Fraud and Risk Management Policy
· This document has been created by Sec2pay India Pvt. Ltd. No part of this document may be distributed, reproduced, or used in any way except as authorized by the specific consent of Sec2pay India Pvt. Ltd. The copyright and the foregoing restrictions extend to copies in all media.
· At Sec2pay, with advances in IT, a growing number of payment transactions have moved to digital channels like mobile banking and payment cards. Fraudsters have followed customers into this space. However, the response to frauds in these areas needs improvement, so that the entire onus is not placed on the customer. There is also a lack of clarity among organizations on the reporting of these cases as frauds. A need is therefore felt for an industry-wide framework on fraud governance with particular emphasis on tackling digital channel-based frauds. This note sets out the challenges and suggests a framework that can be applied across organizations to address the digital fraud menace effectively.
· It would be useful to recall the definition of fraud at this stage: ‘A deliberate act of omission or commission by any person, carried out in the course of a banking transaction or in the books of account maintained manually or under a computer system in the regulated entities, resulting in wrongful gain to any person for a temporary period or otherwise, with or without any monetary loss to the bank’. This definition was recommended in para 9.1 of the Report of the Study Group on Large Value Bank Frauds set up by the Reserve Bank of India in 1997. It follows that, like other bank frauds, various IT-related frauds need to be captured by the fraud reporting system, and organizations should take adequate steps to mitigate such risks.
· Responsibilities and Organizational Structure for Fraud and Risk Management for the Banks and Other Select Financial Institutions
· Governance and Management of Fraud Risks
· Sec2pay has incorporated suitable processes into its governance and risk management programmes for identifying, analysing, monitoring, and managing risks, including compliance risk and fraud risk, associated with its portfolio of digital payment products and services on a continuous basis and in a holistic manner. Sec2pay shall periodically conduct risk assessments with regard to the security and safety of digital payment products and the associated processes and services, as well as their suitability and appropriateness for the target users, both prior to establishing the services and regularly thereafter, taking the ‘Fraud Risk’ into account.
· General Guidelines Laid Down by RBI & Sec2pay Adherence
· The Reserve Bank of India requires the Chairman and Managing Directors/Chief Executive Officers (CMD/CEOs) to provide focus on the "Fraud Prevention and Management Function" to enable, among other things, effective investigation of fraud cases and prompt as well as accurate reporting to the appropriate regulatory and law enforcement authorities, including the Reserve Bank of India itself. Sec2pay follows this closely and ensures that the focus of Senior Management is indeed on effective investigation and reporting to the responsible authorities.
· The fraud management, fraud monitoring, and fraud investigation functions are jointly owned by the CEO, the Audit Committee of the Board and the Special Committee of the Board.
· The policy for the fraud risk management and fraud investigation function, based on the governance standards relating to ownership of the function and accountability resting on a defined and dedicated organizational set-up and operating processes, has been established and put in place by the Board of Sec2pay.
· Fraud Classification by The Reserve Bank of India
· In order to have uniformity in reporting, frauds have been classified by the RBI as under, based mainly on the provisions of the Indian Penal Code:
- Unauthorized credit facilities extended for reward or for illegal gratification
- Criminal breach of trust and misappropriation, Forgery and Cheating.
- Fraudulent Transactions related to foreign exchange
- Fraudulent encashment through forged instruments, manipulation of books of account or through fictitious accounts and conversion of property
- Any other type of fraud not coming under the specific heads as above
· In regard to the cases above, transactions resulting from negligence and fraudulent foreign exchange transactions involving irregularities or violation of regulations shall also be reported by Sec2pay as fraud if the intention to cheat or defraud is suspected or proved.
· Reporting of Frauds to the Reserve Bank of India
· As required, Sec2pay shall submit fraud reports in cases where the central investigating agencies have initiated criminal proceedings suo motu and/or where the Reserve Bank has directed that such cases be reported as frauds. If required, Sec2pay shall furnish the Fraud Monitoring Return (FMR) in individual fraud cases, irrespective of the amount involved, to RBI as mandated within three weeks from the date of detection.
· Sec2pay shall also report frauds perpetrated in its subsidiaries and affiliates or joint ventures in the prescribed FMR format. Where the subsidiary, affiliate or joint venture is an entity regulated by the Reserve Bank of India and is independently required to report cases of fraud to RBI in terms of the guidelines applicable to that subsidiary/affiliate/joint venture, Sec2pay shall not be required to furnish the FMR statement in respect of fraud cases detected at such subsidiary/affiliate/joint venture.
· In addition to the FMR, if required Sec2pay shall furnish a Flash Report (FR) for frauds involving amounts of ₹50 million and above within a week of such frauds coming to the notice of Sec2pay’s Head of Risk & Compliance, as advised. The FR would, inter alia, include the amount involved, nature of fraud, modus operandi in brief, names of parties involved, their constitution, names of proprietors/partners and directors, names of officials involved, and the lodging of a complaint with the authorities. Further, Sec2pay shall also furnish reports on the fraud case through the FMR Update application as required.
· Submission of Reports To The Board.
· Sec2pay shall ensure that all frauds of ₹0.1 million and above are reported to its Board promptly on their detection. Such reports should, among other things, take note of the failure on the part of the officials and controlling authorities concerned, and give details of the action initiated against the officials responsible for the fraud.
· Quarterly Review of Frauds
· The information relating to frauds for the quarters ending June, September, and December is to be placed before the Audit Committee of the Board of Directors of Sec2pay during the month following the quarter to which it pertains, if any.
· This shall be accompanied by supplementary material analysing statistical information and details of each fraud, so that the Audit Committee of the Board of Sec2pay has adequate material to contribute in regard to the punitive or preventive aspects of frauds.
· A separate review for the quarter ending March shall not be required in view of the Annual Review for the year ending March prescribed in the paragraph below.
· Review of Frauds Annually.
· Sec2pay shall conduct an annual review of the frauds and place a note before the Board of Directors/Local Advisory Board for information, if any. The reviews for the year ended March are to be put up to the Board before the end of the next quarter, i.e. the quarter ended June 30th.
· The main aspects that shall be taken into account while making such a review shall, inter alia, include the following:
- Whether the systems in Sec2pay are adequate to detect frauds, once they have taken place, within the shortest possible time.
- Whether frauds are examined from the staff’s perspective
- Whether deterrent punishment is meted out, wherever warranted, to the persons found responsible.
- Whether frauds, if any, have taken place because of laxity in following the systems and procedures and, if so, whether effective action has been taken to ensure that the systems and procedures are scrupulously followed by the staff concerned.
- Whether frauds are reported to the authorities, as the case may be, for investigation, as per the guidelines issued in this regard.
· The annual reviews by Sec2pay shall also, among other things, include the following details:
- The total number of frauds detected during the year and the amount involved as compared to the previous two years;
- Modus operandi of major frauds reported during the year along with their present position;
- Detailed analysis of frauds of ₹0.1 million and above;
- Estimated loss to Sec2pay during the year on account of frauds, amount recovered and provisions made;
- Analysis of frauds according to different categories and also the different business areas;
- Number of cases (with amounts) where Sec2pay’s staff were involved and the action taken against them;
- Time taken to detect frauds (number of cases detected within three months, six months and one year of their taking place);
- Position with regard to frauds reported to the authorities;
- Number of frauds where final action has been taken by Sec2pay and cases disposed of;
- Preventive/punitive steps taken by Sec2pay during the year to reduce or minimize the occurrence of frauds.
· Sec2pay shall place a copy of the circular on modus operandi of fraud, issued by it for alerting its teams on specific frauds, before the Audit Committee of the Board (ACB) in its periodical meetings.
· A special committee of the Board
· While the Audit Committee of the Board (ACB) of Sec2pay shall monitor all cases of fraud in general, Sec2pay shall also constitute a Special Committee of the Board for monitoring and follow-up of cases of fraud (SCBF) involving amounts of ₹10 million and above exclusively. The Special Committee shall be constituted with three (3) members, including one (1) from the Board of Directors, one (1) member from the ACB and the legal advisor. The periodicity of the meetings of the Special Committee may be decided according to the number of cases involved. In addition, the Committee has to meet and review as and when a fraud involving a sum of ₹10 million and above comes to light.
· The major functions of the Special Committee shall be to monitor and review all frauds of ₹10 million and above so as to:
- Identify the systemic lacunae, if any, that facilitated perpetration of the fraud and put in place measures to plug the same;
- Identify the reasons for delay, if any, in detection and in reporting to top management;
- Monitor progress of the investigation by the authorities and the recovery position;
- Ensure that staff accountability is examined at all levels in all cases of fraud and that staff-side action, if required, is completed quickly without loss of time;
- Review the efficacy of the remedial action taken to prevent recurrence of frauds, such as strengthening of internal controls.
· Cases of Attempted Fraud
· Sec2pay shall not be required to report cases of attempted fraud of ₹10 million and above to the Reserve Bank of India. However, Sec2pay shall continue to place the report on individual cases of attempted fraud involving an amount of ₹10 million and above before the Audit Committee of its Board. The report should cover the following:
- The modus operandi of the attempted fraud.
- How the attempt did not materialize into fraud or how the attempt failed/was foiled.
- The measures taken by Sec2pay to strengthen the existing systems and controls.
- New systems and controls put in place in the area where fraud was attempted.
· Further, a consolidated review of such cases detected during the year, containing information such as the area of operations where such attempts were made, the effectiveness of new processes and procedures put in place during the year, such cases during the last three years, the need for further changes in processes and procedures, if any, etc. as on March 31 every year shall be put up to the ACB within three months of the end of the relative year.
· Closure of Fraud Cases
· If so directed, Sec2pay shall report to RBI the details of fraud cases of ₹0.1 million and above that have been closed, along with the reasons for the closure, after completing the process given below.
· Sec2pay shall close cases where the actions stated below are complete:
- The fraud cases pending with authorities/Court are finally disposed of.
- The examination of staff accountability has been completed.
- The amount of fraud has been recovered or written off.
- The insurance claim, wherever applicable, has been settled.
- Sec2pay has reviewed the systems and procedures, identified the causative factors and plugged the lacunae, and this fact has been certified by the appropriate authority (Board / Audit Committee of the Board of Sec2pay).
- Sec2pay shall also pursue vigorously with the law enforcement authorities for final disposal of pending fraud cases, especially where Sec2pay has completed the staff-side action, if warranted.
- Sec2pay may also, at its discretion, for limited statistical/reporting purposes, close those fraud cases involving amounts up to ₹2.5 million, where:
- The investigation is ongoing or the challan/charge sheet has not been filed in the Court for more than three years from the date of filing of the First Information Report (FIR) by the law enforcement authorities, or
- The trial in the courts, after filing of the charge sheet/challan by the law enforcement authorities, has not started or is in progress.
- Sec2pay shall follow the guidelines relating to seeking prior approval from RBI for closure of such cases and to follow-up of such cases after closure, as stated below:
- Sec2pay shall submit its proposal, case-wise, for closure to RBI. The cases may be closed after getting the approval of RBI.
- Sec2pay shall maintain the record of details of such cases in a separate ledger. Even after closure of the fraud cases for limited statistical purposes, Sec2pay shall diligently follow up with the investigating law enforcement authorities to ensure that the investigation process is taken to its logical conclusion. Sec2pay shall continue to ensure that it is regularly and appropriately represented in the court proceedings as and when required. All the relevant records pertaining to such cases should be preserved until the cases are finally disposed of by the authorities or Courts, as the case may be.
- Notwithstanding the fact that Sec2pay may close cases of fraud even when the law enforcement investigation is in progress or cases are pending in a court of law, Sec2pay shall complete, within the prescribed time, the process of examination of staff accountability or conclude staff-side actions.
- For closing frauds of Rs 0.1 million and above, Sec2pay, guided by the points mentioned above, has to submit its closure proposals to the RBI. In the case of frauds below Rs 0.1 million, Sec2pay may close the case by using the FMR Update application.
· Guidelines for Reporting Frauds to Police / CBI
· In dealing with cases of fraud/embezzlement, Sec2pay shall not merely be actuated by the necessity of recovering the amount involved expeditiously, but shall also be motivated by public interest and the need to ensure that the guilty persons do not go unpunished.
· All fraud cases of value over ₹10,000/- shall be referred to the Audit Committee of the Board (ACB) of Sec2pay, which would scrutinize each case and report the matter to the law enforcement authorities for further legal action and recovery.
· All fraud cases valued under ₹10,000/- may, at the discretion of the ACB and with further approval by the CEO, be referred to the Head of Finance & the Legal Advisor at Sec2pay, who would scrutinize each case and decide whether it should be reported to the law enforcement authorities for further legal action and recovery.
· Separate Department to Manage Frauds
· Fraud prevention, monitoring, investigation, reporting and awareness creation are to be owned and carried out by the Audit Committee of the Board (ACB) of Sec2pay, specifically including the CEO.
· The Different Types of Online Payment Fraud
· Irregular financial transactions may be classified into three distinct categories as follows:
- Transactions meant to finance terrorism and other such nefarious activities;
- Transactions meant for money laundering to hide illicit income and/or evade tax by creating fictitious remitter/beneficiary accounts;
- Phishing, Vishing, Spoofing, Hacking, Session hijacking, Man In The Middle (MITM) attacks by cybercriminals with the intention to steal money.
· The most common types of online fraud are phishing or spoofing, data theft, and chargeback or friendly fraud. These are described in brief below.
· Phishing or Spoofing Online:-
· Phishing is a process in which a person is tricked into revealing his/her sensitive information through fraudulent e-mails or websites that claim to be legitimate. The information gathered this way can include usernames, passwords, credit card numbers, or bank account numbers. In a typical phishing scam, you receive an e-mail that appears to be from a reputable business and asks you to update or verify your personal information by replying to the e-mail or visiting a website. The e-mail may be convincing enough to get you to take the action requested. The user is thereby tricked into revealing personal information that they would ideally not disclose to anyone else. Once you click on the link, you are sent to a spoofed website that might look almost identical to the real thing, such as your bank or credit card site, and asked to enter sensitive information like passwords, credit card numbers, banking PINs, etc. These fake websites are used solely to steal your information. Phishing can also happen through other electronic means such as SMS, instant messaging, and e-mail. A user can be redirected to make a payment on a website that appears legitimate but was created to capture the user's card details so they can be used later.
· Theft of Information/Data:
· Data theft is the act of stealing information stored on computers, servers, or other devices from an unknowing victim with the intent to compromise privacy or obtain confidential information. Sometimes, dishonest employees or partners can steal credit card data from organizations and use it for committing fraud. Most payment gateways, payment aggregators and online websites take strict measures to ensure that such privacy breaches do not occur.
· Sec2pay does not store any card details, and is working on the implementation of tokenization systems with regulated service providers like Visa & Mastercard. Furthermore, Sec2pay is a certified PCI-DSS compliant organization, which means we undergo stringent audits of our data privacy processes.
· Account information theft: Malware can capture the keystrokes for your login information. Malware can also potentially monitor and capture other data you use to authenticate your identity.
· Hacking is an act that compromises digital devices through unauthorized access to a login or a computer system.
· It is most commonly associated with illegal activity and data theft by cyber criminals.
· Hacking includes the compromise of weak login credentials in the infrastructure that manages live customer data. These are relatively easy for a criminal to compromise. The systems and applications are attacked with dictionary or brute-force attacks until the correct password or credentials are obtained, and an organization’s database and customer records are leaked. Sec2pay regularly conducts system audits and penetration testing, and uses multi-factor authentication for login, a WAF (web application firewall), etc.
· Hacking refers to the misuse of devices like computers, smartphones, tablets, and networks to cause damage to or corrupt systems, gather information on users, steal data and documents, or disrupt data-related activity.
· Fake website substitution: Malware can generate web pages that appear to be legitimate but are not. They replace an organization’s legitimate website with a page that can look identical, except that the web address will differ in some way. Such a “man-in-the-middle attack” website allows an attacker to intercept customer data. The attacker adds extra fields to the copy of the web page opened in the browser. When a person submits the information, it is sent to both the organization and the malicious attacker without his/her knowledge. To prevent this, Sec2pay ensures that every request/data packet is validated by a unique checksum and that the data is always transmitted over encrypted channels.
· Friendly Fraud or Chargeback Fraud:
· For instance, a customer makes an online purchase. Later, they claim that the purchase was made fraudulently and ask for a chargeback, even though they made the purchase themselves. This is known as chargeback fraud or friendly fraud, where a business processes a transaction because it appears legitimate, only to be issued with a chargeback later on.
· Fraudsters may also first order expensive items/products from online shopping websites using fake credentials. Later, when the shipment is delivered, they may remove the items from the boxes and substitute duplicate items, accusing the sellers of sending sub-standard goods.
· Chargeback frauds cause losses to the Merchant and are a concern for any business, including that of Sec2pay. To mitigate this, Sec2pay has an exhaustive and robust Chargeback and Refund Policy that shall help the merchant understand why chargebacks happen and take steps against fraudulent charges.
· Security Protocols and Processes :-
· With the growing number of e-commerce customers and transactions, it is essential that businesses are aware of the mandatory security protocols for e-commerce websites, so that they can avoid fraudulent situations. We at Sec2pay follow:
· TLS Encryption
· Data protection for an online payment starts the moment a customer lands on the site. The TLS certificate tells customers that the data transmitted between the web server and their browser is safe. Sec2pay uses the highest-assurance SSL certificate on its site, which is the EV SSL (Extended Validation SSL) certificate.
· Without TLS encryption in place, all information sent over the Internet is unencrypted and is visible to anyone with the means and intent to intercept it.
· The Payment Card Industry Data Security Standards (PCI-DSS) Compliance
· The PCI Security Standards Council is a global organization that maintains and promotes compliance rules for managing cardholder data for all e-commerce websites and online payment processes. The Payment Card Industry Data Security Standard (PCI-DSS) is in effect a set of policies that govern how cardholder data should be handled.
· The PCI Security Standards Council was created as a joint initiative by the 4 major credit-card providers: American Express, Visa, MasterCard, and Discover, in the year 2004. Over the years, the PCI-DSS standard has become the guiding principle for online security across the globe.
· To be PCI-DSS compliant, Sec2pay follows certain directives:
· Maintain a secure network to process payments: This involves the use of strong firewalls which can protect against malicious security threats. Sec2pay does not use default credentials like manufacturer-provided PINs and passwords, and allows customers to change this data as needed.
· Ensure all data is encrypted during transmission: When cardholder data is transmitted online, it is essential that it be encrypted. Sec2pay encrypts all data a customer shares during checkout using Transport Layer Security. This prevents data interception during transmission from the user's device to the organization.
· All the details entered by a person, like their name, address, etc., are used solely to process and complete the order. Sec2pay does not store confidential data like credit/debit card information, CVV numbers, PINs etc.
· Keep infrastructure secure: This directive involves Sec2pay keeping abreast of new PCI-DSS mandates and using up-to-date software and anti-spyware to protect against known software vulnerabilities, and running regular system and software scans to ensure maximum data protection.
· Restrict data access: A crucial part of securing online payments on e-commerce websites is limiting access to confidential data so that only authorized personnel have access to cardholder data. Cardholder data should be protected at all times, both electronically and physically.
· Fraud management
· Financial crimes have assumed a complex character. Sec2pay understands how fraud, compliance and cybersecurity are interlinked and takes a holistic approach to mitigating these problems by using data analytics, artificial intelligence and machine learning technology to:
- Provide intelligent, self-learning Fraud and Risk Management (FRM).
- Provide support to all Network Participants with a bouquet of solutions that are applicable across the entire financial crime spectrum
- Consistently monitor and accurately detect risks, while keeping false positives below the minimum acceptable threshold
· Know Your Customer (KYC) procedures
· A robust KYC process is the backbone of any fraud prevention activity. Such a process enables Sec2pay to prevent unscrupulous elements from gaining entry into the organization’s environment, which would give them an opportunity to carry out their fraudulent intentions. Similarly, due diligence procedures before recruitment of employees are essential to prevent known fraudsters or people with fraudulent motives from gaining access to the organization’s channels. Sec2pay follows robust processes to carry out due diligence on prospective merchants & employees before they are enrolled.
· Merchant fraud occurs when someone creates a fake or bogus business with no intention of selling any product to the customer. The business appears legitimate; however, since it provides no goods or services, all customers who make an online purchase only end up losing their money.
· Sec2pay implements strict processes to vet every organization that uses its gateway for processing payments, such as:
· KYC & Background checks: Adhering to strict KYC norms even before Sec2pay onboards a business is an important part of the fraud mitigation practice followed. Sec2pay shall have in place an in-house ‘Risk’ team that runs background checks on new businesses and vets them before they are ‘live’ on this platform.
· Physical security: Sec2pay shall put in place a dedicated team to take care of the security of the infrastructure. This team shall conduct regular security audits of the offices to check for deviations/lapses. It shall be the responsibility of this team to ensure that physical assets and copied data do not leave the offices of the organization without authorization.
· Creation of fraud awareness among staff and customers: Awareness of how to prevent and detect frauds is the foundation of fraud management. Sec2pay adopts a variety of measures to create awareness among staff and customers, as specified below in this policy.
· Detection of Fraud.
· Fraud Detection
· In certain cases, despite robust prevention controls aimed at fraud deterrence, fraudsters do manage to perpetrate frauds. In such cases, the faster the fraud is detected, the better the chance of recovering the losses and bringing the culprits to justice. System triggers that throw up exceptional transactions, channels that take note of customer or employee alerts or disputes, seeding or mystery-shopping exercises, and encouraging employees, customers or well-wishers to report suspicious transactions or behaviours are some of the methods used for detection of frauds at Sec2pay. The suspicious transactions/activities reported through these mechanisms are investigated in detail by the Risk & Operations Team as soon as they are reported.
· Transaction monitoring
· Within the Operations Team, a transaction monitoring unit is assigned that is responsible for monitoring various types of transactions, in particular for potential fraud, so that early alarms can be triggered. This unit has the expertise to analyse transactions to detect fraud trends and has the authority to immediately trigger alarms and suspend the account. This unit works in conjunction with the technical team within the organization on data extraction, filtering, and sanitization for transaction analysis to determine fraud trends. Sec2pay has put in place automated systems for detection of frauds based on advanced statistical algorithms and fraud detection techniques.
· Alert generation and redressal mechanisms
· Sec2pay has established appropriate mechanisms to take note of the disputes/exceptions or suspicions highlighted by various stakeholders, including the transaction monitoring team, and to investigate them thoroughly. Furthermore, Sec2pay also maintains a strong whistle-blowing mechanism as a policy.
· Contact for reporting suspected frauds
· At Sec2pay, customers can report any fraudulent activity that they may notice on:
· A dedicated team shall respond to customer queries and concerns related to frauds through the above e-mail ID.
· Importance of early detection of frauds
· An organization’s fraud management function is effective if it is able to reduce frauds and, when fraud occurs, is able to detect the fraud so that the loss is minimized.
· Sec2pay documents and implements the configuration aspects for identifying suspicious transactional behaviour in respect of rules, preventive and detective types of controls, the mechanism to alert customers in case of failed authentication, the time frame for the same, etc.
· Systems for Detecting Merchant Fraud
· Sec2pay takes this check one level higher by monitoring all suspicious and potentially fraudulent businesses, and the transactions that originate from them:
- Transaction monitoring: We apply an inherent ‘Risk’ logic that can detect a possible fraud. For instance, a merchant who gets 20-40 online orders in a day suddenly starts to get 300-500 orders daily and keeps escalating in the same manner. A sudden spike in transaction velocity (number of transactions per minute/hour/day), volume (amount transacted), or pattern (international orders for a local brand) is an indicator of fraud, and Sec2pay systems immediately flag such transactions for further investigation. ‘Risk’ logic also involves business rules for monitoring the large number of transactions on the Sec2pay platform on a daily basis. This logic should be designed according to the merchant, and the logical pathway should easily differentiate between everyday transactions and those that carry a high likelihood of risk.
- Third Party Background Checks: Sec2pay also uses third-party applications, such as __________________, that conduct thorough background checks.
- E-KYC: E-KYC is carried out to further verify the documentation provided by the Merchant at the time of on-boarding.
- Extensive Documentation: We seek exhaustive company and director documentation to verify, keep on record and match against the authorities’ databases for safety and risk mitigation.
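The velocity, volume and pattern indicators from the transaction monitoring item above, scored against each merchant's own history. This is an added example, not Sec2pay's system: the median/MAD scoring, the thresholds, the names and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Day:
    orders: int        # velocity: number of transactions that day
    amount: float      # volume: total amount transacted that day
    intl_orders: int   # pattern: orders from outside the merchant's home market

def robust_z(value, history):
    """Distance of value from the merchant's own median, in MAD-based units."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # A perfectly flat history gives MAD 0; fall back to 10% of the median.
    scale = 1.4826 * mad if mad > 0 else max(1.0, 0.1 * med)
    return (value - med) / scale

def assess(history, today, z_limit=6.0, share_jump=0.30, min_days=7):
    """Return the indicators that today's activity trips for this merchant."""
    if len(history) < min_days:
        return ["no_baseline"]          # new merchant: route to manual review
    flags = []
    if robust_z(today.orders, [d.orders for d in history]) > z_limit:
        flags.append("velocity")
    if robust_z(today.amount, [d.amount for d in history]) > z_limit:
        flags.append("volume")
    base_orders = sum(d.orders for d in history)
    base_share = sum(d.intl_orders for d in history) / base_orders if base_orders else 0.0
    today_share = today.intl_orders / today.orders if today.orders else 0.0
    if today_share - base_share > share_jump:
        flags.append("pattern")
    return flags

# Constructed sample: a local merchant doing 20-40 orders a day at about 500 per order.
HISTORY = [Day(n, n * 500.0, n % 2) for n in
           (22, 35, 28, 40, 31, 25, 38, 27, 33, 30, 24, 36, 29, 39)]
NORMAL = Day(37, 18500.0, 1)
SPIKE = Day(320, 160000.0, 140)        # the 300-500 orders/day jump from the text
BIG_TICKET = Day(34, 95000.0, 0)       # usual order count, unusual amount

if __name__ == "__main__":
    for name, day in (("normal", NORMAL), ("spike", SPIKE), ("big ticket", BIG_TICKET)):
        print(name, assess(HISTORY, day))
```

Because the baseline is per merchant, a high-volume merchant's ordinary day does not trip the flags that a small merchant's sudden jump does.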
· Fraud Preventive Actions & Improvements
· The means of deception that fraudsters and criminals use today range from forging identification documents, creating fake business profiles/storefronts and forging invoices/receipts to restructuring transactions to fall below reportable thresholds, among other techniques. To monitor fraud effectively, Sec2pay maintains a holistic approach involving the merchant’s entire portfolio and appropriate technological support.
· Sec2pay takes into account the up-to-date applicable regulatory mandates comprising pre-on-boarding Know-Your-Customer (KYC) and screening, and post-on-boarding monitoring of merchant behavior and transactions. These do, however, allow risk-based flexibility with actionable customized solutions. Furthermore, internal risk profiling, periodic updates, and fraud reporting where applicable (to the Financial Intelligence Unit of the Government (FIU-IND), Central Bureau of Investigation/Police, Reserve Bank of India’s (RBI) Department of Banking Supervision, and others) shall also be undertaken. Even where there are no mandates, Sec2pay carries out these measures through self-imposed checks to detect transactional anomalies and possible frauds.
· Sec2pay’s various checks enable it to detect different frauds, and in the process it also encounters challenges:
· Payments innovation: The fraud detection techniques applied at Sec2pay keep abreast of vulnerabilities arising from new payments innovation (wallets, Unified Payments Interface, fintech participation through open banking/Application Programming Interface access and other new payment channels that are opening up). Sec2pay’s transaction monitoring algorithms also need to become more intelligent for transactions routed through such channels; for example, the data points to be assessed would differ.
· Digital on-boarding processes: Sec2pay follows the practice of digital checks backing increasingly popular digital on-boarding processes and follows the RBI and Insurance Regulatory and Development Authority’s Video KYC norms, as well as the Securities and Exchange Board of India’s (SEBI) e-KYC permissions. There is, however, the problem of a storefront being faked online through seemingly professional business websites, regardless of whether an actual brick-and-mortar storefront exists. For such suspected merchants, Sec2pay carries out additional checks ranging from verifying the site’s domain name, the domain’s purchase date, actual website visits and activity on social media to assessing the authenticity of the business through licensing/registration checks, credit checks and analysis of balance sheets if required.
· Merchant website checks: Regular manual checks on a merchant’s website also provide indicators, such as reviewing product listings and online customer reviews to help identify the sale of prohibited/fake products. This assists Sec2pay in reassessing merchant risk levels post on-boarding, for example by identifying merchants who maintained an artificially low-risk profile at the time of on-boarding and examining their transactions.
· Money laundering/tax evasion detection: Detecting money laundering or tax evasion is a challenge given the payments chain’s complexity, which can involve multiple intermediaries or variations in payment cycles. For instance, the merchant can route customer funds through multiple payment intermediaries to enable a direct disbursement to fraudulent recipients, thereby enabling laundering, or so that the funds never reach the merchant’s official bank account. This aids in concealing income and avoiding tax obligations. To mitigate this, Sec2pay conducts a beneficial owner check that helps identify money laundering/terrorist financing concerns, in this instance a promoter/director/investor identified from the company’s filings with the portal of the Ministry of Corporate Affairs whose name matches one on a sanctions, Politically Exposed Person (PEP) or global Anti-Money-Laundering/Combating the Financing of Terrorism list.
· Real-time fraud detection at scale: Further, seamless on-boarding and settlement today require real-time fraud detection mechanisms. The proliferation of digital payments and many new merchants (like micro-merchants) also requires effective fraud prevention at scale. New-age anti-fraud technology can provide the requisite tools here, including:
- Automated underwriting
- Thorough monitoring of transactions to identify illicit merchant websites or payments processing through unreported/shadow sites,
- Automated alerts for transaction anomalies (Merchant Category Code violations, URL mismatches, unusual transaction/refund/chargeback frequencies/patterns, or exceeding approved limits, to name a few).
· In-house Fraud Prevention System
· The in-house customized Fraud Prevention System in place allows Sec2pay to block transactions based on rules to reduce fraud. The rules can address IP addresses, geolocation, customer details, etc. The following are the features provided by our Fraud Prevention System:
- Block IP Address: It allows the admin to block specific IP addresses from being able to process transactions into their account. Once blocked, the user must not be allowed to attempt any transactions into their account. Any transaction made using these IP addresses must be rejected.
- Whitelist IP Address: This allows the admin to whitelist IP addresses, making lists of trusted IP addresses or IP ranges from which only those users can access the domains. It restricts access to trusted users only.
- Block Issuer Countries: This allows the admin to block transactions on cards issued in a few specific countries.
- Block Email Address: It allows the admin to block transactions based on the e-mail address provided while initiating the transaction.
- Limit Transaction Amount: It allows the admin to specify the minimum and maximum amount limits for the transactions from the same account in a day, so that heavy transaction frauds and costly chargebacks can be avoided.
- Block Card BIN Range: It allows the admin to block specific card ranges from processing transactions to their account. The admin needs to give the first 6 digits of a card, which specify the details of the card.
- Block Phone Number: It allows the admin to block transactions based on the phone number provided while initiating the transaction.
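A compact evaluator for the rule types listed above, written as an added example and not taken from Sec2pay's Fraud Prevention System. The field names, reason codes, check order, 10-digit phone matching, and the reading of the amount limit as a per-transaction minimum plus a per-account daily maximum are assumptions; all sample values are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rules:
    blocked_ips: list = field(default_factory=list)       # addresses or CIDR ranges
    allowed_ips: list = field(default_factory=list)       # empty = no whitelist in force
    blocked_countries: set = field(default_factory=set)   # card issuer country codes
    blocked_emails: set = field(default_factory=set)      # stored lower-case
    blocked_phones: set = field(default_factory=set)      # stored as 10 digits
    blocked_bins: set = field(default_factory=set)        # first 6 digits of the card
    min_amount: float = 0.0
    max_daily_total: float = float("inf")

def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)                        # ValueError if malformed
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)

def _digits(text):
    return "".join(ch for ch in text if ch.isdigit())

def evaluate(txn, rules, spent_today=0.0):
    """Return (allowed, reason); spent_today is the account's running total for the day."""
    try:
        if _in_any(txn["ip"], rules.blocked_ips):          # block list wins over whitelist
            return False, "ip_blocked"
        if rules.allowed_ips and not _in_any(txn["ip"], rules.allowed_ips):
            return False, "ip_not_whitelisted"
    except ValueError:
        return False, "ip_invalid"                         # fail closed on unparseable input
    if txn["issuer_country"].upper() in rules.blocked_countries:
        return False, "issuer_country_blocked"
    # Normalise before matching so case, spaces or a country prefix do not bypass a block.
    if txn["email"].strip().lower() in rules.blocked_emails:
        return False, "email_blocked"
    if _digits(txn["phone"])[-10:] in rules.blocked_phones:
        return False, "phone_blocked"
    if _digits(txn["card_number"])[:6] in rules.blocked_bins:
        return False, "bin_blocked"
    if txn["amount"] < rules.min_amount:
        return False, "below_min_amount"
    if spent_today + txn["amount"] > rules.max_daily_total:
        return False, "daily_limit_exceeded"
    return True, "ok"

# Constructed rule set and transaction (documentation IP ranges, test card number).
RULES = Rules(blocked_ips=["203.0.113.0/24"], blocked_countries={"ZZ"},
              blocked_emails={"mule@example.com"}, blocked_phones={"9000000001"},
              blocked_bins={"400000"}, min_amount=10.0, max_daily_total=50000.0)
BASE = {"ip": "198.51.100.7", "issuer_country": "IN", "email": "buyer@example.com",
        "phone": "+91 90000 00002", "card_number": "4111 1111 1111 1111", "amount": 1500.0}

if __name__ == "__main__":
    print(evaluate(BASE, RULES))
    print(evaluate({**BASE, "ip": "203.0.113.45"}, RULES))
```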
· Sec2pay also endeavors to continuously improve the business rules such that:
- Fraud losses are reduced by identifying and challenging fraudulent transactions
- Genuine transactions that are interrupted are authorized and brought back on track as quickly as possible with automated tools
- Obscure patterns and emerging trends in data, which are otherwise impossible for the human eye to detect, are identified
- Customer experience is not compromised, by reducing false positives.
· Fraud Investigation
· At Sec2pay, a detailed and thorough fraud investigation shall be conducted to identify the fraud and set up a customized mechanism to stop such frauds.
· The fraud control function shall be knowledgeable about frauds and trained in the following skills and areas of expertise:
- Investigative techniques and procedures;
- Cardholder and merchant education techniques to prevent fraud;
- Fraud control tools and their usage;
- Operating Scheme/Card regulations;
- Data processing and analysis, and liaising or communicating with the law enforcement agencies; and
- The requisite skills required to (i) set and update rules as required, (ii) monitor the exceptions based on the rules on a continuous basis and take necessary actions promptly, (iii) communicate or implement wherever required to the authorities, and (iv) differentiate false positives from the rest.
· Furthermore, Sec2pay shall maintain updated contact details of service providers, intermediaries, external agencies and other stakeholders (including other organizations) for coordination in incident response. Sec2pay shall put in place a mechanism with the stakeholders to verify such contact details and also formulate specific SOPs to handle incidents related to the payment ecosystem to mitigate the loss either to the customer or the organization.
· The investigation of a suspected fraud, a transaction or a customer dispute/alert in the organization is to be undertaken by:
- Fraud risk management group
- Specific committee of employees constituted to examine the ‘suspected fraud’
- External agencies, if any, as appointed by the organization.
· Fraud Investigation function
· It is widely accepted that fraud investigation is a specialized function. Thus, the fraud management team at Sec2pay shall undergo continuous training to enhance its skills and competencies. The first step in the investigation process will be gathering the complete transaction details, documents and full details of the customer, employee or vendor. To investigate suspected cases, the team would adopt a variety of advanced techniques including computer forensics, forensic accounting and tools to analyze large volumes of data as required.
· The investigation team will further conduct oral interviews of customers or employees to understand the background and details of the case. In case an interview of a person accused of fraud is required, the investigation team shall follow a prescribed procedure and record statements appropriately.
· The investigation would be carried out discreetly and within a specified timeline. The investigating team shall take into account all the relationships of the parties (with the organization, if required) while investigating and preparing the investigation report.
· The investigation report will help the respective business groups take a decision on the case and, as the case may be, on all the relationships of the customer with the organization. The investigation report should conclude whether or not a suspected case is a fraud, and thereafter the report would form the basis for actions such as regulatory reporting as mandated.
· In case of an employee’s involvement in the fraud, the investigations would form the basis of staff accountability and HR actions. It is stated explicitly that, during the course of the investigations, Sec2pay would adopt only means permitted by law, regulations and the code of conduct of the organization, and any inconvenience to customers or the general public shall be reasonably avoided. Sec2pay understands that certain investigations are best carried out by law enforcement authorities and shall refer serious/complex cases to such authorities at the appropriate time, to enable them to carry out their responsibilities effectively. If required, the investigating team shall also seek the help of other specialized groups in the organization, such as the audit team, to carry out investigations efficiently.
· Recovery of fraud losses
· The team at Sec2pay shall make all reasonably possible efforts to recover the amount. They may also use specialized groups like legal (internal or external) or the concerned authorities for this purpose. The investigating team may also be able to recover the amount during the course of their investigation. The Police may also recover some amount during their investigation. In case a court case has been filed, these recoveries shall be reported as received pending the final adjudication, agreement or settlement reached.
· Customer awareness on frauds
· Creation of customer awareness on frauds
· Customer awareness is one of the main pillars of fraud prevention. It has been seen that alert customers have enabled the prevention of several frauds and, in the case of frauds which could not be avoided, helped in bringing the culprit to book by raising timely alerts. Sec2pay accordingly aims at continuously educating its customers and soliciting their participation in various preventive/detective measures. It is the duty of all the groups in the organization to create fraud risk awareness amongst their respective customers. The fraud risk team should share its understanding of frauds with each group, identify the areas where customer awareness is lacking and, if required, guide the groups on programs to be run for creation of awareness amongst customers. The groups must ensure that in each of their interactions with customers there is at least one message to make the customer aware of fraud risk.
· The following are some of the measures that may be adopted over time to create awareness amongst customers:
- Interstitials on television and radio
- Detailed ‘do’s and don’ts’ on the website of the organization
- Publications in leading newspapers
- Messages printed on organization’s stationery such as envelopes, card covers, etc.
· It may be ensured that the communication to the customer is simple and aimed at making them aware of fraud risk and seeking their involvement in taking proper precautions aimed at preventing frauds. Such communication needs to be reviewed periodically by the fraud awareness management team to judge its effectiveness.
· Employee awareness and training
· Creation of employee awareness
· Employee awareness is crucial to fraud prevention. Training on fraud prevention practices shall be provided through the fraud management group forums. Sec2pay may use the following methods over time to create employee awareness:
- Publication of newsletters on frauds covering various aspects of frauds and containing messages on fraud prevention from senior functionaries of the organization
- E-learning module on fraud prevention
- Emails sent by the respective business heads
- Posters on various security measures at the workplace
- Messages/discussions during daily work huddles
- Classroom training at the time of induction or during risk-related training sessions
- Online games based on fraud risks in specific products or processes
- E-tests on prevention practices and controls
- Detailed ‘do’s and don’ts’ put up on the worksite of the employee
- Safety tips flashed at the time of logging into applications, on screen savers, etc.
· Rewarding employees on fraud prevention
· A positive way of creating employee awareness is to reward employees who have gone beyond their call of duty and prevented frauds. Awards may also be given to employees who have done exemplary work in preventing fraud. Details of employees receiving such awards may also be published in the fraud newsletters by Sec2pay.
· Do’s and Don’ts to Prevent Fraud
- Do not share confidential details like card number, expiry date, PIN, OTP etc. with anyone. No genuine representative will ever ask for your card data/passwords up front. The regulated entities and financial service providers have a secure protocol to obtain access to an account if the need ever arises. If you are asked for such confidential details by anybody posing as an organizational representative, please ask them to send an email. Reply to emails from the authentic organizational domain;
- Passwords are safer when you don’t write them down. Keep strong passwords that you can remember, change them frequently, and do not write them down;
- You have the right to dispute charges on your card or accounts. Raise a chargeback request for any unidentified transaction on your card. You have a right to a resolution; however, this must not be misused, as Payment Gateways/Merchants have the legal right to contest unfounded chargebacks as well.
- When contacted by a fraudster, immediately report the incident to your nearest cyber-crime cell and lodge an FIR providing the relevant details (phone number, transaction details, card number, bank account etc.) to the police.
- Do not search for customer support numbers on Google, Twitter, FB etc. Connect through official accounts on the various platforms, e.g., Website, Twitter, Facebook. Never call/reply to unverified mobile numbers claiming to be customer support of any payment or banking organization.
- Do not allow uncontrolled access to third-party apps such as Screenshare, AnyDesk, TeamViewer;
- Always remember that you do not need to ‘Pay’ or enter your UPI PIN to receive money;
- RBI Working Group on Information Security, Electronic Banking, Technology Risk Management, and Cyber Frauds - https://rbidocs.rbi.org.in/rdocs/PublicationReport/Pdfs/WREB210111.pdf
- RBI Master Directions on Frauds – Classification and Reporting by commercial the regulated entities and select FIs - https://www.rbi.org.in/Scripts/BS_ViewMasDirections.aspx?id=10477#7
- RBI Master Direction on Digital Payment Security Controls - https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=12032&Mode=0
- Article “Fraud Management for Merchant Acquirers & Payment Gateways” by Somenath Auddy, Manipal Technologies Limited.