Editor’s note: This article was first published on the “Beyond Fintech” newsletter on 16 September 2024. Republished here as part of Finance in Africa’s payments intelligence archive, and slightly updated with new developments.
Fraud isn’t going anywhere — and the deeper you look into Nigeria’s financial ecosystem, the clearer that becomes. When this story was first written, it followed months of reporting: conversations with executives across banks and fintechs, interviews with verification and cybersecurity providers, and even a trip to the Ikeja High Court to understand how fraud cases are actually handled.
Those conversations revealed a system where fraudsters move faster than regulations, faster than onboarding controls, and faster than the ecosystem’s fragmented attempts at collaboration. It’s a reality that the CBN has now acknowledged with its new APP fraud draft guidelines, which attempt to restructure liability and strengthen consumer protection across the rails.
The conclusion then, and now, is the same: fraud is a permanent feature of the system. The real opportunity lies with the companies building the verification, security and infrastructure layers needed to contain it.
Fraud on every street
Over the past few years, Nigerian financial institutions have reported massive losses due to fraud. Since 2020, approximately ₦159 billion ($201.5 million) has been lost to various fraudulent activities. This includes fraudulent transactions across point of sales devices, internet banking, ATMs, mobile apps, and digital loan activities. There are also cases of chargeback fraud and erroneous transactions on the part of users.
A digestible rundown of major fraud cases
- Access Bank: In 2023 alone, Access Bank suffered losses amounting to ₦6.15 billion due to fraud. They have since filed lawsuits to recover these amounts, highlighting the scale and persistence of the problem.
- Fidelity Bank: Fidelity Bank lost ₦2 billion in three major fraud incidents in 2023. The bank has taken stringent measures, including blocking transfers to neobanks like OPay and Palmpay, in an effort to curb fraud.
- First Bank: In a particularly egregious case, a First Bank employee allegedly diverted ₦40 billion to various accounts, including those of close associates. The fraud went undetected for nearly two years until a customer complaint triggered an investigation.
- Flutterwave: Africa’s most valuable fintech startup, Flutterwave, reportedly lost ₦11 billion in a security breach in April 2024. This incident followed a previous loss of ₦2.9 billion to a cyber attack in 2023, despite the company’s insistence that no customer funds were lost.
- Wema Bank: In 2023, Wema Bank reported losses of ₦685 million ($594,943) due to fraud and forgery. This led to the suspension of seven fintech partners from its payment gateway platform.
- MTN Mobile Money: The mobile money service of Nigerian telecoms company MTN lost over ₦10.5 billion ($13.3 million) in 2022 to unauthorised transfers caused by a glitch one month after it re-launched as a payment service bank.
The Aftermath
- Union54: Last year, Union54, a Zambian fintech, was forced to halt operations over an attempted $1.2 billion chargeback fraud.
- Blocking of Fintech Accounts: Many banks have started blocking transactions to fintech platforms suspected of being involved in fraudulent activities. For instance, Fidelity Bank and Wema Bank have taken such measures against neobanks.
- Suspensions and Legal Battles: Numerous fintech partners have been removed from payment gateway platforms following fraud allegations. Wema Bank suspended seven fintech partners after reporting significant fraud and forgery losses. Legal battles are ongoing as banks seek to recover stolen funds and hold perpetrators accountable.
- PoS Fraud and Regulatory Response: To combat the rising tide of PoS fraud, the Corporate Affairs Commission (CAC) has mandated that all PoS agents register as businesses. This move aims to increase transparency and accountability among mobile banking agents, who have become popular targets for fraudsters.
Interestingly, a lot more of these incidents are not reported.”How many do they want to report?” asks a seasoned financial crime expert. “Regulations require them to do so, but you have to consider that every customer’s deposit is only insured to N500k (now 5 million), so they have to be careful to avoid trouble.”
The most common method fraudsters use makes it difficult to track. Fraudster team A steals 500 million, moves the money to 20 accounts within the same bank, then moves that money to 60 different accounts outside of the bank
According to our source, once this fraud happens, it’s so difficult to track the money. “I see people complaining that they move it to digital banks or PoS, but that’s not the only way. They can move it to wallets, move it to betting accounts, or take it to a BDC and change the money to dollars. Some withdraw cash at ATMs with a decoy and use the cash to buy stuff in a store. How do you expect all these parties to know where the money is coming from?”
