HPS 2403: MONEY AND BANKING

BPCM/BSCM
LECTURER: DR. ANAYA SENELWA
GROUP ASSIGNMENT

GROUP MEMBERS;
1. Wewa Mainga-HDE223-1256/2019
2. Eunice Dondo-HDE222-1201/2019
3. Faustine Okari-HDE222-1203/2019
4. Edwin Mwangi Mureithi-HDE222-1375/2019
5. Wendy Kimaru-HDE222-1376/2019
6. Kipchirchir Sang Hezron-HDE222-1378/2019

1
Question 2
(A) i. Describe both the direct and indirect damages that banks are likely to face
cybercrime activities.
Cybercrime is defined as any criminal offense that is facilitated by or involves the use of,
electronic communications or information systems, including any electronic device, computer
or the internet. Cyber-attacks aim to disable, disrupt, destroy and control computer systems in
order to alter, block, delete, manipulate or steal the data held within these systems.
Cybercriminals use various strategies to undertake this crime:
(i) Through phishing- These are attacks that seek to steal personal or business
information used to perform financial transactions. Phishing involves an e-mail
message sent to as many Internet e-mail addresses as the cybercriminals can obtain,
claiming to come from a bank, card company or financial company conducting
financial transactions. For example, an email from PayPal arrives telling a victim that
their account has been compromised and will be deactivated unless they confirm their
credit card details. The link in the phishing email takes the victim to a fake PayPal
website and the stolen credit card information is used to commit further crimes.
Cybercriminals rely on the fact that people are busy; at a glance, these spoof emails
appear to be legitimate.
(ii) Through hacking- This refers to gaining access to someone’s bank account without
the permission of the account holder. This is mainly done to steal money from the
bank account. This activity identifies weaknesses in a computer system or a network
and exploits the security to gain access to personal data or business data. For example,
using a password-cracking algorithm to gain access to a computer system.
(iii) Through fraud- Bank fraud is the use of potentially illegal means to obtain
money, assets or other property owned or held by a financial institution; or to obtain
money from depositors by fraudulently posing as a bank or other financial institution.
This causes a misbalance in the economy often leading to the weakening of the
market. Due to fraudulent activities, stock markets face huge crashes thereby affecting
the economy in a big way. This causes a slowdown in economic growth often leading
to the weakening of the economy and often the disappearance of foreign investment.
These cybercrime activities affect banks and other financial institutions negatively and
damages that follow may either be direct or indirect. Direct damages are the losses that banks
and other financial institutions suffer directly and do not include any kind of compensation.

2
Some include:
a) Damaged brand identity and reputation- After a cyberattack, it undermine
customers' trust in a company and that company's ability to keep their financial data
safe. Following a cyberattack, firms not only lose current customers, but also lose the
ability to gain new customers.
b) Altered Business Practices- Cybercrime can impact businesses in more than just
financial ways. Companies have to rethink how they collect and store information to
ensure that sensitive information isn't vulnerable. Many institutions have stopped
storing customers' financial and personal information, such as credit card
numbers, Social Security numbers and birth dates. Some institutions have shut down
their online stores out of concern they cannot adequately protect against cyberattacks.
Customers are also more interested in knowing how the businesses they deal with
handle security issues and they are more likely to patronize businesses that are upfront
and vocal about the protections they have installed.
c) Stolen Intellectual Property and Information- A bank’s product designs,
technologies, client information and go-to-market strategies are often among its most
valuable assets. Much of this intellectual property is stored in the cloud, where it's
vulnerable to cyberattacks. Cyber-attacks result in breaches to data security and
sabotage. This data becomes lost hence even giving an upper hand to your
competition in the market.
d) Lost Revenue- One of the worst outcomes of a cyberattack is a sudden drop in
revenue as cautious customers move elsewhere to protect themselves against
cybercrime. Companies can also lose money to hackers who try to extort their
victims.
Indirect damages that banks face are;
a) Loss of money by banks will lead to customers losing confidence in the
organization- Banks tends to be vulnerable especially when attacks are made
internally. Cybercrime is a humongous threat to any nation's economic activities and
it's well-identified in financial firms
b) Operational Disruption- In addition to actual financial damages, companies often
face indirect costs from cyberattacks, such as the possibility of a major interruption to
operations that can result in lost revenue. Cybercriminals can use any number of ways
to handcuff a company’s normal activities, whether by infecting computer systems
with malware that erases high-value information or installing malicious code on a

