By Victor Acin, Threat Intelligence Analyst, Blueliv
Financial services firms are increasingly being told to embrace disruption in order to compete in a fast-evolving market. But this very disruption threatens to drive a new type of risk: the risk of data loss, service outages and fraud on a massive scale. The resulting hit to the bottom line and corporate reputation may undo all the good work that digital transformation has helped to foment.
As we enter a new decade, banks need to think carefully about how they respond to these mounting cyber-risks, without holding back digital innovation. Cybersecurity, with threat intelligence at its core, must be a central part not just of business strategy but also of corporate culture.
Digital goes mainstream
According to PwC, financial institutions are increasingly migrating infrastructure to public cloud systems, as “digital becomes mainstream” in 2020. These investments are helping to create the more user-friendly services that customers are demanding today. With fintech innovators often leading the way, lenders have invested heavily in mobile app-based services at the front-end and more streamlined processes for opening accounts and other laborious tasks. In the future, it’s predicted that AI and robotics will become commonplace, and that blockchain will disrupt.
However, PwC also warns that amidst all this change, cybersecurity will be one of the top challenges facing financial institutions in 2020. The truth is that financial institutions have always been a main target for hackers — after all, they guard huge volumes of highly sensitive data, as well as money. And as they build out more digital infrastructure, cyber-risk increases unless proper controls are put in place.
What does cyber-risk look like?
The bad news is that hackers have developed multiple ways to get what they want. A typical financial institution’s attack surface covers not just core banking IT systems, but also customer accounts and the wider payment ecosystem. That’s a lot to protect.
Humans are often perceived as the weakest link in the security chain. That’s why attackers target banking customers in raids aimed at accessing their bank accounts. Phishing emails, automated tools which try huge volumes of breached passwords (known as credential stuffing), and malware are some of the most popular mechanisms for account takeover. In fact, earlier this year Blueliv’s threat researchers noticed a 283% increase in activity linked to Trickbot, one of the key botnets used to spread banking Trojans designed to compromise customer accounts.
Humans are also targeted inside banks themselves. Phishing emails sent to employees are a common first step in potentially sophisticated multi-stage attacks designed to illegally transfer huge sums of money or steal large data troves. Other threats to banks and their customers come from ransomware and DDoS, designed to extort money and deny critical services, and attacks aimed at harvesting payment card details — either from POS systems in retail and hospitality outlets or from e-commerce sites.
Money, money, money
If any indication were needed of the riches to be gained from targeting financial institutions, it’s the relatively large number of sophisticated attack groups that have emerged over recent years. The Carbanak/Cobalt gang is believed to have stolen $1.2 billion from over 100 banks in 40 countries, installing malware internally via phishing emails which either dispensed cash via ATMs or facilitated illegal SWIFT wire transfers, for example.
Others include Dridex, the group behind one of the most prolific banking Trojans ever created, and the North Korean state-backed Lazarus Group, which is thought to have been responsible for the audacious $81 million cyber heist at Bangladesh Bank.
As for the victims of such attacks, there’s a host of potential knock-on effects that can undermine financial stability and customer confidence. There are costs associated with: investigation and remediation of the incident itself; customer notification and possible credit monitoring; and business interruption, if services are taken offline. Legal costs may follow if customers take their bank to court and there may be follow-on fraud attempts to tackle. Then there are the less immediate impacts such as regulatory fines, declining share price, damaged reputation and customer churn.
The latter risk is particularly acute given the UK’s new Open Banking environment, in which a new breed of fintech start-ups are entering the market. More than ever, banks have to prove that they can offer their customers value, and keep their data and finances safe.
What happens next?
The bad news is that attacks are on the rise. The number of cybersecurity incidents reported to the FCA jumped by 1000% between 2017 and 2018. But there are things financial institutions can do.
A layered approach to security is required, promoted from the top down by engaged executives. Company-wide security awareness training is also essential: even by spotting and reporting phishing emails more effectively, staff could transform from being the weakest link to a formidable first line of defence against attacks. Tried and tested incident response plans are also essential: it’s inevitable that hackers will eventually target an organisation, so best be prepared.
Most importantly, banks need to improve their threat intelligence. Systems powered by accurate, real-time data from multiple sources can enhance decision making, improve the resilience of existing cyber-defences, automatically block attacks and support incident response. They can also scour dark web marketplaces to alert security teams if customer card data or user logins are about to be traded by cyber-criminals.
