An Account Aggregator (AA) is a Non-Banking Financial Company. These non-banking entities are regulated by the Reserve Bank of India (RBI). In order to perform the job of an account aggregator, these entities should obtain a license from the regulating body i.e., RBI. Such entities act as a bridge or a medium for transmitting the financial data between the data-requesting institution and data-providing institution also known as Financial Information User (FIU) and Financial Information Provider (FIP) respectively. This process of sharing the user data from FIPs to FIUs will only be carried out after explicit consent from the user. The AAs will never facilitate any kind of transaction involving money made by users or customers. The AAs will not be undertaking any other business other than the business of an account aggregator.
The RBI, being the regulatory body, has prescribed a Master Directive for AA (RBI/DNBR/2016-17/46 Master Direction DNBR.PD.009/03.10.119/2016-17), as AAs are involved in the transmission of users' financial data. It is necessary for all the entities carrying out the business of Account aggregators to be compliant with the Master Direction document which is considered a regulatory requirement.
As per the Master Directions defined by RBI, an Account Aggregator shall transmit the financial data about or of the user only after receiving formal consent from the user. The consent from the users can be obtained in electronic format by the AAs. AAs should store the consent obtained by the users for transmitting the financial data to the FIUs. The AAs shouldn’t store any other financial data other than the data for which the consent is received by the user.
The consent received by the AAs should include the Identity of the customer and optional contact information, the nature of the financial information requested, the purpose of collecting such information, if necessary the identity of the recipients of the information, URL or other address to which notification needs to be sent every time the consent artifact is used to access information, consent creation date, expiry date, identity, and signature/digital signature of the Account Aggregator and any other attribute as may be prescribed by the Bank at any point of time.
The latter-mentioned attributes should be displayed to the user at the time of receiving the consent form the user. The AAs Shall(Shall not), not request/access/store the user credentials of the users which may be manipulated/utilized for authenticating the customers to the FIP(s). The AAs should allow the customers/users to access the consents given by them and should be bestowed with the ability to revoke the consents provided by them for FIU(s) to access their financial information or parts of such information. Once the consent is revoked, a fresh consent artifact shall be shared with the FIP(s). An AA should have the request(s) and response(s) logs maintained by the FIP(s) recorded at the time of transmitting the data.
It is necessary for the AAs must enable secure data transfers of the requested data from the FIP(s) to its own systems and then to the FIU(s), to achieve such secure data transfer AAs shall employ the necessary IT framework and interfaces(s). The technology adopted by the AAs should be scalable to cover any other financial information or financial information provider as may be specified by the Bank in the future. An Account Aggregator is mandated to ensure adequate safety is built into its IT systems to protect against unauthorized access, data alteration/tampering, destruction, disclosure, or dissemination of records and data. An AA should adopt appropriate measures/controls for Disaster Risk Management and Business Continuity in order to provide a prolonged service to the customers/users without any disruptions. Information System Audit of the internal systems and processes shall be in place and shall be conducted at least once in two years.
An AA should constitute various internal mechanisms for reviewing, monitoring, and evaluating its controls, systems, procedures, and safeguards. The integrity of the IT systems should be maintained at all costs, and all necessary precautions should be taken to ensure that the records of the consents explicitly received by the users are not lost, destroyed, or tampered with. The account aggregator should establish a well-documented risk management framework which shall include a sound and robust technology risk management framework, strengthening system security, reliability, resiliency, and recoverability and deploying strong authentication to protect access to customer data and systems. AAs should formulate a Risk Management Committee consisting of not less than three members of its Board of Directors. AAs shall conduct a self-assessment of their existing outsourcing arrangements to validate the risk inherited from the outsourced vendor.
An Account Aggregator should not outsource any core management functions including Internal Audit, Strategic and Compliance functions, and decision-making functions such as determining compliance with KYC norms for opening deposit accounts, according to sanction for loans (including retail loans) and management of investment portfolio. The AAs are not permitted to outsource the service of an account aggregator from any vendor.
