National Security
Reference:

Legislative Prevention of New Financial Technologies Threats

Pleshakova Ekaterina Sergeevna

ORCID: 0000-0002-8806-1478

PhD in Technical Science

Associate Professor, Department of Information Security, Financial University under the Government of the Russian Federation

125167, Russia, Moscow, 4th Veshnyakovsky Ave., 12k2, building 2

espleshakova@fa.ru
 

 
Gataullin Sergei Timurovich

PhD in Economics

Dean of "Digital Economy and Mass Communications" Department of the Moscow Technical University of Communications and Informatics; Leading Researcher of the Department of Information Security of the Financial University under the Government of the Russian Federation

8A Aviamotornaya str., Moscow, 111024, Russia

stgataullin@fa.ru
 

 
Osipov Aleksei Viktorovich

PhD in Physics and Mathematics

Associate Professor, Department of Data Analysis and Machine Learning, Financial University under the Government of the Russian Federation

125167, Russia, Moscow, 4th Veshnyakovsky str., 4, building 2

avosipov@fa.ru
 

 
Bylevskii Pavel Gennadievich

PhD in Philosophy

Associate Professor, Department of Information Security, Financial University under the Government of the Russian Federation; Moscow State Linguistic University

49/2 Leningradskiy Prospect str., Moscow, 125167, Russia

pr-911@yandex.ru
 

 

DOI: 10.7256/2454-0668.2022.6.39275

EDN: MRAOCI

Received: 29-11-2022

Published: 30-12-2022


Abstract: The subject of the study is the legal prevention of the use of computer and telecommunication technologies by intruders in new remote financial services in Russia. An increase in the variety and volume of attacks is inevitable, given the desire of scammers to obtain personal and confidential information. In recent years, Russia has made significant progress in improving its infrastructure responsible for information security. The article is a comprehensive analysis of Russian legislation. It presents an analytical review of the directions in which Russian federal legislation has developed in recent years with the aim of preventive counteraction and the elimination of a number of conditions and prerequisites of cybercrime in the financial sphere. Particular attention is paid to the jurisdictional aspects of Russian legislation. The government needs to make thorough preparations to counter a range of unwanted cyber events, both accidental and intentional. There are significant risks of local attacks and losses as a result of compromising computer and telecommunications services. The conclusions contain final proposals for further improvement of legislation taking into account foreign and international experience. The main conclusion of the study is that it is productive to single out strategic prevention as a direction of preventive activity: the preventive identification and elimination of gaps in the regulatory framework, as well as of technical and organizational vulnerabilities that make possible various types of attacks and "schemes" of cybercriminals in the financial sphere.


Keywords: Information security, telephone fraud, social engineering, remote financial services, identification, personal data, computer crime, regulatory framework, legislation, phishing

The article was prepared as part of the state assignment of the Government of the Russian Federation to the Financial University for 2022 on the topic "Models and methods of text recognition in systems for countering telephone fraud" (ВТК-ГЗ-ПИ-30-2022).

Introduction

Strategic prevention is about identifying and addressing the vulnerabilities of remote financial services to fraud, including the increasing use of mobile phones by attackers. The conditions and prerequisites that make possible and facilitate such offenses include a variety of organizational and technical tools that are modified and used by attackers for criminal purposes.

Counteracting cybercrime in the financial sector is a complex, systemic task that includes a wide range of diverse aspects, as was noted by the participants of a meeting held on June 3, 2016 in the Government of Russia and dedicated to the information security of the financial industry. In this activity, an important place belongs to strategic prevention: the prevention of crime through the preventive identification and elimination of vulnerabilities, including legal gaps.

1. Legislative prevention of information threats of new financial technologies

Difficulties in the development of legal tools to combat telephone fraud are due to the fact that it is not enough to introduce changes and new rules into individual federal legislative acts. Work on draft laws in the State Duma of the Russian Federation is already a rather complicated and lengthy process, which takes into account summarized banking practice, statistics of incidents and damage caused, and urgent needs formulated by practitioners. It is necessary to carry out numerous approval procedures with relevant departments and state regulators: the FSB of Russia, the FSTEC of Russia, Roskomnadzor, the Ministry of Digital Development of the Russian Federation, and the Bank of Russia. However, for a noticeable positive result, changing individual norms and laws is not enough: as a rule, harmonization is required with related federal legislative acts and departmental regulations in various branches of law, including the Criminal Code of the Russian Federation, the Code of Criminal Procedure of the Russian Federation, and administrative and financial law.

