Uncategorized

In the last few years, we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. One of the biggest reported attacks against financial organisations occurred in early 2016 when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.

Landscape

The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyber attacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.

With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.

Risk management lifecycle

The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.

In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.

In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.

Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way, you establish your organisation’s risk appetite.

To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance to transfer risk in the event of a cyber event.

Once the risk has been assessed, an approach for treatment of each risk must now be defined. After assessment, some risks may require no action, to only be continuously monitored, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.

To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.

Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.

Reporting at each stage is a core part of driving decision-making ineffective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.

Managing with risk transfer

Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cybersecurity standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyber attack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third-party vendor risk.

Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.

The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regards to risk and security, where they may not have been able to previously.

Long-term potential

This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of marketplace, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.

By Tom Turner, CEO, BitSight

For many years Jeff Bezos’ online shop has had almost every conceivable item in its range.  Now apparently, Amazon wants to expand and offer some kind of current account or bank to its customers.

The offering will be aimed at young people and other consumers who do not currently have their own account. However, according to a report in the Wall Street Journal, the project is still at an early stage.

If true, does the move really have the potential to change the payment area in much the same way as they have in the literary market? What does the project mean for retailers and the payments industry, and where can the growth of Amazon lead to?

Will Amazon now become a bank?

Amazon does not want to become a financial institution in its own right; instead, the project is likely to be undertaken in partnership with established financial service providers. It is understood that US financial giant JPMorgan is currently in discussions with Amazon.

The reason for this approach is likely to be that if Amazon built its own banking division and applied for a banking license, the company would face much stricter regulations that could slow its aggressive growth in other markets. In any case, it is clear that retailers understand the benefits of having a strong payment service provider at their side who brings the necessary expertise and can quickly and easily integrate new payment methods into existing processes and systems.

Is this E-commerce expansion without limits?In the beginning, Amazon mainly sold books; it then offered CDs and DVDs to its customers.   Today, through Prime, customers are able to stream music, video and much more across smart devices.  Thanks to Alexa, its huge selection of online shops can be accessed by voice command and Amazon even wants to take control of the delivery of its packages.  This announcement hit the stock values of UPS and FedEx.  With Amazon Pay, the company has had its own payment service for a while but gained only moderate traction with other online stores. Here, it seems, the giant had reached its limits.  The company recently opened another lucrative online business with its cloud service, Amazon Web Services. The plan to offer bank accounts is just another link in a long chain of new business ideas. The direction of Amazon’s journey is not yet clear but it is likely that CEO Jeff Bezos is intent on continuing growth. Industry experts assume that in the long term, only one in ten online retailers will remain competitive with this current strategy.

How much influence does Amazon have in daily online commerce?Like Apple and Google, Amazon has been accused of being a “data octopus”. Since the introduction of language command assistants, the accusation is more topical than ever.   There is growing scepticism surrounding the opaqueness of what exactly Alexa stores and what happens to the recordings. Connected to a fully networked smart home, the digital ‘roommate’ could know a lot more and potentially share it: What time people get home? When do they turn off the lights? When do they go to bed? Are they looking into the fridge during the night? Worrying about the potential for very personal information being shared is likely to outweigh the positives of Alexa & co for most consumers.

With the new bank account function, Amazon would also have access to the financial data of its customers. Using this new data it would eventually prove very easy to determine a customer’s individual willingness to pay a certain price for a particular product and then offer it at exactly that price. However, we must bear in mind that nobody is forced to shop at Amazon and invite Alexa into their home. In addition, awareness of data protection is increasing amongst both individuals and Governments. In the future, customers will be increasingly concerned about whether they really want to give their personal data in such a concentrated way to a single provider. Payment service providers form an attractive way out, as they, for example, handle the credit card data on behalf of the merchants, sparing them compliance effort.

Final thoughts In the near future we will still buy our bread from the local bakery and it will not get delivered by an Amazon drone. Nevertheless, one thing is certain: retailers are faced with a harsh reality and online shops may soon cease to exist in their current form. Amazon and a comprehensive portfolio of payment methods will be the challenges for today’s online store owners, but with the right technology and consulting partners on their side, nobody has to worry about the future.  SIX has recognized the potential of Amazon and the dangers that can arise for the retail sector, and we are working on a wide range of solutions that should enable the merchant to keep up with Amazon.  Omni-channel, Conversational Commerce and Internet of Things are all geared to the new customer journey consisting of numerous touchpoints and the changing needs and expectations of consumers.

By Roger Niederer, Head Merchant Services at SIX Payment Services

Does anyone long for a return to more benign economic times? A time when a rise in the base rate simply led to immediate benefits for savers. Well, get prepared for a continued long wait, as last week’s decision from the Bank of England’s (BofE) signals anything but a move to more conventional times.

In fact, this rise, albeit small, has much wider knock-on effects than simply “what does this mean for my mortgage repayments”? Similarly, it obviously increases the costs for anyone trading the capital markets in terms of funding. Even with interest rates at historically low levels, some of the biggest players have been losing double digit millions in unrecovered failed funding costs. And with more hikes down the road, there are further implications of the BofE rate increase for the cost of trading.

