Protecting Digital Financial Data: What Standard-Setters Can Do

Posted by Louis de Koker and David Watts from CGAP
12 Oct 2016

Digital financial services (DFS) provide important solutions to financial inclusion challenges. Indeed, without appropriate use of DFS, it is unlikely that the global objective of broad-based financial inclusion will be achieved.

While the benefits of DFS are generally acknowledged, it is also appreciated that they pose risks. The 2016 Global Partnership for Financial Inclusion (GPFI) white paper, Global Standard-Setting Bodies and Financial Inclusion: the Evolving Landscape, highlighted privacy and data security risks and called for international financial Standard-Setting Bodies (SSBs) to explore these risks as well as potential solutions. Why are they concerned and what steps can SSBs take to improve data security?

Significant opportunities and increasing risks

When cash and payments are digitized, the value previously represented by coins, notes and book entries is embedded in data. The data can improve customer centricity and the delivery of cheaper and more appropriate services to customers. Many of these benefits are already evidenced in services provided to and used by millions of customers. The data can also serve development objectives of governments. Data, however, are also a new frontier of crime and war, and financial data in particular are under threat. Policy makers are therefore challenged to ensure that data are appropriately protected and can be accessed by appropriate users, while shielded from those who would abuse them.

Risks may present themselves in various forms. Personal information of customers, for example, may be lost or stolen. When the IT system of a financial service provider is attacked, large-scale loss of personal data may occur. According to Symantec, more than 500 million digital identities were exposed or stolen in 2015.

IT systems may also be accessed and manipulated to effect criminal payments. A scheme by the so-called Carbanak cybergang reportedly targeted more than 100 financial institutions in 30 countries, diverting millions to dummy accounts. The 2016 theft of $81 million from Bangladesh’s official account at the Federal Reserve Bank of New York shows that even central banks and the SWIFT messaging system can be targeted. Cyber attackers may also aim to shut down a service or bar access to data to benefit competitors or extort money.

Attacks are not necessarily aimed at criminal enrichment. The objective of cyber war and cyber terror attacks may be to destroy or contaminate data to ruin a provider or destabilize a country’s financial system. In 2013, South Korean banks were targeted with data-wiping malware. The attack on Sony Pictures in 2014 combined theft of data and destruction of data with privacy breaches, when personal information of current and former employees was posted online.

While such risks are common to modern data-driven institutions, DFS that drive financial inclusion have to contend with a range of contextual challenges, too. These include users and agents who may lack an understanding of appropriate data security practices, and the use of equipment that may not provide adequate protection against malware. The challenges of ensuring appropriate practices by all parties increase in a developing country context where privacy frameworks may be absent or under-developed.

To date, the impact of data security breaches with respect to low-value products has been limited. While this is unlikely to continue as DFS in these markets expand, policy makers are also keenly aware that imposing overly cautious control measures may increase the costs of the services. Regulators are therefore confronted by difficult questions regarding the nature and the timing of appropriate policy and regulatory interventions.

Technology presents solutions

While technology gives rise to these challenges, it also produces potential solutions. PIN-based security may, for example, be improved by biometrics supported by appropriate privacy and security frameworks. Blockchain technology and similar approaches using distributed electronic ledgers provide an increasing number of privacy-enhancing identity assurance solutions that could lend themselves to broader adoption by DFS providers. Semantic web technologies providing smart contract solutions and enabling embedded compliance, privacy and data protection measures may mitigate or avoid some of the data risks in the current system.

GPFI recommendations

In its 2016 white paper, the GPFI made two important recommendations for SSBs to move forward on privacy and data security:

  • Jointly explore consumer data privacy and security risks in digital financial inclusion and potential solutions driven by new technology. Such a joint exploration could study the use, abuse and protection of customer data, including the challenges faced in data protection and the impact of appropriate regulatory measures, and the emerging new technologies relevant to customer data and the protection of privacy.
  • Develop guidance on data protection, privacy and minimum data security standards for technology and business models used in digital financial services.

The recommendations are ambitious, but we believe they correctly identify the need for SSBs to collaboratively study these important topics to produce guidance for national supervisors. Data security and privacy, however, extend far beyond financial services, and the SSBs will therefore need to collaborate with nonfinancial stakeholders, too, including technical standard-setters such as the International Telecommunication Union and the International Organization for Standardization.

Appropriate action by SSBs will support the trust required to ensure that DFS continues to broaden financial inclusion.