These incidents have led to an ecosystem where everyone is wary of their own shadow. This is just the run down, but any stakeholder looking to the root of this problem might as well hold up a mirror.
Every major fraud loophole
Every financial ecosystem includes diverse stakeholders with critical roles. Financial traders, journalists, mom and pop shops are all important part of the ecosystem. The usual suspects include the financial institutions themselves, tech companies, and regulators. Every party play in a connected ecosystem that fraudsters can exploit at one time or the other.
The KYC loophole
Every financial institution is required by law to know its customers. That’s how we got things like the BVN, or why your bank asks you to bring a utility bill once a certain amount of money hits your account.
However, Nigeria’s KYC process is a fertile ground for several fraudulent practices. One ex-fintech executive describes the BVN as one of the worst things to happen to the financial system. A heavy statement, but we’ll touch on that later.
Between rapid onboarding and security: Several neobanks and fintech platforms prioritise user experience and speed to onboard thousands, if not millions, of users. Now, make no mistake, the usual suspects have done an amazing job in both bringing people into the financial system and in making banking pleasant for those already in. Creation of virtual accounts and wallets made things fast and easy. But this speed and ease come, sometimes come at the expense of security.
Regulations introduced 3 tiers for KYC. Each level lets you send and receive more money. The Tier 1 KYC accounts require only the most basic information from users. Most times, just a phone number. Good for inclusion? Yes. But this has allowed fraudsters to create multiple accounts that allow them to spread the proceeds of ill-gotten money.
Documents we saw reveal that as of June 2023, the CBN and industry stakeholders resolved that the NIN should be the minimum KYC requirement for Tier 1 accounts, in order to combat fraud. However, as of December 2023, some fintechs either did not enforce this requirement or didn’t perform any verification to ensure users were not putting in the wrong KYC details.
The idea was, not everyone has a BVN or even access to a public utility, but most Nigerian adults have some form of ID like the NIN. It’s taken a public CBN directive to force NIN as a mandatory requirement for Tier 1 accounts, but that’s not the end.
Tight measures still have loopholes: Legacy banks typically have high KYC walls, but fraudsters are already scaling them. Here you hear things like the BVN, Utility bill, mother’s maiden name, father’s first primary school (sorry, just joking). However, even these hallowed KYC documents have loopholes that are typically harder to target.
Remember the comment earlier about the BVN? A source explains that fraudsters can get multiple BVNs or fake BVNs from corrupt agents who bypass biometric verification for invalids or disabled people. Sometimes, they used the CBN of deceased people, and the bank is none the wiser.
Worse, data harvesting and reverse engineering from compromised databases for the BVN and the NIN allow fraudsters to open accounts from multiple sources, another source reveals. The recent news on the sale of NIN details for N100 on the black market is further proof of this.
Internal Collusion
They say no matter how many evil spirits plan against a man, that plan will come to nothing unless his chi has a say in the matter. Chi here is an Igbo term that broadly includes personal god, guardian spirit, internal agency, or, in the context of this piece, internal parties at banks or fintechs.
According to the Financial Institutions Training Centre (FITC), Nigerian financial institutions have reported losing ₦159 billion ($201.5 million) to fraud since 2020. A significant portion of these losses, around ₦24.4 billion ($30.9 million), has been attributed to internal fraud and collusion. This includes fraudulent activities across point of sales devices, internet banking, ATMs, mobile apps, and digital loan platforms.
Again, a lot of these instances are unreported, and the KYC loopholes mentioned above, such as the creation of multiple BVNs, are largely possible due to the amount of internal collusion happening in banks.
“Internal fraud is much bigger than you think,” says another fintech executive. “One of the most difficult is a distributed network of colluders spread across different banks. So it’s difficult to detect one breach before it spreads.”
Many banks and fintech companies suffer from weak internal controls that fail to detect and prevent fraud. Employees can exploit these gaps to facilitate fraudulent transactions.
But that’s not where the loophole ends.
User loophole
KYC processes are not foolproof, and one of the biggest loopholes for fraud comes from banking and fintech customers. Many users inadvertently expose their financial details through social engineering tactics employed by fraudsters.
