Cybersecurity: A Crucial Ingredient for Responsible Finance and Consumer Protection

Cybersecurity has become a critical pillar of consumer trust and a key enabler of equitable financial inclusion. In collaboration with CyberPeace Institute, we explore the risks of cyber threats in inclusive finance and what is needed to responsibly address them.

AUTHORS

Francesca Bosco, Edoardo Totolo

Topics

Once relegated to the realms of IT departments, cybersecurity is increasingly becoming an integral component of responsible finance. This transformation marks a shift in the inclusive finance sector, recognizing that cybersecurity is no longer just about technology, but a critical pillar of consumer trust and a key enabler of safe, equitable financial inclusion for consumers and small businesses.

While the digitalization of finance expands access and opportunities, it also exposes people to heightened financial risks, including fraud and predatory practices.

In large part due to the widespread adoption of digital financial services, the Global Findex 2021 highlighted a significant milestone: 76 percent of the global population now has an account at a financial institution. While the digitalization of finance expands access and opportunities, it also exposes people to heightened financial risks, including fraud and predatory practices. Research shows an escalation in consumer protection risks accompanying the rise in digitalization, including cyber threats. It is crucial for businesses and policymakers committed to inclusive finance to acknowledge the immediate need for robust cybersecurity measures.

CFI’s approach to consumer protection focuses on reducing consumer vulnerabilities, whenever they arise. These vulnerabilities can be classified using a vulnerability framework, and help identify who is least equipped to deal with the shock. Cyber threats, due to their nascent and dynamic nature, can create a complex intersection of vulnerabilities, affecting those who are most at risk. In this context, cybersecurity measures implemented by institutions and raising awareness among users are both equally important steps to safeguard individuals and institutions and prevent systemic risks.

Risks of Cyber Threats in Inclusive Finance

The landscape of cyber threats has grown substantially more complex. We’re now facing a wide array of dangers, including ransomware, phishing and its derivatives like Smishing, vishing, and Qshing, Distributed Denial of Service (DdoS) attacks, and supply chain infiltrations. These threats expose critical vulnerabilities that can disrupt operations, undermine the integrity of financial institutions, compromise sensitive data, and significantly erode consumer trust. Such risks not only threaten security but also contribute to driving consumers away from the digital economy.

The increasing prevalence and sophistication of cyber threats are highlighted by a series of high-profile incidents across the globe. In 2016, in an attack on the Central Bank of Bangladesh, cyber-threat actors attempted to steal nearly $1 billion from a Federal Reserve Bank of New York account that belonged to the Bangladeshi central bank; however, the attack was thwarted and losses were largely minimized. Years later, in August 2023, the Central Bank of Bangladesh received threats that caused them to halt several internal online services to prevent another potential cyberattack. A DDoS attack targeting a Ukrainian investment company led to severe disruptions in website connectivity, and the cyber incidents plaguing Uganda’s largest mobile money networks, MTN and Airtel, resulted in a crippling four-day halt in service transactions.

Cyber threats expose critical vulnerabilities that can disrupt operations, undermine the integrity of financial institutions, compromise sensitive data, and significantly erode consumer trust.

In addition to high-profile cases, many cyber threats targeting fintechs and small financial institutions go unnoticed in the media, but their impact is significant. For instance, in Africa, the financial sector is increasingly recognizing cybercrime as a major risk. In a notable case, the Bluebottle cybercrime group’s targeted attacks against financial institutions in Francophone African countries have caused financial losses totaling millions over four years, using methods that are accessible and less sophisticated. In Latin America, the situation is equally concerning. The region saw an estimated 137 billion cyber attack attempts in just the first half of 2022, with ransomware being a prevalent threat. SMEs often lack comprehensive security measures and have become prime targets as they digitalize.

The diversity of cybersecurity incidents and their associated risks– including fraud, data misuse, transparency deficits, and a lack of resilience mechanisms – have a direct, negative impact on inclusive finance efforts, affecting both financial institutions and consumers. Findings from the Global COVID-19 FinTech Market Rapid Assessment Study indicate a rapid escalation in the perception of cyber risks across surveyed financial products which erodes trust, an already scarce feature of financial services. Data breaches are taking longer to identify and contain, and are only likely to increase with AI-powered attacks. Furthermore, low digital literacy among users leads malicious actors to take advantage of consumers. Rural DFS users have been systematically targeted through deceptive calls and messages, coercing fund transfers for false overpayments. In Kenya, the rise of mobile banking has significantly increased the number of fraudulent actors and cyber criminals since 2016.

