Are communications providers ready to take on the responsibility for delivering more advanced financial services over the phone? Bank failures have occurred all over the world, raising fears that communications providers could also begin to fail if they lend money but are not subject to rules about capital reserves and competent regulatory supervision. But it would also be a mistake for governments to suffocate services like mobile money that have transformed the lives of millions of Africans, Asians and Latin Americans who were previously unbanked. How much financial risk is it acceptable for communications providers to take, how should they upgrade their own competence to deal with those risks, and how does the increasing popularity of online and mobile banking change the risk profile for frauds like SIM swaps? These are some of the questions debated with Joseph Nderitu, a Director at Integrated Risk Services. Joseph started his telecoms career at Safaricom and has since advised many of Africa’s leading operators on the risks surrounding the delivery of mobile money services and other financial services.
Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hello, my name is Eric Priezkalns and this is the Communications Risk Show, the live streaming conversation show about the risks faced by comms providers and their customers. Every Wednesday, we discuss topical issues with experts from around the world of electronic communications and we stream the show live so you can also join the conversation, asking questions and making observations as we go along. To ask a question, simply type it into the messaging field immediately beneath the streaming window on our website at tv.commsrisk.com. Messages are anonymous, include your name if you want me to read it out. This show is also streamed live on LinkedIn, so you can also leave comments there. One of our team will be keeping an eye and let me know about the questions and observations you make there too. We'll try to read out as many as we can in the time during the show. And today's show, we will be discussing the very fine line that now divides some telcos from financial service providers, the risks that result from handling customers' money and how to get the regulatory balance correct. It's a topic that has really come to the fore at Safaricom, the Kenyan telco that started the mobile money revolution with the creation of M-Pesa faces a billion dollar lawsuit over how it's regulated. Safaricom also faces mounting pressure over the number of crimes where customers have had their mobile money accounts hijacked. There's no better person to talk about these topics than our good friend Joseph Nderitu, who will join us later. Joseph is the Director of Integrated Risk Services and one of the first men to provide assurance of mobile money services when he was a manager at Safaricom. But first, let's engage in some topical chat with my co-presenters, Ed Finegold and Lee Scargall. Ed joins us from Chicago, where he's an author, analyst and strategic advisor to tech and telecoms businesses. And Lee joins us from Manama, capital of Bahrain. Lee's career has seen him switching between executive management and freelance consulting for a wide variety of commerce providers in the Middle East, Europe, Caribbean and Asia. Hello, Ed. Hello, Lee. It's great to have you both back on the show again. I will kick us off in fine style. I'm going to pick on you first for this one, Ed. Have telcos gone too soft? That's a little play on words there. The triumph of software makes everything cheaper. Of course, we live in an era where everything is run by software, but having the same code over and over again on more and more machines, well, it might be saving us money, but there's a danger here that if there's a vulnerability, especially with a networked computer, that that vulnerability is going to be exploited by bad actors all around the world. And it seems that telcos, like other businesses, are increasingly at risk. There was the enormous data breach at Optus, where the data of 10 million Australians was compromised because of a leaky API. There has been a reported 627% increase in ransomware attacks per data security provider. Watch out for all kinds of businesses, not just telcos. It must be something that telcos worry about too. And hackers used a supply chain attack to insert data stealing malware into the 3CX VoIP software system used by 600,000 organizations, including BMW, McDonald's, and the UK's National Health Service. So, starting with you, Ed, should we be thinking in all seriousness, this is a tech analysis problem here, in all seriousness, thinking about the tech, thinking about the security, thinking about the risks, should we be starting to think that actually migrating towards common platforms to save money, that might be a mistake and we should be thinking about keeping businesses a little bit more diverse than they would otherwise choose to be? Yeah. I mean, I think going back, I think three years, when I started looking more at the cyber side and talking to people that are experts in defense in depth, I think they've been making that kind of argument as one of many items on a list of important things that aren't always done as consistently as maybe they could be from a security point of view. And so, again, it depends on the practitioner you talk to. It's so hard to generalize, but I think what ends up happening is the people who are making these attacks are finding the inconsistencies. I think that's the problem that you're pointing to. And then when there's an inconsistency that, to your point, effectively goes viral, and the communication about it goes viral, I think is what we've seen. You and I have talked about that before, especially a lot of the way these groups work in information sharing and people knowing where to find the information to go repeat a scam or hack. And we see that kind of effect in parallel finding those weaknesses. So yeah, I mean, I think that commonality issue points to a need for diversity, but let me throw this back to you, Eric, and Lee as well. I think for any of these issues, what I keep coming back to is whether we like it or not, we're all living these digital lives. We have digital selves. A lot of times they're being forced on us, especially as more and more brands want you to go digital and not necessarily go physical or manual, right? That whole trend. So this is being forced on you and the digital life is under attack. And I don't want to be the, oh, it's the war on drugs, it's the war on terror. I'm not going down that line, but I think we need to step back and say, hey, are we thinking about things the right way to have the right structures and laws and enforcement in place to classify these things the way they should be classified? I started thinking about this a few weeks ago. I'll quickly say when we were talking about police officers not recognizing an MZ scanner or sniffer, right? And only grabbing it because they thought it was a bomb, right? And then going down that path and thinking about the fact that like, hey, the stakes are higher than maybe we're giving them credit for. And so I think that's some of the issue that then points back to what you were saying, Eric, which is like, yeah, identifying where a lack of diversity creates those big gaps is absolutely necessary, right? That's part of defensive depth, continuous monitoring, and all those good best practices that the cyber folks, they're real smart cyber folks will talk about consistently. Lee, do you want to jump in here? Yeah. So, I mean, this is like one of those final year university questions on cybersecurity, right? So, you know, I want to start by saying that no kind of exploit, right, is prevented by diversity, right? That's the first thing I want to say. But diversity, it simply ensures that no one can take over the entire network from just one exploit, right? So, in a way, diversity is a good approach. However, it's a difficult question to answer. Because what if diversity brings more vulnerabilities, right, because of bad coding or lack of security testing, right? So, I think diversity can be a good thing, providing like software developers and device manufacturers, if they adopt best practices, like print or principles like security by design, and they use the security frameworks to ensure that all the vulnerabilities are kind of ironed out before the product is launched, then we kind of get the best of both worlds. So we get the resilience from the diversity. And we also get more