
The national cybersecurity review continues to escalate | Dong Junfeng: A brief analysis of the current situation and challenges of the "three pillars" of online payment security

Author: Tsinghua Financial Review

Editor's Note

Since the Cyberspace Administration of China issued a notice to remove the "Didi Chuxing" app, the national cybersecurity review has been escalating. Recently, the State Internet Information Office, together with relevant departments, revised the Measures for Network Security Review and solicited opinions from the public. The Draft for Comments states that operators holding the personal information of more than 1 million users must apply to the Cyber Security Review Office for a cybersecurity review if they go public abroad.

In recent years, the importance of online information security has been increasing. The February 2021 issue of Tsinghua Financial Review launched a cover topic of "Data Governance and Personal Financial Information Protection" to provide suggestions for improving data governance, strengthening information protection, resolving the dilemma of data security, and promoting the development of financial technology.

Text/Dong Junfeng

Chairman and President of Netlink Clearing Co., Ltd

With the rapid development of online payment, illegal acts such as the abuse of personal information and online telecommunications fraud occur from time to time, and payment security has gradually become a key issue of concern in the industry. Personal information protection, transaction risk prevention and control, and payment system stability are the "three pillars" of building payment security. This paper analyzes the current situation and challenges of the "three pillars" of online payment security, and puts forward suggestions for promoting the development of payment security.


At present, China is in a period of tackling tough problems in transforming the mode of development, optimizing the economic structure, and transforming the growth momentum. General Secretary Xi Jinping stressed at the 2020 Central Economic Work Conference that "we must base ourselves on the new development stage, implement the new development concept, build a new development pattern, take the promotion of high-quality development as the theme, deepen the supply-side structural reform as the main line, take reform and innovation as the fundamental driving force, and meet the people's growing needs for a better life as the fundamental purpose, adhere to the system concept, consolidate and expand the achievements of epidemic prevention and control and economic and social development, and better coordinate development and security." General Secretary Xi Jinping's important speech not only profoundly expounded the concept of promoting high-quality development, but also highlighted the overall balance between development and security, revealing that security is an important prerequisite for high-quality development, which has great guiding significance for the sustainable and healthy development of the online payment industry.


The important role of online payment in the development of the national economy

The booming online payment industry is one of the landmark achievements of inclusive finance in China

China's online payment transaction scale leads the world, and online payment models have developed in diverse ways. According to the Statistical Report on the Development of China's Internet Network, as of June 2020, the number of online payment users in China reached 805 million, accounting for 85.7% of all netizens; the number of mobile online payment users reached 802 million, accounting for 86.0% of mobile phone netizens. During the epidemic, the coverage of online payments expanded further. Emerging payment methods such as contactless payment and "pay online, deliver offline" have further expanded the customer base of online payment and reached rural users and elderly user groups. Online payment has become an inclusive basic financial service that residents cannot do without in their daily consumption.

Online payment services are the most important touchpoint and entry point for retail finance

Driven by the double growth of transaction scale and number of users, online payment has accumulated a large amount of information and data resources for commercial banks and payment institutions. In terms of customer acquisition, online payment is a necessary part of the transfer of funds in commercial activities, and commercial banks and payment institutions that provide online payment services have unique resource advantages in acquiring customers. In terms of customer retention, online payment is characterized by small-amount, high-frequency transactions; once users form a specific usage habit, they develop a path dependence and become loyal customers of the relevant institutions, so user stickiness is effectively guaranteed. In terms of keeping customers active, users leave payment trails in the payment process that contain important information such as transaction habits and consumption preferences, and commercial banks and payment institutions can profile users on this basis to provide them with personalized financial services. In recent years, financial institutions have continued to deepen user operations based on payment business and provide high value-added financial services. Online payment business has become an indispensable and important entry point for financial services.

High-quality and efficient online payment business promotes sustained economic recovery and high-quality development

Online payment guarantees people's livelihood consumption during the epidemic. During the epidemic period, traditional offline consumption scenarios such as catering and entertainment, supermarket retail and so on have been greatly impacted. At the same time, with its convenient, efficient and contactless characteristics, online payment supports the orderly progress of online consumption activities and plays a role in "making up" for people's livelihood consumption and economic development. The data shows that at the end of March 2020, the online payment transaction volume of the catering industry increased by 11% month-on-month; in the May Day holiday of 2020, the average daily transaction volume of online payment of some tourism platforms increased by 38% month-on-month, and the average daily transaction volume of some catering enterprises increased by more than 80% month-on-month.

