National Security
Legislative Prevention of New Financial Technologies Threats (Законодательная профилактика правовых угроз новых финансовых технологий)

Pleshakova Ekaterina Sergeevna

ORCID: 0000-0002-8806-1478

PhD in Technical Sciences

Associate Professor, Department of Information Security, Financial University under the Government of the Russian Federation

125167, Russia, Moscow, 4th Veshnyakovsky Proezd, 12k2, building 2

espleshakova@fa.ru
Gataullin Sergei Timurovich

PhD in Economics

Dean of the Faculty of Digital Economy and Mass Communications, Moscow Technical University of Communications and Informatics; Leading Researcher, Department of Information Security, Financial University under the Government of the Russian Federation

111024, Russia, Moscow, Aviamotornaya St., 8A

stgataullin@fa.ru
Osipov Aleksei Viktorovich

PhD in Physics and Mathematics

Associate Professor, Department of Data Analysis and Machine Learning, Financial University under the Government of the Russian Federation

125167, Russia, Moscow, 4th Veshnyakovsky St., 4, building 2

avosipov@fa.ru
Bylevskii Pavel Gennadievich

PhD in Philosophy

Associate Professor, Department of Information Security, Financial University under the Government of the Russian Federation; Moscow State Linguistic University

125167, Russia, Moscow, Leningradsky Prospekt, 49/2

pr-911@yandex.ru

DOI: 10.7256/2454-0668.2022.6.39275

EDN: MRAOCI

Received by the editors: 29-11-2022

Published: 30-12-2022



Abstract: The subject of the study is the legal prevention of the use of computer and telecommunication technologies by criminals in new remote financial services in Russia. Growth in the variety and volume of attacks is inevitable, given the drive of fraudsters to obtain personal and confidential information. In recent years Russia has made significant progress in improving the infrastructure responsible for information security. The article is a comprehensive analysis of Russian legislation: an analytical review of the directions in which Russian federal legislation has developed in recent years towards preventive counteraction and the elimination of a number of conditions and preconditions for cybercrime in the financial sphere. Particular attention is paid to the jurisdictional aspects of Russian legislation. The government needs to prepare thoroughly to counter a range of unwanted cyber events, both accidental and intentional, since there are significant risks of local attacks and of losses resulting from the compromise of computer and telecommunication services. The conclusions contain final proposals for further improvement of the legislation, taking into account foreign and international experience. The main conclusion of the study is the productivity of singling out, within preventive activity, the direction of strategic prevention: the preventive identification and elimination of gaps in the regulatory framework, as well as of the technical and organizational vulnerabilities that make possible the various types of attacks and "schemes" used by cybercriminals in the financial sphere.


Keywords:

Information security, telephone fraud, social engineering, remote financial services, identification, personal data, computer crime, regulatory framework, legislation, phishing

The article was prepared within the framework of the state assignment of the Government of the Russian Federation to the Financial University for 2022 on the topic "Models and Methods of Text Recognition in Systems for Counteracting Telephone Fraud" (VTK-GZ-PI-30-2022).

Introduction

Strategic prevention consists in identifying and eliminating the vulnerabilities of remote financial services that are exploited for fraud, including the growing use of mobile phones by attackers. The conditions and preconditions that make such offences possible and facilitate them include a variety of organizational and technical tools that attackers modify and use for criminal purposes.

Counteracting cybercrime in the financial sector is a complex, multifaceted system task covering a wide range of diverse aspects, as noted by the participants of the meeting on the information security of the financial industry held in the Government of Russia on June 3, 2016. An important place in this activity belongs to strategic prevention: forestalling crime through the preventive identification and elimination of vulnerabilities, including legal gaps.

1. Legislative prevention of information threats of new financial technologies

The difficulty of developing legal tools against telephone fraud stems from the fact that amending individual federal legislative acts and adding new rules to them is not enough. Work on draft laws in the State Duma of the Russian Federation is already a rather complicated and lengthy process in itself, which has to take into account generalized banking practice, statistics on incidents and the damage caused, and the urgent needs formulated by practitioners. Numerous approval procedures must be carried out with the relevant departments and state regulators: the FSB of Russia, the FSTEC of Russia, Roskomnadzor, the Ministry of Digital Development of the Russian Federation and the Bank of Russia. Yet for a noticeable positive result, changing individual norms and laws is still not enough: as a rule, harmonization is required with related federal legislative acts and departmental regulations in various branches of law, including the Criminal Code of the Russian Federation, the Code of Criminal Procedure of the Russian Federation, and administrative and financial law.