robust security measures at the same time. Well, I've heard you say before that you tend to like situations where the telco uses multiple suppliers and not to depend upon one supplier. So you could say that that's already an example of some form of diversity here. But are we just are we talking at the right level here? So is it also a case that we just too many things are being done in the same way across businesses as well, that we're turning to follow certain patterns of behavior that make ourselves vulnerable? I mean, to give you an example, more and more businesses, they have their call centers, the call centers aren't even in the same country as the business. Why? Because the call centers itself a form of business model, and we just get these people in these warehouses to just make these calls, handle these calls for us. Are we then surprised that these people then become very easy targets for criminals? Criminals who say, look, these people don't get paid very much money, but they have access to systems, they have access to the data we want, they can change around the customer's profile. Is there an argument here that we should be looking for more diversity in how we work as well as the technology we use, Ed? Yeah, it seems like any individual would say, oh, I'm not surprised that this logically happens when you put people who, for various reasons, are easily turned to the negative and to participate in schemes at various levels. Many individuals, I think, would say, oh, we shouldn't be surprised. But as a society, or maybe even in the media, we kind of talk about it every time, like we are surprised, like, look at this breach that happened, look at this horrible thing that happened with this corrupt call center, or with this person who was bribed, and we look at it kind of in the specific and say, oh my, and then walk away from it, as opposed to recognizing this happens all the time, constantly. And what are we doing about that aspect of it other than saying, hey, this makes for an interesting story where we can be outraged and say, oh my, right, that's the thing that concerns me. And that's why I keep saying, hey, we'll take it more seriously. You know, your digital life is under attack, and I'm going to keep beating that drum, however annoying it might be. I think you should keep beating it. Lee, it's the problem that we're not putting the right value here. We're not pricing in risk in the correct way that we keep running towards the cliff edge and falling over the cliff edge. You've talked before about the effect on share price of data breaches. Is it a case here that, I mean, how does a business start putting a value on just having some diversity, have greater strategic approach to security, even though if it works, well, you're not going to have the hacks, you're not going to have the problems, you're not going to have the impact on the share price. Is there some way that we're missing a trick here in terms of appreciating the value over a longer term in terms of changing and making our approach to securing our businesses more sophisticated? Yeah, I mean, I've always said that businesses need to have resilience, right, no matter whatever it's around security or whether it's around operations, you need to have resilience in there. We've seen, you know, there's been lots of examples where resilience hasn't been kind of, hasn't been kind of implemented in a particular organisation, and that has a big impact on the share price. And it really can, because if you look at the statistics, it probably goes and impact your share price by about, you know, negative 10%. Well, this is a topic we'll come back to later in the series as well when Carson Knoll will be telling us about security vulnerabilities we found, he found in cloud containers used by telco operators, and of course, lots of businesses may be using the same kind of cloud containers, making them also vulnerable to the same kinds of hacks. But now, here's a message from our service sponsors, Bluegem. Bluegem provides testing services to telcos, government and software businesses on a global basis. They do this using real phone devices. That means they can generate genuine network events, including video music streaming. They can even replicate fraudulent bypass calls using real SIMs situated across their global network platform. These real network events allow Bluegem to advise your business about a range of key areas including roaming service assurance, customer journey testing, SIM box detection, and OTT and refiling fraud detection. They can detect SIM box fraud using a hybrid developed system of automated devices and crowd testers, which means they detect a higher rate of fraud than others. And the popularity of OTT applications like Viber, WhatsApp and Telegram, well, that's been leading to an increase of OTT bypass fraud, which means that you should be thinking about Bluegem's OTT solution, which automatically detects IP voice and chat apps for any fraudulent activity. Bluegem's approach to fraud bypass is to use a risk-based test methodology, which means they strategically target high-risk routes and countries to detect both on-net and off-net fraud. With automated alerts, their customers are able to profile fraudulent routes quickly, and Bluegem's flexible solution can adapt to ensure fraudsters remain unaware of their detection. So if you want assurance of your internet routes, and you want to tackle SIM box, OTT, or refiling frauds, or you want to deal with a host of other issues that require proper network-based testing of how the equipment and services run, then you should call upon the experienced team of specialists at Bluegem. Their URL? blugembluegem.com. So back to the topical chat, guys, let's continue the theme. Leasing Manama, which rhymes with banana. And I've been thinking about bananas because this biodiversity thing, it's not just the electronic domain, it's also the organic domain that we can learn about the importance of diversity and biodiversity, whether it's diseases that spread across the planet, like wildfire, and cause us all to stay home for two years in a row, or the diseases that plague bananas, because the bananas that we find in a typical store, it's all the same type of banana, the Cavendish, which makes it susceptible to the disease being passed from one to another to another. So should we be thinking about more variety in how we provide services online, so that therefore, criminals at least have to go to the extra effort of devising different ways of attacking different services, rather than now increasing just using the same method and porting it from one business to the next business to the next business with the telco, the telecommunications service being the sweet spot, and in particular, SIM swaps, SIM swaps being the issue. Is there a way, Lee, that we could start to take a kind of diversity of banana type theory here, and apply it to say how we identify users, how we determine or authenticate human human being is, so it's not always the case that all you have to do is take over their phone account, do a SIM swap, and there you go. Suddenly, now you can pretend to be someone else who can access the older services that are built on top of them. Yeah, so it's actually amazing how much our lives now are centered around the mobile, right? So not only do I use mine for messaging, I also use it for banking, I use it for like monitoring my home security, tracking my fitness, social media, all this type of stuff. But the problem is, one of the main things that we use our mobile device for now is for two-factor authentication, right? So that's receiving OTPs via SMS, which makes it a target for fraudsters, right? Now, when you look at, there's actually three things, or three common factors that are used for authentication, right? So it's something you have in your possession, right, such as a device, something you know, right, such as a password, or something you are, right, which is a biometric marker, so it's like a fingerprint, facial recognition, or an iris scan, right? The problem is, is that most of this two-factor authentication, it uses something you have, right, and something you know. So when your mobile account is taken over via a SIM swap, right, it completely bypasses the something you have element of that, because the device is effectively being controlled by somebody else. Now, personally, I'd like to see more use of biometrics, right, such as fingerprinting, you know, very easy on the phone, yeah, facial recognition technology being used