The development of legal instruments substantiating new organizational and technical measures to prevent fraud in the financial sector using computer and telecommunication means is being carried out in several directions. Thus, the main state regulator of the financial sector was empowered to carry out pre-trial blocking of fake Internet resources.

This required an amendment to Art. 46-1 of the Federal Law "On the Central Bank of the Russian Federation (Bank of Russia)", as well as to the Federal Law "On Information, Information Technologies and Information Protection" and the Civil Procedure Code of the Russian Federation (in terms of clarifying the list of information whose dissemination in the Russian Federation is prohibited). The Chairman of the Bank of Russia received the exclusive right to make decisions on blocking access to fraudulent web resources, websites of "financial pyramids" and fake imitations of the Internet services of banks and other financial organizations. As a result, in the first year of the implementation of the new powers of the Bank of Russia, about 2,000 fraudulent Internet resources were blocked without time being spent on coordination with the prosecutor's office and on court decisions.

The farthest “frontier” of applying legal instruments in the prevention of fraud, including those committed using voice communications and Internet access via mobile devices, is the legislative regulation of the security of new financial instruments. Preliminary examination of their security, forecasting of threats, calculation of risks help at the legislative level to preventively minimize potential damage from intruders. In 2020, federal legislation was supplemented with a number of laws regulating new digital financial instruments [5], including aspects of their security.

After the creation of a legal framework for digital assets, online trading (“marketplace”), the use of biometric data for simplified secure customer identification, the legislative support for the regulated legalization of cryptocurrencies in the Russian Federation and the start of the issuance of the digital ruble were on the agenda. Following the adoption of Federal Law No. 211-FZ “On Financial Transactions Using a Financial Platform” dated July 20, 2020, five registered financial platforms providing services only to individuals were entered in the register of the Bank of Russia.

Federal Law No. 46-FZ dated March 8, 2022 “On Amendments to Certain Legislative Acts of the Russian Federation” expands the range of opportunities for financial platforms, opening up the possibility for legal entities and individual entrepreneurs to act as their operators. The list of goods and services offered by financial platforms will become wider when operators apply customer identification procedures provided for by legal norms against the legalization of illegal income.

New financial instruments, which are widely discussed in the professional environment, include cryptocurrencies, digital money and, more widely, blockchain technologies used in the financial sector - decentralized distributed registries [2]. Amendments to the Federal Law "On the Central Bank of the Russian Federation (Bank of Russia)" dated July 10, 2002 No. 86-FZ expand the functions of an industry mega-regulator in relation to aspects of the issuance and circulation of the national digital currency. At the same time, such risks of "digital money" for the financial market as the creation of fraudulent "pyramids" are taken into account, which can be prevented by complying with the requirements of effectively built information security.

2. Preventive minimization of legal risks of digital money

The attitude of state regulatory bodies and legislators, as well as domestic information security specialists in the financial sector, to cryptocurrencies can be characterized as critically constructive. Cryptocurrencies can serve as a tool for illegal financial transactions, including money laundering by phone scammers and criminals of other profiles. Significant threats to Russian citizens and national interests when using cryptocurrencies come from cross-border crime, as well as from special services of states unfriendly to Russia [4].

The use of cryptocurrencies whose issuers are hidden is burdened with speculative risks, market and non-market threats of exchange rate instability, including both overt and covert organized betting on an increase or decrease. A negative example is the initially successful stable bitcoin El Petro from Venezuela, whose rate collapsed after US sanctions. The restrained position of the Bank of Russia regarding the legalization of bitcoin warned many millions of Russians against investing in this highly volatile financial instrument and prevented them from significant losses when its exchange rate fell.

At the same time, cryptocurrencies can serve as a tool for financial settlements and international transactions that are not controlled by governments and organizations of countries that impose sanctions and take other unfriendly actions against the Russian Federation [8]. Significant opportunities for the introduction of the digital ruble are also seen in our country; therefore, with the participation of the Bank of Russia, the Federal Law “On Digital Financial Assets, Digital Currency and on Amendments to Certain Legislative Acts of the Russian Federation” dated July 31, 2020 No. 259-FZ was developed and then adopted by the State Duma of the Russian Federation. The legalization of cryptocurrencies is carried out under strict regulation by the state, in accordance with the principle of centralization of emission, transactions, wallets, etc.

In the context of the monopoly of the Bank of Russia, the key state regulator of the financial sector, on the issuance of the “digital ruble”, reliable protection of users requires that responsibility for the stability and continuity of the infrastructure of this new, “third form” of the national currency (in addition to cash and non-cash money) be determined and distributed. The technological and operational infrastructure for it is formed by connecting credit and other financial institutions, which will require regulation through by-laws. There are corporate platforms for issuing digital assets created by Sberbank, Norilsk Nickel and Transmashholding.

