Modern society holds an optimistic view of technology and its increasing variety and sophistication. Digital technology has succeeded in transforming our observation and experience of the world. It is increasingly becoming apparent to businesses worldwide that they operate in digital ecosystems and the constellation of key actors that consistently erase transaction barriers. Businesses, including banks and other providers of financial products and services, rely on these ecosystems to buy and sell their ideas and output. More importantly, transactions in these ecosystems transcend both traditional allies and potential competitors.
With the immediate requirement for a more digital approach, digital transformation has become a key priority for banks and other financial institutions within the country and across the globe. The COVID-19 pandemic has significantly influenced how businesses and consumers utilise banking products and services, and how they interact with other providers.
This development has urged banks to increasingly manage their services as products, deploy information technology (IT) professionals to oversee their digital strategies, and to take proactive steps toward increasing internal effectiveness to affirm their enviable role in a highly competitive market. The foregoing ensures enhanced efficiency in the delivery of financial products and services, and effectiveness in internal product and operations management.
Digital transformation and banks’ services delivery
Information technology services have been identified as an essential component of digital transformation. Realising the digital transformation objective without adequate investment in information technology remains a challenge in many global organisations, including banking institutions in the country.
Generally, customers envisage and look forward to having exceptional product experience from their respective banks, and that banks that are successful in their strides tend to reduce churn, increase loyalty, and have tangible impact on growth. Contemporary digital transformation strategies of banks provide economic support for various business capabilities. Banks that are noted for rigorous pursuit of digital transformation and provision of improved digital services are often characterised by responsiveness and efficiency with its attendant benefit of customer centrism and stickiness.
Improvements in internal efficiencies allow banks to be effective and innovative, and to deliver a better customer experience. Banks’ responsiveness to digital transformation would enable them to remain agile and receptive to the market and its growing needs. Thus, improvements in the business capabilities of financial institutions are of the essence in the era of digital transformation and its attendant risks manifesting in fraudulent digital activities.
The digitisation age is believed to have increased access to businesses, organisations, banking and financial services. Unfortunately, the digitisation drive has brought in its wake growing appetite of individuals and syndicates for bank, physical and cyber fraud. One of the overarching responsibilities of any bank or financial institution is to protect the institution’s integrity, and integrity of financial transactions in a manner that exudes confidence in the banking population.
However, realisation of the foregoing becomes feasible when banks strategically invest in protective infrastructure, and work hard to secure the financial assets that they hold and manage. A major threat to adequate protection of banks’ assets is fraud which explains the growing appetite of system hackers, individuals and syndicates for unethical and criminal access to and possession of funds and assets of targeted banks, their clients; or both.
Undoubtedly, the pace of digital transformation remains a common knowledge to most people in technology and business. And although the adoption and uptake were gathering steam prior to 2020, the pace is believed to have witnessed further acceleration during the pendency and after the COVID-19 pandemic. Increasing use of digital technology makes cybersecurity a top priority among banking institutions; and unfortunately, for cyber miscreants alike.
Banks remain flexible in their adaption of digital technology; and response to changes in the digitisation age. This flexibility has influenced IT teams in banks and other financial institutions to shift their focus from project-oriented approach to product-oriented approach. Stated differently, the IT teams in financial institutions including banks are concerned about how they could leverage the massive investment in technology infrastructure by their respective institutions to create more digital financial products and services to meet growing specific needs of existing customers and prospects.
Technology is no longer seen as an enabler of banking services, it is actually now the business of banks. Indeed, the orientation of banks towards digital technology has resulted in iterative improvements and provision of more value-added services; while keeping banks aligned to critical business outcomes.
It remains a fact that sophistications in modern technology keep changing on continuous basis; and these changes enhance competitiveness, profitability and growth of banks and other financial institutions. The foregoing notwithstanding, the incidence of fraud within the banking sector appears to run parallel to the improvements in financial digital technology and infrastructure. That is, increased digital transactions have created conduits for high risk transactions in the banking sector. Stated in different terms, increased volume of transactions through electronic payments (e-payments) heightens fraud attempts in the banking sector; albeit most fraud attempts turn out to be unsuccessful.
Recent trends in fraud
Generally, spike in fraud attempts on financial institutions tend to be on the ascendency whenever there are global crises such as pandemics, social unrest, crash of the financial system and economic downturn. During these unsocial periods, fraud is believed to be motivated by need or perceived need occasioned by heightened concerns over financial security. The incidents of fraud during these periods could be broadly categorised into loan fraud, cyber-attacks, employee fraud, Ponzi schemes and management fraud.
The recent economic lockdown that emanated from the outbreak of the portentous COVID-19 pandemic was described by some experts as perfect climate for fraud to germinate and gather pace, with banks being the worst victims. A recent study of over two thousand (2,000) executives across the globe by FTI Consulting (as cited in Durant, n.d.) revealed fraud was perceived as the number one financial crime during 2019 as 24 percent of the respondents reported their exposure to it (fraud), and implying a whopping £5billion was lost to bank fraud alone during the period.
