The use of digital technology is a double-edged sword. If financial industry players use digital technology well, it can be great. If you are half-hearted in investing or even take it lightly, it is actually dangerous.
By RICO USTHAVIA FRANS
Digital financial transactions have grown rapidly. One indication of this is the increase in outstanding online loans, which reached Rp 49.34 trillion (about US$3.30 billion) as of October 2022. On the payment system side, Quick Response Indonesia Standard (QRIS) transactions from the beginning of the year to September 2022 reached Rp 29.7 trillion, an increase of 298 percent on an annual basis. Meanwhile, electronic money transactions on all channels increased by 43.2 percent to Rp 35.5 trillion on an annual basis. Digital banking transactions up to November 2022 rose by 30.9 percent year-on-year to Rp 9 quadrillion.
But when there is sugar there are ants. The rise of digital financial transactions has invited criminals to exploit system weaknesses or user carelessness. There are two modus operandi, namely technical hacking and social engineering. Technical hacking means breaking into the system itself so that it can be misused for the attacker's advantage.
Almost all banks and financial technology services (fintech) have experienced technical hacking attacks. Losses can reach billions of rupiah per incident. If a bank or fintech says it has never been a victim, maybe it is not aware, it is lying, or the company is too small to be attacked.
On average, big players have mitigated technical hacking. However, many relatively smaller players have not implemented information technology security best practices such as qualified firewalls, well-protected servers or disciplined IT security policies. They also rarely have a chief information security officer (CISO) or a security operations center monitoring 24/7. It is the task of the regulator as well as the industry to encourage financial institutions to adopt such a security operation.
Meanwhile, social engineering is an attack carried out with a social approach. One mode that is often used is phishing, in which the criminal sends an e-mail containing a link to a certain site and the recipient is tricked into entering a user ID and password. Another mode is asking customers to provide one-time passwords (OTPs) with the lure of prizes. There are also those who offer cheap car auctions, in which potential victims are asked to transfer money.
Social engineering is closely correlated with financial literacy. Based on a survey by the Financial Services Authority (OJK), the financial literacy of Indonesian people is around 49.68 percent, while financial inclusion is at the level of 85.10 percent. It means that quite a lot of people are exposed to financial products and services without adequate understanding, including about the risks. Therefore, it is important for financial industry players and regulators to educate the public.
Some payment industry players, especially electronic money issuers, offer money-back guarantees in the event of a balance loss. In the short term, this is helpful for adoption, but in the long term it is detrimental because it gives a false sense of security.
Recently, a large bank insisted on not returning a customer's money because the customer neglected to protect their passbook (savings book) and their personal identification number (PIN). It is an unpopular step, but it is necessary for customers to learn. Regulators should support such actions. Protecting customers does not mean always fulfilling customer demands even if they are wrong, but rather educating them to be more careful and take responsibility for the security of their accounts.
Speed vs. security
Another aspect is the balance between transaction speed and security. Lately, Bank Indonesia has been aggressively promoting real-time digital financial transactions, such as QRIS and BI-Fast. Such infrastructure makes it easier for criminals to move the proceeds of their crimes. Therefore, Bank Indonesia together with the Indonesian Payment System Association (ASPI) should encourage the development of infrastructure that enables payment system providers to block the proceeds of crime in real time.
For this reason, it is necessary to create a legal umbrella, because if blocking has to wait for a letter from the police, it will of course be too late. In addition, technically, instructions to block funds must be carried out in real time by involving the switching agency and all parties receiving funds. Today, like a car, the speed is getting faster, but the brakes are never upgraded.
The server-based e-money Know Your Customer (KYC) process and virtual account services are more relaxed than the KYC process for opening a savings account, making it easier for criminals to create accounts to collect the proceeds of their crimes. Regulators need to raise the standard of the KYC process for electronic money and virtual account service providers, for example by requiring data validation of prospective customers to the population and civil registration system (dukcapil) as well as implementing good liveness detection standards.
Almost all digital transactions use cell phones and e-mail as the basis for opening an account. Therefore, the digital financial industry also needs to have a blacklist database of cell phone numbers and e-mails.
The laundering of funds resulting from digital financial transaction crimes is carried out in various ways. Laundering by withdrawing cash from an ATM is not scalable for criminals. Another alternative that is easier and scalable is to purchase mobile credit or game vouchers. Currently there is no standardization of how much prepaid credit one SIM card can have for a certain period.
There was a case in which one SIM card was used to collect the proceeds of crimes of up to several hundred million rupiah. In order to block phone credits resulting from crime, cellular operators require a police report. This is just for temporary blocking. To return credit proceeds from a crime, a court decision is required. The OJK and Bank Indonesia together with industry associations should partner with cellular operators to regulate this, including making rules for the recovery of proceeds of crime without having to go through a complicated and lengthy court process.
The use of digital technology is a double-edged sword. If financial industry players use digital technology well, it can be great. On the other hand, if you are half-hearted in investing or even take it lightly, it is actually dangerous.
The role of regulators and industry associations in mitigating digital transaction crimes is also very important. The strategy and its implementation should be neither reactive nor incomplete.
RICO USTHAVIA FRANS, a member of the Steering Committee of the Indonesia Fintech Society
(This article was translated by Hendarsyah Tarmizi)