A WHITE PAPER PRODUCED BY FINEXTRA
IN ASSOCIATION WITH HID GLOBAL
NOVEMBER 2019
DIGITAL TRANSFORMATION IN THE DATA ECONOMY TO IMPROVE THREAT DETECTION
01 Introduction
02 The changing digital landscape
03 An enterprise-wide cybersecurity strategy
04 The importance of identity and authentication
05 Adopting the right technology approach
06 Recognising the importance of the data economy
07 About
01 INTRODUCTION
The digital transformation of the banking landscape has changed the way
financial institutions treat their customer data. Add in the introduction of
open banking and the emergence of crypto assets and this change becomes
even more profound.
Customer data has become critically important in this new data-driven
economy, as has banks’ ability to capture and analyse this data in order to
improve both their own performance and their users’ experience.
The creation of a more connected and digital banking market also makes this
data more vulnerable to cyber risk and fraud. With the right technology and
tools, however, the same data can be used to markedly improve banks’ fraud
and threat detection.
This white paper will examine the effect of these digital developments on
banks’ capture, storage and use of customer data. It will also look at the need
for heightened data security in the open banking environment, as well as the
central role that banks can play in managing and protecting their clients’
digital identities. What emerges is a compelling requirement for financial
organisations to connect the dots internally, to both maximise the business
benefit of a heightened data, digital identity and threat detection strategy,
and to merge the strengths of hitherto disjointed departments to aid this
transformation. Cybersecurity and fraud departments, for example, need to be
working together to create a robust and secure operation.
Finally, the paper will argue that with the correct use of new and emerging
technologies, banks can not only ensure compliance with relevant regulations
but also improve their customers’ banking experience and their own standing
in a new digital and data-driven banking environment.
02 THE CHANGING DIGITAL LANDSCAPE
The elevated importance of data has been a defining feature of modern banking
practices as well as all other industries. As more services move online, data has
become a new currency and its importance has only increased as banks ramp
up their digital transformation efforts. The emergence of crypto assets and
currencies and the introduction of open banking have also added to the need
for banks to adopt a data-driven strategy if they are to successfully manage the
radical changes to their operating models.
These digital developments all offer significant opportunities for banks, but also
bring potential changes to their place in the changing market model and risk to
their clients’ data.
The world of crypto assets is still yet to be fully addressed by global regulators.
Many national supervisors, from the US to the UAE to the UK, have laid out
initial frameworks and issued guidance but have also conceded that there are
areas beyond their regulatory remit, such as bitcoin trading.
Furthermore, crypto currency theft and scams have surged in 2019.
Cybercriminals have stolen around $4.26bn (€3.84bn) from crypto currency
users, investors and exchanges over the first half of this year, up from $1.7bn
for the whole of 2018. Insider thefts were the largest offenders, inflicting massive
losses on investors and exchange users.
Meanwhile, open banking initiatives around the globe (see chart) bring an end
to the monopoly that banks have had on their clients’ financial and personal
data, and the way they guard this information. They now have to work with third
parties – from fintechs to challenger banks to lone developers – that may not
have the same security standards.
Data lies at the centre of banks’ performance, as well as that of any partners’
service provision. Crucially, data is also at the heart of digital identity, and digital
identity lies at the heart of any digital transformation strategy. Knowing who you
are dealing with, both on the partnership and customer side of things, could not
be more important in the current market.
There is an enormous opportunity on offer to banks that can make best use of
the valuable data they hold. With the right technology, they can use this data
to actually improve their ability to detect fraud and cyber threats and to better
protect customers’ personal and financial data.
Cyber and fraud teams coming together to develop and tighten strategy is
crucial to this fight. The fact that data breaches are the bedrock of account
opening fraud is something that banks need to tackle by bringing together
intelligence from the different departments in question, maximising the data they
have in each to inform the other’s approach.
[Chart: A summary for open banking timeline across the globe. Source: EBA KPMG Global Banking Fraud Survey]
Regions shown: Singapore, Europe, Canada, Australia, USA, New Zealand, Hong Kong.
Dates shown: Jan 2016, Nov 2016, Jan 2018, Jul 2018, Jan 2019, Feb 2019, Jul 2019, Nov 2019, Dec 2020.
Events shown:
Open banking API playbook introduced by Monetary Authority, encouraging adoption of open banking.
European second Payment Services Directive (PSD2) introduced.
Open banking APIs made available.
Consultation paper released.
Australian government deadline for the big 4 banks to enact open banking.
Treasury recommendation to US government to affirm Dodd-Frank act applies to open banking API users. Open banking remains discretionary.
Open banking APIs template and standards produced by Reserve bank.
Local banks to deploy open APIs by November 2019.
European Banking Authority extends deadline for SCA implementation from Sep 2019 to Dec 2020.
03 AN ENTERPRISE-WIDE CYBERSECURITY STRATEGY
Banks have good reason to be protective of customers’ data at a time when
cybersecurity concerns are rising. New data acquired by UK accountancy firm
RSM via an information request found that financial services firms reported 819
cyber incidents to the UK’s Financial Conduct Authority in 2018, a staggering
increase of more than 1000% on the 69 incidents reported in 2017.
The figures do not necessarily reflect a thousand-fold increase in cyberattacks,
which account for just 11% of the reported incidents. Faulty software, change
management and problems with third-party vendors make up the majority of
the incidents. Instead, the increase in cyber incident reporting is most likely due
to the introduction of the General Data Protection Regulation (GDPR), which
requires any cyber incident that jeopardises data to be reported to the regulator.
At the same time, cyberattacks are becoming more frequent and more
sophisticated, especially in a more connected and open banking environment.
Notably, malware is on the rise. According to research from Kaspersky Labs,
malware threats designed to steal banking credentials rose from 19,000 to almost
30,000 in the space of a single quarter (Q4 2018 – Q1 2019), an increase of close
to 40%.
The KPMG Global Banking Fraud Survey 2019 notes that “fraudsters are
creatively finding new ways to steal from banks and their customers” in the
context of a changing global banking landscape where face-to-face banking is
diminishing and digital payments are increasing. “Banks need to be agile to
respond to new threats and embrace new approaches and technologies to predict
and prevent fraud,” says KPMG’s global fraud lead Natalie Faulkner.
For example, the rules-based tools that have traditionally formed the basis
of most firms’ cyber defenses need to be upgraded. They are still of value but
nowhere near as sophisticated as they need to be in the current environment,
where cyber threats are constantly evolving at a faster rate than the methods
used to combat them. There also needs to be much greater use of artificial
intelligence (AI) and machine learning (ML) in antivirus and cybersecurity tools
as the industry moves away from a purely preventative approach to one based
more on constant monitoring. Speed is of the essence here too and is an inherent
trait of AI and ML capability. And again, cross-functionality between the
different security and fraud teams is of paramount importance.
Such a move is critical to ensure that incidents do not turn into breaches, and
in turn into manifestations of fraud. The Global Threat Report 2019 from
cybersecurity firm CrowdStrike shows that the average breakout time (the time
taken for an intruder to move from the initial compromised system to other
places in the network) has more than doubled in the space of a year from one
hour 58 minutes in 2017 to four hours and 37 minutes in 2018. Meanwhile, other
sophisticated malware cyberattacks can lie undetected for weeks or even months
when programmed to be activated long after infiltrating the system.
Another critically important trend in cybercrime is a greater focus on customers.
Hackers and cyber criminals have recognised that end users are the weakest
point in a bank’s network – why bother expending all that energy on breaking
through a bank’s firewalls when you can instead directly target the customers?
According to the KPMG survey, “fraudsters are shifting focus from account
takeovers to scams where customers are exploited as a weak link.” The report
rightly concludes that “more needs to be done by banks to educate and protect
their customers.”
The report also notes that in addition to the changing nature of cyber threats,
internal fraud remains a persistent problem for banks. All of these findings
suggest that banks must adopt a more joined-up approach to cybersecurity with
greater communication and collaboration between business lines. It is no longer
an IT issue but one that involves legal, HR, corporate communications, senior
management, the managers of different business lines and also any new trading
counterparties or fintech partners that banks may seek out in the open banking
environment.
As the data economy develops, there is an opportunity for trusted institutions to
take on the critically important role of managing digital identities and ensuring
authentication. Given that banks will have direct access to so much customer data
and will be trusted to protect it, there is an opportunity to take these expectations
further and establish themselves as the de facto guardians of digital identity.
04 THE IMPORTANCE OF IDENTITY AND AUTHENTICATION
If banks are to successfully capitalise on the need for digital identity
management, they must first solve the challenge that lies at the heart of the data
economy – how to provide adequate security without adversely affecting the
consumer experience. This challenge has been epitomised in the introduction of
open banking and has focused financial services firms on the role of authentication
in the new connected ecosystem, or so-called “data economy,” as well as the wider
subject of digital identity management.
Take the recent introduction of Strong Customer Authentication (SCA), whereby
online transactions will require a two-step authentication process. It was
accompanied by a comprehensive promotional campaign to alert consumers to
the changes. Thankfully, in the weeks since its introduction, no major issues have
been reported.
Data protection rules around the globe have also caused concern for banks and
their partners. As we know, under various open banking and data protection
rules, any entity wishing to provide banking and payment services must prevent
data loss, identity theft and non-compliance with data protection rules. They
must use identity verification and fraud prevention solutions to ensure their own
compliance and also need to ensure that the third-party providers they work
with, who may not be as experienced with data security, can be trusted.
Consequently, banks will be at the center of the authentication process,
ensuring it does not compromise on security and meets consumers’ heightened
expectations of time and convenience for online payments and purchases.
Ideally, authentication must be an adaptive security process where the complexity
of the process is commensurate with the risk of the transaction. Banks will have
to define the parameters involved including malware detection, geolocation,
IP address, device used and behavioral patterns such as unusual time of day,
excessive transactional value or unknown beneficiaries.
Closely connected to authentication is the concept of digital identity. Banks are
increasingly recognising that a thorough and efficient digital identity solution
can achieve more than simply data security and compliance with regulatory
requirements. It could also hold the key to enhancing the customer’s digital
experience and kickstarting banks’ digital transformations.
As the aforementioned KPMG survey report notes, open banking has “an
integrated digital identity at its foundation” and a consolidated and holistic online
profile “will enable a secure and seamless authentication experience.” Not only
do banks want to understand their consumers’ digital identity, they want to
maximise the reuse of any identity-related data – an objective that encapsulates
the data economy.
Banks have the opportunity to capture and harvest data from the beginning
to the end of the client lifecycle – from onboarding to settlement – and to use
that data to make that same lifecycle more personalised and valuable for both
organisation and customer. It is imperative that the onboarding process is greatly
sped up, too. Many are looking to build a platform that can consume and re-use
external and internal data and become, over time, a full-blown identity access
management platform where consumers manage passwords, access rights and
everything else involving their digital identities.
There are challenges that come with this ambition, such as the legacy
infrastructure that banks must grapple with and which holds back their digital
transformation efforts. The challenge is heightened by the perceived threat of the
large agile and digital-first internet or tech companies. For all the question marks
about their use of data, they have simple point-and-click features for purchases
which positively shape the user experience.
In contrast, the banks held together by old legacy systems are looking to retrofit
these identity features rather than placing them at the heart of a holistic approach
to digital transformation.
It is therefore imperative for banks to accelerate their digital plans if they are to
benefit from the data economy. They must look at all of their systems, noting
how they interact with clients and manage their data and processes, which
involves a lot of internal work to change all the different workflows. But there are
technologies and vendors that can assist. Data harvested during identification can
be used for authentication and also to inform and improve services and products.
05 ADOPTING THE RIGHT TECHNOLOGY APPROACH
Just as constant monitoring is becoming the new approach to cybersecurity, a
similar approach is being taken for authentication to develop a solution that can
evaluate the risk of a transaction on various attributes. If the risk is low, then
the authentication can be as simple as a username and password. If the risk is
high, then additional methods will be required. This is risk-based advanced
authentication, which also means understanding the new risks that come with
connected devices.
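The adaptive, risk-based authentication described in section 04 and in the paragraph above can be sketched as a scoring function over the parameters the paper lists. This is an added example, not code from the paper or from HID Global; the weights, thresholds, the 5x-median rule for "excessive" value and all names and sample data are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import median

# Weights and thresholds are illustrative assumptions, not values from the paper.
WEIGHTS = {"malware": 60, "new_device": 25, "new_country": 25, "unknown_network": 10,
           "unusual_hour": 10, "excessive_value": 20, "unknown_beneficiary": 20}
STEP_UP_AT, BLOCK_AT = 30, 80


@dataclass
class Profile:
    """What the bank already knows about a customer (hypothetical fields)."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    networks: list = field(default_factory=list)      # CIDR strings seen before
    active_hours: range = range(7, 23)                # usual local hours
    beneficiaries: set = field(default_factory=set)
    past_amounts: list = field(default_factory=list)


@dataclass
class Transaction:
    device_id: str
    country: str
    ip: str
    hour: int
    amount: float
    beneficiary: str
    malware_detected: bool = False


def risk_signals(p: Profile, t: Transaction) -> list:
    """Return the names of the risk parameters that fire for this transaction."""
    fired = []
    if t.malware_detected:
        fired.append("malware")
    if t.device_id not in p.devices:
        fired.append("new_device")
    if t.country not in p.countries:
        fired.append("new_country")
    if not any(ip_address(t.ip) in ip_network(n) for n in p.networks):
        fired.append("unknown_network")
    if t.hour not in p.active_hours:
        fired.append("unusual_hour")
    # "Excessive" here means more than 5x the customer's median past amount.
    if p.past_amounts and t.amount > 5 * median(p.past_amounts):
        fired.append("excessive_value")
    if t.beneficiary not in p.beneficiaries:
        fired.append("unknown_beneficiary")
    return fired


def decide(p: Profile, t: Transaction) -> tuple:
    """Map the summed risk score to an authentication requirement."""
    fired = risk_signals(p, t)
    score = sum(WEIGHTS[s] for s in fired)
    if score >= BLOCK_AT:
        action = "block"
    elif score >= STEP_UP_AT:
        action = "step_up"        # require an additional authentication method
    else:
        action = "password_only"  # low risk: username and password suffice
    return action, score, fired


# Constructed sample data for illustration.
ALICE = Profile(devices={"phone-1"}, countries={"GB"}, networks=["203.0.113.0/24"],
                beneficiaries={"landlord", "utility"}, past_amounts=[40, 55, 60, 900, 35])
ROUTINE = Transaction("phone-1", "GB", "203.0.113.7", 13, 50.0, "utility")
ODD = Transaction("phone-1", "GB", "203.0.113.7", 3, 2500.0, "new-payee")
HOSTILE = Transaction("laptop-9", "ZZ", "198.51.100.4", 3, 2500.0, "new-payee", True)
```

Returning the fired signals alongside the decision lets fraud and cyber teams see why a step-up or block was triggered, which supports the cross-team intelligence sharing the paper argues for.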
The Internet of Things (IoT) is another technology trend impacting identity
strategies, with more devices armed with internet connectivity and able to be
part of the open banking ecosystem, like digital avatars. The IoT is growing
exponentially and the industry needs to consider this. The IoT is a new source
of data, reinforcing the data revolution and the relevance for banks to move their
authentication and identification solution toward data analytics, AI and ML.
The developing world of distributed ledger technology (DLT) could also fill in
some of the gaps in digital identity with the use of the blockchain. It is still a
work in progress, but the use of blockchain could enable data owners to be in full
control of the use of that data through public and private key systems.
Similarly, behavioural biometrics could help enormously with the use of mobile
devices for banking by examining the way people use and hold their phones.
Along with facial and voice recognition, these metrics could dramatically increase
security without impinging on the consumer experience, especially among a younger
generation that is well used to fingerprint access on their smartphones.
The most important emerging technologies at present are ML and AI. Both
can be used to detect patterns by collecting transaction data and recognising
risk levels to make real-time decisions on whether to allow or block certain
transactions and to define security levels. We will also see a decrease in the use
of static multi-factor authentication, as well as a migration to continuous data
analysis and authentication.
Instead of asking a user to put in a username and password for every activity,
financial institutions should be able to use AI to continually monitor the account.
If users are exhibiting normal behaviour they should not have to provide
additional authentication.
Big technology companies such as Google and Microsoft are already using this
technology to look for changes in user behaviour and to create threat vectors or to
spot compromised accounts, all based on the data generated from their activities
– which will only increase as a result of open banking. Furthermore, such an
approach fits ideally with GDPR and data sovereignty, helping customers to own
their identity and to decide who sees it, who uses it and what data are used.
06 RECOGNISING THE IMPORTANCE OF THE DATA ECONOMY
Open banking and digital transformation both recognise the importance of the
data economy and the opportunities it provides for all market participants –
from established banks to alternative payment providers, and from software
developers to end consumers. Banks’ success will be dependent on balancing
reinforced security with a seamless user experience.
Therefore, digital identity and intelligence-based authentication should be at
the heart of institutions’ open banking plans, digital transformation efforts and
threat detection strategies. By using and analysing the data generated by open
and digital banking, institutions will not only ensure regulatory compliance but
will also help build more innovative and personalised payment and banking
services, signalling a robust approach to security and guaranteeing a better user
experience. Banks can build a more holistic view of the customer based on data
from the beginning through the lifetime of the customer journey. The pillars of
customer experience, the economy of data and the business opportunity can be
brought together to improve the outcome for all concerned.
07 ABOUT
Finextra
This report is published by Finextra Research.
Finextra Research is the world’s leading specialist financial technology
(fintech) news and information source. Finextra offers over 100,000 fintech
news, features and TV content items to visitors to www.finextra.com.
Founded in 1999, Finextra Research covers all aspects of financial technology
innovation and operation involving banks, institutions and vendor
organisations within the wholesale and retail banking, payments and cards
sectors worldwide.
Finextra’s unique global community consists of over 30,000 fintech
professionals working inside banks and financial institutions, specialist
fintech application and service providers, consulting organisations and
mainstream technology providers. The Finextra community actively
participate in posting their opinions and comments on the evolution of
fintech. In addition, they contribute information and data to Finextra surveys
and reports.
For more information:
Visit www.finextra.com, follow @finextra, contact contact@finextra.com
or call +44 (0)20 3100 3670
HID Global
HID Global powers the trusted identities of the world’s people, places and
things. We make it possible for people to transact safely, work productively and
travel freely. Our trusted identity solutions give people convenient access to
physical and digital places and connect things that can be identified, verified
and tracked digitally.
We enable organizations to protect digital identities in a connected world and
accurately assess cyber risk to deliver trusted transactions while empowering
smart decision-making. Our innovative solutions help organizations to
detect fraud and mitigate threats in real time while ensuring only authorized
people can securely access sensitive information without compromising user
experience.
HID’s comprehensive identity lifecycle management offering for digital and
physical security includes digital PKI certificates, mobile and cloud based
solutions. Our extensive portfolio offers secure, convenient access to on-line
services and applications and helps organizations to meet growing regulatory
requirements while going beyond just simple compliance.
Headquartered in Austin, Texas, HID Global has over 3,000 employees
worldwide and operates international offices that support more than 100
countries. HID Global® is an ASSA ABLOY Group brand.
For more information:
Visit www.hidglobal.com