Mobile money is a national security risk!

In 2015, Commercial Court Justice Christopher Madrama ruled in Katuntu vs Mtn Uganda Ltd & Anor that mobile money services offered by telecommunication companies, although acting as financial institutions lay outside the purview of the Bank of Uganda.

This development prompted lawyer Mathew Kiwunda to sue the Attorney General, to prohibit government from continuing to levy, impose and collect taxes on all mobile money transactions in the country until proper legislation is enacted.

Prominent lawyer, Fred Muwema has also put his gloves on in the ring and has threatened to sue the state, arguing that passing the mobile money tax would be in contravention of the constitution since there is no law regulating their operation.

The Bankers Journal spoke to Mustapha B. Mugisa, a cyber security and forensics expert at Summit Consulting Ltd, about the merits of the case for regulation of the mobile sector and what that regulation should include, among other things. Below are excerpts of the conversation.

The Bankers Journal (TBJ): Mobile money constitutes a large portion of the Ugandan economy, commanding transactions worth sh63.1 trillion in 2017 and over 20 million accounts. Could you take me through some of the concerns you have about the platform?

Mustapha B. Mugisa: I don’t have any concerns. Mobile money is the best innovation that has transformed financial inclusion. When you look at mobile money, it is an innovation which came as a value-added service for telecom companies. If you go to many developed markets now you find that there is decreased reliance on voice as a contributor to their total revenue. Telecom companies must continuously innovate aggressively to see how they leverage from their network and many subscribers to optimize.

It is always very difficult for laws to be ahead of innovations. This is why internet came long-time, but it has taken Europe just last year to come up with the General Data Protection Regulation (GDPR) and America is also just drafting one.  In Uganda we do not yet have one; we even do not have a private data protection law yet every entity keeps lots of people’s private data from banks to utility companies to private companies like legal firms.

Mobile money has given people convenience, using the customers mobile phone number as the user ID or their unique ‘mobile bank’ account. I do not mind you calling it mobile banking because for the customer, there’s no need to worry about what is happening in the back end. The simple test is can I access my money whenever I need it.

Telecom companies are offering a huge subscriber base which banks could not reach; anybody who has a mobile phone is a potential customer of the mobile money service. My mother in the village receives mobile money in rotation from all her children and grandchildren. I don’t think that would have been possible without mobile money. The nearest bank branch is 25 kilometers away. And the mobile banking agent is in Buhimba, another 13 kilometers away. Nothing beats MoMo.

TBJ: Do you think commercial banks should make a move to acquire telecom licenses?

MM: Well, I do not think so since most, if not all, commercial banks do not have the required capital and infrastructure to operate a telecom license. Telecom business is capital intensive. On the other hand, it is easy for the telecoms to get a banking license and play that space because they have everything needed to operate as a commercial bank. Unbundling mobile money business into a fully-fledged bank is possible. It only needs registering a new entity and obtaining a banking license as per financial institutions act, laws of Uganda! The deal breaker would be deposit mobilization and customer acquisition. Telecoms have these in plenty.

Also, it is easier for customers to switch between banks than it is to switch between telecom companies in absence of number portability – using one number to access all telecom services across all networks. Today, if one stopped being an MTN customer they may lose their contacts saved on the SIM card unless they are tech savvy. Majority are not. They use cheap phones with small phone memory and therefore the SIM card doubles as storage device for contacts and messages. Most critical, they would be unable to use their mobile money profile.

Telecommunication has become a big enabler of the economy. If telecommunication systems were to collapse today, the economy would go backwards to pre-1998 before MTN came into the market, a time when one had to send letters by bus to relatives in the village or visit to give money to relatives that is less than the transport spent!

TBJ: What salient issues should be included in regulation for the platform?

MM: There are several issues when it comes to regulating mobile money. Major concerns based on research are the exchange of cash.

For instance; who can issue mobile money and what minimum operating standards must they observe? There should be proper regulations on how to appoint and manage telecom agents. Of course, this is a big issue since there has been a lot of fraud attributed to telecom agents in the past.

Then, there is the issue of compliance with the anti-money laundering laws re Know Your Customer (KYC). Most telecoms have integrated their systems with commercial banks and somebody could infiltrate the banking system through the money mobile system.

You find that the KYC has properly been done for some telecom customers but not for others; it is hard to tell the extent sim cards have been verified, that is for government to determine.

As telecom fraud examiners, we still find very big challenges. People can use their cards to hack an agent or go through someone’s account through sim-swaps or other schemes. So there can be theft and you cannot know the identity of the person who stole from you.

When opening a bank account, there are clear requirements by the Central Bank for KYC. So the same stringent requirements should be applied to the telecoms. We (Summit Consulting) have investigated bank fraud cases in the past where fraudsters transfer money from people’s bank accounts to several fictitious mobile money registered numbers and withdraw at various mobile money agents. These frauds were possible because banks would not link a specified mobile number in the core banking application to the mobile banking application. Meaning any one with a correct bank account number in the bank’s core banking would be allowed to register any mobile number for mobile banking.  We discovered that over 130 mobile money numbers had been registered fraudulently by a single telecom Agent code at the same time, and the same numbers had been used to commit the fraud. The starting point in the investigations is to trace the Agent who registered the numbers. They would tell you someone asked them to register and they never kept their IDs. Because their targets is to register many people, they lack the risk management element. This case happened in June 2016 after UCC issued instructions for total SIM card registration!

Mobile banking law must define clear regulations for all parties involved in the mobile banking ecosystem. Mobile money agents are a weakest link in the banking ecosystem as they could be conduits for money laundering since their systems have a connection lag to update transactions for purposes of money laundering reporting especially where criminals deliberately split transactions across multiple agents.