As prescribed by RBI, all AAs should comply with the master directions as prescribed by the regulatory body and the report must be submitted to the bank to obtain the license to perform the business of an account aggregator in India. This would call out the need for Subject matter expertise in Information Security to align the business controls to be in adherence with the regulatory requirements. Such firms/entities are assisted by CyRAACS (Cyber Risk Advisory and Consulting Service) in achieving information security compliance with the necessary documents as regulated by RBI.
CyRAACS will assist an AA in fulfilling the requirements set by the regulator by ensuring compliance readiness. CyRAACS provides internal audit services to AAs, supported by a team of trained professionals in providing an unbiased observation to the AAs by assessing their IT systems, applications, or processes in scope and ensuring adherence to the regulatory and statutory requirements. CyRAACS also assists an AA in assessing the security of their applications and web applications through vulnerability assessment and penetration testing, which provides the AA with an overview of the risks and vulnerabilities that need to be rectified in the application's development phase. CyRAACS will also offer a source code review of the applications in scope to ensure application quality assurance from the source code perspective.
The Process flow of an AA is exhibited below the Flow chart.
Step 1: The user registers with an Account Aggregator application providing his details.
Step 2: The user registers with a Financial Information User (FIU) to receive a particular service.
Step 3: The user links his Account Aggregator with the FIU application.
Step 4: The Account Aggregator authenticates the linking via OTP.
Step 5: Once the Account Aggregator is linked to the FIU application, The list of linked Bank accounts i.e., the Financial Information Provider (FIP) of the respective user is fetched by the Account Aggregator.
Step 6: The user Selects the specific FIP from the list of FIP fetched.
Step 7: An Authentication is done by the FIP via OTP to verify the user prior to sharing data.
Step 8: The User Review the Type of Financial Information to be shared, the purpose of sharing, and the duration of data being shared by the FIP to the FIU.
Step 9: Once the user accepts and proceeds, the requested financial data is shared by the FIP in an encrypted form to the aggregator which in turn is shared with the FIU.
The below picture depicts the AA ecosystems as of August 2021.
Keep Your Data Secure with CyRAACS Cyber Security Solutions. Our experts offer tailored solutions for businesses of all sizes. Contact us today!
APIs are the backbone of the internet, powering the applications and services that we use every day. With the rise of the API economy, there are now more APIs than ever before, and they are handling sensitive data. This makes API security more important than ever.
API is an acronym for “Application Programming Interface”. An API is an interface that allows two pieces of software to communicate with each other. It is a set of subroutine definitions, communication protocols, and tools for building software.
API security is the process of securing APIs from unauthorized access, use, or modification. It includes both the security of the data and code that make up the API, as well as the security of the API itself. APIs are increasingly being used by businesses to allow third-party access to their data and functionality. This can be done for a variety of reasons, such as allowing partners to integrate their systems with yours or allowing developers to build applications on top of your data.
However, this also opens the possibility for security breaches, if the APIs are not properly secured, then malicious actors can get access to sensitive and personal data. API security is important because it helps to protect sensitive and personal data.
The Importance of API Security
As per the Gartner Report – Predicts 2022, by 2025, less than 50% of enterprise APIs will be managed, as explosive growth in APIs surpasses the capabilities of API management tools. The report also states to further improve API security posture by developing a security strategy for threat protection, API security testing, and API access control that leverages newer approaches and vendor solutions.
9 Most Common API Security Threats and Vulnerabilities are:
While a breach of an API can lead to data loss, downtime, and loss of customers, the right API security solution will help you secure your APIs and prevent breaches. As per multiple industry surveys, for about 83% of companies, the question is not if a data breach will happen, but when. Usually more than once. When detecting, responding to and recovering from threats, faster is better. Organizations using AI and automation had a 74-day shorter breach lifecycle and saved an average of USD 3 million more than those without.
