Determining Security Factors for Digital Infrastructure in the Financial and Banking Sector: Singapore's Approach

Gorian Ella ORCID: 0000-0002-5962-3929 PhD in Law Associate Professor, Vladivostok State University 690014, Russia, Primorsky Krai, Vladivostok, Gogol str., 41, office 5502 ella-gorjan@yandex.ru Other publications by this author

Relevance. Financial institutions of the developed economies of the world are becoming targets of serious cyber attacks. Singapore is no exception: being the most developed state in terms of information technology in the world, it is also a key international financial and trade center. This makes it an ideal target for cyberattacks, the consequences of which are much more serious than the usual violation of Singapore's social and economic well–being – the entire international supply chain and banking sector, and in the long run, the international economy, are under attack. Therefore, the legislator of this city-state promptly responds to emerging challenges and improves the regulatory framework. For example, in 1993, Singapore was the first Southeast Asian country to adopt the Computer Misuse and Cybersecurity Act. The second decade of the XXI century was marked by the rapid growth of the digital economy, to which Singapore responded with the Personal Data Protection Act 2012, the National Cybercrime Action Plan 2016, the National Cybersecurity Strategy 2016 and the Cybersecurity Act 2018 ^{[1, p. 105]}. In its Cybersecurity Strategy, Singapore has identified four main areas of close cooperation between the private and public sectors to ensure cybersecurity: (i) building a sustainable infrastructure; (ii) creating a secure cyberspace with the involvement of civil society; (iii) developing a dynamic cybersecurity ecosystem by increasing the number of specialists as a result of cooperation with educational institutions; (iv) strengthening international cooperation, especially within the framework of ASEAN (Singapore's Cybersecurity Strategy 2016, URL: https://www.csa.gov.sg/news/publications/singapore-cybersecurity-strategy ).

Singapore was one of the first to realize that the next stage of the digital revolution is the transition from fragmented digital solutions to digital infrastructures. They will stimulate wider adoption of digital technologies in the economy and society ^{[2, p. 2]}. Digital infrastructures ensure compatibility of solutions and uninterrupted services, which allows reaching more people and businesses at lower costs and greater convenience. Public fundamental digital infrastructures are crucial for inclusive economic and social development. Just as physical infrastructure stimulated the emergence of an industrial economy, fundamental public digital infrastructures accelerate the growth of the digital economy.Statement of the research problem.

The financial and banking sector was one of the first economic sectors to move into the digital environment. The digital infrastructure of financial institutions ensures the continuity of trade and economic processes, therefore its security is the key to the stability of credit, financial and commodity-money relations. The security of the financial and banking sector has an informational nature, since in its essence it is a collection of data reflecting the movement of capital and the operation of instruments. And the data exists in digital format, they are processed in information systems that are vulnerable to physical (technical) and human influence. It is possible to counteract information threats on condition of their certainty, that is, the popularity of those indicators (factors) that determine the very essence of the existence of an object. In this regard, the need to determine such factors is an urgent issue facing the regulator. The security of the digital infrastructure of financial institutions from threats affects the degree of trust in these institutions from both counterparties and investors who trust them with their capital. The high volatility of digital assets attracts a large number of non-professional investors who want to increase their capital. Therefore, in the face of continued investment inflows, financial institutions are forced to increase the costs of ensuring the security of digital infrastructures.The purpose of the study is to characterize Singapore's approach to determining the security factors of digital infrastructure in the financial and banking sector.

Methodology.

To obtain the most reliable scientific results, a number of general scientific (system-structural and formal-logical methods) and special legal methods of cognition (comparative legal and formal-legal methods) were used.The subject of the study, the source base of the study, contradictions in existing studies and the author's position.

