Fintech
Data protection gaps in fintech
In our previous article, “Regulatory gaps in Nepalese fintech” (March 14, 2024), we discussed some regulatory gaps in fintech. In this article, we will focus on regulatory gaps mainly related to cybersecurity and data protection that Nepal Rastra Bank (NRB) needs to fill quickly. The fintech ecosystem in Nepal is growing, but remains fragile in terms of cybersecurity and data protection. The NRB Regulation should promote fintech innovation while also considering the importance of data protection and security.
Technology evolves and with it so do cyber attacks. In 2019, hackers stole nearly 18.9 million rupees from 13 Nepalese banks using ATM terminals. They spoofed the Nepal Electronic Payment Systems Limited (NEPS) link using fake cards, which allowed them to withdraw money from ATMs by independently verifying all customer information of the Nepalese bank. This incident was one of the most notable cases of cross-banking transactions via ATM hacking and could happen again. Therefore, the NRB should be aware of such incidents. The court decided to punish the perpetrators of the crime; however, since it was not a physical loot, a detailed investigation to uncover the root cause would have been an appropriate action by the central bank. Such investigations could provide insights and further strengthen the system security of such banking and financial companies and institutions in Nepal.
Article 44 of Payments and Settlement Regulations, 2077 (First Amendment, 2080) addresses the liability of payment system operators (PSOs)/payment service providers (PSPs) in the event of disputes or any other losses resulting from incidents such as cyber attacks. However, the absence of explicit guidance on the extent of liability raises concerns. For example, a PSO with a paid-up capital of 50 million rupees must be given clear guidelines on its liability in a worst-case scenario, or there must be a limit on the amount of its clients’ funds it can retain.
Furthermore, it is the right time to introduce a government guarantee fund, such as the Deposit and Credit Guarantee Fund (DCGF), to protect the public from losses resulting from data breaches and other cyber incidents. If the government had established such funds, it would have been more vigilant and strict on cybersecurity measures. This would be a win-win situation for all parties.
Additionally, there are no insurance products available in Nepal to protect businesses against any losses due to data breaches or similar security incidents. Lack of insurance coverage makes businesses vulnerable to hacks and losses. It may be appropriate for the regulator to open a path for Nepali companies to obtain cyber insurance, including from foreign companies, until Nepali insurance companies launch such products.
Similarly, article 45 of the Statute and Directive no. 3 of NRB Unified Payment Systems Directive, 2079, discusses security policies and practices for PSO/PSP. Implementing a uniform requirement for the Payment Card Industry Data Security Standard (PCI DSS) and the International Organization for Standardization (ISO) 27,000 certifications across all financial institutions involved in payment processing would ensure a foundation of data protection, mitigating the risks of cyber threats. The language of the Directive is clear: an authorized institution must adhere to PCI DSS, Europay, Mastercard and Visa (EMV), EMV Contactless Standard, etc. standards. However, a mechanism to ensure that these standards are followed is unclear. If it had been mentioned that certification like PCI DSS is mandatory, it would have made more sense since an independent third party always issues a certification.
Likewise, regulatory requirements always serve as the basis for safety, and these NRB guidelines are the minimum requirements spread throughout the industry. Furthermore, data security is not a matter of just protecting it for a certain period of time; it is a regular and ongoing activity that requires the attention of stakeholders. Likewise, if we look at the websites of most payment-related companies, except for a few big players, we don’t find much information related to their security and related certifications.
It is necessary to introduce a provision requiring each authorized institution to disclose its licenses and certifications, commitment to data security and other related matters on its website and to update it regularly to increase public awareness and invoke dialogue between stakeholders. Similarly, Article 45 of the Statute contains a provision for system audit while also mentioning a provision for an annual system audit. On the contrary, the Directive establishes that a system audit is mandatory after one year of operation and every two years when there are no changes to the existing system. These two provisions are contradictory to each other and the regulator needs to provide clarification on this matter. Two years to conduct a system audit is quite a long time, so payment-related institutions need to conduct at least an annual system audit in light of the increase in cyber threats in the current environment.
Awareness of cyber threats and cybersecurity is an urgent need today as most occur due to human negligence. Social engineering is the most common way intruders can collect data and find loopholes in a payment system. To improve cyber risk measures, you need visibility into your organization’s risk dashboard, covering all inherent risk levels to provide a picture of what is being defended. Finally, continuous monitoring ea proactive approach Risk management is the only way against cyber attacks. The country’s payments industry is still in its infancy, and before something worse happens, all stakeholders must join forces to protect the public interest.