Summary of ECLAC Caribbean DFS outputs (2014-2017) 

Report on ITU/ECLAC/TATT 2016 workshop; Exploring Innovation in Transactions & Financing in Caribbean

 

 

The Economic Commission for Latin America and the Caribbean (ECLAC), subregional headquarters for the Caribbean, is pleased to transmit for your attention, (LC/CAR/2017/11) entitled “REPORT OF THE SEMINAR ON SCIENCE, TECHNOLOGY AND INNOVATION FOR SUSTAINABLE DEVELOPMENT- EXPLORING INNOVATION IN TRANSACTIONS AND FINANCING IN THE CARIBBEAN” from the meeting convened in Port of Spain, 1-3 June 2016.

 

Below is a listing of the various DFS outputs produced by ECLAC from 2014 – 2017

=============================================================================

ECLAC Publications and Resources in “Digital Financial Services”

2014

2015

 

Digital currency and mobile money solutions are components of new industry classifications referred to as Financial Technology (FinTech) and Digital Financial Services (DFS).

2016

This report examines the usage of digital currency technology in the Caribbean subregion with a view to drawing attention to the opportunities and risks associated with this new phenomenon. It discusses the broader context of an emerging activity at the global level and considers how this technology could address subregional deficiencies in the electronic payment infrastructure. The report also discusses mobile money solutions, and the relationship of that technology to digital currency.

 

The workshop is co-organized by the International Telecommunication Union (ITU) in partnership with the Telecommunications Authority of Trinidad and Tobago (TATT) and the United Nations Economic Commission for Latin America and the Caribbean (UNECLAC).

 

Its primary purpose is to provide Caribbean stakeholders from various sectors with interactive sessions along the theme of utilizing technology innovations towards the goal of improving financial transactions and financing arrangements.

 

 

Report of the seminar on science, technology and innovation for sustainable development – Exploring innovation in transactions and financing in the Caribbean (LC/CAR/2017/11) 

 

 

Event video recording

2017

 

Caribbean countries have been seriously impacted by the trend toward “de-risking” in the global financial system, and this is damaging to their economic security and the ability of Caribbean businesses to innovate. De-risking is the name given to the tendency of banking institutions to turn away from working relationships and lines of business for which the cost of regulatory compliance—and the risk of non-compliance— is deemed to be too high in comparison to the returns.

 

This is a phenomenon that is affecting developing economies around the world, but the small and vulnerable economies of the Caribbean have been hardest hit.

 

 

 

The primary purpose and objective of this workshop is to continue providing Caribbean stakeholders from various sectors with interactive sessions along the theme of utilizing technology innovations towards the goal of improving financial transactions and financing arrangements.

 

 

Programme & Presentations available from link above

 

 

Event video recording 

 

Are Caribbean Cybercrime Bills based on flawed model law? (June 2015)


***This article was originally published in June 2015 via The Trinidad Guardian & TechnewsTT. It is being republished given the reading of the Cybercrime Bill, 2017, into Parliament on 5th May 2017.***  

I previously presented a partial analysis on the Trinidad & Tobago Cybercrime Bill 2014, entitled “T&T Cybercrime bill demands multi-stakeholder input” which can also be found on my website www.pinaka.co.tt/publications. Within this analysis, some light was shone on perceived problems with outputs of the Harmonization of ICT Policies, Legislation and Regulatory Procedures in the Caribbean (HIPCAR) and Electronic Government for Regional Integration Project (EGRIP) model law exercises. Several Caribbean nations have subsequently used the HIPCAR and EGRIP model laws to develop their proposed cybercrime legislation.

A subsequent Council of Europe discussion paper from December 2014, entitled “Cybercrime Model Laws”, has come to light; it examines the various cybercrime outputs from model law exercises in the context of the Budapest Convention. The Budapest Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing particularly with infringements of copyright, computer-related fraud, child pornography and violations of network security.

