Share, Educate & Tighten Controls: How to Instill a Strong Telecom Risk & Anti-Fraud Culture

Industry consultants are a vital resource, and they are especially key in a niche sector like telecom risk, revenue assurance (RA), and fraud control.

Telecoms typically staff only a small crew of analysts and experts, so it’s useful to have independent consultants to call on to: fill in knowledge gaps; give impartial advice; improve processes; provide training; recruit talent; and help select systems and vendors.

Fortunately, there are a few deep bench-consultants active in the field and I’m proud that Black Swan has published interviews with independent experts such as Jan Dingenouts, Mark Yelland, Colin Yates, Eric Priezkalns, and Michalis Mavis.

And now we’re pleased to welcome Luke Taylor into the ranks of telecom risk/RA/fraud consultants.  Luke is an industry veteran and a frequent Black Swan contributor.  Many will recall that for many years he was the Chief Commercial Officer at Neural Technologies in the UK.  He has now founded his own business, Lateral Alliances.

In our discussion, Luke dives deep into risk issues that affect the African continent, having just returned from a Risk & Assurance event in Nairobi, Kenya.  He also covers the steps operators should take to educate staff and customers in fraud prevention and do a better job of assuring against mobile service abuse.  Finally he explains the philosophy of the Risk Reward Awards program he started and his advice for improving conference programs and industry sharing.

	Dan Baker, Editor, Black Swan: Luke, you’ve spent a great deal of your career working with operators in Africa.  What’s your perspective on risk and telecom trends on that continent?

Luke Taylor: Dan, it’s hard for people living in mature markets like North America and Europe to fully appreciate what the African market is like.

In developed economies, the telecom space is a saturated marketplace and even though the margins of profitability are somewhat leaner, there’s much more business opportunity to pursue due to the facility of credit.  The financial infrastructure and post-paid billing in advanced nations buttresses telecom and generates far greater revenue per customer/subscriber.

By contrast, with the exception of South Africa, about 85% of consumers in Africa use pre-paid phones, the market for broader consumer financial services in Africa is still immature.

The vast majority of the African population is “unbanked”.  Now a few years ago McKinzey did a study to measure the size of the unbanked population around the world.  They found, for instance, that 8% of the population in advanced countries are unbanked.  But the unbanked number is Asia was a high 58% and in Sub-Saharan Africa it’s 80%.

This is why the great popularity of mobile money in Africa is a big factor driving economic progress.  People are using mobile money to send money to one another, to save cash, and to buy things right off the phone.  It’s given consumers a financial capability and empowerment they never had before.

	And I imagine another big issue is the lack of national credit bureaus.

Yes, in North America, there are 5 or 6 independent credit agencies that can evaluate the credit risk of a potential customer.  Is the guy buying a car a safe risk to entrust a five year automotive loan to for example.

But in Africa, debit and credit cards are a rarity.  With the exception of South Africa, you rarely find a proliferation of banks or ATM machines except in the big cities.

When I was Chief Commercial Officer at Neural Tech, I worked closely with Safaricom in Kenya, who has the biggest mobile money operation in Africa by far.  And they’re using that leverage, to offer loans, sell insurance, be paid a salary, pay utilities, hire taxis, etc. — and all that business is done through the phone.

Since a fully developed financial credit infrastructure does not exist in Kenya, Safaricom itself must essentially become its own credit bureau.  So how do you do that if there’s no reliable street address, zip code, etc for so many people?

You do it by analyzing user behaviors and transactions on the phone.  When you do that properly, you’ve created an invaluable credit database that can be extremely useful for taking commerce to the next level.  It gives you the risk intelligence to: identify low-level corruption or measure the business risk of a loan.

I foresee telecom service providers making great inroads, further diminishing the number of unbanked on the continent.  They will also provide a platform to instigate wider credit and lending facilities that ultimately allow more commerce and increase gross domestic product.

I am excited for the future of the Africa continent: they can adopt newer technologies; they are not hindered by legacy infrastructures; and they are innovators when it comes to commerce.  There are over 1.2 billion people in Africa, imagine what that 80% unbanked can do when they become ‘banked’.

