The Central Bank continues to tighten regulation of the MFI market

The Bank of Russia continues to tighten regulation of the microfinance market. Now the requirements for information security, data storage, collection and processing are increasing. This will require microfinance companies (MFCs) to invest more in IT infrastructure. Market participants warn that this could make it harder for clients to obtain loans.

The Central Bank has published a draft decree toughening the requirements for microfinance organizations (MFIs) in terms of information security. In fact, the regulator made clarifications to the previously developed document, Regulation of the Bank of Russia dated April 20, 2021 No. 757-P.

The document establishes more stringent requirements for storing information about incidents, improving the security of applications and infrastructure, and using cryptography for online loans. The Central Bank will accept proposals for the project until September 18.

Online loans are considered the most risky in terms of fraud. They account for about 80% in the total portfolio of MFI loans at the end of 2022, follows from the materials of the Central Bank.

Moreover, not only short “payday loans” (up to 30 thousand rubles for 30 days) were issued online, but also medium-term ones. One of the key advantages of online loans for consumers is precisely the speed of data verification, ease of application, and speed of decision-making and issuance. However, this is exactly what scammers used in their attempts to issue loans to other persons.

The requirement of the Central Bank is aimed at checking not the data themselves, but the sources of their provision, explains Elena Stratieva, director of SRO MiR. “Reporting will become tougher, compliance with the requirements will require additional costs on the part of companies,” she admits. But, says Ms. Stratieva, “this will not affect the advantages of the online segment in any way.”

However, there is another point of view. “Introducing the changes will require MFIs to shift their focus to the work of IT departments and, possibly, attract additional specialists. And this, in turn, may be the reason and justification for increasing the cost of loans,” notes Natalia Bunina, special adviser on corporate issues at Pen & Paper.

The growth of requirements for information security occurs against the backdrop of a general tightening of industry regulation (from July 1, the maximum rate on loans is 0.8% per day instead of 1% per day earlier, and the allowable amount of overpayments on a loan cannot exceed a coefficient of 1.3 instead of 1.5 ) and attempts by the IFC to find ways around new restrictions and new niches for earning (see “Kommersant” dated June 22).

Companies are reluctant to comment on the new norms and look at the prospects for another regulatory initiative for the sector with caution.

“MFIs will need to increase the level of information security maturity and strengthen the degree of data protection. Perhaps this will reduce the amount of fraud, but at the same time, there is a risk that clients will switch to illegal MFIs, where the procedure for obtaining a loan will be simpler, ”explains Alexei Akhmeev, head of the Moneyman information security department.

The costs of MFIs will increase significantly, Fedor Muzalevsky, director of the RTM Group’s technical department, believes. “Firstly, the annual pentest, which in the simplest version costs from 150 thousand rubles,” he explains. “Secondly, the conformity assessment according to ODU4 (not to mention certification), which costs from 1.5 million rubles. Thirdly, the transition from a simple electronic signature without special functions prescribed by these changes to cryptography (in fact, to domestic solutions) can cost even an order of magnitude more.

At the same time, Alla Khrapunova from the ONF “For the Rights of Borrowers” ​​is sure that the responsible MFIs of the market have already set up processes related to security: “The stage of equalizing requirements for all market participants is coming. A clear regulation of requirements in a regulatory document leads to the fact that their non-compliance is punishable by the use of supervisory response measures, up to exclusion from the register (see “Kommersant” of June 20)”.

Polina Trifonova, Maxim Buylov