In this discussion paper, the importance of having proper model law upon which to base legislation development is explained by the author, Zahid Jamil, Barrister-at-law. The paper goes further to explain the problems of developing legislation based on poor model law by describing the situation in which states may find themselves when seeking international cooperation:

Thus, poorly drafted and divergent model laws can cause countries to enact cybercrime legislation with gaping lacunas whilst at the same time criminalizing and labelling conduct as cybercrime which other countries (especially many members to the Convention) from whom they may seek cooperation would never view as cybercrime.

The paper is also very critical of the methodology adopted in carrying out some model law exercises. For example, in summarizing the methodology employed in the ITU run @CP-ICT Programme which resulted in three model law exercises including HIPCAR, the paper states:

The Models largely appear to have been prepared through input from participants at workshops rather than representatives or experts with an official mandate from State parties and have not received any official assent from the general body of the ITU.

Of interest to the Caribbean, the paper includes analysis and discussion of the HIPCAR and EGRIP model law exercises and highlights significant problems with not only the methodology but also the eventual outcome of these exercises. For example, specific to the HIPCAR model law output, the paper highlights various deficiencies, continuing:

Its greatest challenge, however, stems from its deviation and attempts to improve upon the language of the Convention (Budapest Convention) whilst inserting unique new offences within the scope of cybercrime, the language of which border on technical and legal absurdities.    

The question which comes to my mind at this point is: are there any instances of problematic model law clauses which have been subsequently incorporated into actual Caribbean cybercrime legislation? In performing analysis on the HIPCAR model law, the paper cites several instances of ‘invention of offences’.  Among these is one item in particular concerning illegally remaining on a system:

It attempts to invent an offence of “Illegal Remaining” which relates to conduct after the initial illegal access of the computer system. The offence considers the conduct of remaining logged in by the offender without any further action or consequence to be an aggravated offence of illegal remaining.

Subsequent analysis of the Trinidad and Tobago Cybercrime Bill, 2015, reveals clause 6, which speaks to an offence of illegally remaining on a system as described above. Hence, is Trinidad and Tobago considering the creation of an offence which is inconsistent with international best practice? There are some other instances of problems with the HIPCAR cybercrime model law, as cited within the paper, which seem to have been subsequently integrated into our cybercrime legislation; however, I leave this up to others to explore and comment.

Is this kind of deviation from international norms a legitimate concern?  There may very well be legitimate reasons for these deviations, but it is incumbent upon the Government to explain same. The question also arises as to which other Caribbean states may have issues with their proposed cybercrime legislations based on HIPCAR and EGRIP exercises?  The paper cites that the EGRIP model law is even more divergent and problematic than the HIPCAR model law and highlights the case of Grenada which needed to remove certain EGRIP derived clauses from its cybercrime legislation.

In my previous July 2014 article I commended the efforts of Dominica to go beyond the HIPCAR and EGRIP model law efforts in seeking out assistance from the Council of Europe, OAS and Commonwealth Secretariat to review their proposed cybercrime legislation and ensure compliance with the Budapest Convention.  Is this the solution which other Caribbean states should be exploring?

At this juncture, when we debate the future of our own cybercrime bill, I again make the call for better stakeholder engagement in the development of this legislation and maybe even a review in light of the findings of this paper.

Additional food for thought…  

What about the other laws within Trinidad & Tobago’s e-Legislative agenda which were derived from the HIPCAR exercise?  

Do the methodology problems found in the HIPCAR cybercrime model law exercise extend to these other model laws as well? 

How sufficiently differentiated is our e-Legislative agenda from the HIPCAR model laws?

The Need for Developing a Cyber Security Ecosystem of Professionals

Snapshot showing Caribbean ‘attack’ activity from Norse

 

Over the period 6th and 7th February, 2017, it was my honour and privilege to participate in, and make contributions to, a closed expert group meeting to assess future threats as executed by a national intelligence agency. The following is the paper I presented on developing cyber security capacity to meet future challenges.

