E-PAYMENT REVIEW
Vol. 09. No. 02 June 2019
BUILDING DIGITAL TRUST
In an increasingly data-driven world, business has to take necessary steps to manage digital risks
INTERVIEW Niyi Ajao, Executive Director Business Development, Nigeria Inter-Bank Settlement System Plc
STARTUP NATION Segun Akano, Managing Director, Upperlink
INTERVIEW Gbenga Adams, Head, Digital Innovation and Fintech at Sterling Bank
1 /E-PAYMENT REVIEW/ JUNE 2019
EPAYMENTREVIEW.COM
E-PAYMENT REVIEW Vol. 09 No. 02 | Jun 2019
Published By the E-Payment Providers Association Of Nigeria (E-PPAN)
EDITORIAL
Brown N. Ugbaja Editor
Lucy Akokotu Assistant Editor
E-PPAN MANAGEMENT
Onajite Regha Executive Secretary/CEO
Lucy Akokotu E-Payment Review Manager
Joy Obaji Administration & Membership
TRUSTEES
Adedotun Sulaiman Chairman, Financial Reporting Council of Nigeria
Tunde Lemo Chairman, Federal Emergency Road Maintenance Agency (FERMA)
Demola Aladekomo Chairman, SmartCity Resorts Plc & Director, Chams Plc
Senator Ayo Arise Chairman, Fortunes Games
Kyari Abba Bukar Chairman, SUNU Assurances Nigeria
GOVERNING BOARD
Macaulay Atasie Managing Director, Nextzon Business Services
Mitchell Elegbe Managing Director, Interswitch Transnational Holdings
Premier Oiwoh Managing Director, NIBSS Plc
Kofo Akinkugbe Managing Director SecureID
Bob Nwojo Head, Card Business, First Bank of Nigeria
Onajite Regha Executive Secretary/CEO, E-PPAN
Stanley Jacob Chairman, Committee of e-Banking Industry Heads (CeBIH)
Gbenga Haastrup Group Legal Counsel, Interswitch
Agada Apochi Managing Director Unified Payments Services
ALTERNATE BOARD Niyi Ajao Deputy Managing Director, NIBSS Plc
Ochanya Dan-Ugo Chief Risk Officer Unified Payments Services
Chukwuma Ezirim Head, E-Business and Retail Products First Bank of Nigeria
Eme Godwin Head, Legal, Etranzact
Bami Akinlade Head, Information Technology, SecureID
In This Issue: June 2019
4 | To Our Readers
10 Questions
6 | Lola Ekugo, Head, Digital Innovation Lab, First Bank
Talking Points
9 | Emefiele's second term as CBN Governor
10 | KuBitX pace with blockchain, Palmpay wallet launch, NSE gets digital platform, numbers
11 | AFDB's financial inclusion drive, Jiji buys OLX, CWG service model, West Africa's Tier 4 data centre, appointments
Interview
12 | Olayinka Oni on Sterling Bank's innovative mindset
Roundtable
26 | Cybersecurity culture at work
NeFF Insight
28 | Balancing security controls with customer experience
29 | NeFF news
Access Code
30 | The rise of malicious apps, in short, Kenya's new currency, world's most secure phone
31 | Threat level, fraud by numbers, Web Payment Security Interest Group
Digital Commerce
32 | Jumia goes public, online shopping rising, DHL eshop, EMVCO new logo, datasets, mobile commerce growing
Product Profile
33 | Sterling Bank's Doubble, fast investment portal
NIBSS Fraud Report
34 | Q1 2019 fraud benchmarks
Trends & Tactics
39 | Luxury payment bracelet, by the numbers, self-checkout shopping cart, Apple payment card
40 | Automation and jobs, Belfast currency, Germany and cash, Visa API, Mexico payment system, Facebook crypto
41 | Consequences of a cashless society, Number of ATMs worldwide set to decline, NFC tags ready for the mainstream
The Gimlet Eye
42 | Building a digital banking business
Cover: Dimensions of digital security
14 | A look at how tech firms handle personal data, what informs data protection and the demand for trust-building strategies in data-driven financial services
9 Questions: Data privacy assessment
18 | Emeka Okoye on data protection risks and digital identity for user verification and authentication in digital channels
Interview: Balancing risk and innovation
22 | As risk incidents increase, Wale Obadare throws some light on the guarantor mechanisms for building trust in a digital economy and how his company, Digital Encode, thwarts malicious actors
A view of the Securex West Africa Conference and Exhibition organised and executed by Afrocet Montgomery in Lagos in April. The two-day event had 129 cybersecurity delegates in attendance.
SECUREXWESTAFRICA
COVER: Data Privacy or Data Protection? Posted by Penny Quirk. Courtesy of teamrg.com.
E-PAYMENT REVIEW (ISSN: 2360-9818) is published every quarter by the E-Payment Providers Association of Nigeria, 1 Rachael Nwangwu Close, Lekki Phase 1, Lagos. © Vol. 09 No. 02. June 2019. All rights reserved. The opinions expressed do not necessarily reflect E-PPAN’s policy. E-PPAN accepts no responsibility for views expressed by contributors. Printed in Nigeria.
To Our Readers
MICROSOFT / TOM GROENFELDT - FORBES
The trust quotient
HERE IS ONE THING THAT EVERYBODY IN TECH AGREES ON: THE world of digital payment is filled with insecurities that impact engagement and trust. The same qualities that make payment services so appealing to consumers also expose them to significant risks—risks that consumers should be made to take seriously and which both service providers and regulators should do more to mitigate. But is the average consumer of payment services aware of these risks? Maybe. There is no gauge to know how much they know. What is incontrovertible, however, is that there is a consciousness of caution. Because banks have warned people so often to keep their PINs safe and never share that information with anyone, consumers of banking services have begun to see green snakes under the green grass of payment.
Digital payment systems were sold to people with the promise that they will reduce the insecurities associated with cash. That is why consumers make the tradeoff — personal data for convenience. But data in the age of the internet has become very valuable. That is because it makes it easier for businesses to identify their consumers, to track their banking habits, monitor their purchases, and easily share information about new products and services. But the thing is, these practices have somewhat made that tradeoff a source of constant anxiety for consumers. People trade their data without comprehending the reality of greater information collection in digital transactions and the associated privacy and security risks.
Data has become a major priority for businesses of all sizes. For example, all the service providers in the payments ecosystem – networks, banks and other participants – collect personally-identifiable information from consumers. They are not the only ones. Due to the rapid development of information technology, device ubiquity and social media, consumers are influenced to offer their information every day, causing a global surge in data buildup. Maintaining the confidentiality of that data has proven very challenging not only because data storage facilities, despite technologically advanced protections, lack immunity from intrusions by hackers but because of identified bad data practices by businesses. From a privacy perspective, these bad practices include excessive data collection, sharing, storage, and use; and unchecked data brokerage. From a security perspective, they include the use of weak encryption, poor technical controls and cyber intelligence.
Technology companies, banks and other digital services providers deserve every credit for creating easy-to-use applications that belie their underlying technological and financial sophistication. But that simplicity smooths over more than just technical wizardry. It hides a thicket of overlapping and uncoordinated consumer protections and privacy practices. The bad data practices within this thicket negatively impact consumers in the way of identity theft and financial loss. We need to address these issues by introducing a new trust equation into the way we use data to power business today. This will assuage consumer agitations about the tradeoff, which has come into question because of people's sensitivity to emerging privacy issues.
That is why this edition of E-Payment Review takes a look at the prevailing concerns about data protection and data privacy. It is our view that Nigeria needs a conceptual framework for providing a comfort level for consumers so they can use digital products in a tranquil frame of mind. We call on the government to build a deconstructive model of trustworthiness that would be the cornerstone of modern business data practices. The European Union’s General Data Protection Regulation (GDPR) should serve as a prototype for creating an intelligent data privacy legislation that does many things: disqualifies technologies that fall short of the principle of ‘privacy by design,’ vests consumers with enforceable rights, employs the highest standards for securing data and creates an expertise-driven market regulator. And the time to do it is now. We understand that consumers can do a lot to protect themselves, but we urge immediate action on the part of policymakers and service providers. Feel free to let us know your thoughts on this issue. Thank you.
BROWN N. UGBAJA, Editor
BOOSTING TECH IN AFRICA L-R: Stuart Symington, United States Ambassador to Nigeria; Akin Banuso, Country Manager, Microsoft Nigeria & Ghana; Alex Kipman, Technical Fellow, AI & Mixed Reality, Microsoft; Babajide Sanwo-Olu, Lagos State Governor and Phil Spencer, EVP Gaming, Microsoft at the launch of the Africa Development Centre in Lagos through which the global tech company will spend $100 million in five years to increase its presence on the continent.
“IF YOU ARE RESISTANT TO CHANGE AS A BANKER IN AN EVOLVING ECOSYSTEM LIKE NIGERIA’S, WE NEED TO START HELPING YOU LOOK FOR A JOB OUTSIDE BANKING.” Brett King, CEO of Moven, in a keynote at the Africa Fintech Foundry Disrupt Conference in May where he emphasized the importance of technology to banking.
20,354,513,050
Ordinary shares that MTN Nigeria offered on the Nigeria Stock Exchange in May through a “listing by introduction,” making it the second largest company on the bourse. Unlike an initial public offering (IPO), MTN Nigeria will not raise new funding as it only listed already existing shares.
$10,000
Amount that e-commerce giant, Amazon offered to cover in startup costs (plus three months salary) for its employees who quit their jobs to start a business delivering packages for the company. More than 200 such businesses have been created since the programme was launched last year.
POWER UP YOUR MAG! SEND US AN EMAIL
editor@e-ppan.org
If you've got a comment about our stories or an important issue regarding payment simply contact us.
ADVERTISING
advertising@e-ppan.org 01 3426493, 0802 220 3534, 0703 974 1808
For advert rates and participating in special sections
E-mails should include the writer's full name, address, e-mail and phone number and may be edited for purposes of clarity and space.
11 QUESTIONS
Lola Aworanti Ekugo, Head of the Digital Innovation Lab at FirstBank, on the value of AI to banking, why innovation labs would yield tech fruits for the future and the possessions she can't do without
LOLA EKUGO

SO FIRST, CAN YOU EXPLAIN a little bit about yourself and what you do at FirstBank?
I started my career as a software engineer over 13 years ago and I have worked with financial services companies in Europe and Africa including BNP Paribas and Commerzbank. I have also worked in the startup scene with a focus on helping solve critical problems using innovative technologies. Currently, I am part of FirstBank’s digital transformation journey and my work involves stimulating innovation in the bank’s digital product engine and pioneering a new wave of faster, better and more efficient digital products for FirstBank customers.

Labs are all the rage now, why do you think that is?
Labs essentially create a medium for innovation. In the past two years, the number of innovation labs and hubs in Nigeria has doubled. Generally, innovation labs serve as focal points for ideation, innovation and intra/entrepreneurship. The changing demands and expectations of today’s consumers, and the rise of nimble startups and big techs have led to increased competition in the marketplace. These factors have played a part in the recent growth of innovation labs. Larger organizations are more deliberate about fostering environments to co-create, experiment and innovate with agility. This trend has also impacted funding from investors in the past two years. Over $1.2 billion was raised by African tech startups in 2018, the highest so far raised in years.

Could you describe some examples of the kind of problems you and your team are solving?
The FirstBank Digital Innovation Lab is tasked with championing innovation for the bank in the development of better, faster and more efficient digital products and processes and creating new digital experiences while leveraging emerging technologies like artificial intelligence, distributed ledger technology and big data. The focus is on our customers and we are building products and services to solve real life problems and offer more convenient ways to bank.

What makes artificial intelligence the most exciting technology today? Which other technologies are you keenly following?
Artificial Intelligence stands out as a transformational technology of our digital age. It is potentially a game-changer in most industries today. The efficient utilization of AI across the financial services value chain can help unlock new revenue streams, reduce cost, raise productivity and increase strategic insights. AI will enable companies, large and small, to significantly improve customer experience and provide access to new products and services like credit allocation and optimize costs savings from contact centres. Other technologies we are keenly following at the lab are blockchain, robotic process automation, biometrics, big data, IOT among others.

In 10 years, what do you think will be the next big innovation that people might be laughing at today?
I don’t believe people are laughing at anything today. In fact, I think people are more optimistic about the future of technology and are closely following the trend of disruptive innovations happening around the world. This can be seen in the level of funding and research in areas like driverless cars, blockchain, AI and IOT. We are seeing broad adoption of these technologies. I believe there are still more areas to be unlocked with these new technologies.

What is your view on the long-term impact of AI on the banking and payment industry?
Banks, globally, are already utilizing AI across the banking value chain to unlock new revenue streams, reduce cost and increase productivity. AI has already made a global impact with the emergence of conversational chatbots for customer services. It is being used for enhancing security, customer profiling, risk management and fraud detection. AI will be among the impactful technologies in the banking and payment industry in the next 5 - 10 years. However, the advancement and maturity of the technological ecosystem in terms of infrastructure and skills will play a major role in the adoption of AI and the speed of transformation in Africa.

How can financial institutions understand their customers better, and become a part of their customers’ lives?
Today’s generation, the digital natives, are growing up surrounded by digital interaction. Their perception of the world and the products and services that make the world has evolved. Hence, financial institutions must reimagine banking in itself, integrate the needs of the customers with their digital lives and cater to these customers by embracing such ideals as convenience, interactive UI/UX, social media awareness, mobile adaptability and lifestyle relevance.

What are some of the goals you and your team have over the coming year or so?
Basically, we are reimagining banking and hope to create innovative solutions for our customers' lifestyle and convenience.

Whenever you are not doing research in your lab, what are you interested in?
I am a proponent of building a strong technology ecosystem in Nigeria, so I keenly engage in activities around the STEM agenda.

Can you name three of your strengths and weaknesses?
Well, these could be highlighted as strengths or weaknesses depending on the view, but I have a tendency to lean towards orderliness, perfectionism, and attention to detail.

If you could only keep five possessions, what would they be?
Let me make it more interesting, if I only have minutes to choose in no particular order I will pick my phone and charger; flats because I like to be comfortable; hand sanitizer; my wedding ring and my international passport.
TWITTER. -- TECHNOVATION
Talking Points
APPOINTMENT
Emefiele gets another five-year tenure as CBN Governor
He is the first central bank head to be re-appointed since the end of military rule two decades ago
IN EARLY MAY, PRESIDENT MUHAMMADU Buhari offered a second five-year tenure to Godwin Emefiele as the governor of the Central Bank of Nigeria (CBN), and the Senate speedily confirmed him. The appointment made Emefiele the first person to maintain leadership of the apex bank after one term since 1999. During his confirmation hearing, the Senate said Emefiele performed creditably in his first term by stabilizing the naira, setting up multiple exchange rates to the benefit of different sectors of the economy, with a discounted rate for investors and exporters, and implementing low-interest loan programmes to fund agriculture and manufacturing. In a reading of the tea leaves for clues to Buhari’s mindset in keeping the CBN governor at the head of the monetary authority, many analysts believe Emefiele’s reappointment is a nod to policy continuity on the same course as in his first tenure.
When he assumed office in 2014, Emefiele faced the challenge of fixing Nigeria’s fiscal conditions emblemized by the austerity measures systematically adopted by President Goodluck Jonathan especially at the twilight of his administration due to declining crude oil receipts. The sharp and sustained oil price declines which continued from 2015 through 2017 eventually nudged the country into a recession. To pull Nigeria out, Emefiele introduced monetary policies and fiscal interventions that course-corrected Nigeria’s reaction to plummeting oil prices, spiraling inflation, sharp decline in forex inflows and exchange rate pressures. When the exchange rate went haywire (it was $1-N520 in 2017), Emefiele stabilized it at N360 to the dollar in the open market and it has remained so for two years now. He also renewed the accumulation in the nation’s foreign exchange reserves from $23 billion in October 2016 to nearly $48 billion in June 2018. Under his guidance, the country has seen its import bill drop from $665 million to $160 million. Meanwhile, CBN’s large-scale financing of agriculture through the Anchor Borrowers’ Programme has disbursed hundreds of billions in loans to farmers in a determined effort to make the country a modern bread basket for Africa.
In the area of financial services oversight, Emefiele’s first term saw regulations that were carefully crafted to balance fiscal discipline and growth. The results have manifested in increased profits in the banking industry, significant reduction in bad loans, softening in financing constraints and massive expansion in banking services with financial inclusion rates reaching nearly 64 per cent in 2018, up from only 32 per cent in 2012. Earlier in the year, the successful merger of Access Bank and Diamond Bank led to the formation of arguably the largest banking group in Nigeria and Africa by number of customers. The resulting entity, which is still Access Bank, now has a presence in three continents and 12 countries with 29 million customers, 3,100 ATMs and nearly 32,000 PoS terminals.
As far as digital payment is concerned, Emefiele’s leadership encouraged more brazen actions to further the incorporation of technology in banking. It set a target to achieve 80% financial inclusion rate by 2020 and introduced strategies to make it possible. It created SANEF (the Shared Agent Network Expansion Facility) alongside banks and the Nigeria Inter-Bank Settlement System to create 500,000 access points in rural parts of Nigeria to on-board 40 million low income and unserved Nigerians into the financial system. Last year, the CBN unveiled plans to open up the country’s financial services sector by allowing telcos, retail chains, post offices, fintech companies and financial holding companies to operate payment service banks to help expand access to financial products and services. With all this, the tea leaves will not only reveal continuity, they will show progress.
TWITTER -- LEE-ROY CHETTY
DEAL ON BUS E-CARDS: Akeem Lawal, Divisional CEO, Interswitch Group; Jeremy Hunt, British Foreign Minister and Jack Dangoor, CEO, Bekoz UK Ltd, a UK transport ticketing company at the signing of a N26billion partnership agreement in Abuja. The deal will involve using technology – the BeCard, the BeVal and the BeReader - developed by Bekoz to enhance transportation ticketing in Nigeria.
PalmPay to launch mobile wallet app
PALMPAY AND VISA plan to launch a mobile wallet app in Ghana, Nigeria, and Tanzania for making and accepting payments. To use it, Visa cardholders will need to attach their card details to a PalmPay profile while non-cardholders will have to generate a virtual Visa card by registering on the app.
NSE adds digital payment platform
A NEW PLATFORM HAS been created by money transfer service WorldRemit that enables Nigerian SMEs to pay employees and contractors in 140 countries. It will be available to UK registered businesses and will show WorldRemit’s low fees and exchange rates up-front.
BLOCKCHAIN
KuBitX, Interswitch pave Nigeria's path to crypto with stablecoins
DIGITAL CURRENCY TRADING platform KuBitX is issuing NGNX, the first stablecoin that is pegged to the naira. It is supported by Africa's payment megalith, Interswitch, can be used for payments or transfers, and could clear the way for the adoption of blockchain-based financial products that are not currently practical. Stablecoins are cryptocurrencies that are becoming popular in the digital-currency market because they are designed to overcome the wild price volatility that has rendered bitcoin and others impractical both for commerce and payments. Stablecoin prices are often pegged at a one-to-one ratio to a stable asset such as the naira. KuBitX's co-founder and CEO, Eric Annon, said the launch was part of the company's plans to build a digital assets marketplace for Africans and investors. He explained that Nigerians can use NGNX to pay for goods and services at over 3000 merchant locations or to transfer money outside the country.
Another upside to the stablecoin, according to Annon, is that it could help dispel the misconceptions about blockchain and power it to gain mainstream appeal in Africa. Also, partnering with a trusted company will help blockchain to go mainstream, Annon added. He said Interswitch has pioneered and succeeded with e-payments and KuBitX will leverage Interswitch's fiat gateway to make financial services more accessible to more people in Africa. "We need this solution more than any other continent. We have more in terms of infrastructure, economic empowerment and social impacts. So to us, mainstream adoption of all blockchain-based services can't be complete if we don't make the formal financial institutions a part of the future," Annon said. Founded in 2017, KuBitX describes itself as a “hybrid digital asset exchange” that leverages distributed ledger technology to facilitate payments throughout Africa and abroad.
NUMBERS
N34.02 trillion Electronic payment transactions in Nigeria in the first quarter of 2019, according to data from the National Bureau of Statistics.
231,441
POS terminals issued by banks in the first four months of 2019, according to the Nigeria Inter-Bank Settlement System (NIBSS).
138,060
Total number of registered .ng domains as of April 29, according to the National Information Technology Development Agency.
65.2%
Growth in the number of active fintech ventures operating in Africa in the last two years, as shown in a Disrupt Africa report.
INTEGRATION AND DEVELOPMENT
African Development Bank steps up digital financial inclusion drive
THE AFRICAN DEVELOPMENT BANK (AFDB) and its partners have launched the Africa Digital Financial Inclusion (ADFI) facility, designed to aid expansion of digital financial transactions and ensure that at least 320 million more Africans, of which nearly 60% are women, have access to digital financial services. The fund will deploy $100 million in grants and $300 million in the form of debt from the bank’s ordinary capital resources by 2030, to scale up electronic financial services for low-income communities. “We believe that with the right investments in innovation and smart digital growth, the obstacles to achieving financial inclusion and greater economic opportunity for all will be overcome,” said AfDB president Akinwunmi Adesina. The initiative is aligned to four pillars: infrastructure, including digital and interoperable payment systems; digital products and innovation; policy and regulatory reform and harmonisation; and capacity building. It will help to close the continent's transaction gender gap between men and women.
The new fund, launched at the bank’s annual meetings in Malabo, Equatorial Guinea, has the Bill & Melinda Gates Foundation, the Agence Française de Développement (AFD) and the Government of Luxembourg, as initial contributors. The grant will create an interoperable digital payment system for consumers to send and receive money between mobile wallets, and from these wallets to other digital and bank accounts. “With ADFI, we are convinced that our joint efforts can contribute efficiently to bring down the barriers that still undermine the full potential of digital finance in Africa," said Sébastien Minot, AFD’s deputy head for Africa. “It will enhance the delivery of quality and responsible digital financial services to the underserved, a cornerstone to inclusive and sustainable financial systems.” The ADFI will work with banks and non-bank financial institutions, mobile network operators, remittance and payment service providers, fintech companies, government ministries, regulatory bodies as well as regional economic organizations.
STOCK MARKET
INTERNATIONALBANKER / ZENITH BANK/ MC.TODAY
Jiji acquires OLX to pave way for big Africa classifieds business
TECHNOLOGY COMPANY GENESIS, KNOWN for a variety of Internet projects, has bought OLX for its Jiji marketplace. The acquisition means OLX users in Nigeria, Ghana, Kenya, Tanzania, and Uganda will be redirected to Jiji, giving the company access to 300 million people across five markets. This is something of a coup for a company originally from Ukraine, pulling off an acquisition in one of the world’s last huge, relatively untapped regions. Vladimir Mnogoletniy, co-founder of Jiji, said the partnership is pivotal to his company's future and success, as it paves the way for building the continent’s largest classified business. Jiji has more than six million unique active users and 50,000 professional sellers listing more than one million items. OLX’s reach and Jiji’s own proprietary search and delivery algorithms will create a beneficial combination that would streamline consumer experience. The deal was valued at $1.5 million to $3.4 million and was backed by one of Jiji’s major investors, Digital Spring Ventures.
TRACKER
CWG, banks seal shared networks of ATMs deal
CWG Plc has sealed a partnership deal with the United Bank of Africa, Unity Bank and Rolez Microfinance Bank on the company's ATM-as-a-Service concept, a forward-looking business solution designed to help banks maximize efficiency and embrace innovation in their ATM estate. With this managed-service option, banks will benefit from a complete ATM solution - encompassing hardware, software, maintenance and managed services - at reduced operational cost. CWG has partnered with biometrics innovator GRG-ATM to drive the concept.
APPOINTMENTS
OIWOH APPOINTED CHIEF EXECUTIVE OFFICER OF NIBSS
Premier Oiwoh has taken over as the CEO of the Nigeria Inter-Bank Settlement System (NIBSS). He replaces Ade Shonubi who took up a new role as deputy governor, Operations Directorate at the Central Bank of Nigeria. With over 25 years' experience in banking, Premier has previously worked as the executive director, operations and technology at Keystone Bank. His expertise cuts across business process assurance and reengineering, e-banking business, business process automation, information security management, and digital solutions.
Medallion, others build Tier IV data centre
Medallion Communications, AIG, Etix Everywhere and Ngoya will deliver West Africa's first Uptime Institute certified Tier IV data centre in the third quarter of this year. The advanced multi-tenant facility, located in Ghana, is primed to meet growing demand for network connectivity in the sub-region. Ikechukwu Nnamani, Medallion's CEO, said the facility will enable localization of content, promote regional connectivity, enhance security of data, and generate employment in the sub-region.
ZENITH BANK APPOINTS NEW CEO
Consistent with its tradition and succession strategy of choosing its leaders from within, Zenith Bank Plc appointed Ebenezer Onyeagwu as the Group Managing Director/CEO with effect from June 1, 2019. He was previously one of two deputy managing directors of the bank and brings many years of management experience in the financial sector to his new position. Ebenezer joined Zenith Bank in 2002 as a senior manager in the internal control and audit group and has served in various posts and capacities.
Interview
Customer experience is central to Sterling's digital strategy
Digital transformation must put the customer first, says Olayinka Oni, CIO of Sterling Bank, on creating digital change and the impact of blockchain innovation
BY LUCY AKOKOTU
GBENGA ADAMS
IN JANUARY, STERLING BANK LAUNCHED a new logo. Tell us more it and what it represents. Our logo represents the rising sun. It represents the beginning of a new journey for us. It speaks to the vibrancy and aspiration that we have in terms of the direction we are going and the way we want the Sterling Bank brand to be perceived. Basically, it means the new things you will start to see soon from Sterling Bank. Product innovation has always played an important role in banking. What new products/services has Sterling Bank launched recently in other to become more responsive to customers’ needs? As a bank that places priority on our customers, it is important our products resonate with the user experience. This means our products would either solve customer problems or redefine customer experience. In line with our brand refresh, we revisited our strategy and identified three important things that would be the bank’s core pillars going forward. The first is specialization, this means that we will focus on five critical sectors of the economy: health, education, agriculture, renewable energy and transportation. Our philosophy or mantra is to seek to enrich lives, and we chose these sectors because they have a social impact beyond economic gains. The intention for us is to build specialization in these sectors so if anybody wants to do anything around them, their first point of call will be Sterling Bank. The other two pillars of our strategy are agility and digitization. Agility means that we are able to constantly innovate and as we do that we will leverage on digitization. Agility and digitization fuel the specialization in these sectors that we have identified. The products we put in the market speak of our intention to deepen our customers digital experience. 
Before now, anyone who desires to buy treasury bills will have to go into a bank and speak with an individual but today, you can invest in government bonds or treasury bills by doing it on your own with a product like Sterling Bank’s I-invest app. You do not require a third party when investing in these instruments. I-invest is basically disrupting that space and we will continue to extend such opportunities to several other investment instruments. In the transportation space, we also have a product called FarePay, which was designed to change the commuting experience of those riding on the BRT bus. You don’t need to carry cash or argue about having change to ride on the bus. You can just ‘tap and go’ to pay your fare and the beauty of it is that users do not have to be Sterling Bank customers.
Our new payment solution, called OnePay, personalizes the customer’s mobile banking experience. We approached it from a customer experience standpoint and tailored it to each individual’s preference. For example, I may have a passion for football, so my scheme will reflect my passion for football and other things that are of interest to me while yours may be in fashion. We have also launched a product to digitize the experience in agriculture and we are doing the same in education. These are the types of offerings that we have put out in the market to digitalize the sectors I mentioned earlier and there are more to come in the months ahead.
Last year, Sterling launched a blockchain-based commodity trading and financing platform for efficient commodities exchange. How is this technology addressing some of the agricultural challenges prevalent in Africa?
The agriculture value chain in Nigeria shares particular challenges. It’s either difficulty in accessing credit or the deficiency of logistics to get farm products to market. Sterling’s platform addresses the commodity trading space. It is not targeted at farmers but rather the middlemen who purchase farm produce in large quantities. From research, we found that the distribution process wasn’t adequately structured. For instance, one situation involves businessmen who aggregate and buy from different small farmers then take the product to off-takers like the manufacturing companies who require such produce as raw material. Ideally, everyone involved in the process wants to be sure that the produce exists in adequate quantity to meet the needs of the market. If they are using a warehouse, a paper certificate will typically be issued and often the aggregators may require some financing to buy and stock the produce. We want to lend to the middlemen but we need to confirm that the produce exists in the warehouse and this is where our platform comes in. It works to remove ambiguity.
The uniqueness of blockchain is that you can have a contract, in this case, a digital certificate instead of a paper certificate. Everyone involved in the process sees this digital certificate and knows it can be trusted and validated. Since the process is transparent, the bank is more willing to lend. Beyond making the process more transparent, we are also injecting liquidity by lending to these middlemen which helps to grow the economy.
In what other areas can financial service providers leverage on blockchain technology to make payments ubiquitous especially for those in the rural communities?
Ultimately, what blockchain tries to do is take away too many middlemen in the process. Consider a switching platform as a middleman, in that the role it plays facilitates a service for which it charges a fee. A typical example is SWIFT where you can transfer foreign exchange between banks and people use it to move money and trade all over the world. Taking away such a party from the process makes it cheaper than it would ideally have been. People are innovating around payment schemes using blockchain and I believe this will make financial transactions cheaper which in turn supports financial inclusion. It doesn’t mean the last mile of usage for them will be any sophisticated technology; they can still interact through SMS, short codes, etc., but the backend infrastructure will be enabled by blockchain. Outside the country, blockchain is used to build applications to make rural banking possible because the cost is cheaper as against paying a proprietary license for a core banking software. Other use cases of blockchain include ‘know your customer’, which the industry is trying to solve by making it more trustworthy; and collateral management, which is a common challenge in financial services, where a customer takes a loan from bank A and another loan from bank B using the same collateral. With blockchain, it is impossible to pledge the same collateral for more than one bank. This means that banks may be more willing to lend to some sectors they haven’t been lending to because of collateral management. The same applies to using stock as collateral or other schemes that can be used for trading, although a lot of it is still being reviewed by regulators.
How has innovation changed customers’ experience with Sterling Bank?
The way we think about it internally is through the number of those adopting our platforms.
Prior to now, the majority of our customers would rather visit a branch to initiate transactions but we have noticed a strong shift towards customers using our various channels and a significant increase in transaction counts. Similarly, our customers’ monthly feedback and ratings powered by our Net Promoter Score (NPS) system give us insights on what is important to our customers and how our channels are meeting their needs.
Given your experience in the industry, what do you think will improve the security of digital payments?
More than anything else, the bigger push must be on user education and awareness. Customers need to know that their personal banking information is meant to be kept private and should not be shared. If we can increase awareness on what they are up against, then it will be a major win for the industry. Another thing to explore is biometric identity, which though is not fool-proof because there are inherent risks at the point of collecting the data since it is still dependent on humans. However, it is still stronger than passwords. I believe two-factor authentication based on biometrics will be very important. The other thing is the use of technology - artificial intelligence in particular - to strengthen the fight against fraud or security risks since the technology can predict or detect a threat. Human beings may not be able to quickly catch on when there is an anomaly as opposed to when using technology. For instance, a customer makes a transaction in Lagos and within seconds, another transaction from the same customer originates from Jos; that clearly can’t be normal, but with technology, we will be able to detect that abnormality. Those are ways we can begin to leverage technology to address the issue of security.
Looking at the Nigeria payment system, in your opinion, what have we done right and what other areas need improvement?
We have come a long way; even our infrastructural penetration has matured a lot from where we were several years ago. Regulation has also contributed immensely. Policies like the Payment Service Banks (PSBs) and SANEF (Shared Agency Network Expansion Facility) have made banks step up. SANEF is a direct response to improve our payment system through agency banking network because there is a need to serve people within the core structures most banks are unable to meet. The SANEF structure should help us rapidly increase the agency network which will make it easy to go deeper into the rural areas. We also have government schemes that banks are partnering with, like the Bank of Industry, the Vice President’s
office and other initiatives. We need to deepen penetration to the rural areas and more efforts like the ones I mentioned are now being focused around that. In time, I think the story will be different in the bankable size within the economy and the number of people we have reached.
How do you expect the banking industry will change over the next five years? How will people bank in the future?
I think the word “bank” would almost become foreign to customers. I think they will be focused more on life outcomes and within these life outcomes, they will do financial or banking transactions. As a bank, we want to be in the life outcomes of people which is the reason we don’t truly think of ourselves as a bank anymore but as a technology company offering financial services because ultimately, we want to focus on deploying financial solutions to solve life problems or issues. People won’t think about a bank as a building but will go about their life activities and along the way carry out financial transactions. We will see something like an invisible bank.
If you had the power to solve one problem each in the industry and Nigeria, what would it be and why?
If I had a magic wand I will solve the problem of identity. Yes, we have BVN but it is not inclusive enough and as such it’s a barrier and the reason why some people are not banked today. I will like to use my wand to solve the identity problem, so it will bring more people into the ecosystem. For Nigeria, if I were to solve one problem it will be power. If we can get power right, we would have solved a lot of our problems. We think the solution to the issue of power is renewable energy. People are not interested in buying assets tied to generating power, they only want to consume power like they use their airtime. The solution we are working on here at Sterling Bank is one that will make customers use power as a service.
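The Lagos-then-Jos anomaly mentioned in the interview's answer on payment security is usually called an impossible-travel check. The sketch below is an added example, not Sterling Bank's code: the Txn record, the speed and distance thresholds and the sample transactions are all assumptions constructed for illustration.

```python
"""Impossible-travel check over customer transactions (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Txn:
    # Hypothetical record layout; assumes the channel has already resolved
    # the terminal or device to coordinates.
    customer_id: str
    when: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(txns, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive transactions of one customer that imply a travel
    speed above max_speed_kmh (roughly airliner speed, an assumed cut-off).

    Pairs closer than min_distance_km are skipped so that two terminals in
    the same city, or noisy geolocation, do not raise alerts.
    """
    by_customer = defaultdict(list)
    for t in txns:
        by_customer[t.customer_id].append(t)

    alerts = []
    for customer_id, items in by_customer.items():
        items.sort(key=lambda t: t.when)  # feeds can arrive out of order
        for prev, cur in zip(items, items[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < min_distance_km:
                continue
            seconds = (cur.when - prev.when).total_seconds()
            # Identical timestamps far apart are treated as infinite speed.
            speed = float("inf") if seconds == 0 else dist / (seconds / 3600.0)
            if speed > max_speed_kmh:
                alerts.append({
                    "customer_id": customer_id,
                    "from_city": prev.city,
                    "to_city": cur.city,
                    "distance_km": round(dist, 1),
                    "seconds_apart": int(seconds),
                })
    return alerts


# Constructed sample data (not real customers or transactions).
SAMPLE_TXNS = [
    # Listed out of order on purpose: Jos arrives in the feed before Lagos.
    Txn("C001", datetime(2019, 6, 3, 10, 0, 20), "Jos", 9.8965, 8.8583),
    Txn("C001", datetime(2019, 6, 3, 10, 0, 0), "Lagos", 6.5244, 3.3792),
    # Lagos to Abuja two hours apart: plausible by air, not flagged.
    Txn("C002", datetime(2019, 6, 3, 9, 0, 0), "Lagos", 6.5244, 3.3792),
    Txn("C002", datetime(2019, 6, 3, 11, 0, 0), "Abuja", 9.0765, 7.3986),
    # Same second, two parts of Lagos: under the distance floor, not flagged.
    Txn("C003", datetime(2019, 6, 3, 12, 0, 0), "Lagos (Ikeja)", 6.6018, 3.3515),
    Txn("C003", datetime(2019, 6, 3, 12, 0, 0), "Lagos (Lekki)", 6.4698, 3.5852),
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_TXNS):
        print(alert)
```

In production the alert would normally feed a step-up authentication or a hold on the second transaction rather than an outright block, since card-not-present and VPN traffic can produce misleading locations.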
Data Privacy & Data Protection
Interpreting How Security Consumes Data Mind Share
Security and privacy are not interchangeable, so understanding the difference lies in looking at their different streams together to see what may influence something else
BY BROWN N. UGBAJA
Last year, when GDPR went into effect, Europe raised the stakes in the conversation about data, how it is kept, used and safeguarded. GDPR, better known as the General Data Protection Regulation, is a European Union (EU)-wide statute that requires businesses that deal with the data of EU citizens, specifically banks, insurance companies, and other financial companies, to protect the personal data and privacy of citizens for transactions that occur within the EU space. The law replaced sets of disparate legislation regarding privacy in different EU member countries.
Currently, GDPR dominates the discussion about data privacy because in its present form, it is very detailed and more precise in certain areas, and takes into account the challenges in the rapidly evolving digital ecosystem today and the privacy risks that data subjects (individuals) face. At 68 pages and comprised of 99 articles, it sets out the rights of individuals and obligations placed on businesses that are subject to the regulation. Fundamentally, GDPR is very demanding due to its detailed transparency requirements. Any company, as well as any other body that processes personal data, is also to a large extent required to document the processing, ensure the lawfulness of processing, document the existence of sufficient procedures, provide information on security measures and ensure that sufficient data processing agreements are in place. It improves the protection of European data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights.
By the same token, the law’s provisions impose certain responsibilities on businesses outside the EU that have dealings or transactions involving EU citizens. They are required to ensure that any personal data exported outside the EU is protected and regulated. In other words, if any EU resident makes an online purchase from companies in Africa, America or Asia, those African, American or Asian businesses are still required to comply with GDPR because of the European data involved. Such broadening of liability forced the issue into the global digital space where the dialogue is overwhelmed by business people’s annoyance with tech regulation and, to a degree, large-scale misapprehension of the vicissitudes of data.
BROUGHT TO ACCOUNT: Facebook’s chief executive, Mark Zuckerberg, faced the US Congress and answered questions on privacy, data mining, regulations and Cambridge Analytica during the course of a marathon five-hour hearing. “There’s a very common misconception that we sell data to advertisers. We do not sell data to advertisers,” he said. “What we allow is for advertisers to tell us who they want to reach, and then we do the placement … That’s a very fundamental part of how our model works and something that is often misunderstood.”
Data security and bad actors
At its core, digital technology has been a potent force for disruption because it has allowed modern man to really achieve great things. Digital technology is now just a part of life. From facilitating communication at the speed of light to online shopping and easy banking to helping medical personnel cure diseases that appeared incurable just decades ago to simplifying government services to even humanizing machines, digital technology plays a central role in everything. But it has also given firepower to different kinds of bad actors. State-sponsored entities rely on it to keep tabs on their country’s citizens using the pretext of fighting terrorism while authoritarian regimes are responding to challenges to their power with such reactive measures as filtering online content, monitoring Internet traffic, communications and behaviour and tracking (even killing) opponents.
Digital technology also changed crime and unleashed new forms of criminality. It has allowed individuals to commit criminal acts anonymously. Hence the term cybercrime, which implies actions carried out using electronic devices connected to the Internet to cause harm to others. The slate of crimes in this category is numerous and diverse. Examples include hacking, identity theft, sophisticated banking/card fraud, sexual harassment, cyberbullying and even child sexual exploitation. Some trends are clear. Using the internet, especially the dark web, pedophiles and child molesters can order and watch online abuses of poor children including to their own specifications. Fraud is no longer about a smooth talker trying to gain access to
private information, but often about somebody thousands of miles away hacking into wherever your personal information is kept and taking it. In recent years, the world has witnessed many high-profile cyber-attacks where companies are caught in a cycle of data breaches, leakages and theft. Such attacks have grown rapidly because cybercrime has evolved into an entire economy rife with professionalization and filled with parallels to legitimate businesses. The economics of cybercrime is powered by human beings, motives, resources, and processes that are so much like those of any other enterprise in an economy. At the very core it is absolutely a business and its business model is designed to make money. It is driven by profit. It pays well. Cybercriminals continuously innovate, sell products, and even offer customer service.
Just like in any other industry, the cybercrime ecosystem depends on the services of skilled individuals. According to 2016 research by the cybersecurity firm Digital Shadows, which examined cybercrime recruitment, the business looks for a broad range of characteristics in potential candidates. Requirements include specific skills (SQL injection, denial-of-service attacks) and a facility with certain programming languages (Perl, Python, C). There are also more basic requirements. “You must speak English fluently; bad grammar can be tolerated to a certain extent,” read one ad posting cited by Digital Shadows. Even with good education, many
players in the cybercrime economy still engage in further edification especially in the areas of new programming languages, attack vectors, and everything else. Another interesting aspect of the cybercrime economy is that it is stratified, with large operations functioning almost as multinational corporations and smaller operations mirroring small businesses. And the return on investment (ROI) is astonishing: Large cybercrime operations can make profits totaling over $1 billion a year while smaller operations tend to make between less than a million. When their earnings are put together, what emerges is that cybercriminals have built a “Web of Profit.” Research done by Dr. Michael McGuire, Senior Lecturer in Criminology at the University of Surrey in England, on cybercrime found the industry’s profitability to be in excess of $1.5 trillion. Breaking down that figure reveals why data truly has value and why cybercriminals are after it.
Data is the new currency of modern business. Due to the growth of the internet, smartphones and social media, there has been a surge in digital data creation. Much of that data includes customers’ demographic and psychographic information, what they share online or view or listen to. It consists of their web activity figures, bank transaction numbers, shopping and payment details, and even medical records. More broadly, data includes people’s personal files and companies’ proprietary information or trade secrets
that they wish to keep confidential and hidden from people outside, which could be anything from a recipe, to a specific formula, a product design or a future plan. All this information makes up what the International Data Corporation (IDC), a Chinese IT intelligence service, called the collective sum of the world’s data, which stood at 33 zettabytes last year. To place that volume of data in more practical terms, a zettabyte hard drive can store more than 34 trillion three-minute songs. According to Cisco, that is the equivalent of about 250 billion DVDs. Because data is a precious commodity, cybercriminals want access to all that information. In fact, they succeed to an extent. In 2017, they managed to compromise over two billion data records and breached more than 4.5 billion records in the first half of 2018. These are the figures that were reported.
The cybercrime value chain has components which involve penetration, that is, theft of credentials (aka data breach); brokering, where stolen credentials are sorted and tested to confirm their value; and carding, which is when criminals take over accounts to obtain actual goods or take control of bank accounts, or any other thing that can be converted to cash. The penetration part is what companies are always trying to build defenses against. It involves activities carried out against computers or devices directly to damage or disable them, or the use of computers or networks to spread illegal information, images or other materials. The many different types of activity also include ransomware attacks, identity theft, email, internet and identity fraud, as well as attempts to steal financial or payment card information. Cybercriminals often carry out their activities using malware and other types of software, but social engineering is often an important component for executing most types of cybercrime.
They target organizations that store people's personal information, like schools, banks or card companies, by hacking into their networks. This is the modus operandi of cybercrime syndicates and generally, organizations (governments and businesses) have found a way to build resilient fortifications against these cyberattacks. The methods they deploy involve employee education, use of firewalls, encryption and intrusion detection solutions, limiting the amount of information a system provides, use of two-factor authentication, mediated cooperation among themselves and, most recently, the use of artificial intelligence. This is the essence of data protection. But while none of these defenses is infallible, in the main they have held up against the onslaught of cyberattacks.
Consequently, because overcoming sophisticated defenses costs more money and reduces profit margins, cybercriminals look for targets that require little time and energy over those that are difficult to crack. They prefer to break into people’s devices or they use social engineering, a tactic of expending lies and manipulation to trick people into revealing their personal information. Common attack vectors are related to unsafe browsing and phishing. They send emails with links to fake websites or attachments that contain malware. In some instances, they pretend to be a network or account administrator and ask for the victim's password to perform maintenance, or claim that the victim has won a prize but must give their card information in order to receive it. These tactics work because of human fallibility.
The vicissitudes of data
The natural element of running businesses in a digital era is that in all occasions, the product/service providers involved have to process customers’/users’ data. These are facts and information, which form comprehensive composites of actual users of each product or service – their needs, wants, desires and other behaviours. Thus, every piece of customer data has become very valuable. Through thoughtful analysis of the meaningful data it collects, a business can better define which aspects of its customers’ behaviour are most significant to its business. It can make educated hypotheses
about customers’ prospects and analyze better ways to engage them so as to sell more goods and services to more people. Due to device ubiquity and improved internet access, the nature of customer-business interaction now involves engagement with a brand on the phone, browsing its website, clicking on emails or sharing its social media content. All this can be done without the customer ever visiting the brand’s brick-and-mortar location. To be able to do this, the customer has to leave a bit of information about himself here and there – his social media profile, email, phone numbers and a whole lot more including favourite food and colour. All that a business would have to do is to unite all this information in one easily accessible place. That is how customer profiles are built. It is the consolidation of all the data a business collects about its individual customers in a single place. Naturally, each person has his or her own customer profile, based on his or her unique characteristics and interactions with the business. These profiles help the business to cultivate a deep understanding of its users, engage with them in meaningful ways, and better serve their needs. Unfortunately, harvesting of data has not always been within the lanes of ethical business conduct. Big technology companies known for their ability to service a wider segment of the global population due to their infrastructural capabilities and who in turn collect humongous amounts of user data have found a way to deploy, use and incentivize other parties to use such data in a way that exploits users or exposes them to targeting by advertisers, state security agencies and malicious elements. Many examples of this practice exist but for this magazine, a few examples will suffice here. 
Bad behaviour
In 2018, social media giant Facebook came under intense media criticism and political scrutiny in Europe and around the world after it was exposed for business practices that involve the misuse of people's personal data. The social network had allowed developers to create apps on its platform that were used to harvest the data of millions of users and the data was used to influence the Brexit and Trump campaigns. Cambridge Analytica, a former political consulting firm (it has since shut down) and prominent party in the scandal, was allowed by Facebook to harvest the raw data of up to 87 million Facebook profiles. The data was used to influence Donald Trump's success in the 2016 United States elections and the outcome of the Brexit referendum in Britain. Facebook and Cambridge Analytica blamed Aleksandr Kogan, a Moldovan-born data scientist, who developed a quiz app used to harvest the data. But in his response during a UK parliamentary enquiry, Kogan, who worked as a research associate at the University of Cambridge, exposed how a loophole in Facebook API allowed him to collect data from friends of the quiz takers as well. "In fact, the platform's tools provide companies a far more effective pathway to target people based on their personalities than using scores from users from our work," he said.
That would not be the extent of Facebook’s digital malfeasance. In fact, the company is facing a slew of lawsuits and regulatory inquiries over privacy issues, including a US Federal Trade Commission (FTC) investigation into the Cambridge Analytica scandal. Early this year, New York’s governor, Andrew Cuomo, asked two government agencies to investigate Facebook after the Wall Street Journal, a newspaper not known to be a bastion of liberal sentiments, published a story about how the network was accessing far more personal information than previously known from smartphone users, including health and other sensitive data.
The paper exposed Facebook’s method of collecting personal information from other apps on users’ smartphones including sensitive user data such as weight, blood pressure and ovulation status. The report said Facebook even accesses
data in some cases when the user is not signed into Facebook or does not have a Facebook account. Weeks before the Facebook story, New York initiated an investigation into Apple for the phone maker’s failure to warn users about a FaceTime bug that had let iPhone users listen to conversations of people they called before they accepted a video call.
Facebook and Apple are not the only culprits. Last September, a coalition of privacy activists and browser-makers accused Google and the advertising technology industry of “a massive and ongoing data breach that affects virtually every user on the web.” The complaints were that the search company was broadcasting people’s personal data to dozens of companies without proper security. Evidence released by the activists showed that people’s ethnicity, disabilities, sexual orientation and information considered sensitive were filtrated to advertisers by Google using a technique called behavioural advertising. This basically means that they track you around the web and build a profile based on what you look at. When you then visit a webpage that runs behavioural ads, there’s often an automated auction with the winner getting to show you an ad that supposedly matches your profile. The system allowed companies to even target incest and abuse victims, and people with eating disorders.
METADATA: DATA DOMINATES US
33 zettabytes: Size of data created in the world in 2018 alone, according to IDC.
INTERNET IN FIGURES
5 billion: Active daily users of the Internet, according to the International Union of Communications (ITU)
Sent every 60 seconds: 188 million emails; 41.6 million messages on WhatsApp; 41 million music streaming subscriptions and 18.1 million text messages.
It sounds like a bad joke
In each of these scandals, the companies found a way to absolve
themselves of blame. They regularly invoked how their operational guidelines prohibited such acts. For instance, Mark Zuckerberg, Facebook founder and CEO, in a response to the Cambridge Analytica indignity, wrote: “The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there’s more to do, and we need to step up and do it.” But ex-Facebook employees repudiated that statement. They said that there was always tension between the security team and the legal/policy team in terms of how they prioritize user protection in their decision-making. What’s more, the report of the UK parliamentary enquiry accused Facebook of operating a business model that was predicated on selling abusive access to people’s data. That model is the use of personal data to further Facebook’s business interests, such as providing access to users’ data to developers and advertisers in order to increase revenue and usage of its own platform.
In a belated defense after being caught with its hand in the cookie jar, Google said it has “strict policies that prohibit advertisers on our platforms from targeting individuals on the basis of sensitive categories such as race, sexual orientation, health conditions, pregnancy status, etc.” It said that if it found ads on its platforms that were violating such policies, it would take immediate action. Truth is that action is only coming from governments of different countries including the US Congress, which is beginning to moot the idea of breaking up the big tech companies. The extent of political concern is forcing officials to take extraordinary measures. Take New York for example: the state's financial services department did not traditionally supervise social media companies directly but that has changed in light of the scandals.
It has waded into digital privacy in the financial sector and could have oversight of some app providers that send user data to Facebook. Meanwhile, Facebook is facing fines of up to $5 billion by the FTC for the Cambridge Analytica incident. The UK hit Facebook with a maximum £500,000 fine over the issue. While the fines are a drop in the ocean for a company with a market cap range thought to be roughly $468 billion, government responses in many countries are being retuned to have more bite. The GDPR imposes a fine of four percent of a company’s global turnover in such situations. Facebook escaped this penance because investigation into
9 QUESTIONS
Emeka Okoye, CEO and Chief Architect at Cymantiks Nigeria, on digital payment and how the ecosystem has changed the way we think about data privacy and protection
1. Could you please share with our readers a little bit about your professional background and tell us how you started working in the area of digital technology?
I learnt computer programming in my second year of undergraduate studies in geology and on graduation, I got a job as a programmer/analyst. At Soft Solutions, one of the organizations where I worked, I was exposed to different levels of computerization and automation in different sectors of the Nigerian economy. I also embraced the Internet from the onset in the mid-90s. I made sure to understand the underlying technologies as well as the principles. All this knowledge is still relevant. I quit that organization to co-found Nigeria's earliest startup, ngex.com, and also built the first internet banking software. I designed the first ecommerce project in Nigeria for Xerox and worked with global database company, OpenLink Software, as country manager for Africa. I now have Cymantiks, a company dedicated to data, artificial intelligence (AI) and semantic technology. We help organizations navigate this fourth industrial revolution in analytics, cognitive computing, Internet of Things. Our clients are spread all over Africa.
2. What does data protection mean to you and why is data privacy important?
In a nutshell, data protection is about securing data against unauthorized access and it is essentially a technical issue. There lies the crux of the matter: we traditionally associate “unauthorised” with criminal activity (e.g. a data breach) while that of “authorised” access involves sharing data with an “authorised” third party. This third party is usually decided by the organization (aka a data controller) holding the data. Data privacy is about authorized access — who has it and who defines it — and it is a legal issue. Concerns about data privacy arise wherever personal information is collected, stored, or used, and the data subject is not in control of such activities.
3. What are some of the nuances of data protection and data privacy that are either getting lost or getting pushed down with all of the other noise?
Basically, personal data may be shared with a third party in a way that is authorised by a company. While this might be perfectly acceptable for satisfying data protection purposes, it may be unacceptable under data privacy principles, as said third party may not have been authorised by the individual who has the data, who may object to the processing activities his data is used for. Data privacy is about what people who have collected your data lawfully can and should do with it and what control you have over that retention and use of data.
4. What are some of the risks associated with digital identities and how can payment companies mitigate those risks to ensure consumer trust?
A seamless and secure method for accurately identifying people served via digital channels is fundamental to payments, commerce and finance in our present-day digital economy. But attaining that in a world with rising sophisticated digital attacks; hackers exploiting weak identity systems awash with stolen identity data, can be daunting and challenging for even the most sophisticated service providers. As the financial sector continues transforming some core banking functions, including loans, alternative lines of credit and more, criminals are leveraging stolen identity data to hijack accounts, apply for fraudulent loans, and make illegal purchases thereby wreaking financial and reputational havoc on the system. This is why digital identity is fundamental for fintechs and other financial institutions. Identification is still a problem because it is still mostly physical and passwords don’t solve the identity question. Today, a transaction that requires identification—whether for a payment or a loan—means either collecting physical proof over a digital channel (such as a driver’s license) or relying on the know-your-customer (KYC) processes of established financial institutions. Identification is important because it’s at the centre of digital payment. Institutions need it to comply with regulations, assess risk for insurance and credit, and provide a tailored customer experience. Detail and accuracy are critical. Digital identity promises to improve these while removing inefficiencies from processes that are largely manual today. In a digital identity system, “identity” is a set of digital records that represents a user. These records are held in a standard format by entities that provide the identity information or assurance needed to complete transactions. A digital identity also accepts and integrates new records to create a rich view of the user. A system like this makes it easier to collect and share supporting documentation. Thanks to cutting-edge authentication and security protocols, a digital identity system also makes it harder to damage, lose, steal or tamper with identification records. Finally, digital identities offer banks and many others a better way to know and serve their customers. By providing the full context for accurate trust decisions at each step in the customer journey, these technologies can help maintain and even enhance the customer experience while boosting security.
5. Traditionally, fraud management, security and authentication activities in organizations have operated in siloes. How can governments, banks, telcos and tech companies come together in a united ecosystem to tackle issues around data privacy and protection? What models and approaches do you see around the world?
These activities (fraud management, security and authentication) need to happen under the following: enabling data protection and data privacy laws, open data initiative while solutions in the ecosystem should be able to de-couple identity, identification, authentication, authorization and storage.
6. How well protected are private user data? Could you offer some advice on how to protect user data?
Most user data are kept in a data controller's servers or environment, protected with a (hashed) password. Ideally, users' data should be kept in servers that they own or have control over so that they can determine who can have access (read or write). They can also determine the security mechanism, authentication methods required to protect their data.
7. How do you see Nigeria’s regulatory environment regarding data protection and privacy? Do you think that we need stronger data protection laws in the country?
Nigeria does not have a data culture, which means that we lack experience and expertise in data protection. However, Nigeria is about to make a law modeled after Europe's General Data Protection Regulation (GDPR). So I believe we are starting on a right note and over time we can improve the law where it falls short.
8. Is there a security skills gap right now? Should companies invest more in security training?
Yes, there is a security skills gap. We have not taken security seriously probably because we have entrusted cloud systems with our data and security. We need to invest in capacity development in that area while organizations need to invest heavily in security departments.
9. What is the single most important data protection issue you would like to see solved in the next five years?
I will like to see data owners have full control of their data and no entity should be able to use, sell or manipulate that data without permission or authorization from the owners. I want a situation where doing otherwise would be legally termed a crime.
Cover
PRESIDENT BUHARI REJECTED A BILL SEEKING TO PROTECT THE RIGHTS OF INTERNET USERS In a veto message to the last National Assembly he said the bill covered "too many technical subjects" yet failed "to address any of them extensively."
its activities began in May 2017 long before the introduction of GDPR.
Data privacy consciousness
Data privacy and data protection are very closely interconnected, so much so that users often think of them as synonymous. But the dissimilarities between them are fundamental to our understanding of how each works and how they complement each other. As explained by Emeka Okoye, CEO of Cymantiks (see interview on page 18), data protection pertains to how data is secured against unauthorized access. It is, essentially, a technical issue. Data privacy, on the other hand, concerns authorized access but relates to who has that access. What's important to note in this comparison is that businesses cannot ensure data privacy unless the personal data is protected by technology. If personal data can be stolen, its privacy is not guaranteed, which puts companies at risk for identity theft and other security breaches. But the opposite relationship is not always true: personal data can be protected while still not being reliably private. How? When you use USSD or enter your card information on an e-commerce website, you are doing two things. One, you are trusting the company and payment system with your personal data protection — to make sure, among other things, that cybercriminals and other third parties do not access information. Two, you are also trusting them to respect your privacy by not misusing the information you provided to them.
These are not mere individual wishes or preferences; the laws and regulations governing the payment system demand trust from entities managing the information of data subjects. Chief among them is the code of ethics of the Open Web Application Security Project (OWASP), which calls on security specialists to "maintain appropriate confidentiality of proprietary or otherwise sensitive information encountered in the course of professional activities." OWASP is an international community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. To put the idea of digital trust into proper perspective, let us exit the virtual world for a moment and draw a real world analogy. In their lives, people have things that are valuable to them: phones, electronics, certificates, jewelry and important documents. The loss of any of these possessions usually devastates their owners. So people find a way to try to keep them safe. This is what applies to data. Since the beginning of time, information has always been very useful but that depends on what that information is and who holds it or who wants it. But in this digital era, information has become valuable. That is because tech purveyors assigned a dollar value to data. In the past, the forms people filled to obtain government services would become wrapping paper at an akara seller's joint. But the digital equivalent cannot be applied to such purposes. The reason is not because they are not palpable. No. It is because digital data is deemed
reliable due to its characteristics as defined by database experts - accuracy, completeness, consistency, uniqueness, and timeliness. The information that customers provide to businesses is presumed to be accurate and that is why they have been assigned a value, which means they need to be safeguarded. So how do we mitigate the risks that threaten the safety and security of data such that it remains safe and available only to authorised users? One way is to identify the distinction between protecting our privacy and ensuring our data is secure. Making data secure involves applying protective measures to prevent unauthorized access; to keep the bad actors out and save data from corruption. Such measures are analogous to the multiple ways by which we make a house safe and secure. At the minimum, many houses have doors with locks and keys; they are fenced in some cases with razor wires or spikes and fitted with a metal gate. If someone tries to assail the fence to get into a compound, he could be confronted by dogs or armed security men. The whole point of these layers of security is to deter unauthorized access. Still there are people who can get in. This could be relations, artisans and law enforcement agents. Each group’s access depends on specific situations. It is not a free-for-all. Privacy allows a homeowner to give access based on each group’s role, and it helps him or her make sure that they only see what they are allowed to see. Relations can have keys, which symbolize approval to come. Even without a key, they can have free rein of the house when they are inside.
Conversely, law enforcement and artisans do not have such freedom. If I hire a plumber, I can ensure he only accesses the bathroom or kitchen and shoo him out after his work is done. But if for a reason the police have to come to my house, I can only grant them access if they have a search warrant and they are only allowed access relative to the terms of the legal request. Legally, I cannot prevent them from getting in, but I do have the ability to authorize their presence. In other words, I want to be the one to let the police in; I don’t want them breaking down the door. I want to control when and how they gain entry into my house, supervise their access, and let them back out after they are done. If for some reason they need to return, I also want to be the one to open the door for them again. It is the same with our data. Data privacy means keeping our data safe from misuse by authorized users. This means that if anyone wants my stored data, I want them to come to me. I do not want the Nigeria Inter-Bank Settlement System (NIBSS) or my bank just handing it over to them. This is the spirit behind GDPR. It requires clear consent from a data subject and justification before his data can be obtained by anybody. This includes personally identifiable information, Web-based and biometric data, political opinions and sexual orientation. Further, GDPR offers major rights. First among them is approval. Organizations need your consent to store and process your personal data. They must ask for it in an easily accessible way, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Two is the right of erasure, or the right to be forgotten. If you do not want your data out there, then you have the right to request for its removal or erasure. Third, the right of portability. When it comes to "opt-in/opt-out" clauses, the notice to users must be very clear and precise as to its terms. The fourth right involves breach notification.
Clients must be alerted when and if an organization suffers a data breach. Fifth is the right to access, which means that you can inquire from an organization if it is processing your personal data. That organization must also provide a copy of your data, free of charge, if you ask for it. Then there is privacy by design, which means that businesses can only process data that is absolutely required for the fulfilment of their service to you, and must restrict access to your personal data to those who need to carry out the processing.
Solving for data privacy and protection in Nigeria
In late March, President Muhammadu Buhari rejected the Digital Rights and Freedom Bill, which was enacted by the last National Assembly to protect Internet users in Nigeria from infringement of their fundamental freedoms and to guarantee the rights for people accessing digital platforms. The president held that the bill “covers too many technical subjects and fails to address any of them extensively.” The move shocked businesses and activists who had pushed for its passage. Some called Buhari’s withholding of assent a mistake. Boye Adegoke, a digital rights activist, told Pulse that the decision was strange as the provisions and contents were clear enough. “The cost of rejecting the bill on the citizens mean a continued breach of data privacy, violation of
human rights and a not too clearly defined legal framework for the judiciary to act on digital liberty cases in the country,” he said. The rejected bill would have boosted efforts to enforce comprehensive data safety laws and strengthen online privacy rights of Nigerians. There are legitimate concerns about how personally identifiable information is gathered in the country, stored, or used. In truth, data collection is not coordinated and there cannot be privacy where data is not harmonized. Most businesses, government agencies and sector regulators collect citizens’ private data in the most haphazard manner and lack a robust data management infrastructure to handle the accumulated records. Many companies collect detailed information of visitors to their offices and repeat the process each time an individual visits these offices. That information just sits in a ledger somewhere without any clear advice about how it is used. On the government side, the same biometric and other information is collected and superintended by agencies like the Central Bank of Nigeria (CBN), Federal Road Safety Corps, Independent National Electoral Commission, Nigerian Immigration Service, Nigerian Communications Commission (NCC), National Identity Management Commission, and financial institutions. This information is reposed in their respective silos and data subjects have no control over how it is used and have no legal pathway to take action should their data be misused. And data has been misused. Sensitive data including email addresses and phone numbers of Nigerians are routinely hawked on the open Web. In a scathing 2017 blog post to push for passage of the Digital Rights and Freedom Bill, Gbenga Sesan, Executive Director of Paradigm Initiative, a Pan-African digital rights advocacy group, recalled how the information of registered voters appeared online following a data breach.
He cited other examples including how a hospital’s customer data processed by a bank was found online and how laptops were sold with telecom subscribers’ information captured during the SIM card registration process still on them. Available fraud data shows that financial institutions have not been adept at keeping themselves well-protected. The banking industry suffered N2 billion in fraud losses in 2018 and the first quarter of this year saw banks losing N1.1 billion, a 38.44 percent jump from the same time last year, according to the NIBSS Fraud Report.
The above may appear to be isolated examples but they are not. The challenge is that there is no nationally available qualitative research to paint a holistic picture of how common and pervasive the data unconsciousness is within the country. The business case for fixing the problem is usually made with disputable figures that are bandied around in conversations about data privacy and protection. What is well-known though is that data is stored and managed in siloes, and agencies and businesses are reticent about the data in their care, so nobody has a clue how safe the data is or whether they have been compromised or misused. Worst of all, there is no clear data protection law that defines how those handling data can be held accountable. As the internet boosts employment opportunities in Nigeria, there are anxieties about how the absence of laws like the GDPR would impact consumers. As more organizations store and use even more data in the course of doing business, data security should be an over-arching national-level concern; an essential part of government’s strategy to guarantee ‘the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications’ as stated in Section 37 of the Nigerian constitution. Though there is a patchwork of laws relating to data protection in Nigeria, which also make specific suggestions on principles to be considered for data privacy, the Nigerian payment industry wants a more efficient approach. The freedom of information act, the cybercrimes act, the consumer code of practice regulations issued by the NCC and the consumer protection framework issued by the CBN all score points in areas such as data sovereignty, e-government, ICT prioritization, and intellectual property protection. However, they rate low in the area of data privacy.
What the industry desires is a data protection law designed to govern the collection, use and disclosure of personal data by both the public and the private sector in a manner that recognizes both the right of individuals to protect their personal data and the need for organizations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. Nigeria is already on course to do this. On January 25, 2019, the National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation 2019. It contains notions that mirror the GDPR in key elements that include data processing principles, consent, data security, privacy policy, data subject rights, transparency and penalties. It prescribes a fine of up to 2% of a company’s annual gross revenue for any breach of the privacy rights of any data subject. NITDA issued this rule to increase consumer trust and strengthen Nigeria’s position as a trusted global data hub. But then there is still the issue of obligation. Discussing this subject in an interview with this magazine, Adewale Obadare, co-founder of security firm Digital Encode, said that the absence of laws is not the contest when it comes to data protection. He argued that what counts against every effort is implementation and compliance. Well, at least that acknowledges that something needs to be done to guarantee data privacy and protection.
COVER INTERVIEW
Trusted data is central to payment system success
Chief Operating Officer of Digital Encode Adewale Obadare on how managing data privacy and protection should be an evolving process that involves people, process, technology and leadership
Adewale Obadare is the co-founder and Chief Operating Officer (COO) of Digital Encode. A GRC thought leader, he is among the most credentialed cybersecurity experts in Africa with multiple international recognitions and professional certifications. He was recently awarded an honorary doctorate by the Trinity International University of Ambassadors, Atlanta, Georgia in the United States. In his daily work, Adewale deals with technology impact assessment in relation to data privacy, information security, penetration testing, computer forensics, business continuity, IT governance, risk management and regulatory compliance. He is an alumnus of executive education at Harvard Business School, Harvard School of Government, MIT Sloan School of Management, MIT Professional Education and Oxford University’s Said Business School. A platinum team member of the Open Source Security Testing Methodology Manual, he is active with the Risk Managers Association of Nigeria. Last year, his company received the African Leadership Award & Medal of Honor in Business and the Nigeria Tech Innovation & Telecom Award for Cybersecurity Professional of The Year. In this interview conducted via the internet, Adewale shares his views on why data privacy and data protection are very important in the digital world.
What makes data so valuable and why does data privacy matter?
Before the advent of technology, data was just a collation of raw facts which are processed into valuable information. However, from the information technology age to the current artificial intelligence era, data became the lifeline of businesses that are technologically driven. In other words, data is a valuable asset that is guided by a nature that is based on confidentiality, integrity and availability. This triad of properties defines the value of information. Today, because data has become commoditized, its true nature is that it is not handled in a trivial manner.
Data is used to predict people’s behaviour, to tailor product promotions and to predict business risks. Analysing data in these ways requires storing it in a way that is safe and protected and only available to the custodian of that data. Any breach of the stored data could lead to identity or intellectual property theft, reputational damage and could even be regarded as an art of war.
What is important to you about data protection? For example, when you use a payment app, what do you watch out for? Where do you see risks in everyday use?
Data is a transactional instrument and transactions could be either financial or non-financial, and it is guided by the attributes of confidentiality and integrity and should be made available without causing harm. When you make use of a payment app, you do not expect the custodian of your data to release to the public your personal identifiable information such as your name, address, email address, national identity number, international passport or driver’s license details, credit card numbers, date of birth, telephone number or log in details. If any business or data custodian of such information makes it public, it would be detrimental to you because as earlier mentioned, such risk exposure could lead to financial loss, reputational damage and even loss of life.
What metrics do we use to determine privacy and data security and how do we define compliance success?
Performance evaluation of data privacy and security could be based on such smart measures as average privacy duration, number of completed privacy evaluations and the number of related privacy incidents trailed by enterprise functional units, executed projects or security breaches. It would also involve mean time to respond to privacy incidents or to have a full incidents response concluded, percentage of budget allocated to privacy matters and proportion actually executed, percentage of workforce that are trained and certified as data privacy protection crusaders, number of staff trained on data privacy protection and the average cost of data privacy incidents.
From compliance perspective, success is based on level of data leadership accountability, privacy notice communication, evidence of breach notification, data processors and intercontinental conveyance compliance and security.
A PROFILE IN DIGITAL SECURITY
Obadare is a fellow of the British Computer Society, the Institute of Management Consultants, the Institute of Information Management and the Institute of Brand Management, and a Chartered Information Technology Professional. He is the First EC-Council Licensed Penetration Tester in Africa, Second COBIT 5 Certified Assessor in Africa and a Payment Card Industry Data Security Standard Qualified Security Assessor.
Do you think there’s a problem with the current state of data management policies – from hosting, to privacy, to protection? Do you think it’s time for a different approach?
If you carry out research on the level of data privacy compliance in Nigeria based on economic sectors enabled by technology, you could generalize that the level of data privacy regulatory compliance is still very low and thus could pose a great challenge. Realistically, the only thing that is constant is change, this could either be positively transformational or retrogressive. While we have some organizations that have one or more management systems in place, I strongly believe that it is time to introduce a different approach to the way we handle data privacy and its regulations.
What types of security breaches have you dealt with in your job? How did you manage them and what did you learn from them?
At Digital Encode, we have helped our clients to deal with privacy and protection issues that include incidents and security breaches around data leakages, DDOS, ransomware and phishing attacks as well as different malware assaults. In these incidents, the best industry standards were deployed to mitigate them at their different periods of occurrence. One thing I learnt from these incidents is that human factor is the most critical element that drives the process and that technology that affect the business ecosystem. People could be the strongest or the weakest link that could impact any enterprise.
Of the latest developments in the past few years — cloud computing, big data, IoT, AI, even social media – which, in your opinion, has been the most ‘harmful’ from a data security perspective?
Unfortunately, all the technologies you mentioned have had high rates of breaches but the most prevailing and one that is still wreaking havoc because it houses other technologies is the cloud. Most technologies and intellectual property are stored in the cloud. Social media, big data, Internet of Things and artificial intelligence data are all stored in the cloud because they require a lot of space.
The cloud has shown some vulnerability because most end users do not know how to properly use and secure their profiles adequately when interfacing with technologies hosted on the cloud. For instance, despite the General Data Protection Regulation (GDPR) put in place by the European Union (EU) in 2018, which represents important changes in data privacy regulation for businesses operating within and in relation to the EU, there are still risks associated with managing data on the cloud.
Are you satisfied with Nigeria’s privacy regulation and data protection legal framework? Are there aspects you feel could have gone further?
I must commend Nigeria’s regulatory agencies on this issue. While they have started a data protection regulatory journey, there is room for improvement. In this part of the continent, developing legal framework and formulating applicable policies is never our problem. The bottleneck is implementation. If we look at the critical sectors of the economy – financial services, telecommunications, hospitality and tourism, real estate and education - how many businesses in these sectors have implemented the data protection act? How are the regulatory agencies monitoring the implementation of such regulation in these sectors? Do they have performance evaluation measures to show the statistics and ascertain those that have complied compared to those that have not? To what degree are those that have implemented in Nigeria compliant? And how have those who implemented it correlated their risk assessment to their data protection impact assessment? These are what bother me because if we cannot address these challenges nationally, how do we tackle a GDPR breach that involves a European citizen? Again, these are
some of the reasons performance evaluation and monitoring are very necessary. We still have to do more, especially finding novel solutions to hard privacy problems. In the EU, privacy is treated as a basic human right that cannot easily be traded away to suit the needs of businesses. Right now, we need to start looking at a GDPR style regulation because many companies are depending on the unrestrained collection and use of personal information to grow their businesses and we need to regulate how such information is collected, used and generally treated.
Let’s talk about deletion concept. After how long should data from a customer be deleted by the business in possession of such data?
Firstly, industry convention for data retention based on relevance could be between 5-7 years and this duration is still dependent on the organization. However, data privacy regulation allows the retention of data for as long as the collected and agreed personally identifiable information are relevant to the purpose for which it is being used. Again, there is a twist to this, should the client not want to continue any form of transaction with the company holding his or her information, the customer is empowered to request the company to delete such details before the official deletion period stated by the custodian of the information.
Can customers ask specifically for their data to be deleted as part of an override in situations where a business has a valid interest in the data for legitimate reasons and want to store them for longer?
Yes, absolutely. The customer is not just a local king when it comes to data protection regulatory act but a platinum king. That is the right to erasure and to a larger extent it is about the customer and the protection of his data. The right to erasure is also known as ‘the right to be forgotten’. A customer can make a request for his data to be deleted but the question is how many people understand when the right applies? That is why we need a law that specifies this right and how the data subject can make a valid request for his data to be erased.
What advice would you give to companies who are unprepared and don’t know where to start on data privacy and data protection?
I will strongly suggest they engage a data protection consulting firm like ours, who are knowledgeable and hands-on to guide them through their data protection implementation journey. This will help them to drive value delivery across the organization.
Digital Encode is the first information assurance company in Nigeria to have a GDPR Certified Data Protection Officer (DPO) trained to impact Nigeria industries on data protection matters. As for such companies, it is never too late for them to become data protection compliant in order to protect their enterprise and related assets.
If you had the chance to start from scratch in the field of cyber security, what would you have done differently to prepare for privacy regulations or customer privacy expectations?
Fortunately, from a governance, risk and compliance advisory perspective, Digital Encode has always been compliant, consistent and committed to the rules governing data security and ICT management. We strive to continually improve the data protection regulations in our enterprise. However, I would rather that new entrants into the cyber security business, or companies that never considered data protection regulations at their startup, strongly factor it into the building of their enterprise. That is the only thing that will ensure their readiness to create value for their clients, the market and their stakeholders.
Roundtable
Fostering cyber security culture in the workplace
"With the advent of bring your own device and more organizations allowing employees to work from home, company policy must demand that such employees maintain robust security standards." -- RANGANATH
This Roundtable explores the need for a revolutionary change in how companies approach effective security awareness and how promoting a cybersecurity culture can present a stronger front against cyber threats.
WHAT IS A CYBERSECURITY CULTURE and why is it so important to organizational success?
RANGANATH: A cybersecurity culture advocates for everyone including executive leadership and management to have equal parts to play in cybersecurity, which is essential for bolstering an organization’s resilience and the building of practical structures for maintaining a strong organic firewall. Strong cybersecurity involves many different technical and informational solutions that must be adopted and implemented. Technology is necessary in this regard but it cannot work independent of complementary factors such as policy guidelines, information sharing on threats, and user awareness. A befitting cybersecurity culture helps an organization to create processes that tie up security practices with business operations. It ensures that security is not just a random job given to a relegated, inexperienced, understaffed and underfunded IT department. Culture by its definition is “a way of thinking, behaving, or working that exists in a place or organization.” Executives can certainly lead a cybersecurity culture, but it must be built and supported by the entire organization for it to be successful. In this way, "we are all equal partners" becomes more practical, rather than just a slogan, and makes staff understand that they are stakeholders in the safety of the organization.
OKPUNUNG: For some organizations, cybersecurity is in their DNA and it's considered in everything they do, and not as an afterthought. This culture is important to their success because it amounts to the promotion of safe digital security practices that integrate seamlessly with the work that each employee does. In this day and age, employees should be made to consider cybersecurity in the same way as they do work safety if a company wants them to make better choices in this regard.
It involves creating workplace policy on the use of certain devices at work, making employees aware of cybersecurity threats like phishing attacks and promoting better password management. These are skills that are transferable outside the office.
ABUMERE: In my view, a cybersecurity culture is one which demands that employees be fully aware of the cyber risks the company faces and are involved in ensuring the effective protection of the organization’s information and cyber assets. It is the promotion of safe cybersecurity practices that integrate seamlessly with employees’ work. It is making employees aware of cybersecurity threats and making them amend their behaviour accordingly to mitigate those threats. Human error contributes to many cases of cyberattacks, maybe from social engineering or compromised credentials from accessing fake login pages or answering phishing emails. Employee behaviour is important in an organization’s success in the fight against cyber threats because a single human error can bring down an entire organization's cyber infrastructure.
RESPONDENTS
DR. KRISHNAN RANGANATH, Chief Technology Officer, Medallion Communications Limited
IGBOA ABUMERE, Chief Information Security Officer, Stanbic IBTC Bank
ITA OKPUNUNG, Fraud/Risk Analyst, Paystack
How can you build a culture of effective security? What are the actions, tips and steps that can help strengthen cybersecurity culture? Does it involve broadening employees’ skills?
ABUMERE: Organizations need to develop a cyber-awareness programme that constantly drives knowledge of cyber associated risks and their mitigation. They should build a cyber-champion framework that leverages employees embedded within the business to help spread the word. They should also implement an online security awareness programme that uses technology to engage employees actively as well as assesses effectiveness of training efforts. To strengthen its cybersecurity culture, every organization should use individuals from a variety of levels and offices in outreach and educational activities and provide cyber champions or ambassadors with tools and resources to promote and support activities at their respective locations. There is also the need to broaden employees’ skills through integrating security awareness into business processes and ensuring everyone has adequate knowledge of the threats against the business or an area of operation.
RANGANATH: Studies have shown that prioritizing investment in training, staff development and technology retreats can be a meaningful driver of a strong cybersecurity culture. Evaluating employee views on cybersecurity is among steps leading to heightened awareness and improved cybersecurity consciousness. Meanwhile, in order to determine a consistent onboarding programme for new recruits and existing staff, security experts across the globe have suggested these factors be put into consideration: access control, verification and authentication, privacy policies and terms of use, password management, encryption and digital signing, if applicable, phishing, scheduled digital backup and information sensitivity.
But then, communication is an integral part of a cybersecurity culture and a critical enabler for employees to become active in the organization’s security efforts. Communication takes several forms; it can be policy guidelines that are directed from executive leadership; it can be workers reporting potential security incidents; or security personnel informing the organization of new threats impacting the sector. With the advent of bring your own device and more organizations allowing employees to work from home, company policy must demand that such employees maintain robust security standards. Also, educating staff on acceptable online behaviour, which includes even the types of information they can share on social media, will help employees reduce risks at both their residences as well as their places of work. Enterprise security is as closely related to the systems as with the people interacting with them.
"The risk of not recognizing the importance of cybersecurity today is that the outcome of an attack would not only ruin a company financially, but could damage the organization’s reputation." -- OKPUNUNG
How do organizations evaluate employee awareness regarding cybersecurity and what internal processes need to be in place to ensure that a company’s security culture can thrive?
OKPUNUNG: The very first step is to invest in continuous employee education and enforce practices such as regular password changes. It could include internally simulating attacks to expose employees to what can happen if they are not security conscious.
ABUMERE: One, training must be leveraged to promote awareness, which means regular target driven courses distributed to employees. In measuring and assessing effectiveness of these trainings, assessment should be conducted and the courses scored. Two, organizations can engage external consultants to carry out vulnerability assessments or penetration testing against processes and systems as a way to understand the impact of employee security education.
RANGANATH: Standards and procedures need to be put in place and closely monitored, especially restrictions on accessing certain types of URLs on company networks and warnings on launching certain types of content on the organization’s domain. When evaluating employees, we monitor the contents they access on a weekly basis and during our monthly internal training and awareness sessions, we discuss activities that raised some concerns. We also have internal drills to see how teams understand our processes and how they are adapting to them.
What is your advice for effectively communicating cybersecurity to top-level executives? Do boards need to get more tech-savvy regarding their understanding of cybersecurity?
OKPUNUNG: Top-level executives are typical targets of one of the most common whale phishing attacks and so should be made fully aware of such threats. But the goal of communicating cybersecurity to them should not be to educate them on the different threats they face individually. Instead, security leaders should help the board members understand top security concerns, how they may impact the business and possible mitigation approaches so the board can establish priorities and allocate required resources appropriately. They don’t need to know how the technology works or threat terms like ransomware. For a board, a presentation on cybersecurity should focus on financial involvement and return on investment.
RANGANATH: This depends on every organization's tier of leadership. There is a very high probability of top management staff not being tech/IT savvy, but they are well aware of the issues that can cause problems for the organization. In my opinion, every organization that is connected to the internet should participate in awareness training but it has to be enforced and practiced by leaders at the top management/board level.
ABUMERE: Effective communication of cyber risks to top level executives is compulsory considering they have full oversight of the entire organization. But in communicating with them, staff with such obligations should endeavour to contextualize the information they are presenting, by ensuring that facts and figures are not only accurate but relevant. Also, know your audience and learn what the executives value. Don’t assume everyone you’re presenting to has the same vision for what should be done. If you learn what the leaders in the organization value, you can find the best way to explain things or present new ideas to them. Drop the jargon and use the language of business. Boards do not need to be tech savvy to understand cybersecurity; rather, the information security officer needs to communicate cyber risk to board members in a business-friendly language.
"Human error contributes to many cases of cyberattacks, maybe from social engineering or compromised credentials from accessing fake login pages or answering phishing emails." -- ABUMERE
Do you think that cybersecurity should become an integral part of a company’s corporate social responsibility?
GODWIN: Yes. The risk of not recognizing the importance of cybersecurity today is that the outcome of an attack would not only ruin a company financially, but could damage the organization’s reputation. Such an organization may never recover from it, so if it plans to thrive in this digital era, it must make cybersecurity decisions that reflect obligations not just to investors or shareholders, customers and employees, but the society at large.
RANGANATH: In this era of information technology and the Worldwide Web, cybersecurity must be a part of the corporate culture. Each onboarding process must assess and evaluate the employee's security consciousness in terms of the workplace and the organization’s digital assets. We say charity begins at home, so unless employees attune to the company's security culture, the same may not be treated as CSR because the threat from cybersecurity issues is much bigger than any other threat to an organization or to a nation. Around 56% of the global population is connected to the internet, and you can imagine the implications of a global cyber-attack. Cybersecurity should be a part of the curriculum at every education level as the world is gradually approaching the digital age.
NeFF Insight PRACTICAL ADVICE FOR THE MITIGATION OF PAYMENTS RISK BY THE NIGERIA ELECTRONIC FRAUD FORUM
How firms can balance consumer experience with security and fraud controls
By ADESOLA OSUJI
FRAUD MAY BE LOOSELY DEFINED AS the use of trickery, falsehood, deception or dishonesty to gain unlawful or unfair advantage or benefit, which may be financial or non-financial. Fraud involving financial transactions could occur in nearly all sectors. However, of particular interest to us is fraud in the payment services industry in Nigeria. Here, the customer may lose cash, financial value, online/virtual currency value or physical goods as a result of impersonation, identity theft, account takeover, etc.
In 2018, the Nigerian payments industry experienced 38,000 fraud incidents valued at N9 billion, with an estimated N2 billion completely lost. In this same period, a total of 17,328 unique customers were defrauded (NIBSS Report on Fraud Landscape in Nigeria).
When a customer is defrauded, the incident usually causes significant distress for the defrauded customer on the one hand, and exposes the financial institution to the risk of financial and reputational loss on the other. The effective handling of these fraud incidents creates a veritable avenue for positive customer experience despite the fact that the customer has just recorded a financial loss or a near miss.
In my experience, the payment service customer’s priority following a fraud incident is not limited to a full recovery or refund of what has been lost. High on the customer’s priority list is the need for reassurance that the fraud incident will be handled honestly, expeditiously and professionally, and the need to feel safe and protected by the bank.
Effective fraud management, therefore, is the totality of actions, policies and processes put in place before, during and after a fraud incident, to assure the customer that he is safe and that his bank would act in his best interest. It commences from the evaluation of risks at the point of initial product conception/design, and continues until after a fraud incident, should the fraud risk ever crystallise.
Effective fraud management should be part of the bank’s customer acquisition and retention plan because effective fraud management will get you customers and keep them. So, what then does effective fraud management entail? It is primarily made up of three components, namely: fraud prevention, fraud detection and fraud response management.
Sam Okojere, Central Bank of Nigeria's Director of Payments System Management and chairman of the Nigerian Electronic Fraud Forum (left) during a tour of the offices of payment processing company, Paystack where he had interesting conversations around regulations with staff of the company.
Sam Okojere, Central Bank of Nigeria's Director of Payments System Management and chairman of the Nigerian Electronic Fraud Forum (5th from left) and other members of NeFF at the forum's annual meeting and the presentation of NeFF’s 2018 annual report on ‘Emerging fraud threats: An evaluation of the industry cybersecurity posture’ in Lagos.
"Banks and other payment service providers must demonstrate their knowledge and competence regarding fraud prevention by communicating anti-fraud measures effectively"
Fraud prevention: Fraud prevention starts from the identification of fraud risks which may crystallise, should any of the gaps in policy, process, practice or technology be exploited. It also involves putting mitigants in place to dissuade potential fraudsters. Within this context, these mitigants could include validation sequences such as requiring further authentication, information/action to conclude a transaction or placing a hold on the transaction [value] pending confirmation before the transaction is concluded. At this point however, a balance must be struck between convenience for the customer and security for both the customer and the bank. Clearly, too much inconvenience for the customer in the guise of fraud prevention could lead to customer apathy for the service/product, or worse still, for the bank. This could be the case especially where the customer is ill-informed, insufficiently informed or well-informed but unconvinced of the value of such preventive measures.
Fraud detection: Where prevention has failed, and before or during a fraud incident, the fraud detection phase kicks in. It also involves activities geared towards detecting vulnerabilities in the system. A few of such activities could involve input and feedback from customers, both internal and external to the organization, vendors, staff and other stakeholders. In many organizations, a lot of effort, time and financial resources are expended on this component. This ought not to be so. At the very least, equal or even more resources should be expended on making sure the risk never crystallises. However, where it crystallises, the resulting process is midwifed as best as possible.
Fraud response management: And so the risk has crystallised. The customer has been defrauded. Financial loss may or may not have occurred. So what next? Clearly, this would be a distressing and confusing time for the customer (fraud victim). There is usually a feeling of disorientation and hopelessness with many of the fraud victims.
Effective communication and education in the fraud management process
According to the NIBSS Report, the weakest link in the fight against fraud in Nigeria is the customer, and the industry must collectively embark on massive education of customers to achieve significant and sustained reduction in the fraud rates currently experienced in the payment service industry. Effective communication and customer education is an avenue for the organization to assure customers of the safety of their products and services (Guardian Analytics, 2011). In order to translate the key components of fraud detection, prevention and response management into higher-quality relationships with customers, effective communication and education are critical and imperative.
Banks and other payment service providers must therefore demonstrate their knowledge and competence regarding fraud prevention by communicating anti-fraud measures effectively, thereby creating a feeling of safety among customers (Rauyruen and Miller, 2007). This communication should commence at the beginning of the relationship and should be sustained and consistent throughout the pendency of the relationship. Some pointers for effective communication and education in the fraud management process include the following:
Simplicity and Clarity of the message:
Consistency in mode and style of communication: The bank should have a consistent style and mode of communication. This should not affect the creative, mode or the message being communicated. If consistency in mode/channel of communication can be achieved, it would help the customer to easily recognize and validate the message from the organization. Where the mode or style is arbitrary, it leaves the customer confused, easily convinced and fooled by fraudulent messages.
Uniformity in message being communicated: The central theme of the message should be uniform at all times and across all channels. For instance, where an organization communicates that “we would never ask you to click on a link…” as a way to protect its customers from phishing/smishing scams, it would be an antithesis for the organization to roll out a product/service requiring customers to click on a link sent to them by SMS or email to access bonus points or discounts. For such an about-face to happen and succeed with minimum impact on fraud indices, there must be a concerted effort to reorient the psyche of the customers and sufficiently enlighten them on how to identify scam messages/emails.
Centrality of the source: In communicating with customers, the source of the communication should be central. As such, the organization ought to have a central source of sending out information; particularly a secure email address, a secure Short Messaging Service engine, a push message service, etc. The practice of sending emails or SMSs to customers from various email addresses/messaging services should be strongly discouraged. To this end, it would not be out of place to designate a specific function or department within the organization to handle communications with external customers.
Ease of communicating with the organization/effective feedback mechanism: The channels of communicating with the customer should be multiple and easy to access. Customer care e-mail addresses and phone numbers should be well publicised and easy to remember. The channels of communication should also be confidential and secure. Where the communication is face-to-face, it should be in a secure location and the staff must be adequately trained in effective communication with customers. In addition, the bank/organization must arm the staff with enough information on the policies and processes involved in the handling of fraud incidents, to sufficiently allay the fear of the customer. It is not required that the particular facts of the fraud incident should be made available to every staff member. What is required is that the staff are aware of basic customer details as well as enough details of the fraud incident to reassure the customer that the incident is receiving adequate attention. A mechanism for customer feedback should be put in place. The mechanism should be two-way such that the customer can be easily reached, and the customer can easily reach the organization.
Practical implications
The crystallisation of a fraud risk into a fraud incident should be viewed as an opportunity for the bank/payment service provider to connect with its customer for excellent service delivery. It is an opportunity for the customer to be reassured that funds are sufficiently safeguarded and can be recovered in the event of loss. Ultimately, it is an opportunity for customer satisfaction and retention.
Adesola Osuji is a lawyer with expertise in audit, compliance and risk management. Culled from NeFF 2018 annual report.
NEWS TICKER
Consumers lost N3.6bn to fraud last year
Financial institutions were besieged with fraud attacks in 2017 and 2018, leading to 63,895 of their customers losing N3.6 billion to fraud in the two years. Sam Okojere, Chairman of the Nigeria Electronic Fraud Forum (NeFF), disclosed this while presenting NeFF’s 2018 annual report in Lagos. He said that phenomenal growth and transformation of any payment system like Nigeria’s would naturally be accompanied by corresponding growth and sophistication in fraud schemes.
NeFF warns about phishing threats
NeFF is warning that a wave of phishing schemes and rogue mobile applications continues to be heavily used by cybercriminals to defraud users and organizations. “Rogue mobile apps are assumed to be one of the fastest-growing phenomena among cybercriminals,” NeFF warned over the weekend at its Annual General Meeting in Lagos. “Fraudsters create malicious apps that appear genuine, taking advantage of the trust of customers to access their personal information. This can be viewed as a form of phishing on the mobile platform.”
Mobile fraud attacks rising
NeFF recently released new cybercrime insights revealing a sharp rise in fraud attack levels on mobile transactions. Mobile fraud has tended to lag behind the channel’s overall growth; however, in 2018 attack rates rose 72.2% when compared to figures from 2017. Globally, one third of all fraud attacks are now targeting mobile transactions.
Access Code. IT TROJAN THREATS
Researchers warn of rise in malicious mobile banking packages
RESEARCHERS HAVE UNCOVERED A worrying rise in malware designed to steal credentials and money from people's bank accounts. That's according to the Kaspersky Lab IT threat evolution report, which identified 29,841 such files in Q1 2019, up from 18,501 in Q4 2018.
Mobile banking Trojans are one of the most rapidly-developing, flexible and dangerous types of malware. They usually steal funds directly from mobile users’ bank accounts, but sometimes they are directed to steal other kinds of credentials. The malware generally looks like a legitimate app, such as a banking application. When a victim tries to reach their genuine bank app, the attackers gain access to that too.
In Q1 2019, Kaspersky Lab detected around 30,000 modifications of various families of banking Trojans, trying to attack 312,235 unique users. What’s more, banking Trojans grew not only in the number of different samples detected - their share of the threat landscape increased as well. In Q4 2018, mobile banking Trojans accounted for 1.85% of all mobile malware; in Q1 2019, their share reached 3.24%.
While users were subjected to a variety of mobile banking malware families, one was particularly active in the period: a new version of the Asacub malware accounted for 58.4% of all banking Trojans that attacked users. Asacub first appeared in 2015.
In Short
Customers of Bahrain's Ithmaar Bank no longer require cards to use the bank’s ATMs. Instead, they can use their fingerprint along with their PIN to process transactions. To use the service, they will need to register their fingerprint data at the bank.
One of the features of Windows 10 version 1903, otherwise known as the May 2019 Update, is the Windows Sandbox, a virtual machine for testing downloads and browser extensions to avoid infecting your operating system.
Big banks and other financial firms spend as much as $3,000 per employee to defend computer networks from criminals, a survey found, as the industry remains the primary target of cyberattacks.
Some websites are promising $5-30 worth of free bitcoins for people to run their Bitcoin Collector programme. In reality, this programme does nothing but install ransomware or password-stealing Trojans onto a victim's computer.
A PRETTY NEAT WAY TO CARRY YOUR THINGS
This sleek slab of metal is the Trova Go, a carrying case for your things, but much more impenetrable and less susceptible to theft. Housed in a sleek, anodized aluminum case, protected by a biometric lock that’s also tied to your smartphone, the Trova Go is for holding stuff -- cards, cash, medicine, pen-drives, memory cards, anything that you want to have with you. Its small form factor means it can be carried in your hand or bag, and its neat, simplistic styling and anodization integrates it aesthetically with your lifestyle. It pairs with an unlock functionality on your phone, allowing you to unlock the case remotely using your fingerprint or your face. Using authentication techniques normally reserved for data, Trova Go brings biometric protection to real-life things.
Kenya creates new banknotes to curb fraud
THE CENTRAL BANK OF Kenya (CBK) plans to withdraw an old version of its 1,000 shilling banknote to tackle illicit financial flows, crack the whip on embezzlement of public funds and ease increasing concern about the emergence of counterfeits which jeopardize proper transactions and the conduct of commerce in the country's currency. CBK Governor Patrick Njoroge said the old note will cease to be legal tender by October 1 and will be replaced by next generation notes adorned with modern security features that will enable the visually impaired to differentiate the values by running their fingers over the currency. To protect against counterfeiting, the new notes have increased security features. When held up to the light, the notes reveal a watermark of a perfect lion’s head, the text “CBK” and the note’s value. This is among other security features such as the raised text on the note’s value and the text “Kenya”.
MOBILE SECURITY
Finnish firm produces world's most secure smartphone
BITTIUM, MAKER OF THE WORLD’S MOST SECURE PHONE SYSTEMS, HAS UPPED ITS GAME with the launch of the ultra secure Bittium Tough Mobile 2 smartphone, which it certified for use by national governments. The phone's multilayered security is based on the hardened Android 9 Pie operating system and unique hardware solutions integrated in the source code. Built into it are several encryption, authentication and key management-related features, boot and runtime security checks, a tamper-proof platform as well as a privacy mode. With the privacy switch, the microphones, camera and Bluetooth are disabled, and the accuracy of sensors is reduced, with the touch of a button. “In this age, when you can read in the news almost daily about wiretapping and the hacking of generic smartphones, we are proud of the major upgrade Tough Mobile 2 brings to secure mobile communications,” said Jari Sankala, Bittium's Senior VP of Defense and Security.
THREAT LEVEL
ADVANCED PAYMENTS SKIMMER // Security researchers have discovered a polymorphic Magecart skimmer that can sniff 57 different payment gateways worldwide. Its modular architecture allows crooks to inject the skimmer within almost any checkout page, on any website, and start scraping card information without the need of customizing it for every store they manage to compromise.
FRAUD BY NUMBERS
COSTS OF FRAUD: $1.5 trillion. Annual global fraud loss cost to businesses in terms of revenue, fines, remediation, labour, technology, lost opportunities according to a report by Lexis-Nexis.
SECURITY COST: $124 billion. Projected global spending on information security products and services, rising 8.7% from $114 billion in 2018, according to forecast from Cybersecurity Ventures.
GENDER PROBLEM: 24%. Representation of women in the cybersecurity workforce as revealed in the 2019 Women in Cybersecurity report by the International Information System Security Certification Consortium.
HACKING TOOLS: $1. Starting price point on a cybercrime shopping list for kits for cyberattacks, identity theft, malware, ransomware, and other nefarious purposes available in online marketplaces compiled by security firm Recorded Future.
TROUBLING SIGN // Malicious actors pushing Magecart POS skimming malware infected the Forbes magazine subscription website and copied users' payment card numbers, expiration dates, three-digit CVV/CVC security numbers, cardholder names, addresses, and phone numbers. The malware may have gained access to Forbes through a third-party vendor that was used to supply icons to the website.
CISCO BACKDOOR // Red Balloon technology experts discovered a vulnerability named Thrangrycat that allows bad actors to inject malware-based components on some of Cisco's devices and products such as firewalls, switches, and routers that are widely used in enterprises and government networks.
JUST TOO SMART // Researchers are warning against a third-party Android app store that seemingly specializes in games but is simply a front for a campaign to install malware onto too-trusting victims' devices. The "Smart Content Store" isn't a smart place to shop, and it doesn't even offer real content. If you try to download "CrazyBirds" or "SuperBros Run", you won't even get a Trojanized game. All you'll install is malware. The attackers are opportunistic: brute-forcing, credential stuffing, and social engineering are all in play.
AESTHETIC AND FUNCTIONAL
DesignFeel's Yoo Eunsook created this ATM to alter the clunky and bulky nature of the machines as well as making them safer. The idea is to basically integrate ATMs flush into walls. This way, they don’t take space, and they also make it much harder to break into and steal. Securitywise, the machine closes down, with a retracting keyboard panel, when not in use. The minute you want to use the ATM, the keyboard panel extends outwards, and the screen recedes into the back, giving you privacy. When you’re done, the keypad slides back in and the screen extends outwards again, turning it into a great canvas for advertisements.
ONLINE SECURITY
Web payment interest group assembles to increase security and interoperability
THE BIGGEST INDUSTRY ASSOCIATIONS IN THE fields of payments, the internet, and authentication have created a new cross-industry interest group to collaborate on a vision of fostering security and interoperability for online payments. The groups involved are: EMVCo, the payments group overseen by American Express, Discover, JCB, Mastercard, UnionPay, and Visa; W3C, the ‘World Wide Web Consortium’ that oversees prominent web standards; and the FIDO Alliance, the developer and publisher of the most prominent on-device authentication standards. According to a press release, participants in the Web Payment Security Interest Group will engage in activities including the formulation of a vision for web payment security, development of use cases, gap analysis, liaisons with other organizations, and identification of standardization opportunities for each organization. "This group has been created to better understand and shape the future of secure web-based payments and ensure alignment on the work of the three technical bodies," said Karteek Patel, EMVCo executive committee chair. The Web Payment Security Interest Group complements existing specification-level discussions around EMV secure remote commerce, EMV 3-D Secure, FIDO Alliance FIDO2 specifications, and W3C web authentication and payment request APIs. The group also provides the foundation for collaboration around future technical specifications.
Digital Commerce RETAIL INSIGHTS
Report finds global online shopping on the rise
HONOURING THE BELL: To mark the listing, Jumia’s major executives including Sacha Poignonnec, co-CEO of Jumia Group, and Juliet Anammah, chief executive of Jumia Nigeria, were present to ring the opening bell on the exchange on Friday, April 12.
Jumia in landmark stock listing on NYSE
JUMIA / EMVCO
FOLLOWING A ROADSHOW TO GAUGE INVESTOR interest, Jumia, Africa's largest e-commerce firm, formally debuted on the New York Stock Exchange (NYSE) with a historic initial public offering (IPO) that soared more than 75% on its first day. The company offered 13.5 million of its shares at $14.50, the midpoint of its estimated range. Jumia's financial advisers had been pitching the shares to investors at between $13-$16 each. It said that the flotation on the NYSE would raise $196m for shareholders and for future investment. The listing is a watershed moment for Africa’s tech ecosystems as Jumia is the first Africa-focused tech company to launch on NYSE or any major global exchange. It sends an important signal to other African start-ups that a major stock market listing is possible. The company's e-commerce services are active in 14 countries that account for 72% of Africa's gross domestic product. These nations also accounted for 74% of African consumer expenditure of $1.58 trillion during 2018, Jumia reported. “This achievement has been made possible thanks to the hard work of our teams, the trust of our consumers, as well as the commitment of our sellers and partners," said Sacha Poignonnec and Jeremy Hodara, the two French founders of the company. "We are going to continue to focus on our mission and to work even harder to help consumers, sellers, partners and all stakeholders benefit from this technological revolution.” Jumia operates multiple online verticals including Jumia Food (an online takeout service), Jumia Flights (for travel bookings) and Jumia Deals (for classifieds). Jumia processed more than 13 million packages in 2018, according to its data.
DHL launches new ecommerce app
GLOBAL LOGISTICS COMPANY DHL has announced it is expanding its DHL Africa eShop business to 9 additional markets, expanding the platform to 20 African markets. The app, which launched in April 2019, brings together more than 200 American and British retailers for African consumers and will deliver directly to homes. Africa eShop operates using startup MallforAfrica.com’s white label fulfillment service, Link Commerce. Payment methods include local fintech options, such as Paga and Kenya-based M-Pesa.
EMVCo unveils new commerce icon
EMVCO PRODUCED THE above icon for businesses to signal to customers that the EMV Secure Remote Commerce ‘virtual payment terminal’ specification is being used to process card-based payments in remote-checkout environments, including websites and apps. The icon and accompanying documents are available on the EMVCo website for royalty-free usage.
DATASETS
3,000,000
Projected new jobs that will be created by online marketplaces across Africa by 2025, which would raise incomes and boost inclusive economic growth with minimal disruption to existing businesses and workforce norms, according to the Boston Consulting Group.
24%
Growth rate of the global e-commerce logistics market during the period 2019-2025 with Latin America, Middle East and Africa expected to grow at the fastest pace due to technological advances and high Internet connectivity, according to market research by Report Consultant.
MORE THAN 60 PERCENT OF GLOBAL consumers shop online at least once a month with the majority of those sessions stemming from a mobile device according to research from digital commerce company, Episerver. Episerver used data on unique shopping sessions across 159 retail and consumer brand websites around the world to capture insights on the devices and traffic sources performing best for B2C organizations selling online. Some Episerver customers tracked in the report see more than 80 percent of sessions coming through mobile on certain days based on 2018-2019 tracking. Desktop, however, outperforms all hand-held devices with units sold per order at 3.6 items versus 3.3 for tablet and 2.9 for mobile. Simultaneously, social media is now a mainstay in people’s path toward purchase as 63% of online shoppers have clicked on a social media ad with 33% of them making a direct purchase as a result. Episerver also found that over half of those have clicked on an influencer’s post, and 31% have made a direct purchase from the post. "Through access to 1.3 billion sessions, we’re able to provide digital commerce leaders and practitioners an opportunity to benchmark themselves against a statistically significant sample of retail and consumer brand websites and get definitive answers to their top B2C commerce questions,” said Ed Kennedy, senior director of commerce strategy at Episerver.
Mobile commerce market set to double
MOBILE COMMERCE IS SET TO overtake desktop sales globally by 2023, according to May's Global Payment Trends report from Worldpay. Sales on mobile devices are growing at an average of 16 per cent every year, well outpacing desktop sales growth of five per cent. This growth is expected to rise to 19 per cent annually in the next five years, bringing the market’s total value to $2.29 trillion by 2022. Mobile commerce’s global penetration is also expected to rise from 38 per cent to 49 in the same period with Nigeria, Turkey and Colombia set to see the fastest growth.
Product Review
Sterling Bank makes your money work for you Doubble
DAILY POST NIGERIA
IT IS NO SECRET THAT MOST PEOPLE ARE NOT saving for the future; and many are not investing. The state of the economy gives people the sense that they do not need to save for the rainy day; that their only choice is how to survive today. Many Nigerians feel that they do not have sufficient funds to start saving and they believe it takes a lot of money to start investing. For many years, banks have been trying to convince their customers that the smart place to keep their money is in a savings account, where it can generate more value as it waits. Yet this notion is still one that many people have a hard time thinking about. For some people, the idea of savings and investing makes natural sense. If you put away money for a time or involve it in an investment, it is going to grow and grow and grow. By being smart and taking a few risks, and by knowing the market, you can easily earn yourself a ton of money. For young people it is a way to build themselves a retirement fund. It is exactly for this that Africa’s most agile financial institution, Sterling Bank, recently introduced Doubble, an online investment portal, into the market to cater to the investment appetite of young people, the working class, and retirees. Built on robust technology, the self-service platform will enable its users to invest at their convenience and earn up to 200 percent over a stipulated period. According to Dapo Martins, Chief Marketing Officer of Sterling Bank, Doubble was designed to demystify investing and expose people who are looking to accumulate savings over time to a simpler, low-cost way to start building their nest egg. “With Doubble, a customer can choose to invest either a lump sum in one contribution or monthly contributions, which could be for the duration of 36 months or 60 months with all pay outs remitted monthly to the beneficiary or in their choice of equal instalments.
Simply put, Doubble is an investment product that allows individuals to save monthly for three to five years and receive double the previous monthly savings from the sixth year for the next 10 years,” Martins said. This style of wealth management does not generally enter the calculation of those on less than a six figure salary. Doubble’s major goal is to change that. It wants to cancel out the excuse that people need a load of money to start investing by getting the average Nigerian to save every unspent money. The premise is fairly simple. It takes money you set aside and then invests it to make you more money. It is a fun way to get into investment without having too much experience or resources and without having to take it too seriously. The platform’s flexibility allows individuals to register on their first visit and choose a future convenient date to commence the contract. They can also choose beneficiaries other than themselves (spouse, child/children, parent or anyone else of choice) to receive the returns on their investment. In its element, Doubble allows investors to practice delayed gratification in the form of ‘save today, earn Doubble later.’ It empowers people to plan towards future consistent cash outflows such as payment for utilities, mortgages and monthly upkeep. Martins said the solution could function as an annuity to some customers as it guarantees monthly payment at regular intervals over a specified duration, and that customers can access loans at concessionary rates if they require quick funds but still want to keep their contracts running. Sterling Bank is a trendsetter when it comes to providing personalized products and services to its digital-centric customers. Technology offers it an innovative means of helping people feel confident with their money. That is why Doubble is custom designed to fit different lifestyles and classes. Its investment variants include Doubble 3, Doubble 5, Doubble 10 and Doubble Lump Sum. The first is a six-year contract plan with a 25 percent return on investment (ROI) that allows customers to contribute for the first three years and then receive the invested amount and returns every month for three years. Customers choosing Doubble 5, a 10-year plan, will make monthly contributions for five years and afterwards receive the invested amount plus returns every month for another five years at an ROI of 50 percent. Doubble 10 is a 15-year plan that takes monthly contributions for the first five years and pays out the invested amount plus a 100 percent ROI every month for 10 years. Finally, the Doubble Lump Sum is a 10-year plan requiring one bulk contribution. Upon maturation, the invested amount including returns is paid every month to the beneficiary from the sixth to the tenth year with 100 percent returns on invested funds. The different investment plans are evidence that Doubble is for everyone. On the portal (doubble.ng) you can set up your account in minutes and monitor the progress of your investments. It offers a plethora of features: an easy-to-use investment calculator to guide investment decisions and a good, solid option for tracking savings and investment in both naira and US dollars. Sterling Bank customers can start investing as soon as they register by indicating an account that can be debited while non-account holders will have Sterling Bank accounts created for them. Those saving in dollars will get a USD domiciliary account. Looked at radially, Doubble is the place for those who want to be in the know when it comes to investment and financial things. That is a testament to Sterling Bank’s belief in enriching the banking experience of its customers and its continual striving to deliver excellence.
Abubakar Suleiman, Managing Director/Chief Executive Officer of Sterling Bank.
NIBSS Fraud Report
INDUSTRY FRAUD REPORT - Q1 2019
FRAUD AT A GLANCE - DEPOSIT MONEY BANKS
FRAUD VOLUME
First quarter 2019: 15,809
First quarter 2018: 8,538
Fourth quarter 2018: 11,247
Q1 2019 | ACCOUNT TYPES | DMBS
Individual accounts: 13,772
Corporate accounts: 98
Actual loss count: 10,278
Fraud volume in the first quarter increased by 40.56% and 85.16% when compared with Q4 and Q1 of 2018 respectively. About 65% of the reported fraud cases were partially or completely lost within the quarter. The industry salvaged 35% of the reported fraud volume.
ATTEMPTED FRAUD VALUE
First quarter 2019: N2.37 billion
First quarter 2018: N1.32 billion
Fourth quarter 2018: N4.29 billion
ACTUAL LOSS VALUE
First quarter 2019: N1.1 billion
First quarter 2018: N794 million
Fourth quarter 2018: N447 million
Despite the 40.56% increase in fraud volume between Q4 2018 and Q1 2019, the quarter recorded about a 44.74% decrease in attempted fraud. However, the quarter experienced a rise of 79.91% when compared to Q1 2018. The fraudsters succeeded in carting away more than 46% of the attempted value in this quarter. There is an increase of 145.89% and 38.44% when compared with Q4 and Q1 2018 respectively.
FRAUD BY CHANNEL
Across the counter -- Volume - 44 Value - ₦330.1 million
Although this channel represents only 0.3% of the entire fraud volume, the channel accounted for 43.3% and 30% of the attempted fraud value and actual loss value respectively. While there is a decrease in volume for this channel in comparison to Q4 and Q1 2018, there is a sharp increase in value. It recorded 496.7% and 1187.5% increase in value over Q4 and Q1 2018 respectively.
ATM -- Volume - 3,803 Value - ₦189.3 million
As with previous trends, ATM is still stipulated as a "choice" channel for fraudsters. The viability of the ATM channel can be seen in the reported 62.87% and 48.67% increase in volume when compared with Q4 and Q1 2018 respectively. The channel represents 13.2% of the Attempted Fraud Value and consequently represents 17.2% of the Actual Loss Value in Q1 2019.
Cheques -- Volume - 4 Value - ₦4.5 million
This channel recorded the least fraud volume, attempted fraud value and actual loss value within the quarter. The actual loss value also shows a 2447.7% increase over Q4 2018.
E-Commerce -- Volume - 643 Value - ₦4.9 million
E-commerce maintained an increase of 14.4% and 33.13% in fraud volume when compared to Q4 and Q1 2018 respectively. The actual loss decreased by about 7.53% from the previous quarter and about 4.5% from Q1 2018. With N4.9M in actual loss values, the e-commerce channel recorded minimal losses to fraud in comparison to other channels.
Internet Banking -- Volume - 411 Value - ₦15.3 million
The Internet banking channel experienced a reduction in fraud volume when compared to Q1 and Q4 2018. The channel depicted 54.5% and 22.7% decrease in both volume and actual loss value when compared to Q4 and Q1 2018 respectively.
Mobile -- Volume - 5,533 Value - ₦327.2 million
The mobile channel maintains its status as 'the most preferred fraud channel'. It accounted for 35% of the total fraud volume for this quarter and also increased by 97.3% in value when compared to last quarter. Mobile represents 18.9% and 29.7% of the attempted fraud value and actual loss value respectively.
POS -- Volume - 861 Value - ₦45.1 million
POS recorded over 31% and 120% increase in fraud volume and loss value respectively when compared to Q4 2018. It is important to note that POS fraud has been on the decline recently. However, it is still a channel to watch.
Web -- Volume - 4,223 Value - ₦126.3 million
The web is the second most attempted channel for this quarter with 26.7% of the total fraud volume. Conversely, actual loss value is relatively lower compared with ATM which also has a higher volume. As with other notable channels like Mobile and ATM, it witnessed an increase of 34.5% and 108.3% in volume and value respectively when compared to Q4 2018.
S/N  Channels            Fraud Volume  Attempted Fraud Value  Actual Loss Value
1.   Across the Counter  44            1,027,983,785.65       330,120,995.70
2.   ATM                 3,803         313,045,792.28         89,363,398.09
3.   Cheques             4             4,650,739.88           4,534,942.46
4.   E-commerce          643           36,685,106.81          4,968,963.00
5.   Internet Banking    411           108,969,089.45         15,346,735.96
6.   Mobile              5,533         449,249,711.58         327,152,593.16
7.   Others              287           57,617,711.78          57,548,925.78
8.   POS                 861           128,071,867.69         45,133,280.20
9.   Web                 4,223         246,436,190.54         126,326,811.20
10.  TOTAL               15,809        2,372,709,995.66       1,100,496,645.55
FRAUD BY DAY
Fraud Volume Comparison by Day Q4 2018 vs Q1 2019
Actual Loss Value
Fraud Value Comparison by Day Q4 2018 vs Q1 2019 [In Millions]
Tuesday emerged as the day with the highest fraud volume for this quarter, with Thursday following closely behind with reported fraud cases of 2,864. The analysis shows that most of the fraud recorded was attempted during weekdays and not necessarily weekends. The highest amount lost to fraud for this quarter occurred on Thursday, followed by Tuesday. Sunday recorded the least amount lost within the quarter.
FRAUD AT A GLANCE - Q1 2019 OTHER FINANCIAL INSTITUTIONS (OFIS)
FRAUD VOLUME
First quarter 2019: 163
First quarter 2018: 63
Fourth quarter 2018: 394
Q1 2019 | ACCOUNT TYPES | DMBS
Individual accounts: 161
Corporate accounts: 2
Actual loss count: 151
The volume of fraud reported by the OFIs in the first quarter of the new year amounted to 163. This is almost 60% less than Q4 2018. A look at Q1 last year shows an increase from 63 to 163 when compared to Q1 2019.
ATTEMPTED FRAUD VALUE
First quarter 2019: N114 million
First quarter 2018: N8.99 million
Fourth quarter 2018: N35 million
ACTUAL LOSS VALUE
First quarter 2019: N113 million
First quarter 2018: N8.49 million
Fourth quarter 2018: N31 million
Success in attempted fraud value: 99%
Despite the decrease in fraud volume for Q1 2019, attempted fraud value increased by 227% when compared to Q4 2018. The attempted fraud value also increased by 1,168% when compared to the same quarter last year. The fraudsters succeeded with over 99% of the attempted fraud value. The actual loss amount of N113M recorded by OFIs is much higher than that of Q4 2018 and also represents a 266% increase.
FRAUD BY CHANNEL
Across the counter -- Volume - 24 Value - ₦4.8 million
Despite the decrease in fraud volume when compared to Q4 2018, there was a rise in the actual loss value for Q1 2019 of over 200%, making it the third highest contributor to OFI fraud value this quarter.
ATM -- Volume - 8 Value - ₦523,000
The lower figures reported for Q1 2019 indicate a 62% decrease from Q4 2018 fraud volume and a 93% decrease in actual loss amount. Clearly, this channel was not exploited as in the previous quarter which recorded a loss amount of 7.4 million.
Cheques -- Volume - 1 Value - ₦950.6K
A single cheque fraud was reported by the OFIs for the first quarter of 2019 amounting to 950.6K. Based on previous reports, cheque fraud appears uncommon as OFIs rarely report incidences of cheque fraud.
Internet Banking -- Volume - 11 Value - ₦117.2K
Fraud volume and actual loss value recorded for the Internet banking channel dropped by 73% and 97% respectively from Q4 2018.
Mobile -- Volume - 85 Value - ₦13.6 million
Though there was a significant reduction of 68% in mobile fraud volume, having dropped from 266 in Q4 2018 to 85 in Q1 2019, only a slight difference was recorded for the amount lost. The mobile channel experienced about 9% reduction in actual loss value.
Web -- Volume - 34 Value - ₦93 million
The web channel contributed 34 counts of fraud to the volume statistic which is 62% more than what was recorded in Q4 2018. On the other hand, the actual loss value rose from 2.2M in Q4 2018 to 93M in Q1 2019 making it the channel with the highest fraud value for the OFIs.
S/N  Channels            Fraud Volume  Attempted Fraud Value  Actual Loss Value
1.   Across the Counter  24            5,550,903.50           4,800,903.50
2.   ATM                 8             537,100.00             523,100.00
3.   Cheques             1             950,031,065.00         950,031,065.00
4.   Internet Banking    11            430,700.00             117,200.00
5.   Mobile              85            13,762,261.25          13,629,391.25
6.   Web                 34            93,031,065.00          93,001,065.00
     Total               163           114,262,659.75         113,022,259.75
FRAUD BY DAY
Fraud Volume Comparison by Day Q4 2018 vs Q1 2019
Comparing Q1 fraud volume by day, Tuesday and Wednesday hold the highest count with 37 reported cases each. The day with the next highest fraud count is Thursday with 26, followed closely by Friday and Monday with 22 and 21 respectively. Sunday, on the other hand, recorded the least fraud volume with 8 counts.
Fraud Value Comparison by Day Q4 2018 vs Q1 2019 [In Millions]
In terms of actual loss comparison by day, Friday takes precedence over all the other days by a huge margin with a whopping value of N89.2 million. Wednesday and Tuesday come next with N11.8 million and N5.4 million respectively. Again, Sunday recorded the least amount, N1 million.
UNIQUE CUSTOMER ANALYSIS
DEFRAUDED CUSTOMERS
11,770 Unique defrauded customers in Q1 2019
11,770 unique customers were defrauded this quarter. This is a drastic rise from the reported 5,534 and 3,314 unique defrauded customers in Q1 and Q4 2018 respectively. About 60% of the defrauded customers fall within 20 and 39 years of age. 62% of customers defrauded were male and 32.62% of these customers reside in Lagos.
AGE DISTRIBUTION
Below 20: 2.72%
20 - 29: 30.37%
30 - 39: 29.55%
40 - above: 37.25%
GENDER DISTRIBUTION
62% / 38%
DISTRIBUTION BY LOCATION (STATE) TOP 10 STATES
Lagos: 32.62%
Ogun: 6.67%
Delta: 6.30%
Rivers: 5.98%
Oyo: 5.38%
Anambra: 3.40%
FCT: 2.84%
Edo: 2.65%
Kaduna: 2.62%
Abia: 2.33%
FRAUDULENT CUSTOMERS
178 Unique fraudulent customers in Q1 2019
178 unique customers were reported to have received fraudulent proceeds in Q1 2019. This shows an increase from Q4 2018 values. Customers between the ages of 20 and 29 years old made up 57.32% of fraudulent customers.
AGE DISTRIBUTION
Below 20: 2.55%
20 - 29: 57.32%
30 - 39: 24.84%
40 - above: 15.29%
GENDER DISTRIBUTION
78% / 22%
WATCHLISTED CUSTOMERS
172 Watchlisted customers in Q1 2019
In Q1 2019, only 172 customers were reported for watchlisting due to their involvement in fraud-related activities. 83% were male and 80% of the customers were between 20 and 39 years old.
AGE DISTRIBUTION
Below 20: 4%
20 - 29: 45%
30 - 39: 35%
40 - above: 16%
GENDER DISTRIBUTION
83% / 17%
FRAUD INTEREST INDEX (FII)
Fraud Interest Index is a mathematical fraud model that shows the channels with the best Return on Investment (ROI) for fraudsters. The greater the ROI, the higher the probability of fraudsters exploiting a channel. Mobile takes precedence as the channel with the highest FII for this quarter. The ATM, as expected, also mirrors a high FII and is sure to maintain this level of interest to fraudsters should all conditions supporting this remain the same. The unexpected increase in FII for across the counter can be attributed to the fact that very few attempts were made yet significant losses were recorded. We can reiterate that institutions need to be constantly alert, anticipating that fraudsters will always be dynamic in operations, constantly seeking loopholes to exploit.
CHANNEL            FRAUD INTEREST INDEX (FII)
Across Counter     24.13%
ATM                20.38%
Cheques            0.66%
E-commerce         0.03%
Internet Banking   0.13%
Mobile             27.40%
POS                3.80%
Web                15.11%
Others             8.36%
Total              100.00%
INDUSTRY ANTI-FRAUD REPORTING PORTAL UPGRADED
Over the years, the financial industries have adopted the Industry Anti-Fraud reporting portal as a means of rendering fraud returns in line with the CBN mandate. The analysis of reported data has also helped the institutions in taking control measures against prevalent fraud schemes in the industry. In a bid to improve the quality of the industry fraud reports, NIBSS has upgraded the existing portal. The upgraded portal will allow for the gathering of trending fraud data that will enhance the quality of industry fraud reports. It will also make fraud reporting more comprehensive, comfortable and efficient. It is expected to improve the user's experience. The portal was redesigned to collect three types of reports, namely Fraud Returns, Fraud and Forgeries rendition to the Central Bank, and Security Breaches. Financial institutions were expected to start reporting fraud data from April, 2019.
Courtesy of the Nigeria Inter-Bank Settlement System (NIBSS).
BIOMETRICS
DAON INC
Leveraging trust for better digital transformation
IDENTITY ASSURANCE SOLUTIONS INNOVATOR, Daon hosted a biometric identity event in Lagos in May where its president for EMEA and APAC, Clive Bourke, called on banks and fintechs to improve their biometric authentication offers to increase their customer bases and prevent fraud. The biometrics specialist gathered companies from the telecoms and financial sector including FirstBank, EcoBank, StanbicIBTC and UBA for a meeting to promote the digital possibilities of adopting biometrics-based customer verification rather than relying on potential customers visiting physical premises. “The potential for growth is very significant. Presently, I think we are at the course of starting, it is not significantly developed, there is some good things done already. The truth really is that Nigeria has a growing volume of banking customers. Within that growing of banking customers, there is a growing adoption digitally,” said Bourke. The event provided great discussion, presented a vista of opportunities, and left our guests with a general realization that if banks want to innovate and simultaneously reduce fraud, authentication of users across multiple platforms/channels is a business imperative. It was clearly established that there are opportunities for digital onboarding, which allows customers to register through mobile or web channels, strong multi-factor authentication for omnichannel platforms, and voice biometrics in the call centre, which eliminates the need to speak to an agent or use knowledge-based authentication (KBA) to verify customer identity. In the two years that Daon has been operating in Africa, it has seen tremendous growth as more banks move toward digital transformation and seek a competitive edge by embracing innovative technologies.
Trends & Tactics RICH FORM FACTOR
LUXURIOUS BREAKTHROUGH FOR JUST THE WEALTHY FEW
A TEAM OF JEWELLERS, watchmakers and designers at Swiss fintech brand Armillion has crafted a luxury arm candy - a payment bracelet with a staggering contactless spending limit of £1 million. Beyond the ability to make an enormous purchase with a single swipe, the Armillion Adamantos bracelet – which is tailored in limited 10-unit editions for select prestigious customers – is also compatible with home and vehicle security systems for keyless entry. The Adamantos is crafted from the toughest advanced engineered materials, enveloped in luxurious black high tech ceramic and detailed with 18k white gold. Each piece is embellished with a delicate combination of 252 diamonds.
The bracelet is backed by Mastercard with “bank-grade encryption” and links to an app, where owners can set up their banking information to use it anywhere in the world. It never needs to be plugged in to charge but uses each scan to charge itself automatically. Armillion uses a technology provided by leading global payment companies to establish an instant bank account assignation: it completes payment, simply by placing the bracelet near a card reader.
BY THE NUMBERS
$7.6 trillion
Projected value of the global digital payments market by 2024, recording a CAGR of 13.7% from $3.4 trillion in 2018, according to insights from Analytical Research Cognizance.
8.5 million
Number of PoS terminals the Indian government has mandated banks to deploy across rural areas and the northeastern states in order to meet a target of 40 billion digital payments in the country in the current financial year.
97%
Increase in donations to tech-savvy churches that turn to contactless technology for their collection plates, according to SumUp, the company building devices that allow churches to take digital donations.
ARMILLION / CAPER / APPLE
RETAILING FROM THE FUTURE
Smart cart technology enhances the shopping experience
AWARE OF THE CHANGING NEEDS of consumers today, an American company has revealed an alternative to the smart grocery store: a smart shopping cart with all of the technology for checking out built in. Equipped with an interactive display and card swiper, the Caper smart shopping cart lets shoppers scan an item's barcode as they shop and pay before they leave. According to Caper, its shopping cart is the first of its kind powered by artificial intelligence. Integrated sensors are designed to identify the items chosen by the customer as they’re put into the cart. A virtual basket is displayed on the screen with each item and how much it costs. Caper is currently working on a more evolved version that includes image recognition and a weight sensor so that products can be scanned as they are put in the carts. The startup said that sales went up 18% for stores using the technology. For now, Caper is marketing the smart cart as a more affordable, scalable solution for businesses looking to get in on the autonomous shopping action. The company is seeking to help retailers redirect cashier operators to other sectors within the store such as consumer assistance or shelf replenishment. Caper said that information stored by the shopping cart may be used, for example, to optimize store layout. An additional advantage that Caper has over its competitors is that it can expand the shopping experience for consumers, offering them complementary products to the ones they have in the cart or telling them about deals near their location.
APPLE CARD
Titanium beast built for privacy and security
APPLE HAS MADE ITS FIRST foray into financial services with a credit card, well, done the Apple way: minimalist, titanium and laser-etched, and focused on privacy and security. CEO Tim Cook called it the most significant change to card payments in 50 years. The card is simplistic: It comes totally free of a card number, expiration date and the CVV security code - because that information is stored securely in the iPhone. If users need it, they can access their number through Apple's Wallet app using Face ID or Touch ID. However, the tech company envisions most payments being made directly through the iPhone via Apple Pay. It also promises not to track payment data — information that only card partner Goldman Sachs will have, and which it has promised not to sell or share with third parties for marketing purposes. Card holders can easily track their spending in-app, which Apple will use machine learning and Apple Maps to colour-code by categories and locations, and serve up in weekly or monthly user-specific reports.
Trends & Tactics
LOCAL DIGITAL CURRENCY
BELFAST, THE CAPITAL CITY of Northern Ireland, has partnered with Israel-based Colu for the launch of Belfast Coin, a payment platform that enables participants to earn rewards for taking part in ‘good citizen’ activities such as shopping at local businesses, volunteering and recycling. Each ‘coin’ will be worth £1 and can be used to buy items in participating shops, restaurants or businesses, according to Belfast City Council.
FAST FOOD: Kenyan social enterprise Food for Education rolled out this contactless wristband, which is linked to parents’ accounts, to help school children pay for discounted meals. To pay, students tap the wristband on an NFC reader, which debits the cost of the meal and sends a notification to their parents letting them know they have eaten. The whole process takes less than five seconds. The organization runs a feeding programme for public primary school children in Kenya and is introducing the payment system to help it expand from 3,000 to one million students a day.
ARTIFICIAL INTELLIGENCE
NFCWORLD
Up to a fifth of capital markets jobs at risk from automation
FEARS OF ARTIFICIAL INTELLIGENCE from within the financial services may be justified, as research from consultancy firm Opimas has indicated that as many as four hundred thousand capital markets jobs could disappear over the next decade as advances in automation decimate the workforce. Opimas believes the asset management industry - already under tremendous pressure due to declining management fees and slowing asset inflows - will see some of the greatest cutbacks in the workforce, shedding about one third of its headcount. While the size of staff in the capital markets will drastically decrease, Opimas also expects a shift in the profiles of employees, as experts in AI, data science and cybersecurity are fought over in a fight to recruit fresh talent. It points out that since early 2019, more than 35% of the job offers published by financial institutions specifically target candidates with a technology profile. "Yet hiring people with these skills is increasingly difficult, as the demand for tech experts is currently outstripping the supply," notes the consultancy. "The reason: The ideal candidate for the capital markets must have double expertise in business, administration or mathematics and also in specific technologies such as Python, data visualization, etc. The new gem in recruitment is a candidate that possesses science, technology, engineering, and mathematics (STEM) specialisation." To adjust to the changing landscape, financial institutions must implement a new talent strategy, says Opimas, not only because they have to recruit new employees with different skill sets, but also because they have to bridge a talent gap within their own organizations. "Reskilling or upskilling current employees is a necessity, and financial institutions are being pushed to diversify their learning and development programs," the consultancy concludes. "In their transition to the workforce of the future, financial institutions will face significant challenges and must completely rethink their internal organization. Business and talent strategies will have to be aligned from the top, requiring strong support from executives."
EUROPE'S LAST BASTION OF CASH
GERMANY HAS SEEN digital payments eclipse traditional cash-based payments, according to a study by Cologne-based EHI Retail Institute, which showed that in 2018, card payments accounted for 48.6% of total retail sales, narrowly overtaking the 48.3% of cash payments. The main causes of the growth were a 4% increase in sales from Germany's debit card system and a growing trust in card payments among German consumers, especially young people.
APIS FOR DIGITAL EXPERIENCES
VISA HAS UNVEILED A platform with a set of beta APIs and development tools that help issuers and issuer processors build and test digital payment products. Available to the payment giant's clients and partners through a new site, called Visa Next, the platform promises to "help re-imagine" how people access, manage and control their money in the digital age. The APIs will have a host of functionalities, including digital card accounts creation and instant tokenization of digital accounts.
Mexico to launch national NFC & QR payments system
MEXICO’S CENTRAL BANK Banxico has begun trials of its cashless QR and NFC Cobro Digital (CoDi) electronic payment system with employees of financial institutions in preparation for a national rollout at the end of September. The introduction of electronic payments aims to reduce Mexican consumers’ dependence on cash and drive use of bank accounts, according to Deputy Governor of the Bank of Mexico Gerardo Esquivel. “CoDi will be a mandatory payment system for all banks in the financial system. It will have a few months of evaluation and learning for its full implementation at national level, and will become very important in terms of financial inclusion,” he said. A further aim of the system is to crack down on problems such as money laundering, tax evasion and corruption in the country.
Facebook to launch own crypto in 2020
SOCIAL MEDIA GIANT FACEBOOK plans to roll out its own virtual currency across a dozen countries by early 2020, with trials beginning by the end of this year. The BBC said the company is in talks with US and British financial regulators as well as multiple high-frequency trading firms, money transfer firms, and banks to discuss operational and regulatory issues relating to the cryptocurrency. Facebook’s aim is to ensure those without a bank account can make secure payments, and the Big Tech company will collaborate with banks and cryptocurrency exchanges to exchange fiat currencies into virtual coins, placing the company in a better position to further disrupt traditional lenders and fintech startups trying to do the same. Analysts predict that the cryptocurrency could allow Facebook to earn as much as $19 billion in additional revenue by 2021.
FINANCIAL EXCLUSION
The vulnerable will struggle in a cashless society
THE SUSTAINED PUSH TOWARD A WORLD DEVOID OF CASH WILL have major consequences including financial exclusion, system vulnerability, loss of personal independence and increased risks of abuse. These were highlighted in a new report that claims millions of people could suffer. Across many economies, cash use has fallen as banks continue to drive consumers toward digital payment methods that are cheaper and easier for the banks to manage and offer more succulent fees than cash. But the report, called the Access to Cash Review, published in the UK finds that the rush to embrace digital payments risks leaving people behind, especially the most vulnerable in society. Amid the many benefits of digital payments – ease of use, potential to cut costs for businesses and reduce tax evasion, corruption and organized crime – the report warned that drifting into a cashless society would handicap those who are poor or in debt or disabled, rural families, and people who don’t have cards or bank accounts, or who have difficulty using smartphones and computers for banking and payments, or who lack broadband and mobile connectivity. For the report, researchers spoke to central bankers, consumer groups and a cross-party commission in Sweden, considered to be the most cashless society in the world. Half of Sweden’s retailers expect to stop handling cash by 2025. A fifth of Swedes don’t withdraw cash anymore, and only 13% reported using it for a recent purchase, compared to 40% in 2010. Some 85% of transactions in Sweden happen by card, online, or a payment app. The report says Sweden’s experience “outlines the dangers of sleepwalking into a cashless society: millions of people could potentially be left out of the economy, and face increased risks of isolation, exploitation, debt and rising costs.” Meanwhile, a projected dip in cash use has prompted some pushback from governments with some cities in the US banning cashless stores in a move that will require most retail stores to accept cash as opposed to credit cards or mobile devices.
Research shows NFC tags ready for payment mainstream
THE POS FOR SELLING IN-STORE AND BEYOND: Canadian e-commerce company, Shopify has unveiled a new point-of-sale (POS) device for retailers -- the Shopify Tap & Chip Reader -- to simplify and speed up in-store transactions. The system lets consumers make a payment by tapping their phone or inserting a debit or credit card. It supports Visa, Mastercard, American Express, Discover, Apple Pay and Google Pay, and is EMV and PCI certified. It also allows for such additional functionality as inventory management.
DEPLOYMENT TRENDS
SHOPIFY
Global ATM numbers set for a decline as demand for cash decreases
AS THE CASHLESS TREND PICKS UP PACE IN major markets, ATM numbers are seeing a swift fall. Research from London-based consulting firm RBR shows that the number of ATMs installed worldwide fell by 1% in 2018, to stand at 3.24 million, impacted by branch closures and the rising popularity of mobile payments. The report, Global ATM Market and Forecasts to 2024, said more than half of the world's ATMs are located in only five countries: China, Japan, the United States, Brazil and India. All except India saw declines in ATM numbers in the past year. Reasons for their decline vary across markets: in China, the swift adoption of non-cash payments has contributed to a similarly rapid fall in ATM installations. In the U.S., branch closures have led to fewer bank ATMs, while the number of independently operated machines fell as some retailers chose to withdraw them rather than upgrade to EMV standards. Numbers in Japan fell for the first time since 2009, as banks have increased ATM sharing in a bid to improve operational efficiency, while the removal of 1,200 terminals in Brazil was due to banks reacting to a surge in the use of digital channels. While the total number of ATMs worldwide experienced a decline in 2018, this figure actually grew in most countries, particularly in developing markets across Asia-Pacific, the Middle East and Africa and Latin America. The report cited financial inclusion initiatives in these regions as contributing to stemming the fall in global ATM numbers, which is set to decline slowly over the next five years to 3.22 million as a result of branch closures and a rise in mobile payments.
NFC TAGS REPRESENT AN “ENORMOUS growth opportunity” and are now “ready for the mainstream”, according to a forecast by ABI Research, which also said more than 10bn silicon NFC tags will be in use by 2023, while the percentage of smartphones equipped with NFC functionality will reach 70% by that time. “Silicon tags are better equipped than ever before in terms of cost, scalability, flexibility, interoperability, and compatibility, in addition to having a mature wider ecosystem to help ensure NFC tags can be quickly and effectively integrated into cost-sensitive and high-volume products,” ABI explained in the report. Successful implementations and rollouts by leading brands and product owners over the last couple of years, meanwhile, have led to increased awareness about how NFC tags work, what type of products are successful, and how best to implement an NFC tag solution. “The emergence of increasingly feature-rich NFC tags, as well as gains in tag production efficiency that have lowered unit costs to less than US$0.05, can potentially enable a vast array of products to be easily interacted with through a simple tap,” the analysts said. In the paper, ABI analysed the factors expected to drive penetration and adoption of NFC tag technology over the coming years. It examined traditional use cases (including gaming, connected toys, and pairing), contemporary use cases (proximity marketing, brand protection, configuration and parameter setting) and emerging applications (sensors for monitoring, provisioning headless IoT devices with embedded connected tags).
The Gimlet Eye
How can banks build a genuine, effective digital culture? By MATT PHILLIPS
THE HUGE GLOBAL INCREASE IN CONNECTIVITY, prompted by the launch of mobile devices, has affected banks just as much as retailers. As a result, financial institutions have had no choice but to put digital at the front and centre of their strategies – using technology to enhance the customer journey at every touch point, personalising services, combining channels, and using big data to make the consumer’s banking experience more seamless. As the industry is starting to see, organizations that do this successfully can gain loyalty from customers, attract new business and make savings along the way. We know that financial institutions haven’t always been able to effectively digitally transform at the pace they need. However, digital is no mere fad, and so finding a new approach is essential. After all, it is estimated that by 2025, 40% of Fortune-500 companies will have vanished because they will have failed to keep pace with the changes now underway. Customers increasingly expect a digital experience and financial institutions, therefore, have no choice but to provide one.
BUSINESSNEWS.COM.NG
A digital approach is a people-first approach
To deliver a digital experience to their customers, financial institutions need to build a digital culture into their processes and foster this among their staff. They also need to remember that investing in technology alone doesn’t make them digital. That’s because ultimately, any digital strategy must start by putting people at its heart. Digital teams must ask – what do our customers want to achieve? What’s the journey like for them? What information do they need access to, and how do they want to access it? And, crucially, how do we help our staff make this possible? It’s only by understanding the answers to these questions that a financial institution can then start to build and implement the technology that will best support its customers. Of course, every customer likes to deal with their banks, lenders, mortgage providers, or current accounts differently, so it’s likely that there’s no one simple answer to these digital strategy questions. One banking customer might be very happy to embrace the whole mortgage process from their living room, even down to booking their removal firm from the banking app on their smartphone. For others, a transaction like this is preferable face to face, but they would expect services and information to be readily available via engaged and knowledgeable staff in branch. Financial institutions need to consider this, and make sure that their digital investments support a wide range of customer journeys and preferences. Achieving all of this, of course, is no mean feat, and there is a growing need for banks to put customers and people at the heart of every digital change. So, how do banks need to change culturally to make that happen?
Building a digital culture
Of course, financial institutions need to invest in technology and continually monitor developments in digital applications, but it is nowhere near good enough just to give staff new technology and tell them to get on with it.
If banks are serious about going digital, they must create an organization that is customer-focused. For many, this involves a certain amount of cultural change at an internal level. Initial steps might seem small – such as cross-team working to encourage new ideas, or data analysis to understand customer trends and requirements better – but steps like this are vital for setting out on the right path, and for making the right digital choices in the long run.
Most banks already have a crew of ‘digital natives’ who can contribute to the process (according to some reports about 50% of today’s workforce is currently considered to be digitally native). So, banks can benefit from not only informing, but also actively engaging enthusiastic staff from the beginning. When barriers are removed, and contributions welcomed, a ‘learn fast’ rather than a ‘risk averse’ approach can inspire creativity and foster digitalisation. Once initial steps have been taken to encourage collaboration and agility, concept work and R&D will be essential to digital development. Every new innovation must be tried and tested, a process that involves stakeholders and many levels in the business – from customer experience teams in branch, to security professionals at HQ. Before new technology can be put to work, financial institutions must also train staff effectively. For many front-line employees in the branch, a switch to digital might involve them having less of a transactional role and becoming more customer-facing, so an educational programme to bring staff onboard with change, if they’re not already, is essential. Many, or all, of these steps require an adjustment – whether that’s because traditionally siloed teams must work with other departments in the business, or because projects may need to change direction or morph as time goes on. Cultural change is not easy – in fact, according to Harvard Business Review, three-quarters of all organizational change initiatives fail. This makes it all the more important that financial institutions help staff to see the benefits of change. Certainly, there is reason to hope that employees will be keen, if they understand the future benefits of transformation. In short, digital culture requires greater collaboration, agility and, above all, a strategy and vision that is designed to put people first.
Because for financial institutions who can engage with customers in a way that adds real value to their daily lives, the digital future looks very promising indeed.
Matt Phillips is Vice President and Head of Financial Services at Diebold Nixdorf United Kingdom. Courtesy of globalbankingandfinance.com.