The strategic directions for the prevention of telephone fraud, along with related and similar crimes using computer and telecommunications tools, include increasing the security of identifying legal clients of financial services, especially when making payment transactions and money transfers. At the same time, the security of identifying users of financial services must be balanced with the convenience of this procedure, including the effort, time and other parameters expended [7].

The introduction of simplified identification for the use of remote financial services, which increases convenience for customers, requires special forethought: at the same time, close attention had to be paid to ensuring that the increase in comfort was not at the expense of security [6]. The legislative framework for simplifying the procedures for identifying clients of financial services in 2021 was developed taking into account the regulatory requirements for combating money laundering.

To this end, amendments were made to Art. 7 of the Federal Law "On counteracting the legalization (laundering) of proceeds from crime and the financing of terrorism" dated August 07, 2001 No. 115-FZ. Some of the changes concerned the possibility of carrying out the exchange of banknotes or coins for an amount equivalent to no more than 40,000 rubles without identifying the operation. For a larger amount, up to 100,000 rubles, as well as in case of doubt, the operator of the operation provided for simplified identification of the client or his representative using the number of his driver's license. Cash operating organizations are provided with the opportunity to check, through the ESIA, the accuracy of the information provided by the client for identification.

3. Regulatory security of the use of biometrics in the financial sector

A technological solution that improves the convenience and security of identifying users of financial services is the use of biometric personal data of citizens. This new technical identification tool for obtaining financial services is especially in demand in remote regions of Russia, as well as among sedentary citizens and people with disabilities. However, as some vulnerabilities of other, former methods of identification are removed, it is necessary to foresee, calculate and prevent the realization of information security threats specific to biometric data [1]. This task falls, among other things, on the shoulders of legislators.

The legal basis for the wider use of the Unified Biometric System in the provision and use of remote financial services was the Federal Law “On Amendments to Certain Legislative Acts of the Russian Federation” No. 479-FZ dated December 29, 2020. The work on the bill took two years, as it required a lot of approvals from various federal executive authorities. The parties considered various aspects of the safety and security of the collection, transfer, storage and use of biometric data of Russian citizens.

In the course of work on the bill, the originally intended areas of application of biometric data were expanded, from identification for opening bank accounts to concluding contracts for a wide range of financial services. In addition, the possibilities of biometric identification were extended to ordering and receiving state and municipal services [3]. The Unified Biometric System (UBS; EBS in its Russian abbreviation) acquired the status of a centralized official resource, and the network of points for citizens to submit their biometric data was expanded to include multifunctional public service centers. The state regulator of the financial sector, the Bank of Russia, was empowered to formulate requirements for the collection of biometric information for various structural divisions of banks: branches, branches, operating cash desks, etc. Credit institutions with a basic license to provide banking services have acquired the right, at their own discretion, to transfer or not transfer the collected biometric data of citizens to the EBS.

Legislative innovations have also affected commercial organizations that create and use their own biometric databases. They were also allowed to conduct such activities, but were required to obtain accreditation according to established procedures, as well as to transfer the collected biometric data to the EBS. Control and supervisory activities in this area were assigned, in addition to the Bank of Russia, to three other federal executive bodies regulating the financial sector - the FSB of Russia, the FSTEC of Russia and Roskomnadzor.

In 2021, the EBS was given the state status of an information system at the federal level. The permission to connect to it has been expanded from banks to other financial institutions, non-credit, insurance investment companies, brokers, operators of digital assets and marketplaces that carry out transactions with other types of property that are subject to regulation and to the control and supervisory activities of the Bank of Russia. It became possible to provide financial services after identification through the EBS not only of citizens, but also of individuals as representatives of organizations, legal entities, endowed with the right of representation without a power of attorney.

Numerous objections and criticisms have been raised about the ability of banks to provide remote financial services in mobile applications and web services to new customers from January 1, 2022, identifying them through biometric data. Since many credit institutions did not have time to take the organizational and technical measures necessary for this, the date for the entry into force of the new rule was delayed to September 1 of the same year. The entry into force of the requirement for state accreditation for organizations operating information systems that process citizens' biometric data for identification was postponed to the same date. The postponement was legally formalized in the Federal Law of December 30, 2021 No. 441-FZ “On Amending Article 153 of the Federal Law “On Information, Information Technologies and Information Protection” and Articles 3 and 5 of the Federal Law “On Amending Certain Legislative Acts of the Russian Federation””.

