Non-banks' Access to Singapore ePayments a Security Concern?
Experts Discuss the Security Challenges of Real-time Fund Transfer
Security concerns have been raised over non-bank financial institutions' (NFIs') transactions after the Monetary Authority of Singapore (MAS) allowed them direct access to Singapore's Fast and Secure Transfers (FAST) and PayNow systems to move funds in real time. Critics question whether NFIs' security infrastructure and compliance practices are up to scratch to secure those transactions.
Direct connection to FAST, the electronic funds transfer service, and to PayNow, an overlay central addressing service, will enable users of NFI e-wallets to make real-time funds transfers between bank accounts and e-wallets, as well as across different e-wallets.
Currently, users cannot transfer funds between e-wallets, most of which require a debit or credit card to top up funds.
However, security leaders have raised concerns over the ability of these NFIs to secure real-time fund transfers, saying most lack adequate security, authentication and risk management capabilities.
Singapore-based Gautam Aggarwal, senior vice president and regional CTO, Asia Pacific, at Mastercard, says, "Most e-wallet players have put their security layers, including biometric log-in and one-time password as the second-factor authentication, which is not sufficient for FAST. They are also prone to fraud, and there are challenges with API integration."
E-Payment Access for Real-time Fund Transfer
According to MAS, businesses that partner with any of the 23 FAST or nine PayNow banks, or with the participating e-wallets, will soon be able to receive real-time payments from users of other e-wallets or mobile banking applications joining FAST or PayNow; e-wallets have traditionally been closed-loop ecosystems. From February 2021, the expansion of direct access to the payment platforms will enable businesses to receive real-time e-payments from a broader consumer segment.
Ravi Menon, managing director of MAS, said, "Direct access by NFIs to FAST and PayNow closes the last-mile gap in Singapore's e-payments journey. Consumers who may not have ready access to debit or credit cards to fund their e-wallets will now have the option to do so directly through their bank accounts."
To plug this gap, a new application programming interface (API) payment gateway has been developed under guidelines from the Singapore Clearing House Association and the Association of Banks in Singapore (ABS), which govern FAST and PayNow, respectively. The API is designed to better fit the technology architecture of banks and non-bank financial institutions, according to the industry regulator, MAS.
Lawrence Chan, chairman of Banking Computer Services Pte Ltd (BCS), said, "BCS has worked closely with the financial industry to spearhead large-scale, national payment projects that have enhanced the industry's service offerings in Singapore, and the introduction of the API payment gateway is a significant milestone for FAST and PayNow, which are the foundations of instantaneous, open and accessible payments."
Mrs. Ong Ai-Boon, director of ABS, said, "This is the first time the industry has opened access to these two important e-payment platforms to non-banks. FAST and PayNow adoption rates have exceeded expectations, and we are confident that the addition of new players will help accelerate the national path towards a less-cash economy."
Singapore-based Tom Wills, a security consultant for the banking industry, says, "Non-banks participating in Singapore's fast payments schemes will be licensed under the Payment Services Act of 2019, and this is subject to meeting the compliance requirement of having an adequate risk governance framework in place with risk mitigation plans."
Challenges in Compliance
Andrew Koh, regional CISO and deputy general manager at Habib Bank, says the e-wallet companies will need to align their security measures with the providers of FAST and PayNow. They are now struggling to comply with payment security regulatory norms and find it hard to deploy adequate resources to step up security.
Wills says the big challenge for non-banking institutions in integrating with FAST or PayNow is: "These players, having more of a technology pedigree than a financial service one, may not have started with the strong risk management and compliance culture that banks naturally have."
In those cases, the firm will have to build robust security and risk management controls into its business processes and technology stack. This tends to be quite costly when applied retroactively, Wills notes.
NFIs could face hurdles in securing their APIs, which need continuous upgrades and a robust security architecture. Wills says the connecting banks will not certify the NFIs unless they are on par in their security governance framework, and the NFIs will also be subject to audits.
Aggarwal says that when a bundled experience needs to touch multiple APIs, it is a challenge to allow a secure handshake between multiple API calls without creating friction in the user experience.
The new API was developed by a group of industry players, comprising banks and non-bank financial institutions, including Citi Singapore, Deutsche Bank AG Singapore, Standard Chartered Singapore, Grab Financial Group, Liquid Group, Razer Fintech and Singtel Dash.
Some interoperability issues with FAST and PayNow might arise for these players. However, Aggarwal says, "FAST and PayNow are open rails, so there is no real interoperability needed, as long as they use the FAST acceptance mark. The challenge is if a wallet such as Grab wants to use its QR code to push a FAST payment, it does not happen in one step. The way to achieve that is to preload your wallet using FAST or cards and then use the wallet's acceptance channel, and this will call for the use of multi-factor authentication or tokenization."
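The two-step flow Aggarwal describes (top up the wallet over the rail, then pay through the wallet's own closed-loop channel), with the tokenization and multi-factor authentication he mentions, can be modelled end to end. The following is an added illustration written for this page; it is not code from the article, from any FAST or PayNow API, or from any of the firms named above. The rail-side gateway (`RailStub`), its payload fields, the `tok_` token format and the secrets are all assumptions. What it shows beyond the quote: the wallet holds only an opaque token for the funding source, the top-up call is gated by a TOTP step-up factor (RFC 6238), and each rail request is HMAC-signed over a canonical encoding and carries a nonce so the gateway rejects both tampered and replayed calls, while the later payment step never touches the rail at all.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time


class TokenVault:
    """Maps opaque tokens to funding-source references (hypothetical vault).

    The wallet stores only the token; the bank account or card reference
    lives here, so a wallet-side leak exposes tokens, not accounts.
    """

    def __init__(self):
        self._by_token = {}

    def tokenize(self, account_ref):
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the account
        self._by_token[token] = account_ref
        return token

    def detokenize(self, token):
        return self._by_token.get(token)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) used as the step-up factor."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(secret, code, at, step=30, window=1):
    """Accept the current step and one step either side, comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, at + d * step), code)
               for d in range(-window, window + 1))


def sign_request(api_secret, payload):
    """HMAC-SHA256 over canonical JSON, so any change to any field breaks the MAC."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(api_secret, body, hashlib.sha256).hexdigest()


class RailStub:
    """Stand-in for the rail-side API gateway; assumed, not the real FAST/PayNow API."""

    def __init__(self, api_secret, vault):
        self.api_secret = api_secret
        self.vault = vault
        self.seen_nonces = set()  # replay protection for signed requests

    def transfer(self, payload, signature):
        if not hmac.compare_digest(sign_request(self.api_secret, payload), signature):
            return "rejected: bad signature"
        if payload["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(payload["nonce"])
        if self.vault.detokenize(payload["source_token"]) is None:
            return "rejected: unknown token"
        return "ok"


class Wallet:
    """Step 1: top up over the rail (step-up MFA + signed call). Step 2: pay from balance."""

    def __init__(self, rail, api_secret, totp_secret):
        self.rail = rail
        self.api_secret = api_secret
        self.totp_secret = totp_secret
        self.balance_cents = 0

    def top_up(self, source_token, amount_cents, otp, now=None):
        now = time.time() if now is None else now
        if not verify_totp(self.totp_secret, otp, now):
            return "rejected: step-up auth failed"  # no rail call without the second factor
        payload = {"source_token": source_token, "amount_cents": amount_cents,
                   "nonce": secrets.token_hex(8), "ts": int(now)}
        result = self.rail.transfer(payload, sign_request(self.api_secret, payload))
        if result == "ok":
            self.balance_cents += amount_cents
        return result

    def pay(self, merchant, amount_cents):
        """Closed-loop acceptance channel: a balance debit, no rail involvement."""
        if amount_cents > self.balance_cents:
            return "rejected: insufficient funds"
        self.balance_cents -= amount_cents
        return f"ok: paid {merchant} {amount_cents}"
```

The TOTP routine reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59, six digits gives `287082`), which is a cheap check that a home-grown implementation is not silently wrong. In a real deployment the nonce set would be bounded by the timestamp window and the API secret would be a per-participant credential issued by the gateway operator; both are left simple here.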
Security Requirements for NFIs
To connect to the FAST and PayNow services, NFIs need a security and risk management structure with a robust authentication mechanism, security leaders say.
To enable secure real-time fund transfers, the NFIs and e-wallet companies have to pay special attention to user authentication, data loss protection, and threat prevention and detection capabilities. Additionally, they are subject to anti-money laundering, counter-terrorism financing and know-your-customer requirements, says Wills.
Koh recommends that these firms carry out a risk assessment and threat modelling of their infrastructure ... and opt for a subscription-based services model to choose the right technology or solutions to build a secure transaction platform.