for authentication, right, instead of there's something you have element, right, especially when it's a mobile device, right? For me, I mean, biometrics seems like a much better way to go than OTPs sent to a mobile device. That's like comparing a banana to an apple, isn't it? Whereas instead of like the disease attacking a banana, now we've got a different kind of fruit, and it's got to be a different kind of attack, and therefore, we now have to take over, we have to replicate how your voice sounds, or we have to replicate how your face is, and of course, this can be done, but it adds another layer. Do you agree, Ed, that we're not putting in enough layers, enough variety into the way that we're authenticating people, and that's making us vulnerable? Yeah, I mean, I definitely agree with Lee in the way that he characterised the way that the something you have tests are consistently being defeated. There is, I think, a critical mass of something you are, like sensors and what have you built into devices out there to start to really not just make that a good argument, but make it an implementable argument on a wide scale pretty quickly, right? So it would be good. I agree that biometrics is definitely helpful in the solution, but the other piece we talked about that's a fundamental weak link in this, and Eric, forgive me if I jump the gun here, but the phone number, the relationship with the phone number in all of this, and the fact that a phone number is not really something you typically own, but it is a core part of your digital identity that a lot of other tests link off of, or a lot of other communications paths for authentication tests ride over, that's a problem that we created for ourselves, right? We kind of painted, accidentally painted ourselves into a corner as an industry, and that's, I think, one of those elephants in the room that really needs to be addressed and discussed. We can do a whole show on why nobody wants to talk about that too much. If you look at SMS and A to P type revenues, things like that, right? But, yeah, I think that that relationship, that underlying relationship of the digital identity to the phone number and the fact that no one really owns the phone number, which is why it can therefore be hijacked at all in a similar swap in various ways, whether it's technical or bribe or coercion or whatever it is, there's just a fundamental problem that can be attacked in the system that I think needs to be addressed much better to solve some of these problems. Now, here's the thing that I find strange. We had the guys on from Latro on last week, and of course, a lot of effort is put in to identify where people are when a crime occurs. Why are we not putting any effort into working out where people are when they're using their phones? Because surely one of the most straightforward ways of indicating that you are the genuine person that you are and not somebody who's taking over your phone account is where your phone is when you're trying to engage in some kind of transaction. A criminal doesn't live in my house. They could take over my phone number, but they're not going to live in my house. You can see from my patterns of movement and behavior. What I find strange is that whenever I go abroad and I get my credit card out, almost certainly straight away, the credit card company will say, oh, you've never been in that country before. We won't let you use your credit card abroad, which kind of is super annoying because the whole point of me taking a credit card is that I wanted to use it abroad. But at the same time, it seems as though phone companies, who should have a lot more granular data about location, don't seem to be making any use whatsoever of location. Is that correctly? Am I painting the industry wrong here? Is there more being done to take advantage of location data? Another source of data that we should have on users, but doesn't seem to get much use at all whenever you hear about SimSwap fraud. Well, it's actually interesting you mentioned this because a couple of months ago I was actually reading an article that there is actually an Australian company which are actually trialing this right now. So with banks. So when you go to an ATM, you put your ATM card in, it actually checks to see your location to see if you're actually within that cell site, within that vicinity of the ATM. So some companies are doing it. Check out the ones in Australia who are doing it. But I think I think it's a good approach to go. Yeah. So comment here from Marcus. For me, this comes back to KYC. If you understand what you have sold, who you've sold your SIMs to, bypass fraud becomes very difficult, even with modest detection capabilities, because the fraudsters lose the ability to replace their cancelled SIMs. Also a critical challenge in the payments. Well, that's a fascinating point of view. I will come back to it in a second. Because next, I need to do another one of our adverts. And this is our Symmetry Prism Fact of the Week. Now, each week, the Symmetry Prism team supply me with an interesting fact to read out to the rest of you. And that fact will be about the fraud intelligence that they gather by combing through the underworld and discovering the things that they're doing to trick and deceive us all the time. And here's a fascinating fact that they've given me to share with you this week. Bad actors are advertising services that would allow criminals to send over 100,000 fraudulent SMS messages for the very low price of just 40 US dollars a week. Not only do they get all those messages for that cost, but the customers of those services can also choose whichever call ID they want to be the apparent source of those messages. And to make life really easy for bad actors, they let their customers, the criminal customers, run the entire process from an app installed on their own phones. How hysterical is that? That you can use an app on your phone to commit crime with other phones. So contact Symmetry Solution and their Prism Fraud Intelligence team if you want to learn more about methods used by criminals and the ways you can anticipate and prevent them from succeeding. Reach out to them at symmetrysolutions.co.uk. Now, Ed, obviously, we're going to have Joseph on in a little while here. And we, in some ways, Safaricom are a great example of a business that's taking the lead. We're trying to deal with some of these issues. For example, they've agreed with six Kenyan banks that Safaricom's API will be used to check if a SIM has been replaced recently. Because if you check that it's been replaced recently, then the bank doesn't necessarily have to allow a big transaction to go through. It's a common sense way of maybe filtering out the most obvious kind of crime and giving the customers some chance to get back control of their account, report that something's happened to their account before a crime is taken. However, a French anti-fraud service claims that 51% of mobile-based transactions in Kenya are flagged as suspicious. And Safaricom has for years now adopted a policy of including in their annual financial reports the number of staff fired for mobile money fraud. It fell to 24 in the last financial year, which we've got a report for, which ended in March 2022. But it was 52 back in 2017. So it's coming down. But nevertheless, they've been trying to eradicate the problem. There's still going to be staff who attempted to commit and abet crime. And it's difficult to work out what's going on sometimes because of all this flagging of suspicious transactions. Ed, thinking about the privacy aspects as well as the security aspects here, is it time for telcos to start implementing more rigorous monitoring of their own staff in order to stop these crimes? I think that I have to unpack that. I mean, the obvious answer is yes. But is it? I mean, I don't know, because now you've got a spy on your computer, people are monitoring your behavior at work. I mean, there's privacy issues here too. So that's why I'm saying it may not be obvious. I would say this, that having done a lot of work in the last few years on the banking side and seeing how technologies like analytics and real time communication are used, it's not over engineered. These things can be used very effectively to do detection and warning or triggering of a process. It's capable if the technology exists in the world to go do this kind of thing pretty effectively. And so the same, I think more or less, it's the same suppliers in many cases to telecoms in the fraud space who do these