A fast-growing ecosystem, Brazil’s fintech sector will likely face increasing cybersecurity costs in the coming years as digitization moves forward.
By almost every measure, the evolution of digital banking in Brazil during the pandemic years has been massive. Throughout the country, fintechs have included millions in the financial system. The quick adoption amid lockdowns drove the ecosystem further, with fintechs reporting a 66.1% growth in the number of companies in the past two years, from 464 startups to 771.
In the meantime, regulation has progressed, paving the way for new business models to emerge. The central bank has successfully rolled out the instant payment system Pix, which as of last month, surpassed the 1 trillion reais threshold in monthly transactions, or roughly $200 billion. Open finance also opens the door for increased data sharing among institutions.
With those numbers in sight, the need to strengthen cybersecurity has been an increasing concern for fintechs, more so in the face of new regulation which makes them accountable for certain scams. This growing risk is leading companies to allocate resources to security as Brazilians turn to digital banking.
Scams proliferated in Pix
Indeed, new means of payment, such as Pix, have brought several advantages to the population. But despite its enormous gains, the transition has not come without bumps. Scams related to Pix have increased since its launch, with criminals taking advantage of its convenience to commit fraud.
“In the wake of this evolution, fintechs have been investing more and more in cybersecurity,” Diego Perez, President of ABFintechs, said. “The ease with which we make transactions today needs to be secure, both for users and companies.”
With the advent of digital banking, the mobile phone has become a gateway into financial accounts and payments. Data from a survey carried out by cybersecurity company PSafe showed 844,821 attempted attacks involving Pix from January to June of this year, up from 65,433 in the year before, CNN reported.
“This consolidated power of mobile as a financial management tool greatly increased the attractiveness of illegally obtaining and diverting customer funds,” Carlos Augusto de Oliveira, a fintech board member at Bossa Nova Investimentos, said to Fintech Nexus. He added that the lack of cybersecurity awareness among the newly banked also makes them a clear target for social engineering.
Fintechs focus on cybersecurity and awareness
The largest fintechs in Brazil have already taken measures. C6 Bank, one of the largest digital lenders in the country, released the so-called “Safe Locations” security check. This allows the customer to withdraw holdings only if the mobile phone is in an authorized region, such as the client’s home. It has also incorporated facial biometrics when authenticating transactions that could permanently disconnect a device if an unfamiliar face is tested. One of its competitors, Nubank, recently launched “SOS Nu” for its roughly 70 million clients in Brazil, an online platform to address security-related events.
“There is a need for Brazilian fintechs to increase cybersecurity investments,” Aylton Gonçalves, a Senior Associate at BBL Advogados specializing in banking and fintech, told Fintech Nexus. “Technological advances create new risks for these companies, and cybersecurity professionals are now in high demand by fintechs.”
The Brazilian banking sector has traditionally been ahead of the curve regarding cybersecurity. According to the banking association, banks invest around 3 billion reais annually, amounting to 10% of banks’ total technology budget. Still, estimates point out that scams can cause losses of 2.5 billion reais (roughly $0.5 billion) this year, of which 70% would originate from Pix.
A challenging environment
“As (Nubank) operates in a challenging environment in terms of cyber threats, it continuously invests in controls and technologies to defend against these threats,” executives from the digital bank noted in a securities filing. “IT risks, including cyber risk, are a priority area for the company. Thus, there is a dedicated structure.”
Yet, in the case of smaller-sized fintechs, the need to increase cyber spending could be hefty for strained pockets. Companies must hire sought-after professionals and make financial efforts to build a solid operational cybersecurity structure.
According to a report by the Inter-American Development Bank, just 3% of fintechs in Latin America had some kind of cyber insurance as of last year. In contrast, almost half had not yet defined a framework to respond to incidents. However, 80% identify cyber-attack as a threat to their business.
Regulatory risks
The risks of neglecting cybersecurity spending are not only reputational but also regulatory.
“All authorized institutions must keep daily records detailing occurrences of fraud or attempted fraud, including the corrective measures adopted,” Gonçalves said.
More recently, facing growing concerns related to Pix, the central bank of Brazil announced new regulations for financial institutions related to fraud and scams. Under these rules, which should be in effect as of January, entities are held accountable whenever fake accounts are opened to conduct fraud.
Related:
- Brazil’s central bank to tighten onboarding security as Pix frauds proliferate
- In Brazil, Pix reaches 1 trillion reais in transactions per month
- Open banking regulation to boost LatAm fintech growth
To mitigate this, large fintechs in Brazil have pushed awareness campaigns to prevent losses, explaining how best to treat financial and personal data.
“Brazilian regulation aims to protect us from scams, invasions, and data kidnapping, known as cybercrime,” said Perez. “In addition to these regulations, LGPD (General Data Protection Law) compliance management, enacted in 2020, encourages fintechs to invest even more to prevent data leaks, among other frauds.”