Cybersecurity for Financial Inclusion: Framework and Risk Guide (English version).pdf

BRINGING SMART POLICIES TO LIFE

CYBERSECURITY FOR FINANCIAL INCLUSION: FRAMEWORK

Bank Al-Maghrib; Central Bank of Nigeria; Bank of Namibia; Central Bank of Sudan, and Reserve Bank Fiji. AFI is also thankful to Paul Makin for helping the subgroup conduct relevant research and draft the document.

AFI also acknowledges and appreciates the private partners, experts and stakeholders who contributed to the document. Among them are the European Central Bank, GSMA, Mastercard, Visa, IMF, ITU, CGAP and the World Economic Forum.

Ali Ghiyazuddin Mohammad and Kennedy Komba from the AFI management unit also provided inputs and comments for the framework.

The digital financial services workstream is supported by AFI's Funding Partners.

CONTENTS

1 INTRODUCTION 3
1.1 Background 3
1.2 Cybersecurity Risk Guide 3
1.2.1 Purpose 3
1.2.2 Methodology 3
2 DIGITAL PAYMENTS AND FINANCIAL SERVICES MODEL 4
3 PRINCIPLES OF CYBERSECURITY 6
3.1 Introduction 6
3.2 Principles for Regulators, Policy Makers and Supervisory Authorities 6
3.3 Principles for Service Providers 6
3.4 Regulators 7
3.4.1 Principle I: Regulation and Compliance 7
3.4.2 Principle II: Cooperation 8
3.5 Financial Service Providers 8
3.5.1 Principle III: The Customer 8
3.5.2 Principle IV: Delivering the Service 10
3.5.3 Principle V: Managing Internal Risks 11
3.5.4 Principle VI: Understanding Your Partners 13
3.5.5 Principle VII: The Longer Term 13
3.6 Risk Summary 14
3.7 Of Special Note: USSD, SMS and Cyber Risk 16
4 BACKGROUND: EXISTING FRAMEWORKS 17
4.1 Introduction 17
4.2 Supranational Frameworks 17
4.2.1 NIST 17
4.2.2 FFIEC 17
4.2.3 CPMI-IOSCO 17
4.2.4 ECB CROE 18
4.2.5 FSSCC Cybersecurity Profile 18
4.2.6 Center for Internet Security: the CIS 20 Controls 18
4.3 National Frameworks 19
4.3.1 Introduction 19
4.3.2 Armenia 19
4.3.3 Ghana 19
4.3.4 Nigeria 19
GLOSSARY 21
ANNEX A: STAKEHOLDER INTERVIEWS 22

To serve as a reference point for the recommendations themselves, giving context to each element.

[Figure 1: the digital payments and financial services model. Domains: Operational Service Domain and Customer Access Domain. Elements: Bank(s); Credit Bureaus; Other PFSPs; Payment Gateways; Merchants, Billers, Utilities, Aggregators; Retail Payment Switches; Regulatory Authorities; Financial Service Operators' Systems; Standards and Standard Setting Bodies.]

identifying customers; keeping their data private, and ensuring their effective identification during client on-boarding and in transactions.

PRINCIPLE IV: SECURE DELIVERY OF SERVICES
Understanding the service delivery channels and infrastructure that interface between FSPs and their customers, and ensuring that information remains private and transaction integrity is maintained.

PRINCIPLE V: MANAGING INTERNAL RISKS
Ensuring that the integrity of the FSP's service is preserved through internal controls and processes that provide effective enterprise-wide risk management for secure service provision.

PRINCIPLE VI: UNDERSTANDING YOUR PARTNERS
Making sure that partners are engaged through appropriate processes without significantly increasing the risks to either customers or your service.

PRINCIPLE VII: THE LONGER TERM
Ensuring that your service maintains its security as new threats emerge; that regulatory authorities are informed of both existing risks and your plans to address them; carrying out audits regularly, and ensuring that all reporting requirements are met, etc.

3 PRINCIPLES OF CYBERSECURITY

3.1 INTRODUCTION
This Guide provides seven key principles for cybersecurity aimed specifically at financial inclusion initiatives. Two principles are for regulatory and supervisory authorities, to enhance their supervisory frameworks, regulatory approaches and cooperation on matters related to the cybersecurity of financial services with a significant component intended to address financial inclusion challenges. The remaining five principles set out the requirements to be placed on service providers and are intended to assist regulatory authorities in their supervision of service providers' activities.

