Inclusive fintech provides fertile ground for cyber crime. What can be done about it?
This is a guest post by Pietro Rocco di Torrepadula, a current Master's candidate at Columbia University' School of International and Public Affairs. Pietro is currently enrolled in the course "Financial Inclusion: Models and Products to Enhance Access for the Poor", a course co-taught by MIX CEO, Camilla Nestor.
For fintech startups, business is booming. Global investment in fintech topped USD $100 billion in 2018, nearly double the previous annual record set in 2015. Given this growth, the opportunity within fintech is massive – as is the opportunity cost of ignoring it. The result of this reality has been a rush to market, with new products and services rolling out at a rate so rapid it is difficult to track. At the same time, investors, donors, and other industry advocates are pushing for more impact and more innovation. No longer limited to payments, inclusive fintech extends across the spectrum of financial products and services, covering savings, investment, and insurance, even for the poorest consumers.
Figure 1: Global Fintech Investment
Source: KPMG, The Pulse of Fintech 2018 (February 2019)
However, the boom times aren’t without risk. Cyber-crime is a major challenge, and research shows that neither geography nor maturity correlate with stronger cyber-security. In fact, the damage from cyber-crime is expected to exceed USD $6 trillion by 2021. In developing countries, even a small loss can be catastrophic. The major question, then, is how cyber-crime impacts low-income populations and, further, what can be done to stop it?
Recent research from the International Monetary Fund (IMF) suggests that more players operating more closely – connected through APIs, switches, and other integrations – increases the points of entry for crime. The unpredictability of cyber-crime and its increasing sophistication enhances the risk of successful attacks. Following the WannaCry attack of 2017, where total damages were in the billions, the global financial industry was accused of wilfully ignoring the risks. After years of inaction, companies paid a heavy price in both financial and reputational costs.
Though expanding financial services to underserved populations is laudable, it is not without risk. Researchers at Harvard identified inclusive fintech as a key vulnerability in the global financial system. Developing countries include high numbers of new-to-technology users with little knowledge of cyber-security threats like phishing. Compounding that are unsecure communications networks, which make users and systems more vulnerable to attacks. Across Africa, for example, the number of successful cyber-attacks doubled annually over the past few years, with mobile services a primary target. The biggest risk for inclusive fintech remains human error, with the poorest customers particularly susceptible.
Figure 2: Impact of Successful Cyber Attacks
Sources: World Bank; IBM, 2018 Cost of Data Breach Study (July 2018)
In their push for growth, some providers have been naïve in their approach. From a reputational standpoint, cyber-crime can undermine customer acquisition, especially for low-income demographics unable to absorb losses and already cautious of digital products. The potential for irreparable damage is significant, not only for the financial institution but also the customer. Losing income could mean the difference between supporting a household and not. Yet, there has not been enough action. Budget constraints, competing priorities and a technology lag all contribute to insufficient and ineffective cyber security investment.
One possible solution may be to highlight the reputational risks for fintechs. A security breach that exposes customer data could have a negative effect on customer acquisition and retention rates, critical indicators of traction that are of great interest to investors. Since customers can just as easily drop a service as they can adopt it, fintechs could use cyber-security policies as a selling point.
There are other signs that the industry is getting serious about the risks related to cyber-crime. The Smart Campaign organized and hosts the Fintech Protects Community of Practice, which brings together several investors, financial institutions, and fintechs to share best practices around consumer protection, including data security. Separately, Accion Venture Lab is developing a set of resources to help early-stage fintechs implement better information security and data privacy policies. While these efforts are important early steps, a coordinated approach across the inclusive fintech ecosystem is needed to ensure cyber-crime doesn’t unravel the progress of financial inclusion across an increasingly digital world.
Pietro Rocco di Torrepadula is pursuing a Master’s of International Affairs in Economic and Political Development at Columbia University’s School of International and Public Affairs (SIPA). Prior to Columbia, Pietro worked in banking where he was most recently an Associate in Standard Chartered’s Financial Institutions team focussing on large-cap insurance companies expanding into emerging markets. Pietro holds a Bachelor of Arts in Arabic & Islamic Studies from Oxford University in the UK. Over the summer, Pietro will be interning in London where he will join the product development team for an international inclusive education finance initiative.