The development of legal instruments underpinning new organizational and technical measures to prevent fraud in the financial sector committed with computer and telecommunication means is proceeding in several directions. For example, the main state regulator of the financial sector was empowered to block fake Internet resources out of court.

This required an amendment to Art. 46-1 of the Federal Law "On the Central Bank of the Russian Federation (Bank of Russia)", as well as to the Federal Law "On Information, Information Technologies and Information Protection" and the Civil Procedure Code of the Russian Federation (clarifying the list of information whose dissemination in the Russian Federation is prohibited). The Chairman of the Bank of Russia received the exclusive right to decide on blocking access to fraudulent web resources, websites of "financial pyramids" and imitations of the Internet services of banks and other financial organizations. As a result, in the first year in which the Bank of Russia exercised its new powers, about 2,000 fraudulent Internet resources were blocked without time being lost on coordination with the prosecutor's office and on court decisions.

The farthest "frontier" in applying legal instruments to prevent fraud, including fraud committed over voice communications and Internet access from mobile devices, is legislative regulation of the security of new financial instruments. Preliminary examination of their security, forecasting of threats and calculation of risks help to minimize, preventively and at the legislative level, the potential damage from intruders. In 2020, federal legislation was supplemented with a number of laws regulating new digital financial instruments [5], including aspects of their security.

Once a legal framework had been created for digital assets, online trading ("marketplaces") and the use of biometric data for simplified secure customer identification, the legislative support for the regulated legalization of cryptocurrencies in the Russian Federation and the start of issuance of the digital ruble came onto the agenda. Following the adoption of Federal Law No. 211-FZ of July 20, 2020 "On Financial Transactions Using a Financial Platform", five registered financial platforms, providing services only to individuals, were entered in the register of the Bank of Russia.

Federal Law No. 46-FZ of March 8, 2022 "On Amendments to Certain Legislative Acts of the Russian Federation" expands the opportunities of financial platforms by allowing legal entities and individual entrepreneurs to act as their operators. The list of goods and services offered by financial platforms will widen as operators apply the customer identification procedures prescribed by anti-money-laundering legislation.

New financial instruments widely discussed in the professional community include cryptocurrencies, digital money and, more broadly, the blockchain technologies used in the financial sector, i.e. decentralized distributed ledgers [2]. Amendments to Federal Law No. 86-FZ of July 10, 2002 "On the Central Bank of the Russian Federation (Bank of Russia)" expand the functions of the industry mega-regulator with respect to the issuance and circulation of the national digital currency. At the same time, such risks of "digital money" for the financial market as the creation of fraudulent "pyramids" are taken into account; they can be prevented by complying with the requirements of well-designed information security.

2. Preventive minimization of legal risks of digital money

The attitude of state regulators and legislators, as well as of domestic information security specialists in the financial sector, to cryptocurrencies can be characterized as critically constructive. Cryptocurrencies can serve as a tool for illegal financial transactions, including money laundering by telephone scammers and criminals of other profiles. Significant threats to Russian citizens and national interests from the use of cryptocurrencies come from cross-border crime, as well as from the special services of states unfriendly to Russia [4].

The use of cryptocurrencies whose issuers are hidden carries speculative risks and market and non-market threats of exchange-rate instability, including both overt and covert organized betting on a rise or fall. A negative example is Venezuela's state-backed cryptocurrency, the Petro: initially successful, its rate collapsed after US sanctions. The restrained position of the Bank of Russia on the legalization of bitcoin warned many millions of Russians against investing in this highly volatile financial instrument and spared them significant losses when its exchange rate fell.

At the same time, cryptocurrencies can serve as a tool for financial settlements and international transactions outside the control of the governments and organizations of countries that impose sanctions and take other unfriendly actions against the Russian Federation [8]. Significant opportunities are also seen in our country for the introduction of the digital ruble; accordingly, Federal Law No. 259-FZ of July 31, 2020 "On Digital Financial Assets, Digital Currency and on Amendments to Certain Legislative Acts of the Russian Federation" was developed with the participation of the Bank of Russia and then adopted by the State Duma of the Russian Federation. The legalization of cryptocurrencies is carried out under strict state regulation, in accordance with the principle of centralization of issuance, transactions, wallets, etc.