Not only are these breaches costly, but they're also becoming more sophisticated. API security is important because APIs are increasingly how businesses share data and connect with customers, partners, and employees. A breach of an API can lead to data loss, downtime, and loss of customers. That's why it's important to adopt best practices for API Security.
Here are some of the best practices for API security:
In this day and age, data is everything. Businesses rely on data to make decisions, large and small. This data is often stored in databases, which can be accessed by applications through an API.
An API can be used to access sensitive data; when you have an API, you are essentially sharing your data with the world. This means that you need to be sure that your data is safe and secure. Otherwise, a malicious actor could gain access to it and use it for nefarious purposes.
Keep Your Data Secure with CyRAACS Cyber Security Solutions. Our experts offer tailored solutions for businesses of all sizes. Contact us today!
Cybersecurity is at the forefront of technological colloquy, as information is the nucleus of the technological revolution, and the one who possesses information reigns supreme over the others. This information can be accessed and utilized against the owner of the said information by miscreants who would most likely profit from such actions. Although there are sundries of laws that prosecute such miscreants, it is the age-old saying that comes to mind that proves preventing a possible threat facilitated by a vulnerability in the system is better than mitigating its after-effects- “Prevention is better than cure”.
It is imperative to understand the distinction between a cyber-attack and a cybersecurity threat. A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. Whereas a Cybersecurity threat is a potential negative action or event facilitated by a vulnerability that results in an undesirable impact on a computer system or application.
There are millions of cybersecurity threats that people encounter on a daily basis whilst going about their day, it is estimated by a Clark School study at the University of Maryland that there are 158,727 attacks per hour, 2,645 attacks per minute, and 44 attacks every second of every day on average across the global spectrum. In fact, there would have been 189 attacks across the world by the time you read this sentence. These attacks are caused by exploiting vulnerabilities in the system and these weaknesses are termed threats. By the end of this article, you will have an introductory ode to the world of Cybersecurity threats, their inhibition, and mitigation.
The following are the main cybersecurity threats faced by individuals and organizations:
Malware is an all-encompassing term for a variety of cyber-attacks including Trojans, viruses, and worms. Malware is simply defined as code with malicious intent that steals data or destroys something on the system it is hosted on. The purpose of malware is to intrude on a machine for a variety of reasons. From the theft of financial details to sensitive corporate or personal information, malware is best avoided, for even if it has no malicious purpose at present, it could well have so at some point in the future. Downloading infected files as email attachments, from websites, or through filesharing activities and OS vulnerabilities. Clicking on links to malicious websites in emails, messaging apps, or social network posts are popular proliferation method.
Steps for mitigation of malware once the system is affected as stated by ncsc.gov.uk :
Phishing is when attackers send malicious emails, communications, or messages designed to trick people into falling for a scam. Typically, the intent is to get users to reveal financial information, system credentials, or other sensitive data.
Types of phishing attacks:
A password attack refers to any of the various methods used to maliciously authenticate into password-protected accounts. These attacks are typically facilitated through the use of software that expedites cracking or guessing passwords.
There are three common methods employed to authenticate passwords:
DDoS Attack, also known as a "Distributed Denial-of-Service (DDoS) Attack," is a type of cybercrime where the perpetrator overwhelms a server with internet traffic in an effort to prohibit users from accessing linked websites and online services. This attack preliminarily focuses on disrupting the service of a network, and usually involves sending a high volume of data through the network until it gets overloaded and no longer functions.
An attack in which an attacker is positioned between two communicating parties in order to intercept and/or alter data traveling between them. One major occurrence of Man in the Middle attacks is active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.
Methods involved in Man in middle attacks:
A drive-by download is when malicious code is unintentionally downloaded into a computer or mobile device, exposing users to various hazards. The malicious code is designed to download malicious files onto the victim’s PC without the user being aware that anything untoward has happened. A drive-by download abuses insecure, vulnerable, or outdated apps, browsers, or even operating systems.
