Crosscutting Issue #3: Safeguard financial inclusion and the G20’s achievements of the past decade in this area.
Problem Statement: Innovative Digital Financial Services Bring New Risks
Financial inclusion has been a top priority for the international community since the G20 recognized financial inclusion as one of the main pillars of the global development agenda in 2010. According to the latest Global Findex report, between 2014 and 2017 alone, 515 million adults opened accounts at financial institutions, raising the percentage of banked adults worldwide from 62 percent to 69 percent.1 This rapid increase has been facilitated by innovative DFS that do not require the infrastructure of traditional banks. In low-income economies, there are twice as many mobile money accounts as bank accounts per 1,000 adults.2 This trend is not slowing down. It is projected that by 2022, 1 billion people in Africa will have internet access, thereby also expanding opportunities to advance financial inclusion.3
In some countries, DFS have become critical. As early as 2016, Kenya’s National Treasury was expressing concerns that M-Pesa, a mobile phone-based money transfer service, was becoming indispensable to the function of the payments system.4 According to John Walubengo, a member of the faculty of Computing and Information Technology at the Multimedia University of Kenya:
M-Pesa has grown from an option to literally being a must-have financial service for millions of Kenyans. It has also become integrated in the lifestyles of Kenyans in terms of paying for anything, ranging from groceries to school fees and even bribes. . . . Whereas it is not the only mobile money service in the country and in theory Kenyans do have options, the reality, however, is that it is the only such service with the prerequisite agent network that has a geographic reach and depth to serve its close to 25 million mobile money subscribers. Twenty-five million subscribers is more than the adult population in the country. It is more than the whole of the voting population, and is way more than the employed population of this country.5
Financial markets in sub-Saharan Africa, Asia, and Latin America have already experienced an increase in cyber attacks, and markets with more DFS transactions are targeted more often.6 For example, financial markets in Asia see the highest volume of mobile banking and digital payment applications, and they also experience the highest volume of cyber attacks on financial institutions.7 One African cybersecurity firm estimated in 2017 that the cost of cyber crime to Africa’s banking sector was at least $248 million.8
Focusing on cybersecurity is important because DFS introduce a new element of cyber risk. For one, mobile banking is vulnerable to basic cyber attacks: mobile money systems are exposed to several basic attacks and types of fraud. Hackers can exploit vulnerabilities in hardware, in software, and at the network level. SIM swaps allow hackers to circumvent two-factor authentication protocols. Banking trojans and mobile malware infect smartphones. Transactions are usually carried out using insecure devices, mostly feature phones, that do not offer the end-to-end encryption that smartphones do.9
At the network level, the fundamental problem is that mobile networks rely on insecure communications protocols that are not designed to protect financial information.
Mobile phones rely on protocols like Unstructured Supplementary Service Data and Short Message Service, which hackers can exploit over the network. One exploit involves hackers eavesdropping by setting up a fake mobile network base station to intercept phone traffic.10 This means that DFS providers must implement their own security measures and can never rely on mobile network operators (MNOs) or other external providers for security.11
The specific challenge is that unbanked and underbanked customers are easy targets for cyber criminals because they tend to have lower levels of digital literacy. For example, it is common practice for PINs to be shared among local communities for convenience.12 Even if individuals are aware of cyber risks, they are pressured to choose affordable products over secure products. For instance, pirated software is more prevalent in developing countries, making its users more vulnerable if the software does not get patched.13
Cyber criminal activity has shifted in response to the growth in online banking by less cyber-mature customers in developing regions. Experts have observed cyber criminals moving their activity away from high-income countries and refocusing on less cyber-mature financial markets.14 Banks and payment service providers in emerging financial markets experience a high volume of cyber attacks. For example, in 2019, Kaspersky Lab reported a 56 percent increase in mobile banking malware.15
Most governments are unprepared to counter cyber criminals, and developing countries are especially under-resourced. According to the International Telecommunication Union, “cybercriminals see Africa as a safe haven to operate illegally with impunity.”16 Symantec reported that, out of fifty-four countries in Africa, thirty lacked specific legal provisions to “fight cyber crime and deal with electronic evidence.”17 DFS providers are also constrained by the significant dearth of cybersecurity talent in Africa.18
It is important to note that the most significant cybersecurity risk for DFS providers is still insider threats like employee fraud. Multiple surveys show that insider threats are the most common and greatest concern among DFS providers.19 Paul Makin, an expert at the intersection of financial inclusion and cybersecurity, explained that three separate African MNOs almost faced financial ruin as a result of internal thefts from employees.20 In 2017, a major MNO in Kenya reported that they fired fifty-two staff members caught engaging in fraudulent activities.21
Mapping the Status Quo: Nascent but Fragmented Efforts
A key challenge to strengthening cybersecurity in the context of financial inclusion over the coming years is the fragmentation of the ecosystem. Today, a plethora of institutions focus on advancing financial inclusion, but the space is fragmented by regional initiatives, by competing international institutions, and by inconsistent focus. The most cohesive initiative is the G20’s GPFI, a platform for G20 states, nonmember states, and other stakeholders that implements the G20 Financial Inclusion Action Plan (FIAP). The FIAP aligns efforts with the UN’s 2030 Agenda for Sustainable Development and the G20’s “High-level Principles for Digital Financial Inclusion,” and it aims to provide an evolving financial framework for states, regional organizations, and industry.