The "Three Pillars" of Online Payment Security

With the rapid development of online payment, illegal acts such as the abuse of personal information and online telecommunications fraud occur from time to time, and payment security has gradually become a key issue of concern in the industry. General Secretary Xi Jinping stressed that "security is the guarantee of development, and development is the purpose of security". Payment security is an important guarantee for the orderly and healthy development of the payment industry, and personal information protection, transaction risk prevention and control, and payment system stability are the "three pillars" for building payment security. Personal information protection focuses on the collection, circulation, storage, use and management of users' personal information in each link of payment. Transaction risk prevention and control focuses on the joint prevention and control of risks in the payment industry, realizes the safe flow of payment funds, and is committed to protecting the people's "money bags". Payment system stability focuses on the safe production and operation of the industry's entire processing chain, improves the response efficiency of each link in that chain, and ensures that payment services are not interrupted. Only when the "three pillars" are stable and solid can we effectively ensure the long-term development of the payment industry.

Trends and challenges in the protection of personal information

The protection of personal information in China is in the ascendant

The introduction of the European Union's General Data Protection Regulation (GDPR) sounded the clarion call for personal information protection, and personal information protection has been raised to an increasingly important position. 2020 was a key year for the construction of China's personal information protection system: relevant departments frequently deployed a "combination punch" of measures to promote the construction of relevant laws and regulations, accelerate the rectification of industry chaos, and build a solid protective barrier for personal privacy and information security. In May 2020, the National People's Congress voted to pass the Civil Code of the People's Republic of China, clarifying that personal information is protected by law; in July and October 2020, the highly anticipated Data Security Law of the People's Republic of China (Draft) and the Personal Information Protection Law of the People's Republic of China (Draft) were successively released. China is establishing a set of institutional rules with clear rights and responsibilities that balances the interests of multiple parties and maintains a good ecology in cyberspace. At the same time, the central bank released the "Trial Measures for the Protection of Personal Financial Information (Data) (Preliminary Draft)" to solicit opinions and issued the "Technical Specifications for the Protection of Personal Financial Information", marking that the financial industry has officially entered the era of standardized personal information protection, which is bound to have a profound impact on the protection of personal information in the payment industry.

The high concentration of the network economy poses challenges to the protection of personal information

In recent years, China's network economy has developed vigorously, and new formats and models have emerged in an endless stream, which has played an important role in promoting high-quality economic development. At the same time, the market concentration of the network economy is increasing, and the concentration of market resources in the leading platforms is accelerating. Online payment is an important infrastructure for the network economy. These trends and conditions have brought profound challenges to the protection of personal information in online payment business.

Some market entities have used their dominant market position to forcibly obtain user authorization. China's current laws and regulations have made it clear that the consent of the information subject is required for the collection and use of personal information, and the Personal Information Protection Law of the People's Republic of China (Draft) also emphasizes that "personal information processors shall not refuse to provide products or services on the grounds that individuals do not agree to process their personal information or withdraw their consent to the handling of personal information". Even so, there are still cases where major applications (hereinafter referred to as apps) tightly bind user authorization to the provision of services. This may result in the personal information submitted by users in the online payment process being used against their will and beyond the scope they intended. In particular, some mainstream apps, because of their wide service coverage and large number of users, have become a "necessity", and their collection of personal information tends toward "overlord clauses", which should attract serious attention from all walks of life.

Significant results have been achieved in the prevention and control of payment transaction risks

All parties in the payment industry actively participate in the prevention and control of transaction risks. In accordance with the work arrangements of the Party Central Committee and the State Council on the special rectification of Internet financial risks, all parties in the payment industry, under the guidance of the People's Bank of China, actively prevent and crack down on telecommunications fraud, online gambling and other illegal activities, and cooperate with the public security organs in countermeasures against the black and gray industries, such as the "card breaking" campaign, to ensure the safety of the people's funds. In the process of digital transformation, payment market entities have strived to build a full-process, full-link intelligent risk control system, strengthened the application of new technologies such as big data and artificial intelligence, continuously improved the accuracy of risk identification and their intelligent decision-making capabilities, gradually formed a working mechanism for joint defense and collaboration, and achieved good results.

Clearing institutions play a special role in preventing transaction risks. In the payment industry, clearing institutions bear the heavy responsibility of preventing and resolving financial risks and promoting the compliant and healthy development of the payment industry, and they are an important part of the security prevention and control of payment transactions. Clearing institutions focus on developing an automated, intelligent and digital risk control system that supports regulatory technology, meets the demand for regulatory services and helps implement regulatory policies in the field of payment. The first is to ensure the safety of reserve funds: cooperating with regulators to monitor fund flows, identify risks such as misappropriation of funds and fraudulent transactions, track abnormal and suspicious transactions, verify the whereabouts of funds, enhance the effectiveness of reserve fund supervision, and ensure the safety of people's funds. The second is to support cracking down on illegal activities. Clearing institutions should establish a system of monitoring models focused on identifying new types of online violations and crimes, coordinate with all parties to maintain a closed-loop mechanism for risk disposal, help market entities avoid the risk of violations of laws and regulations by customers and related parties, and prevent the flow of criminal funds across institutions. The third is to establish a joint prevention and control mechanism. Clearing institutions cooperate with government departments and industry self-regulatory organizations to establish joint prevention and control mechanisms, enhance the ability to match and trace the capital chain across the entire network, and strengthen the crackdown on cross-network criminal activities.