The subject of the study is the main regulatory legal acts in the field of ensuring the security of Singapore's digital infrastructure. The topic we have chosen for the study has not yet been sufficiently studied in the Russian scientific literature and is a logical continuation of our research within the framework of the RFBR grant "Ensuring the rights of investors in the banking and financial sectors in the conditions of digitalization of the economy in the Russian Federation and the leading financial centers of East Asia: a comparative legal aspect". However, it should be noted the work of O.M. Makhalina and V.N. Makhalin, in which they prove the need to consider the costs of information security as "strategic investments that ensure the continuity of their business processes and that create advantages in an era of rapidly developing cyber threats" ^{[3, p. 136]}.The main part.

The Monetary Authority of Singapore has identified four key components of the basic digital infrastructure in 2021: 1) digital identity, 2) authorization and consent, 3) functional compatibility of payment systems (payments interoperability) and 4) data exchange ^{[2, p. 2-3]}. The level of security of these main components affects the ability to carry out digital operations, together they provide the foundation of the digital economy. In science, it is customary to distinguish several security factors of information systems ^{[4, p. 30]}: cognitive, social, information-technical and organizational-administrative. Consequently, digital infrastructures, being complex information objects, can be influenced by processes and phenomena that negatively affect their functionality. At its core, digital infrastructure is a complex of technologies and digital products built on their basis, providing computing, telecommunications and network capacities, and working on a digital basis (Digital transformation. Terms and definitions: STB 2583-2020. – Introduction. 2021-03-01. – Minsk: Gosstandart, 2020. – 16 p.). Therefore, the key components of the digital infrastructure allocated by the Monetary Authority of Singapore determine the level of security of the production processes of financial institutions. Let's look at them in more detail.

A key element of the digital infrastructure is a reliable digital identity that allows individuals, businesses and government agencies to represent themselves and act on behalf of others in the digital space. The digital identity of a person is understood as "a set of unique personal data of a person presented in digital form, allowing to identify this person from other subjects of digital interaction" ^{[5, p. 9]}.

Digital identity allows you to automate access to services provided by computers, and allow computers themselves to mediate relationships. It acts as a common, reliable and reusable method of data transmission. Digital identity allows users to use one means of authentication through several digital services (including websites, applications, devices). This data collectively defines an individual and can be used to identify an individual, an enterprise, or a government agency. The purpose of digital identity is broader than the general identification of the end user: it can confirm his ability to access services or perform a specific task.

Digital identity is associated with mechanisms that ensure the proper use of personal data (Personal Data Protection Act 2012, URL: https://sso.agc.gov.sg/Act/PDPA2012 ). They are necessary to ensure proper security, fraud prevention and other control measures, as well as for other purposes implied by the nature of data use. Such use of personal data is legal and all types of use must be properly reported/brought to the attention of users. As a result, users should understand how their data is used and for what purposes, and the amount of data should be sufficient to achieve a specific goal. Information system operators should use notifications and consent forms so that users of digital infrastructures understand how their personal data is used.

By eliminating the need to use multiple passwords and identity verification procedures, digital identity allows customers to use a single means of identifying themselves in several digital services, including websites, applications, devices, etc. This allows the user to identify himself as the final recipient of the service or product. Digital identity belongs to, is managed and controlled by an individual, which means that he has the right to access his personal data, change and delete them, and also has the right to protection in case of violation of his rights. Due to the complexity of monetary, financial, trade and economic relations involving several entities in the legal plane at the same time, there is an objective need to create a so-called "ecosystem", a complex digital infrastructure that provides secure data exchange between end users, information intermediaries, service providers and data verification service providers, as well as personal data operators together with technical devices for storing such data ^{[2, p. 10]}.

Authorization is defined as the process of granting a user or a group of users certain permissions, access rights and privileges in a computer system ^{[6, p. 402]}.

In order for information systems to work effectively, most countries and regions have put into effect a set of legal norms and other requirements that guarantee users' understanding of the processes of using information in each digital context. The purpose of these requirements is to ensure transparency of information for individuals, as well as greater accountability of all operators (both public and private persons) who may use personal and confidential data to carry out transactions or provide services (Cybersecurity Act 2018, URL: https://www.csa.gov.sg/legislation/cybersecurity-act ).