3.2 PRINCIPLES FOR REGULATORS, POLICY MAKERS AND SUPERVISORY AUTHORITIES
Cybersecurity is not just an issue for service providers. Two essential principles in ensuring the security of services and the protection of customers are fulfilled by regulatory and supervisory authorities.

PRINCIPLE I: REGULATION AND COMPLIANCE
Establishing and maintaining the regulatory requirements that service providers must comply with; informing and assisting service providers in demonstrating their compliance with the regulatory environment; adapting regulations to changing environments; applying principle-based approaches, and monitoring the safety of critical public infrastructure.

PRINCIPLE II: COOPERATION
Ensuring that action is taken in concert with international counterparts; cooperating with multiple national agencies that are active in the field of cybersecurity; sharing information about threats and incidents, and ensuring that FSPs have appropriately skilled human resources to deal with cybersecurity threats.

3.4.1 PRINCIPLE I: REGULATION AND COMPLIANCE
informing and assisting service providers in demonstrating their compliance with the regulatory environment; adapting regulations to changing environments; applying principle-based approaches and monitoring the safety of critical public infrastructure.

REFERENCE / RECOMMENDATION

R-1 Develop or adopt a cybersecurity framework to guide FSPs as to what is expected of them. Such a framework should take into account appropriateness to the size of the regulated institution and the risks it presents to customers.

R-2 Consider liability issues that may arise if security standards are not followed by FSPs, especially if non-compliance results in financial loss. Issues to consider include:
- mandatory communication to both the authority and affected customers;
- requirements to refund losses from customers' accounts;
- potential liabilities for customers' consequent losses.

R-3 Consider allowing lower technical security standards (including, for example, USSD) by balancing the higher risk with stricter liability; see also Recommendation C-10.

R-4 Develop a policy to address the practical aspects of implementing oversight procedures, including the development or adoption of a cybersecurity assessment framework.

R-5 Place particular emphasis on assessing the quality and availability of continuous transaction monitoring facilities at FSPs. This is especially important in the context of the additional risk incurred by using USSD and SMS for mobile financial services.

R-6 Where possible, appoint a Chief Information Security Officer (CISO). This individual will be responsible for developing and implementing an information security program to protect both internal systems and data, as well as the sensitive data provided by FSPs as part of their reporting obligations. The CISO role should exist outside any IT or MIS departments. The benefit of such a role will be derived only from a direct reporting function to the Directors, thus avoiding the risk of cybersecurity concerns being filtered through the interests of specific departments. This industry best practice applies as much to regulatory authorities as it does to FSPs.

R-7 Sensitive data supplied by FSPs to supervisory authorities, including data about their customers, should be subject to many of the same internal cybersecurity measures that are required of FSPs. To this end, regulatory/oversight authorities should consider the adoption of international best practice technical cybersecurity controls for internal use, both where they offer digital services and where they are the recipient or repository of confidential data from regulated entities.

R-8 Establish a national baseline for a common assessment of cyber-readiness reports across the financial sector. FSPs are required to conduct annual assessments of their level of cyber-readiness and provide the resulting reports to the supervisory authority.

R-9 Develop an approach to providing a proper, standardized assessment of each FSP's proposed approach to addressing any identified shortcomings. Shortcomings identified in an FSP's cyber-readiness assessment are commonly addressed in an addendum to the annual assessment report.

R-10 Review suspicious transaction reports (STRs) received from individual FSPs, comparing them to those received from the rest of the financial sector, and act if they differ significantly, either in the expected number of reports or in the level of detail provided.

R-11 Visit FSPs' operational centers on a regular basis to verify that the documented processes and control points are being followed. Also verify that active transaction monitoring (including AML monitoring) is in place, where appropriate.

R-12 Build internal capacity to satisfy the supervisory requirements set out in this document.

R-13 Develop cybersecurity awareness programs for delivery to the staff of both FSPs and regulatory/supervisory authorities.

R-14 Incorporate enforcement clauses in all national cybersecurity guidelines and frameworks, such that an FSP's non-compliance will result in sanctions according to national regulations.

R-15 Take measures to monitor the safety of critical digital infrastructure, including digital identity systems, payments systems, financial switches, etc., and act to alert FSPs if an issue is identified.