 

Introduction

 

The cyber security implications of technological advancements such as the Internet of Things (IoT) or smart technologies, along with the possibility of cyber warfare and the realities of cybercrime, are thought-provoking areas around which intelligence agencies must develop threat awareness. However, a more significant threat which will affect the cyber security of Trinidad and Tobago over the next five years is the lack of an environment which can stimulate and foster the growth of local cyber security professionals.

Indication of such a deficient environment can be gleaned from the examples below.

  • At a government agency with responsibility for implementation of the national strategy towards Information and Communication Technology (ICT), a senior position with responsibility for cyber security has been vacant since 2010.
  • At “M4 an event by Microsoft” held in Nov 2014, Mr. Roberto Arbelaez, Chief Security Advisor for the Americas at Microsoft, stated that he knew many world class Information Security professionals of Trinidadian heritage. However he went on to state that unfortunately they all worked outside of Trinidad and Tobago.
  • At a 2016 Christmas dinner event for an association of lawyers, a prominent lawyer lamented that Trinidad lawyers, having opted not to pursue continuing education, were lacking in areas of increasing import including cybercrime[1].

While this may be considered anecdotal evidence, the lack of attention to cyber security does not allow for formal research to provide proper evidence on the state of cyber security locally.

 

Cyber security ecosystem of professionals

Within their research, Thomas et al. illustrate the cybercrime underground economy as a complex ecosystem of actors within a value chain where profit centres are built upon underlying support infrastructure. This allows criminal entrepreneurs to devise scams by procuring the necessary resources à la carte, taking advantage of specialization and economies of scale, and resulting in a web of interactions which potentially span the globe. One can argue that such a criminal ecosystem, like many other cyber security threats, can only be disrupted by an equally powerful cyber security ecosystem of professionals.

 

 

In their paper “Framing Dependencies Introduced by Underground Commoditization”, Thomas et al illustrate the value chain relationships between various entities to scam victims as potentially spanning the globe

What response can Trinidad and Tobago provide to the threat of cybercrime? Working in our favour we do have efforts to bolster the capacity of the cybercrime unit of our law enforcement arm and there have been several attempts to address lacunas which exist in our existing legislative framework to address cybercrime. Additionally, Trinidad and Tobago is progressing in the development of a CSIRT and can boast of participation in regional efforts coordinated by international bodies such as the Commonwealth Secretariat (ComSec) and the Organisation of American States (OAS) towards addressing cyber security deficiencies.

However, in pronouncing on the results of five regional cyber security needs assessment exercises at the Caribbean Stakeholders Meeting; Cyber Security and Cybercrime, in April 2016 (CSMII), ComSec bemoaned the fact that there still exists a lack of awareness on cybercrime and lack of basic cyber hygiene within the private sector and within regional governments. The Commonwealth Telecommunications Organization also cited a lack of human resources and political support as challenges towards the implementation of cyber security strategies.

Close observation of the availability of opportunities to work on the development of cyber security regionally would reveal a predominant approach where international bodies work exclusively with assigned public sector employees.  Given the highly sensitive nature of the work involved in cyber security, such an approach is expected; however at a national level we may be missing out on opportunities for broader capacity development when such opportunities arise or when training occurs.  For example, a representative of a multinational which routinely provides cyber security capacity building exercises to law enforcement across the globe previously divulged that suitably qualified private sector experts can participate in these exercises if they are appropriately recognized by law enforcement personnel.

Hence, a more inclusive approach needs to be found to ensure that a national pool of talent, at all levels, is being developed today to address unknown future needs.  The status quo will forever bind us to a dependency upon the importation of expertise or hopefulness towards the return of qualified diaspora who wish to contribute to developing cyber security.  The up-skilling of a national pool of experts also presents Trinidad and Tobago with opportunity in providing exportable resources both regionally and internationally as others seek to develop cyber security.

Beyond the need for a coordinated approach to develop a cyber security pool of talent, there seems to have been an emphasis on getting legislation in place while the technical controls, which can actually prevent threats from becoming exploited, are not given due attention.  This position was also articulated by Mr. Arbelaez, at the Caribbean Stakeholders Meeting (CSMI) in May 2014.