kinds of things. And so I think it makes sense. Again, forgive me, I'm going to keep beating that drum, but if you take a step back from it, it's that greater conversation of saying, okay, we see what the scammers are doing, not just looking at it as a million pinpricks, but looking at it like as the entire threat surface and saying, okay, we see attacks, for example, on the scenes between telecom and banking, because that's where the money's at, and that's where identity is at. That's why we see phone numbers get attacked, which then lead to bank accounts being taken over. So those are the really big, obvious pieces that you can start with that probably impact the most people and start to say, well, what are we doing wrong? And there's endless literature on what's being done wrong, which is why we then get into these conversations about is there enough action? Is it time to take action? It is past time to take action. People are being attacked. There's not enough teeth. And that was why I came back to what you were saying about to stop these crimes. I'm not sure the powers that be yet care about stopping the crimes if they're not liable to do so. So what's the soft spot that gives them a reason to act to solve the problem? I think that's really the question that probably everybody's challenged to find. Anyone who's trying to sell them something is trying to figure out as well. To sell a solution to this is trying to figure out as well. Yes? Yeah, I hear you. Lee, have you looked at alternative ways of trying to address these frauds? And in particular, what can be done in terms of keeping an eye on your own staff? Well, I'm hearing a lot more stories these days, Eric, that customer service agents are actually being contacted via direct messages over LinkedIn and attempting them to perform SIM swaps and offering anything up to about $50,000. So that's a lot of money, right? And would probably tempt most people in the kind of situation, right? So long gone are the days when fraudsters used to hang around car parks, the contact sensors. These days, what they do is they just connect directly and they can connect from anywhere in the world. So if you don't believe how simple it is, just go on to LinkedIn, type your telcos name and type customers name and put customer services in and you might be surprised what you find, right? So just prior to coming on here, I actually did it and I did it for AT&T in the US and that returned 51,000 results, right? So, you know, you've only got to get lucky once by contacting these people. Just to be fair, I did it for Vodafone in the UK as well. That returned five and a half thousand results, right? But this is the interesting thing. When I researched for T-Mobile in Germany, it only returned 17 results and a lot of those profiles, they were all restricted views. So I couldn't see who they were and I couldn't connect to them, right? So maybe T-Mobile, they might have a policy in place which kind of restricts their employees from doing that, which I think is a good thing. Maybe, maybe, maybe it's a language difference, I don't know. It could be, it could be. This could come back to the diversity point again. Maybe T-Mobile don't have many people working in customer services anymore, I don't know, but I doubt that's the case, right? I'm sure this is a policy of T-Mobile. Well, it's fascinating that you mention AT&T because of course they've got a terrible reputation for SIMS rock fraud. I'm sure that they wouldn't like me saying it but the newspaper headlines speak for themselves. They're always being named over and over and over again by celebrities, famous people, wealthy people. There's been a string of lawsuits involving them. In fact, they got off one recently, a big case where a cryptocurrency investor had initially sued them for 224 million US dollars. And you talk about how cheap it is to find people. They did catch in the end the thief who stole, the leader of the thieves who stole the money, a kid, Ellis Penske, who was just 15. I know what we said last week. Young man, again, despite you insisting it's the women doing it, Lee. Another young man, Ellis Penske, he agreed in the end after he was caught to pay 22 million dollars in restitution, but he would help his victim, Michael Turpin, to sue AT&T. And he was helping him by pointing out how easy it is to bribe the staff of AT&T and other telcos. He was talking about, you only need $200 to bribe these people in order to get them to do the SIMS rock fraud. But in the end, the judge throughout the case said that AT&T weren't liable, which I don't know if that sets a bad precedent in terms of your staff being bribed and then no one being held accountable for that. That seems to me to be opening the door to encouraging a lot more bribery, which is why I say maybe you need to be thinking, Lee, about putting spies inside the technology that your staff are using, keeping an eye on their behavior, keeping on their movements, because the legal system doesn't seem to be up to speed with supporting or assisting companies in doing this. But we are at risk as telcos of being sued for enormous amounts of money because somebody relies upon their phone, the home gets hacked, and you don't know about how much is held in their cryptocurrency wallet or how poor the security is around that. But they're going to look and want somebody to reimburse them. Who are they going to turn to? They're going to turn to the telcos. The telcos got a deep pocket. Comment here from Mahmoud Farouk. He says, relationship checks would help flag suspicious transactions. That's a good point as well. We've continued the chat, but now another little ad break, but this isn't really like an ad break because this is from our good friends at OneRoute. Now, each week, Jeffrey Ross of coal authentication, fraud prevention, and geolocation specialist OneRoute takes us on a trip around the world via our phones. And this week, Jeffrey is going to take us on the journey to Italy. So producer, James Avanti. Hey everyone from OneRoute. I'm Jeffrey Ross, and this is the world in your phone. Let's talk about Italy. Now, as we say in Texas, Italy. Now there's a lot of fun facts about Italy as it is one of Europe's most visited countries with a long history, rich culture, and really good food. How much do you know about this amazing country? Did you know that Italy is actually one of the world leaders in protecting our kids online? In fact, in 2021, Italy ordered TikTok to block underage users after the unfortunate death of a 10-year-old girl while trying to film a viral challenge. So now TikTok has been ordered to block access to users whose age cannot be confirmed. Italy also has the Italian Safer Internet Center, which promotes safer and better use of the internet among children, parents, and teachers. It also helps students to be informed about important matters, to get in touch with influencers, journalists, and politicians through live video chats. Pretty cool. But did you know that Italy is actually one of Europe's, Western Europe's, youngest countries? Now Italy's been around for thousands of years, but it's actually only been a country since 1861. And did you know that Italy is one of the world's largest cities in the world? Did you know that 13 of Shakespeare's 38 plays are set in Italy? And one more fun fact, Texas has cities named Italy, Rome, Naples, and Florence. Go figure. Be sure to subscribe to One Route on YouTube to catch up on all of our episodes, and watch the shows and companies making a positive difference in the telecom industry. Now, Eric, back to you and more of this great communications risk show. Cheers. Now let's welcome back one of the recurring guests on our show, Joseph Nderatu. Joseph is a director at Integrated Risk Services, a consulting business providing advice about corporate governance, forensic investigations, and business assurance. He's worked with many of the biggest telcos across East Africa. Prior to becoming a consultant, Joseph worked at Safaricom, where he was one of the first revenue assurance managers who had to tackle the new challenge of assuring mobile money services. As well as being an expert on risk for comms providers, he's also a pilot, a farmer, a part-time journalist, and a thoroughly good chap. Hi, Joseph. It's great to have you back there. Hello, Eric, and I'm happy to be back. How are you doing? I'm doing good, Joseph, and I'm always enjoying our conversations because I always learn so much. And you are the perfect person to ask about what the heck is going