The statistics lend credence to the assertion that COVID-19 has had significant impact on the global landscape of cyber threats and that, fraud or cybercrime would cause substantial financial damage and pose a serious threat to society and the global economy. Further, cybercrime would have indirect effects in undermining the public’s confidence in digital transformation and overall trust in technology.
Data released by the World Economic Forum (2020) revealed cybercriminals steal an estimated US$600billion each year from governments, companies and individuals, while the overall loss of company revenues over the course of five years (that is, from 2019 through 2023) would be equivalent to US$5.2trillion. Recent report published by Interpol (2020), which surveyed 48 member-countries and four partners about the impact of COVID-19 on cybercrime indicated that 907,000 spam emails, 737 malware incidents, and 48,000 malicious URLs were detected between January and April 2020 alone.
Similarly, the 2020 Banking Industry Fraud Report released by the Bank of Ghana suggested that suppression of cash remained the dominant reported fraud case (56 percent), and more troubling was the fact that for 93 percent of all reported cash suppression cases, staff of the reporting institutions were found culpable. Statistics shared by the Bank of Ghana (2020) depicted persistent trend of staff involvement in fraud since 2017 through 2020, and this is in spite of numerous notices of caution to institutions within the financial sector.
In 2019, a surge in fraud related to E-Money transactions witnessed significant increase from 1.1 percent of total losses incurred to 4.1 percent during 2020, while the incidents of fraud related to E-Money surged from 0.6 percent during 2019 to 4.7 percent during 2020.
The reduction in rate of success for most fraud types during 2020 accounted for the minimal decrease in actual losses, albeit marginal increase in reported fraud incidents was recorded during the period. Additionally, the reported fraud value (including unsuccessful attempts) for 2020 of about GH¢1billion remained 8.7 times; or 765.73 percent more than the value recorded during 2019 (GH¢115.51million).
The FTI Resilience Barometer 2020 Survey (as cited in Durant, n.d.) identified fraud as the leading financial crime during 2020, with 28 percent of the sampled executives affirming belief in their companies’ exposure to fraud. Similar statistics released by ONS (as cited in Durant, n.d.) revealed fraud experiences that followed the 2008 financial crisis was 15 percent. The trends point to higher prevalence of fraud during 2020 and beyond. The survey findings suggested that in spite of the enormous benefits associated with digital technology, there are potential threats that lurk behind every technology device and platform.
Evidence suggests threats, including ransomware, phishing and accounts takeover, posed by modern technology to cybersecurity are not only real, but also menacing in some cases. For instance, bitcoins valued at over US$100,000 were stolen from some billionaires including Bill Gates, Jeff Bezos, Warren Buffett, Elon Musk, and others’ accounts on Twitter during 2020 (Raza, n.d.). During the same period, Zoom was saddled with myriad security challenges, with the most glaring being the sale of approximately 500,000 user accounts on a dark web forum (Raza, n.d.).
Statistics released by the Credit Card Association of the Philippines (as cited in Bworldonline.com, 2022) affirmed 21 percent increase in credit card fraud in the country since the outbreak of COVID-19. The high volumes of fraud cases recorded by the financial industry through various digital payment platforms are believed to be financially detrimental to banks and other financial services providers. A silver lining of COVID-19 in the Philippines, just like in Ghana, relates to the fact that it impelled the country to fully embrace digitisation.
In spite of its sterling attributes and positives, the digital transformation process of banks may be mired by factors such as lack of dedicated skills in emerging information technology, absence of organisational change management to handle process-driven fraudulent activities, and aggressive and evolving digital demands of customers. Other factors include lack of clear strategy to handle threats to digital expansion, budgetary constraints and concerns, inefficient business processes, ineffective data management, among other pertinent factors.
Cybersecurity challenges and priority areas
Undoubtedly, the banking sector represents a vital component of our nation’s critical information infrastructure. Nonetheless, large-scale power outages, recent natural disasters, and surge in the number and sophistication of cyberattacks demonstrate the array of potential risks confronting the sector. There is no gain saying that banks play a monumental role in the socio-economic development, financial stability and growth of the country. These giant economic strides notwithstanding, banks and other financial institutions are not immune from the snare of digital crimes.
Banks remain the number one target by the growing cybercrime syndicates in many jurisdictions across the globe. Predatory attacks on banking systems and infrastructure, and payment platforms by cybercrime syndicates can result in significant financial losses, reputation challenges, and considerable stress for customers and managers of these institutions.
