Adopting international standards can help include cyber risk in fintech regulatory sandboxes.
The success of financial technology (fintech) in bringing banking solutions to millions in developing countries stems from its pace of change and the rapid emergence of new banking solutions such as mobile phone payments or cloud banking.
Governments from Papua New Guinea to Viet Nam are looking to reap the rewards of fintech by creating so-called regulatory “sandboxes” to test the proliferating fintech innovations and to promote competition and efficiencies. Crucially though, governments should ensure that sandboxes also prioritize cyber security safeguards that are built into the design, not added as a retro-fitted afterthought.
For fintech, sandboxes are frameworks of rules established by financial regulators for private companies to try out new technologies, products, or services that would otherwise not be possible under existing regulations. If the new technologies catch on, the regulator can provide full authorization for the new technology or alter regulations to accommodate it. Creating this controlled environment allows countries to encourage innovation while still maintaining oversight over the overall financial system.
Sandboxes are particularly useful in promoting financial inclusion. They can spur development of affordable products or services to those who are unbanked, new distribution channels for hard-to-reach populations, or fresh business models to serve marginalized communities.
Good cyber security that protects customers from a loss of money or identity is not only an individual product's unique selling point; it is also important for the whole ecosystem, since a hack breaking into one fintech will reverberate across the whole sector.
Having an effective regulatory sandbox that includes requirements for adequate cyber security measures would benefit all fintech products and players within the sandbox. This would, in turn, boost consumer confidence, bring greater societal benefits and business success for the fintech industry, and help meet regulatory mandates for maintaining financial stability and security.
Including cyber security requirements in the sandbox will mean developers and software engineers need to spend more time testing code and identifying risks in development and integration.
This may be time-consuming and expensive, but it is vitally important, not least because non-banked and under-banked consumers may be new to technology and therefore more susceptible to phishing and other socially engineered online scams. Online hackers and real-world criminals will pounce on this vulnerability.
Data privacy—through the collection and use of personally identifying information—also needs to be addressed.
As we create more and more digital citizens, their online footprint is growing. This makes them vulnerable to exploitation and abuse where poor documentation can be taken advantage of and used for illicit purposes such as money laundering. We need appropriate rules and regulations on the collection and use of commercial data and cross-referencing with customer data, including meta-data.
Luckily, international standards are available to identify cyber risk and introduce appropriate controls. Two prominent and leading sets of standards are showing the way.
One is the ISO/IEC 27000 standard for information security management, a joint effort from the International Organization for Standardization and the International Electrotechnical Commission to help organizations of all shapes and sizes manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties. The other is the US National Institute of Standards and Technology's Cybersecurity Framework, a flexible and cost-effective approach consisting of standards, guidelines, and best practices to manage cyber security risks.
Individual governments and regulatory bodies need to adopt and expand on these standards when they are setting up their fintech regulatory sandboxes.
A regulatory sandbox environment should demand suitable risk management tools and techniques relevant to the fintech product or service being developed. Clearly, the goal is not to stymie innovation. Rather, it is to insert the necessary rigor into risk management and cyber security surrounding useful technological innovations.
Change will be ever-present as societies ride this wave—artificial intelligence and automation will make sure of that—yet with balanced regulation and rules in place we can stop innovative cyber criminals before they target valuable online financial services.