Row Over E2EE: Info Safety vs. Vested Interests

Finance Desk
Maziar Motamedi

A recent directive by the Central Bank of Iran aimed at enforcing long-gestating and overdue reforms to enhance the security of bank transactions is facing high-profile resistance. But why and what is at stake?

Last Friday, the regulator announced that as of Feb. 4, financial institutions will be prohibited from conducting card-not-present transactions lacking end-to-end encryption (E2EE) in order to safeguard the bank card information of customers.

But what has stirred controversy is the part asserting that transactions aimed at paying for mobile recharges will not be accepted and processed in the Shetab interbank and Shaparak payment settlement networks.

The directive effectively curbs transactions conducted over the Unstructured Supplementary Service Data (USSD) communications protocol, meaning that aside from a few payment service providers (PSPs) that hold a portion of the phone top-up market, major mobile carriers MCI and MTN-Irancell will face the biggest losses.

Shortly after the directive was publicized, the Communications Regulatory Authority with the Telecoms Ministry dispatched a letter to Nasser Hakimi, the head of CBI’s innovative technologies, calling on him to postpone the implementation of the directive for four months.

The missive, which also noted that Telecoms Minister Mohammad Javad Azari-Jahromi has personally negotiated the deferral of the directive, said 90% of mobile recharges and bill payments of mobile operators are conducted electronically while 50% of those payments go through the USSD gateways.

As that share rises to almost 100% in rural areas and small towns, “cutting off this service could limit the access of people and seriously challenge the business of mobile network operators”.

On top of that, 13 lawmakers sent another letter to Central Bank of Iran Governor Valiollah Seif, asking him to altogether scrap any restrictions on USSD as it apparently “strengthens Internet businesses” while a number of charity organizations rely on the method to attract donations.

According to Shaparak’s annual report for the previous fiscal year to March 2017, close to 20% of all e-payment transactions made in the whole year were aimed at paying public bills and purchasing mobile recharges, indicating a 7.51% year-on-year increase.

Furthermore, data by the International Telecommunications Union show that by the end of 2016, 62.2% of Iranian households had access to the Internet.

So, preventing the implementation of better safety measures by the central bank for fear of mobile operators and some others losing one of their revenue sources amounts to jeopardizing the information safety of millions of people.

Claims that E2EE would somehow hamper online businesses, or that risking people's bank card information is justified because charities would face hurdles, are not convincing reasons for its deferral.

  When Did It Start?

The central bank’s directive did not come out of the blue. The regulator has been working for years to prepare the ground for ensuring bank card information safety.

It created a specialized system called Peyvand to boost information safety and as of April 21, transactions made to pay public bills, which are currently exempt from being secured with E2EE, will be possible only through this system and by using mobile phone numbers instead of bank card numbers.

The regulator also put a 2-million-rial ($45) cap on buying top-ups and bill payment transactions two years ago to temporarily boost security.

CBI was partly prompted to do so when, close to six years ago, a former PSP C-level executive published the bank card information of three million Iranians on the Internet after fleeing the country to allegedly lay bare “mismanagement by executives” and “lack of commitment to banking and security standards”.

Even though that was an isolated event, the fact remains that if an entity or group manages to lobby for a delay or halt CBI’s directive, ordinary people are liable to feel the sting sooner or later.

  Response of CBI, Other Parties

At the time of writing, the central bank seems to be taking the matter in its stride, as Hakimi on Friday asserted that “using these unsafe platforms is no longer logical”.

“It is natural that some resistance may exist in this regard, but the central bank is ready to alleviate any uncertainties,” the CBI official also told Mehr News website.

Active industry players, including PSP leaders, have also unanimously welcomed CBI’s measure.

Masoud Khatouni, deputy for information technology and communications network at Bank Melli Iran, the country’s biggest bank, has said the directive should have been executed years ago while Sadeq Faramarzi, CEO of Iran Kish Credit Card Company—a PSP firm, and Karim Khamseh, chairman of the board at Pardakht Novin Arian PSP, have hailed it as a positive move.

Chief executives of other top PSPs, including those affiliated with Bank Melli, Bank Mellat and Bank Parsian, in addition to a host of electronic banking experts, have also voiced support for the CBI initiative. 

