This blog was co-authored by Silvia Baur-Yazbeck, a financial sector analyst at CGAP, whose recent work focuses on data protection and cybersecurity.
Mobile financial services have been a significant driver of financial inclusion over the past several years. As of 2018, the mobile money industry continued to show marked growth, with more than 866 million registered accounts in 90 countries and over $1.3 billion transacted every day among users, many of whom were using financial services for the first time. However, the rise in fraud, system outages and data breaches in developing countries is eroding consumer trust in mobile financial services. Cyber-attacks also threaten the mobile industry with potentially irreparable reputational damage that could, in turn, lead to loss of market share and weaken incentives to innovate. For these reasons, cybercrime poses a real threat to financial inclusion and efforts to close the digital divide.
In a recent stakeholder workshop on cybersecurity in emerging financial markets, industry players considered these challenges and identified two main ways to help financial service providers become more cyber-resilient.
1. Harmonise industry standards
In developed and developing economies alike, the digital financial services industry recognises the growing risks of cybercrime and its responsibility to protect the global financial system. However, there remains a need for uniformity in the industry’s approach to cybersecurity. Partnership agreements, industry associations and local regulatory requirements are seldom uniform, making compliance management a difficult task, especially across markets. In addition, national regulatory frameworks and supervisory practices vary greatly from one country to the next in terms of who and what they cover. The industry must continue to collaborate with regulators and policymakers to define and agree on smart data privacy laws that are horizontal and technology-neutral.
As a stopgap measure, the use of industry standards across jurisdictions can help ensure uniformity in the level of data protection and privacy across markets. International standards, such as those from ISO and NIST, provide a principles-based, harmonised approach to security that addresses the gap in national legal and regulatory frameworks. This uniformity is useful for providers, as it builds consumer trust and confidence and increases the uptake of services. Ultimately, it can boost innovation and incentives to invest in the sector. Sector-specific initiatives can further enhance the security of providers and systems and put them in a stronger position for compliance once legal and regulatory frameworks are developed. This is particularly important for markets with low-income populations that may access financial services via less secure devices and transmission channels.
The GSMA Mobile Money Certification defines and promotes excellence in the provision of mobile money services. It advocates eight principles, including “Security of Systems” and “Data Privacy,” and provides standards that can be measured against global industry best practices. The certification is open to all mobile money providers, whether they are a mobile network operator, a bank or an over-the-top provider.
However, industry standards alone will not be sufficient. Legal and regulatory frameworks also need to be harmonised across jurisdictions and follow principles-based approaches that reference international standards. Additionally, policymakers must play a key role in enforcing standards and developing cooperation mechanisms for the investigation and prosecution of cybercrime across jurisdictions. The public and private sectors can become much stronger by collaborating and maintaining an open dialogue on cyber-related issues.
2. Collaborate across the ecosystem
As cybersecurity concerns continue to grow, the broader financial services industry recognises the need for collaboration across all players in the sector. Banks, mobile money providers and other third-party providers in the financial ecosystem are coming together to share intelligence and create solutions to address the cybersecurity challenge.
Examples include the mobile money and fraud risks forum led by Safaricom, which has strengthened Kenya’s digital finance ecosystem and facilitated collaboration to reduce mobile money fraud. The Nigeria Electronic Fraud Forum, led by the Central Bank of Nigeria, is working proactively to safeguard the country’s e-payment platforms. At a global level, the World Economic Forum’s Global Centre for Cybersecurity, launched in 2018, aims to counter organised digital crime.
These forums have one goal in common: to promote cybersecurity by facilitating collaboration, exchanging information and developing common standards among governments, businesses and law enforcement agencies. For these forums to succeed, a high level of trust and confidentiality is essential to facilitate open discussions on the key cyber-related issues facing the industry. Experience from industry-led fraud and security communities, such as the South African Banking Risk Information Centre (SABRIC) or the GSMA Fraud and Security Group, suggests that industry associations are well placed to lead the exchange with supervisors in order to maintain confidentiality and allow for open and frank discussions.
In the recent workshop, industry players unanimously agreed that a multi-stakeholder approach is required to address cybercrime in developing countries. Harmonised standards and more collaboration would greatly improve cybersecurity risk management practices in digital financial services. Other cybersecurity measures worth considering are the establishment of internal risk management frameworks and accountability mechanisms among industry players, shared monitoring systems for small- and medium-sized financial service providers, collaboration with universities and academics working on cybersecurity, and additional investments in training and coaching young cyber-professionals. Industry associations can also play a role in encouraging industry to develop adequate recourse processes for victims of mobile money fraud and cyber incidents. These initiatives can safeguard the integrity and reputation of mobile financial services, which are key to achieving financial inclusion.