FIGI Topics

Thematic series of technical workshops held during the FIGI Symposia on Fintech and digital financial inclusion

The “FIGI Topics” section is organised into thematic areas of Fintech and financial inclusion, and addresses the challenges facing regulators in fields such as digital identity, electronic payments acceptance, regulatory aspects of fintech and consumer protection, quality of service for digital finance, securing mobile payments and women's financial inclusion.

Digital ID & authentication

Quality of Service (QoS)

Women’s financial inclusion

Regulatory aspects of Fintech payments and Consumer protection

The emergence of fintechs and big techs represents a major source of disruption in the market for financial services. Regulators are gradually adjusting their policy frameworks to cope with the risks that the new products and players pose, without jeopardising the benefits they bring in terms of competition, efficiency and financial inclusion. The series of sessions on this topic during the FIGI symposium of 2017-2021 highlights the challenges regulators face in addressing the evolving fintech payment landscape and the issues for consumer protection. The experiences of FIGI country implementations in China and Mexico are discussed during those sessions.

Security of mobile payments

The applications that a user of digital finance would use to access these services are mostly Unstructured Supplementary Service Data (USSD), Short Messaging Service (SMS) and SIM Toolkit (STK), which work on basic and feature phones; where smartphones are being used, Android and iOS mobile payment apps would be used. USSD and SMS have long been known as “broken” and have many published vulnerabilities, some over 20 years old, which enable attackers to commit fraud and steal funds. The series of sessions explores the vulnerabilities that can impact the security of digital financial services applications operating on basic and feature phones. Some of the threats and vulnerabilities examined in these sessions include man-in-the-middle attacks, social engineering, phishing, bypassing authentication, replaying of sessions and SIM card vulnerabilities. Also discussed are the process for cybersecurity risk management for the DFS ecosystem, the security best practices to be adopted by developers of mobile payment applications and by regulators, and a methodology for conducting security audits of mobile payment applications for compliance assessment.

SS7 security

In most developing countries where digital finance is popular, most end-users do not have a reliable and accessible means of connecting to the Internet and thus rely heavily on the mobile communications infrastructure, which could be vulnerable to attacks on the Signaling System No. 7 protocol if not properly secured by mobile network operators. Signaling System No. 7 (SS7) is a stack of signaling protocols that was initially developed by ITU (CCITT) in the mid-1980s. Since then, the SS7 standards have become a generic stack that is widely applied in the public switched telephone network (PSTN) all over the globe. With the growth of mobile telecommunications and the appearance of the MAP and CAP protocols, the SS7 stack has become suitable for the public land mobile network (PLMN), e.g. 2G and 3G networks. Furthermore, the SS7 logic migrated to DIAMETER, which is currently widely used for interconnection of IMS-based networks, including 4G (VoLTE/ViLTE). There have been multiple cases where SS7 vulnerabilities have been used in different attacks (e.g. telephone spam, number spoofing, location tracking, subscriber fraud, interception of calls and messages, and denial-of-service attacks). More and more stakeholders are now using SS7-based ICT networks for over-the-top services, including digital financial services (DFS). However, the vulnerabilities of SS7 have increased the risk of illegal usage of customers’ applications, resulting in the unlawful take-over of their assets. This series of sessions explains the vulnerabilities of the underlying SS7 protocol as well as the security measures to be implemented by regulators and mobile network operators to mitigate such threats to the mobile communications network.

Digital ID & authentication

KYC linked with digital identity authentication is critical for numerous financial processes, from onboarding a new client to making payments and insurance claims. In addition, a secure DFS system requires a reliable form of customer identification in order to generate secure credentials for authenticating clients. Many current online DFS systems still rely on insecure password solutions for client authentication. To enhance security, some solutions use multifactor authentication (MFA) to protect against account takeover. The series of expert talks on this topic discusses the Digital ID Toolkit developed by the FIGI ID Working Group, which provides regulatory authorities with policy guidance and practical implementation approaches for adopting Digital ID, as well as the recommendations for electronic KYC linked with Digital ID and the adoption of strong authentication technologies in digital financial services.

QoS

Quality of service (QoS) issues can affect the availability of the mobile network, resulting in the consumer being unable to complete a DFS transaction. The series of sessions held during the FIGI Symposia provided insights into the methodologies developed by the FIGI Security Infrastructure and Trust working group, specifically on how regulators can implement them to assess the key performance indicators (KPIs) for digital financial services in interoperability and cross-border mobile money transaction use cases. These methodologies have become international standards under ITU-T Study Group 12.

Women’s financial inclusion

Addressing the gender digital divide is a precondition for the digital revolution to reach its full potential, and this is also true in digital financial services. Women play a large role in this transformation, both as consumers and leaders. The sessions explore how women can be better represented in leadership roles within the financial sector, how women can be better prepared to contribute to the digital financial services industry more broadly, and the digital competences and skills required for women to be able to use digital financial services.