on in Kenya. Now, last time we had you on the show, we didn't have the time to discuss all this fuss that's occurring in Kenya surrounding the regulation of Safaricom, and whether it's M-Pesa service should be split off into a separate company. For my benefit, for the guy's benefit, for the benefit of all the viewers, can you please explain to us what is happening, what is the significance of M-Pesa to Kenya, to Kenyans, to the Kenyan economy, and who is wanting M-Pesa to be split from Safaricom, and why they want it split? Okay, cool. As to the first question, what the significance of M-Pesa, I think suffice it to say that it's become a way of life. I was just telling someone the other day that in the past, you would be afraid of forgetting your wallet in the house if you went out. Nowadays, it's not a big deal. I'm more worried in case I run out of battery power because then I would not have access to money. So I know I can transact as long as I have money. I can go on public transport, go to any restaurants, go to any hospital, pay for anything on the way, pay for fuel, anything really I can do using M-Pesa. And therefore, the service has grown since the launch was done back in January of 2007, has achieved a lot of growth over the years. The product suit has grown from just basic money transfer to really lending services, overdrafts, and things like that. So a story of growth, that's a good part. But as you know, there's always the good, the bad, and the ugly. Complexities have come with that. And the complexities were, of course, not envisaged in the launch. At the time, there were no regulations about the service coming on board. And the Central Bank of Kenya actually gave what is called a letter of no objection, allowing the service to go because there was really no law to regulate it. By leaps and bounds, the service has grown. And now there are questions as to, are we regulating it as we should? And especially with the risks that are being seen, as I'm affecting customers, is all that needs to be done, is it being done? And that's where we are. So as to the split, that's a whole story that has been going on for quite a number of years, has been fought, or rather has been fronted, even in parliament. As late as 2021, there was a member of parliament who raised the motion of splitting Safaricom and having M-Pesa as a separate company. Our members of parliament, however, not quite known as being the sharpest tools in the shed, did not see the merit in discussing that topic. And therefore, it did not progress far beyond parliament. But the question as to whether Safaricom should be split has been there, has been raised through parliament, has been raised by industry analysts, and has also been raised by consumer protection groups. But here's the thing I don't understand, Joseph. Is there not now a lawsuit about the fact that Safaricom has not been regulated like a bank? And I'm not clear as to why Safaricom would be sued. Wouldn't you sue the regulator instead for not making a decision to regulate like a bank? How can you blame the business for not being regulated sufficiently? What's really going on with this lawsuit? Who's bringing it? Why are they bringing it? Why is Safaricom being sued? Yeah. Okay. That's a good question. And I think you're right. So the lawsuit has been brought by an individual who claims that Safaricom, by the fact that he's engaging in lending services and has also shown sometimes not the best of due diligence in conducting those lending services, should be sued. I think I share your sentiment. You know, really, the lawsuit should be directed towards the regulatory bodies for not putting in the required laws. And, you know, it's not exactly correct to say that the required laws have not been put in place. Back in 2011, the National Payment Systems Act was actually drafted. However, again, through basic complacency of parliament, it was not enacted or made into law for quite some years. So there has been that drug. And in the meantime, the challenges with things like fraud happening while growing up, the public awareness also growing up, as you know, also with the proliferation of social media. Right now, there's quite a bit of spotlight on anything that happens, not just in Safaricom, but also in any large corporate organization operating in this part of the world. And I think there were also concerns, especially as the service grew, and cross border transfers started happening, whether we were actually having a safe monetary system, because now a lot of our transfers will happen through mobile money. And especially within the period of 2011, let's say, 2014, there are quite a number of terrorist attacks in Kenya, through the Al-Shabaab terrorism group based in Somalia. And at least on one occasion, at least in January 2019, it was established that part of the money for financing that terrorism attack had actually been moved via Safaricom's mobile money, M-Pesa, in conjunction with the Diamond Trust Bank, and the Diamond Trust Bank branch manager responsible for not highlighting that was arrested. The question then became, okay, but you have arrested the bank manager, what did you do about Safaricom? So these concerns have been there. And I think they are valid concerns, they are valid concerns, they need to be addressed. But I think the question is, do we then use this as an opportunity to have a conversation about properly regulating mobile money services, and annual digital payments? Or do we then go after Safaricom and say, hey, we're coming after you, even though there is no regulatory framework for, for enabling, or rather for guiding a lot of these things. So that it's, we are caught up in a situation where the concerns are there, they are valid, but the legal framework has dragged far behind the innovation that has happened on the service. These issues are serious. And I'm, you know, I'm not going to argue with you about the seriousness of wanting to pursue a regulatory framework to protect customers from crime, to protect shareholders in the bank from the collapse in the bank, because it's lending the money. Therefore, if telcos is lending the money, where's the money coming from to be led, that it doesn't stretch itself too far. We've seen plenty of banks collapse recently. And we've seen plenty of blanks collapse in the past as well. We don't want to see telcos collapsing, because they're starting to do the same things as banks, but without regulation. However, we're going to have to do that regulation. However, although the topics are serious, is this specific lawsuit serious? It seems to be generating a lot of interest in the Kenyan press. But do people take this lawsuit as being serious as having a real chance of victory? Or is it more just a talking point that's making people think about the same issues again? And if the issues are gaining traction, if people care about the issues, why are the government getting involved? Why isn't the regulator offering these guys? Is there a reason why they haven't been more proactive in this space? Yeah, so in terms of the seriousness of the lawsuit, if I were to hazard a guess, I think the lawsuit will be thrown out. I don't see it going far. As to why the government has not done much, I think there was always this, and I think you touched on it in an article spoke about a data breach that happened in Optus, where you talk about the fact that we have kind of prioritized the good news so much and not looked at the reliability and asked the hard questions. I think if I'm paraphrasing something, it's it. So I think the story of success is very well known. And I think Kenya has been touted as a very successful case of mobile money. Inclusion of the poor has been one of the things that government has also been very proud of. We see during campaigns, you know, politicians, or people running for presidency talking about some of the things that they are going to do to make sure that even more people are included in the economic system. So it's, you know, success has many fathers, and everybody wants to be associated with that, with that success. So I would say that then the government has not has not treated the service, has treated the service more as a bragging points thing, as opposed to really taking the responsibility for regulating it. Now, it's not to say that the service is not entirely looked at. Certainly, the Central Bank of Kenya does get returns from mobile money service providers. There is a financial reporting center where companies or telcos can file suspicious