Are we lagging behind regionally?

 

Awareness, capacity development and technical controls are all areas which require attention to adequately build threat response capability over the next five years and there is much we can learn from our own Caribbean neighbour, Jamaica.  Having delivered presentations in November 2016 at three conferences in Jamaica as hosted by the Jamaica Computing Society, UWI Mona (4th National Cyber Security Conference) and the Jamaica Bar Association (Continuing Legal Education)[2], I can personally attest to a comparatively more mature response towards cyber security.

Presented on UN ECLAC sponsored research into opportunities and risk of digital currency within the Caribbean at the Jamaica Bar Association, Continuing Legal Education, Annual Week-end Conference 2016

 

Such fora have been productive towards supporting and encouraging local capacity development of technical capabilities in the private sector and building public awareness on cyber security.   At Jamaica’s 3rd National Cyber Security Conference in 2015, the audience was challenged to consider cyber security as an opportunity for the growth of an industry and economic development, rather than a threat, in the same vein as highlighted above.  It is interesting to note that these fora also exemplify what a cyber security professional ecosystem should look like with active participation from technical professionals, policy/regulatory/legal professionals, academics and civil society.

Moving forward

 

We need to ask some difficult questions if we are to position ourselves to cope with future cyber security threats:

  • Can we define whether a community of experts focusing on cyber security exists in Trinidad and Tobago; and if yes, who are the persons comprising this community?
  • Is this a formal community or a loosely defined community which comes together temporarily during exercises such as this one?
  • Does its membership lean towards greater participation from the public sector or the private sector?
  • Is there recognition that private sector interest from a Small Medium Enterprise (SME) is not the same as the private sector interest of a large commercial entity?
  • How are potential candidates encouraged to contribute within this community?
  • Is the community comprised in such a way that both fresh ideas and a wealth of experience are expressed in deliverables?
  • Do the participants of this community come from different professions, backgrounds and skill sets?
  • Can such a community adopt value chain relationships to be transformed into an active ecosystem[3] of professionals seeking to promote national cyber security?
  • Can this forum be the catalyst in the formation of such an ecosystem?

 

 

Recommendations

 

In conclusion, the following recommendations can be put forward for consideration in the development of the aforementioned ecosystem of professionals:

 

  1. Cyber security must be given recognition as a field of specialization and not be simply lumped under ICT. Such recognition should extend to the appointment of a national champion to oversee the development of cyber security locally.
  2. Establish a national consultative body for cyber security which can serve as a sounding board for various plans towards developing cyber security. The membership of such a body cannot be exclusively comprised of public sector employees and large corporate entities.  It must include cyber security focused SMEs.  This formal body will lead to the formation of the informal cyber security ecosystem of professionals.
  3. Encourage participation from the private sector in local and regional meetings being facilitated by the aforementioned international bodies, for example ComSec and OAS. Appropriately qualified entities from this set should also be invited to participate in the training and capacity building exercises arising from such meetings.  Support for such entities should include financial assistance to participate.
  4. Assessment of institutions which are deemed critical infrastructure as well as key Ministries and agencies. The organizational structure of these bodies should reflect cyber security maturity extending to the roles and responsibilities of key personnel dedicated towards cyber security. A comprehensive set of Information Security policies and audit mechanisms also needs to be defined for such organisations.
  5. Information Security Governance training needs to be administered to boards and senior management of various key organisations. Additionally, Information Security Awareness training needs to be administered for the general population of employees.
  6. Alignment between the academic institutions, the national development needs scholarship system and the intake of graduates into the public and private sectors needs to take place to ensure that Information Security professionals are being developed academically and professionally. There also needs to be coordination with corporate entities towards the creation of funding for cyber security research.
  7. The Government needs to facilitate the creation of opportunities within the private sector to build and develop competencies which they can call upon in the future. We need security researchers, writers, lecturers, practitioners, policy makers, legal specialists and technical experts to name but a few. The government must lead by example and procure services from fledgling entities seeking to provide services in cyber security.
  8. Information Security awareness training needs to be conducted extensively within the primary and secondary school system.
  9. Take advantage of training and capacity development exercises from international bodies and multinational corporate entities to up-skill the national pool of experts (public and private sector) towards the goal of developing cyber security for economic development.