For instance, fraudsters often impersonate bank officials or create fake customer service profiles on social media to trick users into revealing their personal information, such as OTPs (One-Time Passwords), account numbers, and passwords.
Sometimes, users mistakenly send money to the wrong person, the person stops responding, and that would be the end. Seeking redress is quite difficult.
Why is the fight so difficult
Law Enforcement
The nature of Nigeria’s law enforcement and judicial system does little to help the matter. The issue is quite complex, so I’ll oversimplify by grouping scenarios into two. When money is lost, the process of catching the fraudsters begins.
When money is lost: When there’s suspicion of fraud, the CBN regulations require banks or individuals to obtain a court order in order to recover these funds. Whether individual or company, the process for getting a court order to aid investigations is slow and cumbersome.
“The process of obtaining orders is lengthy and bureaucratic. Sometimes, you even have to go outside of Lagos to other high courts to seek redress. At the courts, you now meet clerks and other staff who demand bribes to speed up the process.”
Choosing to involve members of law enforcement, you’d also have to pay them to get them interested in the issue.
The process of catching fraudsters: When you’ve gotten the court order or law enforcement on board, the nature of the fraud typically leads companies facing dead ends. “Once you split money into 60 or 200 different accounts. That’s how many court orders? How many letters? That’s a paper trail spanning over a thousand pages. Where does the police start from?” asks our source.
On occasions where fraudsters are caught by law enforcement, they could easily escape with a bribe.
Global payment networks
A lot of Nigeria’s financial transactions still route through Visa or Mastercard. If you don’t have a Verve ATM card for example, every cash withdrawal, POS payments, or online payment you do with your card goes through those payment giants.
Add the rise of virtual dollar card providers, and you have an interesting situation on your hands. Although Verve usage has been increasing in 2020, these companies still have a major foothold in the Nigerian market.
Unfortunately, these companies are not fully aware of the unique contexts of the Nigerian market, and penalise banks and fintechs for any irregularities they spot. There’s sometimes a lag between a fraud alert from a local bank or fintech before these global payments companies able to respond on time.
I’m glad that Verve usage is increasing, but there needs to be clear regulatory harmonisation.
Regulatory Gaps
While the CBN mandates the use of BVN for customer verification, the implementation across financial institutions has not been consistent. The resolution to implement mandatory NIN was reached in June, but it took several months before it became enforced. But that’s one of the issues.
Sources reveal that several fintechs do not have access to NIBSS’ fraud monitoring systems, and a lack of unified efforts typically leads us to scenarios where a fraudster gets flagged by a bank, goes on to commit another offence at a fintech, and then ends up biting the bank in some way.
Lack of Collaboration
Collaboration, or the lack thereof, is a significant factor that complicates the fight against financial fraud. But this is more complex than you think. For a long time, I used to think fintechs were disrupting the banks or competing. But that’s not the case 90% of the time. Most fintechs still need commercial banks to settle payments and offer other services.
Also, contrary to popular belief, a lot more communication goes on in the fintech space regarding fraud and flagging bad actors. The key here is, it can be much more, and it can be standardised better.
Last year, Flutterwave and a bunch of other fintechs came up with initiatives like Project Radar, but little has been heard of it to date. In his blog post, Olowe, founder of Lendsqr, attributes this to low trust and high levels of competitiveness.
Jude Dike, founder of Getequity, points out that fraudsters are quick to spread the word when they find a loophole, but fintechs are not quick to do the same. One of many traits fintechs can learn from fraudsters is collaboration.
But everything I just discussed is not unique to Nigeria.
Fraud is a big deal globally
Stripe and Adyen are the biggest fish in payments on opposite ends of the pond, but they recently signed a partnership deal with Capital One that will enable them to share data on an open-source platform. They struck this partnership for good reason – financial fraud is a big issue in advanced markets.
According to a report by TechCrunch, the total cost of financial fraud is expected to reach $40.62 billion by 2027, a significant increase from previous years. In the United States, the Federal Trade Commission reported that consumers lost over $3.3 billion to fraud in 2020, a 45% increase from 2019.
This includes losses from identity theft, imposter scams, and online shopping fraud. Similarly, in the UK, Action Fraud, the national fraud and cybercrime reporting center, recorded losses of over £2.4 billion in the same period.