With this in place, banks can move from a reactive to a proactive security posture, hunting down those who seek to do them harm, cancelling cards and resetting passwords before an attack can even be monetised. Collaboration within and between organisations is also key. The bad guys are past masters at sharing information and expertise to get what they want. It’s time the security teams within our banks did the same.
WHY DIGITAL TRANSFORMATION IS CRUCIAL FOR BANKS
David Murphy, Managing Partner, Financial Services EMEA & APAC at digital consultancy Publicis Sapient
Over the past five years, disruptor banks such as Monzo, Revolut and Starling Bank have upended the idea of a bank and have challenged the longstanding dominance of traditional players.
Through a digital-only approach, challenger banks have grown rapidly by exploiting poor customer service and lack of innovation in many parts of the industry. They have uprooted the need for bank branches by making the very idea of queueing in a physical location to transfer money or waiting on hold on the telephone for customer support seem unusual or eccentric.
As a result, the market share for current accounts of the big four legacy banks (Barclays, Royal Bank of Scotland/NatWest, HSBC and Lloyds) has lost ground, from 92% of all bank customers a decade ago to around 70% today. Research has also found that digital-only banks Monzo and Revolut are on track to triple their customer base to more than 35 million over the next 12 months.
In the face of new competition, many banks already realise that they can no longer rely on old practices and that they must digitally transform. However, transforming an embedded culture and organisational structure is easier said than done. It requires traditional banks to completely rethink their practices in order to meet shifting customer preferences and the emergence of new technologies such as banking apps.
At Publicis Sapient, we have outlined three clear models of digital business transformation in order to help banks compete against digital-only banks.
When transforming for the digital era, banks must gradually change mindset and infrastructure, working towards a more effective structure. This is fundamental to the future success of any cultural approach, as moving too fast can produce cultural backlashes that can hold back innovation and adoption of new ideas or practices.
Moving slowly is only one part of this approach. In order to ensure that company mindset truly evolves, banks must also revisit their ethos and structure, invest in communication and training, and create a clear and comprehensible digitalisation plan. As part of this, it’s crucial to eliminate silos and develop robust strategies for employees to get behind their new plan.
Fundamentally, the evolve approach requires banks to create a “movement” that facilitates change across the wider organisation. This requires banks to demonstrate the value of digital transformation to employees across multiple offices and organisations.
The jump method centres on platform modernisation. In other words, this approach is less about incremental change, and more about ‘jumping’ in feet first. It involves creating a new shell onto which the existing business can migrate. In order for this method to be successful, a step-change in cost-to-income ratio and customer experience is crucial. By adopting new strategic platforms and ways of working, with continued but reducing connections to the existing business systems, this model requires a willingness to trial new approaches and, in turn, decommission the legacy systems.
Banks that follow the ‘attack’ approach try to recreate the dynamism of fintech startups within their organisation. This can mean creating either an internal innovation lab or going into a partnership with an external technology provider to create a separate, almost rival banking platform. Initiatives such as these allocate space to incubate ideas internally with considerable time and investment. They also overcome the cultural issues that big organisations come up against by building small teams in the company to develop new, competing platforms. However, they must be customer-oriented: new, self-contained enterprises within the business should focus on addressing a unique customer need rather than delivering a specific product.
When digitally transforming, legacy banks need to ensure that they implement a strategy that works best for their organisation. However, when considering where to invest their change budgets, most banks should take a “portfolio approach”, looking across their business lines to see where it is most effective to Evolve, and look for opportunities either to Jump a business line such as Payments to a new platform or even to create a separate digital enterprise through an Attack approach. Essentially, banks must take a holistic view on changing both cultural attitudes and structural problems.
THE ‘LEGO-IFICATION’ OF BANKING IT AND THE RISE OF DIGITAL FINANCE ECOSYSTEMS: FOUR PRIORITIES FOR BANKS IN 2020
Danny Healy, financial technology evangelist, MuleSoft
The advent of the open banking era and continued emergence of fintech has forced customer experience up the banking agenda. According to McKinsey, of the 50 largest global banks, three in four have now pledged themselves to some form of customer experience transformation.
