The fundamental basis of banking and financial services is trust; trust that our money and personal data are safe and that we won’t wake up some morning to find that a criminal has walked away with the lot. In an era when data is increasingly being shared between banks and third parties and money is being transmitted around the world in nanoseconds at the click of a mouse, the challenge of maintaining this trust is becoming ever more difficult, particularly when the cybercriminals appear to be getting smarter and more inventive with each passing day.
“There is a natural tension between the desire for open, transparent, shared information on the one hand and very valid concerns about privacy on the other”, says Jamie Woodhouse, managing director of finance and risk at Accenture. “Regulations like GDPR [EU General Data Protection Regulation] are based on the guiding principle that the individual owns their data and the banks and other organisations are just stewards of it. We have to make sure that customers’ privacy is guarded.”
The GDPR comes into force in 2017 and will impose fines of up to €20 million or 4 per cent of global turnover on organisations that have been subject to data breaches and fail to respond adequately.
Privacy at the centre
Anna Scally, tax partner and fintech lead with KPMG, says GDPR is the most significant change to EU privacy law for more than 20 years. “The key issue is how fintechs will handle the new requirements, especially those who might be operating with manual processes or legacy systems in client companies.”
She says the fintech industry is busy getting ready for GDPR across many areas and they know that organisations can no longer afford to treat privacy as an afterthought. “Cybersecurity and the battle against online attacks has dominated the [chief information officer]’s agenda for some time, but cybersecurity is not the same as privacy. GDPR represents a fundamental shift towards the view that privacy must be at the centre of an organisation’s strategy when dealing with customers’ data.
“GDPR is the most comprehensive attempt to define a clear regulatory framework for privacy rules. Governments worldwide are intensifying their focus on the issue and are introducing new legislation to offer even greater protection to consumers – and more severe penalties for those who commit privacy violations,” Scally adds. “Transparency should be the guiding principle. Fintechs need to ensure they fully understand what they want to do with customer data, and where and how they are storing it, and then explain it to customers in a clear and simple way.”
Mobile challenge
Karl McDermott, head of ICT at Three Ireland, believes the big challenge for the fintech sector is that customers are becoming increasingly more mobile. “That means they have to make mobile services available and that makes them attractive targets for cybercriminals,” he says. “They also have to deal with legacy systems and have been quite slow to move off them. Now they have to move very quickly to provide new services to customers and deal with new regulations like GDPR at the same time. It’s definitely a big challenge for the financial sector.”
The question is what they can do about cyberthreats without shutting up shop. “It’s about technology, people and process,” he says. “The technology has to be in place and that includes all the layers from firewalls, through anti-virus and anti-malware to monitoring and reporting systems. Regular software and systems updates have also been shown to reduce vulnerability. People is the next part. A huge number of attacks come from within. People can knowingly or unknowingly become compromised and organisations need to address this through training and other measures. The final piece is around process. What do you do when you have been attacked? How do you respond? How do you react? What do your people do? What gets switched off?”
Too connected?
Andreas Hoepner, professor of operational risk, banking and finance at UCD, says expertise at the top is critically important. “It is important that the chief technology officer is an expert in the area and not just a manager,” he says. “If you want to be safe, there are two ways to do it. One is to shut up shop completely. But that will be difficult in the world of IoT [the Internet of Things]. When you have heating systems connected to the internet you could get WannaFreeze malware demanding a ransom to switch your heating back on. You have to ask if you really need to connect certain things.”
Expertise is the other option. “The second way is to have a really expert CTO who understands what’s happening in systems. For example, neural networks can do wonderful things but no one really knows what happens in all the layers. People don’t worry as long as the system gets it right. But how do you know when it gets it wrong? That’s why you need an expert CTO who understands these things.”