 We're here in the ITU studio this morning in Geneva, and I'm with Vijay Mori, who is program coordinator for ITUT, for the Telecommunication Standardization Bureau here at ITU, and he's also chair of the Fiji Security Infrastructure and Trust Working Group. Vijay, welcome to the studio. Thank you. Now, we're talking today because we've got the Fiji security clinic happening very shortly. Perhaps you could tell us a little bit about security issues, and one of the main security issues in digital financial services at the moment. Yes, so the digital financial services sector is a complex sector. It's not what we say a vertically integrated sector, it's a very fragmented sector. That is, there's a lot of players in the sector, and they are kind of interconnected. So for example, the bank may be using the services of the mobile network operator for communications, and they may also be using services of payment service providers, agents, and other network service providers for efficient delivery of the financial services. In this case, as you can see, the security risk is not only the concern of the bank or of the DFS provider. It also concerns all the other players that are involved in the industry in providing the service. So as you know, security is only as strong as a weaker slink in the chain. So there is a need to actually coordinate among all the players on the security risk to ensure that these are well managed in the value chain of digital financial services. And with new technologies coming into play, like for example with FinTech technologies, with the use of artificial intelligence, with the use of big data analytics, there are new risks that are introduced in the service delivery, and these new risks also have to be managed. So as you can see, it's not a process, it's actually a continuous process to keep your security well-tuned in line with security best practices, and this is becoming more and more complex nowadays, and this is why we see that security in digital financial services is challenging because of the need to handle the risk that is introduced in the whole ecosystem. I think people understand the internet. They understand that if they're going to go on the internet, that they might be risked, that they might go on to a mirrored website or something like that, but is it much more complicated when you're on your mobile phone? Yeah, exactly because you need to trust also the device that the user is actually handling to perform the transaction. There is a need to educate users also about device security, how you keep your device secure, because if your device also is not secured, then there is also the risk that the user is also going to lose his money or his identity may be used for other purposes, so there are all these risks that have to be managed. So let's talk a little bit about the main outcomes of the Fiji security infrastructure and trust working group so far. Yeah, so the security infrastructure and trust working group was actually set up to study the different security risks of the telecoms infrastructure which is used to deliver digital financial services. We also look at the security challenges of emerging technologies like distributed ledger technologies, artificial intelligence, big data analytics in the use of, in providing digital financial services for financial inclusion. We also look at the proliferation of digital Ponzi schemes or unlicensed digital investment schemes, how these can be better managed through good coordination between the telco and financial services sector regulators. One thing which is important in financial services is to ensure that it's the right person who is actually making the transaction and that there is no fraudulent transaction happening, so authentication and digital identity is another aspect that we also examine. So we have a report on strong consumer authentication technologies and the application in digital financial services. And of course we have a recommendation on methodologies as well. So methodologies for managing risk in digital financial services. We call this the report on DFS security assurance framework. And we also have another methodology on measurement of quality of service KPIs for digital financial services. And this is very helpful for telecom regulators to be able to monitor the performance of the mobile network system in delivering digital financial services. So all these reports have been, in these areas that I mentioned, these reports, there's about seven reports that have been produced in 2019. Some of them were already presented at the Fiji Symposium in January this year. And four of these reports are going to be presented at the Fiji Security Clinic in this week. And these reports have also led to new standardization work in the ITUT study group. So for example, the report I mentioned on methodology for measurement of quality of service KPIs has led to a new recommendation in ITUT study group 12. And the reports on mitigation of the SS7 vulnerabilities and the report on strong consumer authentication technologies have been presented to ITUT study group 11 and 17 respectively. And these reports were also adopted in these two study groups and will lead to a new creation of new work items. And the remaining reports that I mentioned also going to be presented next year in the other ITUT study group. So we can see there's a good uptake of the reports from the security infrastructure and trust working group in the standardization work that's happening in the ITUT study groups. And also these reports also being fed to the country implementation teams to support their work as well. Let me go back a little bit on the ones that you just mentioned. You mentioned Ponzi schemes. Perhaps for those who are not in the know, what are the Ponzi schemes entail? What are they involved? And how are they seen in the context of digital financial services? Yes. In the context of digital financial services, a Ponzi scheme is actually spread through either SMS or through social media channels like Facebook or Twitter. So basically these are schemes that invite people to invest their money in return for a high rate of return. And ultimately, these people never get back their money and they lose a lot of money. This has happened in some countries. I mean, based on our study in the security infrastructure and trust working group, countries like Nigeria, Bangladesh, and also to some extent Kenya, or some countries where people have been victims to these unlicensed digital investment schemes. But the common factor of all these schemes is they originate more or less in the same place. And then they start up in one country. Then when they are closed down, it's the same actually that opens up in another country. So what we need is actually a kind of coordination at national and international level to basically take action at an early stage before they start spreading. And in this context, in the security infrastructure and trust working group, we are developing what we call measures to help the telecom regulator and the financial services regulators to work together. And at the clinic, we have also invited the Interpol to come and give some information on how they investigate these unlicensed digital investment schemes on their side. And also, we are planning to have a more, let's say, elaborate session at the next Fiji Symposium in 2020. You mentioned regulators. What can regulators do to ensure the security of digital financial services? Yes. So that's actually a very good question. And this is something that we are actually studying in the security infrastructure and trust working group, because we're not talking about one regulator here. We're talking about the, in some cases, there's two regulators. In some cases, there's three or four. So in some countries, the main regulators we're talking about is financial services and telecom regulators. Some countries, they have another regulator specifically for data protection. So we need to involve that regulator as well in the discussion. And in some countries, you also have what we call the competition commissioner, which also needs to be involved in the discussion. And I think in the working group, what we recommend is to have basically good regulatory dialogue at the end of the day. It's not just the regulators talking to each other, but they also need to involve the players in the sector, listen to their needs and requirements, and come up with a regulation that will create a balance between the security needs of consumers, because consumers need to have the assurance that their rights are actually being protected. And also that there is actually due diligence on the side of the DFS providers and the other players in the industry. And to come up with processes and measures and regulation that can monitor the compliance of the DFS providers without putting too much of a burden on the DFS providers at the same time. So it's not an easy task, but it's something that can be achieved through what I would say regulatory dialogue. And in actually the report on SS7 vulnerabilities, we actually propose a template for a moment random of understanding between the telco regulator and the central bank, how they can work together in addressing specifically the SS7 security issues to clearly delineate the responsibilities of each institution. And they can also work together in establishing minimum security baselines for the sector. So it's not just regulation, but I would say in terms of technical guidelines, both regulators could work together in terms of establishing minimum security baselines that can be implemented by the DFS providers. And during the clinic we give a few examples on these, what we mean by security baselines. For example, in the sessions on the 5th of December, the app security framework, where we talk about how to implement an app security framework, we'll have someone from a central bank actually coming and explaining how the central bank went about developing an app security framework for DFS providers that want to use the, that wants to provide DFS services in their country. Well, we wish you the very best of luck with these two, I'm sure, fun filled days of exchange of information here with the top players in the digital financial services industry and the regulators and all the other people gathering here in Geneva. And we look forward to catching up with you again soon. Thank you very much. It was my pleasure. Thank you.