Register to comment and receive news in your inboxRegister or Log in

Fighting payment fraud is a shared responsibility

As payment fraud remains an area of concern for South African businesses, there is debate about what more can be done to tackle the problem and whose responsibility it is. There are layers of complexity that make what appears to be a deceptively easy question to answer much more nuanced. Businesses, banks, as well as individuals all have a role to play, says Ryan Mer, CEO of eftsure Africa, a Know Your Payee™ (KYP) platform provider. “Banks have, in general, implemented decent security measures when it comes to accessing bank accounts and initiating payments, such as two-factor authentication. There are also systems in place to flag suspicious transactions.”

But several challenges often thwart these systems, he says. “Banks are dealing with the challenge of legacy systems in a constantly changing dynamic business landscape. Not only do banks have a responsibility to pick up fraudulent transactions, but they also have to ensure that robust KYC and KYB processes and identity checks are followed when accounts are opened.”

Ryan Mer – CEO at eftsure Africa

The problem is certainly also not unique to South Africa; it’s global. “One of the biggest challenges is that account numbers are not matched with names when a payment is made. So, fraudsters can use a legitimate name with an incorrect account number, and the funds would go to the specified account number. It’s very difficult for a bank to protect against this when the person making the payment uses incorrect details. It’s akin to handing over goods to someone claiming to be from a courier company without verifying their identity. If those goods are lost or stolen, you would have a very hard time claiming from an insurance company. There is a shared responsibility for security.”

And it’s not as straightforward as setting up checks that match names and account numbers, because a person can link an account to their own name or to a registered business entity but still trade under a different name.

At the same time, he says, banks do have a responsibility to check suspicious activity in an account, such as a sudden large transaction in an otherwise near-dormant account. “Identity theft is also a big challenge that needs to be addressed. At this stage, it’s very possible for a criminal to copy legitimate documents and open an account using those documents. A payment could then be made to the correct name even if a bank were to match names and account numbers, but still go to a fraudulent account.”

There are some solutions available to businesses who wish to safeguard themselves, such as banks’ account verification services. But these processes are still manual because someone has to request the verification every time a payment is made, with a fee charged every time. This means that even businesses that do these checks tend to do them only once – leaving future payments at risk.

“Currently, it is still possible to stop incorrect payments between different banks if a mistake is spotted soon enough, because of the delay in that transfer. But instant payments would mean that as soon as a payment clears one account, it would be too late to stop it – and you can bet those fraudsters will be taking advantage of that,” says Mer.

Businesses also have a crucial role to play by having the right internal controls in place to combat payment fraud. “In the same way that banks carry out KYC checks, organisations should take their own KYB checks seriously. If you are doing business with another company, you have every right to ask them for their company documentation to do an internal verification that the company exists. There should be strict internal mechanisms that ensure a business is dealing with a legitimate entity at the point of onboarding them as a supplier, and that approval processes are consistent enough to make it very difficult for payment fraud to happen at all,” explains Mer.

He adds that leaving the full responsibility for verification checks and KYC as the sole responsibility of banks is a massive risk simply not worth taking. “It’s essential that an organisation’s accounts payable team has measures in place to verify account names with numbers, and that there’s collaborative oversight between a business’s procurement and accounts payable teams.”

Automatic account verification systems, such as those offered by eftsure, give users the ability to run account verification on every single line item before payment – as well as safeguard incoming payments.