The Identity Trust Pulse
The Identity Trust Pulse brings you the latest fraud and identity insights from industry leading experts across the world, sharing their expertise on relevant topics to help your business fight fraud and prioritize positive customer experiences. Find the fraud and identity insights to navigate our world of expanding opportunities and evolving risks. See the bigger picture – and the smaller one too – with this engaging podcast. The Identity Trust Pulse is brought to you by LexisNexis® Risk Solutions, which helps organizations detect and prevent potential fraud while building trust with genuine, good customers and reducing friction across the customer journey.
Beyond Mule Accounts: How Indian Banks are Building Fraud Intelligence
In this episode, Ankit Sharma from LexisNexis® Risk Solutions speaks with Manish Agrawal of HDFC Bank about how mule accounts are being used within organized fraud networks and why stopping them means looking beyond traditional controls.
They discuss the role of social engineering, where data still falls short and the challenge of connecting activity across institutions.
Drawing on experience from one of India’s largest private sector banks, the conversation reflects patterns seen across the globe.
DISCLAIMER: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this episode are solely those of the speaker/s and do not necessarily reflect the views or positions of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.
Hi everyone, welcome to the Identity Trust Pulse Podcast powered by LexisNexis Risk Solutions, where we bring you the latest insights and trends from the fraud and identity industry. I'm your host, Ankit Sharma. Every day, billions of transactions move through the banking system, but behind the scenes, fraud risk teams are fighting an invisible war. As someone who's part of this industry, it really intrigues me how institutions detect fraud and how the technologies are shaping to fight against scammers. And what's the future, more importantly, of the fraud risks? Today, joining us is Mr. Manish Agrawal, Senior Executive Vice President and Head Credit Intelligence and Control at HDFC Bank. And we're discussing about Beyond Money Mules, how Indian banks are building fraud intelligence. Thank you for your time, Manish. Welcome. Thank you for joining us today.
SPEAKER_01: Thank you so much, Ankit, for having me here. It's an absolute pleasure. I hope our podcast gives some two, three points to the listeners. Because fraud, personally, I believe it's not an individual's problem, neither a one particular bank's problem or any one particular institution's problem. It's the collective responsibility that we share, and we have to get over this.
When Fraud Turns Into Organized Networks
SPEAKER_02: Absolutely, that's well said. And I think let's, with that thought, jump into the first question that's in my mind and getting you someone who's had close to about three decades of experience, Manish. Uh, in your long, illustrious career, has there been a moment or some pivotal change where you have realized that fraud and risk vectors have fundamentally changed? Uh, and then essentially you're not dealing with isolated incidents but organized networks?
SPEAKER_01: So, Ankit, very, very interesting uh point. Uh, in fact, this point of uh realization came in. Uh and it came in uh when I observed two fundamental shifts in the uh fraudster's profile and the modus operandi, MO, that we call. Uh sometime back, now it's probably a decade, I would say. Uh, we observed that the age of the fraudsters were not in early 20s or a 30, it was mid-40s. Okay. Then you realize that the person has taken this up as a profession. And when you take something as a profession, then this becomes an organized structure. The second point of realization, if you ask me, uh, in fact, I was reading some of the federal report of uh the financial crime in US, they also have a detailed report. Believe me, if you download that particular report, it is easily available on the uh internet. You will observe that the modus operandi which is written there and the amount of money people have lost in the cyber-enabled crime. If you delete the dollar, you will find that it is for any other country as well. So when you see the commonality in the MO, which means that industrialization of the fraud industry has happened. And that's where it's quite clear today that fraudsters have taken it as a profession. They have a very well-oiled network. One thing which happens in any geography across the world, I'm not talking for any particular country, it is bound to travel to others because now we are dealing with the organized crime, not with the crime uh which is concentrated or located in one particular pocket.