Given the monopoly of the Bank of Russia, the key state regulator of the financial sector, on the issuance of the "digital ruble", reliable protection of users requires that responsibility for the stability and continuity of the infrastructure of this new, "third form" of the national currency (alongside cash and non-cash money) be determined and distributed. Its technological and operational infrastructure is formed by connecting credit and other financial institutions, which will require regulation by by-laws. Corporate platforms for issuing digital assets have been created by Sberbank, Norilsk Nickel and Transmashholding.

The strategic directions for preventing telephone fraud, along with related and similar crimes committed with computer and telecommunication tools, include making the identification of legitimate clients of financial services more secure, especially when making payment transactions and money transfers. At the same time, the security of identifying users of financial services must be balanced against the convenience of the procedure, including the effort, time and other resources it demands [7].

Introducing simplified identification for remote financial services, which increases convenience for customers, requires particular forethought: close attention had to be paid to ensuring that the gain in comfort did not come at the expense of security [6]. The legislative framework for simplifying the identification of clients of financial services, developed in 2021, took into account the regulatory requirements for combating money laundering.

To this end, amendments were made to Art. 7 of Federal Law No. 115-FZ of August 7, 2001 "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism". Some of the changes concerned the possibility of exchanging banknotes or coins for an amount equivalent to no more than 40,000 rubles without client identification. For a larger amount, up to 100,000 rubles, as well as in case of doubt, simplified identification of the client or his representative by the number of his driver's license is provided for the organization carrying out the operation. Organizations conducting cash operations are given the opportunity to verify, through the Unified Identification and Authentication System (ESIA), the accuracy of the information provided by the client for identification.

3. Regulatory security of the use of biometrics in the financial sector

A technological solution that improves both the convenience and the security of identifying users of financial services is the use of citizens' biometric personal data. This new technical means of identification for obtaining financial services is in particular demand in remote regions of Russia, as well as among people with limited mobility and people with disabilities. However, as some vulnerabilities of the earlier identification methods are removed, it is necessary to foresee, assess and prevent the realization of the information security threats specific to biometric data [1]. This task falls, among others, on the shoulders of legislators.

The legal basis for wider use of the Unified Biometric System (EBS) in the provision and use of remote financial services was Federal Law No. 479-FZ of December 29, 2020 "On Amendments to Certain Legislative Acts of the Russian Federation". Work on the bill took two years, as it required numerous approvals from various federal executive authorities. The parties considered various aspects of the safety and security of the collection, transfer, storage and use of the biometric data of Russian citizens.

In the course of work on the bill, the originally intended areas of application of biometric data were expanded, from identification for opening bank accounts to concluding contracts for a wide range of financial services. In addition, biometric identification was extended to ordering and receiving state and municipal services [3]. The Unified Biometric System (EBS) acquired the status of a centralized official resource, and the network of points where citizens can submit their biometric data was expanded to include multifunctional public service centers. The state regulator of the financial sector, the Bank of Russia, was empowered to formulate requirements for the collection of biometric information by the various structural divisions of banks: branches, offices, operating cash desks, etc. Credit institutions with a basic banking license acquired the right to decide at their own discretion whether or not to transfer the biometric data they collect from citizens to the EBS.

The legislative innovations also affected commercial organizations that create and use their own biometric databases. They are still permitted to conduct such activities, but are required to obtain accreditation under the established procedure and to transfer the collected biometric data to the EBS. Control and supervision in this area were assigned, in addition to the Bank of Russia, to three federal executive bodies responsible for information security and personal data protection: the FSB of Russia, the FSTEC of Russia and Roskomnadzor.

In 2021, the EBS was given the status of a state information system at the federal level. Permission to connect to it was extended from banks to other financial institutions: non-credit financial organizations, insurance and investment companies, brokers, and operators of digital assets and marketplaces that carry out transactions with other types of property subject to regulation, control and supervision by the Bank of Russia. It became possible to provide financial services after identification through the EBS not only to citizens acting on their own behalf, but also to individuals acting as representatives of organizations and legal entities who are entitled to represent them without a power of attorney.

Numerous objections and criticisms were raised regarding the ability of banks to provide remote financial services in mobile applications and web services to new customers from January 1, 2022, identifying them by biometric data. Since many credit institutions had not had time to take the necessary organizational and technical measures, the entry into force of the new rule was postponed to September 1 of the same year. The entry into force of the requirement for state accreditation of organizations operating information systems that process citizens' biometric data for identification was postponed to the same date. The postponement was formalized in Federal Law No. 441-FZ of December 30, 2021 "On Amending Article 153 of the Federal Law "On Information, Information Technologies and Information Protection" and Articles 3 and 5 of the Federal Law "On Amending Certain Legislative Acts of the Russian Federation"".

