Capturing The Potential Of The World’s Accelerating Digital Payments Ecosystem – Consumer Protection

Capturing The Potential Of The World’s Accelerating Digital Payments Ecosystem – Consumer Protection

Along with many other countries, Canada saw a precipitous spike
in the use of and reliance on digital payments in the wake of the
pandemic.

And while digital payment technologies were already a
significant focus for businesses in the financial services sector
before the crisis, the acceleration of these systems continues to
raise unique issues for both consumers and companies.

In this article, we explore this trend and how organizations can
adapt their strategies and develop a risk mitigation approach to
seize opportunity and stay competitive in the evolving digital
payments ecosystem.

Shifting to a cashless society

Consumer behavioural changes triggered by the spread of
COVID-19, and the resulting shutdown of the physical economy, have
accelerated pre-existing trends in Canada toward adoption of
digital payments1. A recent Payments Canada
study comparing consumer spending habits pre-COVID-19 found that at
week five of the pandemic, 62% of Canadians were using less cash.
The study also showed a dramatic increase in the use of
e-transfers, PayPal and contactless payment apps for food delivery
services such as Uber Eats and Instacart. A total of 42% of
Canadians said they avoided shopping anywhere that did not accept
contactless payments2.

For business transactions, the shift to widespread use of
digital payments is here to stay. It is estimated that, as a result
of COVID-19, by 2025, 67% of global transactions (by value) will be
done digitally—a significant increase from the 57% previously
estimated for that time period3.

While digital payment systems benefit both consumers
(efficiency, consumer choice) and businesses (market penetration,
access to valuable consumer data), they also come with privacy and
cybersecurity risks that organizations need to be mindful of as
they refine their digital payment and risk mitigation strategies to
take advantage of the ongoing shift toward a cashless society.

Risks facing consumers

The move to online payments has coincided with increased
instances of data breaches and cyber scams aimed at exploiting
consumer data to perpetuate identity theft and financial fraud.
Cyber criminals are taking advantage of the pandemic as a thematic
lure or subterfuge for their malicious activities4.

For instance, one notable SMS phishing campaign claimed to
provide applicants for the Canadian Emergency Response Benefit
(CERB) with a link where they could access their benefits, but only
once they divulged personal financial details5.

Key consumer-related risks associated with digital payments
include:

  • Increased risk of phishing and social engineering
    scams.
    Consumers new to digital payments may be at an
    increased risk of scams leading to identity theft and other forms
    of fraud. Phishing and social engineering scams have become more
    sophisticated, making them harder to spot—and therefore, more
    successful. In most instances, cyber criminals focus on real-time
    compromises of consumer devices or exploiting communication
    channels. For instance, a customer who has recently downloaded a
    digital payment app may not be surprised to receive a message
    asking for more information or directing them to further validate
    their account password as part of a two-factor authentication step.
    This makes them more likely to click on a link that installs
    data-stealing malware on their phone, or to type their personal
    information into a fraudulent website that looks nearly identical
    to a legitimate one.

  • Insider threat. Instances of malicious
    insiders include current or former employees, vendors, or
    contractors who have misused their access or misappropriated other
    employees’ credentials to mine an organization’s data for
    personal gain. These insiders may sell the data to cyber criminals
    or use it themselves for fraudulent purposes6. While
    this risk has traditionally been difficult to detect even under
    normal business conditions, the rise of digital payments by
    consumers and businesses multiplies the risk of harm. Consumers may
    now share banking and other financial data directly with businesses
    that previously used intermediaries (or cash), or when seeking
    technical support for online payments, delivering new, highly
    valuable data to malicious insiders.

  • Systems breakdown. The breakdown of part or
    all of the digital payment ecosystem due to a systems outage (e.g.,
    technical or equipment failure), cyber-attack (e.g., zero day
    attacks), or natural disaster is always a risk. However, as more
    consumers rely primarily, or exclusively, on digital payments, the
    consequences of a service disruption could have much more
    significant consequences for individual financial transactions and
    for the Canadian economy more broadly. Such breakdowns could also
    expose customer data to cyber fraud and identity theft.

Risks for organizations

As they implement products and services within the digital
payments’ lifecycle, businesses must consider their risks and
vulnerabilities.

  • Data breaches. When businesses enter the
    digital payment space there is an increase in cyber-related threats
    in part because the volume, variety and sensitivity of information
    an organization may process is expanded. A business that relied on
    in-person transactions, or that has pivoted from wholesale to
    consumer service, may traditionally not have collected the
    sensitive personal data associated with digital consumer payments,
    and may be unprepared to adequately protect it. COVID-19 further
    compounds these risks because employees may be accessing sensitive
    payments data from personal devices or home Wi-Fi networks that are
    poorly secured in comparison to corporate IT infrastructure or
    using new tools that may not be vetted by corporate IT.