transaction reports regarding anything happening on the mobile money system. So there's that oversight. The missing link, at least in my view has been that we are in a situation where we see all these bad things happening along with a good, we are seeing a lot of same swaps and people complaining. We are seeing scam artists using mobile money. We have cases of even prison prisoners in maximum security prisons, working together with guards to get cell phones in, and then running a whole call center from prison. That is actually enticing people to send money for, you know, to donate to this other charitable cause. So there's this nasty and inconvenient stories there, but they have, the missing link is whatever Safaricom or whatever, even Airtel, because they also have a money service running, whatever action that they do take in conjunction with the law enforcement agencies, there's not much communication as to how the close looping of that is happening. And therefore, there's this perception and much well deserved among the people that is everything in control. And therefore, that kind of creates a lot of anxiety around the service. And it's not helping that then we are not seeing much coming through the media from the various telcos saying, you know, this is what we did. You know, the law was applied in this case. These are the number of people who actually went to jail and all that. So there's a communication problem. And that is really, I think that's, that's a danger, because I know they're, they're probably, I'm not probably, they're, they're, they're 100%, they're people working hard in this technical cause in Safaricom trying to fight fraud. Safaricom also does the publishing of people, internal staff who are found to have committed these things. But you know, there is something missing in terms of informing the public and providing actual metrics that things are going in the right way with regard to fraud management. And I think that's an opportunity for Safaricom, for Airtel, and for the law enforcement agencies to make sure that people get that conflict. Because otherwise, what we know is everybody knows somebody who has fallen victim to a same-swap or some other type of thing. Now, we talked about Kenya's situation, because obviously, you're in Kenya, and you know all about the Kenyan situation, but you've also worked in a lot of the countries that surround Kenya as well. So when we say that perhaps the regulatory environment isn't as tough as it might be in Kenya, how does that compare to the regulatory environment, the legal environment, and other countries in East Africa? Yeah, so I say Africa kind of seems to run on extremes. And so we have a very permissive or understanding regulatory environment in Kenya. So there's quite a bit of leeway provided or given to the telcos. And then you have on other cases where the regulators have taken a very sort of almost very restrictive approach to mobile money. I think I would, for example, mention the case of Tanzania, where it's become really a surveillance tool, or at least in the years under the previous presentation, it was a surveillance tool where, you know, the telcos had to send every bit of transaction data to the regulators' servers. And we know that that data was not really just being used for assuring quality of service or for checking adherence to their laws, but also being used to profile, you know, opposition members and things like that. So that is there. So striking a balance is not exactly very evident in a lot of countries. But I think the challenges are known in terms of its opportunity for mobile money in all the African countries, because banks, you know, traditional mortar and brick banks are not serving the people, they have not served the people for a long time. But then there are these real concerns as to what are we doing to make sure that the service is running as it should, we are protecting consumers as we should. So Tanzania, I've mentioned that one. The other thing is, of course, security in terms of the integrity of the mobile money system, and the risk of it being used in things that I mentioned, for example, terrorism, we know also the security situation in DRC, where again, mobile money is really growing up, growing very fast. And where there's an insurgency from the rebels who are claimed to have been sponsored by different countries. So again, we've seen especially in the case of DRC, Vodacom, they are putting in measures to make sure that they're able to monitor transfers in areas where those insurgents are known to be operating and making sure that the level of transaction monitoring is high. So I think there's a mix and match of approaches, but that you will be struck that on some levels, there's quite a bit of lax approach. And then on others, there's quite a bit of restrictive approach. In both cases, I think the consumer is still not served well. So those two extremes, you need to get a balance, where we actually serving the consumer by making sure that there's a proper legal framework, the telcos adhering to it, where they're not adhering to it, they are being penalized, or rather, they're also being supported in case they have valid reasons as to why they cannot comply. Great observations. Now, there's a couple of observations coming from some of the viewers as well. So I'll share them with everybody who's on the show and who's watching as well. Lorenzo Francisco from Mozambique says, Hi, Joseph, he's glad to see you again on the show. He's concerned that there's a risk that regulators will apply fines for M-Pesa mobile money providers in other countries too, so we'll come back to do. Marcus Bryant is backing up your point by saying, from his experience at MTN Group, that there are some countries that require banking licenses for mobile money, others that don't. Now, Lee, I want to bring you up on this point, you've dealt with mobile money as well. Do you find that when you're dealing with international groups and mobile money, there really is a lot of inconsistency in how different countries deal with the regulation of whether they're treating telcos like banks, or they're basically giving telcos free rein to do what they like? Yeah, I mean, each different jurisdiction has its own set of rules, right? So you're always going to find that. From my experience, most of the countries that I've worked in, a lot of the telcos needed to have a banking license, they were treated as a bank. And I mean, you mentioned a point earlier, you were talking about, there's lots of banks going bust, and you were concerned about some of these telcos might end up going bust. Now, one of the things that we, when we set these up in the past is, you'd obviously set a firewall up. So you'd set up a separate company, which has the banking license. So if anything happened to that, obviously, that provides a bit of protection for the telco. Here's the thing that frustrated me. When we travel down to Nairobi to hold the RAAC conference there, I would have loved to been able to get a Vodafone SIM and been able to use mobile money because Vodafone's in the UK, we've got Vodafone affiliated telcos all around Africa, why wouldn't I want to have the advantage of using mobile money as I go from country to country? It is mobile after all, this stuff is supposed to make life easier. And yet somehow or other, in the Western countries, in Europe, in the USA, in Canada, and the rest, we don't seem to want mobile money. I don't understand it. Why would I not want mobile money? And this makes me wonder, I'm going to blame the Americans. So this is why I'm going to bring you in here, Ed, so I'm warning you now. Is this really a problem here that we don't have leadership in regulation in this area? Because the United States of America, which tends to be the leader in international banking regulation, doesn't want to have mobile money for poor people in the United States of America. They've already frozen out people who are unbanked in the USA. And as a result, they see no need to get involved. They only want to get involved in the over-the-top banking. They don't want to get involved in this calm stuff. And are they making a mistake by doing that, Ed? Why am I talking nonsense? Thanks for asking a really loaded question, Eric. Are they making a mistake by not taking up the banner of the poor and marching to the... I don't know, man. The US, for better or worse, is a capitalist country, and its banks are permitted to act in all kinds of unbelievable and heinous ways that hurt lots and lots of people, right? So that's a whole different show that we could... But this is what I mean. Why are American telcos... 