Introduction

Digital technology has spurred financial access to millions of people due to its ease of use through mobile phones, providing customer-centric financial services that are affordable, scalable and offer convenience.

According to the World Bank Global Findex database[1] “the share of adults around the world making or receiving digital payments increased by 11 percentage points between 2014 and 2017. In high-income economies 51 percent of adults (55 percent of account owners) reported making at least one financial transaction in the past year using a mobile phone or the internet. In developing economies 19 percent of adults (30 percent of account owners) reported making at least one direct payment using a mobile money account, a mobile phone, or the Internet”.

However, as providers harness digital channels to offer a wider range of financial services with greater reach, improved efficiency and minimal operating costs, the rapid growth and uptake of digital financial services makes the ecosystem uniquely vulnerable to a variety of security threats. The interconnectedness of the system entities, and the reliance on and involvement of a number of parties in the ecosystem, extend the security boundary beyond the digital financial service (DFS) provider to the customers, network providers, mobile phone manufacturers and other third-party providers in the ecosystem.

In addition, DFS providers must deal with an increasingly complex mobile ecosystem, developing applications for multiple versions of operating systems, each with its own vulnerabilities, and supporting many different types of mobile devices. In this fast-evolving environment, DFS providers face real challenges in knowing which security threats actually apply to them and which security controls can mitigate the resulting risks.

The DFS Security Assurance Framework aims to bridge this knowledge gap and recommends a structured methodology for managing security risks that the mobile money segment of the digital financial services (DFS) ecosystem could implement to:

  • Enhance customer trust and confidence in digital financial services.

  • Clarify the role and responsibilities for each of the stakeholders in the ecosystem.

  • Identify security vulnerabilities and related threats within the ecosystem.

  • Establish security controls to provide end-to-end security.

  • Strengthen management practices with respect to security risk management, in a way that is inclusive of all DFS stakeholders.

The DFS Security Assurance Framework provides an overview of the security threats and vulnerabilities facing DFS providers (banks and non-banks providing mobile money services), mobile network operators, customers, payment system providers, merchants, and technology and third-party service providers. Regulators, including telecom authorities and banking and payments regulators, could also use the DFS Security Assurance Framework to establish security baselines for DFS providers.

The framework, when implemented, would complement the established risk and information security management practices of the stakeholders involved in the DFS ecosystem. For example, the security control measures in this document can be included as part of the ICT security programme of a DFS provider.

An underlying assumption is that organisations have already implemented good security governance principles and standards, such as information security policy documentation, data classification, allocation of information security responsibilities, data privacy policies, security awareness and training for staff, secure development, testing and maintenance of infrastructure, devices, applications and processes, vulnerability management, backup procedures, incident management, and business continuity and disaster recovery processes. These topics are outside the scope of this document.

[1] https://globalfindex.worldbank.org/