Additionally, citizens who have a verified account in the state Unified Identification and Authentication System (ESIA) were given the opportunity to place their biometric data in the EBS independently, including through mobile applications. To confirm the identity in this case, it is necessary to have a foreign passport, in which the biometric data of the owner is contained on an electronic storage medium.

Conclusions

Legislative support for the strategic prevention of telephone fraud and many other types of "high-tech" crimes and offenses consists in predicting potential threats, in particular those associated with the introduction of new financial instruments, technologies and services. Foreseeing related threats and measuring risks, as far as possible, makes it possible to make informed decisions about the format for legalizing such innovations, and to “embed” tools for security and for counteracting intruders into legislation in advance.

The direction of strategic prevention is also evident in the practical activities of legislators, an example of which is the legalization of digital money and blockchain technologies. This activity deserves further development and improvement in order to increase the effectiveness of preventive information security and minimize the legal risks of new financial technologies.

References
1.
2.
3.
4.
5.
6.
7.
8.

Peer Review

Peer reviewers' evaluations remain confidential and are not disclosed to the public. Only external reviews, authorized for publication by the article's author(s), are made public. Typically, these final reviews are conducted after the manuscript's revision. Adhering to our double-blind review policy, the reviewer's identity is kept confidential.

The subject of the study. The reviewed article "Legislative prevention of legal threats of new financial technologies" is devoted to the analysis of legislation and existing legal mechanisms for countering cybercrime in the financial sector. The author is convinced that crime prevention is possible through preventive identification and elimination of vulnerabilities, including legal gaps. It is these problems that he explores in his work.

Research methodology. In the course of the work, modern research methods were used, both general scientific and private. The methodological apparatus consists of the following dialectical methods of scientific cognition: abstraction, induction, deduction, hypothesis, analogy, synthesis, historical, theoretical-prognostic, formal-legal, systemic-structural legal modeling, as well as the application of typology, classification, systematization and generalization. The use of modern methods made it possible to study established approaches, views on the subject of research, to develop an author's position and to argue it. The work combines theoretical and empirical information.

The relevance of research. The relevance of the topic of the article is beyond doubt. The growing number of cybercrimes (and primarily with the use of mobile communications) in the financial sector requires new legal mechanisms to ensure security. Difficulties in developing legal instruments to combat telephone and Internet fraud are related to the fact that it is not enough to make changes and new rules to individual federal legislative acts, special enforcement mechanisms are required. It is also important to note that legislative activity is a rather complex and lengthy process, taking into account generalized banking practice, statistics of incidents and damage caused, as well as urgent needs formulated by practitioners. All these circumstances point to the importance and relevance of timely legislative initiatives to counter cybercrime in the financial sector of the economy.

Scientific novelty. The topic of the article is not completely new to Russian legal science, but the aspect of the study has elements of novelty. The author raises the issue of information security when using biometric personal data in the financial services sector, noting not only the "convenience" side of such a format of public relations and predicting possible risks and threats. Thus, the author writes that "A technological solution that increases the convenience and security of identifying users of financial services is the use of biometric personal data of citizens. This new technical identification tool for obtaining financial services is especially in demand in remote regions of Russia, as well as sedentary citizens and people with disabilities. However, as some vulnerabilities of other, previous identification methods are eliminated, it is necessary to anticipate, calculate and prevent the implementation of specific information security threats specific to biometric data."

Style, structure, content. In general, the article was written at a high scientific level. The content of the article reveals the stated topic and includes, in addition to the introduction and conclusion, three effective parts (1. Legislative prevention of information threats of new financial technologies; 2. Preventive minimization of legal risks of digital money; 3. Regulatory security of the use of biometrics in the financial sector). The material is presented consistently, competently and clearly. The author's conclusion is noteworthy that the legislative support for the strategic prevention of telephone fraud and many other types of "high-tech" crimes and offenses consists in predicting potential threats, in particular, related to the introduction of new financial instruments, technologies and services.

Bibliography. We believe that the author has not studied enough bibliographic sources on the research topic. The topic is relevant, although new, and a number of works by domestic and foreign scientists have already been published.

Appeal to opponents. The author in his article very correctly addresses the opinions of other scientists. All citations are provided with footnotes to the source of the publication.

Conclusions, the interest of the readership. The article "Legislative prevention of legal threats of new financial technologies" meets the established requirements for works of this kind and is recommended for publication in the scientific journal "National Security / nota bene" (provided that the bibliographic list is finalized and appropriate additions are made to the article). We believe that the article will be of interest to Russian and foreign readers dealing with comparative studies.