Understanding the importance of customer experience is one thing; being equipped to deliver a good one is another thing entirely. As banks look to technologies such as multi-cloud and AI to support more sophisticated customer experiences, their IT teams face an uphill struggle to integrate these initiatives with their existing systems. Across all industries, more than four in five (84 percent) of IT leaders claim these challenges are putting the brakes on their organisation’s digital efforts.
To get around this challenge in 2020, banks now need to focus on re-imagining their IT departments in order to unlock their digital capabilities and empower business-wide innovation. Here are four key areas that banking IT teams will need to focus on in the year ahead to make this a reality.
Repackaging IT into reusable building blocks
IT efficiency is crucial to the success of digital transformation initiatives; it’s one of the main reasons why small, nimble fintech companies have been able to steal a march on their more established rivals. As such, banking IT departments are under substantial pressure to deliver more, faster. However, IT can no longer keep up with the demands of the business; little over a third (36 percent) of IT professionals were actually able to deliver all projects asked of them last year.
To get around this growing IT delivery gap, we’ll see IT move away from trying to deliver all IT projects themselves in 2020. The IT team’s role will evolve to changing, operating and securing the bank’s core IT assets along with building and managing reusable APIs, exposing digital functionality that the rest of the business can consume to create the solutions they need. Essentially, IT begins to create new building blocks (APIs) that can empower both the technical and the broader lines of business users to innovate and build new digital banking solutions without compromising the core IT estate. Banks have already been compelled to create API strategies to open up collaboration opportunities with third parties; this year, we should expect to see them apply the same principles internally. Rather than being the bottleneck that prevents banks from launching innovative new products, IT can empower them to digitally transform and innovate faster than ever before, shifting from being an “all doing” to an “enabling” organisation.
A wise investment in AI
Banks are investing more in AI each year, as they look to use the technology to transform traditional banking processes. In principle, AI has the potential to revolutionise everything from credit decisions through to risk management and trading platforms, alongside the capability to offer highly personalised customer experiences. Yet for most banks AI hasn’t yet reached its full potential, as data is locked up in siloed systems and applications.
In 2020, we’ll see banks unlock their data using APIs, enabling them to uncover greater insights and deliver more business value. If AI is the ‘brain,’ APIs and integration are the ‘nervous system’ that help AI really create value in a complex, real-time context.
Harnessing the power of containerisation with APIs
Despite taking a more cautious approach to the cloud than other industries, many large banks are now using multiple clouds to support the delivery of both internal and external services. But multiple clouds are difficult to manage and being able to move workloads between them remains a significant challenge.
This year, we will see banks begin to use APIs in tandem with containers to navigate multi-cloud complexity. APIs will unlock the data and unique functionalities of applications residing in multiple cloud environments, while containers will neatly package up code and all its dependencies, so the application runs quickly and reliably from one computing environment to another. For example, HSBC has built a multi-cloud application network to meet growing customer demand. Turning to the cloud to accelerate IT delivery, HSBC has built and published thousands of APIs that were deployed across multiple environments using containers to unlock legacy systems and power cloud-native application development.
Open banking and the rise of the digital ecosystem
When it first appeared, open banking gave rise to all manner of opportunities for banks to collaborate with third parties on shared services. This year, we can expect to see banks take this further, and experiment with broader digital ecosystems where their services seamlessly fit in with those from other providers across diverse industries. This is the start of a fundamental shift from traditional financial services, where banks look to ‘own’ customer engagements entirely. In the new model, each of these providers will coordinate their financial services across the same ecosystem, without ever ‘owning’ the customer.
Banks will thereby look to extend their own capabilities and customer data to other businesses via APIs. For example, Mastercard has turned many of its core services into a platform of APIs, allowing it to create the Mastercard Travel Recommender, which allows travel agents and transportation providers to access customer spending patterns and to offer customers targeted recommendations for restaurants, attractions and activities. Expect to see other financial services companies take this approach in the year ahead, along with focusing on providing an excellent developer experience around their APIs to drive competitive advantage.
The year of connectivity
Data and digital transformation are both well-established priorities for the entire financial services industry. As we continue into the new decade, attention will increasingly shift towards the connectivity that unlocks the value of data and underpins the success of digital transformation initiatives.
APIs will play the key role in meeting the banks’ new connectivity requirements. By reimagining digital assets as a set of digital building blocks, banks can enable every stakeholder within the business to contribute to digital projects, democratising the ability to innovate. By doing so, they can transform the IT department from a cost centre into a source of value that will truly help to create the bank of the future.