Given the enormity of cyberattacks in prior and recent periods, banks during the current financial year have considered it economically and technologically prudent to partner key state institutions, such as the Cyber Security Authority (CSA), to ensure effective minimisation of adverse impacts on the services and operations of banks and within the cyberspace. And to this, I say, the CSA has the full support from the banks to ensure effectiveness in operationalisation of the Cybersecurity Act of 2020, Act 1038 – compliance with current and future cybersecurity directives by the Bank of Ghana, maintaining sound cybersecurity practices, and contributing to the establishment of a resilient cyberspace.
It is therefore imperative for decision-makers, especially Chief Executive Officers, across the nation to spearhead Ghana’s cybersecurity efforts by joining the conversation on how to make the country’s cyberspace safe and more resilient. This would facilitate effective implementation of cybersecurity policies in government and public institutions.
Sector-Initiatives
Performance of the financial sector in recent years has been phenomenal. However, many analysts have attributed the positive strides to enhanced capital levels, strong liquidity profile improvement in corporate governance and the passage of Bank of Ghana’s directive on information and cybersecurity. The 2021 Fraud Report released by the Bank of Ghana depicted a significant decline (97 percent) in successful cyberattacks within the financial sector. It is hoped the new legislation and directive would improve Ghana’s security posture, attract more investors, and boost the economy.
In the absence of local legislation and directive, banks adopted and utilised international cybersecurity best practices and standards such as ISO 27000 and PCI DSS, in which banks are certified and compliant, thereby building trust between the banks and their partners – such as Mastercard, Visa and the international banks.
Recommended measures
The narrative reveals that many vulnerabilities have been exposed, owing to rapid transition to digital transformation. This notwithstanding, digital technology remains the bedrock of the future of banking and other financial services. This underscores the need for all key stakeholders to recognise the relevance of securing the banking sector and its financial system as critical information infrastructure (CII), and a major economic stimulant tool. In view of this, the following recommendations are proffered for implementation at the national and institutional levels.
National level measures
At the national level, the digital transformation that is earnestly required to drive financial inclusion, and to accelerate growth of the banking sector could be facilitated through practical implementation of cogent measures. First, it is instructive to state the success of any fight against cyber threats within the financial services sector; and the economy as a whole is pivoted around effective collaboration among major national institutions such as the Bank of Ghana, Cyber Security Authority, Financial Intelligence Centre (FIC), Economic and Organised Crime Office (EOCO), the Criminal Investigations Department (CID) of the Ghana Police Service, among others.
Second, it is imperative for the regulator (BoG) to ensure effective collaboration with key stakeholders such as the Ghana Association of Banks (GAB) and Cyber Security Authority to cause a thorough review of existing banking sector cyber security directive. The review could be based on the risk dimensions while ensuring its alignment with the national directive and the Cyber Security Act of 2020, Act 1038.
Third, content of the Memorandum of Understanding (MoU) signed by GAB and CSA could be practically implemented to help banks build the requisite capacity, create awareness, ensure regular engagements and professional exchanges, and build strong ecosystem of knowledge. Further, BoG, GAB and CSA could ensure effective collaboration toward sensitising the general public on recent trends and developments in cyber threats, and strategic ways through which customers could assure their personal safety and protection from the snare of predatory cyber hackers.
Fourth, it remains imperative for a multi-stakeholder engagement strategy to be adopted for implementation through partnerships. This initiative has the potential to enhance stakeholder knowledge of cybersecurity-related laws, and foster collaborative environment that would lend strong support to capacity-building and law enforcement across various sectors.
Fifth, the establishment and operationalisation of sectorial Computer Emergency Response Teams (CERTS) with clear mandates remain an important need in the fight against cyber threats. This would allow the Cyber Security Authority to maintain general oversight in the area of incident reporting. Further, it would effectively equip CSA to establish trends and devise strategies that would ensure its preparation for risks, and to minimise the incidence of recording potential risks.
Finally, collective and concerted efforts of key stakeholders toward organisation and operationalisation of industry-wide fora before the end of the current financial year would lead to the socio-economic benefit of the banking industry, and by extension, to the economy as a whole. This has the potential to increase engagements with other regulatory bodies, increase rate of information and intelligence-sharing.
Institutional level measures
At the institutional level, banks and other SDIs are entreated to initiate and implement proactive measures that will ensure their effective protection from the escalating risk of fraud. Proactively, it behooves banks to ensure adequate preparation for any unforeseen fraudulent activities through periodic updates, communication and testing of fraud response plans. Various banking institutions must conscientise their employees and customers on increasing cyber threats, including bank fraud and the tendency for cyber criminals to attempt to exploit the human element when staff are conducting business in a remote working environments.
Significant progress in the fight against bank fraud could be made if the risk and compliance departments liaised with human resources (HR) to roll-out updated awareness training on cybersecurity that is carefully tailored to underpin prevailing challenges and circumstances.