Quick run-down of instances:
- KYC/AML loopholes – Danske Bank Money Laundering Case (2015)
The scheme, used by Russian criminals with ties to the Kremlin and the old KGB and FSB, involved moving money into the western financial system between 2010 and 2014. Read more
- Internal Collusion – JP Morgan Chase, internal scandal
The world’s largest bank lost over $20 million as three different employees did stuff ranging from selling personal information, investment scams to ATM cards.
- User loopholes – Singapore’s OCBC bank
Customers of the Oversea-Chinese Banking Corporation (OCBC) were hit by a string of phishing attacks and malicious transactions in 2021, leading to around $8.5 million of losses across approximately 470 customers.
These samples are from some of the world’s most advanced financial ecosystem, and I could share more, but I think I’ve made my point.
The winners in the fight against fraud
So what have we learned? Until Multivac or Ultron starts autonomously running the global financial system, fraudsters will keep getting better and better. The best we can hope for is a reduction in fraud and that people trust in the financial system. There’s an opportunity for those who will be in the business of making sure this happens. I’m calling them the winners of the battle against fraud, and their services lie beyond fintech.
Verification Companies: This is pretty obvious
As fraud techniques become more sophisticated, verification processes have become sacrosanct. Companies like Verifyme, Seamfix Smile, and Identitypass are at the forefront, providing advanced KYC (Know Your Customer) and AML (Anti-Money Laundering) solutions.
The verification industry has seen significant growth due to increased demand for secure onboarding processes. The global identity verification market size was estimated at $9.87 billion in 2022 and is expected to grow at a compound annual growth rate (CAGR) of 16.7% from 2023 to 2030.
The growing frequency of identity-related fraud and cybercrime has increased digitisation initiatives, and verification companies will be needed to proactively plug loopholes that fraudsters might exploit. Remember the use of details from deceased persons? Well, you should have noticed how fintechs are doing liveness checks to prevent this. You can check out my interview with Esigie, MD of Verifyme, here.
Security Firms: Innovations and Their Impact on Fraud Prevention
The cybersecurity market is big—as big as $185 billion in 2024. Security services, a subset of this market, will reach $97 billion. Banking, Financial Services, and Insurance are the largest revenue contributors to cybersecurity firms, and that’s likely going to keep growing.
[Insert chart]
Security firms have been crucial in the fight against fraud in Nigeria. You have companies like Signal Alliance, Cybervergent, and Cyberspace all playing in the space for as long as 28 years. You can check out my interview with Bamidele Obende, of Cybervergent (formerly Infoprive), on the battle against financial fraud.
AI and infrastructure companies
Before you start rolling your eyes, please hear me out. A lot is happening in Artificial Intelligence in Africa that’s not consumer-focused. Instadeep, one of the major acquisition success stories from Africa, runs an AI-powered service for enterprise companies. Months before the LLM hype we see now.
There are a bunch of other startups like Dataprophet, Aerobotics, Rxall that are building AI-powered products for industries in manufacturing, agriculture and healthcare. These are companies that have raised venture capital, but there are other upcoming companies building infrastructure to support other companies.
Tegence, a budding AI startup, is building an AI infrastructure for verification companies to account for more edge cases in verifications. One such edge case is to make sure people’s faces match the faces on their ID cards. This is especially relevant when there’s a massive age difference between the face on the ID and their current look.
These are opportunities in less regulated areas, and you mostly have to pay attention to NIMC regulations.
Other options: Training Services for startups and law enforcement, insurance fraud protection.
Fintechs Taking the Amazon Approach
Amazon did something great by turning cost centres into revenue-generating models. Banks and fintechs can tow the same line by changing their in-house fraud prevention and security infrastructure into services can be offered to other companies.
Stripe built a fraud prevention tool called Radar and now offers those services to other companies. Some fintechs I’ve spoken to are already talking about building their own internal KYC platform. When that happens, the landscape will be interesting to see.
Banks, with their Holdco structures, can also implement similar services, but that’s highly unlikely. Probably the same for fintechs, but my money is on them considering how nimble they are. Sterling Bank’s entrepreneur-in-residence approach makes it a compelling option.
Well, what do you know. That’s all I have the patience to write about. This was quite long, and sadly, I touched on these issues a bit. If you’d love to find out more about these issues, I’m more than happy to chat or do an intro to some of the executives.