One of the most common methods of ensuring transparency and obtaining consent from an individual is to send a notification to an individual, and then request consent for the use specified in the notification. There are various notification and consent models that have been deployed by a number of systems. The most common is the explicit notification and consent mechanism, which allows end users to choose how their data is used when they digitally interact and carry out transactions with their chosen service providers (Technology Risk Management Guidelines for Financial Institutions 2021, URL: https://www.mas.gov.sg/regulation/guidelines/technology-risk-management-guidelines ). This gives users the ability to control their data, consent to data exchange or initiate payments. This method is a high-trust model that allows users to exercise some control over their actions and transactions in the digital economy.

All authorization and consent mechanisms require clear and transparent disclosure of information about how and what information will be collected, used and transmitted. In order for the digital environment to function and inspire trust among users, transparency (transparency) is the key to ensuring that the parties understand their responsibilities to each other. Depending on the confidential nature of identification and personal data, as well as how this information will be used and how widely it will be distributed or published, it is important that all parties understand the need to ensure the security of information and the principle of data minimization (collection, use and storage of only those data that are necessary for the creation and provision of this services). All parties must disclose, either initially or upon request, all uses of the data. To further achieve trust and control of users, it is necessary to introduce technologies to increase confidentiality and security, if possible, in order to minimize the exchange of personal and confidential data in open form, in order to provide the protection necessary for all parties ^{[2, p. 11]}.

Consent services are usually presented in the form of an information panel or data warehouse that provides users with information about what data will be used, for what purposes and with which service providers. After authorization, the user works with the consent service, choosing a number of services for which he allows the use of his data, and gives permission or consent to the use of his data for a number of transactions or services. This type of permit can be issued for an unlimited period of time or have a specific validity date. It still allows the user to set the level and type of information exchange and usage types. The user can log back into the data warehouse or toolbar at any time to change their settings or permissions and/or select new services with which to share their data. The advantage of this method is that it eliminates the friction associated with repeatedly interrupting data flows to obtain consent from a person. It also has the disadvantage that users do not necessarily regularly review their personal accounts to make sure that they remember or fully understand the consequences of their consent and the associated data exchange.

To ensure smooth payments between both digital and digital and physical environments, the interoperability of payment systems (interoperability of payment systems) is necessary. Interoperability is a complex and multifaceted concept that includes management components, technical aspects and branding. Governance includes a set of rules and contracts that allow parties to participate in the clearing and settlement process (commonly known as a "scheme"). Management can be established by a local act of a financial institution or by law (Payment Services Act 2019, https://www.mas.gov.sg/regulation/acts/payment-services-act ). Technical components are the infrastructure through which payment (or related) messages are exchanged, as well as formats, networks, security protocols and mechanisms that ensure risk-free and timely execution of clearing and settlement functions.

The functional compatibility of payment systems depends on the following factors: 1) access subjects - access to the payment scheme is often not limited to banks. Companies and third-party solution providers (payment gateway providers, gateway providers) may also have access in accordance with the rules and structure of the scheme; 2) the non-discriminatory and simple nature of access means simple and reasonable parameters for joining the payment scheme. They include adaptation and ongoing participation. Small banks or new entrants to the industry should not face unreasonably high or inadequate entry barriers; 3) innovativeness - the design of the scheme and its infrastructure should encourage innovation. Ease of access and common message standards are key. In a practical way, it is necessary to identify and implement new options for using payment systems (regardless of the underlying payment schemes; 4) user protection - measures should be provided to protect users' rights, in particular, data protection and fraud detection; 5) time of operations – payment processing can be carried out according to a schedule, i.e. batch processing (batch, scheduled processing) or in real time. Recently, there has been a shift in favor of the latter all over the world. However, batch processing still has significant advantages where real-time mode is not required, such as monthly salary payments; 6) risk management is a key issue for payment schemes. Mechanisms are required to eliminate settlement risk, manage reputational risk and enable banks to manage credit risk; 7) the possibility of replacement is an important factor in reducing risk and providing a choice for the user. The possibility of replacing one payment scheme with another (for example, making payments in real time and batch payments) helps to reduce the risk of technical failure of the bank or payment scheme. The replacement also allows buyers and sellers to choose the most appropriate payment option; 8) Communication standards based on ISO 20022 are common open standards. They help banks and other institutions optimize their systems and enable vendors to develop services and products. It is allowed to replace common message standards; 9) security - security standards directly support the integrity and contractual nature of the payment scheme. Standards should be strong enough to withstand the latest threats, and should ensure authentication, confidentiality, data integrity and non-repudiation of work. Non-repudiation is the key to maintaining the contractual nature of the payment scheme and the system of responsibility for it ^{[2, p. 12]}.