3
 server that blocks access to your website. Disrupting business as usual is the favored
tool of so-called cybercriminals who have been known to breach the computer
systems of even government agencies and multinational corporations in the name of
calling out a perceived wrong or increasing transparency.
c) Reduced Business opportunities- Since the bank’s reputation is damaged, it makes it
difficult for these institutions to run effectively because acquiring investors and
convincing them to invest with your bank becomes challenging hence limiting
business opportunities and future growth.
d) Increased Costs- Banks that want to protect themselves from online criminals have to
pull out their wallets to do so. Firms may incur any number of expenses, including:
 Cybersecurity technology and expertise
 Notifying affected parties of a breach
 Insurance premiums
 Public relations support
In addition, businesses may have to hire lawyers and other experts to remain compliant with
cybersecurity regulations. And if they’re the victim of an attack, they may have to shell out
even more for attorney fees and damages as a result of civil cases against the company.

ii. Risk mitigation measures that should be adopted by banks to ensure development of
sound financial systems.
Risk mitigation offers the potential to reduce both the possibility of risk occurrence and its
potential impact.

Financial institutions especially banks are exposed to various types of risks with a setback to
its functions and operation which include credit risk, liquidity risk, market risk as well as
operational risks.

As a means to manage risk they associate basic methods for risk management as foundation
to formulate appropriate risk mitigation strategies which are;

Improvement/maintenance of software

Due to the new age innovation of digital banking/mobile banking which has given access to
more personalized financial services which also has a fair share of risks. The portals
/accessible by individuals are prone to cyber vulnerabilities therefore financial institutions
would focus to improve the software on a regular basis to eliminate cybercrime loopholes.

4
Continuous cyber security Risk assessment programs

This is an assessment program which incorporate a continuous process of determining,

analyzing, prioritizing, assessing risk to critical systems .The program should be that it
considers the evolving and emergency threats and is able to tune security controls in response
to identified risks.

Credit analysis programs

As a part of its function, lending is a key activity for banks hence management of credit risk
should begin when potential customer ask for credit .Making the decision to extend a loan is
where mistakes are made, the decision to lend should be based on borrower’s ability and
willingness to repay loan. The ability to accurately project financial performance is
dependent on accurate rigorously applied accounting standards therefore programs such as
credit score which are enable financial institutions determine credit worthiness of individuals.

Third party Risk Management

This are risks from engaging with external party .Understanding and managing the risk
associated with engaging third parties, financial can more confidently pursue opportunities
therefore ensuring that third party relationships align with the institution's risk appetite.
Collaboration and communication around risk management can further enhance risk
mitigation.

Conscious financial planning and analysis

The strategy wins at foreseeing a bank liquidity requirements as insufficient reserves crates
risk of not meeting obligations of using depositor’s money. Therefore deliberate financial
planning allows for monitoring cash flow, optimizing network capital and holding enough
liquid assets.

Stress testing

Enables financial institution to gauge their potential vulnerability to exceptional but plausible
adverse events, once the downside potential risk is understood steps to mitigate and ensure
you have sufficient capital to manage risks.

5
Hedging Contacts

Strategy tries to limit risks in financial assets by using financial instructions to offset risk of
adverse price movements.

Hedging provides a sort of insurance cover to protect against losses from an investment
consists of shielding a portfolio by using one financial instrument investment to offset the
risk of another investment.

Other additional measures include;

i. Every single employee should have their own user account, with a policy requiring
password changes in every three months. Employees must not be allowed to
download or install unauthorized software.
ii. All employees must be informed about the dangers of opening or uploading email
attachments from unidentified sources. Educate personnel about the importance of not
leaking or sharing sensitive information about the institute.
iii. The IT department of a bank must ensure that a firewall is enabled on every
workstation and Internet-connected device in the organization because firewall blocks
all communication from unauthorized sources.
iv. Banks must use 'two-factor authentication (2FA)' apps or physical security keys and,
wherever possible, enable 2FA on all online accounts.
v. All PCs' operating systems must receive regular security updates.
vi. To find out if there is any ransomware or malicious software on the network, anti-
spyware and anti-virus software must be installed on all PCs. All passwords and
wireless networks must be kept secured and well-protected.
vii. Banks must employ verification methods such as dynamic device authentication and
web-based transaction verification as more consumers use mobile devices.
viii. Customers must receive notifications and automated messages from their banks
confirming the validity of their transactions.
ix. Customers must be given instructions on how to verify the legitimacy of any sources
that are asking information of personal accounts. Customers must also be given
instructions on how to stay safe when using the bank's websites.
x. When using banking application or internet banking, use a secure network.

