RBI editor Douglas Blakey speaks with industry experts to gain informed comment on 2020 banking security.
Building a better mousetrap
Andrew Davies, VP, Global Market Strategy, Financial Crime and Risk Management, Fiserv
As we enter a new decade, the perpetual game of cat and mouse between criminals and financial institutions will continue. And each side will be unveiling new moves in an attempt to stay ahead of the other.
Once the purview of well-organised crime syndicates, money laundering has become mainstream. Today it represents between 2-5% of global GDP, or $800bn-$2trn according to the United Nations Office on Drugs and Crime.
Criminal exploits in this area have become more widespread while maintaining a high level of sophistication. And as the technology to detect and prevent money laundering, and the policies to prevent it, have become more advanced, criminals are beginning to shift their sights to greener pastures.
2020 banking security: trade finance, securities and insurance in focus
In 2020, we expect to see more criminal activity directed toward areas such as trade finance, securities and insurance. Financial institutions will be meeting this activity head-on. They will be casting the net of monitoring and investigations wider and sharing intelligence with law enforcement, peers and even competitors in the name of preventing financial crime.
At the same time they will be ferreting out the often-associated activities of bribery, corruption and human trafficking.
In particular, machine learning, AI, and real-time transactional data analysis to uncover potential criminal activity will continue to grow substantially. These technologies can consume more data from more sources, more quickly than human investigators. This enables faster analysis of a broader evidence base and, ultimately, more accurate detection as banks build a better mousetrap.
2020 banking security: businesses must up their game
Aaron Zander, Head of IT at HackerOne
Government, healthcare and financial organisations are still very attractive targets for cyber-criminals. These types of businesses hold databases full of sensitive and valuable information. So this threat isn’t going away any time soon.
2019 felt like it was set to be a good year with more companies really starting to invest in security. But it still seems like a small inflection, and not the tipping point. When we look back, almost every company that had a major breach in the past year has fully recovered in stock value.
I want to see more exec heads roll, more fines, and maybe criminal charges in 2020. Negligence with my data should be considered criminal negligence. This will place more pressure on organisations to up their security measures.
Personally, I think 2020 will be the year that we see these fines really pay out. This gives businesses no choice but to up their game.
2020 banking security: ransomware a major challenge
One of the major challenges we have seen in the industry this year is ransomware. It is still devastating banks, hospitals and governments because they have always been behind in investing in security and IT.
Moreover, they haven’t invested in sufficient backups either. If you don’t have a backup and recovery process documented AND tested, do that.
There is definitely a trend towards financial organisations demonstrating that they invest in security. After all, we trust banks with our most valuable data. So, as the public, we want to know our security is being taken seriously.
And there has been more of a move towards public disclosures. It proves you can do security, and it builds trust.
While we need to ensure there are consequences for negligence with data, we don’t want to see cover-ups. We should not punish people who are investing in security and are then honest if a breach occurs. Instead we should celebrate disclosure.
Understandably this can be tricky for financial organisations. However, there are lessons we can all share and learn from. What is important is that as an industry we aim to be secure and are honest.
We are starting to see a line in the sand, drawn by organisations. They want to stand up and say, “we care about security and we care about transparency”. This is something we have seen more of in the past year. And there are some leading financial organisations that are taking these steps and investing in vulnerability disclosure programmes.
Some may see this as a “half measure”. There are many hackers in the community that want to see every organisation have a bug bounty. That’s a dream for the future.
What’s important now is ensuring a safe place for people to disclose security issues. Additionally, by disclosing an issue, a company can have a positive impact. It shows it is a trusted leader in the space. A place that greets security feedback with open arms.
And most importantly, cares about its user/customer data.
Banking security 2020: constant innovation is key
Assaf Feldman, Riskified CTO
High consumer expectations and merchants’ desires to meet them will continue to drive innovation. And fraudsters will continue to take advantage. Fraudsters follow shopping patterns and exploit weaknesses that merchants may not have initially recognised.
Mobile apps and omnichannel fulfilment started off safe before fraudsters recognised the opportunities and pounced. This sometimes makes merchants pull back, costing them an advantage.
