Cyber security: trends and implications in financial services

This editorial was first published in our Web Fraud Prevention and Online Authentication Market Guide 2017/2018. The Guide is a complete overview of the fraud management, digital identity verification and authentication ecosystem provided by thought leaders in the industry from leading solution providers (both established and new players) to associations and experts.

Kronos, Invisible Man, Spy Dealer, Faketoken, Double Pulsar, Trickbot… It’s ok if you thought this was a list of Hollywood blockbusters! These are in fact banking Trojans that hit the headlines in recent past and the creativity of the researchers who named them must be commended!

Artificial intelligence and machine learning, useful tools for the bad guys as well?

Kronos was the first to appear in 2014 – cybercriminals have always targeted financial service institutions, because, well, that’s where the money is. However, the threat landscape has changed considerably in the last few years. The staggering advances in new technologies have made it possible to change the world for the better, with applications of artificial intelligence and the Internet of Things facilitating, for example, further financial inclusion and providing even better consumer experiences. However, this is a double-edge sword as technology has also enabled criminals and fraudsters to become even more innovative.

“Cyber” is now the tool of choice for financial crime as it makes it easier to swipe millions from financial institutions within seconds and dispose of the stolen assets quickly. Indeed, cybercriminals are starting to use machine learning to sift through large amounts of data to classify victims that have weaker defenses, to maximise their return on investment and to conduct effective phishing campaigns on a massive scale.

Even more recently, fraudsters showed incredible nous by poisoning results for financial-related searches to deliver banking malware to unsuspecting consumers. In the UK, the National Cyber Security Centre has dealt with more than 600 “significant” cyberattacks since it was opened. In 2016, we saw the IoT harnessed to create the biggest ever DDoS attack, SWIFT members repeatedly hacked, and the scandalous leak of the Panama Papers. This was also the year when UK cybercrime figures were for the first time included in overall fraud figures, showing a 55% year-on-year increase, a fact that security and fraud professionals had always suspected. The 2017 is proving to be no different, and we only have to look at the massive Equifax data breach and the recent Paradise Papers leak, which brings into question the issue of data protection and privacy and how we manage digital identities.

How to harmonise and protect consumers’ personal data?

With an increase amount of data flowing across ever blurring geographical boundaries, the question of how to tackle fraud across the community and beyond has been both difficult and increasingly important. In this complex landscape, protecting that data is a challenge that governments worldwide are trying to address in an attempt to strike the right balance between technology innovation, competition, risk and security. Regulatory risk has never been so much in the limelight.

Governments have taken different approaches to financial services oversight. India’s attempt to promote financial inclusion, with a universal digital identity scheme and fast demonetisation, has led to a boom in fintech innovation, but also created fraud/security risks which are now being addressed (in a recent move, the Indian Central Bank made the linking of national identity numbers – Aadhaar – to bank accounts mandatory). In China, technology giants Ant Financial (with Alipay) and Tencent (with WeChat Pay) have been quietly leading the mobile payments revolution. They achieved such a dominant position that not only has China’s Central Bank ordered them to operate through a centralised clearing house (to promote competition), but has been worried that promotional activities might interfere with the normal currency flow of the CNY. China has also introduced numerous, and sometimes controversial, cyber security laws. As for the US, the fintech regulatory landscape is so confused that it is a wonder if any startup succeeds.

In the meantime, Europe brings in the 2nd Payment Services Directive (PSD2), the new Anti-Money Laundering Directive, the General Data Protection Regulation (GDPR), and many others. Unlike in any other geography, European regulations aim to be all encompassing at the outset. In one fell swoop, these all intermingled regulations aim to protect and enable consumers (as in India) to foster technology innovation (as in China), and to preserve the integrity of the ecosystem (like everywhere). However, such laudable intentions also have their fair share of controversy, particularly for PSD2 and Open Banking.

Indeed, the EBA RTS on Strong Customer Authentication and Common and Secure Communications has set the cat amongst the pigeons: incumbents (i.e. the ASPSPs) love the stance on APIs and the ban on screen scraping, and the new kids on the block (i.e. AISPs and PISPs) loathe the ban on screen scraping as it may destroy their business model. And the debate goes on. Not to be left out, EMVco recently released the new EMV 3-D Secure Specification. All of these put digital identity and authentication firmly on the agenda.

Yes, Data (YOUR Data) is the new money (or oil, or coal), and technology has enabled new entrants to challenge incumbents by capitalising on that data to understand behaviours and appear more human. Unfortunately, the combination of data proliferation and technology advances has also created more risk. Fighting fraud and cybercrime effectively means being serious about information security and fraud prevention, managing the extended supply chain and understanding how new technologies can streamline operations (and the Regtech industry is currently flourishing...).

Regardless, the threat landscape is constantly evolving and many regulations will come into force in 2018. Organisations must be ready and their success will depend on their foresight, their risk management posture and how they capitalise on new technologies.

About Neira Jones

Neira advises organisations on payments, fintech, regtech, information security, regulations and digital innovation. She holds a number of Non-Executive Directorships and Advisory Board positions and is on the Thomsons Reuters UK’s top 30 social influencers in risk, compliance and regtech 2017 and the Planet Compliance Top 50 RegTech Influencers 2017.

About Emerging Payments Association

The Emerging Payments Association (EPA) has over 120 members from across the payments value chain. We connect the payments ecosystem, encourage innovation and drive business growth, strengthening the payments industry to benefit all stakeholders. Get in touch at info@emergingpayments.org or +44 20 7378 9890.