Along with many other countries, Canada saw a precipitous spike in the use of and reliance on digital payments in the wake of the pandemic.
And while digital payment technologies were already a significant focus for businesses in the financial services sector before the crisis, the acceleration of these systems continues to raise unique issues for both consumers and companies.
In this article, we explore this trend and how organizations can adapt their strategies and develop a risk mitigation approach to seize opportunity and stay competitive in the evolving digital payments ecosystem.
Shifting to a cashless society
Consumer behavioural changes triggered by the spread of COVID-19, and the resulting shutdown of the physical economy, have accelerated pre-existing trends in Canada toward adoption of digital payments1. A recent Payments Canada study comparing consumer spending habits pre-COVID-19 found that at week five of the pandemic, 62% of Canadians were using less cash. The study also showed a dramatic increase in the use of e-transfers, PayPal and contactless payment apps for food delivery services such as Uber Eats and Instacart. A total of 42% of Canadians said they avoided shopping anywhere that did not accept contactless payments2.
For business transactions, the shift to widespread use of digital payments is here to stay. It is estimated that, as a result of COVID-19, by 2025, 67% of global transactions (by value) will be done digitally—a significant increase from the 57% previously estimated for that time period3.
While digital payment systems benefit both consumers (efficiency, consumer choice) and businesses (market penetration, access to valuable consumer data), they also come with privacy and cybersecurity risks that organizations need to be mindful of as they refine their digital payment and risk mitigation strategies to take advantage of the ongoing shift toward a cashless society.
Risks facing consumers
The move to online payments has coincided with increased instances of data breaches and cyber scams aimed at exploiting consumer data to perpetuate identity theft and financial fraud. Cyber criminals are taking advantage of the pandemic as a thematic lure or subterfuge for their malicious activities4.
For instance, one notable SMS phishing campaign claimed to provide applicants for the Canadian Emergency Response Benefit (CERB) with a link where they could access their benefits, but only once they divulged personal financial details5.
Key consumer-related risks associated with digital payments include:
- Increased risk of phishing and social engineering scams. Consumers new to digital payments may be at an increased risk of scams leading to identity theft and other forms of fraud. Phishing and social engineering scams have become more sophisticated, making them harder to spot—and therefore, more successful. In most instances, cyber criminals focus on real-time compromises of consumer devices or exploiting communication channels. For instance, a customer who has recently downloaded a digital payment app may not be surprised to receive a message asking for more information or directing them to further validate their account password as part of a two-factor authentication step. This makes them more likely to click on a link that installs data-stealing malware on their phone, or to type their personal information into a fraudulent website that looks nearly identical to a legitimate one.
- Insider threat. Instances of malicious insiders include current or former employees, vendors, or contractors who have misused their access or misappropriated other employees' credentials to mine an organization's data for personal gain. These insiders may sell the data to cyber criminals or use it themselves for fraudulent purposes6. While this risk has traditionally been difficult to detect even under normal business conditions, the rise of digital payments by consumers and businesses multiplies the risk of harm. Consumers may now share banking and other financial data directly with businesses that previously used intermediaries (or cash), or when seeking technical support for online payments, delivering new, highly valuable data to malicious insiders.
- Systems breakdown. The breakdown of part or all of the digital payment ecosystem due to a systems outage (e.g., technical or equipment failure), cyber-attack (e.g., zero day attacks), or natural disaster is always a risk. However, as more consumers rely primarily, or exclusively, on digital payments, the consequences of a service disruption could have much more significant consequences for individual financial transactions and for the Canadian economy more broadly. Such breakdowns could also expose customer data to cyber fraud and identity theft.
Risks for organizations
As they implement products and services within the digital payments' lifecycle, businesses must consider their risks and vulnerabilities.
- Data breaches. When businesses enter the digital payment space there is an increase in cyber-related threats in part because the volume, variety and sensitivity of information an organization may process is expanded. A business that relied on in-person transactions, or that has pivoted from wholesale to consumer service, may traditionally not have collected the sensitive personal data associated with digital consumer payments, and may be unprepared to adequately protect it. COVID-19 further compounds these risks because employees may be accessing sensitive payments data from personal devices or home Wi-Fi networks that are poorly secured in comparison to corporate IT infrastructure or using new tools that may not be vetted by corporate IT.