In addition, citizens with a verified account in the state Unified Identification and Authentication System (ESIA) were given the opportunity to place their biometric data in the EBS independently, including through mobile applications. To confirm identity in this case, a biometric foreign-travel passport is required, which stores the holder's biometric data on an electronic chip.

Conclusions

Legislative support for the strategic prevention of telephone fraud and many other types of "high-tech" crimes and offences consists in predicting potential threats, in particular those associated with the introduction of new financial instruments, technologies and services. Foreseeing the related threats and measuring the risks, as far as possible, makes it possible to take informed decisions on the format in which such innovations are legalized, and to "embed" security tools and countermeasures against intruders into legislation in advance.

The direction of strategic prevention is also evident in the practical activity of legislators, an example of which is the legalization of digital money and blockchain technologies. This activity deserves further development and improvement in order to increase the effectiveness of preventive information security and minimize the legal risks of new financial technologies.

References
1.
2.
3.
4.
5.
6.
7.
8.

Results of the peer review of the article

In accordance with the double-blind peer review policy, the identity of the reviewer is not disclosed.

Subject of the study. The reviewed article "Legislative Prevention of Legal Threats of New Financial Technologies" is devoted to an analysis of the legislation and existing legal mechanisms for counteracting cybercrime in the financial sector. The author is convinced that crime can be prevented through the preventive identification and elimination of vulnerabilities, including legal gaps. It is precisely these problems that he investigates in his work.
Research methodology. Modern research methods, both general scientific and specific, were used in the course of the work. The methodological apparatus consisted of the following dialectical techniques of scientific cognition: abstraction, induction, deduction, hypothesis, analogy, synthesis, and the historical, theoretical-prognostic, formal-legal and system-structural methods of legal modelling, as well as the application of typology, classification, systematization and generalization. The application of modern methods made it possible to study the established approaches and views on the subject of the study, to develop the author's position and to argue it. The work combines theoretical and empirical information.
Relevance of the study. The relevance of the topic of the article is beyond doubt. The growth in the number of cybercrimes (above all those using mobile communications) in the financial sphere requires new legal mechanisms for ensuring security. The difficulties in developing legal instruments to combat telephone and Internet fraud are due to the fact that it is not enough to introduce amendments and new rules into individual federal legislative acts; special enforcement mechanisms are required. It is also important to note that legislative activity is a rather complicated and lengthy process, taking into account generalized banking practice, statistics on incidents and the damage caused, as well as the urgent needs formulated by practitioners. All these circumstances point to the importance and significance of timely legislative initiatives for counteracting cybercrime in the financial sector of the economy.
Scientific novelty. The topic of the article is not absolutely new for Russian legal science, but the aspect studied has elements of novelty. The author raises the question of information security when biometric personal data are used in financial services, noting not only the "convenience" side of this format of social relations but also forecasting possible risks and threats. Thus, the author writes: "A technological solution that improves the convenience and security of identifying users of financial services is the use of citizens' biometric personal data. This new technical means of identification for obtaining financial services is especially in demand in remote regions of Russia, as well as among people with limited mobility and people with disabilities. However, as some vulnerabilities of other, earlier methods of identification are removed, it is necessary to foresee, calculate and prevent the realization of specific information security threats characteristic of biometric data."
Style, structure, content. On the whole, the article is written at a high scientific level. The content of the article reveals the stated topic and includes, besides the introduction and conclusions, three substantive parts (1. Legislative prevention of information threats of new financial technologies; 2. Preventive minimization of legal risks of digital money; 3. Regulatory security of the use of biometrics in the financial sector). The material is presented consistently, competently and clearly. The author's conclusion deserves attention: that legislative support for the strategic prevention of telephone fraud and many other types of "high-tech" crimes and offences consists in forecasting potential threats, in particular those associated with the introduction of new financial instruments, technologies and services.
Bibliography. We believe that the author has studied an insufficient number of bibliographic sources on the topic of the study. Although the topic is topical and new, a number of works by domestic and foreign scholars have already been published.
Appeal to opponents. In his article the author refers quite correctly to the opinions of other scholars. All citations are accompanied by footnotes to the source of publication.
Conclusions, interest for the readership. The article "Legislative Prevention of Legal Threats of New Financial Technologies" meets the established requirements for works of this kind and is recommended for publication in the scientific journal "National Security / nota bene" (subject to revision of the bibliography and corresponding additions to the article). We believe that the article will be of interest to Russian and foreign readers engaged in comparative studies.