Cyber security has long been a serious matter for financial institutions and corporates alike, but fintech and the digital era make cyber security more of an issue. Delivery of products and services through digital channels means that more systems are available to scrutiny by malefactors. The continuing adoption of fintech APIs (by which institutions provide their clients with third party services) and cloud computing may introduce further vulnerabilities. Meanwhile, the growth of the digital economy is also creating a large population of highly trained technologists — potentially creating greater numbers of cyber attackers and cyber thieves.
Cyber threats affect all industries, but financial institutions are particularly at risk, because of the direct financial gain possible from a cyber intrusion. The recent use of the SWIFT messaging network to fraudulently divert US$81m in funds from Bangladesh’ central bank is an indication of the increasingly dire nature of these threats, and a harbinger of things to come. It also demonstrates that cyber security is as much a threat to corporate banking as to the consumer side.
As the above fraud case also shows, cyber intrusions are expanding beyond data theft to encompass a range of sophisticated threats that present specific risks to an institution, as summarised below:
Information security breaches: theft of consumer account or credit card data is the classic example.
Operational crime by employees or external partners.
Financial crime: fraud and money laundering.
Espionage and crime
Sabotage and terrorism
The US Federal Financial Institutions Examination Council’s (FFIEC) Information Security Booklet aims to provide a principles-based guide to cyber security for financial institutions. Its recommendations include:
Security controls: Access control, encryption, malware prevention.
Network protection: Firewalls, packet inspectors.
User education to promote safe computing practices among employees.
Systems development and maintenance safeguards and best practices.
System hardening: Turning off unused features to prevent back doors.
Personnel security: Background checks and onboarding of IT staff.
Security monitoring: Network and server monitors to detect anomalous traffic and unauthorized changes.
Activity monitoring: Intelligent sensors to detect anomalies.
Condition monitoring: Internal and third-party auditing of the FIs’ cyber security efforts.
Analysis and response to red flags.
An important question is whether security guidelines issued by the FFIEC and other organisations will continue to be adequate in the age of fintech and digital financial services (which, again, is developing on both the retail and corporate sides). Fortunately, the evolution of fintech also entails the development of new technologies aimed at creating the next generation of cyber security.
A number of startups are beginning to develop applications using semantic analysis and machine learning to tackle know your client (KYC), anti-money laundering (AML) and fraud issues. Significantly, IBM Watson and eight universities recently unveiled an initiative aimed at applying artificial intelligence to thwart cyber-attacks.
Artificial intelligence (AI), as advanced as it is, still represents the traditional cyber security paradigm of “defence,” putting up physical and virtual walls and fortifications to protect against attacks, breaches, and fraud or other financial crime. What if there were a technology that broke through this “defence” paradigm and instead made cyber security an integral aspect of financial technology?
This is precisely the approach taken to cyber security by blockchain technology.
Bank consortia and startups alike are engaged in efforts to develop distributed ledgers for transfer of value (payments) and for capital markets trading (where the execution of complex financial transactions is done through blockchain-based smart contracts). Accordingly, distributed ledgers and smart contracts are likely to one day have a place in treasury operations, for both payments and trading.
Blockchain is gaining attention primarily because its consensus-based, distributed structure may create new business models within financial services. In addition, though, blockchain technology has at its core encryption technologies that not only keep it secure, but are actually the mechanism by which transactions are completed and recorded. In the case of Bitcoin, blockchain has demonstrated that its encryption technologies are quite secure. The further development of blockchain will necessarily entail significant enhancements in next-generation encryption technologies such as multi-party computation and homomorphic encryption, which are already under development. In other words, blockchain is likely to not only play a role in altering the way payments and capital markets transactions are undertaken, but also in the way next-generation financial systems are secured.
For more information, please see Celent’s recent reports Banking in the Cloud: Between Rogues and Regulators, Governing Risk: A Top-Down Approach to Achieving Integrated Risk Management, and Cryptotech 101: Confidentiality as a Service.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.
Politicians have united in urging the Reserve Bank of Australia to lend its backing to the digital currency by officially recognising it.