The rise of virtual products and services in banking is revolutionizing the financial industry all around the globe. Suddenly, people who never had access to financial services now find themselves with a plethora of options available with a few taps on their smartphones.
For example, data from the International Monetary Fund published in September 2019 shows that in Afghanistan, “where less than 200 out of 1,000 adults have bank accounts,” mobile money has increased fourfold over the past five years “to reach 1.2 percent of GDP in 2018.”
And the phenomenon isn’t limited to developing countries, or even to the financial industry itself: suddenly, companies across the board are taking an interest in offering financial services in various capacities to their users as they search for new revenue streams and new ways to serve their clients.
In fact, PriceWaterhouseCoopers, in its “Financial Services Technology 2020 and Beyond: Embracing Disruption” report, said that all over the world, “finTech start-ups are encroaching upon established markets, leading with customer-friendly solutions developed from the ground up and unencumbered by legacy systems.”
This has caused some anxiety among established industry players who are concerned about being able to keep up with the pace of technological innovation. 70% of respondents to the company’s Global CEO Survey said that the “speed of change in technology was a concern” with regard to keeping up with the competition.
However, being able to match the agility of challenger banks and fintech startups isn’t perhaps the only reason to be concerned about the pace of innovation in financial technology.
Indeed, the acceleration of technological innovation presents a new and unique set of security risks to the users of virtual banking and fintech platforms.
What are these risks? And is the development of cybersecurity solutions and safety nets moving as quickly as the development of these fintech platforms?
Problems in APAC could be an indicator for the rest of the world
The issue has been a matter of concern in regions of the world where virtual banking has gained a particularly strong foothold.
Indeed, in its latest Global Fintech Adoption Index, multinational professional services firm Ernst & Young (or EY) found that the APAC region is charging ahead in terms of the proliferation of fintech platforms.
“In just two years, consumer usage rates of FinTech-powered services have doubled, and in some cases tripled, across key Asia-Pacific markets,” the report said. This includes Hong Kong, Singapore, and South Korea, which have each achieved 67% FinTech adoption; Australia follows close behind at 58%.
Still, the report says that at 87% penetration, China is the clear leader in fintech adoption, “except for India, which is now nearly tied with Asia’s leading digital power.”
But with the rapid rate of adoption has come the rapid introduction of new kinds of security risks. In a report entitled “eKYC is Streamlining Digital Banking: An Asia-Pacific Perspective”, Jumio found that 78 percent of banks in the APAC region say that the introduction of things like real-time payment platforms in their home countries has resulted in an increase in fraud-related losses. Socially engineered scams were named by 40 percent of banks as the top form of attack by fraudulent actors.
Similarly, in its 2019 Global Identity and Fraud Report, the company found that 50% of businesses in APAC had seen an increase in fraud losses over the past 12 months related to identity theft and account takeovers. The report also found that 67% of businesses reported an increase in concern about fraud losses since 2018.
The risks–and the fallout they cause–are global problems
While APAC’s increased rate of adoption may have brought the risks associated with fintech adoption closer to the surface, the problems are similar elsewhere in the world.
Dave Klein, Senior Director of Architecture & Engineering at Israel-based cloud security firm Guardicore, told Finance Magnates that across the globe, “banks and financial services firms are leading targets for cybercrime”, and that “cyberattacks cost financial institutions more than firms in any other industry, averaging 50 percent more than all others combined.”
“There have been many malicious groups aiming their efforts at taking advantage of banking networks directly,” Mr. Klein explained.
The fallout from these cyberattacks isn’t limited to the loss of funds alone. Peter Berg, VP of Business Development & Strategy at Very Good Security (VGS), told Finance Magnates that “data security—and increasingly, data privacy—is a pressing issue in all corners of the financial industry.”
Indeed, “the fear of data breaches creates a multi-faceted challenge,” he explained. “First, customers lose trust in institutions that can’t keep their sensitive data safe. Second, it creates hesitancy from long-standing financial institutions to work with innovative fintechs and startups. Third, it pushes each company to build compliance and security systems from scratch, which is incredibly time and resource-intensive.”
Regulatory requirements add another layer of complexity to the issue
Essentially, “especially as systems shift to remote and online, data has shifted from being an asset to a liability,” Mr. Berg explained.
Indeed, in a way, the presence of so many online platforms has presented opportunistic criminals with a plethora of new opportunities to find their way into users’ accounts and to sensitive information.
This kind of “data sprawl” is the center of the problem; therefore, “limiting data sprawl is more relevant and difficult than ever.”
“The explosion of digital financial services combined with cloud computing initiatives and new application delivery models has expanded the attack surface that criminals can exploit,” Mr. Berg explained. “It is felt the greatest in payment transactions and in privacy portions revolving around customer data.”
Mr. Klein also said that the problem is compounded by the fact that banks and fintech platforms are “subject to numerous complex regulatory requirements.”
“For the larger banks, regulatory compliance comes in international monetary transactions compliance called SWIFT,” he said. “They also must comply with PCI compliance for credit card transactions.”
At the same time, “privacy laws are burgeoning everywhere.”
Indeed, “consumers demand it,” he said. “It has become the new norm,” he continued. “If banks do business in the EU, there is GDPR; in NY there is SHIELD.” At the same time, “in California [there is] CCPA and in Mexico, there is the Federal Data Protection Law.” The list goes on.
The problem grows more or less complex depending on where these banks and companies operate. “For the smaller community banks who rely on check processing by the Federal Reserve, and credit card, money transfer services, and ATM services from third parties, they must adhere to the ad hoc requirements of each vendor they work with.”
Solving a multi-pronged problem
So, what is the solution?
Ideally, fintech companies and banks should aim to adopt an approach that both effectively protects customers and addresses as wide an array of compliance requirements as possible, while avoiding over-burdening users with onboarding steps.
Jumio recommends the adoption of electronic know-your-customer (eKYC) and anti-money laundering (AML) solutions that safely and compliantly acquire customer data without placing an extra burden on customers. (It should be noted that Jumio provides eKYC and AML services itself.)
Indeed, Jumio said that finding this kind of a solution is a “delicate balancing act”: on the one hand, “prioritizing fraud detection adds incremental friction to attain higher levels of identity assurance.”
On the other hand, however, “if you have too much friction, conversion rates drop off and you’re left with disenfranchised prospects.”
Alexey Khitrov, co-founder and President of identity verification firm ID R&D, also noted this trend in an email to Finance Magnates. “While digital banking requires strong security, customers are not willing to sacrifice ease and speed,” Mr. Khitrov said.
Solutions must be tailor-made depending on a company’s needs, but they must address a certain set of issues
In other words, given the competing concerns of cybersecurity, compliance, and user-friendliness, fintech’s cybersecurity problem is very complex, and as such it probably requires complex solutions. This could mean the creation of home-grown solutions that attempt to address each aspect of identity verification and cybersecurity, or the use of a number of different third-party solutions that separately address various aspects of the problem.
In either case, there is no one-size-fits-all answer: each company’s solution will need to be tailor-made, one way or another.
Still, Mr. Klein says that there is a guiding set of “Zero-Trust” principles that companies are increasingly adopting to form the security and compliance infrastructures that they use.
“In response to these threats financial institutions are increasingly adopting Zero Trust strategies and active defense measures to protect critical financial systems like SWIFT payments infrastructure, cardholder data environments (CDE) and customer PII to reduce the attack surface and meet data protection and compliance requirements,” Mr. Klein said.
These “Zero-Trust” infrastructures reduce risks by taking steps toward decentralizing customer data, making it more difficult for a malicious actor to gain access to it.
In other words, this “micro-segmentation” makes it possible for companies to store KYC data in one place, while transaction data and account access data may be stored separately. Therefore, if a hacker gains access to one set of data, they may not be able to access other pieces.
“A Zero-Trust architecture abolishes the idea of a trusted network inside a defined corporate perimeter,” he explained. “At the core of Zero-Trust is the application of ‘micro perimeters’ of control around sensitive data assets.”
“These ‘micro perimeters’ require micro-segmentation and software-defined segmentation to segment off critical banking systems, reduce the attack surface and streamline compliance in any environment,” Mr. Klein said.
This means that “financial institutions can reduce the attack surface of critical financial systems and prevent the exfiltration of sensitive data by applying micro-segmentation for fine-grained access control.”
Building a “Zero-Trust” infrastructure
What does this kind of Zero-Trust infrastructure look like on a practical level? Mr. Klein told Finance Magnates that “Institutions that seek to adhere to Zero Trust principles must successfully leverage security solutions that are specifically designed to provide the following:
Total visibility. Real-time and historical capability to visualize and map application dependencies and flows across financial systems. This visibility is key to producing error-free, accurate, granular and tight micro-segmentation policies.
Enforcement capabilities around these micro-segmentation policies that include process, user and fully qualified domain name. These capabilities enable teams to reduce the attack surface and limit exposure to crown jewel applications.
Meet compliance requirements. Quickly map and separate compliance-related systems and infrastructure such as SWIFT, PCI, CCPA, SHIELD, GDPR, Mexico FDPL, et cetera.”
In addition, these systems “must work across the complex, heterogeneous banking environment from legacy systems to virtualized workloads, and to containers, serverless and clouds.”
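To make the micro-segmentation model described above concrete, here is an added Python example (not code from the article, from Guardicore, or from any other vendor it mentions) that evaluates observed connections against a default-deny allow-list keyed on segment, port, process, user and fully qualified domain name, so that KYC, transaction, SWIFT and cardholder-data systems can only talk along explicitly permitted paths. The workload labels, hostnames, binary paths and service accounts are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory: each workload is labelled with its segment. Hostnames and
# labels are hypothetical; the segments mirror the scopes the article names
# (SWIFT infrastructure, cardholder data environment, KYC/PII, transaction data).
SEGMENTS = {"web-frontend": "dmz", "kyc-store": "kyc", "txn-db": "transactions",
            "swift-gw": "swift", "card-vault": "cde"}

@dataclass(frozen=True)
class Rule:
    src_segment: str
    dst_segment: str
    port: int
    process: Optional[str] = None  # binary that may open the connection
    user: Optional[str] = None     # account that binary must run as
    fqdn: Optional[str] = None     # name the destination must have been resolved from

@dataclass(frozen=True)
class Flow:  # one observed connection, as a visibility tool would report it
    src: str
    dst: str
    port: int
    process: str
    user: str
    fqdn: str = ""

# Allow-list. Anything not matched is denied: there is no trusted "inside".
POLICY: List[Rule] = [
    Rule("dmz", "transactions", 5432, process="/opt/bank/txn-api", user="txn-svc"),
    Rule("dmz", "kyc", 8443, process="/opt/bank/onboarding", user="kyc-svc"),
    Rule("transactions", "swift", 443, process="/opt/bank/swift-connector",
         user="swift-svc", fqdn="swift-gw.bank.internal"),
]

def _matches(rule: Rule, flow: Flow) -> bool:
    # Unknown hosts have no segment and therefore can never match a rule.
    if (SEGMENTS.get(flow.src), SEGMENTS.get(flow.dst), flow.port) != (
            rule.src_segment, rule.dst_segment, rule.port):
        return False
    # Process, user and FQDN constraints apply only when the rule sets them.
    return all(want is None or want == have for want, have in
               ((rule.process, flow.process), (rule.user, flow.user), (rule.fqdn, flow.fqdn)))

def evaluate(flow: Flow) -> str:
    """'ALLOW' if any rule permits the flow, otherwise 'DENY' (default deny)."""
    return "ALLOW" if any(_matches(r, flow) for r in POLICY) else "DENY"

def denied(flows: List[Flow]) -> List[Flow]:
    """Observed flows the policy would block: review these before switching to enforcement."""
    return [f for f in flows if evaluate(f) == "DENY"]
```

Running `denied()` over a capture from the visibility phase shows which existing dependencies the policy would break, which is the check to do before turning enforcement on.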
Looking into the future, Mr. Klein said that, in general, “banks and other enterprise organizations must do more to shore up low hanging fruit that attackers take advantage of. They must address things like poor password control and dual-factor authentication, certificate management, running workloads under least privilege (without admin rights), account management control and vulnerability assessment and patching.”