Advanced Search

Address by Mr Y Googoolye, First Deputy Governor Bank of Mauritius at the launch ceremony of a Visa Awareness Campaign on Card Safety and Security at Labourdonnais Hotel, Caudan Waterfront, Port-Louis on Monday 16 March 2009

Mr Niehaus1
Distinguished Guests
Ladies and Gentlemen

Good afternoon

It is indeed a great pleasure for me to be among you today to launch this “Card Security Week”. The immediate effect of an awareness campaign on card safety and security is that users of cards are encouraged to exercise greater care in keeping their cards safe, and other stakeholders, banks, card issuers, merchants etc to better appreciate the risks involved in the use of cards. As time passes, people tend to relax their attitude because they start feeling that it won’t happen to them or firms start believing that they have foolproof systems. Therefore it is important to run such campaigns regularly.

In the course of this week, a lot will be said and discussed on card safety and security. Card safety and security forms part of a broader issue, which is the fight against financial crime. Today, I have chosen to share with you some thoughts on how a proper understanding of the responsibilities of the main stakeholders, that is the Bank of Mauritius, financial institutions and consumers can help in that fight. Before proceeding any further, let me set the scene and briefly touch on the situation regarding the use of cards in Mauritius.

Background
The growth in ATMs and in the number of transactions using credit and debit cards has continued to be positive. In December 2008, we had 364 ATMs and the number of transactions using credit and debit cards stood at around 5 million for an aggregate value of Rs11 billion. The number of cards in circulation was 1.2 million, that is more than one card per adult population. The increased use of cards mirrors an increased sophistication of users of financial products as well as increased financial capability. Further, as I had mentioned in one of my previous addresses, it has been empirically established that increased use of credit cards is positively correlated with economic growth and exports. One of our banks introduced some two or three years ago the Chip and PIN card, an innovation in the card business. I won’t go into the technical details of this type of card, but as Sandra Quinn of APACS, the UK payments association remarked in the Banking Technology Magazine, Chip and PIN has proved to be instrumental in reducing card fraud in the UK high street. The increase in card fraud losses in 2008 in UK was due to UK card details being stolen and cloned for use in countries not yet upgraded to Chip and PIN.

This brief overview gives you an indication of where we actually stand. I now return to the theme I want to address you today, the responsibilities of the central bank, financial institutions and consumers in fraud prevention. The Bank of Mauritius has a critical role to play in creating an environment where adequate standards are maintained. It establishes expectations, norms and responsibilities through regulation. Financial institutions on their part need to have adequate IT systems and controls to address the risks in their businesses. They also need to provide access to relevant information to consumers of their financial products. Informed consumers have the responsibility to protect themselves from the risks that they can best manage.

Bank of Mauritius
The Bank of Mauritius has the responsibility of maintaining the stability of the payments and financial system. This responsibility hinges on the orderly  development and efficient functioning of the system. The Bank has taken a number of initiatives to further modernize the payments system among which are the Cheque Truncation Project, the implementation of the International Bank Identification Number (IBAN) and the upgrading of the MACSS. The main objective of Cheque Truncation is to enable cheques to be exchanged and cleared on the basis of electronic presentment of cheque images and cheque MICR Codeline data. It provides a number of benefits: faster clearing cycles, faster cheque tracing and cost reduction, the most important one being operational risk reduction through enhanced security and automatic detection of forged instruments. Our banks are increasingly engaging in cross border transactions and the Bank of Mauritius implemented the IBAN, which provides a secured and transparent means of international fund transfer via Straight Through Processing (STP). With a view to furthering facilitation of cross border transactions in the region, the Bank will be a participant and the settlement bank in the Regional Payment and Settlement System (REPSS) of the COMESA Clearing House. The MACSS represents the main architecture for local electronic payments involving the Bank of Mauritius, banks, government and large taxpayers. This core application, which is based on international best practice, was recently replaced. It provides for advanced queue management for liquidity purposes, enhanced security, increased availability and reduced transaction costs. The application is very versatile, allows for multi-currency transactions to be effected and provides a single platform for local and cross border payments. The Bank is currently carrying out on-line auctions of Treasury Bills, and their automatic settlement using the new MACSS application will follow shortly.

