Evolution of Data Protection in Fintech
Financial technology, or fintech, has experienced phenomenal growth in the past few years. It refers to technological innovation in the financial sector and includes both back-end and consumer-facing services, ranging from cryptocurrencies like Bitcoin to peer-to-peer lending sites. The rise of fintech has given way to new opportunities and alternatives in areas that only a decade ago were monopolized by traditional banks and lenders.
FinTech provides consumers with easy access to personal financial data, mobile banking, and investment opportunities in non-traditional situations. It handles terabytes of sensitive and valuable financial data such as bank account details, passwords, and identity data. Data fuels fintech in numerous ways. For example, financial technologies use our personal data to customise the user experience, offering banking recommendations based on our spending patterns. Fintechs also use data and predictive analytics to make credit and lending decisions, manage risk, detect fraud, drive marketing, and devise customer retention and loyalty programmes. It cannot be overstated just how much fintech relies on access to data, and what that data can be used for.
The security of data has been challenged by the incorporation of new services into the digital world. Data protection has become essential to continue operating in the new financial environment, especially with the advent of fintech. Champions of fintech argue that consumers, and indeed society, will benefit from increased access to data that will continuously inspire change. Sceptics, however, argue that more data equals more risk, pointing to challenges such as cyber-security attacks.
With so much digital information available for fintech firms to use and analyse, it is imperative that these firms implement safeguards ensuring data is processed ethically and lawfully. However, security challenges abound in this industry, and before a firm can develop effective data protection it first needs to understand the main security challenges in fintech.
Security Challenges in FinTech
In working with sensitive data, fintechs have to work out a strict mechanism for regulating who can access, create, modify, benefit from, sell, and remove data, as well as who can grant these rights to others. Establishing data ownership makes litigation easier in cases where information is leaked or misused, by making it clear who is responsible for the data’s safekeeping. To establish data ownership, the company needs to take into account a number of technical and legal considerations and make sure the processes of collecting, processing, storing, transferring, and destroying data comply with the norms and regulations in the firm’s sphere.
Currently, the digitalization of financial services and the closing of physical offices are among the biggest challenges in the fintech industry. To secure data and effectively manage digital identities, financial companies are having to develop reliable online mechanisms for verifying identities. To strengthen the biometric technologies already in place within their systems, fintech companies are introducing one-time passwords (OTP) and adaptive authentication. Adaptive, or risk-based, authentication checks data such as a user’s geolocation and registered devices in addition to biometric data and one-time passwords.
The cost of non-compliance for any business is very high. Fintechs have to ensure all their processes comply with the regulations and norms of the country or region in which they operate. There are mandatory norms and regulations for all fintechs to adhere to, some specific to certain countries or regions, which include:
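To make the adaptive authentication described above concrete, here is an added example (written for this article, not code from the original text or from Virtual Pay) of a risk-based sign-in check in Go. It scores a sign-in attempt against what the service already knows about the user: whether the device is registered, whether the country has been seen before, and whether the attempt is an "impossible travel" relative to the previous sign-in, which goes one signal beyond the text. The data model, the weights and the thresholds are assumptions made for the example; a real deployment tunes them from its own traffic.

```go
package main

import (
	"fmt"
	"time"
)

// LoginAttempt models the signals an adaptive check receives for one sign-in;
// the field set is an assumption for this example, not a real product's schema.
type LoginAttempt struct {
	User     string
	DeviceID string
	Country  string
	At       time.Time
	OTPValid bool // true once the user has entered a correct one-time password
}

// UserProfile is what the service remembers from earlier successful sign-ins.
type UserProfile struct {
	KnownDevices   map[string]bool
	KnownCountries map[string]bool
	LastSeen       time.Time
	LastCountry    string
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // ask for a one-time password before continuing
	Deny   Decision = "deny"
)

// Illustrative weights and thresholds; a real deployment tunes these from its own data.
const (
	riskNewDevice        = 40
	riskNewCountry       = 30
	riskImpossibleTravel = 50
	stepUpThreshold      = 40
	denyThreshold        = 90
)

// RiskScore adds up the risk signals for one attempt and names each one,
// so the decision can be logged and reviewed later.
func RiskScore(p UserProfile, a LoginAttempt) (int, []string) {
	score, reasons := 0, []string{}
	if !p.KnownDevices[a.DeviceID] {
		score, reasons = score+riskNewDevice, append(reasons, "unregistered device")
	}
	if !p.KnownCountries[a.Country] {
		score, reasons = score+riskNewCountry, append(reasons, "new country")
	}
	// A different country within an hour of the last sign-in is physically
	// implausible ("impossible travel").
	if p.LastCountry != "" && p.LastCountry != a.Country && a.At.Sub(p.LastSeen) < time.Hour {
		score, reasons = score+riskImpossibleTravel, append(reasons, "impossible travel")
	}
	return score, reasons
}

// Decide turns the score into an outcome. A valid OTP satisfies a step-up
// request but never overrides a deny.
func Decide(p UserProfile, a LoginAttempt) (Decision, int, []string) {
	score, reasons := RiskScore(p, a)
	switch {
	case score >= denyThreshold:
		return Deny, score, reasons
	case score >= stepUpThreshold && !a.OTPValid:
		return StepUp, score, reasons
	default:
		return Allow, score, reasons
	}
}

func main() {
	// Constructed history: alice normally signs in from device dev-1 in Kenya.
	profile := UserProfile{
		KnownDevices:   map[string]bool{"dev-1": true},
		KnownCountries: map[string]bool{"KE": true},
		LastSeen:       time.Date(2024, 1, 10, 9, 0, 0, 0, time.UTC),
		LastCountry:    "KE",
	}
	at := time.Date(2024, 1, 10, 9, 30, 0, 0, time.UTC)
	attempts := []LoginAttempt{
		{User: "alice", DeviceID: "dev-1", Country: "KE", At: at},
		{User: "alice", DeviceID: "dev-9", Country: "KE", At: at},
		{User: "alice", DeviceID: "dev-9", Country: "KE", At: at, OTPValid: true},
		{User: "alice", DeviceID: "dev-9", Country: "DE", At: at.Add(10 * time.Minute)},
	}
	for _, a := range attempts {
		d, score, why := Decide(profile, a)
		fmt.Printf("%s device=%s country=%s otp=%v -> %s (score %d) %v\n",
			a.User, a.DeviceID, a.Country, a.OTPValid, d, score, why)
	}
}
```

Logging the reasons alongside the decision matters as much as the decision itself: a step-up that fired for "unregistered device" is easy for an analyst to review, whereas a bare score is not. Note that the OTP only satisfies a step-up; once the combined signals cross the deny threshold, a correct one-time password is not enough, because OTPs can be phished.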
- The General Data Protection Regulation (GDPR) regulates data protection and privacy in the European Union and the European Economic Area. It aims at protecting EU residents from data breaches and applies to all companies processing the personal data of EU residents, even if the physical location of the company is outside the European Union.
- PSD2, or the second Payment Services Directive, applies to all EU countries. The directive aims at ensuring the security of electronic transactions and expanding the financial services ecosystem within the EU market.
- PCI DSS is the Payment Card Industry Data Security Standard, which is meant to protect customer credit card information and reduce fraud. This standard is mandatory for all companies and organizations that deal with credit card information.
- GPG13 is a general data protection act in the United Kingdom that’s compulsory for companies that deal with high-impact data.
- eIDAS (Electronic Identification, Authentication, and Trust Services) is an act that regulates electronic identification and trust services for electronic transactions in the European Single Market.
As a sector lacking a uniform regulatory framework, fintech firms remain vulnerable to a wide array of security challenges such as hacking attempts, potential exploits arising from their software’s interaction with traditional banking institutions, and overall systemic financial risk. The industry is highly exposed to security attacks, and data protection is key in countering these challenges.
Data Protection in FinTechs
Data protection in fintech seeks to address three key questions:
· What happens if data security is compromised?
· Who (or what) is held accountable by regulatory watchdogs for decisions made by robots?
· Just how do Fintech firms protect our consumer rights?
The latest approaches and techniques that can help fintechs deal with these concerns and protect their sensitive data include:
1. The encryption of sensitive data. Data encryption is the use of complex mathematical algorithms to encode data; special keys are needed to decode it. The four most robust encryption algorithms fintechs can use include:
- Advanced Encryption Standard (AES). AES is a symmetric cipher, which means it uses the same key for encryption and decryption. The US government uses AES encryption to protect sensitive and classified data.
- Rivest-Shamir-Adleman (RSA). RSA is an asymmetric encryption algorithm that uses different keys for encrypting and decrypting data. The encryption algorithm is highly secure.
- Triple Data Encryption Standard (TripleDES). TripleDES is based on the DES cipher. It applies the DES cipher algorithm three times to each data block. This algorithm is often used to encrypt credit card PINs and other types of passwords.
- Twofish. Twofish is a symmetric block cipher that uses data blocks of 128 bits and accepts a key length of up to 256 bits. No matter the key length, there are always 16 data encryption rounds.
Each encryption algorithm has its own peculiarities and is used to encrypt different sets of data.
2. Creation of secure code and secure architecture. The quality of architecture and code is vital to the security of an application. Messy code is easy to hack. If the application has security issues in its business logic, these issues will be difficult to detect, even with automated tools. The best way to prevent them is to do code reviews and employ pair programming. In addition, the main programming language for a fintech has to be fast, scalable, reliable, versatile, well-supported, and secure.
3. Secure authentication. For FinTech software, secure and precise identification and authentication is vital. Apart from OTP and adaptive authentication, fintechs can employ the following approaches:
· Role-based access control (RBAC) – This is an approach in which access to software and systems is granted according to a user’s role. Each type of role can access only predefined files and systems and is restricted from accessing other parts of the software.
· Password expiration – Cyberattacks and malware are not the only causes of data leaks and breaches. Human error and, in some cases, wilful actions by employees can also lead to data loss. Systematically changing passwords reduces the risk of data leaks and helps protect sensitive data from ex-employees and unexpected accidents.
· Shorter session lifetimes – Fintechs are advised to reduce session time. This minimises the risk of a malicious third party accessing a user’s applications through an active session.
· Tracking failed sign-in attempts – This allows the fintech to detect and prevent cyberattacks. It is recommended to set a limit on sign-in attempts and to ask for additional (multi-step) identity verification if a user exceeds this limit.
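Three of the controls in the list above (role-based access control, shorter session lifetimes and a limit on failed sign-in attempts) fit naturally into one small authorization service. The Go program below is an added example written for this article, not Virtual Pay’s code; the roles, the permission names, the 15-minute session lifetime and the limit of five failed attempts are constructed values, and the clock is injected so that session expiry can be exercised without waiting.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Roles and permissions are constructed for this example, not a real fintech's model.
type Permission string

const (
	ViewBalance Permission = "balance:view"
	MakePayment Permission = "payment:create"
	ApproveLoan Permission = "loan:approve"
)

// RBAC policy: a role reaches only what is listed here (deny by default).
var rolePermissions = map[string]map[Permission]bool{
	"customer":     {ViewBalance: true, MakePayment: true},
	"loan-officer": {ViewBalance: true, ApproveLoan: true},
}

const (
	sessionTTL        = 15 * time.Minute // short session lifetime
	maxFailedAttempts = 5                // at this count, demand multi-step verification
)

var (
	ErrNoSession    = errors.New("no such session")
	ErrExpired      = errors.New("session expired")
	ErrForbidden    = errors.New("permission denied")
	ErrStepUpNeeded = errors.New("too many failed sign-ins: additional verification required")
)

type Session struct {
	User, Role string
	Expires    time.Time
}

// AuthService holds sessions and per-user failed sign-in counts; the clock is
// injectable so expiry can be exercised deterministically.
type AuthService struct {
	sessions map[string]Session
	failures map[string]int
	now      func() time.Time
}

func NewAuthService(now func() time.Time) *AuthService {
	return &AuthService{sessions: map[string]Session{}, failures: map[string]int{}, now: now}
}

// RecordFailure counts a failed sign-in and reports when the limit is reached.
func (s *AuthService) RecordFailure(user string) error {
	if s.failures[user]++; s.failures[user] >= maxFailedAttempts {
		return ErrStepUpNeeded
	}
	return nil
}

// SignIn issues a session. A user at the failure limit must first complete
// step-up verification; a successful sign-in resets the count.
func (s *AuthService) SignIn(id, user, role string, stepUpDone bool) error {
	if _, ok := rolePermissions[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	if s.failures[user] >= maxFailedAttempts && !stepUpDone {
		return ErrStepUpNeeded
	}
	s.failures[user] = 0
	s.sessions[id] = Session{User: user, Role: role, Expires: s.now().Add(sessionTTL)}
	return nil
}

// Authorize checks that the session exists, has not expired, and that its
// role grants the requested permission.
func (s *AuthService) Authorize(id string, p Permission) error {
	sess, ok := s.sessions[id]
	if !ok {
		return ErrNoSession
	}
	if !s.now().Before(sess.Expires) {
		delete(s.sessions, id) // expired sessions are dropped, not kept around
		return ErrExpired
	}
	if !rolePermissions[sess.Role][p] {
		return ErrForbidden
	}
	return nil
}

func main() {
	clock := time.Date(2024, 1, 10, 9, 0, 0, 0, time.UTC)
	svc := NewAuthService(func() time.Time { return clock })
	fmt.Println("bob signs in:", svc.SignIn("s1", "bob", "customer", false))
	fmt.Println("customer views balance:", svc.Authorize("s1", ViewBalance))
	fmt.Println("customer approves loan:", svc.Authorize("s1", ApproveLoan))
	clock = clock.Add(16 * time.Minute)
	fmt.Println("after 16 minutes:", svc.Authorize("s1", ViewBalance))
}
```

The order of checks in Authorize is deliberate: existence and expiry are tested before the role lookup, so an expired session never reaches the permission table, and an unknown role can never be granted anything because the policy map denies by default.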
4. Tokenization. This is an approach to securing data whereby meaningful data is replaced with random strings of symbols, or tokens. Tokens reference the original data, but they can’t be used to recover the original information unless you have access to a special database. This database, called a token vault, stores the relationships between the original data and the generated tokens. Without the database, tokens are useless sets of symbols. Tokenization is a highly secure method for storing and transmitting data, and the most important step is to protect the token vault. One common way to do this is to encrypt the database.
5. Code obfuscation. This is an effective way to protect your software from cloning. Program clones look and work very similarly to the original software and aim at gathering users’ personal data. Obfuscation complicates the analysis of an app’s source code, makes it impossible to understand how algorithms work, and prevents reverse engineering.
Author: Stephen Mwangi, Chief Operating Officer
As Virtual Pay’s Chief Operating Officer, Stephen leads Virtual Pay’s global payments network, business operations, finance, legal, compliance, sales and partnerships, payments and global operations. Stephen brings hands-on experience in legal, compliance, risk management, finance, go-to-market strategy and business development. Stephen holds a Bachelor of Commerce degree in Finance & Accounting. He is a Certified Public Accountant (CPA), a Certified Investment and Financial Analyst (CIFA) and holds certifications from the Chartered Institute for Securities and Investment (CISI, UK). He is currently pursuing his MSc in Finance and Financial Law at the University of London.