Three things can happen when carrying a crate of eggs through a market with any number of people. You can trip yourself, collide with something or someone, or maneuver through unscathed.
Sure, the eggs can be saved in all three cases. Fragility and adversity do not automatically equal failure.
But because there is a high chance of that crate falling and causing an unsavory, costly splash, people do their utmost to prevent such failures.
The protocol in a market of eggs would consist of three rules. Individuals must carry their crates with utmost care AT ALL TIMES. They should maintain social distancing to avoid collision. Market managers must provide clear lanes with visible direction signs and without potholes, among other things.
You could apply these rules wholesale to our emerging fintech industry, where everyone carries their eggs in personalized crates.
Mobile technology brings the promise of seamless access to financial services. We trust trendy digital finance upstarts to be more tender and personalized to our fast-paced needs than we have ever been used to.
But once in a while, a reminder jolts everyone to a harsh truth: moving fast can break things.
Cowrywise’s customer scare
The first week of September was tense for Nigerian digital savings platform Cowrywise.
Funmi Oyatogun, an influencer popular in the travel and tourism segments of Nigeria Twitter, accused the company of paying lip service to recovering money stolen from her Cowrywise account.
When they responded to her lamentation after a few hours, the reply was received as tone-deaf and lacking in empathy.
On Tuesday, Cowrywise acknowledged their failure in communication in an announcement detailing the conclusion of the recovery. Oyatogun tweeted she had received her money and that her faith in the brand had been restored.
Yet, three talking points stand out for current and prospective consumers of digital finance products.
Vigilance, the first line of defense
Cowrywise believes Oyatogun’s account was accessed by someone who knew her login details. To avoid alerting her to the breach, this person supposedly accessed her email account and deleted the post-transaction message Cowrywise sends to customers after each transaction.
Neither party has confirmed that this was indeed how the funds were stolen from Oyatogun’s account, but it points to a core requirement for using digital finance apps.
Bothering about passwords and PINs became a feature of our lives with the advent of ATMs. Until they were introduced, a customer practically handed money over to bank tellers and went to sleep. With digitization, the responsibility for keeping accounts safe has increasingly become shared between bank and customer.
We should expect this to continue as financial services become more digital. The more we move away from the idea of “strongman” banks with impenetrable walls and physical edifices towards mobile-first services, the more each customer will have to be strong for themselves.
There’s simply no shirking this personal vigilance as the first condition for using digital finance apps. You are your first chief security officer, and maybe it should be emphasized more by fintechs even as they promote easy clicks and revolutionary customer experience.
Cowrywise sends a push notification and an email after a transaction has been completed. They encourage customers to turn the former on and look out for the latter.
But would it be helpful to send a one-time password to customers’ mobile phones before large withdrawals are completed?
It would add an extra layer of protection for users because SMS is not as easy to hack as emails are. Multiple authentication requests can be pesky when you feel very familiar with a service. But they are like regular safety drills; you may never need to put the practice into action, but it will be worth it if you ever do.
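A sketch of what such a check could look like, added here as an illustration and not Cowrywise's code: a withdrawal at or above a threshold is held until a one-time code sent to the customer's phone is entered. The threshold, expiry, attempt limit, class name and `send_sms` callback are all assumptions made for the example.

```python
import hashlib, hmac, secrets, time

OTP_THRESHOLD = 50_000    # assumed: withdrawals at or above this need a code
OTP_TTL_SECONDS = 300     # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3          # assumed: guesses allowed before the request is dropped

class WithdrawalGate:     # hypothetical name, for illustration only
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callback(phone, message), supplied by the caller
        self._clock = clock
        self._pending = {}          # request_id -> stored challenge

    def _digest(self, key, otp, account, amount, destination):
        # Bind the code to this exact withdrawal so it cannot approve another one.
        msg = f"{otp}|{account}|{amount}|{destination}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def request(self, account, amount, destination, phone):
        if amount < OTP_THRESHOLD:
            return "approved", None
        otp = f"{secrets.randbelow(10**6):06d}"
        request_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._pending[request_id] = {
            "key": key,  # the code itself is never stored, only its keyed digest
            "digest": self._digest(key, otp, account, amount, destination),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        # The message names amount and destination so the customer sees what it approves.
        self._send_sms(phone, f"Code {otp} authorises withdrawal of {amount} to {destination}")
        return "otp_required", request_id

    def confirm(self, request_id, otp, account, amount, destination):
        ch = self._pending.get(request_id)
        if ch is None:
            return "unknown_request"
        if self._clock() > ch["expires"]:
            del self._pending[request_id]
            return "expired"
        ch["attempts"] += 1
        candidate = self._digest(ch["key"], otp, account, amount, destination)
        if hmac.compare_digest(candidate, ch["digest"]):   # constant-time comparison
            del self._pending[request_id]                  # single use: no replay
            return "approved"
        if ch["attempts"] >= MAX_ATTEMPTS:
            del self._pending[request_id]
            return "locked"
        return "rejected"
```

Because the code is tied to the amount and destination, a code issued for one withdrawal does not approve a different one, and a used or expired code is refused.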
There are multiple ways to unlock and authorise access to devices these days – PINs, passwords, face scans and fingerprints. Digital finance startups should consider tapping into more of the biometric identifiers to ensure transactions are sanctioned by authorised persons only.
The challenge is for companies to integrate these features without turning them into channels for harvesting personal data.
Banks remain core to fintech’s guarantee
To prove their security capability to customers, fintechs flaunt their PCI DSS (Payment Card Industry Data Security Standard) compliance. They call it “bank-grade security.”
Every Nigerian fintech requires users to sign up with a bank verification number, which presupposes that potential customers must first own a bank account. BVN is arguably the most important innovation in Nigeria’s financial system over the past two decades, and continues to be a leading tool for shaping the system.
This is useful for a sense of perspective, especially in conversations around the fintech vs bank wars.
In the particular instance of Cowrywise and Oyatogun, the recovery was possible because a lien was placed on the accounts where her money had been transferred.
It required the involvement of law enforcement, yes, but the digital trackers of the banking system made it easy to define the intruders’ identities and locations.
Maybe the fintech revolution will eventually sweep banks away. For now though, they remain the backbone on which the upstarts build their bragging rights.
But as with any other system, backbones are fragile too, as reports of possible breaches at banks show us. Maybe we need this consideration to keep us all sober about digital security in the middle of the fintech high.