7% of Americans are underbanked per the survey that's done by the FDIC, the insurance business that basically underpins banking in the USA. 7%? 7% of 300 million people is a lot of people. Why are there not businesses like telcos, like small regional mobile providers who are saying to themselves, we could learn a lesson here from Safaricom, we could provide a service? Or are they just being frozen out because the regulatory environment is so hostile to anything like that, it wouldn't make sense for them to even start down that road? I think there's probably a certain percentage of that, probably a pretty large percentage of that, that's like, I don't trust the bank, right? Or I never have any money to be banked in the first place, right? There's a lot of... There really is. I think if you broke down that mix from a statistical point of view, there's probably a lot of really odd reasons for why those people are unbanked, including some of them being, oh, I want access and don't have it, right? Is probably one of them. I'd want to see the data around that to comment on it, but I don't think it's a safe assumption that there's this large number of this market of people that are unserved. I find it a little bit hard to believe it. If they are, then they're being served now by things like Cash App and Venmo is starting to fill that gap. But what it brings us to, right, is more of this question of how do you regulate this stuff? Because there's a dissolution of like, well, what's a bank versus what's mobile? Are you regulating this as a mobile thing or a banking thing? It's like, well, there's money moving around. So, some of the things, and Joseph referred to this before about, look, M-Pesa was a pioneer in this, and I think that they should be lauded for breaking ground where others could not, like way before anybody else started getting into all digital banking for it, right? I mean, I remember covering it when it launched and very few, if maybe nobody else was doing those kinds of things. So, I think there's a lot of positive lessons to be taken from it. But one of them, coming back to the point, Eric, is that, yeah, there is this like blurring of the lines between what's mobile and what's banking. And it's being further blurred if you look at all the regulations and rules around open banking and all the APIs that will be introduced for different types of over-the-top banking, which also, if you have the time to go do a research deep dive on the regulatory regimes around the world on open banking, and I don't recommend it, there are resources to read about these things. They do break down the different categories of responsibility based on the type of transaction. And a lot of those things come back to stuff like is that making sure you're checking for money laundering, you're doing money laundering checks, you're doing terrorism funding checks, and those kinds of things that are kind of standard on the banking side. So, if you're dealing with money on the mobile side or on the telecom side, why wouldn't you, just by common sense, not be held to the same type of standard, right? I mean, I think all those gaps, to me, automatically make sense. And so, to look at those things as like separate categories does not make sense at baseline. And we keep doing it in technology and thinking that it's, you know, this is a horizontal thing. It's not a vertical thing. And these things are separate from each other, if that makes sense. Ross Coulthart Absolutely. I just get upset because people say, telcos, how do they turn their business model around? How do they start to generate new revenues again? Safaricom, they want to split up Safaricom because they've done so well at finding a new source of revenue. And Marcus makes a point here, again, another comment from Marcus. He says, a major issue with the US and Europe is the arrogance of the West refusing to learn from the African example. They find it very hard to accept they have anything to learn from Africa. I would turn it around and say, where's the lack of, why isn't there more entrepreneurialism here? Why isn't an American telco providing mobile money type service to the 7% of customers, the 7% of people who probably do have phones, but probably don't, as we've said, have a bank account because they don't trust the banks or they can't get an account or they've had a bad history or whatever. And why isn't Vodafone in this country? Why are they not giving me the option to get mobile money? It may be a niche play, but it could also be a very profitable play. Why are we being pushed onto other banking services and other apps and stuff like that? Marcus Levenson In defense of the US, I'm going to insult the US. In the US's defense, when I get to do deep data studies on adoption of all kinds of tech, like mobile money and real-time payments and all those kinds of things, or smarter ways to secure your digital identity, the US is almost always a laggard, right? Americans behaviorally like credit cards and text messages. No matter how archaic they start to become or how much they're attacked by fraudsters, credit cards and text messages, don't ask me to change. So look elsewhere for leadership is my point. Daniel Disney I will give the Americans a little kind of one-up here. Living in Canada and sending checks, whoa, that drove me crazy. Pieces of paper. I go to Nairobi and everybody's on their phone sending money backwards and forwards. And in Canada, you have to send pieces of paper across the country because that's how they still transfer money from one place. So it could be worse. Canada is probably the worst I've ever had to deal with in terms of dealers. But let's get back to the serious stuff because we haven't talked about the fraud side of things as well, though you brought it up there a little bit tangentially there, Ed, in mentioning Venmo and Cash App. And the same issue is now occurring in Safaricom, where a service like this becomes so popular, it attracts a lot of fraud, it attracts a lot of crime. Joseph, if you mentioned about the issue with international transfers, though, but what's been big in the Kenyan press recently is reports of ghost accounts. Criminals taking over a dead person's phone account to make purchases using M-Pesa. And this has become possible because Safaricom allows customers the equivalent of an overdraft facility. So even if we don't have money in the wallet, they can still make purchases using M-Pesa. In your opinion, Joseph, I know you're an ex-Safaricom employee, so you perhaps don't want to be rude about your former employer, but is Safaricom taking the appropriate steps to mitigate the risks involved in lending money to customers in general, and in particular, to the risk that criminals will abuse these lending-based services? Yeah, so I'm aware of some of the measures that are carried out, not just in Safaricom, but also in other telcos. So for example, basic ones keeping putting limits on what can be done on the account, putting dormancy on the account and all that. But obviously, those are not enough. I think, was it Lee or Ed who mentioned something like vicinity checks? And those are some of the things that we are seeing now being deployed, for example, making sure that you cannot have a SIM swap happen in this location, and then money is withdrawn in a location that is more than X number of kilometers away. So that technology does provide ways to do that. However, you're right, we are still seeing these things being reported in the media. And of course, it's easy for me to do a bit of Monday quarterback analysis and say, that should have been easy to catch. That should have been easy to catch. So I'm careful, I'm choosing my words carefully. But I think overall, we are not seeing information as to what is being done about these types of things and whether the solution is getting better or worse. That I think is what is creating a lot of this outside. So for example, cash advances or fleas, which is really an overdraft facility that you can carry on your line. All that it requires is that that line has been active on M-Pesa for X number of days, has carried this number of transactions. There's quite a bit of threshold on what qualifies you to a certain limit. And then the limit then is about for some, maybe up to 300,000 kilo shillings or something like $1,500, let's say. That's a lot of money in this part of the world. And therefore, this motivation for people