12 min read
Our Take: The proliferation of fintech has taken Nigeria by storm. Fintech applications and services have become extremely important in the lives of everyday Nigerians, replacing the traditional banking system among many users. Such usefulness and value is a natural attraction for cybercriminals, even more so that it involves the financial sector. Thus, Fintech companies have to invest in cybersecurity from the onset, so as to have a solid cybersecurity foundation for protecting their products, services, data, reputation and perhaps more importantly, the data of their customers.
Abstract
In 2016, the Cyber Security Experts Association of Nigeria (CSEAN) estimated that Nigeria loses N127,000,000,000(One Hundred and Twenty Seven Billion Naira) annually to cyberattacks. With the emergence of FinTech and Digital Businesses in Africa, the figure is bound to triple. Several FinTech and E-commerce startups overlook the importance of the position of a Chief Information Security Officer (CISO) in the early development stages. The concept of “waiting till there is a breach” can cripple businesses when a data breach finally occurs. Big companies strive to ensure that the private information of all its users are protected and these firms strive to be transparent on the information they access and how it is been used. The purpose of this Article is to throw into limelight the hurdles FinTech and Digital Business go through such as Regulations, Data protection, Cybersecurity and cyberattacks, and Intellectual Property thefts; and the best solutions to these hurdles.
1. INTRODUCTION
Financial Technology “FinTech”/Digital Businesses are a great ecosystem. It is already in the process of disrupting the old financial institution structure and also making people realize that money exchange, insurance, investment, and other financial service are going to be totally different in the next 10 years. With FinTech, the change is wide-reaching; increasing operational efficiencies and productivity, providing alternative funding and, importantly, financial inclusion. Such developments include mobile payments, big data, natural voice recognition and response, use of crypto or virtual currencies, and artificial intelligence.
Investments in FinTech in Nigeria and other parts of Africa have moved from about $198 million in 2014, to $800 million currently. Though global investments in FinTech were put at $19 billion in 2015, indications have shown that investors are increasingly attracted to the industry’s potential to tap Africa’s huge un-served/underserved population (NIPC, 2016). While this investment and transformation are taking place across the Finance industry, the momentum of growth is under attack wherein the security and safeguarding of assets and data are becoming increasingly important due to its proliferating threats which pose an ever-increasing danger to FinTech and the customers who use the services. This essay, therefore, explains why FinTech companies must plan and build from the very beginning effective ways to address, data breaches, cybersecurity, and privacy issues.
2. THE EMERGENCE OF FINTECH AND DIGITAL BUSINESS INNOVATION
Today, FinTech is a cliché. It is the innovative approach by financial sectors in the world to deliver payment solutions and services to customers with the ease of a button. The mobile applications built by various startups and tech companies are instances.
What is FinTech? FinTech which stands for Financial Technology is a concept, a movement, a transformation, and a disruptive innovation that addresses the customers’ issues and needs as it pertains to payment or financial services through automation of new and emerging technologies (Palermo, 2017) such as Artificial Intelligence, Machine Learning, Data Analytics, etc.
The concept of FinTech can be traced to the 1950s (Desai, 2015) when credit cards were introduced into society. The movement started shortly after the introduction of credit cards, to the installation of Automatic Teller Machines (ATMs) to replace cashiers and tellers in bank branches. The transformation continued to the 1970s when electronic and thereafter, online stock trading was introduced in the Stock Exchange markets to improved record and data keeping of banking customers. The disruption came towards the end of the 20th century and the beginning of the 21st century. The rise of the internet and E-commerce business drew digitized and faster financial services for users. These services are categorized into robo-advisors for wealth, assets and retirement plans, crowdfund platforms, payment apps, mobile wallets, alternative lending platforms, and alternative investment opportunities. These categories of financial services serve a singular purpose – addressing the needs of the consumers. This is rather different from traditional banking services, which is the institutional legacy. Banks are programmed to offer services and enhancements that will improve the lending, savings, and investment opportunities of its customers through the traditional modality. But as Philippe Gelis, CEO of Kantox pointed out, “FinTech is changing the finance sector just like the internet changed the written press and the music industries.(Uzeb, 2018)”
Thus, from ALAT to Cowrywise, to Flutterwave, to Mpesa, to PayStack, to Remita, to VISA, to Zoona (Gulamhuseinwala & Bull, 2017), all these FinTech firms across the world share two basic characteristics, which are customer propositions’ focus and novelty in the application of emerging technologies.