Social Engineering Versus System Security
SPEAKER_02: Absolutely. That makes sense. I mean, I think very importantly, we are seeing these crime syndicates, um, you know, crime networks. Obviously, they're not just kind of scamming people, they also are part of the organized crime syndicate, where we're seeing um, you know, they're involved in predicate crimes, money laundering, uh, and so on and so forth. So we'll talk more about that uh as we go along in this conversation. Um, but just kind of keeping that basis of what we discussed uh as crime as a service or it becoming more networked and organized. Uh, if we specifically talk about India, Manish, um, you know, we've seen India take a leapfrog when it comes to digitization. Uh, so are you seeing you know this um exposure of, let's say, the mule accounts, uh, which are rampant um unfortunately right now, uh, you know, and fraudsters are kind of manipulating the system. And there's this whole concept of uh, you know, uh trust versus uh you know, technology versus you know, uh how can one trust the system essentially, right? I mean, banking is built on trust. Um, so how how how is that influx point right now?
SPEAKER_01: So, Ankit, to put the things in perspective, let me assure you that financial ecosystem is safe, secure. Okay, we have a regulator who has ensured that there are enough and more guardrails which make sure that the financial ecosystem is fully uh secured and fenced. Whatever we are talking today, in terms of frauds, if you talk about the fraud as a victim, whatever the frauds are happening, they are happening because of the social engineering, okay, where the fraud where the fraudsters are using the age-old techniques of uh, you know, greed, threat, and uh help or uh love, etc. Where they create a narrative and socially with through social engineering influence people to make the transfer. So that comes from the security perspective. At the same time, it is it is it is uh our fiduciary responsibility and the ecosystem has realized it that while there may be a scenario or there are scenarios where the customers have fallen through the narratives of the fraudsters and ended up sending the money or parting up with the money, institutions are also responsible because when the funds are departing from the customer's account or the victim's account, at the end of the day it is going into some other account where probably the onboarding of that particular account wouldn't have been proper. Did we they did they have a proper transaction monitoring? Was it matching with the profile of a customer? Okay. So that's where this entire system is coming into play. And if we have to break the backbone of the fraud or the cyber-enabled crime, what we have to do is to break the backbone of these mule accounts or the channels or the organized crime whereby they open these accounts and operate these financial networks. So because so if you if if we are able to stop the channel of our money after the fraud has taken place, ultimately the fraud will reduce. Okay, so this is where banks and institutions have to work at the same time.
The system is secure, but if you come into an influence and part with the money, then it's the reactive uh you know uh stage and prevention is always better than cure.
Mule Accounts As The Crime Backbone
SPEAKER_02: Agreed, but you rightly said, I think it's a national security threat. And then when you started the conversation, you said it's it's not every you know single person's uh responsibility, like everyone has to come together uh to stop this, right? So absolutely makes sense. And kind of if if I just pick on what we just discussed, Manish, I mean, you said there are guardrails, and then of course, uh, you know, the regulator has done a fantastic job in laying the framework. Uh, and we see that many institutions like yourself have very strong controls, but yet we are seeing fraud networks you know are able to infiltrate and manage to move money around, uh, unfortunately. But where are you seeing the biggest blind spots in banks and institutions? Um in how we are responding to, let's say, the scam and mule activity specifically, Manish.
SPEAKER_01: So, Ankit, as we discussed, that the this is we are dealing with the organized crime. We are not dealing with the petty crime. Point number one. And if you have an organized crime, what is needed? Needed is that fraudsters share their modus operandi and the database in a much better way than what intermediaries or the institutions or the banks who are involved are doing. And I think that is where we need to do a uh better job. The biggest blind spot comes, if you ask me, on the two two specific points. One, there is no common identifier across ecosystem when a customer when when where you can flag that this particular account is a mule or a suspect mule or a uh fraudulent uh has a fraudulent activity. The second biggest uh uh gap uh which and I'll I'll give you when when I talk and identify, let me let me uh take a few seconds on that. Like you take an example of a device today. The device ID is calculated by each bank, each institution, each service provider in a different way.