 

[1] CNC3 News, Nov 2016

[2] The presentation to the Jamaica Bar Association was on digital currency, which also has an emerging threat and cyber security dimension to it.

[3] It is important to recognize that an ecosystem differs from a community in that an ecosystem speaks to a non-siloed approach, coordination and symbiotic relationships towards growth of entities.

OTT VoIP in the Caribbean: A Vexing Policy Issue


The Telecommunications Authority of Trinidad & Tobago (TATT) held their 21st ICT open forum on 18th June 2015 posing the question “Should Over The Top Services Be Regulated” to the three regulatory heads of the regional mobile providers Digicel, TSTT and LIME Caribbean, and the audience, no doubt, 100% comprised of mobile customers.

TATT’s representatives presented a summary of their consultative document “Towards the Treatment of Over-The-Top (OTT) Services”, which remains open for public comment until Monday July 6th 2015. While the consultative document starts off speaking to Over The Top (OTT) services in general and mentions that OTT services include other services, including video, within this forum (as within their document) there was a clear focus on OTT Voice over Internet Protocol (VoIP) services. The focus on OTT VoIP was subsequently brought up in the Q&A portion of the proceedings, with audience member Mr Simon Fraser of UWI posing comments around the future ‘can of worms’ scenario of which OTT services should be regulated or not. In defining OTT VoIP, three categories were mentioned:

| OTT VoIP Category | Example |
|---|---|
| App to App | Viber to Viber call |
| App to PSTN | Viber to call terminating on mobile provider network |
| PSTN to App | Call from mobile provider network terminating on Viber |

 

In making a determination on regulation of OTT VoIP, TATT has to take into consideration the Authorised Service Providers’ (ASPs’) perspective and the threats this innovation poses to them: (i) potential loss in revenues, (ii) utilization of network resources and (iii) having to compete with an unregulated service, i.e. an uneven playing field. TATT also has an obligation to ensure that consumers are protected in this tango between ASPs and OTT services, and indeed within their consultative document they note:

With the increase in demand for OTT services by the public, there may be a negative impact on the market if such services are removed

TATT offered a few possible scenarios for resolution, including:

| Solution | Explanation |
|---|---|
| Aggressive | Blocking of OTT VoIP services as was done by Digicel in Jamaica and Haiti |
| Collaborative | Partnering with select OTT VoIP players to develop a mutually beneficial relationship |
| Opportunistic | Creation of premium data packages which allow for OTT VoIP |

 

Positioning to Block or Collaborate

In presenting Digicel’s case for possible regulation of OTT VoIP, Mr Kieran Meskell, Head – Regulatory Affairs, stated that OTT VoIP service providers had an unfair competitive advantage over ASPs as they had no cost to build and maintain networks, nor did they have any obligations to fulfil as a regulated ASP. Digicel painted a bleak future scenario of Caribbean mobile network operator insolvency due to drastic loss of revenue from their mobile voice calls business and increased cost of upgrades and maintenance of mobile networks. They highlighted that they had a contract in place with Viber to provide OTT services over their network, which Viber chose not to honour. This is what led to their action of seeking to block the service, which TATT previously negotiated to stave off pending further investigation.

TSTT, who previously communicated the position that they will not block OTT VoIP services, took a more restrained approach, but stated nonetheless that they were concerned with OTT services which are in direct competition with licensed communication services. Ms Christa Leith, Head – Regulatory & Policy Affairs, noted OTT services as bypassing traditional distribution systems within their network and indicated their desire for a symbiotic relationship rather than a parasitic relationship. While citing several regulatory imbalances in comparing ASPs against OTT service providers along several dimensions (including licenses, quality of service, fees and interconnection), they acknowledged that traditional business models in the telecoms sector needed to be re-examined. TSTT expressed a position of “refining their OTT strategy” and stated they were open to collaborating with OTT services providers via “appropriate business models”.

