ICT and payment services

Developments

Financial institutions reported a few more ICT-related incidents in 2020 than in 2019. The proportion of security incidents was greater than the year before. None of these were related to the Covid-19 pandemic. During the year, two different variants of infected software were reported that could enable criminals to attack institutions’ networks from within and destroy or steal data. However, no institutions have registered that any damage has been done. The Financial Infrastructure Crisis Preparedness Committee (BFI) held a number of meetings in 2020 to review the institutions’ current status and measures to handle the Covid-19 crisis. Finanstilsynet did not observe any particular operational irregularities in the payment systems as a result of the crisis.

Fewer IT inspections than normal were carried out in 2020. A lot of work was devoted to processing reports on outsourcing and changes in payment systems, including changes in providers of a shared payment infrastructure. Finanstilsynet followed up requirements in accordance with PSD 2 and the Regulations on Systems for Payment Services. These include requirements concerning interfaces for trusted third parties, requirements for strong customer authentication for e-commerce card payments and new fraud and risk reporting to Finanstilsynet.

Supervision, monitoring and control

Supervision of ICT and payment services

Finanstilsynet conducted 17 on-site inspections in 2020 focusing on ICT and payment services. There were fewer inspections than planned, which was primarily due to the Covid-19 pandemic. Most of the inspections in 2020 were carried out on digital platforms. Five of the 17 inspections were conducted at banks, three at insurers, three at investment firms, two at debt collection agencies, one at a real estate agency, two at audit firms and one at an external accounting firm. Two of the inspections at banks were thematic AML inspections focusing on the banks' systems for electronic monitoring of suspicious transactions.

Through its inspections, Finanstilsynet has noted challenges relating to management and control of IT activities when the entity is part of group that is responsible for parts of ICT operations on behalf of all the group entities. Being part of a group offers the entity advantages in the form of a shared infrastructure and access to resources and expertise. However, Finanstilsynet notes that individual entities in the group may not have a separate risk analysis of its IT operations nor an IT strategy, and that there are several levels between the entity and the outsourced operations. The entities must ensure that they manage and control their IT operations themselves.

Lack of or inadequate testing of disaster recovery solutions was commented on at several inspections in 2020. Finanstilsynet also pointed to the heightened risk arising from giving service providers responsibility for application development and at the same time access to the production environment. To compensate for this, strict controls are required.

Supervision of banks' systems for monitoring suspicious transactions linked to money laundering and terrorist financing showed that the banks have established customer-specific rules. However, this has less effect when the risk classification of customers, which forms the basis for proper use of the rules, is inadequate.

Incident reporting

207 incidents were reported in 2020, which is a slight increase from the year before. 20 of these were security incidents. Most of the security incidents were DDoS attacks, but several institutions reported two different variants of infected software that could enable criminals to attack the institutions’ networks from within and destroy or steal data. These were reported at the beginning and the end of the year, respectively. None of the institutions had registered that any damage had been done.

The increase in the number of incidents appears to be due to the fact that several types of financial institutions are actively reporting incidents and that a greater variety of incidents are reported. Four incidents were reported in which the institution discovered vulnerabilities in its own software before the vulnerability was exploited. Two incidents regarding failure to submit data to debt registers and eight incidents concerning discrepancies in the electronic AML transaction monitoring were reported. Five incidents were reported by debt collection agencies. Incidents reported by banks and entities in the securities sector are predominant. Insurers reported only six incidents in 2020. The incident that received most attention in 2020 was an operational incident in DNB in June that caused several days’ delay in salary and holiday allowance payments to a large number of customers. In July, an operational incident in Nets attracted considerable attention because it affected the payment services of several institutions for an extended period in the afternoon/evening.

Number of reported ICT incidents

Source: Finanstilsynet

ICT outsourcing

In 2020, Finanstilsynet received more than 250 notifications of outsourcing. Of these, there were 36 from insurers and 13 from finance companies. Most of the notifications concerned changes relating to providers of the shared payment infrastructure for banks, including Nets' sale of account to account services to Mastercard and the planned relocation of BankID’s operations, as well as changes relating to ’cash services in store’ (KiB). These notifications were also given in accordance with the requirements of the Act relating to Payment Systems on changes in or new payment services. Some of the notifications came from cooperating groups of banks on behalf of several banks. Extensive follow-up was required of banks' notifications concerning Nets' sale of account to account services to Mastercard.

System for payment services and payment institutions

Interface for trusted third parties

The Revised Payment Services Directive (PSD 2) sets requirements, elaborated on in Commission Delegated Regulation (EU) 2018/389, for interfaces that give payment agents and account information service providers, so-called trusted third parties (TPP), right of access to payment accounts belonging to customers of account servicing payment service providers. Account servicing payment service providers are required to ensure that TTPs are given such access. In 2020, Finanstilsynet was in close contact with account servicing payment service providers and TPPs and provided guidance on how the regulations should be understood. In June 2020, Finanstilsynet conducted a survey among all account servicing payment service providers to assess whether the interfaces met the requirements of the regulations. The responses revealed that the account servicing payment service providers still had some way to go, making it difficult for TPPs to start offering their services. As a result, the TPPs were exposed to financial risk and reputational risk in the market. Finanstilsynet is following up the entities.

