How we manage fraud risk
Fraud risk is managed by mytalu in several different ways. These can be broken down into various categories as detailed below:
- Log-on protection
- Third-party compliance firewall
- In-house fraud detection
- Encryption of data
Mytalu, at its core, is a money transfer business. Our primary focus in fraud risk management is therefore preventing unauthorized access to accounts and preventing movements of funds from the UK to African (Kenyan and Ugandan) sub-wallets that were not intended or permitted by the sender account owner. Similarly, on the recipient end, our aim is to prevent unauthorized access to a mytalu sub-wallet and restrict fraudulent mobile money payments in the mytalu e-money ecosystem.
Log-on protection
Users are required to set up an account with a personal email address, password, security question and PIN. Additionally, as mytalu is an application targeting smartphone users, account holders are able (and actively encouraged) to enable Face ID as a method to maintain the security of their account and ensure access is limited to the original account creator and owner.
If an email address and password combination is entered incorrectly three times, the account is temporarily frozen until the account holder answers their security question, which in turn enables them to reset their password and regain access to their account.
The personal security information is also required at certain action points within the mytalu app, specifically when a new sub-wallet is being created or when money is being transferred to a new destination. These additional barriers protect the security of the account and, in particular, the movement of funds.
Third-party compliance firewall
As part of our agreement with Railsbank, we are required to integrate and make use of the Railsbank Compliance Firewall. This is a tool that mytalu is able to use in order to manage fraud risks. The Railsbank Compliance Firewall consists of two parts: the partner firewall and the customer firewall.
The flow of information through the two firewalls is simple. First, the request must meet the requirements of the rules set out in the customer firewall. It must then pass all the rules set in the partner firewall. Only at this point is the request approved and the corresponding action, such as creating an account or making a money transfer, permitted. The risk policy is hardcoded into each of the partner and customer firewalls. If the request fails to adhere to the rules, it enters quarantine (assuming it hasn’t failed a stricter ‘auto-decline rule’). At the point of quarantine, responsibility falls to the compliance officer to check the entity/transaction and decide whether to decline or pass it.
In-house fraud detection
Mytalu is also building its own in-house fraud detection capabilities. In its first iteration, this will involve creating ‘expected’ profiles for the types of customers that mytalu will be engaging with. Our initial due diligence and research lead us to believe that the average amount of money being remitted will be £250 per sender per month. Using this as a baseline, we will be able to detect abnormalities that deviate substantially from these expected values. In later iterations, mytalu intends to employ machine learning algorithms to analyze the data obtained in earlier iterations, both to improve the efficiency of our fraud detection capabilities and to reduce the number of false positives, as mytalu wishes to create a seamless user experience. We will also be able to create more tailored fraud detection capabilities on a user-by-user basis, creating adaptive and dynamic models which map out expected usage/transaction volumes for each individual mytalu user, allowing us to be specific rather than generalist in our approach. Similarly to the quarantine method employed by Railsbank’s Compliance Firewall, mytalu will flag any user activity or transaction attempt that appears fraudulent, at which point the compliance officer will inspect the activity and make a decision as to the next steps. We will also be employing a transparent fraud detection system, in that we want to keep our customers informed via push notifications if additional checks are being run.
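The expected-profile check described above can be sketched as follows. This is an added example, not mytalu's own code: it totals each sender's transfers per calendar month and flags totals that substantially exceed a baseline for compliance-officer review, using the £250 figure for new senders and, going slightly beyond the first iteration, the sender's own median once enough history exists. The 3x multiplier, the three-month history requirement, the record layout and all function names are assumptions.

```python
from collections import defaultdict
from datetime import date
from statistics import median

EXPECTED_MONTHLY_PENCE = 25_000  # £250 per sender per month (figure from the page)
DEVIATION_FACTOR = 3             # assumption: "substantial" deviation = 3x baseline
MIN_HISTORY_MONTHS = 3           # assumption: months needed for a per-sender baseline

def monthly_totals(transfers):
    """Sum transfers per (sender, year, month); each transfer is (sender, date, pence)."""
    totals = defaultdict(int)
    for sender, day, pence in transfers:
        totals[(sender, day.year, day.month)] += pence
    return totals

def flag_for_review(transfers, year, month):
    """Return {sender: (total, baseline)} for senders whose total in the given month
    exceeds DEVIATION_FACTOR x baseline. Flagged senders are queued for the
    compliance officer; nothing is declined automatically here."""
    totals = monthly_totals(transfers)
    flagged = {}
    for (sender, y, m), total in totals.items():
        if (y, m) != (year, month):
            continue
        # Earlier months for this sender form the per-sender history.
        history = [t for (s, hy, hm), t in totals.items()
                   if s == sender and (hy, hm) < (year, month)]
        if len(history) >= MIN_HISTORY_MONTHS:
            baseline = int(median(history))      # tailored, per-sender profile
        else:
            baseline = EXPECTED_MONTHLY_PENCE    # global expected profile
        if total > DEVIATION_FACTOR * baseline:
            flagged[sender] = (total, baseline)
    return flagged

# Constructed sample data (not real customers or transactions).
SAMPLE = [
    ("alice", date(2024, 1, 5), 20_000), ("alice", date(2024, 2, 5), 22_000),
    ("alice", date(2024, 3, 5), 21_000), ("alice", date(2024, 4, 2), 30_000),
    ("alice", date(2024, 4, 20), 40_000),   # £700 in April vs own median of £210
    ("bob", date(2024, 4, 3), 30_000), ("bob", date(2024, 4, 9), 40_000),      # new sender, £700
    ("carol", date(2024, 4, 1), 50_000), ("carol", date(2024, 4, 2), 30_000),  # new sender, £800
]

if __name__ == "__main__":
    for sender, (total, base) in sorted(flag_for_review(SAMPLE, 2024, 4).items()):
        print(f"review {sender}: £{total / 100:.2f} sent vs baseline £{base / 100:.2f}")
```

In the sample, alice and bob both send £700 in April, but only alice is flagged: her own history sets a lower baseline than the global £250 profile that applies to bob as a new sender.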
Encryption of data
Security of confidential information is of critical importance to mytalu. To that end, mytalu ensures all user information and Personally Identifiable Information is encrypted to ensure maximum security is being achieved. Encryption also applies to mytalu-specific information and not just our users’ information.
The scope of this document therefore covers both the UK main account holders and the African sub-wallet account holders. The tools and methodologies discussed in this document operate in real time so as to be best positioned to prevent fraud from occurring.