PawaPass CEO Sylvia Brune doesn’t want compliance to be seen as a growth killer

As internet accessibility expands across Africa, the region is witnessing a surge in cyberattacks and online fraud incidents. This alarming trend is exacerbated by the increasing interconnectivity between applications and services, inadvertently creating new vulnerabilities that malicious actors can exploit. 

Cybercrime costs Africa a staggering $4 billion annually, according to a 2017 report. This situation has raised concerns among players in the financial sector, with some of Africa’s largest fintech startups working on a joint strategy to tackle fraudulent transactions within their networks. African financial leaders rank cybercrime as the top threat, surpassing even political instability, due to a rise in system breaches and financial losses, according to Deloitte's 2023 African Financial Industry Barometer.

While the financial sector might appear to be the most concerned, cybercrime affects every sector. “As long as there’s an exchange of value happening remotely,” Sylvia Brune, CEO of PawaPass, a startup specialising in ID verification and compliance solutions, says, “there’s going to be a need to verify who a user is.”

This is where her startup PawaPass, which is utilised in the gaming and sports industry across Rwanda, Uganda and Ghana, comes in. PawaPass's identity verification and compliance solutions are instrumental in safeguarding financial transactions and mitigating fraud risks within these sectors. Notably, the startup's robust systems verify over 6,000 payments annually, facilitating secure payments totalling up to $132,000. They also facilitated the pay of $2 million worth of shares to 200,000 betPawa customers.

Over a call, we talk about how the compliance space has evolved in the last decade, what’s different about Africa and PawaPass’ approach to improving compliance and reducing fraud on the continent.

How did PawaPass come about and what’s different about your startup’s approach?

PawaPass was born from a critical need: tackling fraud and abuse for businesses across Africa. One glaring issue was the ease with which users could create multiple accounts. A user blacklisted on one phone number could simply use another. Similarly, slight variations on an ID or name could bypass security measures.

This boils down to a fundamental challenge – verifying uniqueness and aliveness. These are essential metrics for combating fraud and abuse in any industry, not just financial services. It applies equally to e-commerce, logistics, and insurance.

In a region striving for financial inclusion, offering services to a broad base of users is crucial. But inclusivity can't come at the expense of security. We needed a solution that balanced access for legitimate users with robust measures to deter bad actors.

I believe you call that solution a single point of…

We call it a single point or source of truth. The ideal scenario for identity verification is a single point of truth, like a National Identity number used across various documents like passports and resident permits.  Unfortunately, this system isn't universally available.

In many markets, the lack of a centralised ID system makes it difficult to establish a reliable single source of truth. This is where the challenge lies: finding a practical and user-friendly alternative.

Considering that nearly half of sub-Saharan Africa's population is without basic identity documents, PawaPass bridges this gap, enabling their inclusion in the formal economy and access to digital financial systems.

That must be very challenging but you already rely on biometrics which appears to be a no-brainer. Am I right?

You’d think so. There's no silver bullet for fraud detection. Each method has limitations, forcing businesses to choose the "lesser evil."  The key lies in tailoring solutions to specific use cases. A one-size-fits-all approach won't work.

The ideal solution minimises friction for legitimate users while maintaining strong fraud prevention.  Different businesses have varying risk tolerances, impacting the level of friction they're willing to implement.

Biometric face scanning technology offers a powerful solution not only for businesses to verify identities but also for users to exercise greater control over their personal security. It empowers individuals to proactively safeguard their accounts and financial transactions. For instance, users can request face scan authorisation when transferring substantial amounts from their accounts, adding multiple new recipients or beneficiaries in a single day, or logging in from an unfamiliar device.

This approach extends beyond merely protecting businesses; it enables users to actively participate in securing their own digital identities and assets. Every time they authenticate themselves through biometric face scanning, users gain a heightened sense of account safety and assurance that their sensitive information is protected. Ultimately, this technology fosters an environment of trust, allowing individuals to engage in online activities with confidence, knowing that their accounts are fortified against potential hacking attempts.

This sounds very simple. Is it?

Nothing good is ever simple. We try to make it simple for users. The first time people do the face scan, they’re a bit thrown off but afterwards, it’s easier. We’ve tried to make it really simple and user-friendly without compromising on the integrity of information; hopefully, we can keep on doing that.

Correct! Despite several solutions, I imagine the bad actors aren’t sleeping. Let’s step back a bit, how has compliance evolved over the past decade?

Technology is a double-edged sword. It streamlines processes for everyone, making services like banking and car sales more accessible. However, this very ease of access also benefits fraudsters. The problem isn't a one-time fix. Fraudulent activity is constantly evolving alongside technology. As applications and services become more interconnected, new tools and approaches are needed to stay ahead of bad actors.

The rapid pace of technological innovation is another challenge. Compliance regulations struggle to keep up with the ever-changing landscape. This "catch-up" game is especially difficult in financial services, where the demand for faster transactions clashes with robust security measures. A decade ago, a week or three-day window allowed for fraud detection. Today's instant payments leave little room for error. This matter is often further complicated by regulators introducing different regulations.

Artificial intelligence (AI) presents another layer of complexity in the compliance space. While AI can offer powerful tools for fraud detection, concerns remain about its ability to definitively distinguish real from fake users.

Yes, deep fakes are here to stay. Are there any peculiarities about compliance in Africa?

Of course. One of the things we don’t want to happen when we take a biometric test is we don’t want there to be any intermediary because the data can be stolen, so we rely on only browsers with end-to-end encryption. In Africa, because people are data-conscious, they use a lot of browsers that have proxies. The browser sends a user's site to another server which compresses and sends it back to the user as a light page. 

The problem with that is that you can’t do end-to-end encryption. There are a lot of browsers like this which are good for saving data but not for running verification processes. 

We’ve been educating people to assuage their concerns.  Sometimes people are concerned about why they need to scan their faces. We constantly explain that captured images are not stored, but deleted immediately after the 3D face scan. Despite transparency, convincing users of the necessity for end-to-end encryption remains an ongoing struggle.

While biometric verification offers a single source of truth for user identity, convincing them of its necessity requires a delicate balancing act. After all, in most scenarios, it might not matter. However, for situations involving sensitive data, a little awareness goes a long way.

Yes, there are tradeoffs. You might have already alluded to it, but I’m curious to learn more about sectors where this matters more.

As long as there’s an exchange of value done remotely, there’s going to be a need to verify who a user is. Whether it’s a loyalty program we built out where it’s not money but shares or locker room bonus, there’s a transaction. You don’t need to have the ID of people, because it’s a small amount. The company that’s giving this needs to know that the intended people are getting the money. 

Now many social media sites are trying to incentivise people to verify themselves due to issues with trolls and impersonation. 

In Africa, there needs to be trust, so that people’s first encounter with online transactions doesn’t scar them and cause them to be scared from doing stuff online. This is important because communicating and transacting online has real use cases and benefits, especially for people in remote areas.

As we wrap up this conversation, can you share any noteworthy best practices for compliance?

Compliance should not be viewed as a growth killer; instead, it should be embraced as a necessary step to ensure long-term sustainability and success. By acknowledging the trade-offs and understanding that repeated security breaches can erode user trust and invite regulatory scrutiny, teams can approach compliance with a more holistic mindset.

On high-performing teams, compliance is not solely the responsibility of a dedicated department; rather, it is a shared responsibility integrated into the team's workflows and decision-making processes. This integrated approach encourages open dialogue and knowledge-sharing, where team members actively discuss and learn from real-world examples of how other companies have implemented effective compliance measures.