to actually get, if somebody is dead, and that same kind is not well secured, you know, really performing the same sort of piece is not a big deal. And in some cases also there's internal staff involvement, where they're able to identify accounts that have not been active for a certain period of time. But again, you could put all those controls in your phone management system or your transaction monitoring system and be able to block them. So what I would say in summary is that I think there's a lot that is done. I'm sure there's a lot of good work that's being done, but there's a lot more that could be done. We'll be talking a lot about machine learning and all these types of fancy analytics, but are they being applied correctly to prevent some of these scenarios? The article that I think Commsrisk published today, an article on where somebody, a journalist has reported that over 51% of Kenyans have experienced mobile management. Not true. I mean, I think the articles, your article really also identifies that quite clearly. But the question is, by the time we are reaching a situation where such publications are picking up such statistics, we need to be able to show what is actually happening in the telcos to manage that. And I think there's somewhere that we are not communicating effectively. Whether we are doing good work, we are not communicating or we are lagging behind, we are struggling and we are not letting the public know that we are struggling and what more needs to be done. Now I've seen a lot of awareness campaigns being done to customers, how to guard their SIM cards, how to prevent against SIM swap. Lee also mentioned biometrics. Safaricom also has a biometric solution where your SIM swap, before a SIM swap is done, there's a biometric check. You could actually record your voice and then before your SIM swap is done every time, then you'll receive a callback and then once you answer and say a few words, then it authenticates and does a SIM swap. But is that very well known across all the subscriber base? I think not. I don't see much about it except that I think it was a very good service to have been launched. So there are definitely areas for improvement and I think not just Safaricom but all the other telcos, they need to be very clear in how they are communicating. The sustainability report that you mentioned where, you know, stuff that are caught doing internal fraud, they are fired and then reported. That's a good thing but I think we need more metrics than that and I think the boards, the auditries, committees in these companies, they need to step up the game. I think there's a lot more that can be done and I don't get the feeling that we are there yet. I think you're being perhaps a little bit, you're not being generous enough I think sometimes to the telcos like Safaricom because when you talk about something like vicinity check, I'd love to see a lot more telcos doing things like vicinity checks in order to determine whether a fraud has taken place and they're not doing it. Yes, there may be an issue about credit limits, whether the credit limit is too generous, especially right at the beginning, whether you should be just ramping up the credit limit a lot more slowly. But some of the things you're talking about are quite sophisticated. Lee, I want to bring you in here. There's not this sounds quite sophisticated and wouldn't you get a bit suspicious of you in a telco that the reason you're getting this class action lawsuit is that customers are basically just jumping onto a bandwagon to try and make money by suing you when they haven't necessarily had any loss. Some dead persons had their account taken over. Yeah. So, you know, it doesn't just happen on mobile money, right? So, I mean, this happens in real life in real banks, right, where somebody's died and then somebody carries on using their bank account, right? So, I don't think it's just specific to mobile money. But yeah, you're probably right, Eric. It sounds like people are just jumping on the bandwagon here. Joseph, what do you think? Do you think then this is another class action lawsuit here, people wanting to sue Safari come over these ghost accounts? Does it have any merit or is it just an attempt to get a cash grab out of what's a big and very successful company in Kenya? Yeah. As I said at the onset is, first, I don't think the lawsuit has much merit. And my guess would be that's going to be thrown out. But I think it would be tragic if with the case being thrown out, we then kind of, you know, let the conversation go away. I think that's not my concern, that the fact that this lawsuit may not go through, and I think in all likelihood it will not go through, I think does not excuse us from starting to really interrogate ourselves as telcos offering mobile money in this part of the world and asking ourselves the financial inclusion that we are driving, at what cost is it coming to some of the poor people walking on the street, for example. And I think this lawsuit has that the merits of the lawsuit, as it's being discussed, should bring that to board. I am hoping that the telcos will then take that as a moment of introspection and say, hey, you know, is there something more we could be doing? I'm hoping also the regulators also ask themselves, is there something we could have done about this? I'm hoping our parliament starts, you know, getting a proper set of regulations in place. And I'm hoping that there's going to be, you know, constant enforcement of these things. So I see it as an opportunity, not in the sense that there'll be much coming by way of the lawsuit, but rather in the debate that's going to be there. Unfortunately, I see our media the way they are covering the case. Obviously, they don't have the subject matter expertise that, for example, comms risk would have in covering it. And therefore, there's a lot of just, you know, reporting the big value that Safaricom is likely to pay in case this lawsuit goes through. Whereas I think we should be examining how did we get to the point that we are taking a big corporate to court and claiming such a huge amount because of something that could have been prevented or could have been managed by a set of actors who have clearly not done what they should have done. I think that's for me where the debate should lie. Well, I think you're absolutely right, Joseph. And the point I would re-emphasize there is keeping the conversation going. It needs to keep going in real life. And that's what we're trying to do on this show. And we will be keeping the conversation going with you in future, Joseph. If you keep coming back on this show, we definitely want you back. Though now we're going to have to stop the conversation because we've massively overrun today's show. So thank you so much for your insights, Joseph. It's a pleasure to have you on the show. And if you're willing to come back, we'll keep having you back, Joseph. No doubt about that. My pleasure, Eric. See you next time. Thank you so much, Joseph. Well, we've reached the end of the show. Ed, Lee and I will return next Wednesday when our special guest will be Silke Holtmanns, an expert and advisor on 5G security to INDISA, European Union cybersecurity agency amongst others. Join us live on Wednesday, April 19 at 4pm UK, 6pm in the East Africa and Standard Arabia time zones, and 10am US Central. Listing time zones though, I find it super boring to do it every week. So why don't you avoid making mistakes by adding the show to your diary using the link at the Communications Risk Show webpage. And you can even subscribe to the Communications Risk Show broadcast schedule, which means every weekly broadcast is added to your diary automatically in the right time zone for you. Thanks again to today's guest telecoms consultant, Joseph Nderitu. Thanks to my co-presenters, Ed Finegold and Lee Scargall for their thoughtful and entertaining insights. And to the hardworking producers of the show, James Greenley, who was assisted by Matthew Carter. That's a wrap for episode five of the Communications Risk Show. I've been your host, Eric Priezkalns. Visit the Communications Risk Show website at tv.comswiss.com to catch up with past episodes in this series. Stay up to speed with industry news by visiting our main site commsrisk.com. And if you're looking for free RAFM guidance, including the most comprehensive catalogs of revenue leakages and frauds, then check out the Risk and Insurance Group at riskandassurancegroup.org. Thanks for watching. We'll see you next Wednesday.