Strong customer authentication

PSD 2 sets requirements, included in Section 5 of the Regulations on Systems for Payment Services, concerning strong customer authentication (SCA) when the customer logs into the payment account via the web, initiates an electronic payment transaction or takes action that may involve the risk of fraud or other abuse. Payment service providers were granted a deferral until 31 December 2020 to introduce SCA for e-commerce card payments. In 2020, Finanstilsynet obtained statistics from card issuers showing developments in the number of transactions and users for which SCA had been applied or where technical solutions were in place for applying SCA. Finanstilsynet provided information about the transition to SCA on its website and called upon card issuers to inform users about the transition and offer active user support during the transition period.

Fraud reporting

In 2020, Finanstilsynet received the first reports on fraud statistics in accordance with the requirements of PSD 2. The institutions reported the total number of transactions and fraudulent transactions for the second half of 2019 and the first half of 2020 in accordance with the pan-European specification in the guidelines issued by the European Banking Authority (EBA). Some of the results of the reporting for the second half of 2019 were published in Finanstilsynet’s Risk and Vulnerability Analysis 2020. Aggregated data was sent to the European Central Bank (ECB) and to EBA.

Risk reporting

Section 2 of the Regulations on Systems for Payment Services requires payment service providers to report to Finanstilsynet, at least once a year, an overall assessment of the operational and security risks associated with the provider’s payment services and of whether the measures taken by the provider are adequate. In 2020, Finanstilsynet published forms for such risk reporting, setting the deadline for first reporting on 17 February 2021. The reporting in 2020 was cancelled as a result of the Covid-19 pandemic.

Survey of cash services

In 2020, Finanstilsynet was commissioned by the Ministry of Finance to chart the banks' total range of cash services and assess whether trends in the offering of such services will require new measures or regulatory changes. Finanstilsynet was asked to exchange facts and assessments with Norges Bank. Feedback will be sent to the Ministry of Finance by the end of February 2021 and will form the basis for a review of whether the cash offering to Norwegian bank customers can be considered satisfactory across the country, or whether further regulation of the banks' duties may be required.

Relevant changes in the cash offering are the industry's launch of ‘cash services in store" (KiB) and the phasing out of banking services through ‘in-store postal outlets’ (PiB). KiB is a collaboration between Vipps/BankAxept and NorgesGruppen. All Kiwi and Meny stores will offer the service. It currently includes 1 437 user sites, which gives a coverage ratio of 98 per cent of Norway's population. Finanstilsynet collected information about cash handling services from relevant actors and sent questionnaires to all the banks with questions about their cash services offering. The banks responded by the end of 2020.

Risk and vulnerability analysis (RAV)

In its Risk and Vulnerability Analysis 2020 of financial institutions' use of ICT, presented in May 2020, Finanstilsynet points to observations and assessments made in the course of its supervisory activities. The report was presented at a press conference and is published on Finanstilsynet’s website.

Contingency preparedness

Finanstilsynet heads, and is secretariat to, the Financial Infrastructure Crisis Preparedness Committee (BFI). The BFI held three regular meetings in 2020. In addition, it called 13 additional meetings, primarily in March and April, to review the prevailing situation and measures related to the Covid-19 pandemic. The BFI thus ensured that it had an updated overview of how financial institutions, service providers and the authorities were handling the Covid-19 pandemic. Experience from the crisis shows that the key players in Norway’s financial infrastructure have good emergency response plans and can quickly implement measures. The BFI exercise in 2020 should have been participation in the civil national exercise Digital 2020 arranged by the Norwegian Directorate for Civil Protection (DSB), the scenario being an incident in the financial sector. The exercise was changed in consequence of the Covid-19 crisis and was thus little suited for BFI's participation. Finanstilsynet took part in the exercise.

In 2020, Finanstilsynet and Nordic Financial CERT (NFCERT) established regular monthly meetings. This is one of the steps taken to enable Finanstilsynet’s to fulfil its role as sectoral response body for that part of the financial sector for which it is responsible.

Norges Bank and Finanstilsynet initiated a cooperation in 2020 to establish a security testing framework for the Norwegian financial industry based on the TIBER framework (Threat Intelligence-based Ethical Red Teaming).

In 2019, Finanstilsynet became a partner at the National Cyber Security Centre (NCSC) and participated at regular status meetings at the NCSC in 2020, where the status report for the national digital threat picture is reviewed.

Licensing – payment institutions

In 2020, seven institutions were granted a licence to operate as payment institutions. Of these, four were licensed to provide the following two new payment services: account information services and payment initiation services. In addition, the licences of one payment institution and one electronic money institution were extended to include the two new payment services.

In the course of 2020, Finanstilsynet received six applications for a licence to operate as a payment institution/electronic money institution, five of which were received in the second half of the year. The applications of two of these institutions concern the two new payment services.

On 1 April 2019, a notification requirement was introduced for payment services that are exempted from the licensing obligation pursuant to Section 1-8 of the Financial Institutions Regulations. During 2020, Finanstilsynet processed a number of notifications from institutions pertaining to section 1-7 letter (k) nos. 1 and 2 of the Financial Institutions Regulations: exemptions for payment instruments that can only be used within a limited network or to acquire a very limited range of goods or services.