But that’s the pace of change in eCommerce. Merchants need to continue innovating to stay ahead of the competition. To do so safely means embracing an approach to fraud that does the same.
The EU’s PSD2 regulation is likely to help reduce fraud rates among card-not-present (CNP) transactions. But it will come at a cost. Added friction will lead to consumer frustration and cart abandonment. This will in turn lower merchant revenue. Merchants will need to make maximising approvals and providing the best customer experience a priority in order to minimise their losses.
Beyond that, fraud is not going away. Fraudsters view it as a business, and they’re resourceful and adaptive. With PSD2 closing some doors, fraudsters will look to open windows. And merchants should look out for other potential vulnerabilities. It’s likely fraudsters already are.
We saw a major increase in the number of account takeover (ATO) attacks in 2019. I see no signs of this slowing in 2020. Merchants encourage customers to create accounts to drive loyalty and repeat business while improving the shopping experience. But fraudsters also see their potential. Fraudsters will be looking to take advantage of weak links such as stored payment methods, positive histories and more.
This can be costly for merchants, but it’s not only the result of the fraudulent orders. ATO is also a brand reputation problem, as shoppers blame the merchant for allowing their accounts to be taken over. Any merchant offering customers a means of creating a loyalty account or accumulating rewards should think carefully about how they’ll protect those accounts.
Finally, merchants are starting to realise that their losses aren’t only from fraud. Policy abuse is also putting a significant dent in their bottom lines. Merchants often set policies to govern the use of special offers or promotions, such as ‘one item per shopper’ or ‘20% off for new customers.’
Even the now-expected free shipping and returns tend to have limits stated within a merchant’s terms and conditions.
Policy abuse is when shoppers take steps to get around those limits. They create multiple accounts using multiple names and email addresses to turn ‘one item per shopper’ into ‘10.’
These abuses cost merchants, and they often take an aggressive approach to solving them, by changing policies or banning customers.
But they can be better addressed with a smart application of technology.
An AI solution can recognise the person behind the checkout attempts even across multiple logins, devices and details.
By recognising that ‘John Doe,’ ‘J. Doe’ and ‘Jane Dozier’ are all the same person, merchants can enforce their policies as intended, giving good customers the great experience they expect and limiting the impact of abusers.
Merchants will start making a concerted effort to do just that in 2020.
2020 banking security: three predictions from FICO
Frank Holzenthal, senior director of consulting, compliance
Behind the headlines on financial crime compliance are big challenges. Criminals are getting more and more sophisticated. Rapid payments, instant payments, PSD2 have been vehicles to further misuse the financial system for laundering money. This harms banks, their customers and the economy worldwide.
On the other side, there is a lot of pressure on banks to stop the constantly increasing costs of being compliant.
Many institutions expanded the size of their compliance headcount by over 500% in the past few years. North American financial services firms nowadays spend more than $31.5bn a year on ensuring AML compliance.
Financial crime compliance has become a real cost burden for most banks in times of shrinking profits. Hence, the focus shifts for many institutions on operationalising compliance to become more efficient and effective at the same time.
Here’s what I see for next year.
Prediction 1 – More AI
I see a trend and a mind shift of regulators which will help financial institutions. Regulators are more open to new methods like the use of AI (artificial intelligence), machine learning and robotics. In fact, they are actively encouraging banks to consider, evaluate and, where appropriate, implement these innovative technologies.
I have asked many regulators if they would allow financial institutions to fulfil regulatory requirements with the use of AI. The answer has been: that would match the expectations. As long as the AI provides a proper explanation as to WHY an alert was generated.
That leads us into the topic of explainable AI. Reason codes that business managers can understand help investigators and satisfy regulators.
This trend does not mean we throw away the existing risk-based approach. That is based on a good compliance knowledge in defining “detection scenarios” (e.g., based on FATF2012) with rules. What I see is a co-existence. A hybrid of the existing scenarios and the AI mechanisms. This will help:
- Prioritising the scenario-based alerts, and
- Quickly and automatically adopting new money laundering schemes.
Prediction 2 – More Robots
Robotic process automation allows banks to streamline and automate the process of investigation and alert handling in KYC and AML. Nothing can be more boring and expensive than hiring armies of investigators to simply close false positive alerts, which typically range between 75-90%.