Just like the Baby boom, the FinTech boom is associated with the millennial (Villasenor, 2016). These are customers within the age of 22 – 34 years. These brackets grew up in the age of internet and tech-gadgets and as such will value simple, convenient, readily personalized and transparent services than the traditional system of long waits and queues. The attraction to these services whether in wealth or financial management, retail banking or insurance is the ease in accessing them with mobile devices.
The birth of FinTech cannot be told without E-commerce. The e-commerce business models helped radicalize and revolutionize how consumers transact businesses. Therefore, the era of rushing to the bank to make a cash deposit, while hoping that the transaction will be marked completed before the official closing time of a bank, has been relegated to the background with the advent of emerging technologies in the financial sector.
Now, mobile banking apps have helped customers simply make an order online and make payments without leaving a pinpoint location. Hence, digital businesses are online marketplaces where for product-focused or service- focused companies or firms strive to deliver personalized and seamless user experiences to consumers.
These experiences are either targeted through data and analytical research to ensure an increasingly recurring effect. Therefore, the FinTech firms and digital businesses have created a ripple effect through the digitalization of traditional processes to draw consumers to its products and services through innovative, disruptive and emerging technologies. The pertinent question to ask is if the emergence of FinTech would be porous to cyber attacks and if such will likely to affect the solid foundations of banking systems?
3. THE MISMATCH BETWEEN FINTECH AND REGULATION
The innovation with the FinTech world is happening at a light-speed, unlike their slow and laborious counterparts, thereby creating a wide gap between FinTech solutions and regulation. This gap is acute in FinTech and particularly so with respect to cybersecurity in the FinTech context (Oloyede, 2018).
Faced with this gap in Nigeria and with the rising nature of cybercrime around the world and Nigeria having its own fair share, leading to a huge financial loses, loss of trust with the potential risk of exploitation of design vulnerabilities, identity theft, malware attacks, and malicious use that post risk to security and safety of individual[8]; prompted the Central Bank of Nigeria (CBN) to release a set of guidelines sometimes in June 2018 to curb/fend off these attacks across Deposit Money Banks (DMBs) and Payment Service Providers (PSPs) as a requirement to increase cybersecurity (CBN, 2018).
The proposed guidelines by the CBN are set to come into force on January 1st, 2019. The increased sophistication of attacks has resulted in the huge financial losses, loss of trust with the potential risk of exploitation of design vulnerabilities, identity theft, malware attack, and malicious use that post risks to security and safety of individuals.
Good governance and regulation is profitable for FinTech as they increasingly rely on automated and electronic systems thereby posing as a risky venture for differently sophisticated cyber-attacks, regulators will have to calibrate its regulations and policies within the FinTech industry to ensure data protection and privacy, consumer protection and cybersecurity and ensuring FinTech firms be bound to maintain a level of security without stifling innovation
What Regulators should not do? Regulators should not rush into implementing hasty regulations that could end up stifling innovation; this does not suggest that Regulators should do nothing at all.
Regulators should be proactive; there should be a constant collaboration FinTech firms and Regulators, these will immensely assist regulators in understanding the technology surrounding FinTech, thereby giving the Regulators clearer perspectives that can help ensure that any new regulations will not have collateral damage to the FinTech innovation ecosystem.
In addition, this engagement can benefit FinTech firms to have a better understanding of pertinent cybersecurity issues such as data protection and privacy.
4. PROBLEMS OF FINTECH AND DIGITAL BUSINESS
There are several problems plaguing FinTech and Digital Businesses across the globe but in the course of this essay, only four (4) pertinent problems shall be addressed.
a. Regulations
A huge barrier to FinTech firms and Digital businesses globally are Regulations. Regulation Laws are constantly a hindrance to the growth and scaling up of these disruptions.
