Carla Hindley and Rishi Virani examine the advantages of technology and fintech in the global fight against financial crime, investigating the cyber and criminal risks of an increasingly digitised world.
From the adoption of cloud computing systems to the automation of risk management processes, technological advances have greatly impacted the financial world and continue to do so. However, rapid development in IT infrastructure brings the issue of cybersecurity and the subsequent need to develop apparatus to protect such complex systems. This article examines the digitalisation of the financial industry and whether its benefits outweigh the cybersecurity concerns brought about as a result. It also reviews the preventive methods developed by Fintech companies and their suitability to prevent large-scale attacks.
The financial services industry owes its digitalisation to a multitude of factors. Technological advancements in the connectivity of systems, computing power, and mobile technology have allowed easier, and more efficient access to direct delivery channels, enhancing the ability to transfer information between businesses and customers. As of late 2019, Groupe Speciale Mobile Association (GMSA) estimated that there were nearly 1 billion money mobile accounts worldwide. Developments in computing efficiency and data storage have resulted in the generation of a large wealth of data (both private and industrial), particularly through digital technologies such as social media and e-commerce. Continual improvements in AI and machine learning have enabled efficient analysis of this data to identify the needs, structure, and resources of existing and/or potential clients to offer the financial services that best fit them.
This digital innovation has particularly been useful in solving asymmetric information problems. These arise in economic transactions where one party possesses a greater amount of knowledge than the other. With financial markets, this typically involves the borrower having greater information regarding their financial status than the lender, making it difficult for the lender to determine the likelihood of the borrower defaulting. Current solutions involve borrowers pledging all their tangible assets where collateral is used as an indicator of creditworthiness. However, by leveraging and analysing vast troves of consumer data, lenders can better assess repayment performance through other sources of value, such as access to new inventory or an e-commerce platform to sell goods. Such transparency of information has promoted trust between borrowers and lenders, enabling them to work with a wider range of counterparties, and reducing the need for intermediation.
Digital technologies have also been crucial in reducing transaction and set-up costs for customised products, such as retirement plans and derivatives. This has enabled processes such as searching, processing, and exchanging data to be automated rather than relying on specialised and expensive experts such as loans and investment advisors who consider the needs and circumstances of each individual customer.
Despite all its benefits, sophisticated technology has many drawbacks. Consumers, vulnerable to cyberattacks, are subjected to protection, money laundering, regulation of nonbanks, and IT risks. Digital applications negatively affect the banking sector through payment automation (no concrete payment proof), data-processing, and customer interactions. With the proliferation of online services embedding financial products, criminals can easily obtain credentials, online-banking passwords and control online-banking meetings remotely through the rampant use of trojans. Increasing volume, diversity, and complexity deficiencies in cybersecurity risk management frameworks arise with regulations, technicalities, organizations, and capacity management. Moreover, the growing number of interconnections in finance have increased the participation of non-traditional players. These are companies that may be deregulated, not obliged to report suspicious activity, or lack encryption strategies. The resulting uncertainty could diminish confidence in technological businesses, hampering the fintech sector’s development. The following are examples of cyber attacks: In India, cyber-criminals hacked into two card-processing centres that “handled payment processing for prepaid cards for banks in the UAE and Oman”, stealing $45 million from ATMs in 27 countries.Automation is also endangering countries through terrorist financing, proximity to conflict zones and money laundering. SCTI reports suggest the UAE is the second most targeted country for ransomware attacks in the MENA.
The technology sector is dominated by operational risks. Existing digital solutions do not provide appropriate risk-based technical security and new systems are creating legal, procedural and social barriers in identification systems by financially excluding segments of society (elderly, rural, etc.). Operational challenges arise due to data protection laws in the fintech industry. Most countries possess fragmented distributions of laws, blurring what qualifies as personal data and what data breach penalties ensue. This, coupled with the costs of new technologies and the lack of expertise and resources to understand and supervise the same, add another operational risk by destabilising technology-provider and user relationships. Such operational challenges lead to increasing supply-chain risks as many firms integrate the same third parties when optimizing operational efficiency.
With such meteoric developments in the technology sector, existing technologies quickly become out-dated and require additional investment, causing disinclinations to invest in new technologies. Since fintechs are new, they are vulnerable to business durability and financial feasibility, reinforcing reluctance to incorporate new technologies.
Finally, the technology sector faces regulatory challenges due to uneven risk-based frameworks. Many countries do not have full disclosure on outsourcing regulations specially regarding access, audit-rights, outsourcing, contingency plans, exit strategies, data location, processing and security. This causes cross-sector and cross-border regulatory arbitrage.
However, financial firms are continually developing security principles to manage such pertinent risks. A key strategy involves the sharing of threat intelligence on a trusted global platform. Such a platform allows recent information to be disseminated rapidly in wake of new potential threats. This helps firms develop pre-emptive defences against specific attacks by helping them understand the new techniques and procedures used by attackers. It also supports firms in understanding the modus operandi of attacks and potential outcomes of security breaches, such as publication of confidential data or decryption of data upon payments.
Firms are also investing in building strong asset management programmes which seek potential vulnerabilities in security. This involves assessing factors such as the devices an institution is using, the location of the devices and the software used by the firm. Such a tracking system allows potential sources of attack to be patched quickly.
Whilst developing new security measures is crucial, firms are also looking to continually reinforce their existing defences and skillset. This involves focusing on email security, fortifying endpoints, securing networks, and providing staff training to minimise human error to ensure that the technological processes employed by the firm are robust enough. However, firms may also stimulate attacks themselves to build up the ability of cyber defence teams to ‘threat hunt’ based on their understanding of current threat actors targeting the sector and their attack strategies.
For example, in Britain, companies like Hargreaves Lansdown applied the “HooYu and Equifax customer onboarding KYC journey into its technological ecosystem”. This method generates quicker and smoother-running ways for digital verification. In Lithuania, Nexpay is cooperating with Ondata to “prevent fraud and enable smooth digital onboarding”. Many startups are also providing services to battle cybercrime. Socure is using AI and ML procedures with data from email, phone and the internet to corroborate identities. US-based startup, Jumio, uses “biometrics, ML, computer vision, big data” to verify identities and prevent cybercrime. With customers like HSBC and United Airlines, it closed a $150 million funding round recently. Other startups, like WebID Solutions, are increasingly specializing in data breach prevention by providing secure data-processing systems.
The integration of digitalization in fintech offers enormous advantages in the global fight against financial crime through increased connectivity, cost efficiency, reduced information asymmetries, data-driven decisions and user-friendly experiences. However, while sophisticated technology strengthens the defence, it also presents new opportunities to attackers. The cost of fintech innovation can potentially be the loss of privacy and data security, increased fraud and scams through the resurgence of trojans and operational, regulatory and supply chain ineffectiveness. With the number of Fintechs providing cybersecurity solutions on the rise, and newer regulations in place, the fintech industry can effectively prevent cybercrime and promote financial inclusion, and the world can greatly benefit from digitisation and new technology.
Trojan: type of virus helping criminals access data and install illegal systems
Nexpay banking infrastructure offering quick, secure payments with IBAN
Socure, providing a predictive analytics platform
WebID Solutions: won Golden Garage Award