TheWall: Protecting users is paramount

This article first appeared in Personal Wealth, The Edge Malaysia Weekly, on September 28, 2020 - October 04, 2020.

Many financial technology (fintech) companies manage vast amounts of transactions on behalf of their users. This means there is a need to ensure that their systems are always working as planned. However, sometimes problems and glitches do occur.

A recent example happened on July 27, when a number of investors on digital investment management (DIM) platform StashAway Malaysia found that their bank accounts, which were linked to the platform’s direct debit feature, had been incorrectly debited 26 or 27 times.

In a detailed post-mortem report, StashAway explained that the glitch was caused by a technical issue involving its third-party direct debit provider Curlec. Collection attempts that StashAway’s system treated as failed had in fact been processed successfully by Curlec, so more than 40,000 direct debit collection requests, instead of 1,500, were handed over to the banks for processing.

These funds were credited into StashAway’s account the next day (July 28). Upon learning of the glitch, the team began the refund process immediately. By 11pm, 1,174 customers had received their refunds, while the rest got theirs by July 30.

To avoid such incidents in the future, StashAway will review workflows such as deposits, withdrawals, rebalancing, fee-charging and customer onboarding at a granular level to detect any anomalies, country manager Wong Wai Ken tells Personal Wealth. “We will establish a set of thresholds to further strengthen the monitoring process and ensure appropriate alerting is in place to notify tech and operational teams of unusual behaviour. These thresholds and alerts will proactively mitigate the recurrence of a situation like this.”

Photo by Patrick Goh/The Edge

The platform will also perform an in-depth review of all of its financial service providers’ integrations. These integrations will be analysed for error handling and reporting, retry logics, deduplication logics, monitoring and alerting, he adds.
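The failure mode described above, a client treating unconfirmed collection attempts as failures and retrying them, and the controls Wong lists (retry logic, deduplication, thresholds and alerting) can be seen side by side in a small simulation. The following Python is an added illustration, not code from StashAway, Curlec or any platform named in this article; the provider, customer IDs, amounts, billing period and fault pattern are constructed for the example.

```python
"""Duplicate direct-debit collections caused by blind retries, beside an
idempotent, deduplicated and threshold-monitored integration.

Added illustration only: the provider below is a constructed stand-in, not
any real direct debit gateway, and every value in it is made up.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional


class AmbiguousResponse(Exception):
    """The provider's reply was lost after it had already processed the request."""


@dataclass
class FakeDebitProvider:
    """Constructed provider: every request debits the customer's account, but
    replies to the attempt numbers in `lose_reply_on_attempts` are lost, so the
    caller cannot distinguish failure from success without a status lookup."""
    lose_reply_on_attempts: set = field(default_factory=set)
    debits: list = field(default_factory=list)   # (customer_id, idempotency_key)
    attempts: int = 0

    def collect(self, customer_id: str, amount: int,
                idempotency_key: Optional[str] = None) -> str:
        self.attempts += 1
        # Provider-side deduplication applies only when the caller supplies a key.
        if idempotency_key and any(k == idempotency_key for _, k in self.debits):
            return "already_processed"
        self.debits.append((customer_id, idempotency_key))   # the debit happens here
        if self.attempts in self.lose_reply_on_attempts:
            raise AmbiguousResponse("no confirmation received")
        return "processed"

    def status(self, idempotency_key: str) -> str:
        """Status lookup the client can use to reconcile an ambiguous reply."""
        return "processed" if any(k == idempotency_key for _, k in self.debits) else "unknown"


def naive_collect_all(provider, customers, amount, max_retries=30) -> int:
    """Blind retry: any exception is treated as 'not collected', so a lost reply
    produces another collection request for the same customer."""
    for cid in customers:
        for _ in range(max_retries):
            try:
                provider.collect(cid, amount)
                break
            except AmbiguousResponse:
                continue
    return len(provider.debits)


def safe_collect_all(provider, customers, amount, billing_period, max_retries=3) -> dict:
    """One idempotency key per (customer, billing period); reconcile ambiguous
    replies against provider status before retrying; escalate instead of looping."""
    outcomes = {}
    for cid in customers:
        key = f"{cid}:{billing_period}"
        if key in outcomes:            # local deduplication: one debit per cycle
            continue
        for _ in range(max_retries):
            try:
                outcomes[key] = provider.collect(cid, amount, idempotency_key=key)
                break
            except AmbiguousResponse:
                if provider.status(key) == "processed":   # the debit went through
                    outcomes[key] = "processed (reconciled)"
                    break
        else:
            outcomes[key] = "unresolved"   # hand to operations rather than keep retrying
    return outcomes


def alert_if_over_threshold(submitted: int, expected: int, factor: float = 1.1) -> Optional[str]:
    """Volume threshold: alert when requests handed over exceed the expected
    count by more than `factor`, so a runaway batch is caught before settlement."""
    if submitted > expected * factor:
        return f"ALERT: {submitted} collection requests submitted, expected {expected}"
    return None


def run_simulation() -> dict:
    customers = ["cust-A", "cust-B"]           # constructed customer IDs
    fault = set(range(1, 6))                   # constructed fault: first 5 replies lost
    naive = FakeDebitProvider(lose_reply_on_attempts=set(fault))
    naive_total = naive_collect_all(naive, customers, amount=100)
    safe = FakeDebitProvider(lose_reply_on_attempts=set(fault))
    safe_outcomes = safe_collect_all(safe, customers, 100, "2020-07")
    return {
        "naive_debits": naive_total,
        "naive_per_customer": dict(Counter(cid for cid, _ in naive.debits)),
        "naive_alert": alert_if_over_threshold(naive.attempts, len(customers)),
        "safe_debits": len(safe.debits),
        "safe_outcomes": safe_outcomes,
        "safe_alert": alert_if_over_threshold(safe.attempts, len(customers)),
    }


if __name__ == "__main__":
    for k, v in run_simulation().items():
        print(f"{k}: {v}")
```

Running it shows the naive loop debiting the first customer once per lost reply plus once for the confirmed attempt, while the idempotent client debits each customer exactly once and the threshold check fires only for the naive batch. The design point is that a lost reply is not a failure but an unknown state, so the safe path reconciles before it retries.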

Peer-to-peer financing platform Funding Societies Malaysia is another company that partners with Curlec. Its chief technology officer Ishan Agrawal says the platform has built various checks and balances to ensure user data security and integrity.

“We are consumers of various fintech products ourselves and understand that such issues can cause a lot of distress. I am a StashAway user myself and have used the product since its early days. I heard about this incident and came across the report the same day it was published, and even shared it with our engineering team [for lessons to be learnt].

“In technology, we have the concept of blameless post-mortems after every incident, where we analyse an incident and learn from it, instead of finding out who was to blame for it. It is not very different from the ‘black box’ analysis after plane crashes,” says Agrawal.

“In line with that, rather than finding blame, I appreciate the detailed incident report produced by the StashAway and Curlec teams and that steps are being taken to prevent such issues from happening again.”

He clarifies that while the two platforms share the same service provider, their integrations differ slightly. Funding Societies’ platform does not have a direct integration with Curlec for direct debits, hence its system cannot automatically trigger a retry on any failed direct debit transactions.

Khairil Abdullah, CEO of e-wallet platform Boost, says there are several positives that can be learnt from how StashAway handled the incident, which resonates with the e-wallet provider’s own approach. One that stood out was the quick response to the incident — StashAway was able to process 95% of the refunds just one day after the glitch was discovered.

The second was transparency, says Khairil. “StashAway demonstrated accountability, especially in resolving the incident between the different parties, by making the incident report public on its website. None of this would have been possible had they not emphasised the value of trust in the ecosystem in which they operate, as we do.”

Corrective and recovery measures

Beyond auto-debit issues, this raises concerns about the technologies, systems and measures that various fintech firms implement on their platforms to ensure that users’ accounts are secure. In Malaysia, most fintech companies are regulated either by the Securities Commission Malaysia (SC) or Bank Negara Malaysia. This means they are required to adhere to a certain standard of security to ensure consumer protection.

StashAway, for example, is a regulated fund management company that holds a Capital Market Services Licence for DIM, issued by the SC. It is obligated to identify and verify its customers’ identity as part of its due diligence requirements. Documents are only requested via its corporate device, which is connected to its secure network that is protected by a firewall and requires multi-factor authentication to access.

As part of its regular compliance exercise, StashAway has undergone internal and external audits with no adverse material findings in its efforts to ensure that its operational process and control measures are always consistent and effective in safeguarding its clients’ information, interests and assets. The platform also complies with local regulations and guidelines such as the Personal Data Protection Act and Guidelines on Management of Cyber Risk.

Photo by Suhaimi Yusuf/The Edge

“With regards to the security of their cash and securities, following the SC’s strict regulations, StashAway has ensured that client funds are protected by a Citibank Trust Account when we first receive deposits, followed by a custodian account with Saxo Capital Markets for their securities and cash. This ensures that client funds are always kept separate from and unmingled with StashAway’s finances,” says Wong.

Meanwhile, Funding Societies — which is also regulated by the SC — has adopted the “defence in depth” philosophy in its approach to security. This means the platform has several layers of protection to prevent and address vulnerabilities in its applications and infrastructure, from multiple angles. Its head of information security Ishan Girdhar says this massive, ongoing effort is undertaken by numerous teams and departments.

Funding Societies’ security features include hosting its applications on Amazon Virtual Private Cloud and Google Cloud as well as using Amazon Web Services’ Key Management Service and HashiCorp Vault to limit, record and automatically rotate credentials regularly (changing passwords, certificates or keys to reduce vulnerabilities to credential-based attacks or exploitation). These are in compliance with the regulatory guidelines provided by the SC, Monetary Authority of Singapore and Financial Services Authority of Indonesia.

“Robust encryption algorithms and hashing techniques protect the information at transit and rest. We also use data replication for data resiliency, snapshotting for data durability and backup testing,” says Girdhar.

Apart from the wide range of security features that Funding Societies has on its platform, it also encourages coordinated disclosure of security vulnerabilities via its external Bug Bounty programmes. These programmes provide recognition and compensation to individuals who report bugs, especially those pertaining to security vulnerabilities.

“We are currently running a private Bug Bounty programme on the HackerOne platform, the most extensive security researchers’ platform. We have received really interesting reports of bugs that were fixed within our Bug Bounty programme service-level agreement,” says Girdhar.

Boost is an official e-wallet licensee under the purview of Bank Negara, and its security is compliant with the regulator’s security controls and the industry’s best practices in areas such as access management, network security, host security, application security and vulnerability management, says Khairil. This means any security guidelines applicable to banks are also applicable to the e-wallet provider.

“As a precaution, we routinely conduct penetration testing, where we get external IT security experts to test our infrastructure security. We also have a team of data and fraud analysts who monitor for unusual activities and keep an eye out for anomalies that could indicate possible fraudulent transactions. A safeguard that we have put in place is, if the system detects any fraudulent activity, the user’s account will be frozen immediately while we investigate the incident,” he adds.

“From an app front-end and user standpoint, we have introduced biometric authentication — fingerprint scanning for Android users and Face ID for iOS users — which we strongly encourage users to switch on as an added layer of security for authorising transactions.”

Boost has an “Auto Top-Up” feature, which automatically tops up the balance in the e-wallet when it falls below a certain threshold defined by the user. This auto-debit process is carried out by the credit or debit card issuer and can be triggered only once a day, says Khairil.

When it comes to the security of auto-debit facilities, platforms say they have implemented standard operating procedures to manage any unexpected situations. DIM platform Raiz Invest, for example, runs special software that monitors the interaction between the platform and its payment gateway in real time, says CEO Aidi Izham. If the software detects any unusual activity, it will notify and “talk” to the development and operations team via its business communication platform. Raiz Invest allows users to auto-debit on a daily, weekly or monthly basis.

“The payment gateway provider has similar services that would notify us of any unusual activity and can shut down the gateway. However, anything is possible — although it is highly unlikely. The immediate course of action would be to return the cash as soon as possible and to communicate,” says Aidi.

“[Enhancing security features] is a continuous process. We upgrade our back-end software at least twice a week. We are currently in the process of transitioning to a better way of communicating with our payment gateway. This is the business we are in and it is a never-ending story.”

Likewise, Funding Societies’ Agrawal says the platform’s 24/7 automated alerting system will notify the team of any issues that affect its direct debit facility with a third-party platform. This will activate its incident response process, where detailed steps of dealing with incidents are documented and practised on a regular basis.

“It becomes a top priority for the whole team. The most important thing here is to keep our customers informed and minimise any damage by focusing on fixing the issue as soon as possible,” he says.

Meanwhile, Ronnie Tan, CEO of GAX MD, which operates DIM platform MYTHEO, says the platform is hosted on a tier-3 data centre and all of its critical transactions require two-factor authentication. All transactions are audit logged and there is daily monitoring for any abnormal transactions and activities.

He points out that the platform does not allow multiple debits per debit cycle and that investors can set a maximum amount allowed per debit. “If [a glitch] does happen, we have very clear guidelines drawn up in terms of a recovery plan as well as clear communication plans with our investors, partner banks and PayNet. So, I believe we are equipped for any mishaps,” says Tan.