 

“Vexing issue at the policy level…”

Head – Regulatory Affairs & Policy, LIME Caribbean / Columbus Communication Trinidad Limited, Mr David Cox came to the podium without a PowerPoint presentation but articulated the most thought-provoking delivery of the evening. Coming from a telecoms regulator background, he had a perspective on the problem from both sides of the table and he chose to convey his thoughts as a conundrum facing the nation, and indeed the Caribbean, via a series of exploratory questions. Grounding his delivery with a statement that his organisation has adopted an open internet policy (no blocking, no throttling), Mr Cox spoke less of OTT services and more about information and the differentiation between networks and information. He acknowledged the need for proper regulatory balance in the telecoms sector and agreed that money for the maintenance and upgrade of networks will evaporate if this balance is not achieved. However, he went on to question whether regulation of networks implied regulation of information and suggested that, at times, a light-handed approach to regulation is beneficial.

Some of his questions included:

  • Are ASPs the best agents to manage access to information? Should this be left to consumers?
  • Is there a role for self-regulation? What if companies make their decisions to block and let market forces prevail (i.e. let customers express their dissatisfaction by moving to another provider)?
  • What regulatory approach best promotes competition in the market place?
  • Can premium rate charges for OTT services and market forces solve this problem?

Citing a deficiency of in-market data presented by TATT, he suggested the use of foreign data on usage of OTT services may not paint an accurate picture within the local market usage of OTT services.  He also posed a final question to Digicel querying if Viber had not reneged on their agreement, would such an agreement be considered as a solution to the OTT problem or would that have been a temporary fix until a regulated solution was gotten from TATT.   It would seem that this is the question which should have kicked off the proceedings, or any future proceeding on this topic, for that matter.

 

From the Floor

In taking to the microphone, consumers spoke of their reliance upon these services to overcome international rates and burdensome data roaming charges and questioned the network providers’ claims of delivering a level of Quality of Service, citing recent outages and call quality concerns. Other notable concerns included:

  • Mr Lassana Murray, Quenk Technologies, noted that the blocking of OTT services would lead to a lost market opportunity for local software developers to create applications in that space.
  • Ms Tamara Ragoonath of DirecTV questioned why TATT was playing such a leading role in the OTT VoIP debate when they had an outstanding issue with respect to local subscription television services providers carrying international channels which they did not have the rights to broadcast, thereby placing DirecTV on an unlevelled playing field with these providers (…in response TATT stated that a final resolution on this matter, possibly in the form of cessation notices to offending service providers, was coming soon).

 

 

Conclusion

There is no doubt that OTT VoIP has the potential to erode mobile operators’ revenues, but with two out of three mobile operators willing to at least explore non-regulated solutions, one is left wondering if the future is as bleak as Digicel made it out to be. Additionally, they all seemed to agree that Telco business models need to be re-examined. Hence possible solution scenarios include a light-handed regulatory approach plus collaborative mechanisms between ASPs and OTT services (as advocated by TSTT) or some combination of opportunistic measures via the use of premium rate charges and aggressive measures of allowing ASPs to block what they want and let market forces prevail (as raised by Mr. Cox).

OTT services are but one innovation we are currently experiencing locally and in the Caribbean, but globally mobile operators are emerging from their traditional business models and immersing themselves into mobile money, payment systems and financial transactions. In fact, the International Telecommunication Union (ITU) currently has a focus group examining Digital Financial Services which is seeking to standardize mobile money technology and solutions. Hence mobile operators have the ability to derive revenues from new streams such as these and even begin competing with financial institutions. One can only speculate on the kickback local and regional Telcos will experience from traditional financial institutions once this round of innovation and perceived encroachment comes around.