Repeatable manual tasks are typically
- Prone to error
- Based on clearly defined rules and criteria
That is what a machine — a robot — can do much better. Clearly defined alert rules and case rules (which are specific to the situation of the financial institution, the products, the customers, etc.) will take away certain repeatable manual tasks from a user.
Investigators can thus focus their activity on the remaining more complex tasks. Robotics should be integrated into an enterprise-wide alert and case management. I foresee that the next version of anti-financial crime solutions will provide a large variety of capabilities in this area.
Analytics-driven alert prioritisation and RPA helps lower costs in the short term. But the combination of both can also lead to enormous effectiveness and efficiency gains.
Our experiences have shown that these technologies can increase the number of SARs by 20% while at the same time producing efficiency gains of 30% in alert and case management.
Prediction 3: Fraud and Financial Crime Management Convergence
Another way financial institutions will look to lower costs and improve results in 2020 is through the convergence of AML and fraud detection. The systems used today for these functions are similar and fulfil many common requirements, such as detecting unusual behaviour. But banks still operate them in a siloed manner. In their recent survey Ovum found that more than 80% of financial institutions want to achieve the goal of breaking down the siloes from an organisational point of view within the next 8 years.
Using a fully scalable IT environment fulfilling both the requirements for detecting fraud and AML at a time not only provides an economy of scale. It also allows institutions to take a “cross border” view to detecting illicit activities.
2020 banking security: cyber the most critical priority
Evgenia Ostrovskaya, Business Development Director, Genetec
2019 has seen the continuation of a very pronounced transition within the banking sector. The traditional bank is changing from a bureaucratic machine to one focused on three main functions: being a trusted advisor, a problem solver and a digital ambassador. A reason for this change is a reaction to the increasing centrality of digital services. Not to mention the popularity of challenger banks. Their exceptional digital platforms have created high expectations of more customer-centric offerings.
Therefore, this modern climate dictates that institutions become more agile. They can do this by cutting down on costly assets where possible and the remainder being audited for optimisation.
As a result, outsourcing has become a vital practice. For instance, this year I’ve noticed banks have had a tendency to opt for subscription models and the cloud. This has replaced buying on-premises hardware.
Furthermore, 2019 has seen an industry-wide push towards investigating and testing the cloud as a viable alternative to on-premise. But I think 2020 will see this approach become an industry best practice.
5G: a potential game changer
The imminent arrival of 5G will increase speeds, bandwidths and open up new possibilities on the digital front. I believe this could be a game-changer.
Another key trend within the industry has been to optimise operations where possible. Just like the retail sector, demand for the physical store has lessened. As a result there has been an increased need to optimise to reduce running costs. Resultantly, banks have been optimising through the unification of their systems. These include security, IT and operations, as integrated platforms cut down on maintenance and training costs.
We’ll likely also see the bank branch shrink, not only in the building size, but staff numbers as well. In addition there will be a reduction in opening hours too. Additionally, there’s a new trend of measuring corporate building utilisation to minimise wasted space. So a lot of staff travel and work from home.
Unified systems are also a great vehicle for this optimisation as companies have all their data consolidated into a single platform. This allows staff to more easily identify trends within a branch.
And make changes to improve the customer experience. Examples include branch layout to deal with queues, or the number of ATMs or staff that are available at any given time.
Internal personnel shifts
Therefore, I think 2020 will likely see an internal personnel shift within banking. These new data-driven insights will require new staff to carry out these changes.
However, the most critical priority for the banking sector in 2019, and no doubt moving into 2020, has been cybersecurity. The last few years have seen highly publicised incidents of large companies being unable to protect their assets. This is often followed by heavy criticism from the public. And unsurprisingly cyber is always front of mind for banking decision-makers.
Banking security 2020: integration is key
James Somerville-Smith, Global Customer Marketing Leader – End-User Programmes, Honeywell Commercial Security
As we enter a new decade, the direction of B2B banking in 2020 and beyond will be towards better integration.
The commercial finance industry has been slower than some to embrace technological developments. But the growing threat of cybercrime is pushing companies to be more conscious of the risks than ever before. In addition, the physical and non-physical sides of security are increasingly becoming one and the same.