Website owners can prevent drive-by downloads by doing the following:
Endpoint users can prevent drive-by downloads by doing the following:
Malvertising, often known as malicious advertising, is a relatively recent cyberattack method that involves embedding malicious code in online advertisements. These infected ads are typically delivered to customers through reliable advertising networks, making them difficult for both internet users and publishers to detect.
In a malvertising attack, harmful code is injected into networks of trustworthy internet advertising. Users are often redirected to fraudulent websites using the code.
Malvertising is typically confused with ad malware or adware—another form of malware affecting online advertisements.
How can end-users help mitigate malvertising?
How can publishers help mitigate malvertising
Rogue security software is a type of malicious software and online fraud that tricks consumers into thinking their computer has a virus and tries to persuade them to pay for a phony malware removal program that in fact installs malware on their computer. Mobile applications known as "rogue apps" are created to spoof well-known businesses in order to obtain illegal access to data that may be used to carry out fraudulent operations.
Practice online skepticism. Be aware that rogue security software does exist on the Web, and be vigilant about avoiding it. These programs are designed to appear genuine – meaning they may mimic legitimate programs, use false awards and reviews to rope you in, or employ other deceptive tactics. It’s also a good idea to familiarize yourself with common phishing scams and to be cautious of links in e-mail messages and on social networking sites.
The banking sector has been at the heart of the Indian economy contributing to more than 40% of the GDP and lending or credit is what fuels the Indian economy contributing more than 60% of the GDP. Digital lending is the new buzzword in banking, where people mean different things. So let us understand what RBI has mandated in its guidelines on Digital Lending.
Before we understand what digital lending is, let us understand what lending is. Simply put, lending is when a lender provides funds to someone who wants to borrow it (usually at a fixed interest rate) and the borrower agrees to pay back the borrowed amount with interest. It's essentially trading future income for current access to money.
Banks are in the business of collecting our deposits and lending them to those who want to borrow. However, there are many who find it difficult to access loans from banks for various reasons. Maybe they don't have an established credit history, maybe they don't live in regions where the bank operates, or the bank deems the interest too high to provide a loan, etc. So, there is a gap that banks cannot reach and as a result, many digital lending platforms have emerged to serve this segment.
What does the Reserve Bank of India (RBI) think of these digital lending platforms? That's an important question for a startup. Any guidance from RBI on matters such as these is valuable since we will have to first understand it and then live with the regulations at the time of scaling the business.
So, let us see what RBI has to say on digital lending in the guidelines on Digital Lending issued on 2nd September 2022.
The purpose of the guideline ( Number CRDIR/DGL-19/02.01.002) is to inform applicants proposing to set up non-bank digital lending platforms about the criteria the Reserve Bank would use to assess their proposals.
The guideline is interesting as it shows the thinking perspective of RBI to explain its views and concerns. Let us try to summarize the key pointers from the guideline.
On June 20th, RBI issued a direction disallowing non-banking Prepaid Payment Instruments (PPI) from loading credit lines on the PPI. This bans PPI wallets from being loaded with credit lines/credit cards.
BNPL is short-term financing for consumers who can buy products and get short-term credit and pay later for the credit taken. Well, isn’t that what credit cards are used for as well? The concept of BNPL is similar to that of credit cards wherein a consumer makes a purchase through a credit line and the payment is done later- quite literally “Buy Now, Pay Later”. The BNPL market has grown a massive 539% in 2020 and 637% in 2021.
Credit Cards are given to individuals with a minimum average income of INR 1-3 lakh per annum. Eligibility for a credit card is based on multiple parameters age, salary (ability to repay), type of employment, and credit score. RBI has definite directions for the issuance and operations of credit cards.
There aren’t instruments to finance instant loans without an elaborate process. This is where BNPL comes in. Unlike for credit cards, BNPL issuers do not require credit score and other stringent checks prior to onboarding. This makes credit more accessible. While cursory checks are being done on the spending pattern of customers, it taps on the customer’s ability of immediate spending.