These factors determine the need to develop services based on local clearing and settlement infrastructure. As an example, we can give a proxy (proxy) - an alternative to bank account numbers and a service such as Request-to-Pay (RtP). Proxy literally translates as "intermediary". This is a minimal set of data (QR code, phone number or email address, for example), to which the bank details of the beneficiaries are linked. Payments are made by simply specifying the beneficiary's proxy, keeping his personal or confidential data secret from the payer. A proxy is an alternative well–known and convenient identifier that ensures the security of bank account data. It also works independently of the current account and its associated bank (in other words, the account holder can move his account to another bank, and payments will follow as long as the information about the single proxy/account is updated).

Request-to-Pay literally translates as "request for payment" and means that the recipient of the payment initiates a request for a specific operation from the payer. The system provides a digital request that the payer can receive on his mobile device. It can appear in a mobile banking application or through a third-party application. After that, the payer can accept or reject the payment request. Depending on the region, the request may also include detailed information about the transaction, the date of payment or other details of the invoice. If the payer approves the payments, a real-time transfer is initiated to the payee. This service provides a fast way to carry out transactions between two parties without the need to remember or search for complete account information.

Data exchange allows end users to make their data available and accessible to their service providers for a set period of time and for a specific purpose. Data can be exchanged to enable financial planning through apps and financial advisors, making it easier to collect information for filing taxes or applying for loans based on verified information. Data exchange can also support payments by authenticating the accounts of their owners and providing digital identification by providing information to authenticate a person. The data to be exchanged may include credit details, transaction data, demographic data, and assets. Like other elements supporting digital infrastructure, technical and management components will be required for data exchange.

In order for data exchanges to be carried out properly in the context of a specific digital infrastructure, it is necessary to take into account the purposes for which data exchange will be used and the following design criteria. Firstly, these are security requirements that ensure that data exchange is secure, but at the same time flexible enough to implement the latest technologies. Secondly, these are confidentiality requirements that ensure transparency and clarity of the processes in which data is used for users, as well as consent to the transfer and use of their data and the ability to revoke this consent. Thirdly, these are technical standards that ensure the compatibility of data transmission mechanisms. Application programming interfaces (API) must provide data of the required quality in the same format for certain use cases. Fourth, these are standards for the authentication of individuals or legal entities in their accounts and data to limit fraudulent access and restrict the exchange or storage of bank credentials. Fifth, there are incentives for data providers (for example, financial institutions) to ensure timely access to data, since the lack of incentives can create obstacles to data exchange. And finally, it is parity of access to data for individuals and small businesses to obtain full economic benefits for all participants of the ecosystem, as well as equal modes of activity for all participants of the ecosystem. This will allow for competition between data providers (for example, financial institutions), data aggregators (i.e. technical intermediaries and service providers) and data users (such as a provider of payment functions) ^{[2, p. 13]}.