6
(B) a) What is open banking and what does it mean to business in the Post Covid 19
pandemic period.

Open banking is the practice of enabling secure interoperability in the banking industry by
allowing third-party payment service and other financial service providers to access banking
transactions and other data from banks and financial institutions.

COVID-19 affected many businesses, with the banking industry among the first to feel its
effects. In December 2020, Kenya’s Central Bank released its four-year strategy and
highlighted Open Infrastructure as one of its main strategic objectives. Earlier in 2019, two
large South African banks embraced open banking and at the height of the pandemic, South
African and Nigerian startups TrueID and Okra, respectively, announced they had received
significant funding to develop open banking infrastructure.

COVID-19 has accelerated digital transformation

The pandemic has brought about a new normal, and open banking can help boost the
recovery from its effects, enrich customer experiences and transform banking as we know it.
Some of the major effects of open banking include but not limited to;

Payments

Instant payments, automated bulk payments, government payments as well as checkout

points in e-commerce solutions are some examples of how open banking has changed the
world of payments. PesaLink, developed by the Kenya Banker’s Association fully owned
fintech firm IPSL facilitates inter-bank transactions and covers all the above examples. What
was previously a fragmented environment from a data perspective appears to bring positive
implications of a more connected financial ecosystem.

Lending

Lending platforms leverage customer financial data, credit scores and access to other data
such as social media and online activity using artificial intelligence (AI) and machine
learning (ML) to make for better informed data-driven lending decisions. Individuals and
businesses applying for loans experience reduced paperwork and approval timelines from
days to minutes, dispensing with the need to physically go to banks to apply for loans.

However, online lending has come with its share of adverse negative effects including:

Increased indebtedness by individuals due to multiple loans from different lenders;

7
Transparency issues on loan terms and conditions such as unclear and often high interest
rates;

 Hidden fees and clients’ lack of ability to compare rates;

 Aggressive and sometimes misleading marketing practices;
 Customer data privacy issues, including lack of information on data collection practices,
lack of control over customer data and in some cases, the misuse of customer
information;
 Lack of, or irresponsible credit reporting and consumer complaint management practices.

In a bid to boost confidence in this category, players and regulators have began working
together to safeguard customer interests. This can be seen with the passage of data privacy
laws across many African countries, the establishment of digital lending associations such as
Kenya’s Digital Lenders Association (DLAK) and regulators amending their laws to extend
oversight to digital lenders.

Customer verification and onboarding

Customer data access has also brought innovation in know you customer (KYC) and risk
assessment procedures. The solutions seek to reduce the customer onboarding process while
at the same time offering better customer experiences.

Regulatory frameworks

Outside of Africa, open banking is driven by market forces and regulatory interest. Some
have pointed to the EU as the “cradle of open banking” because of the Payment Services
Directive (PSD2)10 and the UK’s open banking standard which essentially pioneered it.

In Africa, one may observe a similar approach. Most, if not all countries, are yet to
implement open banking legal frameworks, but regulators have begun promoting and offering
guidelines on the rolling out of these platforms. Kenya’s Central Bank (CBK), for example,
has prioritized open infrastructure in its 2021-2025 strategy. The policy paper states, in part
that “CBK will facilitate development of industry wide standard for open but secure APIs in a
way that guarantees access, safety and integrity of data sharing systems. These standards will
include API specifications for identification, verification, and authentication; customer
account information/data access; transaction initiation; and formats and coding languages for
APIs. Due to the risk associated with opening up data from financial institutions to third-

8
parties, CBK will define clear risk management frameworks and standards, including
providing clarity on liability and consumer protection.”

Further, as data sharing forms the basis of open banking, a strong data protection regime is
critical to its success. Banks play the dual role of data controller and processor as they are
both holders of customer data and processors through their own sandboxes or APIs.

Data protection laws operationalize the constitutional right to privacy and mandate banks and
third-party providers to keep customer information confidential even when passed through
APIs. This will involve incorporating privacy in the design of these systems to achieve a high
level of compliance. This means, in part, being allowed access to data only for lawful
purposes and giving the customer their rights back through well-articulated opt-outs and the
return and subsequent deletion of their data.

