CYBER SECURITY IN SACCOS


An information technology (IT) professional working with a leading SACCO recently observed that as digital products (for instance mobile money) spread further, SACCOs must keep pace with the trend in order to stay afloat. The pressure on SACCOs to digitize is enormous, and it comes both from within and from without. It is informed by the numbers presented in public discourse. According to SASRA’s 2018 Annual Supervision Report, total loans increased by 13% to Kshs 374.28 billion. SASRA reported that as of 2017, SACCOs served about three million customers annually. Around the same period, fintechs were giving digital loans to approximately 6.1 million users, according to a survey done by Genghis Capital.

The pressure to digitize is therefore immense for this key sector, half of whose customers are already in the digital space and could also be borrowers from those same fintechs. There have been a number of operational and legal hindrances that prevent SACCOs from moving with the agility fintechs have in order to take up the opportunities that digitization offers.

Burning venture capital

Consider the requirements to set up a SACCO. Whereas a fintech startup just needs a group of founders who are passionate about a problem, a prototype of a product and plenty of funding from venture capitalists, that is not so for SACCOs. Their requirements for setting up a branch are stringent. It cannot be a prototype, and capital adequacy must meet a certain minimum standard.

Structurally, one insider has observed: “SACCOs boards of directors are mostly made up of old people who are not normally flexible on matters technology hence the slow adoption”. Whereas this observation is debatable, to a certain extent it is right. Board members of SACCOs are elected through a formalized process in which members vote. Their mandate is first and foremost to protect the assets and funds of members as much as possible. Fintechs, on the other hand, burn venture capital without these kinds of shackles.

Limited options

Still referring to the SASRA 2018 report, there is a segment on customer complaints. According to that report, claims for refunds of savings and deposits or share transfers accounted for 44% of the total complaints against SACCOs. These claims generally revolve around delays by SACCOs in refunding or paying out deposits or savings to members who have withdrawn. This points to friction in the exit of members, compared with the opt-in, opt-out or delete-the-app experience of some of the fintech equivalents. Having said that, it is not that SACCOs are taking no action regarding their seemingly archaic, friction-prone deposit and lending model. The SACCO Societies Regulations 2010 provide that deposit-taking SACCOs must maintain a management information system (MIS) capable of accounting for all transactions and providing the minimum reports required by the regulator.

Front end and back end

SACCOs have generally adopted a two-tier architecture that characterizes their operations. In technical terms, there is a front end and a back end. The front end is what is called Front Office Services Activity (FOSA), a system which performs banking activities for the SACCO. This is largely the front end used by customer-facing SACCO employees to serve customers. FOSA has been extended to offer internet banking, mobile banking, automated teller machines (ATMs) as well as agency services. The back end is what is called Back Office Activities (BOSA). This includes membership management and the general ledger, among others. Other non-core modules are extended on top of BOSA, such as human resource (HR) and payroll management, inventory management and document management. FOSA and BOSA together make up one monolithic application that is meant to run the SACCO.

That architecture explains in part why agility is nearly impossible. Imagine that changes were to be made to FOSA to include an app that does real-time credit scoring. This could mean that a customer logs in and is authenticated, the app picks data from the membership and general ledger modules, the data is passed through an application programming interface (API) to a credit reference bureau in real time, and the customer gets their credit score. How much interruption to the various dependent components would be needed to achieve this?

Easy targets

On this account, concerns about exposure and vulnerability to attacks may be top of mind for the board. According to Serianu’s Sacco Cybersecurity Report of 2018, hackers find SACCOs easy targets. Representatives of 125 deposit-taking SACCOs participated in that report’s survey. The findings showed that over 50% of SACCOs did not have an established training programme on cyber risks. 38% of the SACCOs allowed their staff to bring their own devices (such as flash disks), which increased the number of attack vectors an attacker could use to gain unauthorized access to the SACCO’s digital ecosystem.

The SASRA 2018 report has a section on inspection and surveillance. The inspections are generally administrative and operational in nature. They are conducted monthly, quarterly or annually. The objective of the inspection is to ascertain SACCOs’ compliance with capital adequacy requirements; the composition of assets, liabilities and equity accounts; the quality of earning assets; financial, operational and business risks; and any other matter which in the opinion of the authority is relevant to the performance of its mandate under the Act.

As SACCOs consider digitizing, it would be prudent for the regulator to introduce surveillance and inspection of the digital platforms through which services are delivered. In 2016, the Bangladesh Central Bank’s SWIFT system was infiltrated by hackers and thirty-five transactions were issued. Five of the thirty-five requests succeeded in transferring $101 million. When investigators reviewed the cyber security posture of the bank, it was established that one year before the hack, the Governor of Bangladesh Bank had foreseen cyber security vulnerabilities and had hired an American cyber security firm to bolster the firewall, network and overall cyber security of the bank. However, due to multiple bureaucratic hurdles, the security firm could not come on board and only started its operations in Bangladesh after the cyber heist.

Unrelenting

The Serianu Report stated that only 9% of SACCOs invested over Kshs. 500,000 in cyber security in 2018. This means that as SACCOs digitize, security reviews either are not done (or are poorly done) and the interventions required are not addressed as they should be. How up to date are the security patches on the server infrastructure that runs FOSA and BOSA? What security policies have been adopted internally to safeguard data access and sharing within the organization? How are roles segregated in conducting transactions, and what audit trail do those transactions leave? How often are staff and customers trained on cyber security?
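Two of the questions above, how roles are segregated in conducting transactions and what audit trail those transactions leave, can be answered concretely in code. The following is an added example, not code from the article or from any SACCO’s FOSA/BOSA system: a maker-checker workflow in which a teller may initiate a member withdrawal, only a supervisor may approve it, nobody may approve their own entry, and every action is written to an append-only, hash-chained audit log that detects later edits. The user names, roles, member IDs and amounts are constructed assumptions.

```python
"""Maker-checker segregation of duties with a tamper-evident audit trail.

Added illustration; the role table, users and amounts below are assumptions
and not taken from any real SACCO system.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Assumed role model: tellers and supervisors may initiate (make) a withdrawal,
# only supervisors may approve (check) one, and self-approval is never allowed.
ROLES = {"alice": "teller", "bob": "teller", "carol": "supervisor", "dan": "supervisor"}
GENESIS = "0" * 64


class SegregationError(Exception):
    """Raised when an action would violate segregation of duties."""


@dataclass
class Withdrawal:
    tx_id: str
    member_id: str
    amount_kes: int
    maker: str
    checker: Optional[str] = None
    status: str = "pending"


class AuditLog:
    """Append-only log; each record carries the SHA-256 of the previous record,
    so editing or deleting an earlier record breaks the chain on verify()."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: dict) -> dict:
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS
        body = dict(event, prev_hash=prev_hash)
        record = dict(body, hash=self._digest(body))
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain; False if any record was altered or re-linked."""
        prev_hash = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if body["prev_hash"] != prev_hash or self._digest(body) != rec["hash"]:
                return False
            prev_hash = rec["hash"]
        return True


class WithdrawalService:
    def __init__(self, audit: AuditLog) -> None:
        self.audit = audit
        self.transfers: dict[str, Withdrawal] = {}

    def make(self, user: str, tx_id: str, member_id: str, amount_kes: int) -> Withdrawal:
        if ROLES.get(user) not in ("teller", "supervisor"):
            raise SegregationError(f"{user} may not initiate withdrawals")
        tx = Withdrawal(tx_id, member_id, amount_kes, maker=user)
        self.transfers[tx_id] = tx
        self.audit.append({"action": "make", "tx_id": tx_id, "user": user,
                           "member_id": member_id, "amount_kes": amount_kes})
        return tx

    def check(self, user: str, tx_id: str) -> Withdrawal:
        tx = self.transfers[tx_id]
        if tx.status != "pending":
            raise SegregationError(f"{tx_id} is already {tx.status}")
        if ROLES.get(user) != "supervisor":
            raise SegregationError(f"{user} is not a supervisor")
        if user == tx.maker:
            # The core segregation rule: the maker can never be the checker.
            raise SegregationError(f"{user} may not approve their own entry")
        tx.checker, tx.status = user, "approved"
        self.audit.append({"action": "check", "tx_id": tx_id, "user": user})
        return tx


def run_demo() -> dict:
    """Exercise the controls and report what was blocked and what was approved."""
    audit = AuditLog()
    svc = WithdrawalService(audit)
    blocked = []
    svc.make("alice", "TX-001", "M-1001", 25_000)
    for user in ("bob", "alice"):            # teller / maker: both must be refused
        try:
            svc.check(user, "TX-001")
        except SegregationError as exc:
            blocked.append(str(exc))
    approved = svc.check("carol", "TX-001").status
    svc.make("carol", "TX-002", "M-1002", 40_000)
    try:
        svc.check("carol", "TX-002")         # supervisor approving own entry
    except SegregationError as exc:
        blocked.append(str(exc))
    svc.check("dan", "TX-002")
    intact = audit.verify()
    audit.records[0]["amount_kes"] = 2_500_000   # simulate a later edit of the log
    return {"blocked": blocked, "approved": approved,
            "chain_intact_before": intact, "chain_intact_after_edit": audit.verify()}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The chain only proves that the log has not been rewritten in place; in practice the records would also be shipped to a store the tellers and supervisors cannot write to, so that the people whose actions are being recorded are not the ones who keep the record.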

According to the World Economic Forum, new technologies and new users will reshape cybersecurity in 2020. The emergence of 5G networks in 2020 will result in broader access for both devices and people. It is estimated that close to 40 billion devices will be connected by the end of 2020. These devices will share data while accessing multiple services. The linkages between these services, and the movement of such data, will expose users to attacks if poorly managed. Here in Kenya, for example, an ID number and a phone number are becoming powerful pieces of information for impersonating someone.

According to a cyber security report in 2018, Kshs. 466 million was lost through computer fraud, business email compromise, fake cheques and identity theft. The attackers are unrelenting as long as a device of interest with an internet protocol (IP) address is traceable. The key question is: are SACCOs ready to digitize on one hand and to deal with the cyber security risks that come with digitization on the other? It does not have to be complicated. Leaders can start with the known rather than the unknown. Assessing the adequacy of, and strengthening the security of, existing infrastructure; putting in place information security policies and procedures; and investing in education for internal and external stakeholders is a good start.

About the Author

Peter Muya is an award-winning enterprise transformation practitioner with 20 years’ experience conducting mid- and large-scale transformation projects in the telecommunications, financial services and public sector industries. He is the co-founder and a managing partner of PTI Consulting, a pan-African consulting practice providing ICT-related business advisory services.

Web: www.pticonsulting.co.ke

Email: themuyas@gmail.com

LinkedIn: https://www.linkedin.com/in/petermuya

Twitter: @themuyas