Another difference is that credit cards require a joining and/or an annual fee, while BNPL cards do not levy any such charges/hidden charges on the consumers. That means that all is great if consumers pay their bills on time, however, failing so, the issuer will charge a delay fee. Additionally, the BNPL service is fast and easy to set up as the approvals are almost instant and offer easy repayment options with EMI.
In the past month, the number of credit cards issued was recorded as 15 Lakh, while 20 Lakh BNPL accounts have been opened. This jump seen in the BNPL market made the traditional credit card issuers jittery. The credit card market is currently operated by major banks in the country.
While all seemed to be a fairy tale and a bed of roses for consumers and BNPL entities with heavy investments flowing into the market, the Reserve Bank of India (RBI) threw a bombshell that may have put BNPL entities in the backfoot. The RBI notification restricts non-banking Prepaid Payment Instruments (PPI) from loading credit lines on the PPI. This bans PPI wallets from being loaded with credit lines/credit cards through financing done by NBFCs.
Most popular BNPL players operate using banks’ license/banks’ NBFC license. Alternatively, banks hold PPI license. On the PPI wallet, a credit line was given which was not in line with the PPI directions from RBI.
The main concern that RBI has raised is the lack of clear guidelines/regulations around BNPL. The main focus with which RBI has been operating in the protection of consumers. While consumers seem to be enjoying it, BNPL as a business does not seem viable unless properly regulated over and above the credit card market.
Unlike concerns raised by some on RBI’s stand, the regulatory body has indeed mentioned BNPL in their
“Payment Vision 2025” was released in June 2022. As per the vision document,
BNPL should be:
The Current Market: Its Ups and Downs
Quite a positive right?
But here’s the catch! BNPL is risky lending and there has been a rising trend of defaults accounting for about 18-19% of delinquencies. One main reason that can be attributed to this trend is the provisioning of BNPL cards to Millennials and GenZ as several of them are unemployed, are studying, or are employed but do not have the ability to repay (as per stats in the US BNPL market). This in turn creates a debt trap for consumers as they tend to pay back the existing loans with further credit lines, while the expenses continue to pile up. India is a savings-based economy, contrary to other countries such as the USA, which is credit based.
On the contrary, below are the downsides of BNPL:
The business model is quite ambiguous for BNPL players. Also, as mentioned above, there isn’t a mechanism in place currently to link BNPL defaults to the credit score. Above this, BNPLs adopting AML and Fraud Risk mechanisms within their system is not transparent.
BNPL Stats across the Globe
Recently, OpenPay, a BNPL company in Australia paused operations in the USA due to defaults and rising interest rates. Klarna, another fintech in BNPL has lost its valuation from $45 Billion to $6.5 Billion in the last round of funding and another Australian BNPL firm has lost its valuation to $300 Million from $9 Billion.
Fintechs and BNPLs shouldn’t worry yet as it’s a wait-a-watch game with RBI. The aura in the market is that the central bank will issue new guidelines for the BNPL segment that will not only regulate the sector but also reshape it all together with a focus on consumer protection, risk management, and overall security.
The Indian Fintech and BNPL spaces are nascent and not very mature. The regulator has put in some basic controls at this point in time to ensure that the consumer is not affected by a debt trap, at the same time realizing that for having a spending economy, these kinds of instruments are necessary. The balance may tilt from one side to another every now and then, but at this point, we are poised for some more interesting creative fintech instruments coming in with the regulator constantly on the catching-up game.
The cyber security threat landscape is rapidly evolving. Increasingly sophisticated attacks, multiple threat actors, strict regulations on security and privacy, and new-age trends on BYOD, remote working and growing adoption of cloud, and digital transformation initiatives are just some of the varied challenges that Information Security teams face. And the lack of adequate skilled resources compounds these challenges to manage various security responsibilities.