- Regulatory and related risks. Digital payments
bring with them new forms of data to which organizations may
previously not have had access, including transaction and consumer
behavioral data. Organizations need to ensure that they collect,
use, share, and safeguard such data in compliance with regulatory
and contractual obligations as well as industry standards. In
addition to privacy and competition law obligations, organizations
need to be mindful of whether they are required to comply with
industry-based regulations such as the Payment Card Industry
Data Security Standard, and/or contractual obligations by
financial institutions, payment card networks etc.
Organizations also need to prepare for upcoming changes in the regulatory landscape such as the federal government's proposed introduction of open banking in Canada (read our analysis on open banking reforms here). Failure to comply with one's regulatory obligations can result in consumer complaints to regulators or independently attract a regulator's attention, which in turn can result in regulatory penalties.
Québec, as part of its privacy reform, is proposing to impose monetary administrative penalties of up to $10,000,000, or the amount corresponding to 2% of the organization's worldwide turnover, for a variety of contraventions, including for failure to report a breach and processing of personal information in contravention of Québec's private sector privacy act.
- Litigation. Organizations are increasingly facing civil liability for failing to comply with their regulatory obligations, predominantly in the form of privacy and data breach class actions (for more on our analysis of privacy data breach related litigation risk trends, see our articles here and here). Compliance violations associated with sensitive consumer payments data are particularly likely to attract civil litigation.
Adjust your digital strategy to mitigate risk
Companies that see—and seize—opportunity in the current crisis to invest in proactive measures and build relationships of trust with their customers will fare best in this time of rapid transformation for the digital payments environment.
Companies that invest in prevention, detection, monitoring, and ongoing response to cyber threats will stand out amidst companies that merely try to ride out these changes without investing in their infrastructure or relationships. This may be the time to map your company's data flows, test your organizational infrastructure, identify weaknesses that fraudsters could exploit, and triage the plan for improving those systems.
It is also the time to undergo careful diligence on any third parties you partner with for payment processing, ensure you have contractual safeguards so that third parties remain accountable, and confirm that backstop measures such as cyber insurance, alternative data processors, and record keeping systems to address the risks associated with consumer payment incidents. It would also be timely to review internal cyber and privacy training plans and the frequency of refresher communications.
The current momentum in the adoption of digital payments offers an opportunity to build on existing relationships with customers and clients through communication and education on privacy and security.
- Explain the risks and make sure your customers are clear on how you will or won't communicate with them so that they can better avoid falling for scams.
- Remind consumers of the importance of creating difficult passwords and changing them regularly, and send out "calls to action" when passwords are changed.
- Consider creating a reporting service where customers can participate in helping to curb fraud by informing you of suspicious texts and emails they receive—Interac was able to take down 4,400 phishing sites that were fraudulently using its logo through this method alone7.
Businesses at the forefront of these changes will build enhanced trust with their customers and within the wider community, gaining a competitive advantage as they move to implement robust digital payment systems in their organizations.
1 Digital payments are a form of payment where the payer and payee use electronic modes to send and receive money. This can include online money transfer services like Paypal, contactless and online app-based payments, as well as digital wallets and digital currency exchange.
2 Payments Canada's May 13, 2020 Report.
3 Bain Analysis, Figure 2.
4 The Canadian Centre for Cyber Security noted in their June 2020 Bulletin that as of 27 April 2020, they are aware of over 120,000 newly registered COVID-19 themed domains, a large proportion of which was considered malicious or related to fraudulent activity.
5 See Canadian Center for Cyber Security's June 2020 Bulletin.
6 Even though negligent or error prone insiders also expose organizations to cyber risks (e.g., social engineering hacks—phishing, impersonation, business compromise fraud etc.), these types of insider risks are easier for organizations to address through a combination of training and robust information security systems.
7 See Interac's Report on Fraud Prevention.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.