  • Regulatory and related risks. Digital payments
    bring with them new forms of data to which organizations may
    previously not have had access, including transaction and consumer
    behavioral data. Organizations need to ensure that they collect,
    use, share, and safeguard such data in compliance with regulatory
    and contractual obligations as well as industry standards. In
    addition to privacy and competition law obligations, organizations
    need to be mindful of whether they are required to comply with
    industry-based regulations such as the Payment Card Industry
    Data Security Standard
    , and/or contractual obligations by
    financial institutions, payment card networks etc.

    Organizations also need to prepare for upcoming changes in the
    regulatory landscape such as the federal government’s proposed
    introduction of open banking in Canada (read our analysis on open
    banking reforms here). Failure to comply with one’s
    regulatory obligations can result in consumer complaints to
    regulators or independently attract a regulator’s attention,
    which in turn can result in regulatory penalties.

    Québec, as part of its privacy reform, is proposing to
    impose monetary administrative penalties of up to $10,000,000, or
    the amount corresponding to 2% of the organization’s worldwide
    turnover, for a variety of contraventions, including for failure to
    report a breach and processing of personal information in
    contravention of Québec’s private sector privacy
    act.


  • Litigation. Organizations are increasingly
    facing civil liability for failing to comply with their regulatory
    obligations, predominantly in the form of privacy and data breach
    class actions (for more on our analysis of privacy data breach
    related litigation risk trends, see our articles here and here). Compliance violations associated with
    sensitive consumer payments data are particularly likely to attract
    civil litigation.

Adjust your digital strategy to mitigate risk

Companies that see—and seize—opportunity in the
current crisis to invest in proactive measures and build
relationships of trust with their customers will fare best in this
time of rapid transformation for the digital payments
environment.

Companies that invest in prevention, detection, monitoring, and
ongoing response to cyber threats will stand out amidst companies
that merely try to ride out these changes without investing in
their infrastructure or relationships. This may be the time to map
your company’s data flows, test your organizational
infrastructure, identify weaknesses that fraudsters could exploit,
and triage the plan for improving those systems.

It is also the time to undergo careful diligence on any third
parties you partner with for payment processing, ensure you have
contractual safeguards so that third parties remain accountable,
and confirm that backstop measures such as cyber insurance,
alternative data processors, and record keeping systems to address
the risks associated with consumer payment incidents. It would also
be timely to review internal cyber and privacy training plans and
the frequency of refresher communications.

The current momentum in the adoption of digital payments offers
an opportunity to build on existing relationships with customers
and clients through communication and education on privacy and
security.

  • Explain the risks and make sure your customers are clear on how
    you will or won’t communicate with them so that they can better
    avoid falling for scams.

  • Remind consumers of the importance of creating difficult
    passwords and changing them regularly, and send out “calls to
    action” when passwords are changed.

  • Consider creating a reporting service where customers can
    participate in helping to curb fraud by informing you of suspicious
    texts and emails they receive—Interac was able to take down
    4,400 phishing sites that were fraudulently using its logo through
    this method alone7.

Businesses at the forefront of these changes will build enhanced
trust with their customers and within the wider community, gaining
a competitive advantage as they move to implement robust digital
payment systems in their organizations.

Footnotes

1 Digital payments are a form of payment where
the payer and payee use electronic modes to send and receive money.
This can include online money transfer services like Paypal,
contactless and online app-based payments, as well as digital
wallets and digital currency exchange.

2 Payments Canada’s May 13, 2020 Report.

3 Bain Analysis, Figure 2.

4 The Canadian Centre for Cyber Security noted
in their June 2020 Bulletin that as of 27 April 2020,
they are aware of over 120,000 newly registered COVID-19 themed
domains, a large proportion of which was considered malicious or
related to fraudulent activity.

5 See Canadian Center for Cyber Security’s
June 2020 Bulletin.

6 Even though negligent or error prone
insiders also expose organizations to cyber risks (e.g., social
engineering hacks—phishing, impersonation, business
compromise fraud etc.), these types of insider risks are easier for
organizations to address through a combination of training and
robust information security systems.

7 See Interac’s Report on Fraud
Prevention
.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

I'm business helper , i have 20 year experience in business management sector. I help many business owners to grow business. My passion is helping fellow entrepreneurs and small business owners succeed.

Leave a Reply

Your email address will not be published. Required fields are marked *