Ageing technology is leaving a vulnerability in security systems, while criminal techniques are becoming more advanced. A report by Cisco cybersecurity found that a massive 92% of devices analysed had known vulnerabilities in their software. In parallel, there are signs that security specialists are making up a smaller percentage of IT staff.
Security management technology allows businesses to keep an eye on all touchpoints from one screen, on-site or remotely. And it is gaining in popularity.
Combining inputs from physical security devices supported by cloud integration, such as CCTV and intruder alarms, with intelligent access control systems which limit access to sensitive areas of both the building and IT systems, allows a clearer picture. And a quicker response in the case of an incident.
Seamless and responsive security
With the example of access control systems, the technology used here will continue to develop apace. Biometrics – including fingerprint and iris recognition – near-field communications, encrypted communications within systems, wireless access and smart card technologies which bring all systems into one device, are growing in popularity.
Iris recognition and retinal scan technologies are particularly promising. This uses DNA to ensure access is granted to the right person. But in the shorter term more budget friendly solutions, such as fingerprint recognition, will continue to be favoured. Fibre and improved IP networks are key to creating a seamless and responsive security system between these devices.
The future of banking security is safer, integrated, more convenient and efficient. Many companies are nervous of the investment needed to benefit from new and advanced technology. But there are options at all price points. And systems can be built over time or even retrofitted. This avoids the need for rip-and-replace and potentially costly downtime.
2020 banking security: a huge year for biometric adoption
Stan Swearingen, CEO of IDEX Biometrics
I see the potential for a lot of growth in the biometric payment card and access control markets for 2020. And I expect to see positive developments in manufacturing and certification of biometric payment cards. This is thanks to increasing consumer demands for secure payments. It’s my strong belief that both the biometric payment card and access control markets will fully materialise in the coming year. Therefore, my predictions for the biometric industry in 2020 are:
APAC will lead the way in biometric adoption
Biometric payment technology will become increasingly necessary to combat payment fraud in 2020. It looks like Asia will be leading the way in this field, in terms of adoption, production and implementation. 2020 will be pivotal as we start to see certification for the biometric payment card take off across Asia.
IDEX is also excited to see growing interest from Australasia. I expect to be introducing biometric smart cards there in 2020 with Quest Payment Systems, Australia’s largest payment technology supplier.
European regulation will drive innovation
Delays to the Strong Customer Authentication (SCA) ruling will prove a key driver for biometric adoption in 2020. Biometric payment cards to authenticate online payments will offer an important way to balance security measures meeting the SCA regulation. And at the same time they also deliver ease-of-use for the consumer.
Contactless payment limits will disappear
Thanks to advancements in biometric fingerprint authentication technology, payment security no longer comes at the cost of convenience. Next year, increased fingerprint biometric authorisation will secure payment cards. This removes the need for PINs and reduces the need for the £30 payment limit. Simultaneously, it makes the transaction process faster.
Young consumers will demand biometric adoption
Regulation aside, it will ultimately be people power that propels biometric payment technology to mass adoption. We already know that Generation Z will make up 40% of all consumers by 2020. So it’s important to acknowledge that they expect to be using new, secure biometric technology for increased payment security and convenience. Our latest research found 62% of Generation Z think all banks should offer biometric payment cards to help reduce fraud.
In response to this demand, banks will have to introduce fingerprint biometric payment cards to keep young customers. And protect users from fraud and build trust with the consumers of tomorrow.
Financial inclusion will come to the fore
1.7 billion adults remain unbanked today. 2020 is the year this will have to change. Payment methods must be accessible and come at an affordable cost for all consumers. In the coming year, fingerprint authentication cards will eradicate a number of obstacles that stand in the way of financial inclusion.
Consumers can be linked directly to their card by their fingerprint alone. This supports those without official identification. Meantime, home enrolment devices also save individuals from having to leave the house to register. This will allow consumers to hold on to financial independence for longer, no matter their physical or financial restraints.
