Understanding user onboarding and fraud in Africa

This year, fraud attempts in Kenya grew by 7%, while it only grew by 5% in Nigeria. For a country almost four times the size of Kenya and with a global reputation for cybersecurity scams, one would expect its fraud attempts to be of greater proportion. But that's not what Smile ID's report reveals. Nonetheless, both countries' fraud numbers grew over the review period, from January to June 2023.

“Fraud rates move up and down across countries as growth and user behaviour changes in response to new products, services or changes in regulations,” says Smile ID. “As more businesses across Africa adopt biometrics for identity verification and fraud prevention, more fraud is being caught.”

According to Smile ID, 43% of ID fraud caught in the last six months were face mismatches indicating that stolen or lost IDs were used, while 41% were selfie spoofs.

Last week, Benjamin Dada, Publisher and Editor-in-Chief of Bendada.com moderated a conversation with Mark Straub, CEO of Smile ID and Wiza Jalakasi, Director of Ebanx Africa Market Development, to discuss the state of “Know Your Customer (KYC)” in Africa.

Editor's Note: The interview has been slightly edited for clarity

What's KYC?

Mark: KYC means Know Your Customer. It is a term that comes from the banking industry. Historically, before banks what with someone they will want to know about the individual or organisation as part of their risk assessments before they can decide if they should do business with the customer. This involved inviting the customer to a physical office to discuss with them.

KYC is an increasing part of compliance for most companies today because they are required by regulators to collect some information before providing financial services to consumers or businesses, especially digital financial services. Another part of it is trying to prevent is to prevent fraud.

We can sum it up into two; regulatory requirements and to prevent potential fraud.

Should startups build their KYC system or they should leverage providers?

Wiza: From my experience as Chipper Cash when we started our South African expansion, I was tasked with figuring out the quality of customers we were getting to avoid fraudulent sign-ups. We considered building our own solution but you will find out the complexity and difficulty of designing a solution that captures and validates information.

It is actually more work compared to building a payment solution, especially because in some markets you will need integration with various databases including the National IDs, this can be expensive and quite difficult for a small fintech that is not known in the market.

Just like in telco and payments, identity has this characteristics that are subject to aggregation; so, it is better to go to one provider that can get it for you in several locations to avoid the hurdles that come with building yours.

We worked with that and we got improvement in our onboarding.


Three factors of authentication. Design by Benjamin Dada

What should founders look out for when choosing a KYC provider?

Mark: The first thing people tend to focus on is price, but this is not always the most important thing. I think the best way to approach it is to start thinking through the internal metrics that you are trying to drive for your business.

The other needs you might have to consider are certain sets of information because of compliance requirements for reporting purposes, so you might want to look through the provider's API documentation to be sure they have these responses that you are looking out for and if they have the coverage that you need.

The third part is the integration piece. Here you consider the internal technical resources that you have and how you find customers and go to market; is it through mobile apps on iOS or Android or agents on the field? Generally, the founder needs to understand their customer acquisition modalities and then you need to make sure that the provider can deliver on it.

It is about coverage and data completion, integration, reliability and stability. And then pricing is also a component but often times people start with it and forget that the other factors are the real differentiators, especially in the African market where there is high variability of these things, as opposed to the US and Europe where there is more consistency.

What's top of your mind when it comes to user onboarding?

Wiza: Primarily, you are thinking about the experience that you can create to onboard high-quality users in the fast possible time. This involves creating what lets the good users in and tips the bad ones out without making it cumbersome.

I also think the flexibility from providers like Smile ID makes it easy for you to get through to what you are optimising for. In practice, you might say what a user needs to sign up on your fintech app is an email or a phone number but before they can make their first transaction, you will require them to provide an ID number, and then after that, you can ask for more details like proof of address and a copy of the ID card.

Generally, it is thinking about the flexibility of the process first.

