Page 8 - FIGI Digital Financial Services security assurance framework
Executive Summary
The provision of digital financial services (DFS) involves a complex ecosystem with the participation of different stakeholders such as banks, DFS providers, mobile network operators (MNOs), DFS platform providers, regulators, agents, merchants, payment service providers, device manufacturers, application developers, token service providers, OEMs, and clients. The interconnectedness of these system entities and the reliance on several parties in the ecosystem extend the security boundaries beyond the digital financial service (DFS) provider to the customers, network providers, mobile phone manufacturers, and other third-party providers in the ecosystem (see sections 4.1 and 4.2 of the report).

In addition, DFS providers must also deal with an increasingly complex mobile ecosystem, developing applications for multiple versions of operating systems, each with their specific vulnerabilities, and supporting different types of mobile devices. In this fast-evolving, dynamic environment, DFS providers face certain challenges concerning knowledge about the actual security threats and the possible security controls to mitigate the risks.

The DFS Security Assurance Framework provides an overview of the security threats and vulnerabilities facing the DFS providers (banks and non-banks providing mobile money services), mobile network operators, customers, payment system providers, merchants, and technology services/third-party service providers. Regulators, including telecom authorities and banking and payment regulators, could also make use of the DFS Security Assurance Framework for establishing security baselines for the DFS providers.

The framework, when implemented, would complement the established risk and information security management practices of the stakeholders involved in the DFS ecosystem. For example, the security control measures in the document can be included as part of the ICT security programme of the DFS provider.

The DFS Security Assurance Framework recommends a structured methodology for managing security risks that DFS providers offering digital financial services could implement to:

• Enhance customer trust and confidence in digital financial services.
• Clarify the roles and responsibilities of each of the stakeholders in the ecosystem.
• Identify security vulnerabilities and related threats within the ecosystem.
• Establish security controls to provide end-to-end security.
• Strengthen management practices with respect to security risk management in a way that is inclusive of all DFS stakeholders.

The DFS Security Assurance Framework provides a systematic security risk management process for assessing threats and vulnerabilities and identifies appropriate security control measures to be implemented by the DFS provider and mobile network operator for threats targeting the user, the mobile device, the mobile network operator and the DFS provider. Threats related to merchants, payment service providers and other financial services organizations, and the specific mitigations for addressing the threats that they face, are out of scope for this document. The report complements the work undertaken under the Cybersecurity workstream in the Security, Infrastructure, and Trust Working Group on the methodology for financial services organizations to manage and respond to cybersecurity incidents.

The DFS Security Assurance Framework consists of the following components:

a) A security risk management methodology based on ISO/IEC 27005 – Security techniques – Information security risk management (Section 7 of the report).
b) Assessment of threats and vulnerabilities to the underlying infrastructure of the mobile network operator and DFS provider, DFS applications, services, network operations and third-party providers involved in the ecosystem for DFS delivery.
c) Mitigation strategies based on the outcome of (b) above. The mitigation measures identify 119 security controls for the security threats, which are outlined in Section 8 of the report.

Section 9 of the report provides a template of security best practices for mobile money smartphone applications which could be included in an app security policy document by DFS providers. The template strictly considers the mobile application on the device unless stated otherwise, and subsections describing recommendations deal with various aspects of the operation or underlying policy relating