As of last Thursday, the cost of the fail funding of trades in Sterling shot up 50%. Therefore, any trader looking to borrow say one million to finance a trade now faces an extra 0.25% per annum in funding costs. One of the main strategies traders use to minimise funding is by buying and selling for the same contractual settlement date. This means paying funds from the proceeds received from a transaction. Take the example of a trader selling Sainsbury’s stock in order to fund a purchase of Tesco shares, both for the same agreed settlement date. The trader expects the cash from Sainsbury’s trade in order to settle the Tesco transaction. There is just one small issue – he hasn’t received the money for his stake in Sainsbury’s. In this, let’s face it not untypical scenario, the only way to pay for the Tesco shares is to borrow the money. The trader in question, now has to take on an additional funding cost to borrow the funds to settle the Tesco trade. If the reason for the fail in the Sainsbury shares was due to the counterparty, it does not seem fair that they are forced to pay this additional cost does it?

Market sentiment

But hey, perhaps it doesn’t cost much? The cost will obviously vary based on the amount of cash open and the length it is outstanding but it could run into USD thousands per trade! And the major trading firms can have thousands of securities, FX, equity and commodity derivatives fails everyday. This may have been hidden because rates have been and are largely still at record lows. But the trend and market sentiment is now unmistakably upwards. However, this is only part of the problem.

There are costs and capital for market participants in the wide range of receivables on their balance sheet. These balances, at least the ones in Sterling, are now half a percent more expensive to fund. So the cost of failing to settle these transactions are now far more than they would have been before the hike. A bank is now at a distinct disadvantage, particularly if they do not have a way to identify, optimise and recover where they are incurring funding and capital costs through no fault of their own. Essentially, by having receivable items open while waiting for money to come in, it will be borrowing cash to cover itself. If a trade fails to settle for say five days, then that is a whole week of extra funding costs that a bank needs to cough up. And not being able to track additional funding costs due to the late settlements is not the only issue. Many banks are still not even identifying the direct cost impact of a trade actually failing. If a bank can’t work out the cost implications of not receiving funds when a trade fails, then how on earth can they identify whether or not they can claim money back from their counterparties?

Trying to work out the many effects of the BofE’s latest monetary policy decision is difficult, but like those with a variable mortgage, trading desks are impacted. Late settlement means higher funding and higher rates means the additional funding costs more. Preparing now to handle the trading cost impact of this small rise and the upwards trend is exactly what’s needed to ensure banks are ahead of the curve whenever the BofE or other countries decide to hike rates again in the future.

By Kerril Burke, CEO of Meritsoft

When adopting new payment methodologies, banks must strike a challenging balance between ease of use and access and the need to put in place stringent levels of security.  With technology evolving at ever-increasing rates, it’s increasingly difficult to keep on top of that challenge.

Banks first need to put in place an expert team with the time, resource and capability to stay ahead of the technological curve. This includes reviewing, and, where relevant, leveraging the security used on other systems and devices that support access into banking systems.  Such a team will, for example, need to look at the latest apps and smartphone devices, where fingerprint authentication is now the norm and rapidly giving way to the latest facial recognition functionality.

Indeed, it is likely that future authentication techniques used on state-of-the-art mobile devices will drive ease-of-use further, again without compromising security, while individual apps are increasingly able to make seamless use of that main device functionality.

This opens up great potential for banks to start working closely with software companies to develop their own capabilities that leverage these types of security checks.  If they focus on a partnership-driven approach, banks will be better able to make active use of biometric and multifactor authentication controls, effectively provided by the leading consumer technology companies that are investing billions in latest, greatest smartphones.

Opportunities for Corporate Cards

This struggle to find a balance between security and convenience is, however, not just about how the banks interact directly with their retail customers. We are witnessing it increasingly impacting the wider banking ecosystem, including across the commercial banking sector. The ability for business users to strike a better balance between convenience and security in the way they use bank-provided corporate cards is a case in point.

We have already seen that consumer payment methods using biometric authentication are becoming increasingly mainstream – and that provides an opportunity for banks.  Extending this functionality into the corporate card arena has the potential to make the commercial payments process more seamless and secure. Mobile wallets, sometimes known as e-wallets, that defer to the individual’s personal attributes to make secure payments on these cards, whether authenticated by phone or by selfie, offer one route forward. There are still challenges ahead before the above becomes a commercial reality though.

First, these wallets currently relate largely to in-person, point of sale payments. For larger, corporate card use cases such as settling invoices in the thousands, the most common medium remains online or over the phone.

Second, there are issues around tethering the card both to the employee’s phone and the employee. The 2016 Gartner Personal Technologies Study, which polled 9,592 respondents in the U.S., the U.K. and Australia revealed that most smartphones used in the workplace were personally owned devices.  Only 23 percent of employees surveyed were given corporate-issued smartphones.

