
In today’s interconnected world, financial markets are increasingly exposed to misconduct due to information asymmetry and the high cost of obtaining reliable information. The recent signing of the United Nations Convention Against Cybercrime underscores the urgency of strengthening global frameworks to combat digital threats.
Financial misconduct, defined as the “risk of financial loss, reputational damage, or harm to market integrity arising from inappropriate, unethical, or unlawful behavior of financial institutions or their staff,” is a key subset of operational risk. It stems from failures in governance, culture, or behavior and can severely erode consumer trust in financial institutions. Beyond direct losses, misconduct damages reputation and profitability, diverting resources from productive investments toward penalties and remediation. As technology advances and cyber threats intensify, fraud has become a global issue, underscoring the critical importance of data protection and privacy in the financial sector.
Global Trends in Financial Fraud
In 2023, the global financial system lost an estimated $485.6 billion to scams and bank fraud, including $33.83 billion in credit and debit card fraud. Cyber risks are escalating rapidly: from 2021 to 2024, the share of financial institutions worldwide experiencing ransomware attacks surged from 34% to 65%. From November 2022 to October 2023, the finance industry faced the highest exposure to basic web-based application attacks.
Fraud losses have risen in 73% of organizations across Europe, the Middle East, Africa, and Asia and the Pacific. Common forms include account takeovers, identity theft, fraudulent account openings, and authorized push payment scams. Asian economies have been particularly affected. In India, cyber-fraud cases quadrupled from 2023 to 2024, with reported losses of ₹1.8 billion ($21 million) and UPI/OTP scams surging by 85%. Thailand experienced losses of around B70 billion ($1.92 billion) between March 2022 and July 2024, though authorities successfully prevented B5.9 billion ($162 million) in losses through initiatives like the Anti-Online Scam Operation (AOC 1441). The Philippines registered approximately 15 million covered and suspicious transaction reports in 2023, while Indonesia shut down over 12,000 illegal fintech entities between 2017 and January 2025 and established an Anti-Scam Centre in 2024.
Fraud-Induced Systemic Risks
Financial misconduct, especially when it involves systemically important and large institutions, can have spillover effects and evolve into major systemic risks. Examples include large-scale corporate failures, most notably the collapse of Lehman Brothers in 2008; the NTT Docomo smartphone payment fraud in Japan in 2020, which exposed vulnerabilities in digital payment infrastructure; the Bangladesh Bank cyber heist in 2016, which highlighted cross-border cyber risk via the Philippines’ financial system; and the 2018 Punjab National Bank scam in India, which revealed serious lapses in internal controls and trade financing risks. These cases demonstrate how misconduct can have far-reaching implications, extending beyond individual losses to trigger systemic financial crises that affect the entire financial system.
Financial Data Protection Regulations in Asia
Asian countries have enacted various laws to safeguard growing concerns around consumer financial data protection and privacy. The Philippines enacted the Data Privacy Act (2012) and the Anti-Financial Account Scamming Act (2024), supported by a Cyber Resilience Plan (2024–2029). Japan updated its Act on the Protection of Personal Information through 2022, adding fraud prevention and victim compensation. Thailand’s Personal Data Protection Law (2019, enforced 2022) mandates customer consent for sharing the data of third parties. Malaysia established a National Scam Response Center (2022), and India introduced the Digital Personal Data Protection Act (2023) emphasizing data localization and mandatory consent.
Despite ongoing efforts, significant disparities persist across the region. Singapore, Australia, and the People’s Republic of China have enacted comprehensive data privacy and protection laws with enforcement mechanisms, although challenges remain in terms of cost, capacity, and cross-border coordination. Japan, Indonesia, the Philippines, Malaysia, Thailand, and India have legal frameworks in place, but enforcement and institutional capacity are still evolving. Meanwhile, Cambodia, the Lao PDR, and Mongolia lack standalone data privacy laws and rely on fragmented rules, and Timor-Leste has only Financial Intelligence Unit-based provisions. Most countries, with the exceptions of Cambodia, Timor-Leste, and Bhutanhave deposit insurance in place. Consent remains the primary basis for data sharing across jurisdictions. Two-factor authentication and transaction encryption are widely adopted, but secure API integration is still lacking in many countries. Biometric authentication is not yet utilized in smaller developing economies, such as the Lao PDR and Timor-Leste.
Gaps and Uneven Progress
Despite growing awareness, significant gaps and uneven progress persist in the region. Emerging technologies such as artificial intelligence (AI), machine learning, crypto-assets, and advanced digital payments often fall outside traditional regulatory mandates, highlighting the need for clearer frameworks. While financial technology innovations offer benefits, they also heighten the risks of cyber fraud, and data insufficiency hinders regulators’ ability to effectively tackle these evolving trends.
A major challenge is the lack of public awareness and low financial and digital literacy, which leaves consumers vulnerable to cyberattacks and phishing scams. Additionally, many countries face constraints on technical and human capacity for supervision, weak enforcement of existing regulations, and differing development levels, all of which pose further hurdles to effective financial data protection.
Policy Priorities for a Safer Digital Future
To strengthen financial data protection across Asia, policymakers must focus on several interrelated priorities. First, regulatory frameworks need to be updated to cover emerging technologies such as blockchain and big data analytics. Second, cybersecurity and data governance must be enhanced through the use of AI-resilient algorithms, consent-based data sharing, and regular cyber-resilience testing. Third, promoting consumer protection and improving digital financial literacy, especially among vulnerable groups, is essential to reduce exposure to cyber threats. Finally, strengthening technical and human supervisory capacity through regulatory technology and supervisory technology, along with better cyber fraud reporting, will help identify fraud patterns and mitigate future risks more effectively.
This blog draws on insights from discussions during the ADBI event on Bank Regulation and Supervision Practices in Southeast and East Asia, held in Bangkok, and from a presentation delivered at the Global Financial Consumer Forum 2025 at Sungkyunkwan University in Seoul, reflecting shared regional perspectives on strengthening financial consumer protection.
