, assume a moderate understanding of Digital Financial Services and Alternative Delivery Channels, including products, the function of agents, and the role of technology and regulators. For the sake of consistency, the handbook refers to digital financial services (DFS), a broader term that covers many channels as well as products. A glossary can be found on page 109 for further descriptions of terms used in the handbook.

The handbook is organized in four parts:
• Part one provides the conceptual framework for risk management and the key elements of the process. It also gives an overall context for DFS risk management.
• Part two describes the main types of risks faced by DFS providers, including real examples from various markets.
• Part three introduces the step-by-step process of implementing a risk management framework. It can be used to guide the initial design and deployment of a DFS strategy, as well as to monitor and manage risks during the ongoing implementation of the strategy.
• Part four highlights lessons learned by IFC clients across Africa, and considers how digital financial services may change in the coming years and the risks and opportunities DFS present to financial service providers.
In addition, the tools chapter provides a full risk database, and there is a glossary that can be used as a reference guide when developing a risk management strategy for your institution.

CONTENTS
Foreword 2
Acronyms 6
Executive Summary 8
Introduction 11
Part I: Overview of Risk Management Techniques 12
Part II: Risk Definitions 18
1. Strategic Risk 20
2. Regulatory Risk 24
3. Operational Risk 28
4. Technology Risk 33
5. Financial Risk 40
6. Political Risk 44
7. Fraud Risk 48
   Customer Fraud 49
   Agent Fraud 49
   Business Partner Driven Fraud 50
   System Administration Fraud 50
   Provider Fraud 50
   Sales and Channel Staff Fraud 50
8. Agent Management Risk 54
9. Reputational Risk 58
10. Partnership Risk 61
Summary 66
Part III: Risk Management Framework Applied 68
Section 1: Set Context 71
   Step 1: Define risk team 71
   Step 2: Define roles and responsibilities 72
   Step 3: Define timeline and budget for development 73
   Step 4: Create a plan 74
   Step 5: Establish Risk Tolerance Levels 74
Section 2: Identify Risk 75
   Step 1: Research industry resources 76
   Step 2: Historical review 76
   Step 3: Current assessments 76
   Step 4: Brainstorming 77
   Step 5: Record all risks identified in a risk register 77
Section 3: Analyze and Evaluate 78
   Qualitative 78
   Step 1: Assign probability and impact 78
   Step 2: Risk analysis 78
   Risk Prioritization 78
   Step 3: Rank risks based on qualitative and quantitative risks 78
   Step 4: Decide which risks are worthy of treatment responses 78
Section 4: Risk Strategies 81
   Step 1: Develop risk termination strategy 81
   Step 2: Develop risk transfer strategy 81
   Step 3: Develop risk treatment strategy 81
   Step 4: Develop risk treatment tactical response 82
   Step 5: Develop Key Risk Indicator 82
   Step 6: Record risk strategies in register 82
Section 5: Monitor and Review 85
   Step 1: Risk Reassessment 85
   Step 2: Track risks for period 85
Summary 86
Part IV: Insights and Tools 88
Lessons Learned 88
Conclusions 91
Tools 93
   Risk Management Checklist 93
   Risk Register Template 94
   Risk Database 95
Glossary 109
References 111

ACRONYMS
ADC Alternative Delivery Channel
AfDB African Development Bank
AML/CFT Anti-Money Laundering and Combating the Financing of Terrorism
API Application Program Interface
ATM Automated Teller Machine
DFS Digital Financial Services
ERM Enterprise Risk Management
GDP Gross Domestic Product
GSMA Groupe Speciale Mobile Association
IFC International Finance Corporation
ISO International Organization for Standardization
IT Information Technology
KPI Key Performance Indicator
KRI Key Risk Indicator
KYC Know Your Customer
MFI Microfinance Institution
MNO Mobile Network Operator
MOU Memorandum of Understanding
NGO Non-Governmental Organisation
OTC Over The Counter
P2P Person to Person
PAR Portfolio at Risk
PIN Personal Identification Number
POS Point of Sale
PSP Payment Service Provider
SIM Subscriber Identification Module
SLA Service Level Agreement
SMS Short Message Service
TPS Transactions Per Second
USD United States Dollars
USSD Unstructured Supplementary Service Data

EXECUTIVE SUMMARY
The last decade has seen a wave of innovative financial services aimed at serving the unbanked populations in emerging markets.
Low-income individuals, micro-entrepreneurs and rural populations that were previously left out of the market due to the high costs of physical expansion are now accessing financial services through mobile phones and networks of agents acting as representatives of financial service providers. This has resulted in a remarkably rapid increase in financial inclusion in some countries. In other markets adoption has been slower and the results less catalytic, but all markets are growing and are expected to continue to do so as services and products develop. It is expected that the expansion of digital financial services will make an important contribution towards the goal of reaching universal financial access by 2020. However, with the many opportunities provided by ground-breaking technology and innovative business operations also come new risks. The risks related to implementing digital financial services extend far beyond operational and technical risks. In order for the financial inclusion industry to be able to capitalize fully on the benefits of digital financial services, it is important that the accompanying risks are understood and adequately addressed. In this fast-evolving field, it has become apparent that what matters to one provider matters to all: large cases of fraud, for example, affect not just consumer trust in one provider but trust in the market and in the promise of digital financial inclusion as a whole.

The Partnership for Financial Inclusion is a joint initiative of IFC and the MasterCard Foundation to expand microfinance and advance digital financial services in Sub-Saharan Africa. Through interactions with clients of the program as well as the broader industry in the region and beyond, we identified a need for a handbook on how best to handle risk management for digital financial services.
There are a number of good industry publications that focus on specific risks such as fraud or regulatory risk, and some documents focused on challenges specific to certain institutions, such as GSMA's Risk Management Toolkit for Mobile Network Operators. There is, however, no comprehensive guide to the risks associated with DFS implementations in general that, in layman's terms, can assist an institution in learning from the beginning what risk is, how risk affects a DFS deployment, and how to manage it. In 2015, we embarked on a series of research projects to answer these questions and to develop this handbook.

In developing this handbook, we interviewed more than thirty practitioners, software vendors and industry stakeholders, and conducted four in-depth organizational risk assessments. Most of these practitioners are based in Sub-Saharan Africa, but their experiences can also be helpful for other regions. During the research, we learned that there are very few institutions, including banks, MFIs and MNOs, with any kind of risk framework for DFS. Only one institution had developed a comprehensive risk management framework that was regularly used and reported to group level on a monthly basis. It is probably not a coincidence that it was also one of the few institutions that had not had any publicly reported fraud, small or large. We found it surprising that the banks in our sample had the least developed frameworks, given that banks are traditionally known as risk-averse institutions with strong risk and compliance departments. Our conclusion is that there is a strong need for financial service providers across the industry to strengthen DFS risk management practices if they are to achieve their business objectives.

Through this research initiative, it also became apparent that while risks can be described in various categories, they are often strongly related. Technology, strategic, and agent management risks can all lead to reputational risk, and fraud can incur even bigger financial losses through reputational damage than through the fraud itself. Certain strategies were also identified as the most effective in managing risk: the use of call centers to track, monitor, and predict eventualities; strong reconciliation and settlement processes to reduce potential losses; and taking partnerships seriously and ensuring that partners are held accountable.

This handbook uses the ISO 31000 standard for Enterprise Risk Management to establish principles for the risk management of DFS. It follows the framework of 7Rs and 4Ts that the AIRMIC/Alarm/IRM (2010) structured approach to ISO 31000 uses to develop risk frameworks:
• Recognition or identification of risks
• Ranking or evaluation of risks
• Responding to significant risks
»» Tolerate
»» Treat
»» Transfer
»» Terminate
• Resourcing controls
• Reaction planning
• Reporting and monitoring risk performance
• Reviewing the risk management framework

When doing a risk assessment, it is important to look at the causes of the risks and to identify trends. Prevention is much more effective than damage control after the fact. One example that came up repeatedly in our research was that a lack of business process, or a lack of enforcement of existing process, leads to most large-scale internal fraud. Large-scale internal fraud has the power to shut down a service, as well as to cause such reputational damage as to shrink the whole market. Technology is often blamed for fraud, but in many cases the opportunity for fraud is opened up by a lack of good operational practices.

Going forward, there are key trends that will dictate how we look at risk and DFS. The pace of technology enhancement and smartphone penetration will shape how services are developed and offered to the market, and regulations will continue to change with the dynamics of the market. In an increasing number of jurisdictions regulators are starting to mandate interoperability between payment services, including mobile money, as well as preventing providers from signing exclusive arrangements with agents. Whilst the longer-term vision is to see a reduction in the use of cash as people adopt DFS for more transactions, at present cash remains dominant. It is therefore essential that providers continue to focus on liquidity management, allow customers to cash out regularly, and manage the associated risks.

It is our hope that this handbook will provide useful guidance and support to organizations employing digital financial services to expand financial inclusion. Good management of the risks involved is necessary for the opportunities of new technology and business models to be fully realized for the benefit of providers, partners, customers and emerging economies alike.

INTRODUCTION
IFC supports institutions seeking to develop digital financial services for the expansion of financial inclusion, and is engaged in a multitude of initiatives across a range of markets through its portfolio of investments and advisory projects. In Sub-Saharan Africa, many advisory projects are implemented in partnership with The MasterCard Foundation in a joint initiative that also includes a comprehensive research agenda. Much of the early learning from these projects was captured in the Alternative Delivery Channels and Technology Handbook1, which provides a comprehensive guide to the components of a DFS strategy and, in particular, to understanding the technological building blocks for a successful deployment. In conjunction with supporting the expansion of financial inclusion through DFS, it is important to ensure their sustainability and reliability through the implementation of effective and responsible risk management practices.

The research for this handbook included three components: interviews with approximately 30 practitioners; four in-depth case studies with Tigo Tanzania (MNO), FINCA DRC (MFI), Kopo Kopo Kenya (PSP) and Fidelity Bank in Ghana; and a two-day client workshop held in Cape Town in November 2015. The research objectives were to:
• Clearly define and describe all types of risk that may be faced by financial service providers using DFS.
• Provide easy-to-use guidelines for conducting risk diagnostics and assessments, developing risk frameworks, and implementing risk management tools.
• Analyze how different types of financial institutions currently assess risk and implement risk management tools.
• Identify general lessons learned by financial service providers about DFS risk management that are relevant to other markets and organizations, on such issues as integration with existing institution-wide risk frameworks; key risk indicators; the most common types of risks faced; how best to mitigate risk; and best practices for DFS risk management.

We found that although most providers have extended their existing risk frameworks to include alternative channels, there is only a nascent understanding of the additional risks that DFS bring. This is particularly pertinent as DFS deployments often mean that organizations engage in business activities outside of their core business, such as mobile network operators offering financial services through mobile wallets, or banks and MFIs partnering with MNOs to offer traditional banking products through new channels. There is a growing need for guidance about DFS risk management that is relevant and accessible to all types of providers.

There are several excellent reference documents that give technical detail about the creation of a risk management framework (see page 111), and this publication does not seek to replicate them. Our focus is to describe the basic underlying principles of risk management for practitioners who are not risk specialists but are involved in the establishment and protection of a DFS business. As with any new service, there is much to be learned and many challenges and unanticipated risks to be addressed. This handbook serves as a practitioner's guide to identifying, assessing, and mitigating risks specific to DFS.

1 Alternative Delivery Channels and Technology Handbook, IFC, 2015

PART I: Overview of Risk Management Techniques
Risk can be described2 as the "effect of uncertainty on objectives". There are many definitions, approaches, and frameworks used across various businesses and industries, one of the key global standards being ISO 31000. The consequences of a change in circumstances or events may be positive or negative. This section of the handbook lays out the conceptual principles of a risk management framework, the risk assessment process, and the key components of developing a risk management framework for DFS.

Risk management begins with the mandate and commitment of the management and governance bodies of the institution, and is followed by the design of a framework, implementing risk management, monitoring and reviewing the framework, and, lastly, continuously improving the framework. Establishing an effective risk framework is an essential aspect of good corporate governance for all companies and should be a key priority for boards of directors and senior management. The implementation of a risk management framework requires a risk department appropriate for the size and complexity of the organization. Almost all financial institutions are required to have a head of risk management, with officers or departments responsible for different areas of risk.
For DFS, the area that is generally least developed is operational risk, and this requires the greatest attention. The teams involved in managing the DFS operations have the greatest awareness of what is required and what can go wrong, and should be included as early as possible in the planning process of a DFS risk strategy. This provides a very useful counterbalance to the business development teams, who often fail to anticipate the risks in the strategies that they are promoting, or see risk assessment as an impediment to progress.

2 ISO Guide 73 (risk management vocabulary), as used by ISO 31000

Figure 1: Framework for managing risk (based on ISO 31000)
Mandate and commitment
→ Design of framework: the organization and its context; risk management policy; embedding risk management
→ Implement risk management: implement the framework; implement the risk management process
→ Monitor and review the framework
→ Improve the framework (feeding back into its design)
Source: AIRMIC, Alarm, IRM: 2010

RISK MANAGEMENT FRAMEWORKS
All businesses are subject to a range of risks, some of which are anticipated but many of which are either unexpected or not effectively managed. Adopting a formal risk management framework can assist businesses in planning more effectively, in understanding why things have not gone according to plan and, ideally, in taking action before losses are incurred. The goal in having an effective risk management framework is to be proactive rather than reactive in managing the risks inherent in a business model.

Following the AIRMIC/Alarm/IRM (2010) structured approach to ISO 31000, there are seven Rs and four Ts of risk management frameworks:
• Recognition of risks: The brainstorming and identification of all types and subtypes of risk events that may occur and impact the DFS implementation.
• Ranking or evaluation of risks: The use of qualitative criteria based on probability and potential impact to rank risks from highest to lowest importance.
• Responding to significant risks: The development of risk strategies based on probability and potential impact:
»» Tolerate: For risks with low probability and low potential impact, the risk can be accepted or tolerated, as the cost of mitigating or eliminating it may be higher than its potential impact.
»» Treat: For risks with moderate probability and potential impact, treatment can be applied to mitigate the potential loss from events occurring.
»» Transfer: For risks with high probability and high potential impact, the risk can be transferred to a third party by outsourcing or by purchasing insurance. Transfer shifts the financial consequence, not the provider's accountability to its customers and regulator, so a transferred risk still has to be monitored.
»» Terminate: For risks with very high probability and potential impact, the risk can be terminated by discontinuing the DFS offering or by taking recourse such as sourcing new partners or vendors.
• Resourcing controls: The development of budgets to apply to risk responses.
• Reaction planning: The development of tactical risk responses.
• Reporting and monitoring risk performance: Periodic reporting on risk performance stating whether the risk has occurred and losses have happened; has occurred and been mitigated; or has not yet occurred.
• Reviewing the risk management framework: The process of reviewing and re-iterating the risk management framework periodically or when significant events occur.

Risk management frameworks are a comprehensive set of policies aimed at reducing the impact of risks associated with DFS. The framework is the culmination of all planning and assessment processes, and the risk register is its main body and working document. The methodology for developing a risk management framework can be found in Part III of this handbook.

RISK ASSESSMENT PROCESS
The development of a Risk Management Framework involves conducting a risk assessment process of identification, evaluation, and development of risk treatment strategies for risks associated with DFS.

Figure 2: Risk Assessment Process
Establish context → Risk assessment (risk identification → risk analysis → risk evaluation) → Risk treatment, with communication and consultation, and monitoring and review, running alongside every step.
Source: AIRMIC, Alarm, IRM: 2010

A risk management framework begins with establishing the context of risks; it should seek to identify and classify the risks involved (and ideally measure them); analyze and evaluate the risks; plan to minimize them; develop risk treatments; and monitor and review the results of risk treatment. The final output of a risk assessment is a risk management framework including a risk register. Also known as a risk matrix, the term risk register is used to describe the central database of identified risks, along with their descriptions, causes, effects, and policies, whether to tolerate, treat, transfer or terminate. Risk registers are central to a risk management framework as they capture all possible events and allow users to monitor, report, and reassess risks on an ongoing basis. Risk registers also allow providers to lay out all sub-levels of a risk and to create risk strategies so that if one level of an event occurs, there is a strategy to prevent it from progressing to the next level, such as malware that infiltrates a system but is stopped from gaining access to sensitive data.
Risk registers include:
• Risk category: Strategic, Regulatory, Operational, Technology, Financial, Political, Fraud, Agent Management, Reputational or Partnership Risk
• Risk name: Clearly defined name of the risk identified
• Description: Elaborated description of the risk
• Owner: Person responsible for monitoring the risk and implementing the risk treatment strategy
• Cause: The event that, if it occurred, would result in the risk being actualized
• Effect: The impact that the event would lead to if it occurred
• Risk strategy: Tolerate, Treat, Transfer or Terminate
• Risk treatment strategy: The strategy on how to mitigate or control the risk
• Treatment tactical response: The policy or procedure implications of the risk treatment strategy
• Key risk indicator: An indicator used for early warning that the adverse effects of the particular risk may occur
• Current status: Whether the risk event has not yet occurred; has occurred and been successfully treated; or has occurred and caused losses

Examples are given in the next section to illustrate this process. The risk register is a living document that is re-assessed and updated on a pre-defined periodic basis or on the occurrence of a major or unexpected event. It is used as the body of knowledge on risks for the institution and its DFS implementation. A template for a risk register can be found in the Tools section of this document.

PART II: Risk Definitions
The potential of DFS comes with inherent risks, as operations and client interactions are outsourced to agents who open accounts and conduct transactions on behalf of the provider. In recent history, a few notable fraud cases have affected the reputation and financial viability of some operations.
While fraud risk is the most notorious and best understood risk associated with DFS, there are many others that are not always incorporated in a provider's risk management framework although they can be as damaging. These include: strategic, regulatory, operational, technology, financial, political, agent management, reputational, and partnership risks. Each of these risk categories is described and explained in this section, including a substantial number of sub-categories. With each risk, appropriate risk mitigation strategies are also identified and explored. Case studies and practical examples provide a deeper understanding of the concepts. Each risk category also illustrates how a risk register could be used to document key elements such as risk identification, risk ownership, risk assessment, risk treatment, and risk indicators, as part of an organization's risk management strategy. A checklist asks the reader critical questions and challenges them to reflect on their own organizational risks.

Figure 3: Risk Categories and Interactions (diagram of the ten categories, Strategic, Regulatory, Operational, Technology, Financial, Political, Fraud, Agent Management, Reputational and Partnership Risk, and the interactions between them)

Risks do not fall strictly into one category. If a risk situation arises in one area it can often create a risk situation in another area, and all risks must be considered together. For example, poor strategic decisions regarding the service and the technology selection can lead to technology risk, which in turn leads to many other kinds of risk: operational and agent management risk if there are not appropriate back office systems, fraud risk if the expected fraud prevention features are not delivered, or reputational risk if the customer experience is poor. Therefore, a strategic need to reduce fraud risk may also lead to a need for risk prevention measures in operations, technology, agent management and so forth.

1. STRATEGIC RISK
Strategic risk is broadly defined as the actual losses that result from the pursuit of an unsuccessful business plan, or the potential losses resulting from missed opportunities. Examples include ineffective products, failure to respond to change in the business environment, or inadequate resource allocation.

As dependence on technology grows, providers become increasingly exposed to risk resulting from innovation and disruptive technologies in the market. Setting company strategy is generally the responsibility of the board, which should bring its experience of other companies and industries to bear in identifying the risks to the company's DFS strategy. Strategic risks include those related to branding, economic trends, reputation, business models, and competitive positions. Strategic risk is also related to technology, which requires a reputable, usable, scalable, and secure system to keep strategic risk to a minimum.

Providers need to have a deep understanding of the nature and breadth of the risks related to their business strategy and of their tolerance for the potential impact. To address strategic risk, providers must focus on gathering data and appreciating external perspectives from outside sources, including customers, bloggers, information trendsetters, competitors, and marketplace analysts. For many DFS offerings, the competition may be quite different from that of the core organization, and these new competitors must be identified and understood. Financial models can be used to build scenario analysis and stress testing to further understand the key drivers of profitability, such as volume, value, revenue, and costs.

What is your risk appetite and tolerance?

How to develop a risk register is outlined in Part III. Below is an example of a strategic risk in a risk register; it includes the category, description, owner, cause, effect, probability, impact, strategy, and Key Risk Indicators.

EXAMPLE: Risk Register 1
Strategic Risk – unrealistic business case
DFS Provider example: MNO that offers a mobile money wallet
Risk Category: Strategic Risk
Secondary Category: Reputational
Name: MNO mobile wallet fails to reach sustainability in the designated timeframe
Description: The DFS does not meet revenue and expense targets, resulting in negative net revenue and return on investment.
Owner: Head of Mobile Money
Cause: Poor product or channel design; misunderstanding of market demand and/or competition
Effect: Loss of investment
Probability: 2 out of 5. Fairly low probability based on market research and financial modeling
Impact: 3 out of 5. Medium impact, because operations will likely be given the opportunity to address the problems before the service is ceased
Risk Strategy: Treat
Treatment Strategy:
• Base assumptions on market research and industry benchmarks
• Iterate the financial model as implementation progresses
• Ensure targets are disseminated and aligned with KPIs
• Monitor performance and update the strategy as needed
Treatment Tactical Response:
• Determine the causes of under-performance (product design, market response) and create resolution plans
• Adjust the business case and targets to reflect the new phase of the product life cycle
Key Risk Indicators:
• Net revenue
• Active customers
• Transactions per customer
• Active agents
• Customers per agent
• Float interest rate
Current status: Has not occurred

Box 1: Strategic Risk Case Studies

A) Launching a poorly defined service: When the first mobile money service in Sub-Saharan Africa was launched it quickly gained enormous popularity, and was seen by the MNO service provider as a significant "churn-buster" that would protect its core telecoms business via increased customer acquisition and retention. As a result, many African MNOs were concerned about the strategic risk to their core business if they did not offer a similar service. This caused many MNOs to launch mobile money services without properly understanding the market, the customer proposition, the technical functionality needed, or the resources required to provide a successful service. The ironic result was that they were subjected to the consequences of a different strategic risk by entering a new market for which they were ill prepared, and were providing poor quality services. Symptoms of hurried implementation and poor execution of strategic decisions can be seen in the many unsuccessful services launched in the early days. The market exploded, with over 200 services launched or in development in the first five years and perhaps five percent achieving something close to resembling success. The situation is improving, but there are still many services that suffer as a direct result of these poor decisions, in the form of understaffing, insufficient budget to develop the business, and struggling with inappropriate technology.

B) Loss of core telecoms business: It is generally the case that in order to register for an MNO mobile money service, the customer has to subscribe to that MNO's telecoms business and use its SIM card. This provides obvious commercial benefits to the MNO in customer acquisition and retention, but also restricts the potential maximum size of the DFS to the size of the MNO client base, and if the core telecoms business declines, so too does the mobile money business. In the early days of mobile money, many MNOs considered the key benefit of DFS to be its potential to provide a point of difference that enhanced the attractiveness of their core telecoms business. Nowadays, most MNOs in Sub-Saharan Africa offer mobile money as part of their portfolio, so it no longer provides that differentiation unless it has some compelling benefit not offered by the competition. Tanzania has several successful MNOs, and competition in the telecoms space is fierce. Many customers have multiple SIM cards and use the one that offers the best deal at the time. All offer similar mobile money services and it is common for customers to register for multiple mobile money accounts3. There is therefore a real issue that when an MNO offers a sustained, attractive telecoms deal to customers, the DFS business also grows, whilst the competition's DFS suffers by default. In order to mitigate this risk, added value DFS are being introduced in many markets

ever touching that of the person making the deposit. This is against the terms of operation because there is no record of the sender's identity, which can infringe KYC regulations. Bypassing the P2P transaction can also have a serious negative impact on the business revenue model. The agent needs to be paid commission for providing the cash-in service, and this is typically financed, at least in part, by the P2P revenue. Further,

actively complicit in providing direct deposits, while others are unaware that it is happening. Efforts are being made to identify the offending agents by tracking whether a withdrawal happens soon after the deposit and in another location. There seems little rationale for cashing in and out in quick succession, and if the cash-out took place far from the cash-in, the transaction was probably a direct deposit.
Another approach including savings accounts, access to the sender need not even be a mobile is to track the location of the agent loans, and profit sharing on the funds subscriber. and the recipient of the deposit using held in accounts. cell ID; different locations again Direct deposits are therefore the suggest a direct deposit. Agents C) Growing “Direct Deposit” source of potential regulatory prone to high levels of direct deposits transactions: The standard process and financial risk, but arguably are cautioned, and withdrawn from for remitting funds via a wallet is the biggest impact is that they service if necessary. This detection that the customer deposits cash at undermine the DFS strategic role of process is time consuming and an agent, and then remits the funds supporting and protecting the core labor intensive, but currently the by performing a Person-to-Person telecoms business. Most MNOs are best means available to protect the transaction. Whilst the deposit is suffering from increasing levels of business from the risk from direct usually free, nearly all services exact direct deposits. Some agents are deposits. a charge for each P2P transfer. It is possible for customers to bypass the P2P transaction and avoid this charge at the point when they cash in by giving the agent the phone number of the recipient wallet instead of their STRATEGIC RISK – KEY QUESTIONS own. Funds are deposited directly How well is my strategy actually defined? • into the recipient account without • How broad are the risks that we are considering? Have we considered all internal and external factors? • What risk scenarios have we considered to test our plans? 3 In 2014, Tanzanian DFS users had on average 2 mobile money accounts http://www.gsma.com/ What is our risk appetite and tolerance? • mobilefordevelopment/wp-content/uploads/2014/03/ Tanzania-Enabling-Mobile-Money-Policies.pdf Have we mapped our risks to key performance indicators and value measures? 
2. Regulatory Risk

Regulatory risk refers to the risks associated with complying (or not complying) with regulatory guidelines and rules, such as anti-money laundering/combating the financing of terrorism, Know Your Customer, data privacy, transaction limits, trust accounts, and regulations regarding the use of agents. Regulatory risk also includes broader rules relating to the operation of a particular institution such as, for example, licensing, capital and liquidity. Non-compliance may be in areas that are not directly related to DFS but can have a significant impact on business operations, including fines, penalties, and even loss of license. Each country's central bank sets the requirements for mobile banking, mobile money, and agent banking within its jurisdiction.[4] These generally include policies that govern DFS, often a national payments act, financial inclusion act, or customer protection act. Central banks in each country decide if they will allow banks, MNOs, payment service providers, or a combination of these, to provide services through DFS. In addition to the types of institutions that will be allowed to offer services, central banks also dictate requirements on the following topics:

Key question: Have I identified potential areas for risk of non-compliance?

Customer Due Diligence: One of the key areas covered by DFS regulations is customer due diligence, including KYC, anti-money laundering, and combating the financing of terrorism. These regulations can also be major obstacles to developing and scaling digital financial services in emerging markets, for example hindering customers' ability to register for an account because of poor quality personal identification documents, insufficient proof of residence, or lack of biometric verification tools. Several central banks around the world have allowed for tiered KYC as a means of introducing proportionality into the risk management of mobile services. The risk of large amounts of money being funneled through mobile accounts for money laundering or financing of terrorism is likely to be limited, as most accounts are capped as low-value accounts, can be traced to mobile phone numbers with amounts and dates, require security PINs, and are continuously monitored. Tiered KYC takes a risk-based approach and extends proportional access to the account based on the level of KYC requirements met. Proportional limits are placed on the amount per transaction, account turnover per day, month or year, and on the maximum balance that can be held at any one time.

Agent Management: The use of agents to act on behalf of financial institutions is strictly governed by regulators in most markets. There may be business requirements for signing up agents, including whether they are registered or licensed, minimum capital requirements, or even restrictions on the type of business. Regulators also dictate the functions that can be performed at agents, for example whether they can open accounts or not, collect KYC data, conduct cash-in and cash-out transactions, or perform over-the-counter transactions. The regulator may include stipulations regarding the exclusivity of agents, for example mandating that agents cannot be exclusive to a single financial institution. Agent management regulations vary from country to country. In some countries, agent banking and e-money regulations are clearly established and include full requirements for the recruitment, approval, training, and on-going management of agents. In countries such as Tanzania, the regulator has to individually approve each agent that a bank or MFI recruits. In other markets, such as Madagascar, there are currently no regulations and the Central Bank has not given any formal indication of what is allowed or prohibited regarding the types of agents to be recruited, their business requirements, or what functions they are allowed to perform. In markets like these, regulatory risk becomes one of the primary risks to a DFS implementation, as institutions operate under completely unknown circumstances.

In addition to the regulatory risks associated with agents, there are several other types of risk that are detailed in the Agent Management Risk section of this document.

Deposit Insurance: Deposit insurance is insurance provided to depositors to protect their deposits in cases of financial institution insolvency. It is usually a mandatory part of the laws governing financial institutions, as the protection of customer deposits is key to deterring bank runs and maintaining a stable financial sector. Deposit insurance is not typically required by central banks for MNOs or payment providers, as they are not allowed to intermediate the funds and the wallet balances are 100 percent backed in trust accounts, usually held in third party financial institutions.

Privacy: As with all financial services, protection of customer data is paramount; the risk can be mitigated through IT system access control and encryption to protect against abuse of data by the provider's staff. Privacy regulations may be addressed through national privacy laws, telecommunication regulations, and/or financial services regulations. Data privacy is an increasing concern for institutions, as large, public data breaches have been well documented in the media, causing both financial and reputational losses. Lack of integrity around customer data can lead to lawsuits, as well as providing opportunities for identity theft and fraud.

Interoperability: Interoperability is defined as the ability for a user of one account or wallet from a provider to receive or send transfers to a user's account or wallet at another provider. Interoperability may also be described at the agent level, when a customer from one provider can transact at the agent of another provider. Most regulators have not mandated interoperability amongst domestic providers, but some have instead left the market to self-regulate interoperability. As markets mature, we may see more mandated interoperability as regulators aim to intensify competition in an attempt to increase customer options and reduce prices. In Sub-Saharan Africa, interoperable "account to account" domestic transfers are currently available[5] in Tanzania, Rwanda, and Madagascar.

Trust Accounts: All non-bank DFS providers, including MNOs and payment service providers, are approved by the regulators, either through licensing or 'no-objection letters', by a central bank, securities and exchange commission, or a communications regulator, with provisions for holding funds in one or many trust accounts. Funds are matched one-to-one between the e-money and the funds held in the bank, and the providers are not permitted to intermediate the funds the way a regulated financial institution would. The purpose is to ensure that customer funds are protected and readily available upon request. These funds are ring-fenced and providers are unable to use them to pay for operational expenses or to pay creditors. Depending on the regulation, interest earned on the trust account may have to be paid to the customer or may be used as revenue for the provider.

Minimum Capital Requirements: For banks, minimum capital requirements are a normal part of regulatory requirements for licensing. In some markets, regulators also require them for MNOs and PSPs. In addition to requirements for MNOs and PSPs to hold funds in trust accounts, regulators may also impose minimum capital requirements in order to insure creditors against insolvency risk and to ensure that the institution has enough capital to see through the operational costs of start-up.

[4] In a few markets these regulations are still in development and not yet implemented.
[5] GSMA report: State of the Industry 2015.

EXAMPLE Risk Register 2
Regulatory Risk – inadequate customer registration
DFS Provider example: MNO that offers a mobile money wallet
Risk Category: Regulatory Risk
Secondary Category: Agent Management Risk
Name: Agent does not adequately register customer with full KYC procedure
Description: Agents may not fully comply with KYC requirements, as commissions are designed to incentivize account opening and performing transactions, not regulatory diligence.
Owner: Head of Compliance
Cause: Poor product or channel design, poor agent training
Effect: Increased expenses to follow up and collect KYC data, or account closure if the customers cannot be adequately registered
Probability: 3 out of 5. Medium probability; training is good, but this is a common issue
Impact: 1 out of 5. Very low impact, as regulators are likely to give warnings before violations are punished
Risk Strategy: Treat
Treatment Strategy:
• Agent education
• Align agent incentives to fully registered accounts only
• Redesign business processes to be more efficient in managing any documentation
• Where regulations allow, open accounts at lower KYC levels until full information can be collected
• Mystery shopping
• Penalties for non-compliance
Treatment Tactical Response:
• Additional agent training
• Invoke penalties against agents and/or agent management officers
Key Risk Indicators:
• Percentage of customers with incomplete registrations
• Percentage of customers with rejected registrations
Current status: Occurred and mitigated

Box 2 Regulatory Risk Case Studies

The most common regulatory risks are caused by the two extremes of "no regulation" and "over-regulation", both of which can lead to wasted investment and lost revenue.

In markets where there is little or no clear oversight of DFS, there is uncertainty about what the regulator requires or what regulations may be imposed at a later date. For example, a major MNO decided to launch its successful African mobile money service in a large South Asian market, targeting a 2008 launch. Legal opinion was that in the absence of specific regulation, a suitable framework could be constructed to adhere to more general payments regulation. A substantial amount of money was invested in tailoring the existing technology to the specific needs of the market, and a large team was recruited and trained to manage local operations. Just two months before the planned launch in the first state, the regulator issued new guidelines to existing regulation that effectively prohibited the launch. Despite intense negotiations, the launch was delayed and eventually cancelled, and the team disbanded. Three years later the regulation had again been modified and the service was eventually launched. The cost to the MNO of the delay, both direct and as lost revenue, has not been disclosed.

In one African market, the central bank decided that it would impose certain regulatory constraints on any mobile money deployment, with the intention of ensuring that there would be full interoperability between services from the start, and that the potential risks and rewards associated with each service would be shared between several local banks. Unfortunately, the regulator was unfamiliar with the state of the technology in this nascent market and had assumed that it had a range of functionality and capabilities that was not going to be commonly available for several years. In addition, the business case for these services relied upon a "closed-loop" environment with just one revenue earner. As a result, what was expected to be one of the leading DFS markets has struggled to gain traction and had poor uptake for several years, until the regulation was modified to account for market realities.

REGULATORY RISK – KEY QUESTIONS
• Do I fully understand all the regulatory requirements and implications applicable to my institution, my agents and my customers?
• Am I in full compliance with these regulations?
• Have I identified potential areas for risk of non-compliance?
• Do I have assurance that processes are adequate to ensure ongoing compliance?
• Have I established a positive and productive relationship with my regulator?
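The proportional limits that tiered KYC places on a wallet (per transaction, turnover per day, month and year, and maximum balance, as described under Customer Due Diligence above) are enforced as a check run before each transaction is posted. The block below is an added example written for this page, not the handbook's own code nor any regulator's or provider's rules; the two tier names, every limit value and the sample transaction history are assumptions made for illustration.

```python
"""Tiered-KYC limit enforcement for a mobile wallet.

Added example, not code from the handbook or from any provider. The tier
names and every limit value below are assumptions made for illustration;
the real figures are set by each regulator.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class TierLimits:
    per_txn: int        # maximum amount of a single transaction
    per_day: int        # maximum turnover (debits plus credits) per calendar day
    per_month: int      # maximum turnover per calendar month
    per_year: int       # maximum turnover per calendar year
    max_balance: int    # maximum balance the wallet may hold at any time


# Hypothetical tiers in local currency units (assumed values).
TIERS = {
    "tier1_basic": TierLimits(50_000, 100_000, 500_000, 3_000_000, 200_000),
    "tier2_full": TierLimits(1_000_000, 3_000_000, 10_000_000, 50_000_000, 5_000_000),
}

# A history entry is (timestamp, amount). Only completed transactions are
# stored, so rejected attempts never count toward turnover.
History = List[Tuple[datetime, int]]

# Constructed sample data for one tier-1 wallet (not real figures).
NOW = datetime(2015, 3, 10, 14, 0)
SAMPLE_BALANCE = 195_000
SAMPLE_HISTORY: History = [
    (datetime(2015, 3, 2, 9, 0), 230_000),    # earlier this month
    (datetime(2015, 3, 4, 9, 0), 230_000),    # earlier this month
    (datetime(2015, 3, 10, 9, 30), 30_000),   # earlier today
]
TODAY_HEAVY: History = [(datetime(2015, 3, 10, 9, 30), 90_000)]


def turnover(history: History, when: datetime, same_window: Callable) -> int:
    """Sum of completed transaction amounts in the same window as `when`."""
    return sum(amount for ts, amount in history if same_window(ts, when))


def check_transaction(tier: str, balance: int, history: History,
                      amount: int, when: datetime, direction: str):
    """Decide whether a wallet at `tier` may perform `amount` at `when`.

    direction is "credit" (deposit or receipt) or "debit" (send or withdraw).
    Returns (allowed, reason). Checks run in order: per-transaction cap,
    then daily, monthly and yearly turnover, then the balance constraints.
    """
    lim = TIERS[tier]
    if amount <= 0:
        return False, "amount must be positive"
    if amount > lim.per_txn:
        return False, f"exceeds per-transaction limit of {lim.per_txn}"
    windows = [
        ("daily", lim.per_day, lambda a, b: a.date() == b.date()),
        ("monthly", lim.per_month, lambda a, b: (a.year, a.month) == (b.year, b.month)),
        ("yearly", lim.per_year, lambda a, b: a.year == b.year),
    ]
    for name, cap, same in windows:
        if turnover(history, when, same) + amount > cap:
            return False, f"exceeds {name} turnover limit of {cap}"
    if direction == "credit" and balance + amount > lim.max_balance:
        return False, f"would exceed maximum balance of {lim.max_balance}"
    if direction == "debit" and amount > balance:
        return False, "insufficient balance"
    return True, "ok"


def apply_transaction(tier, balance, history, amount, when, direction):
    """Check and, if allowed, record the transaction.

    Returns (allowed, reason, new_balance); history is appended in place.
    """
    allowed, reason = check_transaction(tier, balance, history, amount, when, direction)
    if not allowed:
        return False, reason, balance
    history.append((when, amount))
    new_balance = balance + amount if direction == "credit" else balance - amount
    return True, reason, new_balance


if __name__ == "__main__":
    for amt, direction in [(60_000, "debit"), (45_000, "debit"), (10_000, "credit"), (10_000, "debit")]:
        print(amt, direction, check_transaction("tier1_basic", SAMPLE_BALANCE, SAMPLE_HISTORY, amt, NOW, direction))
    print("tier2", check_transaction("tier2_full", SAMPLE_BALANCE, SAMPLE_HISTORY, 45_000, NOW, "debit"))
```

The check and the posting are kept in one function so that a limit cannot be bypassed by a caller that forgets the check, and the reason string gives the agent or customer a precise message; in production the history lookup would be a query against the transaction store for the relevant window rather than a scan of a list.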
3. Operational Risk

Operational risk is inherent in any business and refers to risks associated with products, business practices, damage to physical assets, as well as the execution, delivery and process management of the service. In practice this refers to the large and diverse range of activities needed to administer the business. For the most part, operational risks are internal to the organization and can therefore be carefully managed. In terms of DFS, the critical new area of operation is the day-to-day business of supporting the channel. This can include functions touching every part of the business, such as:
• Sales operations: including agent recruitment, training, and on-going agent management
• Customer service operations: providing assistance to external users of the service (customers, agents, and others) and escalating issues that they cannot resolve
• Back office operations: such as creating and editing agent and other business accounts, trouble-shooting issues, and testing any changes to the service (usually minor operational updates)
• Finance operations: including creation of e-money and ensuring that the bank and e-money (control) accounts match, and providing business reports
• Technical operations: providing the hosting environment and support for the technology.

Key question: Is there an operations manual that details all business processes?

Business Processes: The key to efficient operations that minimize risk is to have high quality, efficient and effective business processes. Business processes should always add value to customers and mitigate risks. While many institutions blame technology or governance as the cause of fraud, many cases of major internal DFS fraud can be traced back to inadequate (or non-existent) business processes that allowed fraudsters to abuse the service. See page 48 for a full description of potential fraud risks. Every operational process that is performed on a regular basis should be documented, describing what needs to be done, how to do it, and who is responsible for doing it. Business processes should also cater for exceptions, specifying what to do if something goes wrong at any point in the process and the standard path cannot be followed. Internal audits are used to ensure that business processes are adhered to by staff.

Business processes need to be reviewed and updated regularly to ensure that they are still relevant. This is particularly important in the early part of the service lifecycle. Within a few weeks of launching a service, the gap between expectation and reality for many procedures becomes obvious. It is recommended that draft business processes created prior to launch are reviewed and finalized three to four months after launch, when the operations team has experience of real-life operations. Thereafter, they should ideally be reviewed annually. If new functionality is introduced, for example involving a new partner such as bank-to-wallet transfers, new business processes will be required to manage the new activities.

Suitable technology can be used to prevent the occurrence of many risk events, but ultimately, particularly as the technology for many DFS is not yet fully mature, the best protection from operational risk is well constructed business processes that are properly followed and updated, and which are regularly reviewed during internal audits to ensure compliance.

Internal Control: Internal control procedures are used to protect against fraud, disruptions, reputational risk, and credit risk by ensuring adherence to business processes. The internal control department conducts operational audits on the organization and its agents to ensure that correct procedures are being used in terms of transactions, account opening, KYC, and branding standards. The internal control department tests the effectiveness of such procedures and standards and makes suggestions and revisions to policies and procedures based on a continuous feedback and learning loop.

Internal Audit: Internal audits provide assurance and checking of processes and controls. The internal audit department is responsible for ensuring that financial reporting is accurate and reflective of the real state of financial affairs of the institution; that business risks are assessed and mitigated; and that controls are effective. Internal audit may conduct monthly financial audits of the institution, high risk functions and processes, as well as operational spot audits of branches and agents, ensuring proper liquidity management and recording of transactions, and detecting agent fraud and other misdemeanors.

Segregation of Duties: Segregation of duties is a procedural methodology that ensures there are adequate checks and balances in place to protect against conflicts of interest and control breakdowns. An example of segregation of duties is the accounting principle (sometimes known as "maker, checker and approver") whereby the person carrying out a transaction or process is separated from the one recording or reviewing the activity and the one approving the activity, in order to minimize errors and opportunities for fraud and mismanagement of funds.

IT systems can be set up so that there is role-based access depending on the requirements for each job function. An example of role-based access is to enforce segregation of duties so that an operator can only access those functions required to perform his or her job. For example, customer care does not need access to the financial section where e-money is created; finance does not need access to the sales section where agent accounts are created; junior team members may have access to maker tasks, but not to checker tasks; and so on.

External Reporting: Large funders, donors, and shareholders, such as parent institutions, may require additional reporting in order to monitor performance, minimize the risk to their investments, and ensure early detection of problems, either operational or financial. Reporting is usually conducted quarterly for financial reporting and semi-annually for qualitative reporting on progress, challenges and lessons learned.

External (Financial) Audit: Most institutions, especially regulated or public institutions, are required to have external audits conducted at least once per year. An external audit is mostly focused on the financial reporting of the institution and on ensuring accurate posting of transactions as well as adequate depreciation and valuation of the institution's assets. It may also include further checks on controls, particularly for high risk activities and processes.

Damage to Physical Assets: Damage to physical assets can result from normal wear and tear, natural disasters, acts of terrorism, or vandalism. Risks may be magnified in DFS, as physical assets are held in trust by outside parties such as agents and may be in geographic locations where the institution does not make regular in-person visits. It is important that potential damage to physical assets is included as part of business continuity plans and disaster recovery plans. Potential mitigation strategies can include property insurance, back-up systems, and off-site data storage.

Execution, Delivery and Process Management: Operational risk derived from operator error in execution, delivery and process management includes risks such as data entry errors, accounting errors, lack of mandatory reporting and negligent loss of client assets. It is closely linked to technology risk and is more prevalent in DFS due to the outsourcing of transactions to agents. In some regions, regulators are now implementing new guidelines to reduce this risk and protect customer funds. Mitigation of operator error risk can include "segregation of duties" between the person conducting the transaction or other activity, the person recording or reviewing it, and the person approving it; role-based access to systems; agent and staff training; monitoring; holding transactions in suspense accounts; and monitoring suspicious transactions to flag frequent errors in the transaction sequence, or specific agents or staff that make errors frequently. Data analytics, dashboards, and algorithms can be powerful tools in mitigating operator errors if they are followed up by resolution, training, or policy enhancement that reduces the risk of continued errors.

Reconciliation and Account Variances: The risk that the actual value in trust accounts is different from the amount reflected in the e-money system, as well as the risk that off-net transactions (e.g. ATM withdrawals and bill payments) are not reconciled with internal accounts. Some variance may always occur, but high levels of variance, or those that are irreconcilable, may lead to financial losses.

EXAMPLE Risk Register 3
Operational Risk – insufficient manuals
DFS Provider example: Either an agent banking service OR an MNO that offers a mobile money wallet
Risk Category: Operational Risk
Secondary Category: Regulatory Risk
Name: Lack of operational manuals and business processes
Description: Back office inefficiency because the operating manuals are incomplete, lacking the exception processes for when things do not go according to plan.
Owner: Head of DFS Cause: Poor planning and implementation of operational procedures to support DFS Effect: Could lead to mismanagement of systems, customer accounts or funds resulting in compliance violations or loss of funds Probability: 2 out of 5 Moderately low, based on knowledge of risk and development of tools, however, still a risk that not all scenarios are covered Impact: 3 out of 5 Moderate impact, based on leading to reputational and financial losses, but not sufficient to cease operations Risk Strategy: Treat Treatment Strategy: • Review operating manual against list of procedures being undertaken. Add any missing procedures, update existing procedures as required and add the exception use cases to all. Ensure that relevant departments sign off each process • Create process checklists and ensure all processes have been documented and are regularly reviewed and updated if required • Make business process maintenance a key deliverable of the operations team. Treatment Tactical • Identify missing exception procedures. 
Convene a team to determine what they should be and which functions are responsible for them Response: • Document these process exceptions • Train staff on implementation Key Risk Indicator: • Productivity of back office team measured by »» numbers of suspense transaction resolved »» or number of days transaction stay in suspense accounts »» or time taken to resolve disputes • Transaction exceptions with “in progress” status • Call center issues resolution rate Current status: Has not occurred 30 DIGITAL FINANCIAL SERVICES RISK MANAGEMENT Box 3 Operational Risk Case Studies Following the success of mobile of their disappointment with the either no formal business processes money in East Africa, as mentioned technology they initially bought and or incomplete procedures that have earlier, many MNOs decided that its inability to perform the necessary not been updated since they were they needed to have their own operations (despite often an inability written, and are rarely used. When mobile money service as soon as to articulate what was expected asked for their operational business possible. Typically, little thought was from the technology when it was processes, they simply produce given to the technical or operational purchased). training manuals for operating the requirements when they were Technology should reinforce, not technology. For example, a simple looking for a mobile money system replace, strong business processes business process for on-boarding and they relied upon the technology that specify how a service should new agents could be represented6 by vendor to understand what was be operated. It is unfortunately still the diagram below: required. 
As this was a new type common for DFS providers to have Figure 4: Business processes cover the end-to-end task, not just instructions for operating the DFS system of service, there were no off-the- shelf technical solutions, but many vendors, mainly software providers START END with successful money transfer or YES Sales gets airtime transfer systems, were keen application form Send paperwork Contact agent SUCCESS? NO Inform agent of status and next and documents to sales admin to resolve to fill the gap. Most of them had from agent steps gained a good understanding of the SALES user experience of both customers NO Forward to Sales Create agent and agents but had no access to or Check all compliance admin on system Arrange documents SUCCESS? YES agent comprehension of the back office received team for vetting informed of issue Allocate POS training items system and the tasks that mobile SALES ADMIN money operators had to perform. As NO a result, many early systems looked Vetting good from a user perspective but did checks sub- SUCCESS? YES process not provide the functionality or the COMPLIANCE reports needed to operate the services efficiently. The DFS industry is 6 This example is for illustrative purposes and is not a comprehensive description of the full business process littered with service provider stories described. DIGITAL FINANCIAL SERVICES RISK MANAGEMENT 31 02_DEFINITIONS The diagram describes all of the tasks that number did not set up the DFS account number as a reference. needed to on-board the agent, of account, they do not know the PIN The account numbers shown on which entering his or her details into code and cannot use that account; utility bills all had a space in the the DFS system (highlighted in red) nor can they register a new DFS middle of them, but in the electricity is only one part. In the absence of account against that number. 
documented processes, it is easy for operators to forget some steps in the process, particularly the "exceptions" where things go wrong, for example if the agent fails some vetting checks, or if full documentation is not received. This can result in potentially good agent applications suffering delays, or inappropriate retailers being accepted as agents.

In the absence of comprehensive business processes, some essential operational tasks can be overlooked. The missing processes are often "exceptions" when things do not go according to plan. A good example is SIM recycling. Because there is a limited range of phone numbers that can be used by any MNO, if a number is not used for an extended period, typically six months, the SIM card with that number is disconnected and the number is recycled and used with a new SIM card. If there is no process to detach the DFS account from that phone number, then the new SIM card already has a live DFS account associated with its phone number, and therefore so does the new owner of the number. MNOs recycle many thousands of numbers every month, but because this is an issue that only becomes apparent long after the DFS launch, processes to detach DFS accounts from recycled numbers are often overlooked.

In addition, the operations team needs to be able to respond quickly to new, unforeseen problems. For example, there was a major issue when bill payments were first introduced in one market: during the bill payment, customers were asked to enter their utility company reference, and customers who included the space that appeared on their bills when they paid had the money deducted from their wallet, but the reference could not be recognized by the utility system because there was no such space in that system. Their accounts were marked as overdue, and many were cut off. The DFS operations team had to quickly find a way to identify customer accounts with this problem, reverse the payment to return the money to customers' wallets, and then contact each customer and explain how to make the payment successfully.

OPERATIONAL RISK – KEY QUESTIONS
• Do you have an independent board and internal audit department?
• Is there an operations manual that details all business processes and that is regularly reviewed and updated?
• Are critical business processes identified and relevant controls assessed?
• Is there adequate segregation of duties?
• Is there a daily reconciliation process between the bank and e-money accounts to minimize errors and detect fraud?
• Are there regular, rigorous and adequate internal and independent external audits?

4. Technology Risk

Am I able to measure the service level from an end-user perspective?

Technology risk has several implications for providers. When transactions cannot be conducted, both agents and customers can lose confidence in the product if they cannot access their funds. This can create reputational risk and financial losses as customers and agents become inactive and competitive pressure provides them with alternative choices. Technology failure also leaves opportunities for fraudsters to take advantage of system inadequacies to conduct unauthorized transactions, resulting in theft of funds. See the Fraud Risk section below for full descriptions of the types of fraud that could take place.

Technology risk refers to technology failure that leads to the inability to transact. It is closely linked to operational risk. Transactions within a DFS travel through several communications systems and devices in order to initiate the transaction, transfer funds, and communicate confirmations to clients. The process may be exposed to breakdowns from a number of sources (e.g. hacking, power failure, system faults), and any break in this chain leads to an inability to complete a transaction. If technology failure is persistent and severe, the regulator may step in and impose penalties or revoke the license, or customers may abandon the service.
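One break in this chain deserves particular attention because it turns an availability problem into an integrity problem: when the confirmation at the end of the chain is lost, the client or the network resends the request (the Transaction Replay paragraph later in this section describes this), and a platform that cannot recognize the repeat debits the wallet again. The following is an added example, not code from the handbook or from any provider it describes, showing the standard control: the client attaches a unique idempotency key to each intended transfer, and the platform replays its original answer for a repeated key instead of posting a second debit. It also shows the failure without the control, and rejects a key that is reused with a different payload. The Ledger, TransferRequest, wallet names, amounts and the in-memory key store are all constructed for illustration; a real deployment keeps the key store durable and shared across platform nodes.

```python
"""Idempotent transfer processing for a DFS wallet ledger.

Added example for this section; not code from the handbook or from any
provider it describes. Ledger, TransferRequest, wallet names and amounts
are constructed for illustration. Amounts are integers in minor units.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class TransferRequest:
    idempotency_key: str  # assumed: chosen once by the client per intended transfer
    src: str
    dst: str
    amount: int           # minor units (e.g. cents); money is never a float

    def fingerprint(self) -> str:
        # Bind the key to the payload: a reused key with a different amount or
        # destination must be rejected, not silently answered as a replay.
        return hashlib.sha256(f"{self.src}|{self.dst}|{self.amount}".encode()).hexdigest()


@dataclass
class Ledger:
    balances: Dict[str, int]
    # idempotency_key -> (payload fingerprint, response returned the first time).
    # In-memory here; in production this store must be durable and shared by all nodes.
    seen: Dict[str, Tuple[str, dict]] = field(default_factory=dict)
    tx_counter: int = 0

    def transfer(self, req: TransferRequest) -> dict:
        """Apply a transfer at most once per idempotency key."""
        prior = self.seen.get(req.idempotency_key)
        if prior is not None:
            fingerprint, response = prior
            if fingerprint != req.fingerprint():
                # Same key, different instruction: a client bug or tampering.
                return {"status": "REJECTED", "reason": "key_reused_with_different_payload"}
            # Genuine replay (client retry or network duplicate): repeat the
            # original answer without touching the balances again.
            return dict(response, replayed=True)

        if req.amount <= 0:
            response = {"status": "DECLINED", "reason": "invalid_amount"}
        elif self.balances.get(req.src, 0) < req.amount:
            response = {"status": "DECLINED", "reason": "insufficient_funds"}
        else:
            self.tx_counter += 1
            self.balances[req.src] -= req.amount
            self.balances[req.dst] = self.balances.get(req.dst, 0) + req.amount
            response = {"status": "OK", "tx_id": f"TX{self.tx_counter:06d}"}
        # Record the outcome before replying, so a confirmation lost in transit
        # still leaves the platform able to answer the retry consistently.
        self.seen[req.idempotency_key] = (req.fingerprint(), response)
        return response


def naive_transfer(balances: Dict[str, int], req: TransferRequest) -> dict:
    """The same transfer with no idempotency check: every retry is a new debit."""
    if balances.get(req.src, 0) < req.amount:
        return {"status": "DECLINED", "reason": "insufficient_funds"}
    balances[req.src] -= req.amount
    balances[req.dst] = balances.get(req.dst, 0) + req.amount
    return {"status": "OK"}


def retry_until_confirmed(send: Callable[[TransferRequest], dict], req: TransferRequest,
                          lost_confirmations: int, max_attempts: int = 5) -> int:
    """Model a client whose first `lost_confirmations` replies never arrive even
    though the platform processed each request, so it resends. Returns how many
    requests the platform actually received."""
    received = 0
    for attempt in range(max_attempts):
        send(req)
        received += 1
        if attempt >= lost_confirmations:  # this reply gets through
            break
    return received


def demo() -> dict:
    req = TransferRequest("c1f3-0001", "wallet_A", "wallet_B", 2_500)

    # No idempotency: two lost confirmations turn one transfer into three debits.
    naive_balances = {"wallet_A": 10_000, "wallet_B": 0}
    naive_received = retry_until_confirmed(lambda r: naive_transfer(naive_balances, r), req, 2)

    # With idempotency: the same three requests debit wallet_A exactly once.
    ledger = Ledger({"wallet_A": 10_000, "wallet_B": 0})
    safe_received = retry_until_confirmed(ledger.transfer, req, 2)

    # Reusing an accepted key for a different amount is refused, not replayed.
    tampered = ledger.transfer(TransferRequest("c1f3-0001", "wallet_A", "wallet_B", 9_000))

    return {
        "naive_received": naive_received, "naive_A": naive_balances["wallet_A"],
        "safe_received": safe_received, "safe_A": ledger.balances["wallet_A"],
        "safe_B": ledger.balances["wallet_B"], "tampered_status": tampered["status"],
    }
```

Running `demo()` returns three requests received in both cases, but wallet_A ends at 2,500 under `naive_transfer` and at 7,500 under `Ledger.transfer`, with the tampered reuse rejected. Two design points matter in practice: the outcome is stored before the reply is sent, so a reply lost on the SMS or USSD leg does not leave the platform unable to answer the retry, and keys must be retained for at least as long as clients and the network may keep retrying.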
Figure 5: As DFS systems become more connected, the number of potential points of failure increases. The diagram shows the systems a transaction may traverse: end-user customers, agents and merchants; the MNO system (USSD gateway, SMSC, data/internet gateway, IVR (voice), prepaid billing, postpaid billing); the DFS system (transaction platform, management, governance, security, databases, reporting system); bank systems (accounts, tellers, ATMs); payment gateways, payment switches and other DFS; and merchants, billers and utilities with their enterprise applications.

When determining the service levels provided by the technology, most technical departments focus on the quality and availability of the technology for which they are responsible. For complex multi-component DFS, this can lead to a silo mentality where each team tries to pass blame for a system failure to another partner. It is therefore important to have clear and agreed fault diagnosis, resolution, and escalation processes in place. Another potential risk in the division of responsibility is that each technical team measures the quality of service of its part of the system only, and it can be difficult to get a complete picture of the end-user experience. When entering into partner agreements to provide DFS, it is essential to determine in advance technology KPIs such as transactions per second or system uptime and to ensure that these can be measured end to end, not only within each party's own component.

Software Failure: Inherent in any technical system is the potential for software issues. There are many potential causes of software failure, such as bugs, changes to seemingly unrelated systems both in-house and in partner systems, and poor update and maintenance procedures. If systems are not adequately maintained and available, so that customers, merchants, and agents are unable to access their funds and transact when needed, it may result in a loss of business for the DFS provider and significant reputational damage. It is not realistic to imagine that any system can provide 100 percent availability, but service outages can be minimized by employing rigorous good practices.

Identification of potential software failures begins with identification of all systems involved in each type of transaction. There are several different systems and types of software that may be involved in a DFS implementation, including core banking systems, payment systems, switches, agent management systems, POS/ATM applications, mobile applications, biometric systems, and client relationship management software. Once identified, a risk analysis can be conducted to understand the potential vulnerabilities of the institution's own systems and their interactions with other systems. As far as possible, providers should also understand the pressure points in their partners' systems to ensure that partners can fully provide the required service levels. At each layer, providers should have a consistent plan for training, testing, and maintenance of the software, with proactive measures to prevent and detect any potential issues that could affect service. In addition, providers must ensure that they have a clear service level agreement with their service providers and technology vendors that details not only response and resolution times for issues, but also confirms the roles and responsibilities of each party.

Typically, for business critical systems, the DFS provider should specify system availability and other KPIs to ensure quality of service and then work to enforce these standards with all parties involved in the channel. System performance is strongly influenced by the scale of operations, and a commonly used KPI is the number of transactions per second that can be handled. As the business grows, it is important that there are regular meetings between technical and commercial teams to ensure that there is sufficient capacity planning to cope with growth and to support any marketing campaigns that could cause a demand spike.

Hardware Failure: Hardware failure is the inability to transact due to failure of physical devices including ATMs, POS devices, and mobile handsets, as well as back-office servers and networking components. Additionally, some channels may be dependent on peripheral devices such as biometric readers, printers or card readers. Clearly the biggest risk lies with the servers that host the DFS applications. Providers need to ensure that they have a solid business continuity plan in place. This should include backup servers that can easily be utilized in case of failure, ideally through a "mirrored" service that ensures that the live servers are replicated in real time so that in case of failure the backup will be immediately available. Power outages can be an issue in many emerging markets, so reserve power supplies are needed. These may be generators in large establishments like the provider's offices, or as simple as solar chargers for the POS devices. In addition, there is a need for disaster recovery systems that can be brought online at short notice in case of a catastrophic failure of the main servers, such as fire, flood, or a terrorist attack. Many countries have regulation dictating the minimum distance between the main site and that of the disaster recovery system, and the maximum duration of the switch-over before the service is once again available.

Unavoidable "wear and tear" necessitates regular maintenance and updating of hardware. Many companies now operate systems in the cloud and assume that this ensures a constantly maintained and updated, distributed system in which capacity increases and disaster recovery is guaranteed. These assumptions need to be clarified in the hosting contract and regularly reconfirmed. However, using the cloud presents other potential risks. Cloud based services rely on high quality internet links, and the provider should use a minimum of two independent internet services in country, with sufficient capacity and availability, on different internet routing. Another risk of cloud services is security; cloud-based servers make the DFS provider dependent on the cloud provider to ensure that suitable security measures are in place, and the DFS provider may need to perform an audit of the hosting sites and protocols to confirm that this is indeed the case.

Agent hardware may be supplied directly by the DFS provider, or may be procured independently by the agent. Devices are not typically covered by service level agreements, but rather by manufacturer warranties. When selecting agent devices, there should be legal agreements concerning device maintenance, repair and replacement, including liabilities, timings and costs, as well as expected normal failure rates for the devices. It is important to note that hardware failure may be caused by failure of the device itself, or by failure of its connection to the back-end software, and the provider must be able to quickly diagnose the root cause of a hardware failure in order to know which type of solution to apply to maintain service.

Network Connectivity Failure: Hardware failure also includes connectivity issues, which continue to be a major challenge in developing markets, particularly in rural areas. Intermittent coverage, insufficient availability, and network downtime inhibit transactions and can result in a loss of business. Connectivity starts with the internal networks of the provider and extends to the communication infrastructure that connects to third parties involved in the channel offering and to the client.

If networks are down, the user will not be able to initiate a transaction. If this is a persistent issue, it will lead to reputational risk as it affects the customer experience when customers wait for long periods of time for networks to come back online. Since voice and SMS channels are relatively more stable and have wider availability than data networks, many providers choose to use those channels instead of data. In one example, an MFI procured POS devices with dual SIMs so that its agents could switch between them when one operator was down.

Transaction Delays: Transaction delays may be caused by the technology having insufficient capacity to deal with demand, causing queues in the system. There are multiple interconnected systems involved in DFS and a breakdown at any point in the chain could delay the transaction, often leaving the customer and agent unaware of whether the transaction has completed or not. This can include delays in receipt of a confirmation SMS on the customer's device. Transaction queues can also have more significant consequences, such as the system failing to process transactions or leaving them hanging indefinitely.

Transaction Replay: Mobile operators use "transaction retry" patterns, which automatically resend transaction requests if an immediate confirmation is not received. These replays carry the risk of the user initiating duplicate transaction requests because they do not realize that the transaction was successful the first time around until after they have already made several attempts. There is also the risk that the network creates multiple messages based on a single message from the user. The control is for the DFS platform to treat a repeated request carrying the same transaction reference as the same transaction, returning the original result rather than debiting the wallet again.

Loss of Data: Data protection should be included in the provider's business continuity plans to ensure that customer data is not lost or compromised through theft, loss, neglect or insecure practices. Customer data should be stored off-site with backups.

Cyber Attacks: Cyber-attacks are security threats to the integrity of a provider's client and transactional data, as well as potential attacks of corporate espionage in order to gain access to internal process and technological strategies through hacking or malware. Financial services was the second most attacked sector in 2015 [7], after healthcare. The introduction of DFS provides potential hackers additional access points through which to attack systems and data, and can create new risks.

A variety of factors are driving exposure to cybersecurity threats. The interplay between advances in technology, changes in business models, and changes in how firms and their customers use technology creates vulnerabilities in information technology systems. For example, web-based activities can create opportunities for attackers to disrupt or gain access to corporate and customer information. Similarly, employees and customers are using mobile devices to access information from financial institutions, which creates a variety of new avenues for attack. The landscape of threat actors includes cybercriminals whose objective may be to steal money or information for commercial gain, nation states that may acquire information to advance national objectives, and hacktivists whose objectives may be to disrupt and embarrass an entity. Attackers, and the tools available to them, are increasingly sophisticated. Insiders, too, can pose significant threats.

Cyber-attacks are often carried out in four stages: infiltration, where the attacker gains first access; propagation, where the attacker expands access through back doors or harvested passwords; aggregation, where the attacker collects records and data; and exfiltration, when the data is exported. Most defense is focused on the infiltration stage, but since attackers are often most skilled in this area, successful defense should address all stages. To manage the risk of cyber-attacks, providers can work with auditors to develop threat models in which breach points are mapped and mitigation strategies developed. In addition, providers can protect themselves by using cloud services, which may be run to a higher security standard than in-house hosting provided the DFS provider verifies this as described under Hardware Failure above, or by purchasing cyber-attack insurance to protect against financial and data losses or legal expenses.

Institutions should build their cyber capabilities keeping the following points in mind:
• A sound governance framework with strong leadership is essential. Board- and senior-level engagement on cybersecurity issues is critical to the success of cybersecurity programs.
• Risk assessments serve as foundational tools for institutions to understand the cybersecurity risks they face across the range of the firm's activities and assets, no matter what the firm's size or business model.
• Technical controls, a central component in a firm's cybersecurity program, are highly contingent on individual situations.
• Institutions should develop, implement, and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification, and customer communication.
• Institutions typically use vendors for services that provide the vendor with access to sensitive firm or client information or access to firm systems. They should manage cybersecurity risk exposures that arise from these relationships by exercising strong due diligence across the lifecycle of vendor relationships.
• Well-trained staff represent an important defense against cyber-attacks. Even well-intentioned staff can become inadvertent vectors for successful cyber-attacks, for example through the unintentional downloading of malware. Effective training helps reduce the likelihood that such attacks will be successful.
• Institutions should take advantage of intelligence-sharing opportunities to protect themselves from cyber threats. There are significant opportunities to engage in collaborative self-defense through such sharing with other financial institutions and regulators.

7 Auditing Cyber Security in an Unsecured World, The Institute of Internal Auditors, 2015

Example Risk Register 4
Technology Risk – network connectivity failure
DFS Provider example: Either an agent banking service that uses mobile technology as its primary means of transacting, or an MNO that offers a mobile money wallet
Risk Category: Technology Risk
Secondary Category: Reputational Risk
Name: Network connectivity failure
Description: Customer cannot perform transactions through the mobile application or at an agent because:
• Mobile phone service is not available
• The provider's system is experiencing temporary downtime
Owner: Head of IT
Cause: Poor performance of vendor technology, insufficient capacity in the DFS system, inadequate MNO service
Effect: Transactions cannot be performed, resulting in loss of revenue and poor customer experience
Probability: 2 out of 5 – Moderately low, based on diligent selection of vendors and service level agreements
Impact: 3 out of 5 – Moderate in the short term, as the customer is likely to try again until successful.
However, persistent problems will lead to reputational and financial loss.
Risk Strategy: Treat
Treatment Strategy:
• Test the mobile operator's ability to deliver messages at the required service level on a periodic basis
• Test end-to-end transaction processing time and success rate periodically
• Install performance monitors to show system traffic and raise an alarm if it approaches peak TPS
• Define all transactions with clear completion boundaries, allowing clear rollback procedures in the event of incomplete transactions
• Service level agreements with system providers that have detailed strategies for enforcement
• System upgrades
• Use USSD-enabled POS as a fallback to mobile data (3G) to reduce reliance on data connectivity
Treatment Tactical Response:
• Invoke penalties from service level agreements with vendors
• Develop offline transaction modes
Key Risk Indicator:
• Transaction success rate (of transaction requests reaching the system)
• Sufficient capacity to cope with peak transaction rate
• Calls to customer services about failed transactions
Current status: Occurred and controlled

Box 4 Technology Risk Case Studies

A) When M-PESA was launched in Kenya, a bespoke system was commissioned from a software developer. There was little hard evidence on which to base the volume forecast that in turn would provide the basis for the system capacity requirements. It was felt that an optimistic but realistic forecast was that by the end of the first year there would be around a third of a million active customers, each transacting about three times per month. The system was built with the capacity to service this requirement plus a reasonable margin of error. Adding capacity to enable processing of larger numbers of transactions, larger databases to hold more customer and transaction records, and all the supporting architecture "just in case" would be very expensive and unjustified, so the system was built to meet the expected demand.

Of course, M-PESA's success was beyond any expectation and within three months of launch it was clear that the forecast was far too low. The technology was struggling to keep up with the unforeseen huge number of transactions being submitted. A task force was set up to find ways to increase capacity quickly, but even so, customers started to experience transaction delays and occasional system breakdowns which required manual intervention by a large team of customer service representatives to process transactions. For several months the technology team was constantly "running to stay still", finding ways to add capacity that was full by the time it was deployed. In parallel they were building longer-term solutions to the intrinsic architectural constraints. Whilst the capacity issues were eventually resolved, the incremental cost of constant improvements to the under-sized launch technology was extremely significant.

B) Fidelity is a tier one bank in Ghana with close to one million customers, 80 branches, 110 ATMs and 1,000 banking agents. To address the financial exclusion of 70 percent of Ghanaians, the bank established a Financial Inclusion Unit to pioneer agent banking in 2013. The flagship product is the Smart Account, an entry level card-based product using agents for basic services normally provided at bank branches.

To support the Smart Account business, a new stand-alone system was purchased. Agent banking was a young business sector at the time, with many technology providers creating new systems, and few services had a proven track record. Fidelity decided to test the waters by selecting an add-on technology platform separate from its core banking system. Deploying new technology is always a source of risk. As the agent business was new to Ghana and to Fidelity Bank, it took the bank some time to assess the full needs of the market and as a result it could not build in upfront the flexibility the system needed to allow for changes as the project progressed.

"You need to thoroughly investigate and anticipate your requirements, and state and restate. Otherwise, the supplier may give you a solution for today and not tomorrow."
~Dr. William Derban

The Smart Account was launched in July 2013 with very high expectations. By the end of the first six months, Fidelity had opened over 55,000 accounts. The agent numbers grew rapidly, as did the volume of transactions. However, as the number of transactions grew, Fidelity began to experience a number of challenges. Some related to the fact that this was a new service in the country, and staff and agents had no other examples of bank agents to compare to or learn from. Secondly, the technical system seemed inflexible and unable to cope with the increased demands on it from a fast evolving market. Unplanned downtime has improved significantly, but remains a big issue. Coupled with unacceptable transaction failure rates (agent POS devices began to show failure rates of around 20 percent, and problems were encountered in linking the core banking and Smart Account agent systems), it forces the team to focus on constant fire-fighting instead of business development, especially as the number of Smart Accounts ramped up (to approximately 300,000).

Even though the Smart Account and the agent banking channel have grown exponentially since inception, the high targets set by Fidelity Bank are yet to be achieved. With more advances in agent management systems in the past few years, Fidelity is investing in improving its technology platform and in moving its agent banking and Smart Account business onto the same platform as the main bank.

Technology can be a major source of risk, especially when you are a pioneer, as in the case of Fidelity Bank. Today, with over two years' experience and still the only commercial bank with bank agents in Ghana, Fidelity is optimistic that its technology risk has been greatly reduced as it improves on its current technology platform.

TECHNOLOGY RISK – KEY QUESTIONS
• Do I have service level agreements with my system provider to ensure software uptime?
• Do I have service level agreements as well as fault diagnosis and repair procedures in place with my partners?
• Am I able to measure the service level from an end-user perspective?
• Is my software adequately communicating with devices to minimize transaction failures?
• Are third party providers and vendors effective and adequate in their security protocols and risk management approaches?
• Is access to corporate IT assets restricted and only granted based on an established role-based access framework?
• Do I have any mechanism in place to prevent loss or leakage of sensitive information (confidential information, intellectual property, personally identifiable information) from the organization?

5. Financial Risk

Are my trust accounts adequately diversified?

Financial risk is one of the most impactful risks related to DFS. While all risks discussed in this handbook can lead to direct or indirect financial losses, there are specific risks related to the financial management of a DFS provider, as described below.

Liquidity risk: Liquidity risk is the risk that the institution is unable to meet its cash flow obligations and becomes insolvent. Transactional patterns such as average deposit amounts, inflows, outflows, and durations should be monitored closely after the launch of DFS, as customer behavior may be affected by having convenient access to funds and this may change the asset/liability profile of the financial institution.

Credit risk: Credit risk is the risk that clients do not repay their loans and either do not have sufficient collateral or the institution is unable to collect on it. In this case, the institution is still responsible to its deposit holders and must find alternative ways to repay them if loans turn bad.

Interest Rate risk: The risk of the interest rates on borrowed funds increasing while, at the same time, the institution is unable to increase the interest rate charged to customers because long term loan rates are locked in. In this case, the institution would be paying more in interest to creditors than it is earning by lending the funds, creating significant financial losses.

Foreign Exchange risk: Foreign exchange losses can be incurred when trading currency, or by having a mismatch between the currencies in which loans and deposits are denominated. Book values of debt obligations can grow substantially through adverse currency fluctuations, resulting in losses. Forex risk can also be an issue if the organization's income is generated in a different country from the one where its costs are incurred.

Concentration risk: Concentration risk refers to overexposure to a particular counterparty (credit) or sector. If there is a concentration of funds held at any one particular bank, the institution is at risk of excessive loss of client funds should that bank become insolvent. Placing funds at multiple banks will help mitigate this risk, although it creates additional administration. Similarly, over-reliance on a particular customer segment may put large amounts of revenue at risk should customer preferences change such that large amounts of deposits are withdrawn.

Example Risk Register 5
Financial Risk – foreign exchange exposure
DFS Provider example: Any DFS provider that incurs a high proportion of its costs in a different currency from the one in which it receives income, for example a PSP operating in several markets from a central head office.
Risk Category: Financial Risk
Secondary Category: Strategic Risk
Name: Foreign Exchange Risk
Description: The risk that financial losses are incurred due to fluctuations in foreign exchange rates.
Owner: Head of Finance
Cause: External causes such as economic performance and the monetary policy of local governments
Effect: Leads to real or book losses if liabilities are in a foreign currency and that currency appreciates
Probability: 2 out of 5 – Moderately low probability due to stable currency exchange rates over the last ten years
Impact: 4 out of 5 – Moderately high impact if the fluctuation is severe enough
Risk Strategy: Transfer
Treatment Strategy:
• Source local borrowings, or foreign borrowings in local currency, to the fullest extent possible
• Negotiate contracts with vendors and providers in the currency of borrowings
• Transfer remaining risk that cannot be avoided
Treatment Tactical Response:
• Purchase currency swaps for the exposed risk
Key Risk Indicator:
• Foreign exchange rate
Current status: Has not occurred

Box 5 Financial Risk Case Studies

Zoona is an independent financial services provider that offers over-the-counter financial services via agent networks in Zambia, and more recently in Malawi. Its 1,400 active agents provide mainly domestic remittance services to 1.3 million individual customers, with over 90 percent of transactions coming from its longer established Zambian business.

Zoona has a centralized support office, which handles technical support, customer care, and certain other corporate functions for all operating entities. Only a relatively small team is therefore needed in the countries of operation to provide sales support, setup and any other operational functions that must take place locally. This centralization is intended to provide economies of scale as the business expands into new markets. Cloud-based technology is used, reducing the technical overhead and allowing rapid expansion when required. Thus the staff level is low, with around 60 percent of the workforce based in the support office and the rest in the local markets. Nevertheless, the biggest cost to the business is staff related costs.

This geographical separation of operations from the markets means that Zoona has a currency mismatch in that it earns revenue in local currency but has a large proportion of its expenses in South African Rand and US dollars. When the exchange rates were relatively stable, this was not a problem. However, the majority of its revenue currently comes from Zambia, and the Kwacha dropped in value versus the Rand by almost 60 percent in the latter part of 2015. [8]

8 Forex chart from http://fx-rate.net/ZAR/ZMK/

Chart: Historical exchange rate, Rand to Kwacha (ZAR/ZMK), monthly from 01/15 to 01/16, with the rate ranging between approximately ZK 500 and ZK 950 over the period (see footnote 8).

Fortunately the exchange rate appears to be returning to previous levels. Currency fluctuations are obviously beyond the control of Zoona, but the risk is so high that steps are needed to mitigate it. Apart from normal treasury hedging techniques, management is taking the approach of diversifying into a number of different markets to help mitigate the impact of changes in any one currency.

FINANCIAL RISK – KEY QUESTIONS
• Do I have sufficient funding and cash to meet obligations and a buffer for unexpected cash flows?
• Do I have credit risk policies in place, including credit risk assessments and KPIs for portfolio monitoring?
• Am I aging my portfolio at risk and creating loan loss reserves as per my regulatory requirements?
• Are my trust account(s) adequately diversified and covered by deposit insurance?
• Is my foreign currency exposure hedged?
• Are internal back-office processes, reconciliations and controls adequately designed, verified and monitored regularly?

6. Political Risk

Are there any foreseeable political threats?

Political risk is the possibility that political decisions, events, or conditions will significantly affect the profitability of a business or the expected value of a given economic action. Political risks are faced by institutions as a result, inter alia, of civil unrest, terrorism, war, corruption, slowed or retracting economic growth, or unsuitable economic conditions following fiscal or monetary policy changes set by the government. Events caused by political risk have impacts on operational risk, in particular business disruption, and should be included in business continuity plans. Political risks are beyond the control of the organizations and customers affected by them, but can have a serious impact on the business. Whilst they cannot be prevented, in some cases they can be predicted, such as known elections, and contingencies set in place in case the risks materialize, as happened to two IFC partners discussed in Box 6 below.

Example Risk Register 6
Political Risk – sudden system disruptions
DFS Provider example: Any DFS provider, as all are reliant upon agents and communications technology.
Risk Category: Political Risk
Secondary Category: Reputational Risk
Name: Inability to access account or conduct transactions
Description: Post-election violence, civil unrest, war or terrorist activity disrupt normal business operations, by directly closing the business, or by closing an essential partner function such as the mobile network, or the retailers that operate as agents.
Owner: Head of Risk
Cause: Political instability, elections, war, terrorist attack and/or outside disruption
Effect: Customers cannot access accounts due to loss of connectivity or inability for agents to operate business as usual
Probability: 1 out of 5 – Very low given history of civil peace in local market
Impact: 3 out of 5 – Moderate impact based on potential for business disruption
Risk Strategy: Tolerate
Treatment Strategy:
• Develop service disruption plan for agents, staff and/or branches
Treatment Tactical Response:
• Invoke service disruption plan for agents and staff
Key Risk Indicator:
• PAR
• Service availability (uptime)
• Agent activity
• Customer activity
Current status: Has not occurred

Box 6: Political Risk Case Studies

A) FINCA DRC is a microfinance institution founded in 2003 that launched an agent banking service in 2011 to expand its footprint beyond its 18 branches. Its 548 agents form the largest agent banking network in the Democratic Republic of Congo, where only 4 percent of a population of 75 million has an account with a formal financial institution. FINCA now holds a quarter of a million customer accounts that can be used for savings and loans. More than half of FINCA’s business is transacted via agents using biometric POS terminals. Transaction details are communicated from the agent POS device by mobile data network to a switch which links to the FINCA servers via a secure internet connection.

In response to demonstrations against proposed extensions to the presidential term in January 2015, the DRC government disabled all internet, voice and mobile data services. MNOs and Internet service providers complained of losing millions of dollars of business during the shutdown. The POS devices of FINCA agents became inoperable, and customers were unable to access their accounts. As a result, customers could not repay outstanding loan obligations to FINCA. The FINCA portfolio at risk rating increased, and did not fall back to its previous level in the months after the disruption. As PAR is a key performance indicator for assessing portfolio quality, the few days of disruption in early 2015 led to long term negative performance and significant financial losses. The mobile (voice) network was restored within two to three days, and the internet was restored for corporates, including financial institutions, after ten days, but the impact was still being felt long afterwards.

Political unrest is expected to continue in the DRC, and FINCA is understandably very concerned about this, making plans to minimize business impact. Political factors remain beyond its control, and the consequences of a prolonged period without network connectivity could be profound.

B) LAPO Microfinance Bank is a Nigerian microfinance bank operating in 26 states, currently providing 1.3 million customers with microfinance services. It is in the process of creating an agent banking service to supplement its regional branches.

LAPO has significant assets in the north east of Nigeria where there have been several serious terrorist attacks in recent years. This has caused branches to be closed at short notice, and in one instance staff and customers were trapped inside a branch for several hours during a nearby incident. In financial terms, the uncertainty caused by civil unrest also has an impact on the quality of the loan assets, impacting its ability to grow the portfolio.

LAPO is launching its agent network in 2016, and the disruption caused by terrorist groups is likely to continue. LAPO has instigated a number of measures to mitigate the risks, including provision of training and a staff manual giving guidance on what to do in case of being in the vicinity of a terrorism situation. The agent model is particularly vulnerable to political disturbances given that LAPO relies on its relationships with its agents to manage business disruption. Mitigation techniques should be integrated into the agent training and management systems.

POLITICAL RISK – KEY QUESTIONS
• Are there any foreseeable political threats, or imminent events that might create a political threat? If so, am I prepared?
• Do I have contingency in place to manage the implications of an outage due to political events?
• What is my communication plan to customers, partners and investors in the event of political risk affecting my business?

7. Fraud Risk

Have we developed detective controls for fraud?

Fraud is a notorious risk for DFS and the cause of much concern to DFS providers. Fraud risk is multi-faceted and relates to several other risks. Operational and technology risk can cause fraud risk, and fraud can lead to financial risk. Fraud is also a significant driver of reputational risk. Large cases of fraud in mobile money have been reported over the last few years that have caused financial damages of millions of dollars. These have been due to customer, agent, and employee fraud, from creating ghost accounts to conducting fraudulent transactions. Funds have been stolen from providers, agents, and customers. Fraud can have a large impact on the reputation of an institution, and on the industry as a whole. If funds are stolen from customer accounts at the fault of the provider, providers must ensure that funds are returned to customers immediately. The process of preventing fraud includes conducting assessments to understand where fraud could be detected and prevented, determining risk appetite and establishing effective controls.
Fraud can generally be defined as either major fraud, involving very large sums and usually perpetrated against the financial institution, often by staff; or minor fraud, involving agents or customers as victims or perpetrators and smaller sums of money. There are many reasons why people commit fraud, but a common model to bring a number of these together is The Fraud Triangle [9]. The premise is that fraud is likely to result from a combination of three general factors: Pressure (or motivation to commit fraud); Opportunity (typically because of poor systems or processes); and Rationalization (typically that they will not be caught). One of the most effective ways to prevent fraud is to decrease the opportunity for fraud, by having excellent fraud prevention and detection technology and procedures. This reinforces the need for fraud risk management. The most common types of DFS-related fraud are defined in the MicroSave publication Fraud in Mobile Financial Services (2012) [10] and have been summarized below by source of fraud.

9 http://www.cimaglobal.com/Documents/ImportedDocuments/cid_techguide_fraud_risk_management_feb09.pdf.pdf
10 MicroSave, Fraud in Mobile Financial Services, Mudiri, 2012

Figure 6: The Fraud Triangle: a framework for spotting high-risk fraud situations. Pressure: financial or emotional force pushing towards fraud. Opportunity: ability to execute the plan without being caught. Rationalisation: personal justification of dishonest actions.

Customer Fraud

CUSTOMERS DEFRAUDING AGENTS
• Counterfeit currency: the risk that customers deposit counterfeit currency at an unknowing agent in exchange for electronic value, and then withdraw legitimate currency from another agent.
• Unauthorized access of agents’ transaction tools: customers access agent POS devices to conduct fraudulent transactions.
• Fraud on agent web channel: customers access the agent web channel without authorization and conduct fraudulent transactions.
• Voucher fraud: fake vouchers are made to represent genuine vouchers from NGOs or government and given to agents in exchange for cash or electronic value.

CUSTOMERS DEFRAUDING CUSTOMERS
• Unauthorized PIN access: customers gain access to other customers’ PIN numbers and conduct unauthorized transactions.
• Identity theft: customers use IDs of other customers to gain access to accounts.
• Phishing, SMS spoofing, fake SMS: fraudulent customers send fake SMS to agents either from their own handsets or generated from computers. The SMS looks genuine to the recipient.

Agent Fraud

AGENTS DEFRAUDING CUSTOMERS
• Unauthorized access to customer PINs: agents gain access to customer PIN numbers and conduct fraudulent transactions.
• Imposition of unauthorized customer charges: agents charge customers fees for transactions above and beyond the list price and fraudulently keep the fees instead of remitting them to the provider.
• Split withdrawals: customers request a withdrawal from the agent, and the agent splits the withdrawal into two or more transactions in order to collect more cash out commissions from the customers.

AGENTS DEFRAUDING PROVIDERS
• Split deposits: customers request a deposit from the agent, and the agent splits the deposit into two or more transactions in order to collect more cash in commissions from the provider.
• Direct deposits: agents directly deposit funds from a customer into another customer’s account instead of cashing in, and then send a transfer funds request in order to avoid the fee.
• Registration of customers with fake details: agents sign up customers that do not provide accurate KYC information.
• Registration of non-existent customers: agents sign up ghost accounts in order to receive the registration commission.
• Registration of individuals as businesses: agents sign up customers as a business account in order to receive the higher commission.
• Impersonation of provider status: an unauthorized agent acts as an authorized agent to conduct fraudulent transactions.
• Money laundering on platform: agents knowingly conduct transactions for customers that are for the purposes of money laundering in order to receive commission.

AGENT EMPLOYEES DEFRAUDING AGENTS
• Theft of funds: agent employee steals funds from the cash float at the agent.
• Underreporting of cash balances: agent employee misrepresents the cash float balance at the agent.

FRAUD BY MASTER AGENTS
• Unauthorized withdrawals from agent accounts: master agents abuse access to agent accounts and withdraw funds.
• Illegal deductions from commission earned by agents: master agents charge excess commission-splitting fees to the agent.

Provider Fraud

CONTACT CENTER AND OPERATIONAL SUPPORT FRAUD
• Unauthorized access of customer payment records: employees abuse access to customer records.
• Illegal transfer of funds from customer accounts: employees conduct fraudulent transactions.
• Unauthorized SIM swaps: call center staff change customer PIN numbers.
• Unauthorized access to co-workers’ system access rights: call center staff gain access to co-workers’ access rights in order to conduct fraudulent transactions.

SALES AND CHANNEL STAFF FRAUD
• Bribery: sales team bribes agents and/or customers or requests unauthorized payments.
• Unauthorized access of agent transactional data: sales staff use agent data to conduct fraudulent transactions.

SYSTEM ADMINISTRATION FRAUD
• Abuse of passwords: employees use access to passwords to conduct fraudulent transactions.
• Creation of fake/non-existent users: employees create fake accounts in order to conduct fraudulent transactions.
• Individual users with multiple rights: employees are given access to multiple levels within systems, and these rights are abused to conduct fraudulent transactions.
• Weak passwords/transaction PIN: employee passwords are hacked due to weak password settings.

Business Partner Driven Fraud

EMPLOYEES DEFRAUDING BUSINESSES
• Employees link wrong mobile numbers to bank accounts: employees link their own mobile or a collaborator’s mobile number to a bank account in order to have illegal access to the account.
• Illegal reversal of customer payments to the business: employees reverse payments conducted by customers and keep the cash.
• Illegal transfers from business accounts: employees conduct fraudulent transactions transferring funds from business accounts to fraudulent accounts.

Example Risk Register 7: Fraud Risk – split deposits
DFS Provider example: MNO that offers a mobile money wallet and uses agents to cash in for a fixed (or stepped) commission fee
Risk Category: Fraud Risk
Secondary Category: Agent Management Risk
Name: Split deposits
Description: Agents force customers to split deposits into a number of smaller transactions in order to generate higher commissions at the cost of the provider.
Owner: Head of DFS
Cause: Commission structures incentivize misbehavior of agents.
Effect: Provider is forced to pay higher commissions to the agent than originally intended, which can severely impact net revenue.
Probability: 1 out of 5 – Moderately low based on strict policies and controls
Impact: 1 out of 5 – Very low, as the largest potential loss is the transaction fee
Risk Strategy: Tolerate
Treatment Strategy:
• Use data analytics tools to flag suspicious transactions such as multiple transactions to or from the same account at the same agent within a 24 hour period
• Develop a comprehensive due diligence process for the recruitment of agents to minimize recruitment of agents with poor reputation or those likely to commit fraud
• Carry out mystery shopping activities to identify agents trying to split transactions and practice good agent management by using remedial action
• Education of agents by including split transaction warnings in agent training materials
• Call center for customers to report suspicious activity
Treatment Tactical Response:
• Agent retraining
• Enforcement of penalties for agent mismanagement and closure of agents
Key Risk Indicator:
• Suspicious transaction reports
Current status: Occurred and controlled

Box 7: Fraud Risk Case Studies

One of the most reported large scale frauds experienced by a DFS was due to poor operational practices. The service was one of the early DFS deployments in Africa and it soon became successful. Because of this success in a highly competitive market, the service provider’s focus was on increasing numbers of customers and transactions and, as a consequence, little attention was paid to the many warning signs that all was not well. Within a few months of launch, the employees tasked with daily reconciliation, ensuring that the e-money issued matched the money in the bank account, were reporting large discrepancies. These warnings were ignored by management. For nearly two years a number of employees created “counterfeit” e-money that was not covered by “real” money, and became increasingly creative in finding ways to cash it out, for example via complicit agents or by creating bogus customer accounts. This was possible due to a lack of operational controls that allowed the perpetrators to abuse the system with impunity. Operators could create their own logins, with some individuals having multiple user IDs to confuse any audit trail. There was no segregation of duties enforced to prevent operators from processing bogus transactions, and no suspicious behavior monitoring to identify potential fraud. New staff were not formally trained on operating the complex back office system and thus could not recognize inappropriate behavior by their colleagues, or correct any issues. Possibly the worst omission was that there were no procedures in place to investigate any issues that were reported, so the various fraudulent activities lasted for several years before being uncovered.

There are many reported instances of small scale agent fraud. One of the most common is splitting large transactions into many smaller transactions. For example, “split withdrawals” are where a customer wishes to cash out a specified amount and, instead of doing a single transaction, the agent performs multiple smaller withdrawals and earns a fixed amount on each. This is possible because most services pay the agent a fixed amount per withdrawal rather than a percentage, making it possible to earn the same commission multiple times instead of just once.

Another way for agents to scam the provider is to register customers who have come in for an airtime top up for the mobile money service without their knowledge or consent in order to earn a commission. An added sophistication on this scam occasionally occurs when an agent registers a genuine customer and then offers to demonstrate how the service works by doing a deposit, immediately followed by a withdrawal, using the new customer’s phone. The agent earns commission on both the cash in and cash out despite no real exchange of money having happened.

FRAUD RISK – KEY QUESTIONS
• Have you determined your level of acceptable financial losses due to fraud?
• Have you identified the key areas for potential fraud risk for your institution?
• Have you developed preventative and detective controls for fraud?
• Are you actively monitoring and reviewing your fraud risk management strategy?

8. Agent Management Risk

Do you provide enough training for agents and distributors?

The introduction of agents to act on behalf of financial services providers presents many benefits in cost, geographical reach, and scale, but also introduces new risks. The management and supervision of agents is imperative to a well-functioning service that protects customers. The use of agents can trigger operational, technological, legal, reputational, and fraud risk, which are covered in other sections. In addition, there are risks directly associated with agent management:

Agent Density: Customers use agents to access their mobile financial service, especially for cash in and cash out, and require close proximity to an agent in order to conduct transactions. However, providing the right number of agents to meet customer demand is always a challenge to any DFS. Insufficient agents can refer either to a lack of nearby agents, or to a lack of capacity of the nearby agent to meet customer demand, resulting in long queues or liquidity problems (see below).

On the other hand, too many agents can also be a risk because the customers are diluted amongst them so that no agent has the critical mass of customers needed to earn sufficient commission to offset the cost of e-money and cash float management. In these circumstances, the agents often fail to maintain float and are thus unable to serve customers. Infrequent usage of the DFS can result in agents forgetting how to offer the service or forgetting their PIN so that they cannot serve customers, even if they have liquidity.

Insufficient Liquidity: Agents require sufficient cash on hand and electronic value to manage customers’ transaction requests for cash in and cash out on a day-to-day basis. To meet these needs, agents typically use cash float from their existing businesses; travel frequently to a branch or another agent to exchange cash and e-float; or, for busy agents, utilize a relationship with a liquidity manager, such as a super-agent, from whom they can access fast and frequent turnaround of cash and float. In some cases, liquidity facilities may be offered by the financial service provider or a third party in the form of an initial capital infusion or a short term overdraft to offset shortfalls in liquidity. Sufficient liquidity management processes and facilities are required to ensure that agents are satisfied and not inconvenienced, and for customers to trust that there are funds available immediately upon request.

Theft of Cash Float: An agent’s business operations may be put at risk from excessive deposits. The cash may be stolen, and this is especially the risk if the agent develops a reputation for holding large amounts of cash. Liquidity managers should offer pick-up and drop-off services to mitigate this risk.

Teller Errors: Agents and their tellers may make key stroke errors in entering transactions or counting errors in cash management that will result in a float being unreconciled and sustaining losses either to the agent or to the customer. Teller errors also include the risk of losing or damaging paper records that may put the agent and provider at risk of regulatory non-compliance.

Poor Training: Training of agents is typically standardized and rooted in the provider’s policies and procedures to comply with regulatory guidelines. Training policies include the training content, the required frequency and timing of the agent training, and the required trainer qualifications. Agent training should be thorough and include refresher courses to mitigate risks of errors and to provide a consistent customer experience across all agents. It is essential that those serving customers at agent locations are trained, not just the agent service owner, and this can be a challenge. It is common for badly trained agents to claim that the service is not working, rather than admit that they don’t know how to use it. Customers that have a poor first experience at an agent are often discouraged from using the service again, and may even be discouraged from using DFS at all.

Customer Service Mismanagement: Agents are the first line of customer service for DFS providers. Included in the training on policies and procedures should be mechanisms for agents to handle customer complaints and inquiries such as basic troubleshooting, provision of call center numbers, and the logging of complaints for relaying to the agent manager. Agent mishandling of customer service can impact providers through loss of customers, inactive accounts, and reputational risk.

Poor Agent Selection: Agent selection policies typically include minimum suitability criteria (based on regulatory requirements and the provider’s assessment of required capacity). Poor agent selection may lead to inactive agents, reputational risk, regulatory risk and financial losses for the provider. Agents should be well trained on the requirements for maintaining their agent status, monitored frequently, and closed if not meeting the minimum criteria.

Inadequate Branding and Marketing: Branding and marketing materials should be standardized and included in the policies and procedures for agent management. Branding and marketing materials should be provided by the financial service provider and can include signage, brochures or other collateral. A consistent user experience is important to reduce the risk of client inactivity and reputational risk. There should be sufficient supply of marketing materials to support customers in their early use of the service.

Whilst the regulator takes a hands-off approach to agents in many markets, some countries may require a provider’s use of agents to be approved by regulators and, in some, each agent must be individually licensed. Supervision of agents may be conducted by regulators; however, even if that is the case, providers should also be conducting oversight themselves. Agent supervision by providers, including data analytics and in-person visits, reduces the opportunities for risk in the DFS operations, such as fraud risk, reputational risk, regulatory risk and strategic risk, as well as improving the likelihood of success by increasing activity rates of agents and customers.

Example Risk Register 8: Agent Management Risk – liquidity constraints
DFS Provider example: Any DFS provider that relies on agents having a store of value (or e-money) in their accounts to serve customer deposits. For example, an MNO that offers a mobile money wallet.
Risk Category: Agent Management Risk
Secondary Category: Reputational Risk
Name: Lack of agent liquidity
Description: Customer cannot perform a cash in transaction because the agent does not have sufficient e-money
Owner: Head of DFS
Cause: Agent is capital constrained or chooses not to invest in DFS operations, or has no convenient mechanism to quickly access e-money
Effect: Customer cannot cash in because there is no e-money available, resulting in poor customer experience
Probability: 3 out of 5 – Moderate probability based on difficulty of controlling agent liquidity levels
Impact: 2 out of 5 – Moderately low impact based on customers’ ability to return later or visit another agent. If the service is early in its life cycle, or the problem is persistent, impact will be higher.
Risk Strategy: Treat
Treatment Strategy:
• Use of agents and super-agents for liquidity
• Call center logs
• Process to alert agents when their e-money float is low
• Control the roll out of agents to ensure that there is both sufficient geographical coverage, and that each agent has sufficient customers to support his business
• Process to identify when agents are consistently failing to meet their liquidity requirements, and mitigation procedures
• Pre-fund agent capital requirements through loans or lending institution partnerships
• Mystery shopping and good agent management
Treatment Tactical Response:
• Increase capital requirements and agent due diligence for new agent sign-up
• Re-evaluate commission structure to ensure sufficient incentives are in place.
Key Risk Indicator: Agent e-money balances
Current status: Occurred and mitigated

Box 8: Agent Risk Case Studies

According to the GSMA [11], on average 51.4 percent of DFS agents are active, or around half of the agents recruited to offer DFS to customers are actually doing so. In some markets, the inactivity level is much higher. This means that customers may walk into a fully merchandised DFS agent to perform a transaction, only to be told that the agent is not operational. Worse still, in an attempt to save face, these agents often tell customers that they cannot be served “because the DFS is not working today”, which undermines the service by making it seem unreliable and unsafe. A bad agent experience can damage the DFS reputation and put potential customers off using it, especially if it happens early in the customers’ exposure to the service. Common causes of agent inactivity are either that the agents do not know how to use the service, or they have forgotten their PIN codes, or they have run out of e-money float.

Agents need to have a supply of e-money float to send to customers wishing to deposit money; and they need cash to give to customers wishing to make a withdrawal. Even among active agents, liquidity issues are common, especially in rural areas far from the nearest bank where cash can be deposited to replenish the e-money supply. If customers cannot easily access the money in their accounts, or if they think the intended recipient of the money will have trouble cashing out, they are put off using the service. This creates a downward spiral, as agents do not bother to maintain their e-money float regularly if they are not experiencing customer demand, so more customers have a bad agent experience and stop (or never start) using the DFS. Because of this, successful DFS providers have a range of strategies to ensure that their agents have access to several ways of managing float, such as enabling aggregators and super-dealers to assist agents, and providing merchant payments by DFS to continually top up the agents’ e-money holding.

11 GSMA state of the industry report: mobile money 2015. Inactive agents are defined as not having served a customer in the previous month.

AGENT MANAGEMENT RISK – KEY QUESTIONS
• Do you have concrete agent agreements that cover all of your risks and abide by local regulation?
• Do you have a comprehensive training program for agents and distributors?
• Do you have a range of contingency plans to facilitate liquidity management?
• Do you have feedback processes in place to identify and resolve agent performance issues?

9. Reputational Risk

Are partners assessed for reputational risk?

Reputational risk refers to the risk of losses from damage to the image of a provider, partner, or stakeholder, leading to a reduction of trust from clients and agents. Losses may occur in reduced revenue and shareholder value, as well as increased operating costs or legal liability. Reputational risk is not a direct risk, but is a result of other risk-related problems, such as many of those discussed throughout this handbook. However, by its nature, the consequences can be severe and long lasting. The risks that are most likely to result in reputational damage are technology failure causing an inability to transact, lack of transparency in policies and pricing, fraud, poor customer experience, lack of agent liquidity, and high prices.

The best way to protect the business from reputational risk is to have a strong risk management function to prevent those risks most likely to affect the service or the company’s reputation. Risk prevention includes minimizing opportunities for fraud or those risks caused by poor customer experience such as failed transactions, lack of connectivity and liquidity, or poor agent experience. Preventing reputational risk can be achieved by focusing on the customer experience and building trust. Creating a good customer experience can be achieved by ensuring customers can access their funds when and where they need them, as well as creating avenues for customer recourse such as encouraging and supporting agents to provide first level customer service, operating well-managed call centers to solve customer complaints and inquiries, and returning customer funds in any cases of fraud. Reputational risk is also an effect of partnership risk if partners fail to meet clients’ expectations. The provider should be prepared to address issues and maintain customer relationships, even if the event was the fault of the partner.

For those risks that cannot be avoided, a mitigation strategy is used. A key component of a mitigation strategy is a public relations strategy that has contingency to manage negative press, either reactively or proactively, depending on what the situation requires. Most organizations already have a PR strategy for damage limitation, and the DFS business should be included, with key personnel briefed about the service so that they can react quickly to reputational threats. As DFS can be quite complex, it is advisable to also have a nominated person from the DFS team to liaise with the public relations manager to ensure that the correct messages are being delivered.

Whilst press briefings are the first step towards mitigating reputational risk, it is also advisable to communicate directly with agents, merchants and any other DFS partners to reassure them about the situation. In addition, customer services should be briefed and provided with agreed statements that can be communicated to concerned customers. It is also important to communicate internally to apprise staff and reassure them.

Example Risk Register 9: Reputational Risk – transaction failures
DFS Provider example: For example, an MFI that offers agent banking
Risk Category: Reputational Risk
Secondary Category: Technology Risk
Name: Poor customer experience caused by technology risk
Description: Agents cannot perform a transaction when requested by customers because the service is not available for several hours
Owner: Head of DFS
Cause: The DFS is suffering an unplanned technical outage
Effect: The service gets a reputation for being unreliable. Agents are embarrassed. Customers are not confident that they can access their money. Over time they stop using the service
Probability: 2 out of 5 – Moderately low due to strong technology risk mitigation
Impact: 2 out of 5 – Moderately low based on the unlikelihood of losing all customers
Risk Strategy: Treat
Treatment Strategy:
• Prevention of the risk event that would lead to reputational risk
• Strong SLA with the technology provider, based on robust technology
• Incident resolution process and escalation matrix in place
• Well-resourced customer care department
• Customer feedback channels through agents, call centers, social media, email, branches, or other channels
Treatment Tactical Response:
• Communications plan to alert the business to the outage, and then for agents and other partners to be advised of the issue and its expected resolution time
• Procedure in place to manage press enquiries about the incident
• Customer care advised of how to handle calls from customers and agents
Key Risk Indicator: Short and long term KPIs (did the incident affect the expected performance of the business?)
Current status: Has not occurred

Box 9: Reputational Risk Case Studies

A) A successful DFS provider discovered that it had been defrauded of a significant amount by corrupt employees. The police were called in and the suspects charged. Because of this, it seemed unlikely that it could “hush it up” and avoid a scandal. After some debate it decided to go public in the press, explaining what had happened, that the issue had been stopped, and that none of its customers had suffered as a result. The public reaction was, as might be expected, that customers favored the competitors because of security concerns, and a resulting drop in sales. It is not known what the drop in sales would have been if it had kept silent and the fraud had been revealed by the media in headline news. On balance the DFS provider now believes it should have kept quiet and hoped for the best.

B) A major African MNO was one of the successful early DFS providers. A couple of years after launch it experienced internal fraud that was reported in the national press. A scandal ensued. The MNO admits to the damage this scandal caused its business:

“Definitely the damage was far beyond mobile money in our country…It was beyond the MNO and touched the whole mobile money space. Reputational damage was manifold.”

For a while, the reputational damage extended beyond DFS to its core telecoms business. In addition, the entire DFS sector in this market was affected; its major competitor confirmed that this incident also impacted its DFS sales as the loss of consumer confidence shrunk the whole market.

REPUTATIONAL RISK – KEY QUESTIONS
• Do I understand the financial value of reputation, or the potential cost of losing it?
• Do I consider reputational risk with strategic risk?
• Do I have clear standards linked to the preservation of reputation and integrity?
• Are partners assessed for reputational risk?
• Do I have a comprehensive communications and public relations plan to proactively address rumours or concerns with my service?
• Do I have a comprehensive customer support line for customers and agents?
• Are there guarantees in place to protect customer and agent funds?

10. Partnership Risk

Do you share expected outcomes and KPIs with your partners?

DFS partnerships are often necessary, and valuable in terms of providing expanded services to clients and improving operating efficiency. In some cases partnerships are required by regulations. In all cases, some level of cooperation and partnership is required, as the banks rely on MNO networks for connectivity and the MNOs rely on banks to hold funds in trust. Effective partnerships are equally rewarding relationships that have unique value propositions for each party and provide an improved experience for the customer.

The Partnership for Financial Inclusion program published a study in 2014 [12] outlining lessons learned from partnerships in DFS. It found that there were four key factors for success in DFS partnerships:
• Deficiencies in the partnerships from either one or more of the partners not playing a role that is key to their success, or one or more of the partners playing a role they are ill-equipped or unmotivated to play;
• DFS partnerships must enable the partners to generate value for their respective companies;
• Partnership roles in a DFS implementation must be aligned with competitive and comparative advantage and motivation;
• The lack of level playing fields in regulatory environments leads to suboptimal partnership arrangements.

Business partnership risk can include the breakdown of relationships with operational and strategic partners, including distributors, master agents, vendors, technology providers, implementation partners, and donors. It can also be a source of reputational risk.

Bank and MNO Partnerships: As the world of DFS expands to include new products such as algorithm-based lending and bank-to-wallet integrations, bank and MNO partnerships are becoming more and more common. In many markets across Sub-Saharan Africa, bank-to-wallet integrations are now commonplace, allowing customers to move funds between bank accounts and mobile wallets and to cash in and out using either bank or MNO agents. The fluidity of funds creates a better user experience for the customer, but hybrid models involving banks and MNOs are also at the highest risk of partnership breakdown. The two institutions try to work together to build a client-facing single product, and the question of who owns the customer often becomes a challenging discussion. If the partnership were to break down, both the product and client retention could be at risk. Institutions need to develop a mitigation strategy for retaining the customer in the event this may happen. Mitigation strategies may include pro-active management of customer relationships through customer service, marketing and branding campaigns, as well as outlining customer ownership agreements within the partnership agreements and including clauses around things like exclusivity and non-compete issues. In some markets, banks are the smaller, less dominant DFS partner and may find it difficult to negotiate a level playing field with MNOs. It may be decided that they are better off playing the background role of holding accounts and loans, while the MNO manages the client-facing relationships.

[12] Partnerships in Mobile Financial Services: Factors for Success, IFC, 2014

Agent Distributors: When utilizing complex agent network structures in a business model for DFS, the performance of the agents can be largely dependent on the ability of the master agent to manage them. This typically encompasses training, provision of liquidity, marketing materials and incentives. The relationship between the provider and the master agent plays a key role, and the breakdown of this relationship may result in a disruption to customer experience. Partnership agreements with agent distributors should cover all levels of services, and clearly state expectations and remuneration to reduce the partnership risk inherent in the relationship. They should also contain clear rules on how the ending of a partnership will be conducted to minimize impact on the customer or the business.

Vendors: Vendors play a large part in a DFS rollout. The risk of technology failure has a large impact on the customer experience, and the partnership the provider holds with its vendors can affect the risk of transaction failures and service delays.

Technical Integrations: Most services are dependent on technical interfaces with third parties. The first and foremost requirement for technical integration is for connectivity. DFS have an inherent requirement to use data or voice networks to offer services using technology. This includes the use of mobile network access, including SMS, USSD, and 3G services.

Beyond the basic requirements around connectivity, as DFS services mature they are increasingly integrating with other technologies, often via Application Program Interfaces. These include integration with core banking systems to allow funds to be transferred between DFS accounts and conventional bank and MFI accounts; integration with billers such as utilities, either directly or via payment switches; integration with various POS devices; and integration with money transfer organizations to facilitate international remittances. Interoperability between DFS is also starting to happen, either bilaterally or via switches.

Wherever there is a technical integration, there is a dependency on the partner service, and the integration itself is a potential point of failure. It is therefore essential that the quality of service of the partner organization is well understood before the partnership is confirmed. Poor quality of a partner is often blamed on the DFS provider. For example, if the payment switch is over-stretched the customer may need to attempt a transaction several times before a bill is paid, and this will typically be seen as a fault of the DFS. Underpinning all technical partnerships there must be a clear understanding of the service levels achievable by the partner, and an agreed expected (average) performance. Partners should be subject to penalties for consistent under-performance against these service levels. An important point often overlooked is the need to define exactly what is meant by service level and how it will be measured.

Crucially, there needs to be agreement about how incidents will be managed. When a technical incident involving two or more technologies occurs, the biggest issue can be to determine where the fault lies, with everyone claiming that another party’s technology is to blame. This may be happening in a high-pressure situation if the fault is serious, so it is important to have pre-agreed procedures where all parties work together, as far as is reasonable, to identify and resolve the problem. There must also be escalation processes in place for incidents that are not possible to resolve using standard procedures.

EXAMPLE – Risk Register 10: Partnership Risk – service unavailability

DFS Provider example: A bank offering agent banking with POS and customer mobile access provided by partner MNO connectivity
Risk Category: Partnership Risk
Secondary Category: Reputational Risk
Name: Relationship difficulties between the owners of the service – leading to service outage
Description: Significant relationship difficulty within the provider consortium results in service unavailability for customers.
Owner: Head of DFS
Cause: Inability of the partner to meet the increasing capacity requirements of the DFS provider as the business has grown faster than expected
Effect: Service unavailability for customers and agents, and customers cannot access accounts.
Probability: 2 out of 5 – Moderately low based on partnership agreements and well-structured commercial arrangements
Impact: 5 out of 5 – Very high impact based on complete dependency on the partner for delivery of the service
Risk Strategy: Transfer
Treatment Strategy:
• Service levels detailed in the partner contract
• Monthly technical reviews with partners, including expected volumes, to ensure capacity planning ahead of the demand curve
• Ensuring that the partner is sufficiently incentivized to keep the service running and grows with it.
Treatment Tactical Response:
• Legal action against partner for failing to provide service
• Wherever possible, qualify a secondary provider to work in parallel or on standby.
Key Risk Indicator:
• System uptime
• Performance vs KPIs
Current status: Has not occurred

Box 10 Partnership Risk Case Studies

A) The Kopo Kopo business was originally founded in Kenya in 2012 to exploit the potential for M-PESA to be used for in-store (merchant) payments for goods and services. Safaricom, the company providing M-PESA, had launched “Lipa na M-PESA” (Pay by M-PESA) to consumers a year or two earlier, so the capability existed, but few merchants accepted it and usage was very low. Kopo Kopo formed a partnership with Safaricom to provide a merchant service to increase the number of retailers accepting Lipa na M-PESA and thus drive usage by consumers. The service is free to customers but merchants pay a small percentage of the transaction value as a fee that is split between Kopo Kopo and Safaricom.

Kopo Kopo recruited merchants by providing them with transaction data, business intelligence, and fast access to funds via web and android applications, as well as bulk payment and bulk SMS capabilities. In addition it took on the task of intermediating in disputes. By late 2015, Kopo Kopo had recruited 4,000 active merchants focused on specific retail channels such as catering, hairdressers, agro-dealers, and service stations. Due to this growth, Safaricom saw the opportunity to manage this business in-house and is now competing directly with Kopo Kopo to recruit new merchants. Safaricom has the advantages of scale, reputation, and offering a cheaper service as it charges just its share of the transaction fee. It has proven very successful. Anticipating the risk of a change in relationship from partner to competitor, Kopo Kopo sought to diversify in two directions:
• To remain competitive in the Kenyan market, it has developed a popular merchant cash advance service offering funds based on a credit rating that is constantly updated based upon the merchant’s historical performance via Lipa na M-PESA. (This initiative is not without financial risk, but no issues had arisen at the time of writing.) By late 2015 it was earning more from its cash advances in Kenya than from its core business.
• By leveraging its existing investment in merchant acquirer software for Lipa na M-PESA, it has white-labeled it for use by other institutions outside of Kenya. The software will be sold on a licensing fee basis and Kopo Kopo has entered into commercial agreements with several providers. The product is due to launch in 2016 in Ghana, Uganda, and Zimbabwe, and will provide an additional revenue stream provided the service support does not exceed expectations.

Kopo Kopo’s preparedness for the inevitable emergence of its partner as a competitor has been a major factor in its business’ survival in a very competitive market.

B) A major (non-telco) DFS provider suffered from fraud perpetrated by one of its partners. It contracted with the three largest MNOs in the country to use their communication networks, specifically the SMS and USSD channels, and could provide the mobile money service to any customer or agent with a SIM card from any one of them. A number of agents started to report the same issue: their e-money float was disappearing. Over the course of two weeks this grew from one agent per day to three or four, each reporting losses of several hundred dollars. By examining the transaction statements of the affected agents around the time of the frauds, and then following sequences of transactions and accounts involved, it determined the means by which the fraud was being perpetrated.

It noticed that all the affected agents were using agent phones connected to the same MNO, and this provided the essential clue. The fraud involved an employee in a technical role at the MNO with access to the SIM card management systems. The fraudsters had developed a scam whereby the agent PIN was harvested and the SIM card was temporarily swapped whilst the funds were withdrawn from the account. As soon as this scam was diagnosed, the MNO partner was contacted and the issue explained. Presumably the MNO tightened up its SIM swap procedures, because the scam stopped within 24 hours and has never been repeated.

PARTNERSHIP RISK – KEY QUESTIONS
• Do you have a contract or MOU with your partner that includes protections and contingency plans?
• Do you have service level agreements with your master agents and distributors?
• Do you share expected outcomes and KPIs with your partners?
• Do you have realistic, measurable technical service levels agreed with your partners?
• Is there an agreed technical escalation process to resolve incidents?

Summary

The ten risk categories described above are broad categories used to describe DFS risk. A full list, including a number of sub-categories, can be found in the risk database on page 95. As the DFS industry evolves many more potential risks will start to unfold, and the task of identifying, understanding and mitigating risks will be a continuous one. Now that a broad understanding has been established in Part I, and the most common currently known potential risks have been identified in Part II, institutions can move to developing risk management frameworks. Part III provides step-by-step instruction on how to set up and implement a framework.

03_FRAMEWORK

03_ Part III: Risk Management Framework Applied

In the previous part of the handbook, we describe and illustrate the key risks in DFS implementation. In this part, we will take the concepts of the risk management framework described in Part I, and take the reader through a step-by-step process of the risk management cycle. It begins with Establishing Context, moves to Risk Identification, Evaluation, and Risk Strategy Development, and then concludes with Monitoring and Review. There are several literature sources on the process of implementing a risk management framework. The GSMA has also published a risk management toolkit that uses an excel-based format to guide MNOs on mobile money risks [13]. This handbook is loosely based on the ISO 31000 business industry standards for risk management. It has been adapted and contextualized for DFS-specific risk management.
The process begins with defining the project team and setting objectives and acceptable risk levels. Next, all possible risks are identified and articulated. Evaluation of the risks is done either through qualitative or quantitative methods to assess the probability and potential impact of the risk. The evaluation allows institutions to prioritize risks and to identify which risks can be tolerated, transferred, terminated, or require the development of a treatment strategy (covered in Section 4). Lastly, the framework is implemented and periodic reviews take place, going back to the planning and identification stage in order to ensure that it is always timely and an accurate reflection of the risks faced. Using the ISO 31000 Risk Assessment Process described in Part I, there are five sections to developing risk management frameworks, as shown in Figure 7.

[13] Risk Management Toolkit, GSMA & Consult Hyperion, 2015 (http://www.gsma.com/mobilefordevelopment/managing-risk-in-mobile-money-a-new-comprehensive-risk-toolkit)

Figure 7: Risk Assessment Process
START → SET CONTEXT → IDENTIFY → EVALUATE → STRATEGIZE → REVIEW AGAIN
• Set Context: define team; roles & responsibilities; timeline & budget; create a plan; define tolerance
• Identify: research; review history; assess today; brainstorm; register risks
• Evaluate: assign probability & impact; analyze; prioritize; respond; record risks
• Strategize: terminate; transfer; treat; tactical response; develop indicators
• Review Again: reassess; track

The sections that follow describe the activities and areas to focus on in each of the steps of the diagram above.

Box 11 Creating a Risk Management Unit

Whilst many larger organizations have some kind of risk management support at group level, Tigo Pesa Tanzania is one of very few local operating companies with a dedicated in-country DFS risk management team tasked to prevent, detect, and mitigate any potential risks. The risk management team was set up in 2012, two years after the launch of Tigo Pesa, with the appointment of a DFS Finance and Risk Manager, reporting to both the head of division and to the Millicom group chief financial officer of DFS. Since then the team has grown to five people who perform a number of roles to protect the business:

Processes and Controls – responsible for ensuring that business processes are available for all Tigo Pesa activities, and that these are reviewed regularly and updated whenever necessary. Also controls access to log onto the Tigo Pesa systems.

Fraud Avoidance – these activities are split into two types: internal fraud and customer facing fraud. Potential internal fraud is controlled by a combination of business procedures; data analysis to uncover any unusual activity; and monitoring of staff interaction with the systems to identify suspicious behavior. The majority of activity is in detecting and mitigating customer facing fraud. For example, there was an increasing incidence of customers sending money to wrong numbers and the recipients fraudulently claiming that the money was theirs. By championing the development of a new function to confirm the recipient name during transactions, the team managed to reduce this type of fraud by an impressive 60 percent.

Platform Integrity and Project Assurance – any change to the technology, whether a minor adjustment or a major new piece of functionality, has to be assessed and approved by the risk team. It takes a hands-on approach to any changes and is involved from the start of the development process.

Compliance with regulations – it is the team’s responsibility to provide specified reports and any other information requested by the central bank, and to assess and implement any changes to reporting or business operations required when regulations change. One team member acts as the anti-money laundering reporting officer.

The risk management team is subject to regular peer reviews by DFS managers from other members of the group; internal audit by Millicom group; and external audit by Ernst & Young.

Section 1: Set Context

The objective of the risk management planning process is to develop the overall risk management strategy for the DFS and to decide how it will be executed and how it will be integrated in the overall DFS implementation plan. The planning process begins with the creation of a team, which then develops the timeline, costs, and outline of the risk management plan, methodology, and the process and templates that will be used in the development of the risk management framework.

Step 1: Define risk team

The team will be made up of various staff and stakeholders that will be responsible for the success of the DFS, and will also provide contrasting and complementary backgrounds in order to ensure that the risk management framework covers a comprehensive list and analysis of potential risks and the associated mitigation strategies. The team should comprise members of risk management, DFS channel management, sales and marketing, IT, finance, internal control and compliance departments, management, as well as external experts, consultants, or facilitators.

Table 1: Example of Risk Team (Name and Contact Details columns left blank in the template)
Title | Department
Risk Manager | Agent Banking/Mobile Money
Head of Agent Banking/Mobile Money | Agent Banking/Mobile Money
Distribution Manager | Agent Banking/Mobile Money
Product Manager | Agent Banking/Mobile Money
Head of IT | IT
Marketing Manager | Marketing
Call Centre Manager | Customer Care
Regulatory Officer | Compliance
Finance Manager | Finance
Fraud Investigation Officer | Finance

Step 2: Define roles and responsibilities

The multi-disciplinary project team is primarily responsible for assembling the risk management assessment and framework.
The team will be led by a risk manager, who should ideally also be included in risk assessment and management of other projects to ensure cohesive risk management across the organization. The roles of each team member should be clearly defined and articulated up front in the planning process and recorded in the project plan. The risk manager’s responsibilities include:
• Solicit support from senior management for the risk management framework
• Determine acceptable levels of risk, in consultation with stakeholders
• Develop and approve the risk management plan
• Promote the risk management process
• Facilitate communication
• Approve risk responses when necessary
• Regularly report risk status to management and key stakeholders

Table 2: Example of Risk Team Roles & Responsibilities
Title | Lead or Support
Risk Manager | Lead
Head of Agent Banking/Mobile Money | Lead
Distribution Manager | Support
Product Manager | Support
Head of IT | Support
Marketing Manager | Support
Call Centre Manager | Support
Regulatory Officer | Support
Finance Manager | Support
Fraud Investigation Officer | Support

Step 3: Define timeline and budget for development

The timeline for the risk management framework will be decided on by the planning team and will include start and end dates for each phase, key milestones and deliverables. Timelines should also include agreed intervals for re-evaluation of the risk management framework. It may be necessary to allocate a budget for the development of the risk management framework if it is expected that activities include external data collection, contracting consultants and facilitators, or off-site meeting costs. Budgets may also include contingency funds for potential losses based on the quantitative analysis in the risk assessment phase.

Table 3: Example of Risk Framework Timeline & Budget
Name | Start Date | End Date | Estimated Budget
Risk Identification | Week 1 | Week 8 |
– Publication Review | Week 1 | Week 1 |
– Historical Review | Week 2 | Week 2 |
– Current Assessment | Week 3 | Week 6 | $15,000 for external consultant for technical advisory
– Brainstorming | Week 7 | Week 8 | $6,000 for facilitator
Risk Evaluation | Week 9 | Week 12 |
– Assign probability | Week 9 | Week 10 | $10,000 for external consultant for technical advisory
– Assign impact | Week 9 | Week 10 | $10,000 for external consultant for technical advisory
– Risk prioritization | Week 10 | Week 10 | $10,000 for external consultant for technical advisory
Risk Strategy Development | Week 11 | Week 12 |
– Develop risk treatment strategy | Week 11 | Week 12 | $10,000 for external consultant for technical advisory
– Develop risk tactical response | Week 11 | Week 12 | $10,000 for external consultant for technical advisory
– Define KRIs | Week 11 | Week 12 | $10,000 for external consultant for technical advisory
Risk Framework Management | Week 13 | Week 14 | $10,000 for external consultant for technical advisory
Framework Review | Every 6 months | |

Step 4: Create a plan

Planning the development of the risk management framework will include developing processes, outlines, methodologies, definitions, and templates approved by all members of the risk team.

Process: Describes the process that will be used to carry out the risk management framework development and how it will be integrated into the overall DFS business.

Outline: During the planning process, the planning team will develop an outline of the risk management framework. See page 93 for a checklist for developing a risk management framework.

Methodology: The methodology described in the plan outline will identify means by which to accomplish the qualitative and quantitative risk assessment, evaluation and analysis, risk ranking, and registering in the risk register with associated treatments. The outline of the methodology will also describe the means through which the organization will decide whether to terminate the risk, treat the risk, tolerate the risk, or transfer the risk.

Definitions: The definitions described in the risk management framework will be a glossary of terms for the team to work under common definitions of the risks.

Templates: The outline will include agreed templates that will be used throughout the risk management framework development. Templates should include the risk register as described below, and templates for brainstorming sessions for risk identification, risk analysis, and risk evaluation. The risk management framework template will also be included in the risk management plan outline.

Step 5: Establish Risk Tolerance Levels

During the planning process, the risk team will establish the risk tolerance levels of the institution, both in terms of quantitative levels of losses, as well as qualitative levels of tolerance. Quantitative values of potential losses can be estimated for most risks identified through the risk assessment process described below. The risk team will establish the level of risk tolerance, such that any risk identified with a potential loss above the upper threshold will be required to be avoided or transferred, while if it is below the lower threshold the risk will be accepted. For example, an institution may decide that any risk with a potential impact of less than $10,000 will be accepted, between $10,000 and $100,000 will be mitigated, and above $100,000 will be avoided or transferred.

Financial losses due to fraud should have some level of acceptance, as implementing risk policies to completely eradicate losses would be more expensive than accepting some level of fraud. Once agreed upon, the acceptable level of fraud losses should be budgeted and included in forecasts, and used as a Key Risk Indicator to measure performance. The industry benchmark for manageable fraud losses is seven basis points of total transaction volumes, or 0.07 percent.

The qualitative ranking described below can also be used to set risk tolerance levels, such as those risks identified with a qualitative score of 1 – 5: Accept Risk, 6 – 12: Control Risk and 13 – 25: Avoid or Transfer. There may be other qualitative risk tolerance policies that the institution may wish to institute, such as zero tolerance for illegal activities or regulatory violations.

Section 2: Identify Risks

The process of risk identification aims to determine all knowable risks to the DFS. However, as it is impossible to identify every potential risk, an iterative process should be used to conduct re-assessments on a periodic basis. Risk identification should be done as early as possible in the development of the DFS in order to allow the maximum time possible for development of the risk responses. However, the earlier the identification process is done, the less certainty the organization will have about the expected probability and impact of the risk. The risk identification process can include different methodologies for identification and should include the full spectrum of risks to a DFS as outlined above.

Box 12 Customer-centric Risk Management

The greatest risk to any business strategy is that customers do not adopt the service in the numbers anticipated. Such problems are often associated with poor product design or with a mismatch between customer and agent locations. Customers also seldom close an account. They simply withdraw their funds.
This business risk needs to be understood through appropriate customer engagements, often managed by the call center or through periodic customer interviews that identify the reasons why customers are not using the service, and added to the risk register findings.

Step 1: Research and review industry resources

It is recommended to begin by reviewing publications to identify risks that are applicable and resonate with your institution. There is a wide variety of resources available that are specific to different institution types or to specific DFS risks, such as:
• Risk Management Toolkit, GSMA & Consult Hyperion, 2015 (http://www.gsma.com/mobilefordevelopment/managing-risk-in-mobile-money-a-new-comprehensive-risk-toolkit)
• MMU Managing the Risk of Fraud in Mobile Money, GSMA, 2012 (http://www.gsma.com/mobilefordevelopment/wp-content/uploads/2012/10/2012_MMU_Managing-the-risk-of-fraud-in-mobile-money.pdf)
• Mobile Financial Services Risk Matrix, USAID and Booz Allen Hamilton, 2010 (http://www.gsma.com/mobilefordevelopment/wp-content/uploads/2012/06/mobilefinancialservicesriskmatrix100723.pdf)
• Bank Agents: Risk Management, Mitigation, and Supervision, CGAP, 2011 (http://www.cgap.org/publications/bank-agents-risk-management-mitigation-and-supervision)
• Digital Financial Services Risk Assessment For Microfinance Institutions, A Pocket Guide, AFI, 2014 (https://lextonblog.files.wordpress.com/2014/09/dfs_risk_guide_sept_2014_final.pdf)
• Mobile Financial Services Technology Risks, AFI, 2013 (http://www.afi-global.org/sites/default/files/pdfimages/AFI_MFSWG_guidelinenote_TechRisks.pdf)
• Fraud in Mobile Financial Services, Mudiri, MicroSave, 2012 (http://www.microsave.net/resource/fraud_in_mobile_financial_services#.VmWI9E10xes)
• Risk Management in Mobile Money, Lake, IFC, 2013 (http://www.ifc.org/wps/wcm/connect/37a086804236698d8220ae0dc33b630b/Tool+7.1.+Risk+Management.pdf?MOD=AJPERES)

In addition, a comprehensive list of potential risks is included in the Risk Database section of this publication and can be used for reference.

Step 2: Historical review

The risk identification process will begin with a retrospective view on risk, taking into consideration risks that have been tolerated, treated, or realized throughout other project life cycles, including past product and channel implementations from your own institution or others within the market. The historical review will be done through secondary research of internal risk management documentation, as well as external sources such as industry contacts and the media.

Step 3: Current assessments

The current assessment of the DFS development takes a critical look at the current state of the implementation to understand what risks are most likely to exist. The implementation assessment will include an analysis of the current financial model, product specifications, business model, technology development, regulatory approvals, competitor analysis and market research. Using the risk categories described above, the risk team can start to put together the long list of potential risks. Many risks will start to emerge as the team explores the product definitions, the agent and distribution strategy, agent contracts, technology partner contracts, the local regulatory guidelines, the technology specifications, the operating procedures manuals, the financial projections, market research, or other documents that are available for review. Keeping in mind the risk categories, the team can also be asked to identify all possible risks that they recognize as relevant for their areas of operations. At this stage, it is important to list as many risks as possible, without judging their importance.

Step 4: Brainstorming

To complement the historical and current assessments, creativity techniques can be used for brainstorming sessions that may include external experts or facilitators.

Step 5: Record all risks identified in a risk register

This is the first step in the development of a risk register. All identified risks should be recorded including name, description, and owner, as well as any notes on preliminary responses to the risk that arise during the identification phase. At this stage, the list is meant to be as exhaustive as possible. During the evaluation stage, risks will be ranked and categorized in order to decide on relative importance.

Table 4: Example of the Risk Identification Stage for DFS Strategic Risk
Risk Type: Strategic Risk
Risk Name | Description | Cause | Effect | Owner
The DFS fails to reach sustainability in the designated timeframe | The DFS does not meet revenue and expense targets in the specified timeframe | Poor product offering, poor channel management, poor management of resources, poor forecasting | Results in negative net revenue and return on investment. | Head of Agent Banking/Mobile Money
Provider does not fully understand its target market for DFS. | An incorrect understanding of the customer needs and available resources | Poor strategy development, poor market research, poor consumer testing of the product or channel | Leads to development of inappropriate products and poor uptake and usage | Head of Marketing
Provider does not fully invest in resources required to meet targets. | Staffing for sales support is under-resourced | Long term investment needs of the DFS channel are not understood or appreciated by management and board. | Provider is unable to meet targets for agent acquisition, and thus revenue targets are not achieved and sustainability is not reached. | Head of Sales
Competition | Competitors are gaining market share | Competitors providing superior service or lower prices. | Customers migrate to other providers | Head of Agent Banking/Mobile Money

Section 3: Analyze and Evaluate

Once all risks have been identified, the process of analysis can take place in order to evaluate and prioritize them. Qualitative methods for analysis are the most commonly used, such as developing a scoring and ranking system, as described below:

Qualitative

Qualitative analysis allows you to start ranking the importance of the risks identified, and begins with the evaluation of characteristics and priorities based on pre-qualified metrics defined during the risk planning process. The qualitative analysis builds on the risk identification process to define risk and evaluate causes and impacts. Risks may be categorized based on source or cause, or by impact, in order to facilitate the development of risk responses during the qualitative analysis. The final output of a qualitative analysis will be the definition of the risk, the probability, and the potential impact. For example, the risk of competitors

Step 1: Assign probability and impact

For each risk identified, a qualitative assessment of probability and impact should be performed. Impact is the potential loss if the risk is realized. This could be financial loss, reputational loss, or legal or regulatory penalties. Impact can be measured on a scale of 1-5, 1 being the lowest and 5 being the highest. A measurement of 1 represents a negligible impact, 2 is low, 3 is moderate, 4 is high and 5 is extreme.

Probability is the assumed likelihood that the event will occur. It is also assigned on a scale of 1 – 5, with 1 being a remote possibility, 2 is unlikely, 3 is possible, 4 is likely and 5 is an almost certainty that the event will occur. A risk rating is then quantified by multiplying the ranking assigned to both probability and impact to produce a combined score for a particular risk.

Step 2: Risk analysis

Risk Prioritization

Step 3: Rank risks based on qualitative and quantitative risks

Risks can now be prioritized based on potential impact and probability. Using the qualitative ranking methodology, risks with the highest combined probability and impact score will be ranked highest, and those with the lowest combined score will be ranked lowest. If using the quantitative methodology, those with the highest R-value would be ranked as the highest risk. Ranking of the risks by priority will allow the project team to work towards risk strategies for each risk by working on the most important ones first.

Step 4: Decide which risks are worthy of treatment responses

Using the quantitative scoring, the institution can now decide whether to tolerate, treat, transfer or terminate the risk. Scoring thresholds may be used such as: 1 – 5: Accept Risk, 6 – 12: Control Risk and 13 – 25: Transfer or Avoid.
gaining market share is given a probability of 3 based on the fictitious example of a The risk analysis is written documentation financial institution in highly competitive for the risk register that includes an environment with low barriers to entry, analysis of the causes and effects of the and a potential impact of 3 based on risk; description of why the probability some losses in financial revenue, but not and impact were assigned as such; any complete losses as customer loyalty is high secondary risks; priority; timeframe of for this particular institution. when they might occur; and potential ways to treat. The steps to qualitative analysis are described below: 78 DIGITAL FINANCIAL SERVICES RISK MANAGEMENT Figure 8 Qualitative risk ranking matrix Impact Probability Negligible (1) Low (2) Moderate (3) High (4) Extreme (5) Certain (5) 5 10 15 20 25 Likely (4) 4 8 12 16 20 Possible (3) 2 6 9 12 15 Unlikely (2) 2 4 6 8 10 Remote (1) 1 2 3 4 5 Once the analysis is complete, the risks should be categorized by type or priority, and recorded in the risk register. DIGITAL FINANCIAL SERVICES RISK MANAGEMENT 79 03_FRAMEWORK Table 5: Example of the Risk Evaluation Stage for DFS Strategic Risk Name Description Cause Effect Owner Probability Impact Combined Ranking (1 – 5) (1 – 5) Score The DFS fails to The DFS does not Poor product Results in Head of 2 3 6 #2 reach sustainability meet revenue offering, negative net Agent in the timeframe and expense poor channel revenue and Banking/ designated targets in specified management, return on Mobile timeframe poor investment. Money management of resources, poor forecasting Provider does not An inadequate Poor strategy Leads to Head of 1 2 2 #4 fully understand its understanding development, development of Marketing target market for of the customer poor market inappropriate DFS. 
needs and research, products and available resources consumer testing poor uptake of the product or and usage channel Provider does Staffing for sales Long term Provider is Head of Sales 1 3 3 #3 not fully invest in support is under- investment of unable to resources required resourced DFS channel is meet targets to meet targets. not understood for customer or appreciated acquisition and by management activation, and and board. thus revenue targets are not achieved and sustainability is not reached. Competition Competitors are Competitors Customers Head of 3 3 9 #1 gaining market providing migrate to Agent share superior service other providers Banking/ or lower prices. Mobile Money 80 DIGITAL FINANCIAL SERVICES RISK MANAGEMENT Section 4: Risk Strategies At this stage in the process, all risks cash at the agent’s premises. This risk achievable, agreed-upon, assigned, and should have been assessed and ranked can be transferred through the purchase accepted. At this stage in the process based on probability and impact. Based of theft insurance either on behalf of the it is important to involve any relevant on the risk acceptance thresholds set out agent, or as a requirement for agents to operations resource to ensure that the risk in the planning process, the project team purchase insurance for themselves as part is being tackled from a practical “bottom- will now be able to identify which risks of the agent agreement. up” approach to prevent the creation of will be tolerated, treated, transferred, or inappropriate or unworkable strategies. terminated. Risks with low probability and Step 3: Develop risk treatment Any proposed risk treatment strategy low impact are most likely to be tolerated strategy should meet the following criteria: and no further action is required. 
For those Developing the risk treatment strategy risks that require treatment, transfer, or • Consistent with organizational values, will be one of the largest tasks undertaken termination, a strategy must be developed. the objectives of the DFS business plan, by the risk management project team. and management expectations; Deciding on treatment strategies may Step 1: Develop risk termination require a compromise, since some • Technically feasible; strategy proposed responses may be mutually • The project team or risk owners should Risk termination is done at the highest exclusive or counterproductive. For have the ability and resources to carry levels of combined probability and impact. example, mitigating the risk of excessive out action required; It involves taking actions required to time delays to launch a service could • Achieve balance between reduction of ensure that either the threat cannot occur cost money, thereby creating new risks the risk impact and the ability to meet or it can have no significant effect on the by increasing pressure on the budget. project objectives. project. The spectrum of risk termination Risk treatment strategy development Risk treatment strategies are required to strategies includes a complete cancellation also needs to take a holistic view of all cover all risks exposed. Multiple strategies of the DFS implementation, or changing proposed responses and make sure these can be used to ensure there is no residual the fundamentals of the business strategy, are coherent. exposure as per Figure 6 below. to redefining product specifications or agent management strategies. 
Risk treatment may include policies or actions that will reduce the likelihood or Step 2: Develop risk transfer impact of the specific risk, thus reducing strategy its score to an acceptable range before Risk transfer strategies are applied when the project begins, or an incremental the risk can be transferred to a third party application of the treatment strategy that that is better positioned to address a is implemented as risk becomes greater. particular threat. Agreements are required Risk treatment strategies may also include with a third party that clearly defines response strategies on how to control which party covers the other party’s damage only if and when risk is realized. liabilities. An example of a risk transfer In general, treatment strategies should be strategy relates to robbery of the agent’s appropriate, timely, cost-effective, feasible, DIGITAL FINANCIAL SERVICES RISK MANAGEMENT 81 03_FRAMEWORK Figure 9: Steps involved in developing risk Step 4: Develop risk treatment tactical response mitigation strategies Once the risk treatment strategies have been developed, a tactical, action-oriented response also needs to be developed for each strategy. The tactical responses should be IDENTIFY RISK integrated into DFS documentation such as the business plan or work plans. MANAGEMENT STRATEGIES Step 5: Develop Key Risk Indicator Detection of event occurrence can be conducted through monitoring of Key Risk Indicators associated with each identified risk. The Risk Database section found in the SELECT RESPONSES Tools Chapter of this handbook has examples of appropriate KRIs to be used to measure and detect event occurrence. Acceptable KRI parameters should be developed and agreed No on by management and the risk committee to allow project managers to proceed with escalation procedures if and when flags are triggered by non-performance of KRIs. ALL RISKS ADDRESSED? Parameters and limits should be established by the risk function or board risk committee. 
They are generally a reflection of the risk tolerance of the institution. Yes Step 6: Record risk strategies in register PLAN & RESOURCE ACTIONS Lastly, the risk strategies are to be recorded in the register along with the previously documented information for each risk identified. UPDATE RISK REGISTER REVIEW PREDICTED RESIDUAL EXPOSURE PREDICTED EXPOSURE ACCEPTABLE UPDATE RISK MANAGEMENT FRAMEWORK Source: Project Management Institute: Practice Standard for Project Risk Management 82 DIGITAL FINANCIAL SERVICES RISK MANAGEMENT Table 6: Example of the Risk Strategy Development Stage for DFS Strategic Risk Using the scoring thresholds of: Risk Level 1–5 6 - 12 13 - 25 Action Tolerate Treat Transfer or Terminate For the risk identified in Table 5, risks ranked 3 and 4 can be tolerated as they have a combined score of less than 5. Risks 1 and 2 will require a treatment strategy because they fall in the control threshold of scores between 6 and 12. Strategic Risk #1: Risk Category: Strategic Risk Secondary Category: Financial Risk Name: Competition Description: Competitors are gaining market share Owner: Head of Marketing Cause: Competitors providing superior service or lower prices Effect: Customers migrate to other providers Probability: 3 out of 5 Impact: 3 out of 5 Risk Strategy: Treat Treatment Strategy: • Perform research to understand competitor offering, its strengths and weaknesses • Monitor call center logs for complaints about service levels • Promotions to keep customers engaged and active • Cross-sell other products and services to create customer stickiness Treatment Tactical • Re-evaluate product and channel design, pricing, and commission structures Response: • Conduct market research to further understand market demand and develop renewed value proposition Key Risk Indicator: % Market Share DIGITAL FINANCIAL SERVICES RISK MANAGEMENT 83 03_FRAMEWORK Strategic Risk #2: Risk Category: Strategic Risk Secondary Category: Reputational / Financial Risk Name: 
The DFS fails to reach sustainability in the timeframe designated Description: The DFS does not meet revenue and expense targets, which results in negative net revenue and return on investment Owner: Head of DFS Cause: Poor product or channel design, misunderstanding of market demand and/or competition Effect: Loss of investment Probability: 2 out of 5 Impact: 3 out of 5 Risk Strategy: Treat Treatment Strategy: • Use market research and industry benchmarks to base assumptions • Ensure targets are realistic and aligned with KPIs • Ensure that sufficient resources (people/ funds) assigned to achieve targets • Monitor performance and update strategy as needed Treatment Tactical • Iterate financial model as implementation progresses Response: • Re-evaluate pricing and commission structures • Conduct market research to understand market demand • Perform promotional activity to stimulate uptake Key Risk Indicator: • Net revenue • Active customers • Transactions per customer • Active agents • Customers per agent • Float interest rate 84 DIGITAL FINANCIAL SERVICES RISK MANAGEMENT Section 5: Monitor and Review The effectiveness of the risk management framework depends on how well it is implemented. Implementation includes initiating work on the tactical responses addressed in Section 4, as well as periodic review and reassessment. As the DFS matures and evolves, new risks will appear, and the probability and impact of previously identified risks will change over time. The risk management framework and the risk register are living documents. The project team will decide on reporting and reassessment intervals at the onset of the risk management framework development. It is recommended that risk reporting is conducted quarterly and full reassessment is conducted annually. 
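The scoring, ranking and threshold method of Sections 3 and 4 (probability × impact on 1 – 5 scales, the Figure 8 matrix, the Table 6 thresholds, and KRI flags from Step 5) applied to the four Table 5 risks, as an added example that is not code from the handbook or from IFC. The KRI limits, the observed KRI values and the tie-break rule in the ranking are this example's assumptions; the risks, scores and KRI names come from Tables 5 and 6.

```python
"""Qualitative risk scoring, ranking and KRI monitoring for a DFS risk register."""
from dataclasses import dataclass, field
from typing import Dict, List

# Figure 8 scale labels (probability rows and impact columns).
PROBABILITY_LABELS = {1: "Remote", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Certain"}
IMPACT_LABELS = {1: "Negligible", 2: "Low", 3: "Moderate", 4: "High", 5: "Extreme"}

# Table 6 scoring thresholds as (low, high, action), bounds inclusive.
THRESHOLDS = [(1, 5, "Tolerate"), (6, 12, "Treat"), (13, 25, "Transfer or Terminate")]


@dataclass
class KeyRiskIndicator:
    """A KRI with an agreed limit. 'floor' flags values below the limit, 'ceiling'
    flags values above it; the direction field is an assumption of this example."""
    name: str
    limit: float
    kind: str = "floor"

    def breached(self, observed: float) -> bool:
        if self.kind == "floor":
            return observed < self.limit
        if self.kind == "ceiling":
            return observed > self.limit
        raise ValueError(f"unknown KRI kind {self.kind!r}")


@dataclass
class Risk:
    name: str
    owner: str
    probability: int  # 1-5, Section 3 Step 1
    impact: int       # 1-5, Section 3 Step 1
    kris: List[KeyRiskIndicator] = field(default_factory=list)

    def __post_init__(self) -> None:
        for label, value in (("probability", self.probability), ("impact", self.impact)):
            if value not in range(1, 6):
                raise ValueError(f"{label} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        """Combined score: probability multiplied by impact (1-25)."""
        return self.probability * self.impact

    @property
    def action(self) -> str:
        return action_for_score(self.score)

    def label(self) -> str:
        """Figure 8 wording, e.g. 'Possible (3) x Moderate (3) = 9'."""
        return (f"{PROBABILITY_LABELS[self.probability]} ({self.probability}) x "
                f"{IMPACT_LABELS[self.impact]} ({self.impact}) = {self.score}")


def action_for_score(score: int) -> str:
    """Map a combined score to the Table 6 action."""
    for low, high, action in THRESHOLDS:
        if low <= score <= high:
            return action
    raise ValueError(f"score {score} outside 1-25")


def ranking_matrix() -> List[List[int]]:
    """Figure 8: rows are probability 5..1 (Certain..Remote), columns impact 1..5."""
    return [[p * i for i in range(1, 6)] for p in range(5, 0, -1)]


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest combined score first (Step 3). Ties are broken by impact, then name;
    that tie rule is this example's assumption, the handbook does not give one."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.name))


def register_report(risks: List[Risk]) -> List[tuple]:
    """(rank, name, score, action) rows in priority order, as recorded in the register."""
    return [(n + 1, r.name, r.score, r.action) for n, r in enumerate(rank_risks(risks))]


def breached_kris(risk: Risk, observed: Dict[str, float]) -> List[str]:
    """Names of the risk's KRIs whose observed value crosses the agreed limit: the
    flags that trigger the escalation procedure of Section 4 Step 5."""
    return [k.name for k in risk.kris if k.name in observed and k.breached(observed[k.name])]


# The four Table 5 risks (names shortened). KRIs are those listed for Strategic
# Risk #1 and #2 in Table 6; the limits are constructed for this example.
TABLE_5 = [
    Risk("Competition", "Head of Agent Banking/Mobile Money", 3, 3,
         [KeyRiskIndicator("% Market Share", 20.0)]),
    Risk("DFS fails to reach sustainability", "Head of Agent Banking/Mobile Money", 2, 3,
         [KeyRiskIndicator("Net revenue", 0.0), KeyRiskIndicator("Active customers", 50_000)]),
    Risk("Provider does not fully invest in resources", "Head of Sales", 1, 3),
    Risk("Provider does not fully understand its target market", "Head of Marketing", 1, 2),
]

if __name__ == "__main__":
    for rank, name, score, action in register_report(TABLE_5):
        print(f"#{rank} {name:<52} score {score:2d} -> {action}")
    # Constructed quarterly KRI observations for the monitoring step.
    observed = {"% Market Share": 17.5, "Net revenue": 120.0, "Active customers": 42_000}
    for risk in TABLE_5:
        for flag in breached_kris(risk, observed):
            print(f"KRI flag: '{flag}' breached for '{risk.name}' -> escalate to {risk.owner}")
```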
Step 1: Risk reassessment

In addition to regular review, it may be necessary to conduct a reassessment if one of the following occurs:
• Occurrence of a major or unexpected event;
• A fundamental change to the business plan or DFS management strategy;
• A new type of service is offered via the DFS;
• End of implementation phase.

Step 2: Track risks for period

For each period reported on, each risk will be reported as either:
• Did not occur
• Occurred and contingency plan invoked
• Occurred and impacted project (time, cost, and quality)

In addition to reporting on the existing risk register, it should also be reported if any new or previously unidentified risks have been noted, the effectiveness of the risk strategies, or any changes to the cause and effect of risks within the register. It is also very useful to track the risk profile for key risks over time, as changing circumstances (including the implementation of risk prevention and mitigation strategies) can make the risk of a specific event occurring more or less likely, or change its potential impact.

Summary

In order to successfully implement a DFS strategy, a standardized structure for building a risk management framework is required to support and sustain the operations. The process begins with establishing the context, including building the team and getting full buy-in from management and the board. The most important part of the framework development is the risk identification, evaluation, and treatment strategy development. A broad group of individuals with diverse backgrounds should participate in the risk identification process. Desk reviews, historical reviews, and reviews of current project aspects can all be used to tease out all the possible risks associated with the DFS implementation. Once identified, appropriate and consistent assessment methodologies can be used to assess and rank the priority of the risks identified. Development of treatment strategies includes deciding whether to tolerate, treat, transfer or terminate the risk, and to develop the appropriate strategy to do so. Once completed, the risk management framework can be monitored and reviewed. It is very important that the risk framework is a living document, used to actively report on risk occurrence, as well as reviewed and updated periodically or upon occurrence of a major event.

Part IV: Insights and Tools

Lessons Learned

Most institutions interviewed in our research had some type of risk management framework for their core business that had been extended to DFS. The implications of how DFS change the risk profile, reducing some risks but adding new potential liabilities, are understood by some whilst others are unsure of how to react. There is a growing need for guidance about DFS risk management that is relevant and accessible to all types of providers. Key lessons extracted from our research and discussions with a range of providers are summarized in the following observations.

Most importantly, there is a need for comprehensive risk management frameworks. As DFS around the globe continue to grow and extend the range of services available, they become more vulnerable to unforeseen or new risks. Increased public awareness of services and increased volume and value of transactions may attract attention from unwanted places and people. To protect these new and growing businesses, their customers, and their partners (such as agents), there is a clear need for most DFS providers to improve risk management awareness, approach and implementation. Whilst a minority has developed effective risk treatment strategies, many DFS providers currently have a superficial approach, with little to no risk treatment in place.
Risk registers have been created by some DFS providers, but it is not clear that these are widely used in the running of the business. There generally seems to be limited understanding and awareness¹⁴ of how to implement them. The registers are typically limited to risks that would result in immediate financial losses, such as fraud or technical issues, and do not cover broader and more deeply rooted risks such as strategic risks, reputational risks, cyber risks, partnership risks, or political risks. Their creation is often seen as the end goal (to appease auditors or governance committees) rather than the start of an ongoing process to reduce the risks to the organizations. Finally, they are not often clearly or critically linked to the achievement of objectives.

¹⁴ In preparation for this publication, the IFC interviewed a range of DFS providers, technology providers, NGOs, and other related organizations.

Lesson 1: Technology, strategic, and agent management risks can all lead to reputational risk

If customers cannot access their money when they need it, there is a potential reputational risk that can lead to reduced customer uptake, decreased activity rates, and dormant accounts: all of which will inflict potentially large losses on a provider as it cannot meet targets set out in its business plan. When that happens, there are even more serious repercussions if boards and management lose confidence and reduce budgets or reorient business resources and rely on alternative (non-DFS) strategies to drive customer and revenue growth. Thus, it is of utmost importance that the customer experience is seamless, with superior customer service and competitive pricing. Technology, strategic, and agent management risk all play a role in providing a superior customer service and include:
• Products meet the needs of the customers
• Channel design meets the needs of the customers
• Pricing is competitive
• Accounts can be opened at the agents and ideally accessed by the customer instantly
• Customers can also access their accounts through other channels if required, such as branches and ATMs
• Well-staffed, well-trained call centers
• Multiple customer service points including call centers, as well as email, SMS, roaming sales staff and trained branch staff
• Technology that is always working, i.e. data and voice connectivity is available; software service is available; hardware device is operable; and there are no transaction delays or failures during any point in the communication
• Accurate and timely SMS receipts
• Customers are always refunded for fraudulent activity
• Fees are easy to understand
• Menus are easy to follow
• Agents are always available and liquid
• Agents are well trained to service customers
• Agents are clearly and consistently branded

Lesson 2: Fraud can have a huge impact on reputation

Fraud can cause direct financial losses as a result of unauthorized withdrawal of funds or unauthorized creation of e-money. Moreover, the full impact of fraud can extend further. When made public, fraudulent activity is known to reduce consumer confidence in DFS, as well as core services of the provider such as MNO voice or retail banking businesses. Consumer confidence issues can also spill over to other providers, and affect the market as a whole. For this reason, there have been several major fraud incidents with associated losses which the providers have prevented from becoming public. Others have not kept their losses secret, to the detriment of both their DFS and core business. One institution implemented a mitigation strategy of going to the press first about a case of fraud in the hope that it would minimize the reputational damage, but it was felt that in hindsight this just brought attention to the issue and scared customers. There is still disagreement among providers about the best way to handle large cases of fraud. Because of the potential damage fraud can inflict on the whole DFS market, there is a good case for better industry sharing of experiences and lessons learned. However, the challenge of persuading providers, who are also competitors in DFS and other areas, to cooperate should not be underestimated.

Lesson 3: The utility of the call center

The utility of the call center is wide-reaching, well beyond the primary goal of resolving the needs of customers. Call centers can be used for customer education, customer feedback, and improving the brand value of the institution. Call center operating hours should be extended to evenings and weekends to service high call volume when customers are most likely to be transacting and cannot go to a branch or service center. There should be a process to alert and update call center staff to any system issues so that they can reassure concerned callers. Call centers can also be used for risk management purposes by utilizing call center logs to identify potential risks to the DFS, as well as to monitor key risk indicators. Once issues are raised to a call center, institutions should aim to resolve the majority of them within the first call. Anything longer, or requirements for follow-up calls, will reduce trust in the service and have reputational risks and potential financial losses.

Lesson 4: Poor reconciliation and settlement processes leave institutions open to potential losses

Settlement and reconciliation is a laborious process that can have significant impacts on operational costs as well as reduce customer confidence if transactions end up in suspense accounts for significant periods of time. For example, refunds of debit without disbursement transactions can take up to one week, leaving customers frustrated and cash-poor. Automatic, daily reconciliation is recommended not only to reduce the numbers of suspense transactions, but also as a useful tool in early fraud detection.

Lesson 5: Choose partners carefully, and then hold them accountable

Partners can refer to other providers that collaborate on joint products or services, or vendors that provide technology or agent management services, for example. In the context of joint products, there is a strong strategic risk if there is a high reliance on a single partner; the partner may not have exclusivity agreements, and may be using the partnership to learn and replicate on their own.

All partnerships should be entered only after thorough due diligence and comprehensive discussions on roles and responsibilities. Partnership agreements can be in the form of contracts, memoranda of understanding between providers, or service level agreements with vendors. MOUs and SLAs should clearly define the outputs of each side, fault escalation paths, service availability, costs, payment terms, intellectual property rights, and confidentiality agreements. For the smaller partner the most critical element of such partnerships is protection and clarity in the partnership agreement as to when and how the partners can enter into competition with each other. Well thought out agreements can go a long way in protecting an institution from unanticipated failure to deliver or lack of compliance from partners. However, it is worth noting that agreements cannot always guarantee accountability. If the partner is very big and more powerful, you may not be able to hold it accountable, or if the partner is very small, it may simply not have the capacity to meet the requirements set out in the agreements. In most instances, it is wise to avoid exclusivity. For technical service delivery, multiple channel suppliers should be sought wherever possible.

Conclusions

This handbook provides a guide to the kind of risks that may be encountered in the deployment of a DFS strategy. Many of the case studies point to the overarching importance of strategic risk, the risk that the strategy fails to meet its objectives due to deployment of inappropriate services, poor technology, customer behavior not aligning with initial models, or unanticipated market developments. It is always risky to provide a list of risks, and possibly more so to provide a list of future risks, but a number of trends are already emerging that will probably shape the evolution of risk management in DFS.

• One of the most important risks is linked to the speed of innovation and disruptive change to existing DFS channel strategies which can make a DFS strategy redundant before the technology is fully deployed. The rate of change in technology and platforms is unprecedented. Not only do service providers need to determine what platforms to support, but customer requirements change fast. A bank in Mozambique deployed POS devices in taxis; two years later, Uber was serving the same market in seven of Africa's largest cities with smartphones and direct billing to credit cards.
• With the rapid increase in smartphone usage, more and more DFS deployments will rely on either the customer's or the agent/merchant's smartphone. This should reduce some of the difficulties operators have experienced with managing POS technology and with the limitations of SMS and USSD. Financial institutions wishing to develop a DFS strategy will need to develop the technical knowledge on how to manage such risks.
• In markets such as Kenya where agency banking has been successful, merchants now have a bewildering number of POS devices and phones on which to handle transactions for an increasing number of institutions. It is thus probable that agent banking will evolve from a service in which each bank seeks to enable as many agents as possible to a situation in which any merchant can handle a deposit or withdrawal on a single device for any bank or MNO provided they have signed up to a standard set of rules. This will once again change the competitive dynamics. Some institutions will specialize in agent services, while others will focus on customer services and use the agent banking services provided by others.
• Regulation of DFS enabled services such as mobile money and agent banking is likely to increase and will also change the competitive dynamics. In an increasing number of jurisdictions, regulators are starting to mandate interoperability between payment services including mobile money, as well as preventing providers from signing exclusive arrangements with agents.
• Although cash remains popular in all markets in the world, as electronic transaction costs fall there will be a gradual reduction in the need for cash in/cash out services, which needs to be factored into the DFS strategy. In the long term, as reliance on cash declines, some merchants will see their cash sales decline and will thus be less able to support the cash liquidity requirements of agent banking services.

No DFS provider will be able to escape the risks associated with the implementation of new technology and business models.
The case studies have highlighted, however, how it is possible to manage these new risks in order to achieve business objectives in support of the growth of financial inclusion.

Tools

Risk Management Checklist

Risk architecture
• Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the board
• Risk management responsibilities
• Arrangements are in place to ensure the availability of appropriate competent advice on risks and controls
• Risk aware culture exists within the organisation and actions are in hand to enhance the level of risk maturity
• Sources of risk assurance for the Board have been identified and validated

Risk strategy
• Risk management policy produced that describes risk appetite, risk culture and philosophy
• Key dependencies for success identified, together with the matters that should be avoided
• Business objectives validated and the assumptions underpinning those objectives tested
• Significant risks faced by the organisation identified, together with the critical controls required
• Risk management action plan established that includes the use of key risk indicators, as appropriate
• Necessary resources identified and provided to support the risk management activities

Risk protocols
• Appropriate risk management framework identified and adopted, with modifications as appropriate
• Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
• Procedures to include risk as part of business decision-making established and implemented
• Details of required risk responses recorded, together with arrangements to track risk improvement recommendations
• Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures
• Business continuity plans and disaster recovery plans established and regularly tested
• Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant risks
• Arrangements in place for mandatory reporting on risk, including reports on at least the following:
»» Risk appetite, tolerance and constraints
»» Risk architecture and risk escalation procedures
»» Risk aware culture currently in place
»» Risk assessment arrangements and protocols
»» Significant risks and key risk indicators
»» Critical controls and control weaknesses
»» Sources of assurance available to the Board

Source: Enterprise Risk Management (ERM) and the requirements of ISO 31000, AIRMIC, Alarm, IRM: 2010

Risk Register Template

Risk Category: Choose one of: Strategic, Regulatory, Operational, Technology, Financial, Political, Fraud, Agent Management, Reputational, Partnership
Secondary Categories: Choose one or more of: Strategic, Regulatory, Operational, Technology, Financial, Political, Fraud, Agent Management, Reputational, Partnership
Name: Name of risk
Description: Short description of the risk, which may need to include a brief cause and effect in order to describe it accurately
Owner: Person responsible for monitoring the risk and deploying treatment strategies
Cause: The reason why the event occurs
Effect: The impact the risk has if realized
Probability: The likelihood the risk will occur. Can be ranked on a scale of 1 – 5 or assigned a percentage of 0 – 100%
Impact: The potential losses if the event were to occur. Can be ranked on a scale of 1 – 5 or assigned a value of the actual costs of risk realization
Risk Strategy: Choose one of: Tolerate, Treat, Transfer or Terminate
Treatment Strategy: Policy implication of the institution to control the risk either before, during or after event occurrence
Treatment Tactical Response: Specific actions to be taken in the case of event occurrence
Key Risk Indicator: An early-warning indicator that a risk's adverse effects may be about to occur
Current status: Choose one of: Has not occurred, Occurred and treated, Occurred with impact

Risk Database (15)

Each entry in the risk database has five fields: Risk; Description; Type of Institution; Policy Options & Potential Mitigation Tools; Key Risk Indicators.

Strategic Risk

Risk: The DFS fails to reach sustainability in the timeframe designated.
Description: The DFS does not meet revenue and expense targets and results in negative net revenue and return on investment.
Type of institution: Any
Policy options & potential mitigation tools:
• Use market research and industry benchmarks to base assumptions.
• Iterate financial model as implementation progresses.
• Ensure targets are disseminated and aligned with KPIs.
• Monitor performance and update strategy as needed.
Key risk indicators: Net revenue; Active customers; Transactions per customer; Active agents; Revenue generating transactions; Float interest earned

Risk: Provider does not fully understand its target market for DFS.
Description: An incorrect understanding of the customer leads to development of products and channels not suited for the target customer.
Type of institution: Any
Policy options & potential mitigation tools:
• Use market research to develop product specifications, channel design, and decide on appropriate technology interfaces.
• Monitor customer uptake and activation.
• Use focus group discussions, call center logs and agent feedback to inform DFS design.
• Lessons learned in other markets.
Key risk indicators: Active customers vs. registered customers; Active agents vs. registered agents; Transactions per customer
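The Risk Register Template above is a record layout; the following is an added example (not the handbook's own code) of the same template as a small data structure that validates each entry against the template's allowed values and ranks the register. The scoring rule (probability x impact on the two 1 – 5 scales), the heat bands and the sample rankings are assumptions chosen for illustration; the entry names are taken from the Risk Database.

```python
"""Risk register built on the handbook's Risk Register Template.

Added example, not the handbook's own code. Field names and the allowed
values follow the template; the scoring rule (probability x impact on the
1-5 scales) and the heat bands are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import List

# Allowed values, taken from the template text.
CATEGORIES = {
    "Strategic", "Regulatory", "Operational", "Technology", "Financial",
    "Political", "Fraud", "Agent Management", "Reputational", "Partnership",
}
STRATEGIES = {"Tolerate", "Treat", "Transfer", "Terminate"}
STATUSES = {"Has not occurred", "Occurred and treated", "Occurred with impact"}


@dataclass
class RiskEntry:
    category: str
    name: str
    description: str
    owner: str
    cause: str
    effect: str
    probability: int          # 1-5 ranking, as in the template
    impact: int               # 1-5 ranking, as in the template
    risk_strategy: str        # Tolerate / Treat / Transfer / Terminate
    treatment_strategy: str   # policy-level control (before, during or after the event)
    tactical_response: str    # specific actions if the event occurs
    key_risk_indicator: str   # early-warning indicator to monitor
    current_status: str = "Has not occurred"
    secondary_categories: List[str] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Return the template violations found (an empty list means well-formed)."""
        problems = []
        if self.category not in CATEGORIES:
            problems.append(f"unknown category {self.category!r}")
        for c in self.secondary_categories:
            if c not in CATEGORIES:
                problems.append(f"unknown secondary category {c!r}")
        for label, value in (("probability", self.probability), ("impact", self.impact)):
            if not 1 <= value <= 5:
                problems.append(f"{label} {value} outside 1-5 scale")
        if self.risk_strategy not in STRATEGIES:
            problems.append(f"unknown risk strategy {self.risk_strategy!r}")
        if self.current_status not in STATUSES:
            problems.append(f"unknown status {self.current_status!r}")
        return problems

    def score(self) -> int:
        """Assumed scoring rule: probability x impact, giving 1..25."""
        return self.probability * self.impact


def heat_band(score: int) -> str:
    """Assumed heat-map bands on the 1..25 score."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Well-formed entries sorted by score, highest first; malformed entries are dropped."""
    valid = [e for e in entries if not e.validate()]
    return sorted(valid, key=lambda e: (-e.score(), e.name))


# Constructed sample entries; the names come from the Risk Database, the rankings are invented.
SAMPLE_REGISTER = [
    RiskEntry("Agent Management", "Lack of agent liquidity",
              "Customer cannot cash in or cash out because the agent lacks cash or e-money.",
              "Head of Agent Network", "Float not replenished", "Failed transactions, churn",
              probability=4, impact=3, risk_strategy="Treat",
              treatment_strategy="Super-agents and float alerts",
              tactical_response="Dispatch float rebalancing team",
              key_risk_indicator="Agent e-money balance below floor"),
    RiskEntry("Technology", "Transaction replay by the network",
              "SMS retries are interpreted as repeated transaction requests.",
              "Head of IT", "Carrier retry", "Duplicate transactions",
              probability=2, impact=4, risk_strategy="Treat",
              treatment_strategy="Disable retries; SMS receipts",
              tactical_response="Reverse duplicates, notify customers",
              key_risk_indicator="System reports on duplicate transactions"),
    RiskEntry("Financial", "Failure of trustee bank",
              "Trustee bank becomes insolvent and trust funds are blocked.",
              "CFO", "Bank insolvency", "Customer funds inaccessible",
              probability=1, impact=5, risk_strategy="Transfer",
              treatment_strategy="Diversify deposits across banks",
              tactical_response="Invoke segregation of trust accounts",
              key_risk_indicator="Capital adequacy of trustee bank"),
    RiskEntry("Fraud", "Malformed entry (for the validation check)",
              "x", "x", "x", "x", probability=7, impact=2, risk_strategy="Treat",
              treatment_strategy="x", tactical_response="x", key_risk_indicator="x"),
]
```

Rejecting malformed entries rather than silently scoring them keeps the register consistent with the template: an owner who records a probability of 7 on a 1 – 5 scale gets an error, not a misleading position on the heat map.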
Risk: Provider does not fully invest in resources required to meet targets.
Description: Staffing and marketing are under-resourced and the provider is unable to meet targets for customer acquisition and activation.
Type of institution: Any
Policy options & potential mitigation tools:
• Ensure adequate resources are allocated upfront for staffing and marketing based on industry benchmarks and local costs of staff and marketing activities.
• Commit resources throughout the period until sustainability is achieved or the strategy is revised.
Key risk indicators: Staff costs, actual and as a % of total costs; Marketing costs, actual and as a % of total costs

Risk: De-prioritization of DFS products or channels.
Description: Poor performance leads to de-prioritization of DFS and the organization reorients around competing priorities.
Type of institution: Any
Policy options & potential mitigation tools:
• Resolve the main issues within the DFS department (e.g. technological, reputational, or operational risks).
• Execute market research to identify customer needs vs. the service being offered.
Key risk indicators: Net revenue; Active customers; Active agents

Risk: Competition.
Description: Competitors are gaining market share due to superior service or lower prices.
Type of institution: Any
Policy options & potential mitigation tools:
• Improve service quality through agents and call center.
• Re-evaluate pricing and commission structures.
• Re-evaluate product features.
Key risk indicators: Market share of active customers; Market share of transactions

15 Authors' own as well as sourced from: Mobile Financial Services Risk Matrix, USAID, 2010; Fraud in Mobile Financial Services, Mudiri, MicroSave; Mobile Financial Services Technology Risks, Alliance for Financial Inclusion (AFI), 2013; Risk Management in Mobile Money: Observed Risks and Proposed Mitigants for Mobile Money Operators, Lake, IFC, 2013; Digital Financial Services Risk Assessment for Microfinance Institutions: A Pocket Guide, The Digital Financial Services Working Group, 2014; Risk Management Case Studies, Fidelity Bank, Kopo Kopo, FINCA DRC and Tigo Tanzania, IFC & Genesis, 2015

Risk: Customer cannibalization.
Description: Branches and agents poaching each other's banking customers to meet their own KPIs.
Type of institution: Bank or MFI
Policy options & potential mitigation tools:
• Develop joint KPIs to prevent silo operations.
Key risk indicators: Customers served through agents vs. branches; Services offered through agents vs. branches

Risk: Competitive threat from partner.
Description: Partner is directly competing with the provider to acquire merchants, agents or customers, resulting in slower growth rates or loss of customers.
Type of institution: Any
Policy options & potential mitigation tools:
• MOUs with partners to define exclusivity and ownership of the customer.
• Provide quality service to customers and agents.
• Diversify dependence on partner by using multiple partners.
• Marketing and awareness campaigns.
• Market research for additional differentiators and product innovations.
• Develop joint marketing strategies.
Key risk indicators: Market share of active customers; Market share of transactions

Risk: Lack of network interoperability prevents customer from transacting with the desired party.
Description: Closed loop networks with no capability to transfer funds between account holders of different account providers' payment networks due to lack of interoperability.
Type of institution: Any
Policy options & potential mitigation tools:
• Integrate to other providers and allow customers to move funds between parties and perform off-net transactions.
Key risk indicators: P2P transaction volume; Overall transaction volumes

Risk: Interoperability increases churn.
Description: Developing interoperable systems with partners may lead to loss of core business customers, as they no longer need to be your customer to access your services.
Type of institution: Any, but mainly MNOs
Policy options & potential mitigation tools:
• Monitor transactions during pilot phase for trends in cash movement and customer behavior.
• Joint marketing campaigns.
• Incentives to drive customer retention.
Key risk indicators: Market share of active customers; Market share of transactions; Customer activity

Risk: Key person risk.
Description: Management, founders, or board members leave the organization, which has a direct impact on sustainability or leads to de-prioritization of the DFS.
Type of institution: Any
Policy options & potential mitigation tools:
• Deploy team approach to projects.
• For each position, have a substitute in waiting.
• Ensure sharing of learning and information.
Key risk indicators: Net revenue; Total budgets vs. project expenses

Financial Risk

Risk: Provider loses customer funds due to failure of trustee bank.
Description: The trustee bank becomes insolvent; trust accounts that are not legally segregated from the general pool of bank assets available to satisfy creditors may be pulled into the bankruptcy process, with access blocked.
Type of institution: MNO
Policy options & potential mitigation tools:
• Identify trustee bank through adequate due diligence to ascertain its financial stability.
• Trust funds holding the value of items in transit are legally segregated from the trustee's own assets in bankruptcy.
• Trust accounts are divisible and transferable.
• Diversification of deposits into multiple banks.
Key risk indicators: Capital adequacy of trustee bank; ROE & ROA of trustee bank

Risk: Asset – liability matching.
Description: DFS customers may be more likely to deposit small, short term deposits compared to other bank customers, meaning that the provider is less able to intermediate funds into longer term, more profitable revenue sources.
Type of institution: Banks, MFIs
Policy options & potential mitigation tools:
• Diversify the service to add savings capabilities as well as short term lending.
• Incentivize long term deposits through interest bearing accounts.
Key risk indicators: Average account balance; Number of cash in and cash out transactions per month per customer
Risk: Credit risk of customers.
Description: On account of the new distribution structure, the clients may feel a diminished obligation to repay loans as they no longer have a direct relationship with the provider.
Type of institution: Banks, MFIs
Policy options & potential mitigation tools:
• Closely monitor customer behavior patterns.
• Develop systems to alert loan officers when loans are not repaid on time.
• Incentivize agents to collect loan repayments, similar to incentive structures for loan officers.
Key risk indicators: Portfolio at Risk

Risk: Credit risk of agents and merchants.
Description: Non-repayment of loans given to agents or merchants.
Type of institution: Any
Policy options & potential mitigation tools:
• Develop credit risk policies, loan due diligence procedures, and diversify credit risk.
• Implement loan loss provisions based on portfolio aging.
• Use algorithms for validating loan approvals and monitoring ongoing loan performance.
Key risk indicators: Portfolio at Risk

Risk: Foreign Exchange Risk.
Description: Local currency devaluation increases costs and devalues assets.
Type of institution: Any
Policy options & potential mitigation tools:
• Hedge borrowings in foreign currency.
Key risk indicators: FX rates

Risk: Settlement risk.
Description: The risk that one party fails to deliver funds to another party at the time of settlement.
Type of institution: Any
Policy options & potential mitigation tools:
• Use real time gross settlement systems for bank transfers.
• For MNOs, bilateral agreements to control for settlement.
Key risk indicators: Number of transactions in suspense accounts; Time it takes to reconcile and settle transactions in suspense accounts

Technology Risk

Risk: Breach of customer or agent account.
Description: Customer or agent account is breached and access is gained to security credentials, account information, or transaction history, which could result in loss of funds, processing of illicit transactions, or identity theft. Customer account information could be improperly accessed through: SMS history; poor encryption of WAP; cross-site scripting of USSD sessions; unauthorized access or usage by provider staff or agents.
Type of institution: Any
Policy options & potential mitigation tools:
• Institute controls to reduce the likelihood of unauthorized release, or theft, of personal information through encryption, two-factor authentication, and tiered user rights.
Key risk indicators: Algorithms for detecting suspicious behavior; Call center escalation logs

Risk: Customer cannot access account due to lack of system availability and/or transaction failure.
Description: Customer cannot access account through application or agent because: the mobile network is not available; the provider's system is experiencing temporary system downtime; system upgrades are in progress.
Type of institution: Any
Policy options & potential mitigation tools:
• The provider should test end-to-end transaction availability on a periodic basis.
• All transaction interfaces to be defined with clear completion boundaries, allowing clear rollback procedures in the event of uncertainty.
• Service level agreements with system providers and partners, and penalties for non-conformance.
• Agreed escalation processes to resolve issues.
• Use USSD as a fallback to 3G-enabled POS to reduce reliance on data connectivity.
Key risk indicators: End-to-end transaction success rate

Risk: Malware.
Description: Viruses, Trojans, or worms infect files, gain remote access, or install malicious software to steal data, conduct unauthorized transactions, or block authorized usage.
Type of institution: Any
Policy options & potential mitigation tools:
• Use a combination of anti-virus software, firewalls, intrusion detection systems, proxy servers, web content and email attachment filters, and data encryption techniques.
• Develop procedures for staff, agents and customers to report suspicious activity.
Key risk indicators: Reported successful attacks on the service

Risk: Transaction replay by the network.
Description: MNOs often have automatic retry requests to deliver an SMS to a destination if it is not successful on the first try. When used in mobile money transactions, some systems can interpret these as multiple transaction requests.
Type of institution: Any using SMS applications
Policy options & potential mitigation tools:
• Disable retry requests.
• Use SMS receipts for transactions so that customers can monitor whether there are duplicates.
Key risk indicators: System reports on duplicate transactions

Risk: Transaction delays.
Description: System lags may cause transaction delays or delay the receipt of SMS receipts.
Type of institution: Any
Policy options & potential mitigation tools:
• Limit the system's ability to retry transactions.
• Educate agents and customers to do balance checks if they do not receive an SMS receipt immediately.
Key risk indicators: Complaints of duplicate transactions; Calls to customer care about SMS not received

Risk: Hardware failure.
Description: POS devices fail due to poor construction or inability to connect to software.
Type of institution: Bank, MFI, or PSP
Policy options & potential mitigation tools:
• Service level agreement with hardware providers including penalties for non-conformance.
• Maintenance agreement with hardware provider.
Key risk indicators: Transaction failure rate; POS failure rate

Risk: Loss of data.
Description: Breakdown of primary storage and backup facility (including cloud-based systems) resulting in loss of transaction records.
Type of institution: Any
Policy options & potential mitigation tools:
• Provide separate mirrored databases to record all transactions in real time.
• Export transaction information to storage regularly.
Key risk indicators: Transaction records lost

Risk: Hosting environment failure.
Description: System is not available because of technical issues with the DFS hosting environment.
Type of institution: Any
Policy options & potential mitigation tools:
• Regular technical & financial audit of hosting environment and vendor.
• Use of service level agreements with hosting organization/storage vendor.
• Use of cloud-watch software to monitor health of cloud provider.
• Documented procedures for service failure and disaster recovery.
Key risk indicators: System availability; Number of outages; Time taken to recover from outages

Regulatory Risk

Risk: Potential customers do not have ID or other KYC requirements.
Description: When initially registering for an account, the customer is unable to provide ID.
Type of institution: Any
Policy options & potential mitigation tools:
• Customer education campaigns to acquire ID and KYC requirements before account registration.
• Regulatory lobbying to allow for reduced requirements and/or ID substitutes.
Key risk indicators: Customer awareness vs. customer registration; Agent feedback on customers refused registration

Risk: Transaction taxes.
Description: Governments decide to tax transaction fees in order to increase revenue, which could negatively impact customer demand.
Type of institution: Any
Policy options & potential mitigation tools:
• Lobby government and opinion formers to prevent taxation.
• Potentially lower fees (i.e. pay all or part of the tax on behalf of customers).
Key risk indicators: Sharp or unexplained reduction in transactions

Risk: Agent does not adequately KYC customer.
Description: Agents may not fully comply with KYC requirements as commissions are designed to incentivize account opening and performing transactions.
Type of institution: Any
Policy options & potential mitigation tools:
• Agent education.
• Align incentives to properly registered customers only.
• Where regulations allow, open tier one accounts with reduced KYC until full information can be collected.
• Mystery shopping.
• Penalties for non-compliance.
Key risk indicators: Percentage of customer registrations rejected by DFS provider

Risk: Changes in regulations.
Description: Regulator changes laws so that they are no longer conducive to DFS operations, or prevents providers from obtaining licenses.
Type of institution: Any
Policy options & potential mitigation tools:
• Build alignment and communication channels with regulators.
Key risk indicators: Formal communication of impending regulatory changes; Complaints from regulator of non-compliance

Risk: Lack of compliance.
Description: Provider does not comply with applicable laws and regulations, resulting in fines, regulatory intervention and ultimately loss of license.
Type of institution: Any
Policy options & potential mitigation tools:
• Compliance department ensures full compliance with regulatory laws.
• Monitor any plans to change applicable regulations and provide feedback to the regulator.
• Ensure the system is upgraded to comply with any planned changes to regulation.
Key risk indicators: Internal audit reports, external audit management letter; Regulator compliance

Political Risk

Risk: Inability to access accounts or conduct transactions.
Description: Post-election violence, civil unrest, war, or terrorist activity disrupt normal business operations.
Type of institution: Any
Policy options & potential mitigation tools:
• Service disruption plan developed for agents and staff.
• Business Continuity plans.
• Communication plan.
Key risk indicators: Report number of hours or days without service; Compare downtime with key competitors

Agent Risk

Risk: Lack of agent availability.
Description: Customers cannot access funds or conduct transactions due to a lack of agents in their vicinity, or existing agents are inaccessible due to excessive queues.
Type of institution: Any
Policy options & potential mitigation tools:
• Conduct agent recruitment campaigns in the vicinity of overburdened active agents.
• Ensure agent density coverage is adequate.
Key risk indicators: Number of customers per agent; Agent activity; Customer activity rates

Risk: Lack of agent liquidity.
Description: Customer cannot perform cash out or cash in transaction because the agent does not have sufficient cash on hand or e-money.
Type of institution: Any
Policy options & potential mitigation tools:
• Use of agents and super-agents for liquidity.
• Use call center logs to identify problem agents and work with them to resolve liquidity issues.
• Roll out agents in conjunction with customer registration to ensure adequate incentives to manage customer needs.
• Reports to identify agents that are not meeting liquidity requirements.
• Manual/automated alerts to agents when their e-money float is running low.
• Pre-fund agent capital requirements through loans or lending institution partnerships.
• Mystery shopping and good agent management.
Key risk indicators: Monitor agent e-money balances; Number of customer complaints about cash liquidity

Risk: Agent robbery.
Description: Agent is robbed.
Type of institution: Any
Policy options & potential mitigation tools:
• Require/recommend that agents purchase theft insurance.
• Educate agents not to keep excessive amounts of cash on the premises.
• Carry out background checks of potential agent employees, or suggest that agents do so.
• Agents to conduct daily reconciliations of transactions, float, and account balances.
• Require agent proximity to police.
• Physical cash security through safes, secured booths, etc.
Key risk indicators: Track and document agent robbery by area, time of day, nature of theft
Risk: Agent inactivity.
Description: Provider fails to properly identify, train and manage agents and/or there are insufficient customers to keep agents active.
Type of institution: Any
Policy options & potential mitigation tools:
• Roll out agents in conjunction with customer sign up.
• Monitor agent activity rates and increase education and monitoring for poor performing agents.
• Systems to flag and report early detection of inactive agents.
• Cease business with consistently inactive agents.
• Review incentive and pricing structures to ensure appropriateness.
Key risk indicators: Agent activity rate

Risk: Agent error.
Description: Data capture errors, key stroke errors, typos etc. made by the agent or staff that result in inaccurate registrations or transactions.
Type of institution: Any
Policy options & potential mitigation tools:
• Provide phone number look up to verify account name during transaction processing.
• Potentially require entry of key data twice to confirm.
• Agent training for owner/operator and agent staff.
• Agent call center for reversals and inquiries.
• Back-office processing unit to verify KYC details.
Key risk indicators: Transaction reversal rate; Account registration rejection

Risk: Agent solvency risk.
Description: The inability of an agent to honor his/her liabilities, resulting in insolvency and closure.
Type of institution: Any
Policy options & potential mitigation tools:
• Agent due diligence to select only reputable and stable agents.
• Process to remove DFS branding and hardware from failing agent premises.
Key risk indicators: Agent closure rate

Risk: Poor quality customer experience at agents.
Description: Agent staff who serve customers may not have been trained by the provider and have a poor understanding of the service.
Type of institution: Any
Policy options & potential mitigation tools:
• Regular re-training for agent and all staff.
• Agent call center for inquiries.
• Mystery shopping and good agent management.
Key risk indicators: Customer activity rate; Customer complaints
Risk: Agent branding.
Description: Inconsistent agent branding due to removal by agent/other merchandisers, or inability to place branding due to presence of other branding materials.
Type of institution: Any
Policy options & potential mitigation tools:
• Make sure there is a contractual arrangement with agents to have a minimum branding standard at all agent outlets.
• Sales support to check branding and availability of other materials during regular visits.
• Mystery shopping.
Key risk indicators: Records of non-compliance made by agent managers

Risk: Agent business case.
Description: Risk that agents may not have enough customers or commissions to sustain operations.
Type of institution: Any
Policy options & potential mitigation tools:
• Well-structured agent incentives.
• Strategic rollout of agents with adequate customers and territory.
• Agent commission for account sign up to drive customer penetration.
• Agent support through agent officers, call centers and training.
Key risk indicators: Agent activity rate

Fraud Risk

Customer defrauded by outside party

Risk: Stolen identity.
Description: Customer identity is stolen and used to open an account or conduct fraudulent transactions.
Type of institution: Any
Policy options & potential mitigation tools:
• Consider use of biometric devices to reduce fraud.
• Adoption of policies and procedures to enhance fraud detection.
• Utilize PINs and conduct customer education on PIN protection.
• Good policies on PIN resets to deter fraudulent activity.
• Rapid collection of original documentation from the agent or account opening staff. Ideally get electronic documentation that can be transmitted to the provider immediately.
• Vetting agents for character during the appointment process.
Key risk indicators: Records of non-compliance made by agent managers

Risk: Impersonation of provider or agent.
Description: An individual poses as a provider employee or agent and accepts deposits or gains unauthorized access to customer accounts to conduct fraudulent activities.
Type of institution: Any
Policy options & potential mitigation tools:
• Educate customers to receive SMS confirmation before they hand over cash.
• Customer education campaigns to identify valid agents and keep PIN secret.
• Call centers for customer complaints.
• Clear customer escalation and feedback process to report fraud cases and trigger market sensitization of the fraud.
• Daily reconciliations of payments and receipts against internal systems.
• Clear and consistent agent branding.
Key risk indicators: Records of non-compliance made by agent managers

Risk: Phishing.
Description: Fraudsters pose as official representatives of agents or providers to gain access to agents' or customers' PINs, account capabilities, transaction records, or account balances.
Type of institution: Any
Policy options & potential mitigation tools:
• Minimize information reported on transaction reports to only what is absolutely necessary.
• Request customers to report any threats and fraud occurrences to law enforcement authorities.
• Awareness campaigns to educate agents and customers on account security and keeping PIN etc. secret.
• Develop clear procedures and guidelines for identification, communication and management of fraud.
Key risk indicators: Records of non-compliance made by agent managers

Risk: SIM swaps.
Description: A customer's (or agent's) SIM card is swapped for a new one without authorization. The holder of the SIM card can then access the customer's account and transact without their knowledge.
Type of institution: Any using mobile devices
Policy options & potential mitigation tools:
• Document a clear SIM swap process which limits the people/organizations that can carry out SIM swaps and establishes time limits between the time that the SIM swap is carried out and the time it is implemented.
• Keep track of swaps carried out through reports.
Key risk indicators: Records of non-compliance made by agent managers

Risk: Voucher fraud.
Description: Vouchers and transaction codes that are generated to enable payments to merchants for pre-defined goods or for cash out are stolen and used without authorization.
Type of institution: Any
Policy options & potential mitigation tools:
• Develop clear processes that define generation of vouchers, expiry periods and notifications on expiry.
• Vouchers should not be visible to anyone except the recipient; when misplaced, the recipient can notify the business and get fresh ones re-issued directly.
• Preferably, in the case of unregistered customers, they must be required to register before they access funds.
Key risk indicators: Customer complaints

Customer defrauded by agent

Risk: Unauthorized fees.
Description: Agent may overcharge or charge an additional unauthorized cash fee to the consumer.
Type of institution: Any
Policy options & potential mitigation tools:
• Providers use clear contracts that fully disclose all fees to be charged, tailored for various customer situations, including different languages and illiteracy.
• Service charges clearly posted at each agent's location.
• Disclosures reasonably comprehensible to all customer groups.
Key risk indicators: Customer complaints

Risk: Agent receives cash from client but fails to perform transaction.
Description: Agent receives funds from a service user but misdirects the funds to the agent's own benefit.
Type of institution: Any
Policy options & potential mitigation tools:
• Customer education campaigns to verify the transaction has occurred before leaving the agent premises.
• Utilize call centers for customer complaints.
• Policies and procedures for agent misuse of customer funds, including penalties and closure of agent.
Key risk indicators: Customer complaints

Risk: Agent pays out cash that proves to be counterfeit.
Description: Agent may use cash out payments to distribute counterfeit currency, or may pay out counterfeit currency received from customers without realizing it is counterfeit.
Type of institution: Any
Policy options & potential mitigation tools:
• Require agents to use counterfeit detectors to ensure they don't erroneously collect counterfeit funds. Make tools available to customers at agent shops.
• Customer education campaigns.
• Policies and procedures for agent misuse of customer funds, including penalties and closure of agent.
Key risk indicators: Customer complaints

Risk: Unauthorized access to customers' PIN.
Description: Agent accesses customer PIN and uses it to withdraw funds. Due to poor customer literacy, the customer may share the PIN with agents willingly.
Type of institution: Any
Policy options & potential mitigation tools:
• Develop a comprehensive due diligence process for the recruitment of agents to minimize recruitment of agents with poor reputation or those likely to commit fraud.
• Carry out periodic and planned consumer and market awareness on PIN security, discouraging PIN sharing. Ensure that relevant campaign documentation is also in all outlets.
• Customer education to change their PINs when they receive them and keep them confidential.
• Customer education on how to perform transactions securely.
Key risk indicators: Customer complaints

Risk: Split withdrawals.
Description: Agents force customers to split withdrawals into a number of smaller transactions in order to trigger higher customer fees and higher agent commission fees.
Type of institution: Any
Policy options & potential mitigation tools:
• Use data analytics tools to flag suspicious transactions.
• Develop a comprehensive due diligence process for the recruitment of agents to minimize recruitment of agents with poor reputation or those likely to commit fraud.
• Carry out mystery shopping activities and channel audits.
• Policies and procedures for agent misuse of customer funds, including penalties and closure of agent.
Key risk indicators: Duplicate transactions; Customer complaints

Customer defrauded by provider internal staff

Risk: Employees link wrong mobile numbers to bank accounts.
Description: Collusion between employees and fraudsters to link fraudsters' mobile numbers to the customers' accounts, facilitating withdrawal of funds from the customers' accounts.
Type of institution: Any
Policy options & potential mitigation tools:
• Maintain separate accounts for receipts and disbursements to limit the exposure of clients to fraud.
• For accounts linked to wallets, ensure that customers sign authorization for account linkage.
• Use SMS receipts to notify customers of linkages.
• Bank audit of linked accounts.
Key risk indicators: Customer complaints

Risk: Illegal reversal of customer payments / transfers.
Description: Employees collude with the paying party and illegally reverse customer payments.
Type of institution: Any
Policy options & potential mitigation tools:
• Use SMS receipts to notify customers of transactions.
• Ensure maker/checker procedures for all reversals.
• Create reports to monitor suspicious customer and staff behavior.
Key risk indicators: Suspicious activity reports; Customer complaints

Risk: Illegal transfers from mobile accounts.
Description: Illegal transfers by employees from customer accounts to fake accounts or accounts of fraudsters.
Type of institution: Any
Policy options & potential mitigation tools:
• Use SMS receipts to notify customers of transactions.
• Ensure maker/checker procedures for all reversals.
• Create reports to monitor suspicious customer and staff behavior.
Key risk indicators: Suspicious activity reports; Customer complaints

Agent defrauded by customer

Risk: Agent takes in cash that proves to be counterfeit.
Description: Counterfeiter manufactures false notes, deposits them to an account at an agent and then withdraws valid currency from another agent.
Type of institution: Any
Policy options & potential mitigation tools:
• Agents use counterfeit detection tools.
• Agent education.
• Agent call center.
• Mystery shopping and good agent management.
Key risk indicators: Agent complaints

Risk: Unauthorized access of agent's device.
Description: Customers access the agent's transaction tools to conduct fraudulent transactions.
Type of institution: Any
Policy options & potential mitigation tools:
• Require agents to keep a separate business handset and SIM card if mobiles are being used, and practice good handset management practices.
• Restrict device SIM cards to only performing DFS related activities.
• Limit calls to the transaction device to originate from a few pre-authorized numbers of the provider.
• Agent call center to report fraud.
• To enable online transactions, use two-factor authentication.
• Each agent staff member should have a unique login and password. Should employees be terminated, their passwords should be disabled.
Key risk indicators: Agent complaints

Risk: Customer requests reversal of valid transaction.
Description: Customer requests cash out. Customer then denies receipt and requests the provider to reverse the transaction.
Type of institution: Any
Policy options & potential mitigation tools:
• A clear process to manage repudiation and ensure that the interests of all parties involved are taken care of.
• Transaction can be reversed, denied or put into suspense until an investigation is completed.
• Agent education to report suspicious customer behavior.
Key risk indicators: High levels of recipients refusing to allow reversals
| Risk | Description | Type of Institution | Policy Options & Potential Mitigation Tools | Key Risk Indicators |
|---|---|---|---|---|
| Agent defrauded by internal staff | | | | |
| Provider employee defrauds agent | A provider employee uses unauthorized access to agent accounts in order to manipulate balances or conduct transactions to their own benefit. | Any | Carry out background checks of potential provider employees. Limit staff access to agent accounts. Use SMS receipts for agent transactions. Train agents on keeping PIN/login details secret. | Agent complaints |
| Instant commission fraud | For commission models that pay instant commission, business owners find it difficult to reconcile commissions earned as they become mixed up with other transactions. Employees take advantage of this mix-up to defraud their employers. | Any | Provide digital information to facilitate agent reconciliation of transactions, cash and electronic float. Aggregate commission payments to agents for payment after a scheduled period of time, preferably monthly. A report should be generated periodically specifying commission earned, the mode of payment and any reference number for the payment. | Agent complaints |
| Agent officer defrauds agents | Agents give their PINs away to the provider staff, giving them full access to the agent's float account. | Any | Educate agents to keep PINs confidential. Agent officers must ideally only have role-based rights and not login rights to access funds at the agent device. | Agent complaints |
| Agent defrauded by master agent | | | | |
| Unauthorized withdrawal of agent funds or commission | Master agents carry out unauthorized withdrawals of funds from sub-agents' accounts or deduct commission. | Any | Detailed contracts and guidelines for operation of master agents regarding obligations, staffing, and requirements for sub-agent recruitment. Implement guidelines on commission sharing between master agents and sub-agents. Provide sub-agents with adequate feedback forums, including hotlines, email addresses, and sub-agent forums to receive feedback. Detailed agent commission statements for agent reconciliation. | Agent complaints |
| Provider defrauded by customer | | | | |
| Erroneous disbursements | Customers receive erroneous deposits of funds and withdraw the funds and close accounts before the funds can be frozen and returned. | Any | Organizations must develop a clear process for disbursement of funds to minimize errors. Comprehensive process that covers identification, monitoring, communication and management of fraud. Daily reconciliations of payments and receipts against internal systems. | Customer complaints |
| Provider defrauded by agent | | | | |
| Split deposits | Agents split deposits into a number of smaller transactions in order to generate higher commissions at the cost of the provider. | Any | Use data analytics tools to flag suspicious transactions. Develop a comprehensive due diligence process for the recruitment of agents to minimize recruitment of agents with a poor reputation or those likely to commit fraud. Carry out mystery shopping activities and practice good agent management. Education of agents. Call center for customers to report suspicious activity. Enforcement of penalties for agent mismanagement and closure of agents. | Suspicious transaction reports |
| Direct deposits | Agents deposit funds directly to a recipient's account (instead of to the customer's account followed by the customer conducting a P2P transaction) in order to bypass transaction fees. | Any | Carry out consumer education campaigns to create awareness about these types of fraud. Analyze and review agent commission structures regularly to detect any anomalies and address them. Mystery shopping to detect instances of agent willingness to commit fraud. Use GSM network data to identify the location of customer and agent to ensure that the transaction is being conducted at the same location. | Suspicious transaction reports |
| Registration of fake accounts | Agents register fake accounts or customers without full KYC documentation in order to earn commission. | Any | Customer registration commission to be split between registration and first transaction. Back-office processing and compliance departments verify KYC. Commission paid on fully KYC'd accounts only. | Account registration rejection rates |
| Provider defrauded by outside party | | | | |
| Hacking | An outside party hacks into the system to gain access to provider accounts to perform fraudulent transactions or to steal data. | Any | Firewalls, encryption, role-based access rights, etc. Daily account reconciliation. | IT audit results |
| Provider defrauded by internal staff | | | | |
| Ghost accounts | An employee uses unauthorized access to create fake accounts with fake deposits. Collusion with fraudsters allows them to withdraw funds from an agent. | Any | Daily account reconciliation. Staff vetting and training. Adequate policies and procedures to investigate suspicious activity. | Internal audit; IT audit results |
| Operational Risk | | | | |
| Reconciliation and account variances | The risk that the actual value in trust accounts is different from the amount reflected in the system. Risk that off-net transactions (e.g. ATM withdrawal, bill payment) are not reconciled with internal accounts. | Any | For MNOs, system integration into bank accounts so all changes to the main bank account are reflected automatically. Use separate accounts for business revenue and commission disbursement. End-of-day variance reports managed and signed off by appropriate business management. Robust system authority approver and checker function. Daily reconciliation at provider and agent. Robust internal policies and procedures for reconciliation of transactions in suspense accounts. | % of transactions in suspense accounts; % end-of-day variance |
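The "Provider defrauded by agent" rows above recommend data analytics to flag split deposits and GSM location data to catch direct deposits made on someone else's behalf. The following screening routine is an added example, not from the handbook or any provider's system; the tiered commission schedule, record fields, window, thresholds and sample records are all constructed assumptions.

```python
"""Screening of agent cash-in records for the two 'Provider defrauded by agent'
patterns above: split deposits, and direct deposits made for someone who is
not present.  Added example, not from the handbook; the commission schedule,
field names, thresholds and records are all constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tiered cash-in commission schedule: (upper bound of tier, commission
# the agent earns per transaction).  Small deposits pay proportionally more,
# which is what makes splitting one deposit into several profitable.
COMMISSION_TIERS = [(500, 10), (2000, 20), (10000, 40), (float("inf"), 60)]

# Constructed sample records.  agent_cell / customer_cell stand for the GSM
# cell serving each party's handset at the time of the transaction.
CASH_INS = [
    {"id": "T1", "time": "2016-03-01 09:00", "agent": "A17", "customer": "C001",
     "amount": 450, "agent_cell": "CELL-22", "customer_cell": "CELL-22"},
    {"id": "T2", "time": "2016-03-01 09:04", "agent": "A17", "customer": "C001",
     "amount": 480, "agent_cell": "CELL-22", "customer_cell": "CELL-22"},
    {"id": "T3", "time": "2016-03-01 09:07", "agent": "A17", "customer": "C001",
     "amount": 470, "agent_cell": "CELL-22", "customer_cell": "CELL-22"},
    {"id": "T4", "time": "2016-03-01 10:30", "agent": "A17", "customer": "C002",
     "amount": 3000, "agent_cell": "CELL-22", "customer_cell": "CELL-22"},
    {"id": "T5", "time": "2016-03-01 11:15", "agent": "A09", "customer": "C003",
     "amount": 1200, "agent_cell": "CELL-05", "customer_cell": "CELL-81"},
    {"id": "T6", "time": "2016-03-01 15:00", "agent": "A17", "customer": "C001",
     "amount": 200, "agent_cell": "CELL-22", "customer_cell": "CELL-22"},
]


def commission(amount):
    """Commission one cash-in earns under the assumed tier schedule."""
    for upper, fee in COMMISSION_TIERS:
        if amount <= upper:
            return fee
    raise ValueError("amount outside schedule")


def _ts(record):
    return datetime.strptime(record["time"], "%Y-%m-%d %H:%M")


def find_split_deposits(txns, window_minutes=30, min_count=3):
    """Flag runs of cash-ins by one agent for one customer inside a short
    window, the footprint left when one deposit is split into several.  Each
    finding reports the commission actually paid against what a single merged
    deposit would have paid, i.e. the provider's excess cost."""
    by_pair = defaultdict(list)
    for t in txns:
        by_pair[(t["agent"], t["customer"])].append(t)
    findings = []
    for (agent, customer), recs in by_pair.items():
        recs.sort(key=_ts)
        run = []
        for rec in recs + [None]:  # trailing None closes the last run
            in_window = rec is not None and (
                not run or _ts(rec) - _ts(run[0]) <= timedelta(minutes=window_minutes))
            if in_window:
                run.append(rec)
                continue
            if len(run) >= min_count:
                total = sum(r["amount"] for r in run)
                paid = sum(commission(r["amount"]) for r in run)
                findings.append({"agent": agent, "customer": customer,
                                 "txn_ids": [r["id"] for r in run], "total": total,
                                 "commission_paid": paid,
                                 "commission_if_merged": commission(total),
                                 "excess_commission": paid - commission(total)})
            run = [rec] if rec is not None else []
    return findings


def find_location_mismatches(txns):
    """Flag cash-ins where the customer's handset is not on the same cell as the
    agent: the credited account holder is not at the counter, which is what a
    direct deposit on a third party's behalf looks like.  A mismatch is a lead
    for review (handset off, roaming), not proof."""
    return [t["id"] for t in txns if t["agent_cell"] != t["customer_cell"]]
```

Run against the constructed records, the first routine flags T1 to T3 (1,400 deposited in three small-tier pieces, 30 paid against 20 for one deposit) and the second flags T5 only.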
| Risk | Description | Type of Institution | Policy Options & Potential Mitigation Tools | Key Risk Indicators |
|---|---|---|---|---|
| Customer is unable to dispute a transaction or account charge | Customers are not able to resolve disputes with an account provider, and recourse to a government body or regulatory authority to arbitrate disputes is weak or non-existent. | Any | Efficient dispute resolution processes. Call centers are adequately staffed and trained, with clear escalation policies for issue resolution. Clear, published service standards. | Call center resolution rates |
| Lost card or mobile phone | Customer is unable to transact due to a lost debit card or SIM card. | Any | Card replacement policies. Call center for reporting and issue resolution. Agent training to provide first-level customer service. | Card replacement rates; PIN reset rates |
| Lack of operational manuals and business processes | Operating manuals are incomplete, lack the exception processes and are not regularly updated, resulting in poor operating procedures being followed. | Any | Review the operating manual against the list of procedures being undertaken. Add any missing procedures, update existing procedures as required, and add the exception use cases to all. Ensure that relevant departments sign off each process. Create process checklists and ensure all processes have been documented, updated if required and circulated to relevant staff. | Internal Audit; Risk & Compliance reviews; Time taken to resolve disputes |
| Lack of operational audits | Current operational procedures are not optimized with regard to reconciliation and revenue processing. | Any | A risk audit needs to be performed to identify issues and ensure operational efficiency and integrity. | Internal Audit; Risk and Compliance reviews |
| PIN resets | Lengthy or complicated PIN resetting procedures create a poor customer experience. | Any | Efficient policies for PIN reset procedures. | Time taken to resolve PIN resets |
| Debit without disbursement (DWD) | An ATM debits a customer's account but does not dispense the corresponding cash, causing delays in reimbursement to the customer. | Any using ATM-enabled cards | Deepen relationships with interbank settlement systems for off-net transactions. Improve operational procedures for resolutions. Increase human resources dedicated to dispute resolution. Upgrade ATMs. | Number of incidents |
| Lack of internal controls, internal reporting and data monitoring | No procedures to monitor agent, employee or customer activity. Potential non-compliance with regulatory requirements. | Any | Implement internal controls to monitor entity and transaction activity through internal reporting and data monitoring. | Internal Audit; Risk & Compliance reviews |
| Reconciliation processes | Lack of effective reconciliation procedures, creating backlogs. | Any | Have clearly defined, efficient reconciliation processes that are ideally automated. | % of unreconciled amounts; Time taken to reconcile |
| Data input errors | Data input errors, typos and keystroke errors by back-office provider staff. | Any | Use maker and checker functions to perform tasks. Segregation of duties. | Reconciliation controls; Internal Audit |
| Partnership Risk | | | | |
| Relationship difficulties between the owners of the service, leading to service outage (for example in collaborations between FIs, MNOs, vendors and/or other service providers) | Significant relationship difficulty within the provider consortium results in service unavailability for customers. | Any | Detailed MOU with roles, responsibilities and a clearly defined value proposition for each player in the partnership. Clear contractual arrangements for service continuity during disputes. | Internal audit results; IT audit results |
| Unreliability of partners | Partners do not meet the expectations and deliverables of agreements. | Any | Conduct due diligence on partners. Use performance guarantee contracts where payment is made upon sign-off. Invoke non-conformance penalties. | Internal audit scope results |
| Partner systems are down | Partner system downtime disrupts service. | Any | Inform agents/customers via SMS when there are system downtimes, as appropriate. Make customer support lines available. Use SLAs with partners to guarantee service uptime and apply non-conformance penalties. Develop back-up partners to spread the risk. | IT audit results |
| Reputational Risk | | | | |
| Fraud | Widespread fraud deters customer trust and creates reputational risk for the provider and the market as a whole. | Any | Limit fraud exposure. Proactive, prudent communications strategy for managing fraud exposure. | Fraud losses |
| Transaction failures | Transaction failures impact confidence in the organization, and reduce client activity and retention. | Any | Improve technology / performance. Impose SLAs on vendors and partners. Customer education and marketing campaigns. | Transaction failure rates |
| MNO connectivity | Agents located in low-connectivity areas disrupt customers' access to services, leaving customers frustrated and reducing trust in the provider. | Bank, MFI & PSP | Develop better relationships with the MNOs to enhance service quality. Use dual-SIM devices with the two strongest MNOs in each particular area. | Volume of transactions in specific geographies |
| Poor customer experience | Poor customer support, untimely resolution of incidents, inability to contact the provider. | Any | Incident resolution process and escalation matrix in place. Well-resourced customer care department. | Time to answer calls; % of calls unanswered; Call resolution rate |
| Brand risk from partnerships | Failure of partners to add value to the provider's brand, or even diminishing the brand based on poor reputation or quality of service. | Any | Customer communication and advertising campaign to develop the brand. Develop multiple partnerships to reduce the impact of any one relationship. | Press reports on partner brands |

Glossary

| Term | Definition |
|---|---|
| Agent | A person or business contracted to process transactions for users. The most important of these are cash in and cash out (that is, loading value into the mobile money system, and then converting it back out again); in many instances, agents register new customers too. Agents usually earn commissions for performing these services. They also often provide front-line customer service, such as teaching new users how to complete transactions on their phones. Typically, agents will conduct other kinds of business in addition to mobile money. Agents will sometimes be limited by regulation, but small-scale traders, microfinance institutions, chain stores, and bank branches serve as agents in some markets. Some industry participants prefer the terms 'merchant' or 'retailer' to avoid certain legal connotations of the term 'agent' as it is used in other industries. (GSMA, 2014) |
| Agent banking | Banking services, often limited, carried out by an agent. |
| Alternative Delivery Channels (ADC) | Channels that expand the reach of financial services beyond the traditional branch. These include ATMs, Internet banking, mobile banking, e-wallets, some card/POS device services, and extension services. |
| Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) | AML/CFT are legal controls applied to the financial sector to help prevent, detect, and report money-laundering activities. AML/CFT controls include maximum amounts that can be held in an account or transferred between accounts in any one transaction, or in any given day. They also include mandatory financial reporting of KYC for all transactions in excess of $10,000, including declaring the source of funds, as well as the reason for transfer. |
| Automatic Teller Machine (ATM) | An electronic telecommunications device that enables the customers of a financial institution to perform financial transactions without the need for a human cashier, clerk, or bank teller. ATMs identify customers via either a magnetic or chip-based card, with authentication occurring after the customer inputs a PIN. Most ATMs are connected to interbank networks to enable customers to access machines that do not directly belong to their bank, although some closed-loop systems also exist. ATMs are connected to a host or ATM controller using a modem, leased line or ADSL. |
| Application Program Interface (API) | A method of specifying a software component in terms of its operations by defining a set of functionalities that are independent of their respective implementation. APIs are used for real-time integration to the CBS/MIS, and specify how two different systems can communicate with each other through the exchange of 'messages'. Several different types of APIs exist, including those based on the Web, TCP communication, direct integration to a database, and proprietary APIs written for specific systems. |
| Call center | A centralized office used for the purpose of receiving or transmitting a large volume of requests by telephone. As well as handling customer complaints and queries, it can also be used as an alternative delivery channel to improve outreach and attract new customers via various promotional campaigns. |
| Channel | The customer's access point to a financial service provider, namely who or what the customer interacts with to access a financial service or product. |
| Digital Financial Services (DFS) | The use of digital means to offer financial services. Encompasses all mobile, card, POS, and e-commerce offerings delivered to customers via agent networks. |
| Electronic banking | The provision of banking products and services through electronic delivery channels. |
| Enterprise Risk Management (ERM) | The process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings. |
| e-money | Short for 'electronic money', it is stored value held in accounts such as e-wallets or on cards. Typically, the total value of e-money issued is matched by funds held in one or more bank accounts, usually held in trust, so that even if the provider of the e-wallet service were to fail, users could recover the full value stored in their accounts. |
| E-wallets | An e-money account belonging to a DFS customer and accessed via mobile phone. |
| Financial Institution (FI) | A provider of financial services, including credit unions, banks, non-banking financial institutions, microfinance institutions, and mobile financial services providers. |
| ISO 31000 | ISO guidelines established for the implementation of Enterprise Risk Management (ERM). |
| Key Risk Indicator (KRI) | A Key Risk Indicator is a measure used to indicate how risky an activity is. It differs from a Key Performance Indicator (KPI) in that the latter is meant as a measure of how well something is being done, while the former indicates how damaging something may be if it occurs and how likely it is that it will occur. |
| Know Your Customer (KYC) | Rules related to AML/CFT that compel providers to carry out procedures to identify a customer and that assess the value of the information for detecting, monitoring, and reporting suspicious activities. |
| Master Agent | A person or business that purchases e-money from a DFS provider wholesale and then resells it to agents, who in turn sell it to users. (Unlike a super-agent, master agents are responsible for managing the cash and electronic-value liquidity requirements of a particular group of agents.) |
| Merchant | A person or business that provides goods or services to a customer in exchange for payment. |
| Microfinance Institution (MFI) | A financial institution specializing in banking services for low-income groups, small-scale businesses, or individuals. |
| Mobile banking | The use of a mobile phone to access conventional banking services. This covers both transactional and non-transactional services, such as viewing financial information and executing financial transactions. Sometimes called 'm-banking'. |
| Mobile money service / mobile financial service (MFS) | A DFS that is provided by issuing virtual accounts against a single pooled bank account as e-wallets, which are accessed using a mobile phone. Most mobile money providers are MNOs or PSPs. |
| Mobile Network Operator (MNO) | A company that has a government-issued license to provide telecommunications services through mobile devices. |
| Point of Sale (POS) | Electronic device used to process card payments at the point at which a customer makes a payment to the merchant in exchange for goods and services. The POS device is a hardware (fixed or mobile) device that runs software to facilitate the transaction. Originally customized devices or PCs, but increasingly including mobile phones, smartphones, and tablets. |
| Risk Assessment | The process of identification, evaluation, and mitigation strategy development of risks. |
| Risk Management Framework | A comprehensive set of policies aimed at reducing the impact of risks associated with DFS. The framework is a culmination of all planning and assessment processes and includes the risk register as its main body and working document. |
| Risk Register (Risk Matrix) | The central database of identified risks, along with their descriptions, causes, effects, and policies, whether to tolerate, treat, transfer, or terminate. |
| Short Message Service (SMS) | A 'store and forward' communication channel that involves the use of the telecom network and SMPP protocol to send a limited amount of text between phones or between phones and servers. |
| Smartphone | A mobile phone that has the processing capacity to perform many of the functions of a computer, typically having a relatively large screen and an operating system capable of running a complex set of applications with Internet access. In addition to digital voice service, smartphones provide text messaging, e-mail, web browsing, still and video cameras, an MP3 player, and video playback with embedded data transfer/GPS capabilities. |
| Super-Agent | A business, sometimes a bank, which purchases electronic money from a DFS provider wholesale and then resells it to agents, who in turn sell it to users. |
| Unstructured Supplementary Service Data (USSD) | A protocol used by GSM mobile devices to communicate with the service provider's computers/network. This channel is supported by all GSM handsets, enabling an interactive session consisting of a two-way exchange of messages based on a defined application menu. |

References

1. Risk Management Toolkit, GSMA & Consult Hyperion, 2015 (http://www.gsma.com/mobilefordevelopment/managing-risk-in-mobile-money-a-new-comprehensive-risk-toolkit)
2. MMU Managing the Risk of Fraud in Mobile Money, GSMA, 2012 (http://www.gsma.com/mobilefordevelopment/wp-content/uploads/2012/10/2012_MMU_Managing-the-risk-of-fraud-in-mobile-money.pdf)
3. Mobile Financial Services Risk Matrix, USAID and Booz Allen Hamilton, 2010 (http://www.gsma.com/mobilefordevelopment/wp-content/uploads/2012/06/mobilefinancialservicesriskmatrix100723.pdf)
4. Bank Agents: Risk Management, Mitigation, and Supervision, CGAP, 2011 (http://www.cgap.org/publications/bank-agents-risk-management-mitigation-and-supervision)
5. Digital Financial Services Risk Assessment For Microfinance Institutions, A Pocket Guide, AFI, 2014 (https://lextonblog.files.wordpress.com/2014/09/dfs_risk_guide_sept_2014_final.pdf)
6. Mobile Financial Services Technology Risks, AFI, 2013 (http://www.afi-global.org/sites/default/files/pdfimages/AFI_MFSWG_guidelinenote_TechRisks.pdf)
7. Fraud in Mobile Financial Services, Mudiri, Microsave, 2012 (http://www.microsave.net/resource/fraud_in_mobile_financial_services#.VmWI9E10xes)
8. Risk Management in Mobile Money, Lake, IFC, 2013 (http://www.ifc.org/wps/wcm/connect/37a086804236698d8220ae0dc33b630b/Tool+7.1.+Risk+Management.pdf?MOD=AJPERES)
9. Enterprise Risk Management (ERM) and the requirements of ISO 31000, AIRMIC, Alarm, IRM, 2010 (https://www.theirm.org/media/886062/ISO3100_doc.pdf)

Lesley Denyes

Lesley is a Digital Financial Services Specialist with the IFC who has worked in the sector for over fifteen years, specifically in the areas of business modelling, financial analysis, mobile banking, strategic planning, product development and channel management in Asia and Sub-Saharan Africa. Lesley has worked with commercial banks, mobile network operators, payment service providers, research institutes, mobile app developers, NGOs, and consulting companies to reach low-income households through technology and branchless banking. She is based in Toronto, Canada, and has a BSc in Quantitative Economics from Dalhousie University, Canada, and an MBA from Edinburgh Business School, UK.

Susie Lonie

Susie spent three years in Kenya creating and operationalizing the M-PESA mobile payments service, after which she facilitated its launch in several other markets including Tanzania, South Africa and India. In 2010 Susie was the co-winner of "The Economist Innovation Award for Social and Economic Innovation" for her work on M-PESA. She became an independent DFS consultant in 2011 and works with banks, MNOs, and other clients on all aspects of providing financial services to the unbanked in emerging markets, including mobile money, agent banking, international money transfers, and interoperability. Susie works on DFS strategy, financial evaluation, product design and functional requirements, operations, agent management, risk assessment, research evaluation, and sales and marketing. Her degrees are in Chemical Engineering from Edinburgh and Manchester, UK.

The Partnership for Financial Inclusion

The Partnership for Financial Inclusion is a $37.4 million joint initiative of IFC and The MasterCard Foundation to expand microfinance and advance digital financial services in Sub-Saharan Africa. The Partnership is also supported by the Bill & Melinda Gates Foundation and the Development Bank of Austria (OeEB, Oesterreichische Entwicklungsbank AG). It works with microfinance institutions, banks, mobile network operators and payment service providers across the continent to test and evaluate innovative business models for financial inclusion. The program has a strong knowledge-sharing component. This handbook is the second in a series of handbooks on how to successfully implement digital financial services, and one of many knowledge publications of the Partnership. For further information and to access all reports, please visit www.ifc.org/financialinclusionafrica

About IFC

IFC, a member of the World Bank Group, is the largest global development institution focused on the private sector in emerging markets. Working with more than 2,000 businesses worldwide, we use our capital, expertise, and influence to create opportunity where it's needed most. In FY15, our long-term investments in developing countries rose to nearly $18 billion, helping the private sector play an essential role in the global effort to end extreme poverty and boost shared prosperity. For more information, visit www.ifc.org

About The MasterCard Foundation

The MasterCard Foundation works with visionary organizations to provide greater access to education, skills training and financial services for people living in poverty, primarily in Africa. As one of the largest independent foundations, its work is guided by its mission to advance learning and promote financial inclusion to alleviate poverty. Based in Toronto, Canada, its independence was established by MasterCard when the Foundation was created in 2006. For more information and to sign up for the Foundation's newsletter, please visit www.mastercardfdn.org.

CONTACT DETAILS

Anna Koblanck
IFC, Sub-Saharan Africa
akoblanck@ifc.org
www.ifc.org/financialinclusionafrica

2016