Online payment transactions still face three major risk tests

As payment moves to mobile and online channels, the payment industry is facing greater cybersecurity threats. With the digital transformation of the payment industry, payment services are becoming more open and convenient, the speed of innovation in the payment field is accelerating, and the shift to online and mobile is obvious. Vulnerabilities that endanger system, network and application security are increasing, and the network security threats to Internet applications are more direct and prominent. Information-leakage risks such as database dumping ("dragging the library"), credential stuffing, and illegal crawlers are also more serious and more hidden, and network attacks such as hacker intrusion and fake identities have brought a severe test to the industry's network security prevention and control.

The incidence of online fraud cases is high and illegal transactions are intertwined, so there is a long way to go to ensure the safety of customer transactions and funds. In recent years, criminal methods such as telecommunications network fraud have continuously evolved; online crimes such as fake-order "brushing" job scams, online shopping refund scams, "pig-butchering" scams, and fraudulent loans have emerged in an endless stream, and criminal gangs have used various emerging technological means to hide the capital chain. The crime scenarios have extended from the original account theft and fraudulent transfer payments to online loans, false merchants, credit cards, wealth management and other fields. All kinds of criminal capital transactions are intertwined, and fraud risks, compliance risks, credit risks and other forms of risk are merging. The risk prevention and control situation is more complex and severe, and ensuring the security of customer funds and transactions has become the focus of prevention and control.

Online black industry crimes show a trend of industrialization, collectivization and specialization, and the challenges of risk prevention and control have escalated. In the online black industry, the upstream provides equipment and tools for committing crimes; the midstream is responsible for illegally obtaining and lending ID cards, mobile phone numbers, bank card numbers and other personal information of users; and the downstream launders money and sells stolen goods for telecommunications fraud, gambling and other criminal activities. The industry can even provide one-stop solutions such as data packaging, precision customization and technical crowdsourcing. The online black industry crime chain is developing in the direction of fine division of labor, flexible organization, and rapid circulation of funds, with stronger concealment and escalating risk confrontation, which makes cracking down on the whole chain more difficult.

The importance and challenges of a smooth payment system

A stable payment system is an important foundation for economic and social stability

As the "artery" of social capital turnover, the payment and clearing system is an important infrastructure supporting China's economic and social development. Its safe and stable operation bears on the convenience of daily life and the payment experience of the broad masses of the people, and affects the people's confidence in economic development and financial security. The meeting of the Standing Committee of the Political Bureau of the CPC Central Committee proposed to give full play to China's super-large-scale market advantages and domestic demand potential, and build a new development pattern in which domestic and international dual cycles promote each other. Promoting traditional consumption, cultivating new consumption, and promoting the in-depth integration of online and offline consumption formats are extremely important links in improving the domestic large-scale circulation system and expanding effective domestic demand. Online payment is an important payment method that allows people to consume and shop and allows small, medium-sized and micro enterprises to receive and pay funds, so the efficient and accurate processing of its business is of great significance to the normal operation of the domestic large cycle.

The development of payment business puts forward higher requirements for the smooth operation of the system

The increase in the scale of payment business requires the payment system to absorb it smoothly. With the rapid development of the payment industry, the scale of payment business has risen rapidly. In the face of rising transaction volume, all parties in the payment industry must make greater efforts to prepare system redundancy, reserve system resources, smoothly absorb the rising "water level" of payment transactions, and ensure the stable operation of the payment system across the whole network and every link.

Changes in payment business models require payment system adaptation and tuning. In recent years, financial security has been elevated to the height of national security, regulators have successively introduced regulatory policies to further regulate the innovative business of market entities, and the regulatory policies of the payment industry have shown a prudent and strict trend. Changes in the regulatory policy environment may have a greater impact on the business logic of market entities, which in turn will affect the system configuration requirements. All parties in the payment industry need to combine the impact of the regulatory policy environment on their own business, pay attention to and maintain the system capacity, processing logic, and operation in a timely manner, and achieve smooth operation of the system on the basis of maintaining business continuity. It can be said that the current system of the payment industry is in a state of deep coupling with business models and regulatory policies, and the challenges are unprecedented.