SPEAKER_03: Okay.
SPEAKER_01: So, how will you give that variable as an industry? Because it does not have the common identifier. And the second point is the data plumbing, even within the respective institution, the data plumbing is in such a fashion that when the multiple institutions come together, it becomes a task to have a common data uh workflow. So I think these are the two items on which the industry has to work uh a lot more, uh, I would say. And that will be the only method, and a lot of things are happening. We have got the DPIP framework ready, the the the country has done a great job in terms of uh creating um you know I4C as an institution, which has a direct uh you know, focus coming in from the Ministry of Home Affairs, uh uh and uh the and the country has invested, the government has invested a lot of money on creating that today. If there are any any any incidents which are happening, the way this system is tracking the layer by layer and forcing or enabling uh institutions to take an action is superb, superb it is.
SPEAKER_03: Yeah.
SPEAKER_01: So a lot is done, but a lot more needs to be done.
SPEAKER_02: Absolutely makes sense. And I think you touched on the point that, of course, institutions and and the whole government backing and framework along with the regulators' uh help and support is there. But I think, as you rightly said, I think more can be done and should be done because you know uh this is this is a far-fetched problem. Uh, and then that's why kind of uh the banks coming together or institutions coming together along with telco providers and the other players in the in the game, in a form of a consortium where uh you know that intelligence um is shared, be it on device or account or mule or uh or other parameters, um, so that you know together we can we can we can fight that fraud network through a very rich digital identity network. I think um uh you're right, more needs to be done on that. Um so so you know, we've talked about the frameworks uh and and and uh the processes and and what more can be done. I think uh that was the first part of the conversation, but uh I think you've spent uh so much time uh into building these processes and frameworks, Manish. But you know, um as someone leading the institution and your department, you know, uh you must be all sometimes asked that what is what is the perfect intersection when it comes to making something secure uh and also making sure that there is no customer experience friction, because that's ultimately important as well. So, what is your recommendations to institutions uh about striking that balance where you know one aspect is stopping the mule and scam activity, but also to make sure that the digital banking uh experience is frictionless and and customers uh benefit from it.
Blind Spots In Shared Identifiers
SPEAKER_01: So, Ankit, please understand that experience should not be made at the cost of security, because if the security is breached, the experience will anyway go for a toss. The two fundamental differences that we have to bring in, and I'm telling you, don't look at it like a like a uh very techy guy. Look at it as a simple normal human being. If you and me know each other, our conversation will start in a different way. But if you and me are meeting for the first time, I'm sure there will be an introduction. You will explain to me what you do, I will explain to you what I do. Okay, before meeting me, you would have read my LinkedIn profile, understood what I do, uh what are my strengths. Correct now? Yeah, the same thing has to be followed when the customers are doing a financial transaction. Okay, and the banks and institutions have to build in and bring in the friction by differentiating the two. If a customer is dealing with the known person with whom he has done the dealing, made the payment, that will go in a certain way. But if for the first time or in a recent past only the customer has started dealing with one particular customer, uh one particular person where the payment is being made, that has to be dealt into a separate way. And for that, if the friction has to come, it has to come.
SPEAKER_03: It is not a zero and one scenario. Understood.
SPEAKER_02: So just on that, I mean, if I may ask you, um you know what's what's one thing that's of immediate priority to you? I mean, what's the trend as as someone who's part of the industry and who's such a uh big advocate and a thought leader in the industry?
SPEAKER_03: What's that one trend that you are tracking very closely, Manish? The one trend, if you ask me, is a very, very simple thing.