COVID-19 has accelerated digital transformation. The pandemic has brought about a new
normal, and open banking can help boost the recovery from its effects, enrich customer
experiences and transform banking as we know it.

Customer experience

Open banking is all about client data. Platforms need to be designed with the customer’s
experience and interest in mind. The products and services created should consider the
customer’s journey online and banking must be plugged in wherever required. As an
example, EverSend, a Ugandan mobile-only bank that facilitates money transfers for
customers anywhere in the world, allows users to instantly set up virtual debit cards that can
be topped up with funds to facilitate online shopping.

Data Privacy

Data privacy and security are the most important factors for the success of open banking as
the ability to securely process data while complying with data privacy and information
security standards and laws will ensure customer confidence and acceptance to the processing
of their data and drive the adoption of open banking. Otherwise, regardless of its benefits,
consumers will not be convinced to share their personal data. It will be prudent and crucial
for companies to review their data security policies considering the sensitivity of the data
exposed. For example, interest rates and exchange rates can be shared without worry of

9
security. On the other hand, personal information such as customer names and account details
must have high levels of security such as multi-layered verification features.

While this is purely best market practice, sound regulations need to be passed to complement
these efforts. As it stands, there is still a high degree of risk that may impede its success. Data
privacy laws are relatively new in Africa with further guidelines and regulations yet to be
rolled out. And except for countries like Rwanda and South Africa where open banking is
highly regulated, other central banks are yet to follow suit.

Acceleration of digitalization

Regional lockdowns have pushed bank customers to switch to online channels. With cashless
transactions becoming the norm, use of digital products will likely increase. This will push
banks to invest in digital products to offer new experiences to their customers. Absa Bank,
for example, marked its first anniversary in Kenya by committing a multimillion-USD move
to digital services aimed at improving the customer experience.

b) Describe how Kenya can take advantage of localized data protection and privacy
laws through the Data Protection Act (2019) to optimize the benefits of open banking
for the good of different stakeholders.

i. Increase in efficiency and innovation. Data protection can be an advantage to both

customers and banking service providers. The safety created by the Act allows all the
stakeholders to feel safe in doing business flawlessly. Part IV of the act ensures that
set principles and guidelines are followed.
ii. Geographic restrictions on data export. Part VI of the Data Protection Act (2019)
describes the conditions for data transfer outside the country. Sub-section 49 (1)
further goes on to state that the processing of sensitive personal data out of Kenya
shall only be effected upon obtaining the consent of a data subject and on obtaining
confirmation of appropriate safeguards.
iii. Implementing standard-based regulations allowing institutions to move data more
freely outside the originating jurisdiction and at the same time ensuring the security
and privacy of customer data.
iv. Provision of business opportunities. The act allows bankers to share information
with verified third parties (open banking). This initiative is effective in obtaining
more trustworthy business partners.

10
 v. Security. Security is at the core of open banking. All third-party payment service
providers must meet the highest security standards to operate in the market. Open
banking has also brought more transparency to the banking industry since more
players share data, and security features are more widely standardized.
vi. Centralized information. Open banking enables the sharing of information that was
previously only kept by banks. This data can now be transferred to licensed service
providers with a consumer's consent, making banking operations quicker and more
convenient. Consumers can now get more services in one place. Financial services
can meet more customers' needs by providing advice, loan information, and managing
bank transfers with more visibility. This means that business operations are done
faster, which is very important especially in the post covid 19 era.
vii. New financial technologies. Open banking enabled licensed companies to join the
playground, which, for a long time, was limited to legacy banks. These companies
bring in new ideas and can create innovative financial solutions that banks rarely had
the resources or motivation to invest in. more companies are quickly joining the
market and offering various innovative financial technologies that benefit both
consumers and banks that are willing to collaborate.

11
 References

Alunge, R. (2020, March). Consolidating the right to data protection in the information
age: A Comparative appraisal of the adoption of the OECD (Revised) guidelines into
the EU GDPR, the Ghanaian Data Protection Act 2012 and the Kenyan Data
Protection Act 2019. In International Conference on Innovations and
Interdisciplinary Solutions for Underserved Areas (pp. 192-207). Springer, Cham.

Gozman, D., Hedman, J., & Sylvest, K. (2018). Open banking: Emergent roles, risks &
opportunities. In 26th European Conference on Information Systems, ECIS 2018.
Association for Information Systems. AIS Electronic Library (AISeL).

12