The three primary implementing partners of the GPFI are the AFI, CGAP, and the International Finance Corporation. Other key initiatives include the UN Secretary General’s Special Advocate (UNSGSA) for Inclusive Finance for Development, and on-the-ground initiatives, like Suricate Solutions, which provides cybersecurity resources directly to the underbanked.
Despite the prevalence of leapfrogging and growing reliance on DFS, most financial inclusion efforts have only recently begun to seriously consider the cybersecurity risks that may ensue. The first of the more visible efforts to address cybersecurity risks with respect to financial inclusion occurred in 2017, when the AFI hosted a workshop dedicated to this issue.22 A year later, the UNSGSA for Inclusive Finance for Development published a brief focusing on cybersecurity.23 In November 2019, the AFI published “Cybersecurity for Financial Inclusion: Framework and Risk Guide,” which provides key principles and best practices to assist regulatory and supervisory authorities dealing with cybersecurity risk in the financial sector.24 The same month, CGAP published “Cyber Security in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion.”25
Another sign that cybersecurity is rising on the financial inclusion agenda is in the Bill & Melinda Gates Foundation’s grantmaking. A crucial funder of financial inclusion efforts worldwide through its Financial Services for the Poor program, the Gates Foundation awarded the first grant explicitly focused on cybersecurity in DFS in 2018, to Columbia University’s DFS Observatory. In November 2019, the Gates Foundation awarded four grants to CREST, the Alan Turing Institute, Carnegie Mellon University, and ID4Africa, and an additional grant focused on AML/financial crime to the Royal United Services Institute.26 (These are grants focusing specifically on cybersecurity. Other grants also touch on cybersecurity but without an explicit focus.)
The DFS Observatory at Columbia University was established in 2016 with a focus on the expansion, innovation, and regulation of DFS around the world but particularly in developing countries. In addition to conducting research, the DFS Observatory houses a legal library with a collection of over 800 DFS-related laws, policies, and regulations across fifty-eight countries, plus an archive of regulatory sandboxes.27 With respect to cybersecurity, the DFS Observatory is also developing an “actionable Cybersecurity Risk Management Framework” (A-RMF) for actors in the DFS ecosystem in developing countries.28 The A-RMF is designed to first evaluate a user’s cybersecurity maturity, based on international cybersecurity standards, principles, and processes, and then conduct a DFS-specific risk assessment based on that evaluation. The A-RMF also provides a tailored threat matrix based on the user’s risk assessment, including specific vulnerabilities and potential responses to address them.
A unique challenge to strengthening cybersecurity in the context of financial inclusion efforts is the potential unintended consequence that too strong a focus on cybersecurity could chill the development of financial inclusion initiatives and their capacity for innovation. A separate challenge is that financial inclusion often involves a new set of actors that provide technologies like mobile money, digital currencies, and other variations of distributed ledger technologies that are not yet fully embedded in ongoing policymaking processes. Resource constraints and the need to focus on the overall mission of financial inclusion may further complicate efforts to integrate cybersecurity in financial inclusion.
- Recommendation 6.1: The G20 heads of state should strengthen coordination among existing financial inclusion and cybersecurity efforts so as to align limited resources and maximize their impact, especially in the wake of the pandemic. They should also initiate an annual conference to assess latest developments and coordinate next steps; the convening should include major donors, the World Bank, IMF, AFI, CGAP, and other relevant stakeholders.
