Identifying Suspicious Subscriber Activities for Mobile Wallet Providers

Telecoms are privy to fraud from different avenues. One avenue is subscribers acting as agents and performing forex buying and selling activities. Identifying, investigating, and addressing such behaviour is extremely important from a regulatory, anti-money laundering, subscriber protection, and revenue standpoint.

What’s suspicious and what’s not?

Telecom operators often have merchants and agents operating across their network for legitimate activities like conducting recharges, selling airtime, and more. To weed out malicious agents from the real ones, CSPs must first replicate the behaviour of agents to define what is ‘suspicious activity.’ This is difficult because simply conducting high-value transactions is not always a red flag. There could be many individual subscribers who move large sums for personal reasons.

Coming up with a threshold for suspicion is another grey area. This sometimes depends on the economic climate within a specific region and hence requires some business and regional understanding.

There is typically no way to separate informal merchants using their subscriber lines to receive payments and fraudulent subscribers. Activity patterns across both these groups are similar. Perhaps the only underlying difference is that informal merchants deal with products and services, whereas suspicious subscribers deal in foreign currency in exchange for mobile money.

Addressing these challenges needs a unique approach because of the nuances in segregating genuine activity from suspicious ones. In the example below, Subex used a mix of industry, market, and business understanding to configure a solution that helped a CSP stay ahead of suspicious subscriber activity and related fraud.

How Subex did it: A real-world example 

A major communications service provider with a renowned mobile wallet services platform wanted to stay on top of its subscriber activity to discern suspicious behaviour so that immediate corrective action could be taken. This was important for the CSP to comply with regulatory terms and safeguard the business from malicious forces. It would also support Anti-Money Laundering (AML) and Combating of Financing of Terrorism (CFT) capabilities and foster positive brand perception.

The operator sensed that certain subscribers were acting as agents and performing unscrupulous money transfer activities. They wanted to identify, investigate, and address such behaviour on priority.

They chose an approach that delineated behaviour based on specific traits that correlated to suspicious activity. These three behaviour types were:

• High financial activity like transferring unusually high values
• Connection density like finding subscribers transacting with an unusually high number of subscribers
• Volatility or a surge in financial activity or connectedness of a subscriber

Subex was brought in to implement one of its proprietary solutions to help the CSP get insights into these three categories of subscriber activity.

Two modules were created – one to identify subscribers with suspicious activity and another to assist the investigations with relevant data points on all suspicious subscribers. Considering there were nearly 4.5 million nodes on the network and approximately 45 million Edges, the task was a difficult one.

In a nutshell, Subex performed the following actions:

• Modelled cash selling behaviour using techno-analytical rigour
• Identified each subscriber’s connections across the massive network using a graph theory-based degree centrality model to discern legitimate transactions from suspicious ones.
• Investigated transaction behaviour to identify subscribers whose transacted values diverged from usual

The values and connection density across the three defined behavioural buckets were finalized using a combination of data-driven exploratory analysis and business acumen. Rather than choosing fixed, rigid values as the threshold for suspicion, Subex configured the tool with flexible threshold options that could be custom-set. Thresholds were then assigned to maximize true positives and minimize false positives. These values were used to narrow down the suspicious subscriber base.

Results from the analysis were shared with the compliance team, giving them a 360-degree view of the subscribers with the main investigation markers. This included subscriber value segments, location details, device information, connection, and value profiling, and national ID reuse details, among others.

Soon, the solution gained popularity with the telco, and Subex upgraded it with an automated, scalable, flexible, and democratized front-end for ready access for users across the organization. The tool is helping set custom thresholds of suspicion for value transfers and connection density, get the distribution for the reason of suspicion, and capture markers for investigation of these subscribers.

In a span of two months, the solution identified 161,400 subscribers that were possibly acting as agents. It also gave the CSP valuable insights such as:

• 64,800 subscribers increased values while 49,200 increased connections. These could possibly be agents who were barred and now operating on subscriber lines.
• 12,460 subscribers from this base have reused national IDs and can be considered highly suspicious.
• 40% of suspicious subscribers are concentrated in the capital city, which is also where the concentration of agents is the highest.
• 47,500 subscribers use basic/feature phones and have suspicious behaviour. These could possibly be vendors and can be considered low-risk.

Benefits of subscriber activity analytics

In the short term, performing subscriber activity analysis helps telecom operators periodically weed out subscribers acting as agents and improves how they manage regulatory expectations. In the medium to long term, it discourages fraudsters from building networks to deal in foreign currency. It also saves telecom operators from incurring heavy regulatory fines.

To bear in mind, AML/CFT compliance is quite common, especially in the financial services domain. However, the case of subscribers acting as agents to trade foreign currency tends to be specific to hyperinflationary economies where people tend to buy foreign currency to hedge against inflation.

In summary, fraudulent understanding activity across subscribers often requires a niche approach founded on strong technical expertise and a sound understanding of the telecom industry and local market forces. All of these factors blend to create environments ripe for fraud. Mitigating such risk is up to telecom providers that ought to leverage well-informed strategies as well as technical expertise in terms of data analysis, dashboarding, and automation.

Mobile wallet provider identified suspicious subscribers with Analytics

Download the case study to learn more