The aim of this framework is to provide guidance and support for senior management in Momkn to secure online and mobile payments against the risk of fraud. This document establishes the policy and procedures that support Momkn in building a sound internal control system.
Security risks are a significant concern for users of online and mobile payments. The risks of fraudulent access and insecure transmission of personal or payment data are the main threats to online and mobile payment services. This framework document introduces the process of implementing mitigation tools to ensure that a sound internal control system is in place across all transactions in Momkn services.
Fraud monitoring and investigations are managed within the Risk Management Department at Momkn, which has the primary responsibility for implementing the controls required to manage and detect fraud so that the residual risk of fraud stays within Momkn's tolerable limits.
1. The key responsibilities of the Risk Management Head are as follows:
- Perform a Fraud Risk Assessment (FRA) as part of the "Enterprise Risk Assessment".
- The FRA should be performed annually, or as required by Executive Management and/or the Board of Directors, to identify specific potential fraud scenarios for existing products and services and to map each scenario to appropriate mitigating controls.
- All new products and services should be reviewed by the Risk Management Head prior to launch to ensure that proper controls are in place to mitigate the relevant risks and minimize their potential impact on Momkn.
- Put in place an effective mechanism to monitor the effectiveness of internal controls and report the monitoring results to the concerned stakeholders, senior management and the Board for timely action and follow-up where needed.
2. Different types of Fraud Risks
- Unauthorized transactions in customer accounts
- Misappropriation of customer funds
- Accounting fraud
- Abuse/misuse of customers' sensitive personal information
- Identity theft – fraudulent acquisition and use of sensitive personal information
- Friendly fraud – the customer disputes a transaction even though the goods or services were received
- Pharming – website traffic is redirected to a fraudulent site where customers unknowingly enter their personal data
- Phishing – communication that appears to come from a legitimate source is sent in order to steal sensitive personal information
3. Measurement Tools for Mitigating Fraud Risk
All financial transactions processed through the Momkn e-Wallet should be secured against fraudulent incidents by implementing the following system controls:
- The account is locked out after 3 invalid login attempts.
- No sensitive information is stored on the device; any debit/credit card data associated with the e-Wallet is stored encrypted on the Payment Gateway, so full card numbers are never visible to anyone logged in to the customer's e-Wallet device.
- Multi-factor authentication, such as OTP verification, is built into Momkn applications.
- A secure protocol for encrypting card information is built into Momkn applications.
- For web-page payment links, 3-D Secure authentication is built into the Momkn Payment Gateway for all payments made with credit cards and mada cards.
- Whenever a payment is made through the Momkn Payment Gateway, the retailer/merchant receives only limited customer details together with a unique transaction reference.
- For the Momkn Payment Gateway, the retailer/merchant receives only the last 4 digits of the payment card number.
- The system authorizes payments only from credit cards and mada cards issued by banks located in Saudi Arabia, so that 3-D Secure authentication is always applied.
- A merchant's account is automatically deactivated when a high number of cards are declined within a short period; this stops a fraudster from testing a batch of card numbers through the Momkn Payment Gateway.
4. Representations and Undertakings of Merchant
- The shipping address does not match the billing address.
- The order is for an unusually large number of items or an unusually high amount.
- A large order is requested from another country even though the requested items can easily be obtained in Saudi Arabia.
- The customer purchases large quantities of the same item.
- Multiple orders come in with the same shipping address and IP address but are paid for with different cards.
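The velocity control above (automatic deactivation of a merchant after a burst of declines) and the order red flags in this list are both simple enough to express as batch rules over gateway transaction records. The Python below is an added example, not Momkn's own code: the record layout, the threshold constants (DECLINE_LIMIT, DECLINE_WINDOW, LARGE_ORDER_QTY and the rest) and the sample transactions are all constructed assumptions, since the framework states no numeric limits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: the framework states none, so these placeholders must be
# tuned against Momkn's own decline and order statistics before use.
DECLINE_LIMIT = 5                       # declines per merchant that trigger deactivation
DECLINE_WINDOW = timedelta(minutes=10)  # ...within this sliding window
LARGE_ORDER_QTY = 20                    # total units in one order
LARGE_ORDER_AMOUNT = 10_000             # order value in SAR
SAME_ITEM_QTY = 10                      # units of a single SKU in one order
MULTI_CARD_MIN = 3                      # distinct cards paying to one shipping address + IP
HOME_COUNTRY = "SA"


def merchants_to_deactivate(txns):
    """Velocity control: merchants with at least DECLINE_LIMIT declined
    authorizations inside any DECLINE_WINDOW. A burst of declines on many
    different cards is the footprint of card testing with stolen numbers."""
    declines = defaultdict(list)
    for t in txns:
        if t["status"] == "declined":
            declines[t["merchant_id"]].append(datetime.fromisoformat(t["ts"]))
    flagged = set()
    for merchant, times in declines.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            # Slide the window start forward until it fits within DECLINE_WINDOW of t_end.
            while t_end - times[start] > DECLINE_WINDOW:
                start += 1
            if end - start + 1 >= DECLINE_LIMIT:
                flagged.add(merchant)
                break
    return flagged


def red_flags(txns):
    """Evaluate the order red flags against approved transactions.
    Returns {transaction id: [flag names]} for every transaction that hit a rule."""
    # Distinct cards used for each (shipping address, client IP) pair in the batch.
    cards_by_destination = defaultdict(set)
    for t in txns:
        if t["status"] == "approved":
            cards_by_destination[(t["ship_addr"], t["ip"])].add(t["card_last4"])
    flags = {}
    for t in txns:
        if t["status"] != "approved":
            continue
        hits = []
        total_qty = sum(qty for _, qty in t["items"])
        if t["ship_addr"] != t["bill_addr"]:
            hits.append("shipping_billing_mismatch")
        if total_qty >= LARGE_ORDER_QTY or t["amount"] >= LARGE_ORDER_AMOUNT:
            hits.append("large_order")
        if t["ship_country"] != HOME_COUNTRY and t["locally_available"]:
            hits.append("foreign_order_of_locally_available_items")
        if any(qty >= SAME_ITEM_QTY for _, qty in t["items"]):
            hits.append("bulk_same_item")
        if len(cards_by_destination[(t["ship_addr"], t["ip"])]) >= MULTI_CARD_MIN:
            hits.append("multiple_cards_same_address_and_ip")
        if hits:
            flags[t["id"]] = hits
    return flags


def _tx(tid, merchant, ts, status, amount=100, items=(("SKU-A", 1),),
        ship="Riyadh 1", bill=None, ip="10.0.0.1", card="1111",
        country="SA", local=True):
    """Build a constructed gateway record (the layout is an assumption for this example)."""
    return {"id": tid, "merchant_id": merchant, "ts": ts, "status": status,
            "amount": amount, "items": list(items), "ship_addr": ship,
            "bill_addr": ship if bill is None else bill, "ip": ip,
            "card_last4": card, "ship_country": country, "locally_available": local}


# Constructed sample batch: M2 shows a card-testing burst, M3 has the same number
# of declines but spread 15 minutes apart, and T2..T7 each trip one or more red flags.
SAMPLE_TXNS = [
    _tx("T1", "M1", "2024-01-15T10:00:00", "approved"),
    _tx("T2", "M1", "2024-01-15T10:05:00", "approved", ship="Riyadh 9", bill="Jeddah 7",
        ip="10.0.0.2", card="2222"),
    _tx("T3", "M1", "2024-01-15T10:10:00", "approved", ship="Dammam 3", ip="10.0.0.3", card="3333"),
    _tx("T4", "M1", "2024-01-15T10:11:00", "approved", ship="Dammam 3", ip="10.0.0.3", card="4444"),
    _tx("T5", "M1", "2024-01-15T10:12:00", "approved", ship="Dammam 3", ip="10.0.0.3", card="5555"),
    _tx("T6", "M1", "2024-01-15T10:20:00", "approved", amount=500, items=(("SKU-B", 12),),
        ip="10.0.0.6", card="6666"),
    _tx("T7", "M1", "2024-01-15T10:30:00", "approved", amount=12_000, items=(("SKU-A", 25),),
        ship="Dubai 5", ip="10.0.0.7", card="7777", country="AE"),
] + [
    _tx(f"D{i}", "M2", f"2024-01-15T09:0{i}:00", "declined", card=f"9{i}{i}{i}") for i in range(6)
] + [
    _tx(f"S{i}", "M3", f"2024-01-15T{11 + i // 4:02d}:{(i * 15) % 60:02d}:00", "declined")
    for i in range(5)
]

if __name__ == "__main__":
    print("deactivate merchants:", sorted(merchants_to_deactivate(SAMPLE_TXNS)))
    for tid, hits in red_flags(SAMPLE_TXNS).items():
        print(tid, "->", ", ".join(hits))
```

Both functions return their findings rather than acting on them, so the output can feed the reporting step the framework assigns to the Risk Management Head; the sliding window in merchants_to_deactivate is what distinguishes a real card-testing burst (M2) from the same number of declines spread across a morning (M3).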
5. Monitoring Fraudulent Scenarios
The Risk Management Head should put in place a systematic tool to monitor payment gateway transactions and detect fraudulent transactions based on the red flags defined below, to assess the severity of any deficiency identified, and to report the monitoring results to the concerned business process/control owner who is in a position to implement the required corrective measures.
6. Red flag in Payment Gateway Services:
By paying close attention to how fraud or suspicious activity may occur, we can minimize fraudulent transactions in e-Wallet and merchant services.
Once a suspicious transaction has been analyzed and findings drawn from it, the Risk Management Head should report the results, along with the appropriate recommendations and corrective measures, to the concerned stakeholders so that the required action can be taken.
7. Conducting Investigation on Customer/Merchant Dispute Caused by Fraud
Fraudulent claims fall in two categories as follows:
- Claim request received from merchant account holder.
- Claim request received from an external party (e.g. card-issuing banks)
8. Claim request received from merchant account holder:
If the reported transactions were not performed by the authorized merchant account holder (for example because the mobile phone was stolen), the following steps should be taken:
- The merchant is obliged to report the loss of the mobile phone or the fraudulent transaction immediately.
- The merchant's account should be blocked immediately.
- Request the claimant (i.e. the Momkn merchant) to re-activate the account with a new PIN.
- Conduct a full investigation of the claimed transaction and if found legitimate.
9. Claim request received from third party:
If the reported transactions were performed by the authorized merchant account holder using a third party's credentials (e.g. mada or credit cards), the following steps should be taken:
- The merchant account holder should be blocked.
- Verify and confirm that the card used had 3DS enabled.
- Request the claimant (i.e. the external party) to contact the issuing bank to carry out the required investigation and to update Momkn with the result of the investigation along with the supporting documents. If the claim is valid and the transaction amount is available in the Momkn merchant's account, the claimed transaction is voided on the payment gateway and refunded to the card.