MENA Fintech Association

Boardroom Session on Payments Security

Outcomes, Recommendations & Actions

On July 5, 2024, the MENA FinTech Association convened a Payments Boardroom on the topic of Payments Security. This was part of the Association’s Payments Working Group. Senior leaders from FIs, FinTechs, and venture gathered to discuss the critical topics of transaction security, anti-fraud, and cybersecurity (attendee list at the end of this document).

Context

The MENA region has been a pioneer in the adoption of payments security protocols, evidenced by the early adoption of 3D Secure, as well as the creation of government bodies (e.g., UAE Cyber Security Council).

However, as is the case globally, payments in the region face unprecedented threats on both transaction security and cybersecurity fronts. This has been exacerbated by the rise in AI tools and increased sophistication of bad actors. The region is expected to increase its spending on security and risk management (SRM) to $3.3 billion in 2024, reflecting a 12.1% increase from the previous year (TRENDS Mena).

Specific Ecosystem Challenges
  1. People remain the weakest link:
    • Despite massive investments and efforts towards customer education, individuals are still prone to falling for scams and sharing sensitive data.
    • For example, in a Visa study, 56% of respondents expressed confidence in being able to recognize fraud; however, in practice, only 10% could.
    • This trend is equally true for digital native generations such as GenZ; they are likely to fall prey, often because of their expectations of speed and confidence online.
    • Fraudsters have honed and premiumized their attacks, knowing which segments yield more.
  2. Still not considered a shared responsibility
    • There is no clear/proactive ownership and accountability in the industry when it comes to fraud and payment security. As a result, there is no strong, unified effort to combat these threats.
    • A classic example is that when fraud does occur, there is often blame-shifting between the multiple enablers in the transaction cycle.

 

  3. Bad actors have access to cutting-edge tools and collaboration techniques
    • Given the increasing democratization of technology, fraudsters and scammers are able to deploy these tools for criminal purposes.
    • One of these technologies is generative AI, which aids criminals in creating highly convincing fraud messages and deep fakes.
    • Bad actors are also known to collaborate globally. A classic example is a bad actor providing ‘ransomware as a service’ for other fraudsters.

  4. Increasing overlap between Cybersecurity and Fraud
    • The industry is seeing a disturbing convergence between these threat vectors.
    • For example, a cyber attack yields personal and payment information, which is followed by an attack on the card and transaction infrastructure to misuse these cards, for example with merchants.


Suggested Industry Initiatives
  1. Increased Ecosystem Dialog and Collaboration
    • The mindset needs to evolve away from liability rules to shared ownership of the solution.
    • Some industry associations have already begun to create regular meetings of Chief Information Security Officers to address threats facing the industry.
    • Action: The MENA FinTech Association will increase the frequency of hosting Boardroom and similar industry events on payments security.

  2. Education of Younger FinTechs
    • It is observed that early-stage FinTechs often tend to deprioritize payment security. This can hobble them in the later stages, as their infrastructure may be deemed insufficient to work with a large FI.
    • Early-stage FinTechs should be educated to view payments security not only as critical infrastructure but also as a competitive advantage.
    • Action: The MENA FinTech Association will partner with specialized players to create an education program for younger FinTechs.

  3. Stringent Requirements for Chief Security Officers
    • Participants commended the Bank of England’s requirements for Chief Security Officers.
    • For example, BoE mandates minimum qualifications and support staff requirements for a CSO or CISO, which is audited annually.
    • While such requirements increase the overheads, especially for smaller bank startups, they represent a sound investment in critical security infrastructure for the industry overall.

  4. Increased Public-Private Partnership on Threat Management
    • It is encouraging to see some public-private partnerships in the region such as Cyber Fusion Centers that allow real-time action by multiple parties.

Attendees

  • Akshay Chopra: 237 Ventures, MENA FinTech Association
  • Imane Adel: PayMob, MENA FinTech Association
  • Nameer Khan: Fils, MENA FinTech Association
  • Gaurav Dhar: Marshal FinTech, MENA FinTech Association
  • Charles Lobo, Visa
  • Pati Murtazalieva, Sumsub
  • Ani Sane, TerraPay
  • Sailesh Malhotra, Geidea
  • Ronit Ghose, Citibank, MENA FinTech Association
  • Fernando Plaza, ADIB

APPENDIX

Sumsub’s Identity Fraud Report 2023