These increased attacks on lower socioeconomic groups living in rural areas are largely due to two factors:

The lack of affordable, secure hardware and software places lower socioeconomic groups at heightened risk; and
Cybercriminals have capitalized on the confusion that often surrounds regulations related to cybersecurity specifically and digital services more broadly.

This second issue is exemplified by incidents in Ghana where public unawareness of tax collection mechanisms facilitated fraudulent account information collection. These cyberattacks, beyond the immediate financial repercussions, erode trust in financial institutions and the expanding digital economy. Moreover, attacks targeting vulnerable communities ripple through the interconnected financial system, posing a systemic risk.

What Is Needed to Fight Cyber Threats in DFS

The evolving DFS landscape calls for a proactive and multi-faceted approach to strengthen cybersecurity and protect users from evolving cyber threats. To date, several initiatives and strategies have emerged to address these challenges. In Africa, USAID and the Federal Trade Commission are collaborating to bolster an enabling environment for consumer protection in the African digital economy. Though its primary focus lies beyond cybersecurity, the effort aims to reinforce regulations and capacity building for authorities. Additionally, CGAP launched the DFS Consumer Protection Laboratory which works on cooperative approaches to combat DFS fraud and champion a more consumer-centric approach.

Consumer protection by design involves thinking of consumer protection at the time of designing products and services, and not as an afterthought.

However, more work is needed to safeguard people from cyber harms that risk excluding them from the benefits of the digital economy. Adopting a human-centric approach to cybersecurity could help address the issues of the most vulnerable. Consumer protection by design, an approach championed by CFI, akin to privacy by design and secure by design, involves thinking of consumer protection at the time of designing products and services, and not as an afterthought. This means taking proactive measures to safeguard users’ financial well-being in an increasingly digitalized financial landscape, and collaborating with multiple stakeholders- regulators, product and service designers and funders to develop protection-by-design principles that can be integrated into the design of financial systems.

One example of this type of collaboration is the CyberPeace Builder’s Program which fosters cooperation and addresses cybersecurity issues in digital finance. This collaborative approach, underscored by the involvement of NGOs like Bridges to Development which aligns charitable investments with cybersecurity goals, signifies a collective stride toward bolstering cyber resilience and fostering a secure digital financial landscape for all users.

Conclusion

Human-centric approaches have long been touted as a path to build greater customer centricity when designing financial services. However, their use in the field of cybersecurity is relatively nascent. The increasing complexity of digital financial services and the pace driving inclusion demands a collaborative, human-centered approach to address growing risks. We need collective action to address the risks that will emerge as we traverse this digital frontier – the responsibility lies on all of us to ensure the outcomes of responsible digital finance.

Authors

Edoardo Totolo

Vice President, Research and Programs

Edoardo joined CFI in 2022 as Vice President of Research and Programs, where he oversees CFI’s thought leadership in the thematic areas of financial consumer protection, responsible data practices, and green inclusive finance.

Prior to joining CFI, Edoardo worked for IFC’s venture capital team in Washington, D.C., where he promoted enabling environments and investment opportunities in embedded finance, startup ecosystems, and the digital economy. He also worked for the World Bank’s global financial inclusion unit, assisting regulators in leveraging data and developing strategies for financial inclusion and consumer protection. Between 2012 and 2018, Edoardo worked in Kenya as Research Economist for Financial Sector Deepening Kenya, a multi-donor program supporting the development of inclusive financial markets. He led flagship nationally representative surveys and provided fintech companies with advanced analytical tools for consumer insights and segmentation.

Edoardo holds a PhD in development economics from the University of Trento and an MSc in international development studies from the University of Amsterdam.

Francesca Bosco

Chief Strategy and Partnerships Officer, CyberPeace Institute

Francesca has an International Law and Human Rights background and 15+ years’ experience working for international organizations (United Nations and World Economic Forum) on action-oriented research, capacity building, and technical assistance in international justice, crime, and security. She has developed her expertise in countering and preventing cybercrime and misuse of technology, focusing on opportunities, risks, and threats created by new technologies (like AI, Web3, etc) specifically on vulnerable communities, like humanitarian and development NGOs. She has long-standing expertise in leading programs to foster cybersecurity and increase cyber resilience via cyber capacity building. At the Institute, she is leading the strategic engagement in programs and initiatives leveraging multistakeholder cooperation (with civil society, academia, corporates, philanthropy, and public institutions) to strengthen cyber resilience and secure digital transformation as an enabler to achieve the Agenda 2030 and SDGs goals.