Security in FinTech

Udbhav Tiwari, January 2018

At a HasGeek open house in collaboration with the Centre for Internet and Society (CIS) in late 2017, the agenda was to discuss the security practices of payment companies and a larger view of how security should be looked at in FinTech. The discussion was attended by security researchers as well as professionals from the FinTech industry.

The open house began with the results of research conducted by CIS on the security standards and practices in the FinTech industry in India. The goal of this research by CIS was to help the government and the industry create sectoral standards to govern security practices in the FinTech industry in India and to address the pressing need for consistency and clarity of legal requirements for digital finance organisations.

CIS’s first research question enquired into the FinTech security practices that currently exist. Through its research, CIS found that at present there were no government-mandated FinTech security practices besides the Reserve Bank of India’s guidelines on the implementation of cyber-security in banks (which do not qualify as FinTech organisations). CIS also found that the alternative mechanism of co-regulation proved to be less intensive in terms of time and cost when compared to conventional regulatory mechanisms, and was more beneficial to the nascent FinTech industry in India. Co-regulation is when the government (which is responsible for the imposition and enforcement of regulations) and the regulated entity (FinTech organisations) collaborate to create a new regulation. The government imposes accountability and standards, while the content of the regulation is decided by the industry. Co-regulation being relatively fluid and relevant to the industry, is therefore superior to conventional regulatory mechanisms.

Co-regulation in India exists under the Information Technology Act and protects organisations from liability in cases of security breaches, as long as they meet predefined security standards. These standards consist of either a simple ISO 27001 certification, or a government certified co-regulated industry standard. However, CIS has found that even though these laws were passed in 2001, no industry has fulfilled these standards and there has been no instance of any industry fulfilling it.

Additional research included listing and categorisation of the requirements under existing standards, as well as interviews with community experts and industry practitioners. Through interviews with various community experts and industry practitioners, CIS found that there was a lack of coordination among the FinTech regulators in India (Reserve Bank of India, Ministry of Finance and Ministry of Information Technology).They signed a Memorandum of Understanding with the National Critical Information Infrastructure Protection Centre (NCIIPC) in 2017 to help them engage with the Prime Minister’s office to ensure that there is uniformity in the approach adopted by the digital finance space towards security.

The second part of the open house discussed the need for a system with regulated sectoral standards. Based on reports concerning numerous security breaches in recent years, CIS found a pressing need to implement security standards in India which could prevent similar breaches. For reference, CIS looked at countries that have active financial regulations like the UK, Singapore, and Australia, where it is mandatory for FinTech companies to follow security guidelines and standards, before they provide services to the public. Additionally, CIS concluded that the Digital Payments sector was where the need for standards was greatest, and once implemented, these standards could be carried over to other sectors, with or without modification.

An application security professional at the event debated the need for regulatory standards by pointing out that the global security industry has already put in place effective sectoral standards and therefore it was the need of the hour for India to do so as well. An additional, national security standard would only serve as another barrier for entry, and a better solution would be to create awareness around what already exists. The professional also listed a few existing standards that could fill these roles: the PCI DSS for infrastructure security, the Top 20 Security Controls for critical security, and the OWASP standard for application security.

However, the problem in the Indian context is to ensure compliance. Even with the largest FinTech organisations, there is failure to comply with the standard, which is often due to the absence of regulatory impetus. Effective regulation is the only way to ensure the binding nature of existing standard. While there are several problems with the existing certification mechanisms, the government is very keen on modifying certification processes for financial technology. One of these changes includes the setting up of an independent body to regulate the FinTech industry where the industry could make representations to create an easy, cost effective, openly enforceable, and even self-certifiable standard.

Other responses to this point included the observation that increasing regulation without an effective system of enforcement only results in an industry where the barriers to entry have increased even though there is stagnation in the compliance to security standards. Further observations pointed out how self-certification has been counterproductive in the past, and that the barriers of entry into the FinTech industry automatically increase with any kind of government involvement. However, the situation in jurisdictions where different FinTech regulatory systems exist show that the enforcement of regulated standards, at the risk of slightly increased barriers to entry is preferable from a security standpoint to a scenario where standards remain unregulated. There was also discussion comparing the sectoral standards to government imposed regulations, with the former being established as more successful due to ease of compliance, and ease of communication between the industry and the government.

The next part of the open house dealt with the components of the sectoral standards.

Management components include policy drafting, breach handling and reporting procedure, response periods, and disclosure mechanisms. Suggested documents that could be referred to as model for these components were the security governance document of Amazon Web Services, and the Google SRE Handbook.

The participants also brought up the issue of unplanned costs that are incurred when a breach occurs, followed by media coverage, and subsequent reputation loss. Cybersecurity insurance has become popular as a solution to this problem in other jurisdictions. Insurance companies like AIG audit the security infrastructure of FinTech organisations, and calculate the odds of a breach, as well as safeguards in place to deal with them. Pursuing insurance acts as an effective counter to high costs, sometimes making it cheaper for companies to pay the premium to cover all loses than to alter their infrastructure to actually implement adequate security measures. However, balancing the costs through insurance is one of the best ways to ensure cybersecurity practices are followed, especially in India where cybersecurity insurance remains fairly nascent.

Another management component that was discussed dealt with the merits and demerits of breach disclosure. Prior instances of security breaches in large and small companies were discussed, and it was concluded that while absolute disclosure to consumers is not advisable, mandated disclosure either in a limited extent to the consumers, or an absolute extent to a government body would serve as an effective and adequate incentive to follow security standards.

Concerning technical components of sectoral standards, the discussion was focused around framing specific details in the standard including how specific or generic the standard is, and trying to achieve a middle ground between the two. CIS aims to create an exhaustive list of types of sensitive information, that would give organisations clarity over what storage mechanisms to use for different types of information, so they could remain compliant with the relevant standards. This would be similar to PCI DSS’s practices in dealing with sensitive information.

The final part of the session dealt with what CIS considers the most difficult aspect in creating a standard: balancing industry and consumer interest. In its experience on the AP Shah committee helping to draft the Privacy bill, CIS observed that it is impossible to create a draft that makes every stakeholder happy, and also impossible to even make a fraction of the stakeholders happy. A natural conclusion will involve every stakeholder being dissatisfied, and strongly disapproving various aspects of the draft, and will spend a lot of time, money, effort, or a combination of the three, to make sure respective inclusions and exclusions are made. This method of arriving at a policy solution is inherently a politically flawed task. Hence, for FinTech security standards, CIS aims to categorise the interests put forth by various stakeholders on the basis of negotiability. CIS hopes that discussions centred around this categorisation at various roundtables across the country will result in the creation of a common ground among the stakeholders, who will then be able to contribute meaningfully and effectively to the draft security standards.