The security of data exchange depends on several factors. This is, first of all, the functional security of the API and similar data transfer mechanisms to ensure the ongoing data exchange between data providers, any intermediaries and the end user of the data. Authentication of users in their accounts should be carried out in a safe and reliable way, which reduces the risks of fraud. Data governance and data management capabilities should be provided to convert the provided data into the necessary information for specific use cases, for example, for performing analysis in order to prevent fraud. Data management includes processes from data creation to data deletion. Data management consists in creating rules and solutions for operational processes that run within these processes (therefore, data management is not a separate process). And finally, an important factor is the development, adjustment and updating and adjustment of management and technical standards by authorized state bodies and self-regulatory organizations.

Unlike Internet infrastructure, the creation of digital infrastructure requires not only compliance with technical standards. For example, when performing digital transactions, internal and external exchanges of financial information are based on trust networks that are regulated by legal, business and technical agreements and standards. As data becomes increasingly valuable in the digital economy, there is a strong case for applying "digital payment management" mechanisms to ensure trust in digital infrastructures. This ultimately leads to the creation of a digital infrastructure that allows end users to control both their money and data in a reliable way, placing a person at the center of the digital ecosystem.

The Monetary Authority of Singapore has taken the initiative to unite the efforts of all regulators to develop a common strategic understanding, identify appropriate regulatory instruments and interaction of relevant stakeholders. The financial regulator criticized the tendency of the state apparatus to over-regulate the introduction of innovations. In his opinion, the best motivation for innovation has historically been the commercial factor. ^{[2, p. 3]}. Technological innovations are regularly introduced by companies looking for market niches, which are the unmet needs of end users (consumers, companies or governments). Innovations should bring the desired and necessary results. The government should assume the role of creating a favorable climate for investment in innovation. Singapore has long been a global leader, having established the right balance between encouraging investment in new technologies in the financial and banking sector and protecting its population from unscrupulous actors. This is the result of active interaction between the state apparatus and the management of financial institutions.

Conclusions. As a result of the conducted research, we came to the following conclusions. The Monetary Authority of Singapore puts forward the same requirements for the security of digital infrastructures in both the public and private sectors. In any digital infrastructure, the security of four key components must be ensured: 1) digital identity, 2) authorization and consent, 3) functional compatibility of payment systems (payments interoperability) and 4) data exchange. Digital identity defines confidence from two sides of digital interaction. Each participant must be sure that the party at the other end is the subject he pretends to be. Therefore, mechanisms should be developed to ensure authentication and confirmation of the user's identity while ensuring the confidentiality and security of information. Digital interaction should be transparent, safe and effective. The data should be used in accordance with the purposes for which they are provided, and in a way that is expected and understood by users. The digital infrastructure should have built-in tools and mechanisms explaining to users how their information is collected, used and exchanged, as well as enabling them to own, manage and control their personal and confidential data. Ensuring the functional compatibility of payment systems includes managerial and technical factors, the consideration of which affects the security of transactions. Approaches to data exchange should be similar: data providers (financial institutions) should ensure the use of data in the interests of a particular person. Data exchange allows you to make payments, carry out financial planning, create a digital identity, create credit files and perform other actions due to the nature of the digital infrastructure.

The main security factors of the digital infrastructure of the financial and banking sector are the following. This is a holistic approach to the development of regulatory policy, as well as the defining role of the financial regulator in the creation of digital infrastructure. In addition, it is important to remember that the technical side is only one of the elements of the digital infrastructure: it is necessary to balance regulatory, technical and business standards. Attention should be focused on building the trust of the end user. The protection of the digital infrastructure of financial institutions from threats increases the degree of confidence in these institutions on the part of investors. Therefore, Singapore's financial institutions have a high investment attractiveness.

The research was carried out with the financial support of the RFBR as part of the scientific project 20-011-00454  "Ensuring the rights of investors in the banking and financial sectors in the context of the digitalization of the economy in the Russian Federation and the leading financial centers of East Asia: a comparative legal aspect"