For instance, a firm may decide to expand its financial services beyond the boundaries of its country and the shores of its continent, only for the progress to be hindered by varying regulations laws. In the USA alone, there are ten (10) Regulations laws (Chritiansen, et al, 2018) while in Nigeria, the Central bank of Nigeria (CBN) guidelines for regulation and licensing of financial firms are daunting. Also, a part of the Regulations barrier is legal fees for application and filing of the licenses. To ensure that startups gearing towards financial ease are not suffocated at the early stages of business, these Regulations ought to be relaxed.
b. Data
The fuss about data protection and privacy came into limelight with the data breach of millions of Facebook accounts. The data breach was linked between Facebook and Cambridge Analytica. It drew attention to what happens when private data are mined and sold on the dark web.
By May 2018, the European Union (EU) pushed for the General Data Protection Regulation (GDPR) which offers guidelines on how personal information of EU citizens is to be handled. It mandated all companies in the EU, including companies outside the EU but with clients/customers/servers located in the EU to comply with its laws or face penalties.
Thus, companies were mandated to be transparent on how personal information of its users are accessed and used either for analytical, marketing, advertising, or research purposes. Thereafter, the new European Payment Services Directive (PSD2) which mandated Payment Service Providers to be transparent to its customers on how their information is used or shared.
c. Cyber Security and Cyber Attacks
FBI Director, Robert Mueller in the RSA’s Cyber Security Conference in 2012 stated that “I am convinced that there are only two types of companies: those that have been hacked and those that will be.” It is increasingly difficult for FinTech firms in the early stages of development to consider the risks of cyber- attacks and the issue of cybersecurity. Cyber Security Analysts are canvassing for a full-time position of a Chief Information Security Officer (CISO) in every FinTech startups or firms, and digital businesses, but mostly due to limited funds, companies rarely heed the call until they are hacked.
Firms ought to establish some level of protection especially when it pertains to personal information including credit cards information of its users. This is one of the crucial problems plaguing FinTech and Digital Businesses, especially in Africa.
d. Intellectual Property Theft
With the advent of innovative and emerging technologies comes increased theft of intellectual property rights. There are several cases pertaining to Patent trolls, theft of copyrights, and trade secrets. It is strongly canvassed that individuals and companies should ensure that their ideas are always protected.
It is no surprise that there is a strong clamor for Non-Disclosure Agreements and Transfer/Assignment of IPR Agreements where necessary. This is to restrict the pains and expenses associated with long legal battle or litigation. These problems are not only restricted to FinTech firms but are also seen in E-Commerce businesses across the globe. Addressing these problems will be of tremendous impact on the growth of innovative disruptions in Africa and the world.
5. MEASURES IN SAFEGUARDING FINTECH AND DIGITAL BUSINESS
As the FinTech industry is evolving heavily, it is potentially vulnerable to attacks by malicious entities. FinTech companies must, therefore, endeavor to build and plan, from the very beginning effective ways to address cybersecurity, data security, and privacy protection right from the onset.
This is absolutely essential because these particular threats are proliferating and thus pose an increasing danger to FinTech companies and the customers who use their services. So what is the best measure acceptable for the adaptation and protection of FinTech companies and Digital businesses for its customers?
Cybersecurity should be a top policy priority in the FinTech industry. Cyber-attacks have potential systemic financial stability risks and can discourage adoption of FinTech. Thus, there is an urgent need to adopt proactive measures that should be extended throughout the products and services lifecycles.
This will create room for the anticipation of wrong moves and porous measures; thereafter, put in place a robust, and effective measures to prevent, and mitigate itself from having serious problems in the areas of privacy protections, cybersecurity, denial of service attacks, insider threat, malware injection, insecure APIs, shared vulnerabilities and data security.
a. Proactive Measures
The proactive measure that should be adopted are:
- The development of a comprehensive cybersecurity framework that includes prevention, detection, monitoring, information sharing, financial and technology literacy, and recovery plans.
- The adoption of solemn responsibilities by FinTech companies and digital businesses to protect their overall architecture. Transactions usually take place across the interconnected global data communication enterprise which increases the overall vulnerability. New technologies should integrate security measures into their design.
- Regulatory oversight should ensure that the FinTech industry has cybersecurity implemented throughout its payments chain.
- Investments in technologies that prevent cybersecurity should be accompanied by training programs to increase awareness amongst staff, to prevent weak links which cybercriminals can exploit.