3.4.2 PRINCIPLE II: COOPERATION
cooperating with multiple national agencies that are active in the field of cybersecurity; sharing information on threats and incidents, and ensuring that FSPs have appropriately skilled human resources to deal with cybersecurity threats.

REFERENCE / RECOMMENDATION

O-1 Where an FSP suffers a failure in cybersecurity that leads to a data breach, or in the case of fraud being reported to supervisory authorities, those authorities should review the associated cyber threat and, if appropriate, warn other regulated entities of the attack.

O-2 The creation of a national cyber-awareness and warning body should be considered; if the supervisory body feels there is insufficient capacity for this, then it should consider identifying regional or international partners to establish such a service.

O-3 Set up an industry-wide Cybersecurity Operations Centre (CSOC) and Computer Emergency Response Team (CERT).

O-4 Facilitate cooperation between the national CSOC/CERT and any regional/international CSOC/CERT that is in place.

3.5 FINANCIAL SERVICE PROVIDERS
The requirements set out in this section apply specifically to the activities expected of FSPs with a specific financial inclusion element. They are also intended to assist regulatory authorities in their supervision of service providers' activities in the fulfilment of these requirements.

3.5.1 PRINCIPLE III: THE CUSTOMER
Understanding customers' financial service capacities; identifying them; keeping their data private, and ensuring you know who they are when they return.

REFERENCE / RECOMMENDATION

C-1 Financial Service Capacity. FSPs should have a program of support and education in place for customers with limited digital and/or financial literacy. The program should include relevant aspects of cybersecurity risks and the associated steps customers can take to mitigate them.

C-2 Proportionate, Risk-Based KYC and Due Diligence. It is vitally important that every customer of an FSP is subject to a robust identification and verification process during registration, making appropriate use of technological innovations such as analysis of a customer's digital footprint and shared or utility-based KYC services. This does not mean that every customer must present robust evidence of their identity. Instead, a proportionate approach to KYC should be adopted: every customer must present whatever identity documentation they have. This should then be subject to verification, and their degree of access to financial services should be built on the output of that process, in a model that follows the FATF Recommendations.

This way, a potential customer with a digital identity, issued by a government and subject to robust biometric authentication, who can also provide a passport and evidence of their residential address, would typically be offered the full range of financial services (subject to further checks on a case-by-case basis, such as determining creditworthiness). In contrast, a customer who is only able to provide a single paper-based identity document, such as a voter's card, and is unable to provide any additional documentation, will be offered only basic access to a transactional account, with strict balance and transaction limits.

It is assumed that there would be a gradation of access between these two extremes, possibly consisting of three to five levels. In all cases, these should be defined in accordance with the requirements set out in national regulation, or in agreement with the regulatory authorities (if this is not otherwise defined).

C-3 It should be possible for customers to "upgrade" the level of service they are able to access by providing additional identity documentation to the FSP.

C-4 Consideration should also be given to providing service to customers who are not able to produce any form of identity documentation, as long as an existing customer of the financial service provider presents an attestation of their identity. Naturally this must be subject to strict provisos:
- it must take place only in agreement with, and under the supervision of, the appropriate authorities;
- if the attesting customer becomes subject to investigation for any reason (their identity comes under question; links to fraud, money laundering or the funding of terrorism), then the attested customer's account should be immediately suspended.

but in a manner in accordance with the previous recommendation.

C-10 Customer Liability. Customer liabilities should be defined by both the capacities of customers and the feasibility of their influence over the reliability and security of the service. During the interviews conducted, some stakeholders observed that a number of FSPs have a customer agreement that makes customers liable for any losses in the customer access domain (see Figure 1). The unfortunate result is that there has been little or no investment in better cybersecurity in that domain, even though customers have no influence over, for example, the security of a mobile network. This approach is not acceptable or sustainable, as it affects customer confidence in the FSP and, more broadly, in the whole financial sector. Customers may not be aware of this liability, and this reinforces the need to have robust consumer protection mechanisms in place.

One remedy would be a liability shift, similar to that seen in the European Union's PSD2 initiative. This would mean that any loss is automatically assumed to be the FSP's liability until proved otherwise, and should be refunded to the customer immediately. However, if a subsequent investigation reveals it is in fact the