- Supporting Action 6.1.1: The G20 should clarify the role of international financial institutions like the World Bank, CGAP, and the IMF with respect to cybersecurity and financial inclusion. They should also emphasize the need to coordinate on issues that overlap across these institutions.
- Supporting Action 6.1.2: The GPFI should deepen the connections between financial inclusion initiatives and the cybersecurity community. As DFS continue to be expanded, especially in the wake of the pandemic, it is critical to develop greater collaboration between the financial inclusion and cybersecurity communities.
- Supporting Action 6.1.3: The GPFI should deepen the connections between financial inclusion actors and the law enforcement community. As more people gain access to financial services, the platforms they use will become increasingly attractive targets for cyber criminals. By strengthening the relationship between the financial inclusion community and the law enforcement community, stakeholders can more effectively address cyber crime that targets products and services used for financial inclusion.
From Recommendation to Implementation
Carnegie’s FinCyber initiative will host a conference on “Cybersecurity and Financial Inclusion” together with the IMF, the World Bank, and the WEF on December 10, 2020, as a first step to create more connective tissue among the relevant stakeholders.
- Recommendation 6.2: A network of experts should be created to focus specifically on cybersecurity and financial inclusion in Africa to complement other existing regional initiatives. The fifty-four countries in Africa are experiencing a significant transformation of their financial sectors as they extend financial inclusion and leapfrog to DFS. At the same time, this transformation makes African countries a prime target for cyber criminals who exploit soft targets and financial institutions with limited capacity to effectively protect themselves. Cybersecurity expertise across the African continent remains limited and scattered.
- Recommendation 6.3: The G20 should highlight that cybersecurity must be designed into technologies used to advance financial inclusion from the start rather than included as an afterthought. An example of such a foundational expectation is the reference in the GPFI’s “G20 Action Plan on SME Financing” to a strong credit infrastructure as a fundamental requirement for small- and medium-sized enterprises to have access to loans and other credit. By looking ahead and mapping initiatives that will come online in the coming years, the GPFI can help ensure that cybersecurity is, ideally, no longer an afterthought but is incorporated into future financial inclusion developments beyond payment systems.
- Recommendation 6.4: The GPFI, main funders, and DFS platforms should explore how financial inclusion efforts could be leveraged to increase general awareness of basic cybersecurity principles. Raising awareness of best cybersecurity practices is critical, especially among users in developing countries, who recently gained access to financial services and the internet, often via a mobile phone. Financial inclusion platforms could be leveraged to offer basic cybersecurity resources for the individuals and businesses using them.
From Recommendation to Implementation
To help foster a community of experts such as that envisioned in Recommendation 6.1, Carnegie is creating a network of experts focusing on cybersecurity and financial inclusion in Africa. Carnegie will leverage this network of experts to carry out research: (i) mapping key issues and challenges as well as the disconnect between global and local efforts; (ii) analyzing the threat landscape in Africa; (iii) identifying lessons learned from DFS in the Global South for the Global North; (iv) exploring how DFS could be leveraged to increase awareness of basic cybersecurity principles; and (v) assessing preliminary insights from the coronavirus’s impact on cybersecurity with respect to DFS.
1 “Disruptive Technologies in the Credit Information Sharing Industry: Developments and Implications,” Fintech Note, World Bank, 2019, http://documents.worldbank.org/curated/en/587611557814694439/pdf/Disruptive-Technologies-in-the-Credit-Information-Sharing-Industry-Developments-and-Implications.pdf.
2 “Data | GPFI,” accessed January 26, 2020, https://www.gpfi.org/data.
3 Nir Kshetri, “Cybercrime and Cybersecurity in Africa,” Journal of Global Information Technology Management 22, no. 2 (April 3, 2019): 77–81, https://doi.org/10.1080/1097198X.2019.1603527.
4 Kiarie Njoroge, “Treasury Report Reveals Fears over M-Pesa’s Critical Role in Economy,” Business Daily Africa, November 30, 2016, https://www.businessdailyafrica.com/markets/Treasury-report-reveals-fears-on-M-Pesa-critical-role-in-economy/539552-3469802-2v2gjcz/index.html.
5 John Walubengo, “M-Pesa Is a Critical Resource That Should Never Fail,” Daily Nation (blog), December 10, 2018, https://www.nation.co.ke/kenya/blogs-opinion/blogs/dot9/walubengo/m-pesa-is-a-critical-resource-that-should-never-fail-117234.