As news comes in every week of more cyber-attacks, Chief Information Security Officers (CISO) are searching for solutions and measures to improve their organization’s cyber security posture. Often, solution providers pitch various solutions/technologies to solve these challenges. Information Security teams assure that these solutions, with built-in next-gen features, can flag attempts to disrupt business, prevent attacks and minimize impact.
But multiple studies and industry surveys over the years have shown that procuring and implementing a solution does not mitigate the threat on its own. Often these implementations face challenges like high costs, lack of skilled resources to manage the solutions, poor or inadequate configuration of policies, absence of integration with other solutions, insufficient supporting workflows, and processes, and so on.
So, if just buying a solution and implementing is not enough, where does one start? The answer is Security Architecture Review — an activity that can help organizations understand their security threats and identify which solutions can mitigate these risks. The complex nature of the IT infrastructure of organizations today means that a thorough review is needed to identify the critical security risks and the solutions to address them.
Security Architecture Review is a holistic review of security that covers networks, Data, Applications, Endpoint, Cloud, etc. It identifies gaps in your Architecture, Policies, and Controls that may put your critical assets at risk from attackers.
So, what does a Security Architecture Review involve?
Security Architecture Review begins with a study of the Business and IT environment of an organization and the key security and privacy requirements that are mandated by clients and regulations like GDPR, CCPA, PCI DSS, etc. Organizations wanting to adopt best practices can look at information security and data privacy standards and frameworks like NIST 800-53, ISO 27001, CSA STAR, etc.
Identifying security and privacy risks is the next critical step as Information Security teams need to know what assets, applications, and processes need stringent controls and monitoring.
The next step is to study the existing architecture for network and security, understand cloud adoption, study existing solutions for security for design and implementation effectiveness, and identify gaps. We also recommend assessing the configuration of key solutions to understand the implementation effectiveness and identify any gaps.
After studying architecture, it is important to assess the current solutions implemented and their design effectiveness as per the security domains such as Access, Patch, Monitoring, etc. This helps in identifying the solutions that address various security and privacy risks.
After identifying the gaps, it is important to identify the right solutions to mitigate the gaps and address critical risks. Again, the solutions must address a few key criteria–risk mitigation, compliance management, integration with other solutions and interoperability, monitoring capabilities, and the ability to provide detailed reports as per organizational policies.
While identifying solutions, one must also consider the state of the infrastructure–On-prem, cloud or hybrid. One must also look at security components that are provided by Cloud Service Providers.
The end-state architecture must comprise solutions that offer protection from critical risks, integrate with other solutions deployed to provide relevant alerts and minimize the impact of any attack. Finally, one must also fortify the Information Security team with Subject Matter Experts (SMEs) who will manage the solutions.
No matter how secure your organization’s cyber defenses maybe, a Security Architecture Review (SAR) can identify potential vulnerabilities and recommend countermeasures. The process begins with an assessment of your current state of security, followed by the development of a roadmap for improvement.
A SAR is especially important in the current environment, where cloud security services are becoming more popular. By definition, the cloud is a distributed system that spans multiple data centers and devices. This makes it more difficult to secure and increases the risk of data breaches.
Fortunately, many Cyber Security Companies in Bangalore offer SAR services. They can help you identify and mitigate vulnerabilities in your systems. Reach us for more information at [email protected]
Customer pursued CSA STAR certification and a review of the Information Security program to address Investor and customer requirements on information security and cloud security.
Customer was required to conduct an independent security review of its application and cloud infrastructure as part of its contractual obligations.
The CIO sought an objective point of view on the current state information security (IS) program, including opportunities to improve compliance and overall alignment with IS leading practices. The results of the assessment would be used to enhance the future IS strategy in line with a broader initiative within the organization to “reset” IT.
The CISO wanted to achieve ISO 27001:2013 ISMS Certification for the Bank as part of the roadmap to enhance information security posture and build investor confidence