- Enrich financial security literacy through multiple platforms to reach consumers, investors, and small business owners who need it most. The FinTech industry is also expected to educate its customers on the “whys” and “whats.”
For instance:
- Why they keep their bank account details and electronic devices?
- The Security and safety of FinTech applications.
- Why their data and personal information is at risk.
- What customers should look out for in terms of suspicious situations?
- What is okay to share and not okay to share?
Though educating customers on why it is necessary and how it helps mitigate risks will not only help protect the FinTech industry customers, but it will also strengthen their trust in the FinTech brand and its ability to protect customer’s information
b. Clear laws and regulations to FinTech transactions and licensing requirements
The FinTech industry needs a dynamic regulatory architecture that can address risks as they emerge in the fast- changing landscape which can be relied upon. This will help identify gaps and restrictions in the law and regulations that hamper innovation and can enable development of a comprehensive and systematic roadmap for reforms. Regulatory sandboxes can facilitate a better understanding of the risks posed by FinTech firms and enable the appropriate design of regulations.
6. EMBRACING FINTECH
As previously stated, FinTech is a novel idea with a ripple effect on the banking and financial landscape across the globe together with immeasurable opportunities for emerging economies like Nigeria.
The CBN as a Regulator will have to find the right balance between protecting customers and creating non-stifling regulations. By doing so the CBN has undertaken a range of measures to promote financial inclusion, and one of them is supporting the FinTech ecosystem by the unveiling of a smart initiative to create a regulatory sandbox programme to support budding FinTech companies.
The objective of having a regulatory sandbox is to empower small companies, which we refer to as start-ups, innovators, technology companies and young Nigerians that have great ideas but lack the financial wherewithal to bring out their products or even integrate the ideas with the banking sector.
This is in recognition of the roles that FinTech play in the financial industry and the need for regulatory support, to assist them to play these roles within the market fit and security benchmark.
Regulatory sandboxes provide an environment of reduced regulatory constraints on innovative financial products and services. They enable financial services innovators – both incumbents and startups – to test new products and services in a “safe area”, providing greater flexibility or even exemptions from existing regulation.
Sandboxes can be highly valuable to financial services institutions in three important ways:
- They reduce the time and cost of getting innovation to market. They provide innovators with greater access to finance by reducing risks of client adoption and increasing returns on capital investment.
- They enable innovators to work with regulators to ensure new development of technologies and a business model aligns with regulations. The increasing reliance on automated and electronic systems FinTechs represents a risky venture because it requires them to be secure from cyber-attacks.
- Financial information is a high-value target for many cybercriminals, and it is imperative that both startups and established companies be bound to maintain a minimum level of security.
Fintech firms have increasingly attractive targets and typically have fewer resources dedicated to cybersecurity, as they prioritize growth and product-market fit. Regulators have to calibrate their policies and regulations to ensure an adequate level of cybersecurity and data privacy while encouraging innovation.
7. CONCLUSION
There may be ongoing debates on the unexplored areas of FinTech, Digital Businesses, and Cybersecurity for a decade to come. But, the foreseeable option for emerging digitized businesses disrupting the financial sector should be security.
The importance of security cannot be overemphasized. When big companies globally get hacked, the smaller ones with porous firewalls becomes a testing ground. Thus, while there are innovative disruptions that address the customers’ needs, there should be cybersecurity measures to protect customers’ personal information.
- Why wait for the panic mode of a security breach when you can take preventive measures to erode and avoid them?
- Why make unnecessary expenses later on recovering hacked data when you can spend less protecting them?Security, Protection, Privacy, and Transparency should be the bedrock of every FinTech firm and Digital business in Africa.
Recommendation(s):
• Fintechs must put cybersecurity at the forefront of all their operations. They must invest in cybersecurity protection tools, expertise, and education.
• Financial regulators should provide fintech startups with regulatory sandboxes where they can safely launch and test their ideas without incurring heavy costs.
• The CBN and other regulators in the field should enact laws that ensure organisations prioritise cybersecurity, data protection and encourages innovation without being overly strict.
Source: SSRN
Keywords: Cybersecurity; FinTech; Digital Businesses; E-commerce; Data; Regulations; Cyberattacks.