A few suggestions to promote the development of payment security for the better

The protection of personal information should not be limited to the legal level

With the development of legislation, personal information protection has received more institutional support, but there are still challenges outside the law in actual implementation. Establishing a three-tier governance structure of law enforcement supervision bodies, industry self-regulatory organizations, and market entities is conducive to effectively supervising and standardizing personal information handling on the basis of legal compliance, promoting the rational use of personal information, and protecting personal information rights and interests. First, strengthen supervision and inspection of the implementation of personal information protection. Personal information collection exists in all aspects of capital flow, and after the promulgation of corresponding laws and regulations, it is recommended that law enforcement supervision agencies pay further attention to whether payment market entities have "overlord clauses" for personal information collection and whether they have previously disposed of personal information improperly, and promptly stop such practices, so as to curb the risk of personal information abuse and leakage. Second, the payment industry self-regulatory organization can incorporate personal information protection into the construction of the industry standard system. For areas and special business scenarios that national laws and regulations have difficulty covering, the payment industry self-regulatory organization may, in light of actual business development, organize the formulation of industry standards covering the necessity of personal information acquisition, the scope of information collection, information processing methods, information storage and safekeeping, information destruction, and so on, and constrain market entities through industry standards, so that information collection is minimized, information processing is limited to what is necessary, and information destruction is timely. Third, payment market entities and clearing institutions can start from the design of business processes to improve the security of personal information. In 2020, the Netlink platform, in coordination with banks and payment institutions, launched an innovative one-stop signing function that lets users complete quick payment signing in banking environments such as bank apps, offline self-service devices, and offline outlets, so that users' personal information does not need to be transferred to payment institutions, reducing unnecessary information interaction and interface jumps, and improving personal information security.

Transaction risk prevention and control must strengthen industry coordination

With the advent of the digital payment era, the payment industry has entered a new period of development. In the face of new risk challenges, the whole industry should deepen consensus, enhance coordination, enforce strict prevention and control, and ensure the security of payment transactions through information sharing, industry collaboration, and legal punishment. First of all, the development of regulatory technology is a powerful lever for strengthening penetrating supervision. It is recommended that regulators increase the research, development and application of regulatory technology, explore digital regulatory technologies such as big data and artificial intelligence so as to counter technology with technology, improve regulatory efficiency, move the regulatory process forward, and strengthen the supervision of violations. Clearing institutions can give full play to their advantages in data and technology to provide underlying support for the development of regulatory technology. Secondly, industry collaboration is the key to making transaction risk control more intelligent. Through various forms of cooperation such as risk data sharing, model co-construction, and joint research and development, payment market entities can establish a full-process risk monitoring and identification system, improve the accuracy of risk early warning, strengthen real-time and quasi-real-time detection and handling capabilities, and achieve accurate crackdowns on illegal and criminal activities. Clearing institutions can play the role of industry hub and provide organizational coordination services for industry collaboration. Finally, joint prevention and control is the only way to deal with the industrialization, collectivization and specialization of the black industry. All parties in the payment industry should deepen cooperation in the field of risk control, expand the sharing of risk information, realize multi-dimensional correlation analysis of risk information, enhance joint research and judgment and the exchange of data clues, respond to changes in criminal methods in a timely manner, promptly adjust risk control strategies and models, and improve the effectiveness of collaboration. Clearing institutions can provide a centralized platform and unified interface for joint prevention and control to help optimize its cost and efficiency.

Connectivity is a key measure to ensure the continuity of payment business

With the increasing concentration of the online payment industry, the single-point risk of individual systems has become the main risk affecting the stability and business continuity of the payment system, and the interconnection of payment systems has become an important measure to solve the problem. Some institutions keep funds, transactions and data in a closed loop within their own systems, resulting in artificial separation and demarcation between payment systems. At the same time, as concentration in the online payment market intensifies, once the main institutions have problems, other institutions cannot provide services for the users and merchants in those systems, which may cause large-scale service interruptions, which in turn will lead to systemic financial risks and social unrest. In view of this, on the one hand, we should actively promote the diverse and balanced development of the online payment industry; on the other hand, we should promote interconnection between institutions, guide all kinds of payment market entities to open up their business authority to each other, build a shared network in which payment market entities participate equally and without differentiation, realize the all-round interconnection of online and offline transactions, and ensure that in the case of any payment tool service interruption, users and merchants can still enjoy continuous and stable payment services, protecting the rights and interests of consumers and taking good care of online payment as a national financial technology brand.

This article was published in the February 2021 issue of Tsinghua Financial Review and published on February 5, 2021, by Wang Yejun