A sound regulatory framework for financial institutions under the purview of the Bank of Mauritius complements these initiatives. Our action is targeted at making financial institutions understand that financial crime risks of which fraud risk is an integral part, are risks that need to be managed like any other. In our Guideline on Operational Risk Management and Capital Adequacy Determination, we require banks to collect information on internal loss for business lines, which includes loss related to internal and external fraud. This information would allow us to compare fraud experience across the industry and to better understand the anatomy of fraud risk events. We are not directly engaged in fight against financial crime but our objective is prevention. So, as regulator, our focus is on building the defences, our regulatory framework. For example, a financial institution, as defined under the Banking laws cannot do business without the authorization of the Bank of Mauritius. Before granting the licence to a financial institution, the Bank does an intensive screening of the shareholders and senior officers as we need to be satisfied that persons of doubtful integrity are not in control within or appointed at top positions in financial institutions. We set down requirements for financial institutions to establish and maintain effective systems and controls for managing their risks, including countering the risk that their institutions are used to perpetrate financial crime. If a fraudster forces the gate i.e. if an actual fraud is perpetrated, it’s not our role to investigate into the fraud, it’s that of the police. However, we would look at the systems failures and require corrective measures from the financial institution. Our action complements that of other stakeholders i.e. financial institutions, police, government, other regulatory bodies, other institutions engaged in fighting financial crimes, as well as the consumers themselves.

Financial Institutions
Financial institutions have strong incentives to fight fraud. Frauds costmoney. Frauds can have damaging effects on financial institutions’ reputation, customers and markets. In this context, financial institutions usually develop fraud strategies, and put in place policies and processes to manage fraud risk. However, for any fraud strategy to be effective there should be strong internal governance. Board members and CEOs should be involved. The Board and senior management should be proactive in taking responsibility for identifying and assessing fraud risk and the adequacy of the controls put in place. They should allocate the responsibility for the dayto- day management of fraud risk to a senior officer. There should be clear lines of communication whereby fraud incidents are reported to senior management and the board.

Two areas which financial institutions need to address with respect to card fraud immediately come to mind. Firstly, there should be appropriate technology to protect against cloning and adequate IT security to prevent data leakage. Secondly, frauds are not the work of outsiders only. Sometimes they come from within the financial institutions themselves. This is where financial institutions are called upon to exercise due care when recruiting. There should be proper screening of employees, anti-fraud training of staff, staff need to apply customer due diligence and take appropriate measures to prevent money laundering and credit delinquencies. The culture of compliance should be embedded throughout the organization.

Financial institutions have more and more recourse to outsourcing in their endeavour to cut down costs. This is not a bad thing in itself. However there is too much reliance on the terms of the contracts and not enough assurance for example on how third parties vet their employees and on how secure customer information is. Our Guideline on Outsourcing for Financial Institutions sets down the risk management framework and assists financial institutions in identifying the nature of risks involved in outsourcing and in addressing them effectively.

Consumers
In the fight against financial crime, consumers also have an important role to play. While financial institutions and the regulator need to make available easily accessible information, consumers have the duty to inform themselves. An informed consumer is a better protected consumer. The Bank of Mauritius launched as part of its 40th anniversary celebrations a customer education programme to create better awareness in the public. The Mauritius Bankers Association is also actively involved in informing and educating consumers. There are things though that consumers can best manage themselves; it may happen that they become victims of fraud out of their own negligence. They are responsible for the safekeeping of their cards, they should keep their PIN secret or disclose their Card Verification Value (CVV) only in secured payments sites. Consumers have the responsibility to be honest and may also become whistle-blowers. This leads me to an important aspect of the fight against financial crime, the need for the collaboration of all.

Cooperation
Financial crime causes real harm to society, from the retired consumer losing his life savings, to the financial institution losing hundreds of millions of rupees and reaching as far as financing terrorist activities. It just cannot be the job of only one body. Already there exists industry cooperation but it needs to go further. There should be increased sharing of intelligence. Collaboration is crucial; financial institutions, government, regulators, police, consumer associations and public need to work together in this fight.

Conclusion
There are already plenty of good practices in the industry. In the face of the increasing inventiveness of fraudsters, the industry is most of the time lagging behind. We have more and more sophisticated criminals constantly on the lookout for new methods to defraud. The Financial Services Authority UK has recently published its Financial Risk Outlook 2009 and has highlighted that the tighter economic conditions could increase the incidence or discovery of some types of financial crime. This poses real challenges to the financial sector and brings the importance of effective regulation to the forefront. Regulatees often view regulation as an impediment and this is where a change in mindset is required. In most cases of frauds, it has been found that they had occurred because regulations were short-circuited. Regulations are here to help regulatees to conduct their business better and should not be viewed as a barrier.

To conclude I would like to add that just like the financial crisis has triggered the need for concerted efforts to prevent the global financial system from crashing, I am of the opinion that the fight against financial crime can only be effective if each stakeholder brings in his own contribution. The financial sector can then become a very uncomfortable place for the would-be fraudster. It is a matter of comfort, though, that we in Mauritius have not had to experience serious frauds in recent years, which is a testimony to the good regulatory framework we have, the effective processes at the financial institutions and the fact that the public is well informed.
 

1 Mr Charles Niehaus is the General Manager, Sub-Saharan Africa, Visa International CEMEA Region