Banks have whistle-blowing policies in place with multiple channels for concerned employees, customers and members of the general public to voice out their concerns. Banking institutions developed requisite mechanisms, structures and incentives that encourage whistle-blowers to step forward with valuable information, including issues related to ethics in the workplace and compliance.
This initiative adds social and practical value to provisions in Section 12 and other related sections of the Ghana Banking Code of Ethics and Business Conduct which tasks individuals to report any major acts of irregularity observed in the workplace. Other financial institutions are encouraged to emulate the sterling examples of the banks. To ensure further improvements, boards of various banking institutions are entreated to deepen their knowledge in technology-related matters, and institute pragmatic measures that will enhance competitiveness and accelerate growth of their respective banks.
Internal fraud amounts to breach of trusts, and often leaves employers with the feeling of betrayal. The latter has the potential to trigger immediate action which may ultimately compound the situation. As a result, it is essential for employers to keep an open mind in such situations since there may be logical explanation for the discrepancy that may not be immediately obvious.
Extant research revealed intelligence-sharing is critical in preventing thematic frauds from replicating in several institutions. Indeed as a community of banks, we have made a lot of progress in this area; but more needs to be done to rid the system of cyber miscreants.
Conclusion
Digital ecosystems have come to stay. As a result, it is imperative for banks to actively engage in them to create value for stakeholders. However, there is a caveat. That is, realisation of the objectives hinge on the development of sophisticated, preventive and post-attack response programmes. Improved cybersecurity systems are analogous with adequate protection of data integrity and privacy in processing, transmission and storage which are essential prerequisites for successful delivery of digital financial services, products, and operations.
Actualisation of the foregoing by all key stakeholders would imply strategic and practical implementation of measures outlined in the Cyber Security Act of 2020, Act 1038, BoG’s cyber security directive for the banking sector, and actualisation of relevant Sections of the Ghana Banking Code of Ethics and Business Conduct. With this, I believe I have done some justice to the subject matter, and highly welcome other thoughts on the subject as the case may be.
>>>the writer is CEO, Ghana Association of Banks (GAB). He delivered this speech at a breakfast meeting by NetGuardians & BlueSpace in Accra.
Bibliography
1. Bank of Ghana. (2020). 2019 Banking Industry Fraud Report. Accra, Ghana: Bank of Ghana.
2. Bank of Ghana. (2021). 2020 Trends and Statistics. Accra, Ghana: Bank of Ghana.
3. Bworldonline.com. (2022). Protecting against Fraud in an Increasingly Digital World. Retrieved from https://www.bworldonline.com/special-features/2022/05/13/448617/protecting-against-fraud-in-an-increasingly-digital-world/
4. Chapman, M. (2021). Fraud in the Digital world: Prevention is better than investigation. Retrieved from https://www.azets.co.uk/news-insights/articles/fraud-in-the-digital-world-prevention-is-better-than-investigation/
5. Durant, A. (n.d.). Fraud against Banks Will increase in 2020 and Beyond Due to Lockdown Stresses. Retrieved from https://www.globalbankingandfinance.com/fraud-against-banks-will-increase-in-2020-and-beyond-due-to-lockdown-stresses/
6. Hyduchak, S. (2021). Identity fraud in the new, post-pandemic digital world. Retrieved from https://medium.com/goaver/identity-fraud-in-the-new-post-pandemic-digital-world-ec4008ae9efc
7. Interpol. (2020). Retrieved from file:///C:/Users/23350/Downloads/COVID-19%20Cybercrime%20Analysis%20Report-%20August%202020%20(1).pdf
8. KPMG. (2022). Ethics and business conduct in the banking industry – Survey. KPMG.
9. Oberoi, S. (n.d.). Tackling cyber security in a world of digital ecosystems. Retrieved from https://www.tcs.com/perspectives/articles/tackling-cyber-security-in-a-world-of-digital-ecosystems
10. Raza, M. (n.d.). Role of cyber security in the digital world. Retrieved from https://trainthelearner.com/role-of-cyber-security-in-the-digital-world/
11. Rogoyski, A. (2017). Managing fraud in a digital world. Retrieved from https://www.cifas.org.uk/insight/fraud-risk-focus-blog/managing-fraud-in-a-digital-world
12. Scholz, M. (n.d.). Can banks achieve digital transformation without a product manager? Retrieved from https://www.globalbankingandfinance.com/can-banks-achieve-digital-transformation-without-a-product-manager/
13. World Economic Forum. (2020). Partnership against crime: Insight report 2020. Retrieved from https://www3.weforum.org/docs/WEF_Partnership_against_Cybercrime_report_2020. pdf#:~:text=Cyber%20criminals%20steal%20an%20estimated%20%24600%20billion%20 per,the%20most%20disruptive%20and%20economically%20damaging%20criminal%20a ctivities.