Executive Summary

The provision of digital financial services (DFS) involves a complex ecosystem of stakeholders: banks, DFS providers, mobile network operators (MNOs), DFS platform providers, regulators, agents, merchants, payment service providers, device manufacturers (OEMs), application developers, token service providers, and customers. The interconnectedness of these entities, and the reliance on several parties for service delivery, extends the security boundary beyond the DFS provider to the customers, network operators, mobile phone manufacturers, and other third-party providers in the ecosystem (see sections 4.1 and 4.2 of the report).

In addition, DFS providers must deal with an increasingly complex mobile ecosystem, developing applications for multiple versions of operating systems, each with its own vulnerabilities, and supporting many different types of mobile devices. In this fast-evolving environment, DFS providers often lack a clear picture of the actual security threats they face and of the security controls available to mitigate the resulting risks.

The DFS Security Assurance Framework provides an overview of the security threats and vulnerabilities facing DFS providers (banks and non-banks providing mobile money services), mobile network operators, customers, payment system providers, merchants, and technology or third-party service providers. Regulators, including telecom authorities and banking and payment regulators, could also use the framework to establish security baselines for DFS providers.

The framework, when implemented, complements the established risk and information security management practices of the stakeholders in the DFS ecosystem. For example, the security control measures in this document can be included in the ICT security programme of a DFS provider.

The DFS Security Assurance Framework recommends a structured methodology for managing security risks that DFS providers could implement to:

  • Enhance customer trust and confidence in digital financial services.

  • Clarify the role and responsibilities of each of the stakeholders in the ecosystem.

  • Identify security vulnerabilities and related threats within the ecosystem.

  • Establish security controls that provide end-to-end security.

  • Strengthen security risk management practices so that they include all DFS stakeholders.

The DFS Security Assurance Framework provides a systematic security risk management process for assessing threats and vulnerabilities, and identifies appropriate security control measures to be implemented by the DFS provider and the mobile network operator against threats targeting the user, the mobile device, the mobile network operator and the DFS provider. Threats to merchants, payment service providers and other financial services organizations, and the specific mitigations for them, are out of scope for this document. The report complements the work undertaken under the Cybersecurity workstream of the Security, Infrastructure, and Trust Working Group on a methodology for financial services organizations to manage and respond to cybersecurity incidents.

The DFS Security Assurance framework consists of the following components:

  1. A security risk management methodology based on ISO/IEC 27005, Information technology, Security techniques, Information security risk management (Section 7 of the report).

  2. An assessment of threats and vulnerabilities to the underlying infrastructure of the mobile network operator and the DFS provider, to DFS applications and services, to network operations, and to the third-party providers involved in DFS delivery.

  3. Mitigation strategies based on the outcome of (2) above. The mitigation measures identify 117 security controls for the security threats, outlined in Section 8 of the report.

Section 9 of the report provides a template of security best practices for mobile money smartphone applications, which DFS providers could include in an application security policy document. Unless stated otherwise, the template considers only the mobile application on the device, and its subsections address various aspects of the operation of, or the policy underlying, that application. The focus is primarily on Android applications, given their large market share, though many of the recommendations apply across mobile operating systems. Section 10 of the report provides a framework for managing security incidents related to DFS.

The report is meant to be a living document and should be updated over time to take into account new platforms and application services, as well as evolving threats and newly discovered vulnerabilities.