6 Silvia Baur-Yazbeck, Judith Frickenstein, and David Medine, “Cyber Security in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion,” Consultative Group to Assist the Poor, November 2019.
7 Silvia Baur-Yazbeck, Judith Frickenstein, and David Medine, “Cyber Security in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion,” Consultative Group to Assist the Poor, November 2019.
8 Serianu, “Africa Cybersecurity Report 2017: Demystifying Africa’s Cyber Security Poverty Line,” 2017, https://www.serianu.com/downloads/AfricaCyberSecurityReport2017.pdf.
9 Paul Makin, “Cybersecurity for Mobile Financial Services,” CGAP, August 2018, https://www.cgap.org/blog/cybersecurity-mobile-financial-services-growing-problem.
10 Paul Makin, “Cybersecurity for Mobile Financial Services,” CGAP, August 2018, https://www.cgap.org/blog/cybersecurity-mobile-financial-services-growing-problem.
11 “Cybersecurity for Financial Inclusion: Framework & Risk Guide,” Alliance for Financial Inclusion, October 2019, https://www.afi-global.org/sites/default/files/publications/2019-11/AFI_GN37_DFS_AW_digital_0.pdf.
12 Silvia Baur-Yazbeck, Judith Frickenstein, and David Medine, “Cyber Security in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion,” November 2019.
13 Nir Kshetri and Jeffrey Voas, “Trusting Pirated Software,” Computer 52, no. 3 (March 2019): 87–90, https://doi.org/10.1109/MC.2019.2898719.
14 “Economic Impact of Cybercrime,” accessed January 27, 2020, https://www.csis.org/analysis/economic-impact-cybercrime.
15 “Kaspersky Lab Sees Spike In Mobile Cyberattacks,” PYMNTS.Com (blog), May 23, 2019, https://www.pymnts.com/news/security-and-risk/2019/kaspersky-lab-malware-mobile-banking/.
16 Nir Kshetri, “Cybercrime and Cybersecurity in Africa,” Journal of Global Information Technology Management 22, no. 2 (April 3, 2019): 77–81, https://doi.org/10.1080/1097198X.2019.1603527.
17 Symantec, “Cyber Crime and Cyber Security Trends in Africa,” November 2016.
18 Serianu, “Africa Cybersecurity Report 2017: Demystifying Africa’s Cyber Security Poverty Line.”
19 Symantec, “Cyber Crime and Cyber Security Trends in Africa”; “Cybersecurity for Financial Inclusion: Framework & Risk Guide,” Alliance for Financial Inclusion, October 2019, https://www.afi-global.org/sites/default/files/publications/2019-11/AFI_GN37_DFS_AW_digital_0.pdf.
20 Paul Makin, “Cybersecurity for Mobile Financial Services,” CGAP, August 2018, https://www.cgap.org/blog/cybersecurity-mobile-financial-services-growing-problem.
21 Hildah Nduati, “Cyber Security in Emerging Financial Markets,” Consultative Group to Assist the Poor, May 2018, https://www.findevgateway.org/library/cyber-security-emerging-financial-markets.
22 Alliance for Financial Inclusion, “AFI Holds Regulatory Training on Cybersecurity Challenges and Resilience Management,” August 2, 2017, https://www.afi-global.org/news/2017/08/afi-holds-regulatory-training-cybersecurity-challenges-and-resilience-management.
23 United Nations Secretary-General’s Special Advocate for Inclusive Finance for Development, Fintech Sub-Group on Cybersecurity, “Briefing on Cybersecurity,” accessed January 22, 2020, https://www.unsgsa.org/files/2815/3575/0134/Cybersecurity.pdf.
24 Alliance for Financial Inclusion, “Cybersecurity for Financial Inclusion: Framework & Risk Guide,” October 2019, https://www.afi-global.org/sites/default/files/publications/2019-11/AFI_GN37_DFS_AW_digital_0.pdf.
25 Silvia Baur-Yazbeck, Judith Frickenstein, and David Medine, “Cyber Security in Financial Sector Development: Challenges and Potential Solutions for Financial Inclusion,” November 2019.
26 Gates Foundation, “Grant Awards,” accessed July 22, 2020, https://www.gatesfoundation.org/ns/500.html.
27 Digital Financial Services Observatory, “The DFS Observatory at Columbia University,” https://dfsobservatory.com/, accessed September 26, 2020.
28 Digital Financial Services Observatory, “The DFS Observatory at Columbia University,” https://dfsobservatory.com/, accessed September 26, 2020.