Card-not-present fraud will be tackled head-on
The next crucial step for IDEX Biometrics and the wider industry will be to tackle card-not-present (CNP) fraud effectively. Biometric payment cards have the potential to strengthen online payment security and SCA compliance for e-commerce retailers. The addition of a digital dynamic Card Verification Value (CVV) number on the card, for example, will present a new one-time code whenever the card owner’s fingerprint is presented on the card. As a result it makes online payment fraud a thing of the past.
Coping with cloud misconfiguration
Caroline Paddle, director, Skybox Security
Cloud as a platform is being brought in to deal with the increase in big data, build out banking platforms, and improve operational efficiency. But the race to deploy new cloud services is leading to security being side-lined. And more new risks being introduced through misconfigurations of access points.
Third parties will go under the microscope
Paul Williams, senior technical advisor, operational risk and resilience at the Bank of England (BoE) recently said that monitoring third parties’ cybersecurity is a growing concern for banks. If banks don’t have full control over all ingress and egress points, they could be leaving their critical infrastructure worryingly exposed.
Dealing with the tech debt
There is an incredible amount of legacy technology still being used by financial organisations. The ATM industry is particularly at risk because a majority of their operating systems rely on Windows 7, whose support by Microsoft is ending in January 2020.
More generally, banks, on top of their old systems, are looking to deploy new controls – so how can they protect this growing web of aging technology?
Resurgence of ransomware
We came into 2019 fearing the rise of Cryptominers. As the value of cryptocurrency has declined, so has the use of this once-dominant malware.
What about people and processes?
Financial companies struggle to retain talent in their cybersecurity teams. This is compounded by the ongoing cybersecurity skills crisis. Over 2020, FIs will have to find new ways to use their existing resource more effectively.
Mobile becomes the standard platform for financial interactions
Mark Crichton, Senior Director of Security Product Management, OneSpan
Because of this, the corresponding increase in the attack surface that fraudsters will have access to gets worse. Whether mobile is already part of your offering, or you will be launching a new mobile app – security needs to be baked in from the beginning, not bolted on at the end.
Many fraudsters look for loopholes in the process of registering, activating or using a mobile device in relation to an online account or transaction. App development, whether in-house or outsourced, needs to consider the best security mechanisms to protect the app and, importantly, the brand.
Process flows also need to be streamlined. The ability to make intelligent decisions about applying the right level of security at the precise time is going to be largely driven by machine learning.
Financial institutions need help embracing AI to its full potential
Financial institutions are still holding back from providing enough data to use AI in its most complete form in the effort to prevent fraud. Currently a lot of banks have siloed data pools which can’t be pulled. However, over the next year, it will be rare to see banks not using AI in an efficient way.
When complex fraud detection models are able to be read and understood by people, then we firmly believe the power of AI will shine through across the banking industry.
Hackers will exploit open banking
Frederik Mennes, Director of Product Security, Security Competence Centre, OneSpan
2020 will see the introduction and adoption of open banking applications that are used by consumers and enterprises, stimulated by PSD2 in Europe and similar legislations in other regions (e.g. Australia, Singapore, Hong Kong).
Open banking will give rise to new security threats and vulnerabilities, such as data breaches at third-party providers using open banking interfaces, as these companies might lack investment in security. Next to it, we may see that vulnerabilities in the IT infrastructure of third-party providers may lead to fraudulent payments.
Brexit will pave the way for smaller FIs to succeed
Steven Murdoch, Innovation Security Architect, OneSpan
In the short term, we will not see significant divergence between the UK and the EU, in part because UK banks will want access to EU customers. However, the UK will lose its voice within the EU structures, where it has been consistently calling for reduced regulation and support for the interests of large banks based in the UK. The changes will be subtle and take time to have effect but gradually we expect a shift toward increased consumer protection and greater consideration of the interests of smaller financial institutions.
Advanced liveness detection will be a critical part of cybersecurity
Conor Hickey, Head of Solution Architecture, OneSpan
The adoption of facial recognition and facial comparison has been hampered until now because it has been easily spoofed using video. Technology in the form of advanced liveness detection has now closed this gap in security. Combining both static and dynamic liveness detection is something that we could also see more of. In more general terms, technologies such as facial recognition and its use of artificial intelligence will come under more scrutiny.