Sharing Intelligence Across The Ecosystem
SPEAKER_01: I will break it into two: one from the victim perspective, second from the beneficiary perspective. Okay, from a victim perspective, it is quite clear that please follow simple basics. There is not going to be any scheme which will give you 20-30 percent return in a month. There is no authority which will call you and put you under digital arrest. There is no authority agency who will send you on a WhatsApp an APK file to download and see your challan. Plain and simple, please be aware, do not fall to these tactics. In case of any doubt, please reach out to your respective RM, branch, police, helpline numbers, 1930 as a helpline number. That's all we have to do it from the victim's perspective. But as I told you, that if we have to break this system of a financial crime, which is actually a national security threat, what we have to do is that till date we thought that account onboarding is an easier job. A proper underwriting framework which is used for opening for advances has to come in here. And this is where we are working. In fact, we have we have launched uh a proper underwriting framework. There are a few things. If a guy is bad, he's a bad. Gone are the days where you have to believe that if you have a doubt on the character of a person, it is good to take his money, but not to give his money. It is equally bad to take his money.
SPEAKER_02: Yeah. And then from a from a medium or long-term perspective, Manish, if I could pick your brain and we do some sort of crystal gazing. Uh, you know, what are like let's say in the three to five year or three to ten year kind of uh time frame, how do you think banks in their journey of evolution of wherever they may be, uh, some banks are are in the uh you know infancy of setting up a uh risk fraud prevention framework? Others, institutions like yourself are very advanced and developed in that journey. But how will how in that long run? I mean, you and I and on the back of India winning the T20 kind of World Cup, but let's say we have to prepare for the test championship as well. In the longer run, uh, how do you think banks will differentiate? Like, what will be the differentiating factor? I mean, will risk prevention be a differentiating factor in the long run? Absolutely. If yes, like what should be the considerations?
Security Versus Friction In Banking
SPEAKER_01: Absolutely, it will be a risk differentiating factor because one would want uh uh safety of his deposit, his deposits, rather than just on the fly that you can uh and I think one differentiating factor, uh uh Ankit, the way I see it, a some sort of uh friction that will come, which will be out of band. Okay, and when I say out of band, in a digital economy, all the dynamic factors are now bound to your device and channelized through telco. I think that's where the key differentiation will come because if if if you are doing a transaction on your mobile and the authentication is coming on mobile, authorization and confirmation happening on mobile, then the security by design is compromised. And we we already have started the journey now in app notification where we are trying to break it through the uh the the channel, okay. Uh in in some of the cases we observed that some of the communication only the SMS does not help. Other modes of communication of a social media also help. So we have started that also. That while you take a confirmation, while OTP I will be sending you on the SMS, which is which is uh which is prescribed by the guidelines. But another intimation, apart from a mail, we can send it through other social media platforms because half the times you are there. Correct. And that has given us a good result. We actually have launched uh multiple features of uh, you know, the security feature like coverage, where you do not require you uh or do not rely on the OTP uh for doing a transaction, the SIM and device is bound, but at the same time as I told you, uh that is still the same mode. And now over a period of time, we will definitely move to a bit of an old uh for a certain transaction. I'm not saying it for everybody, as I told you that the person with whom you are having a regular interaction, you may not want to deal with uh those people in that way, but definitely for the new beneficiary.
For the recently known beneficiary, we will have to uh move a bit away from the single channel.
SPEAKER_02: Absolutely. I mean, this has been such an interesting conversation. I'm sure we can talk for hours. But as they say, all good things come to an end. And so has our conversation. But we'd love to kind of have you back. Manish, first of all, thank you again for taking the time from your busy schedule. I know you were in the middle of some uh very important work, but I appreciate you taking the time and talking to our um listeners. I'm sure they've you know picked up more than three things as we started, uh, you know, you being humble and starting by three things. I'm sure, like me, they've picked up many things in this conversation. Uh, and if there's anything that uh you would like to hear more uh in our next uh episodes, please uh comment and get in touch with us and let us know. Thank you again for listening and making sure to tune in uh for the next episode, which we will be launching soon. Thank you for connecting with the RegTech Pulse Podcast. See you soon. Thank you. Thank you so much, Ankit. Thank you.
SPEAKER_00: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this program are solely those of the speakers and don't necessarily reflect the views or position of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error free.