The difference in user onboarding behaviour across sectors in Africa

Mark: There is so much variability and it is usually challenging to do it for companies that are in various markets on the continent. I spent a lot of time in India and I have seen an evolution of KYC in the market, from paperwork to digital verifications.

When we talk to customers in Nigeria, they know about National Identification Numbers and Bank Verification Numbers; there is a lot of sophistication now, and in a market like South Africa, the users are more mature when you talk about digital KYC processes.

So, there are markets where users are already aware that they will be required to provide certain documents, and in other places, they do not want them at all. In other markets like Ethiopia and Côte d'Ivoire, they operate with handwriting documents.

Across the continent, the variabilities are quite radical. Where it gets very tricky is when you have a company operating across five markets and they are trying to maintain consistency in their process but on the other hand, they also need to abide by market regulations.

The trick here is giving them the option to customise across markets.

At what point should a company start to tackle fraud on its platform?

Wiza: From my past experiences, I will advise that you should not even launch your product without fraud mitigations built-in, this is because fraudsters are amongst your first adopters. Fraudsters are on top of everything that is happening in fintech, their common tactic is referral fraud.

You are going to start seeing fraud losses from the day you launch your product; and the sooner you can mitigate it, the better.

🗞️
A few days after its launch last year, MTN Nigeria's Mobile Money Payment Service Bank suffered a breach losing about ₦22.3 billion that was "erroneously transferred to 8,000 bank customers".

Typically, most apps start with partners to deploy their services but when you scale, you get the attention of the regulators.

So, you need to start to engage with the regulators to get your licence and a big part of that conversation is your ability to demonstrate that you have been thinking about protecting your users and platform.

How did Smile ID realise that KYC and identity verification can mitigate fraud?

Mark: There are some places where fraudsters have been able to get added to the national identity databases multiple times under different names and identity numbers but with the same face.

The only way we were able to catch that was we started doing face de-duplication on every user that signed up with a selfie check; we saw some faces that registered more than 50 times although it seem like a valid KYC check. Then, we started realising that the database has already been poisoned; that fraudsters have figured out a way to create multiple ID numbers.

Businesses that are running referral campaigns and lending businesses need to be aware of this tactic because it is the way that you are going to lose money.

What would you want to improve about how KYC is done in Africa?

Wiza: The big thing is identity interoperability.

Nigeria has done a decent job with the BVN, where you can use the number to query the database and the users' details can come up. It still has loopholes—like people having multiple BVNs—but if you have a biometrically authenticated digital native identifier that is interoperable across the system. Like a BVN, but with a fingerprint; this deals with duplication.

It is sort of what is happening with Worldcoin, I have my own thoughts and feelings about the premise but then the actual authentication with the iris biometric ID is unique and difficult to duplicate. However, it creates a friction point because you need hardware to authenticate the biometric, but smartphones do not come with inbuilt iris scanners.

But, if we have an interoperable that African governments can adopt, it will make it easier and it will make a lot of sense.

What is the future of KYC in Africa?

Mark: What Wiza just described is the future; the way things could and should go. Also, the African government needs to build a basic ID infrastructure that is easy to use and reliable.

At Smile ID, we have built "fail safes" that make sure that all the traffic sent to us is processed because the national ID infrastructures go down all the time; sometimes throughout the day and that is a real point of friction for everyone.

🆔
In 2022, National ID databases in Africa experienced an average daily downtime of 6%, according to Smile ID's KYC report. This frequent downtime hinders their reliability as a sole verification step in onboarding customers on the continent.

In summary, we need to build basic infrastructures and make them reliable and also create standards. And the longer term, more exotic technologies like iris biometrics can now be introduced but basic infrastructures are the starting point.

Ben: Personally, I think iPhones will get to the point where they can scan iris, making the hardware cheap and more accessible.

Also, for identity interoperability, I think there will be a need for an open ID framework within the ambit of regulations and data privacy. For instance, if Smile ID has authenticated me on a platform that they are a provider, they should be able to identify me on another platform—where they are a KYC partner—without hassle.