	Educating the African consumer to avoid fraud risks must be another big challenge.

It is, and Wangiri fraud is a perfect example of that challenge.  It is important to note: this is not a new fraud. It has been around a while and impacted most countries around the world.

In Wangiri fraud, the fraudster is banking on people’s natural courtesy to return a missed call.  I suspect this is a massive problem in Africa and Asia because people in those regions naturally enjoy talking on the phone, whereas Western countries have seen a trend to communicate more through messaging and emailing.

Communication Service Providers need to invest in educating through advertising, social media, in their shops, outlets, agents, their customer care departments, through texting their customer base, etc.  The consumer of course also needs to ensure they do not ignore such information.  It takes two to tango as they say.

This is not Africa specific: globally there needs to be more awareness, social responsibility, education, etc.

The goes for using social media safely.  Global consumer fraud education is poor.

Information you post about yourself on your Facebook page and other social media platforms is basically an open invitation for fraudsters.

Over time, the fraudster — with some social engineering — can build up enough info to replicate you as a person, then hack into some of your accounts and do an account takeover.

There are about 7.7 billion people in the world, about two thirds of these have a mobile phone.  The mobile phone has become an extension of ones’ self.  It’s rare when you don’t see someone with a phone stuck to their hand or face.

Yet people don’t realize the risks posed by not properly guarding their mobile phones.  My laptop computer is far more protected because it’s equipped with up-to-date firewalls, anti-virus software, and is physically located in my home or in a bag I always keep near me.

But do people take the same precautions with their mobile phone?  Does it have the latest security, password controlled?  Left unattended, on a table top, on their desk, a fraudster can find your entire life, your social life, your business life, your friends, contacts, memories, your finances, etc.  If you leave your mobile phone unattended and it falls in the hands of a fraudster, what could they do with this device?  My bet is a lot.

Most banking authentication processes use your mobile phone.  Many of us do financial transactions and authenticate ourselves on a mobile phone via a call or SMS.  So what happens if a fraudster uses social engineering to successfully redirect all communications and access to your banking? 

This goes for mobile money as well: consumers are being duped into providing info that results in them being robbed of their cash, savings, etc.  Mobile Money has taken some amazing and significant steps to bank the unbanked, but these security issues need to be locked down before they cause irreparable damage.

So awareness and crucially education of fraud risks in telecommunications needs to be raised on all continents.

	When you go in and consult an operator, how do you address the issue of educating on fraud and risk awareness?

Dan, telcos need fraud training from top to bottom: from the C-level execs right down to the customer care agents.

If C-Level execs don’t fully understand and appreciate the principles and culture of good fraud prevention, they are not going to instill that mission in the lower departments.

And I’ve found the best way of educating C-Level people is to emphasize the hard dollar losses experienced in IRSF, Wangiri, and roaming fraud.  These are costs the service provider has to physically pay out.

For instance, if a typical IRSF hit is a loss of $40,000 cash, what’s that really mean in terms of ROI — a language execs understand?  Well, if the profit you expect on any investment is 10%, then a $40,000 IRSF loss is the same as investing $400,000 in a new service that earns a zero return.

Frankly, in the middle management ranks, there’s often push back against having a strong fraud, risk, or revenue assurance culture.  People view it negatively, as in “If we push too strong on risk control, we restrict our customer on-boarding; we will not be competitive or won’t make our revenue targets.”

This fear is overblown.  The biggest remedy is to simply tighten up in certain areas.  For instance, when new services are launched with a bucket of free calls, they need to put clauses in their contract about how phone calls can be used, etc.  This enables you to prosecute illegitimate use of the service.  You need to review the proposed offer, the tariffs, the margins, the fluctuations in interconnect, currency exchanges, etc. that could impact profitability of a new tariff.

By the way, all sorts of training is required, such as 1) teaching the management team to cooperate in identifying fraud and risks; 2) learning to properly work with third parties and consultants; and 3) sharing information with independent bodies.

