Why we need deeper discussions on security in FinTech

If you want to check out the video of the talk, head over here: https://www.youtube.com/watch?v=3PaxnNhPBV0

At an Open House in collaboration with the Centre for Internet and Society (CIS), the agenda was set to discuss the security practices of payment companies and a larger view of how security should be looked at in FinTech. The discussion was attended by security researchers as well as professionals from the FinTech industry.

The Open House began with the results of the research conducted by CIS on the security standards and practices in the FinTech industry in India. The goal of this research by CIS was to help the government and the industry create sectoral standards to govern security practices in FinTech industry in India and address the pressing need for consistency and in the clarity of legal requirements for digital finance organisations.

CIS’s first research question in this regard enquired into the fintech security practices that currently exist. Through its research, CIS found that at present there were no government-mandated fintech security practices besides the Reserve Bank of India’s Guidelines on the implementation of cyber-security in banks (which do not qualify as FinTech organisations). CIS also found that the alternative mechanism of co-regulation proved to be less intensive in terms of time and cost as compared to conventional regulatory mechanisms, and was more beneficial to the nascent FinTech industry in India. Co-regulation is when the government (which is responsible for the imposition and enforcement of regulations) and the regulated entity (FinTech organisations) collaborate to create a new regulation. The government imposes accountability and the standards, while the content of the regulation is decided by the industry. Co-regulation being relatively fluid and relevant to the industry, is therefore superior to conventional regulatory mechanisms.

Co-regulation in India exists under the Information Technology Act and rules which protects organisations/entities from liability in cases of security breaches, as long as they meet predefined security standards. These standards consist of either a simple ISO 27001 certification, or a government certified co-regulated industry standard. However, CIS has found that even though these laws were passed in 2001, no industry has fulfilled these standards there has been no instance of any industry fulfilling it.

Additional research included listing and categorisation of the requirements under existing standards, as well as interviews with community experts and industry practitioners. Through interviews with various community experts and industry practitioners, CIS found that there was a lack of coordination among the fintech regulators in India (Reserve Bank of India, Ministry of Finance and Ministry of Information Technology), and thereafter signed a Memorandum of Understanding with the National Critical Information Infrastructure Protection Centre (NCIIPC) earlier this year to help them engage with the Prime Minister’s office to ensure that there is uniformity in the approach adopted by the digital finance space towards security.

The second part of the Open House discussed the need for a system with regulated sectoral standards. In this context, CIS, based on reports concerning numerous security breaches in recent years, found a pressing need to implement for the implementation of security standards in India which could prevent similar breaches. For reference, CIS looked at countries that have active financial regulations like the UK, Singapore, and Australia, where it is mandatory for fintech companies to follow security guidelines and standards, before they provide services to the public. Additionally, CIS concluded that the Digital Payments sector was where the need for standards was greatest, and once implemented, these standards could be carried over to other sectors, with or without modification.

An application security professional at the event debated the need for regulatory standards by pointing out, bringing up the point that the global security industry has already put in place effective sectoral standards and therefore it was the need of the hour for India to do so as well. An additional, national security standard would only serve as another barrier for entry, and a better solution would be to create awareness around what already exists. The professional also listed a few existing standards that could fill these roles: The PCI DSS for infrastructure security, the Top 20 Security Controls for critical security, and the OWASP standard for application security.

However, the problem in the Indian context is to ensure compliance from, even with the largest fintech organisations, is failure to comply with the standard, which is often due to the absence of regulatory impetus. Effective regulation is the only way to ensure the binding nature of existing standard. While there are several problems with the existing certification mechanisms, the government is very keen on modifying certification processes for financial technology. One of these changes includes the setting up of an independent body to regulate the fintech industry where the industry could make representations to create an easy, cost effective, openly enforceable, and even self-certifiable standard.

Other responses to this point included the observation that increasing regulation without an effective system of enforcement only results in an industry where the barriers to entry have increased even though there is stagnation in the compliance to security standards. Further observations pointed out how self-certification has been counterproductive in the past, and that the barriers of entry into the fintech industry automatically increase with any kind of government involvement. However, the situation in jurisdictions where different fintech regulatory systems exist show that the enforcement of regulated standards, at the risk of slightly increased barriers to entry is much more preferable from a security standpoint to a scenario where standards remain unregulated. There was also discussion comparing the sectoral standards to government imposed regulations, with the former being established as more successful due to ease of compliance, and ease of communication between the industry and the government.

The next part of the open house dealt with the components of the sectoral standards. Management components include policy drafting, breach handling and reporting procedure, response periods, and disclosure mechanisms. Suggested documents that could be referred to as model for these components were the securities governance document of Amazon Web Services, and the Google SRE Handbook. The participants also brought up the issue of unplanned costs, that are incurred when a breach occurs, followed by media coverage, and subsequent reputation loss. Cybersecurity insurance has become popular as a solution to this problem, in other jurisdictions. Insurance companies like AIG audit the security infrastructure of fintech organisations, and calculate the odds of a breach, as well as safeguards in place to deal with them. Pursuing insurance acts as an effective counter to high costs, sometimes making it cheaper for companies to pay the premium to cover all loses than to alter their infrastructure to actually implement adequate security measures. However, balancing the costs through insurance is one of the best ways to ensure cybersecurity practices are followed, especially in India where cybersecurity insurance remains fairly nascent.

Another management component that was discussed dealt with the merits and demerits of breach disclosure. Prior instances of security breaches in large and small companies were discussed, and it was concluded that while absolute disclosure to consumers is not advisable, mandated disclosure either in a limited extent to the consumers, or an absolute extent to a government body would serve as an effective and adequate incentive to follow security standards.

Concerning technical components of sectoral standards, the discussion was focused around framing specific details in the standard including how specific, or generic the standard is, and trying to achieve a middle ground between the two. CIS aims to create an exhaustive list of types of sensitive information, that would give organisations clarity over what storage mechanisms to use for different types of information, so they could remain compliant with the relevant standards. This would be similar to PCI DSS’s practices in dealing with sensitive information.

The final part of the session dealt with, in CIS’s opinion, the most difficult aspect in creating a standard, which is balancing industry and consumer interest. In its experience on the AP Shah committee, helping to draft the Privacy bill, CIS observed that it is impossible to create a draft that makes every stakeholder happy, and also impossible to even make a fraction of the stakeholders happy. A natural conclusion will involve every stakeholder being dissatisfied, and strongly disapproving various aspects of the draft, and will spend a lot of time, money, effort, or a combination of the three, to make sure respective inclusions exclusions are made. This method of arriving at a policy solution is inherently a politically flawed task. Hence, for fintech security standards, CIS aims to categorise the various interests, put forth by various stakeholders on the basis of negotiability. CIS hopes that discussions centred around this categorisation, at various roundtables across the country, will result in the creation of a common ground between the needs of the stakeholders, who will then be able to contribute meaningfully and effectively to the draft security standards.

The summary was drafted by CIS India for the 50p blog. 
To receive these posts in your inbox every week, sign up for the mailing list.

50p by HasGeek focuses on conversations surrounding technology, policy and regulations in the Indian digital payments ecosystem. The third edition of conference is scheduled on Feb 8,9 in Bangalore. Head over to https://50p.in/2018/ to get your tickets now!

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.