Data protection gaps in fintech

In our previous article, “Regulatory gaps in Nepal’s fintech” (March 14, 2024), we discussed some regulatory gaps in fintech. In this piece, we will focus on the regulatory gaps primarily related to cybersecurity and data protection that the Nepal Rastra Bank (NRB) must quickly address. The fintech ecosystem in Nepal is growing, but it remains fragile in terms of cybersecurity and data protection. The NRB regulation should promote fintech innovation while also considering the importance of data protection and security.

Technology is evolving, and so are cyber-attacks. In 2019, hackers stole almost Rs18.9 million from 13 Nepali banks using ATM terminals. They spoofed the Nepal Electronic Payment Systems Limited (NEPS) link using fake cards, which enabled them to take money from the ATMs by independently verifying all the information of the Nepal bank’s clients. This incident was one of the most prominent cases of cross-banking transactions via ATM cash-out hack and could happen again. Hence, the NRB should be aware of such incidents. The court decided to punish the perpetrators; however, as it wasn’t physical loot, a detailed investigation to find out the root cause would have been an appropriate step by the central bank. Such investigations could provide insights and further strengthen the system security of such companies and bank and financial institutions in Nepal.

Clause 44 of the Payment and Settlement Bylaw, 2077 (First Amendment, 2080) addresses the liability of the payment system operators (PSO)/payment service providers (PSP) in case of any disputes or any other loss arising from incidents such as cyber-attacks. However, the absence of explicit guidance regarding the extent of liability raises concerns. For instance, a PSO with a paid-up capital of Rs50 million must be given clear guidelines on their liability in the worst-case scenario, or there must be a limit on how much of their customers’ funds they can retain.

Additionally, it is the right time to introduce a government guarantee fund, like the deposit and credit guarantee fund (DCGF), to protect the public from loss arising from data breaches and other cyber incidents. If the government had set up such funds, it would have been more vigilant and strict on cybersecurity measures. This would be a win-win situation for all parties.

Furthermore, no insurance products are available in Nepal to hedge companies against any loss due to data breaches or similar security incidents. The lack of insurance coverage leaves companies vulnerable to hacking and losses. It might be appropriate for the regulator to open a pathway for companies in Nepal to obtain cyber insurance, even from foreign companies, until insurance companies in Nepal launch such products.

Similarly, Clause 45 of the Bylaw and Directive No. 3 of the NRB Unified Directive Related to Payment Systems, 2079, discusses the security policies and practices for PSO/PSP. Implementing a uniform requirement for payment card industry data security standard (PCI DSS) and International Organization for Standardization (ISO) 27,000 certifications across all financial institutions involved in payment processing would ensure a data protection baseline, mitigating the risks of cyber threats. The language of the Directive is clear: A licensed institution shall adhere to the standards of PCI DSS, Europay, Mastercard and Visa (EMV) Standard, EMV Contactless Standard, etc. However, a mechanism to ensure that these standards are followed is unclear. Had it been mentioned that certification like PCI DSS is mandatory, it would have made more sense since an independent third party always issues a certification.

Similarly, regulatory requirements always act as the baseline for security, and these NRB guidelines are the minimum requirements spread across the industry. Further, data security is not a matter of securing them for a point of time only; it is a regular, ongoing activity that needs the attention of the stakeholders. Similarly, if we look through most payment-related companies’ websites, except for a few big players, we don’t find much information related to their security and related certifications.

A provision requiring each licensed institution to disclose its licenses and certifications, commitment to data security, and other related matters on its website and update it regularly must be introduced to increase public awareness and invoke dialogues between the stakeholders. Similarly, Clause 45 of the Bylaw contains a provision for system audit while it also mentions a provision for an annual system audit. In contrast, the Directive states that a system audit is mandatory after a year of operation and every two years when there are no changes in the existing system. These two provisions contradict each other, and the regulator must provide clarification on the same. Two years to conduct a system audit is pretty long, and so payment-related institutions must conduct at least an annual system audit in light of the rise of cyber threats in the present context.

Awareness of cyber threats and cybersecurity is a pressing need today since most occur due to human negligence. Social engineering is the most common way through which intruders can gather data and find loopholes in a payment system. To improve cyber risk measures, visibility is required on the organisation’s risk dashboard, covering all inherent risk levels to provide a picture of what is being defended. Lastly, continuous monitoring and a proactive approach to risk management is the only way against cyber-attacks. The country’s payment industry is still in its infancy, and before something worse happens, all the stakeholders must join hands to protect the public’s interest.