	Telecoms have been at the risk and fraud control game for a long time, but fraud losses are still high.  Why is that?  And how can revenue assurance and fraud control departments have a greater impact.

It would be much simpler if telecom remained the same year after year.  But the industry is constantly evolving as telcos implement technology like 4G and 5G and launch new Value Added Services to retain or attract customers.

It’s a double-edged sword.  An operator differentiates itself by delivering and managing increasingly complex services and the billing to support them.  Yet complexity also opens up opportunities for operating errors to multiply and for fraudsters to abuse the system.

Revenue Assurance’s job is to screen new services to ensure the revenue is being collected and the margins are acceptable.  But what’s often missed is closing avenues for abuse of a new service.

Marketing introduces new promotional offers that potentially increase revenue but sometimes can do the opposite.  For instance, a customer could make thousands of phone calls under a new tariff plan and only later the service provider discovers they are losing cents on each call made due an oversight in interconnect rates, call costs, etc.  Or fraudsters discover possible ways of reselling services, undertake Wangiri or IRSF type frauds by abusing the new tariff.

The idea is to start putting roadblocks in front of the fraudsters.  If you make it awkward for them to make money, they may be deterred.  If you make it too easy for them, they will certainly abuse it.  To do this, you need to be vigilant.  Just as vital: revenue assurance, fraud, risk, marketing, finance, compliance, law enforcement departments must increasingly work together. .

	I’ve heard good things about your Risk Reward Awards program.  What’s it about?

The whole idea behind Risk Reward Awards is to raise the awareness of people who have contributed immensely to the telecom risk industry.  This is very different from awards programs where the vendors pitch in some money to get a table at a glitzy ceremony and are guaranteed to win an award with some thrown-in publicity.

We are trying to recognize “lifetime achievers”, the unsung heroes who have worked hard night and day but have not been adequately recognized.  Raising the profile of risk and the achievements and individuals within it, will hopefully help all — increase recognition, budgets, profile and respect.

The awards are across various areas: innovation and ways of tackling risk problems, vendor achievements, collaborative projects, raising the awareness of risk, etc.

Now to publicize Risk Reward Awards, I’ve teamed up with the Risk and Assurance Group (RAG) and I moderate some of the conference panels on their global events program.

	I’m reminded of the great value of attending conferences and hearing many points of view from experts in this risk and fraud control profession.

What I like about the RAG events is the discussions get people comfortable enough to talk freely about some of their issues and best practices.

It’s vital to give a speaking/presentation time to fraud analysts and RA professionals, who can share their local challenges and lessons learned.  This has nothing to do with owning and promoting a risk management system.

Failures happen all the time, and we need to acknowledge that and explain what went wrong.  Making mistakes is not a bad thing, if we can learn from them.  We can’t be too risk-adverse in this business.  We must continually push the boundaries of what we can do.  And we must emphasize collaboration.

To promote greater sharing, I’d frankly like to see bodies like the CFCA and GSMA open up their events more fully to the vendor and consultant community, because the vendors and consultant absolutely need to understand the challenges faced by the operators.  In turn the vendors need to contribute, not hard-sell their products in these forums.

Another problem our industry has is the perception by many service providers that vendors are “merely selling a system”.  Yes, vendors do provide a system, but they also serve a vital role in assessing fraud/risk issues and helping shape a comprehensive fraud/risk solution for the provider moving forward.

So the learning that goes on in open forums is valuable for all parties involved: telecoms, vendors, consultants, regulators, and law enforcement.

Invariably you come away from a conference with 3 or 4 things you didn’t know before you came.

For example, at the recent RAG conference in Nairobi, MTN Group showed what they had achieved in robotics and machine learning to improve their risk management activities.  And it was refreshing because instead of a vendor getting up and presenting 4 or 5 flashy but vague slides, MTN actually showed the real results they are achieving.

People could take away something very tangible and say, “Gee, look at what these guys have done.  Maybe we can replicate some of that”.

	Luke, this is all great perspective.  Best of luck as you roam the world and do your consulting.