Nigeria's embrace of Open Banking and the sheer velocity of its instant payment systems are undeniably transforming our financial future for the better. Yet, for every legitimate transaction zipping through these new channels, a fraudster is probing for weaknesses, eager to turn innovation into an opportunity for illicit gain. This isn't just a background hum of risk; it's a clear and present challenge demanding a more sophisticated, agile response than ever before from our nation's fraud analysts and financial regulators. The old tripwires are no longer enough. As the speed and complexity of payments accelerate, the game has changed, and so must our rulebook.

To effectively counter these threats, financial institutions need to move beyond simplistic, single-variable rules. The future of robust fraud defense lies in composite rules – intelligent combinations of multiple data points and behavioral patterns that, when observed together, paint a much clearer picture of potential risk.

This playbook offers a selection of actionable composite rules specifically tailored for the Nigerian context. These rules are designed to be practitioner-friendly, providing clear logic and immediate steps for fraud analysts to implement and for regulators to understand as part of a resilient anti-fraud framework.

Here are some key examples from the playbook:

Rule 1: New Beneficiary, Big Money, Fast Transfer

The Fraud Pattern Unpacked:
Fraudsters frequently use a network of "mule accounts" to launder stolen funds or dissipate illicit gains. A common tactic involves quickly adding multiple new beneficiaries to a compromised account (or an account opened with stolen credentials) and then rapidly transferring significant sums to these newly added accounts. The newness of the beneficiary account itself is also a red flag, as legitimate users typically don't make very large, immediate transfers to brand new, untested recipients.

Why This Composite Rule Matters:
This pattern is particularly dangerous because it combines several high-risk indicators:

  • Rapid addition of multiple new beneficiaries: Suggests an attempt to quickly spread funds across various accounts, making them harder to trace and recover.

  • Large transaction amount: High-value transfers are prime targets for fraudsters aiming for a substantial payout.

  • Newness of the beneficiary account: Recently opened accounts (often less than 30 days old) have not established a history of legitimate activity and are frequently exploited as temporary conduits for fraudulent funds.

The Rule Logic (Pattern Summary):
IF (new_beneficiary_count_within_last_2_days >= 5)
AND (a_transfer_is_made_to_one_of_these_new_beneficiaries)
AND (that_beneficiary_account_age_is <= 30_days)
AND (the_transfer_amount_is >= ₦5,000,000)
THEN Flag for Review

What to Do (Actionable Steps for Analysts):

  1. Flag and Investigate: Implement a system alert when an account adds five or more new beneficiaries within a short timeframe (e.g., 2 days).

  2. Scrutinize Transfers: If a transfer exceeding ₦5 million is initiated to one of these newly added beneficiaries, and the beneficiary's account is less than 30 days old, this transaction should be immediately flagged for urgent review.

  3. Potential Actions: Depending on other risk factors, actions could include temporarily holding the transaction, contacting the initiating customer for verification, or escalating for further investigation into the source and destination accounts.
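
A sketch of how Rule 1 could be evaluated per transfer, added here as an illustration and not taken from the playbook or any vendor's product. The field names, account identifiers and sample records are assumptions constructed for the example; the function also returns which conditions matched, so an analyst can see near-misses.

```python
from datetime import datetime, timedelta

ADD_WINDOW = timedelta(days=2)            # "within last 2 days"
MIN_NEW_BENEFICIARIES = 5
MAX_ACCOUNT_AGE = timedelta(days=30)      # beneficiary account age
MIN_AMOUNT_NGN = 5_000_000


def rule1_check(transfer, beneficiary_adds, account_opened):
    """Evaluate Rule 1 for one outbound transfer; return (flagged, hits).

    transfer: dict with src, dst, amount, ts
    beneficiary_adds: (src, dst, added_ts) events
    account_opened: account id -> opening datetime
    """
    ts = transfer["ts"]
    # Distinct beneficiaries this source account added in the look-back window.
    recent = {dst for src, dst, added in beneficiary_adds
              if src == transfer["src"] and ts - ADD_WINDOW <= added <= ts}
    opened = account_opened.get(transfer["dst"])
    checks = {
        "beneficiary_burst": len(recent) >= MIN_NEW_BENEFICIARIES,
        "pays_new_beneficiary": transfer["dst"] in recent,
        # Assumption: an unknown opening date (e.g. account at another bank)
        # does not satisfy the age condition.
        "young_account": opened is not None and ts - opened <= MAX_ACCOUNT_AGE,
        "large_amount": transfer["amount"] >= MIN_AMOUNT_NGN,
    }
    return all(checks.values()), [name for name, hit in checks.items() if hit]


# Constructed sample data (not real accounts).
NOW = datetime(2025, 3, 10, 14, 0)
ADDS = [("ACC-1", f"BEN-{i}", NOW - timedelta(hours=6 * i)) for i in range(1, 6)]
OPENED = {"BEN-1": NOW - timedelta(days=12), "BEN-3": NOW - timedelta(days=400)}


def transfer_to(dst, amount):
    return {"src": "ACC-1", "dst": dst, "amount": amount, "ts": NOW}
```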

Rule 2: Deposit-Transfer Tunneling

The Fraud Pattern Unpacked:
This rule targets a classic money laundering and fraud "layering" technique. Fraudsters deposit cash (often from illicit sources or through smurfing – multiple small deposits) into an account and then almost immediately transfer the bulk of these funds out, often to another account or series of accounts. This rapid "in-and-out" movement is designed to obscure the original source of the funds and make them appear legitimate once they land in the next account.

Why This Composite Rule Matters:

  • Mimics Layering: Directly addresses a known money laundering methodology.

  • Speed and Proportionality: The immediacy of the outbound transfer relative to the recent deposits, and the high percentage of funds moved, are key indicators that this isn't typical transactional behavior. Legitimate customers rarely deposit large sums only to transfer nearly all of it out within hours without a clear, verifiable purpose.

The Rule Logic (Pattern Summary):
IF (count_of_cash_deposits_within_last_3_hours >= 3)
AND (total_transfer_out_amount_within_same_3_hours >= 0.90 * sum_of_cash_deposits_within_same_3_hours)
THEN Flag for Review

What to Do (Actionable Steps for Analysts):

  1. Monitor Deposit Velocity: Track the frequency and volume of cash deposits into accounts within short windows (e.g., 3 hours).

  2. Link to Outbound Transfers: If an account receives three or more distinct cash deposits within this 3-hour window, and subsequently, over 90% of the total sum deposited is transferred out (again, within that same approximate timeframe), this should trigger a high-priority alert.

  3. Potential Actions: Investigate the source of deposits and the destination of transfers. Review customer history for similar patterns. This may warrant filing a Suspicious Activity Report (SAR) if other red flags are present.

Rule 3: Weekend Activity + High-Risk Geolocation = Heightened Suspicion

The Fraud Pattern Unpacked:
Fraudsters often intensify their activities during periods when they perceive oversight might be reduced, such as weekends or public holidays. When this timing is combined with transactions originating from or directed to geographies known for high levels of fraudulent activity or lax regulatory environments, the risk level increases significantly, especially if the transaction amount is also unusually large for the customer.

Why This Composite Rule Matters:

  • Weekend Exploitation: Some fraud systems or manual review teams may have reduced capacity over weekends, which attackers try to leverage.

  • Geographical Risk: Certain jurisdictions are well-documented sources or destinations for fraudulent funds.

  • Anomalous Amount: A transaction significantly larger than the customer's average, especially when combined with other risk factors, warrants scrutiny.

The Rule Logic (Pattern Summary):
IF (day_of_the_week IS Saturday OR Sunday)
AND (transaction_geo_location IS IN pre-defined_high_risk_countries_list)
AND (transaction_amount >= customer_average_transaction_amount * 1.5)
THEN Flag for Review

What to Do (Actionable Steps for Analysts):

  1. Contextualize Weekend Transactions: Pay closer attention to transactions occurring on Saturdays and Sundays.

  2. Maintain High-Risk Geo Lists: Regularly update and utilize lists of countries or regions flagged for higher fraud risk.

  3. Benchmark Against Averages: If a weekend transaction originates from or is destined for a high-risk geography, and its value is, for example, 1.5 times (or more) greater than the customer's typical transaction amount, this should trigger an alert.

  4. Potential Actions: This might require closer scrutiny, step-up authentication, or a delay in processing until further verification, especially if the customer has no prior history of transacting with that geography.

Rule 4: SIM Swap + USSD + Spike

The Fraud Pattern Unpacked:
SIM swap fraud is a significant threat where fraudsters gain control of a victim's mobile number. With control, they can intercept OTPs or exploit USSD channels for mobile banking. A sudden, uncharacteristic spike in transaction activity or value via USSD, shortly after indicators of a SIM swap, is a major red flag.

Why This Composite Rule Matters:
SIM swap frauds are often executed quickly over USSD channels because fraudsters rely on these low-friction interfaces once they've compromised the SIM.

The Rule Logic (Pattern Summary):
IF (transaction_channel IS USSD)
AND (transaction_amount >= user_historical_USSD_average_amount * 2)
AND (user_profile_indicates_SIM_swap_within_last_72_hours IS TRUE)
THEN Flag for High-Priority Review / Temporary Block

What to Do (Actionable Steps for Analysts):
Watch for USSD transactions that are double the user's typical USSD transaction value, occurring within 72 hours of a known or suspected SIM change/swap for that user's profile. This warrants immediate high-priority review, potential temporary USSD channel block, and customer contact via alternative channels.

Rule 5: Cross-Channel Confusion

The Fraud Pattern Unpacked:
Fraudsters may rapidly hop between different banking channels (e.g., mobile app, then USSD, then internet banking) in a short period to execute various stages of an attack or to create confusion. This unusual channel hopping, especially when accompanied by an elevated total transaction volume, is suspicious.

Why This Composite Rule Matters:
Legitimate users typically have preferred channels and don't switch erratically between multiple channels for a series of transactions in a very short timeframe, particularly if the total value is high.

The Rule Logic (Pattern Summary):
IF (count_of_distinct_transaction_channels_used_by_user_in_last_24_hours >= 3)
AND (total_transaction_amount_by_user_in_last_24_hours >= user_average_daily_transaction_amount * 1.5)
THEN Flag for Review

What to Do (Actionable Steps for Analysts):
Monitor for user activity that occurs across 3 or more distinct transaction channels within a 24-hour period, especially if the total transaction volume during that time also significantly exceeds the entity’s usual daily volume (e.g., 1.5 times the average).

Rule 6: Ajo-style Cycles with Red Flags

The Fraud Pattern Unpacked:
Informal rotating savings and credit associations (ROSCAs), like "Ajo" or "Esusu" in Nigeria, involve regular contributions and payouts to members. While legitimate, the transactional patterns (regular payments to a group of beneficiaries) can sometimes resemble structured fraudulent activity if fraud rules are too rigid and don't account for these cultural financial practices. However, fraudsters might also try to mimic these cycles with illicit intent.

Why This Composite Rule Matters:
It's crucial to differentiate legitimate Ajo-style activity from fraudulent cycling of funds. The red flags appear when beneficiaries are very new, turnover is rapid, and amounts are consistently high without established history.

The Rule Logic (Pattern Summary):
IF (count_of_new_beneficiaries_added_by_user_in_last_30_days > 3)
AND (transaction_frequency_to_these_new_beneficiaries > user_baseline_frequency_to_established_beneficiaries)
AND (average_transaction_amount_to_these_new_beneficiaries > ₦200,000)
THEN Flag for Closer Monitoring

What to Do (Actionable Steps for Analysts):
Use adaptive thresholds. Don’t automatically flag single transactions that fit an Ajo pattern. Instead, watch for rapid cycling of funds (e.g., amounts over ₦200,000) to more than 3 new beneficiaries added within 30 days, where the payment frequency to these new beneficiaries is higher than the user's baseline activity with older, established beneficiaries. This suggests a deviation that needs review rather than outright blocking legitimate Ajo.
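
To show how the three conditions separate an Ajo-like cycle from rapid cycling, here is an added example that is not part of the original playbook. It assumes "frequency" means payments per beneficiary within the 30-day look-back; the identifiers and payment records are constructed.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)
MIN_AVG_NGN = 200_000


def rule6_check(now, added, payments):
    """Evaluate Rule 6 for one user; return (flagged, metrics).

    added: beneficiary id -> datetime the user added it
    payments: (ts, beneficiary id, amount) tuples
    Assumption: "frequency" means payments per beneficiary inside the
    30-day look-back, computed separately for new and established payees.
    """
    new = {b for b, ts in added.items() if now - LOOKBACK <= ts <= now}
    established = set(added) - new
    recent = [(b, amt) for ts, b, amt in payments if now - LOOKBACK <= ts <= now]
    to_new = [amt for b, amt in recent if b in new]
    to_old = [amt for b, amt in recent if b in established]
    freq_new = len(to_new) / len(new) if new else 0.0
    # With no established payees the baseline is 0, so any payment to a new
    # payee exceeds it; the other two conditions still have to hold.
    freq_old = len(to_old) / len(established) if established else 0.0
    avg_new = sum(to_new) / len(to_new) if to_new else 0.0
    flagged = len(new) > 3 and freq_new > freq_old and avg_new > MIN_AVG_NGN
    return flagged, {"new": len(new), "freq_new": freq_new,
                     "freq_old": freq_old, "avg_new": avg_new}


# Constructed sample data (not real customers).
NOW = datetime(2025, 3, 31, 12, 0)


def days_ago(n):
    return NOW - timedelta(days=n)


ADDED = {**{f"OLD-{i}": days_ago(200) for i in range(6)},
         **{f"NEW-{i}": days_ago(10) for i in range(4)}}
# Ajo-like: every group member, old or new, is paid once in the cycle.
AJO = [(days_ago(5), b, 300_000) for b in ADDED]
# Cycling: the four new payees are each paid three times in the same period.
CYCLING = ([(days_ago(d), f"NEW-{i}", 250_000) for i in range(4) for d in (1, 3, 5)]
           + [(days_ago(5), f"OLD-{i}", 50_000) for i in range(6)])
```

The Ajo-like set is not flagged even though its amounts exceed ₦200,000, because new members are paid no more often than established ones.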

Rule 7: ATM Raids in Clusters

The Fraud Pattern Unpacked:
When fraudsters gain access to card details or a compromised account, they may attempt to maximize cash extraction quickly by making multiple ATM withdrawals from different locations in a short timeframe. They often test withdrawal limits at each ATM.

Why This Composite Rule Matters:
Multiple, rapid ATM withdrawals, especially if the amounts are significantly higher than the user's average withdrawal and spread across different ATM locations, strongly indicate unauthorized access and an attempt to drain funds before detection.

The Rule Logic (Pattern Summary):
IF (current_ATM_withdrawal_amount >= user_average_ATM_withdrawal_amount * 3)
AND (count_of_distinct_ATM_locations_used_by_user_in_last_12_hours >= 3)
THEN Flag for Urgent Review / Temporary Card Block

What to Do (Actionable Steps for Analysts):
Track rapid ATM withdrawals. If a withdrawal is significantly higher than the user's usual withdrawal amount (e.g., 3 times the average) AND this is part of a pattern of withdrawals from 3 or more distinct ATM locations within a 12-hour window, this should trigger an urgent alert and potentially a temporary card suspension pending verification.

Rule 8: KYC Mismatch & Stale Information

The Fraud Pattern Unpacked:
Outdated Know Your Customer (KYC) information can be a significant vulnerability. If a customer's declared income or transactional behavior profile hasn't been updated in a long time, and then suddenly there are transactions vastly disproportionate to that old information, it could indicate account takeover or that the initial KYC was fraudulent or is no longer representative.

Why This Composite Rule Matters:
Infrequent KYC updates combined with a significant mismatch between declared financial capacity and actual transaction amounts suggest that the onboarding data might be outdated, inaccurate, or potentially fraudulent.

The Rule Logic (Pattern Summary):
IF (current_transaction_amount >= user_profile_declared_income_or_expected_turnover * 3)
AND (time_since_user_profile_KYC_last_update >= 12_months)
THEN Flag for Review / KYC Update Request

What to Do:
Flag unusually large transactions (e.g., three times the declared income or expected turnover in their profile) for customer profiles where the KYC information has not been updated for 12 months or more. This could prompt a review and a request for updated KYC documents.

Rule 9: Business Impersonation via Instant Payment

The Fraud Pattern Unpacked:
Scammers often create individual accounts that they then use to impersonate legitimate businesses, tricking victims into sending payments for goods or services that will never be delivered. The payment goes to an individual account masquerading as a business.

Why This Composite Rule Matters:
Many sophisticated scams involve social engineering where victims are convinced to pay what they believe is a business, but the beneficiary account is actually an individual's. Large payments to a new business-type beneficiary from an individual, especially without prior trading history, are suspicious.

The Rule Logic (Pattern Summary):
IF (source_account_type IS INDIVIDUAL)
AND (beneficiary_account_type IS BUSINESS OR appears_to_be_business_named)
AND (transaction_amount >= ₦1,000,000)
AND (this_beneficiary_is_new_for_the_source_account)
THEN Flag for Review

What to Do:
Alert if an individual account makes a large payment (e.g., ₦1 million or more) to a new beneficiary account that is classified as or appears to be a business account. This is especially relevant if there's no prior trading pattern between the two entities. Verification might be needed.

Rule 10: Instant Loan Flash Exit

The Fraud Pattern Unpacked:
The proliferation of instant loan services, while beneficial, has also opened avenues for loan fraud. Fraudsters apply for loans (often using stolen or synthetic identities) with no intention of repayment. Once the loan is disbursed, the funds are immediately funneled out of the account through transfers or cash withdrawals.

Why This Composite Rule Matters:
Loan fraud is rampant in ecosystems with instant loan payouts. The speed at which funds are moved out immediately after loan disbursement is a key indicator of fraudulent intent.

The Rule Logic (Pattern Summary):
IF (a_loan_was_recently_disbursed_to_the_account)
AND (total_cash_out_or_transfer_out_amount >= 0.90 * disbursed_loan_amount WITHIN 1_hour_of_disbursement)
THEN Trigger Real-Time High-Priority Alert / Block

What to Do:
Trigger real-time, high-priority alerts (and potentially temporary blocks) when a significant portion (e.g., 90% or more) of a recently disbursed loan amount is cashed out or transferred out of the recipient account within a very short timeframe, such as one hour of the loan disbursement.
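
Rule 2 (Deposit-Transfer Tunneling) and Rule 10 share one shape: money arrives, and 90% or more of it leaves inside a short window. The following added example, which is not from the original playbook, implements that shape once and expresses both rules as parameters of it; the event labels and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta


def flash_exit_alerts(events, inflow_kind, outflow_kinds, window, min_inflows, pct=90):
    """Return the timestamps of outflows at which the rule condition is met.

    events: (ts, kind, amount) tuples for one account, amounts as integers.
    For each outflow at time t: take the inflows of `inflow_kind` that landed
    in [t - window, t]; if there are at least `min_inflows`, add up the
    outflows made since the first of them and compare with pct% of the inflows.
    """
    events = sorted(events)
    alerts = []
    for t, kind, _ in events:
        if kind not in outflow_kinds:
            continue
        inflows = [(ts, amt) for ts, k, amt in events
                   if k == inflow_kind and t - window <= ts <= t]
        if len(inflows) < min_inflows:
            continue
        first_in = inflows[0][0]
        moved_out = sum(amt for ts, k, amt in events
                        if k in outflow_kinds and first_in <= ts <= t)
        # Integer arithmetic keeps the 90% boundary exact.
        if 100 * moved_out >= pct * sum(amt for _, amt in inflows):
            alerts.append(t)
    return alerts


def rule2_tunneling(events):
    # Rule 2: three or more cash deposits, 3-hour window, transfers out only.
    return flash_exit_alerts(events, "cash_deposit", {"transfer_out"},
                             timedelta(hours=3), 3)


def rule10_loan_exit(events):
    # Rule 10: one disbursement, 1-hour window, transfers or cash-outs.
    return flash_exit_alerts(events, "loan_disbursement",
                             {"transfer_out", "cash_withdrawal"}, timedelta(hours=1), 1)


# Constructed sample events (not real data).
T0 = datetime(2025, 3, 8, 9, 0)
M = timedelta(minutes=1)
SMURF = [(T0, "cash_deposit", 400_000), (T0 + 40 * M, "cash_deposit", 450_000),
         (T0 + 75 * M, "cash_deposit", 350_000), (T0 + 100 * M, "transfer_out", 600_000),
         (T0 + 130 * M, "transfer_out", 520_000)]
LOAN = [(T0, "loan_disbursement", 500_000), (T0 + 12 * M, "transfer_out", 300_000),
        (T0 + 25 * M, "cash_withdrawal", 180_000)]
```

In both samples the first outflow alone stays under 90%, so the alert fires only on the outflow that pushes the cumulative total over the threshold.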

Final Note for Analysts & Regulators

The above-mentioned rules illustrate how a composite rule strategy can significantly enhance fraud detection capabilities within Nigeria's Open Banking and real-time payment systems. These examples are composite by design: they combine multiple signals, time constraints, and dynamic baselines to reduce false positives. Always localize thresholds based on your institution's risk appetite and customer base. It's crucial to allow for legitimate behavioral exceptions (e.g., genuine Ajo contributions, informal trading patterns for certain customer segments) by using profile-based segmentation and adaptive analytics where possible. Continuous monitoring, back-testing, and refinement of these rules with AI, such as auto-grapher from Loci AI, are essential to stay ahead of evolving fraud tactics.