Then we also have the issue of mobile money system transparency. Transparency is a strong indicator of good governance. Are telecoms opening up their house for us to be able know what is actually going on? Do they publish their results as far as mobile money is concerned? What is the frequency? What are the user right facts? Unlike banks that are required annually to publish accounts, telecoms have never published their detailed results in respect to mobile money. So far, we don’t know the treatment of possible interest earned on deposits. Telecoms never enforce next of kin details, what happens to one’s mobile money balances when they die intestate? How much of such money is with mobile money unclaimed? Where does it go? Which law provides for its management? How is an idle mobile money account defined? We have never seen a published list of idle MoMo accounts with balances.

And then of course, there is need to monitor how the telecommunication companies apply exchange rates for foreign money transferred. You see there is a lot of money which is put into mobile banking environment, sometimes from abroad. If you are going to do international transfers of mobile money, there is need to protect the customers from being cheated by the exchange rate. If I want to exchange money, I go to the forex bureau and negotiate or I can call my bankers and negotiate but this does not happen with the telecom companies; this is the case because the transaction is automatic. The future of mobile money is facilitating international money transfers. Already we see partnerships being signed with international money transfer players like Western Union, Money Gram and Remit to mention but a few. The issue of exchange rate is critical as someone stands to lose at currency conversion.

The other area of big concern would be transfer of money between different parties. In this case we are looking at what is the mobile money platform because if you look at mobile money eco-system, there are so many parties involved. These parties include; the regulator (telecom regulator), the telecom company, the telecom agent, the merchant, and you, the customer. Because this concerns money, the banking regulator, the Central bank is also critical.

When you are having so many actors in your eco system, there are so many risks at every point in process of making the transaction. So questions arise. For instance, what should the regulators do incase somebody sends money and it is not received by the intended recipient? Do they get refunded? How do you assure transaction security and authenticity, while protecting innocent parties?

I have seen people complain on social media that they received messages that a portion of their mobile money taxes had been refunded but there was no change in their balances. How can they ensure the money reaches their account? How can regulators enforce this? What level of access must be given by the various players to effectively regulate the industry.

There is also the issue of system security. When you look at security, we are basically looking at platform integrity, confidentiality and availability (CIA). When it comes to your mobile banking, you find that most of the transactions are a clear text transaction. Suppose someone hacks your mobile money account and steals your money from you, who can you blame? User training and awareness over mobile security is poor. People often leave their mobile phones unattended to in which case someone with knowledge of one’s MoMo code could initiate a transaction. Sim swaps makes such frauds easy as well.Now that is the issue of platform security.  The telecom company may not be interested because they will tell you that you did not take the necessary precautions. But they have the responsibility to educate the customer about personal security.

Then we talk about privacy issues. This is still a big problem; a mobile money agent could give your mobile money details to somebody else. There are no regulations on this.

And now you know the risk they have on the economy in terms of money laundering; how do you tell whether someone else has not registered using your phone number.

Then there is the issue of transaction limits; are these limits actually being implemented but whether these limits are applying in practice, one cannot tell. This still goes back to mobile money system transparency, are the limits you see actually working in practice or not?

And then there is the issue of competition. In Uganda, we have seen several mergers and at the same time, we have seen government moving away from critical sectors like telecom which need to have local ownership. Of course, we are aware of the push to have MTN Uganda listing on the stock exchange. Let’s wait and see how this unfolds. As a critical national service for enabling commerce and national security, telecommunications ownership must be of key interest to government.

The question is going to be; how does government regulate this kind of industry especially if telecom companies, that control over 95% of the market and therefore controls the economy are based in a foreign country? MTN and Airtel actually have an oligopoly over the Ugandan market.

So supposing the two of them shut down tomorrow and exited the market wouldn’t this affect the Ugandan economy? That is why many people who are exposed have said that government cannot leave the economy to the private sector. Meaning that there are some flagship sectors where government must take priority and significantly invest for purposes of stabilizing the economy.

The telecom sector is one of those sectors where government should be heavily invested because telecom is the number one tax payer in the country. This is in addition to   being a national security player; telecommunication drives internet and everything we are doing.

Government should revamp UTL and create a company where it has majority shareholding. Controlling telecom sector is better than controlling the national airline!

Finally, there is the issue of investment of net balances on mobile money. You find that if I am keeping sh2m on my bank account for six months, it can be invested on a fixed deposit and I get to earn interest.

But for mobile money, there is no requirement for the telecom company to empower the customer to fix the money on a fixed deposit basis or keep the money on demand. Keeping the money on demand means any time I need the money to use it.

Going forward, with proper regulation, it should be possible to create a regional mobile money eco-system. That means the law has also to provide for global collaboration.

This article first appeared in The Bankers Journal.

Share this



Related Articles

Summit Consulting Work in an Ethical Penetration Testing On Our Network and Database

The above subject refers. This is to confirm that Summit Consulting Ltd, represented by Mustapha B Mugisa, was contracted to conduct an attack penetration

Team building and team cohesion events.

Are your staff working as a team or as individuals? For your next staff meeting, have them enjoy great team-building exercises. Below are some

Five steps to fighting fraud with professional skepticism

CHICAGO, June 11, 2014  /PRNewswire/ — Deterring and detecting fraud within an organization is the responsibility of several groups: financial executives, boards of directors,

Yahoo Under Fire For ‘Reckless’ Email ‘Scheme’

Yahoo continues to come under fire over its recycling of old email addresses and user IDs. Back in June, the company announced its plans

About Author