Building bridges

Yet the benefits of e-wallet-based cards in terms of convenience and speed and ease of use, and the potential that they give the businesses offering them to establish competitive edge are such that they have great future potential.

One approach is to build a bridge to the fully e-wallet based card:  a hybrid solution that serves to meet a current market need and effectively paves the way for these kinds of cards to become ubiquitous.  There are grounds for optimism here with innovations continuing to emerge bringing us closer to the elusive convenience/security balance. MasterCard has been trialling a convenient yet secure alternative to the biometric phone option. From 2018, it expects to be able to issue standard-sized credit cards with the thumbprint scanner embedded in the card itself. The card, being thus separated from the user’s personal equipment, can remain in the business domain. There is also the opportunity to scan several fingerprints to the same card so businesses don’t need to issue multiple cards.

Of course, part of value of bringing cards into the wallet environment is ultimately the ability to replace plastic with virtual cards.  The e-wallet is both a natural step away from physical plastic and another example of the delicate balancing act between consumerisation of technology and security impacting banking and the commercial payments sector today. There are clearly challenges ahead both for banks and their commercial customers in striking the right balance but with technology continuing to advance, e-wallets being a case in point, and the financial sector showing a growing focus on these areas, we are getting ever closer to equilibrium.

by Russell Bennett, chief technology officer, Fraedom

They say imitation is the sincerest form of flattery. Challenger banks are doing what their name suggests, and research indicates they are gaining ground. For established lenders, replicating the characteristics of their smaller, more agile competitors, will help them defend their position. Outsourcing is the key, argues Sarah Jackson, Director, Equiniti Credit Services.

The market for lenders is buoyant. Consumer borrowing leapt by 10.3% in the 12 months to May 2017, according to The Bank of England^[1]. There is a tussle going on between established and alternative lenders as both vie to grow their market share. Established lenders are built on decades of customer loyalty and trust. But resting on their laurels is dangerous. Alternative lenders are lean and agile, and produce disruptive offerings that turn heads. For the borrower price is the deciding factor, evidenced in many ways, by the prolific use of comparison sites. This is creating a level playing field and there is all to play for.

The tide is turning

Alternative lenders currently own around a quarter of the borrowing market according to research from ‘Great Expectations: The Demanding Market for Credit’, a report examining consumer credit attitudes published last month by Equiniti Credit Services^[2]. The winds of change, however, are blowing. 47% of the study’s respondents indicated that they would borrow from an unfamiliar lender in future.

Across the board, brand loyalty has given way to price. Customers are now divided into two camps – those who will only borrow from an established lender but are price-conscious and those who shop on price alone, irrespective of the provider.

Low rates rule the roost

Research indicates low interest rates are fundamental in borrower’s loan selection criteria followed by low repayments. This is no surprise, with interest rate rises announced recently, consumers are searching for new ways to make their money work harder.

With price the deciding factor, the use of comparison sites is making it easier than ever for savvy customers to shop around. Research reported that 86% of respondents would use a price comparison site to compare loan rates, with 78% believing that they would get a cheaper loan from online lenders. The established lenders have an opportunity here, and investment in technology will be key to maintaining market share.

The same study indicated that transparency and clarity in a product’s terms and conditions are just as important. Here, the ability to demonstrate responsible lending practices and conduct appropriate affordability checks will strengthen consumer confidence and satisfy the Financial Conduct Authority, at the same time.

What can established lenders do to defend their market position?

The age of uncontested brand loyalty is over. Price should be considered as equally important as service for lenders looking to create differentiation in their offering. For many, agile technology can drive down the cost of operations, enabling them to protect their margins and pass the saving on to the customer through lower-rate products. Outsourcing facilitates this by reducing time-to-revenue for new loan products allowing lenders to refocus internal resources on innovation, product development and market differentiation. Established lenders can replicate the agility of alternative lenders by outsourcing their loan management portfolio, allowing them to compete head on and maintain market share.

The outsourcing market is evolving to meet the needs of established lenders. A new breed of specialist organisations is offering tailored solutions that combine their own proprietary loan management technology, with expert customer service staff and auditable, best-in-class processes. With this model, established lenders can mount their own challenge and take on the new competitors at their own game.

By Sarah Jackson, Director, Equiniti Credit Services

Financial services will become more reliant on customer experience

With the rise of open banking in 2018, there will be an even greater emphasis on Financial Services (FS) organisations to use customer experience as a means of differentiation in an increasingly level playing field. The end consumer will gain even greater control and access to their own data, and third party tools will start to break down the siloes between different banking groups. If Financial Services organisations want customers to continue to consolidate services within their one group, they will have to do more to win their loyalty through outstanding customer experience

Finding the right balance

We should expect them to continue to find the right balance between security, simplicity, convenience and innovation. Many of the above aspects are in direct competition with each other – for example, the quicker and more frictionless (i.e. the more convenient) you make a payment system, the more susceptible it is perceived to be open to fraud and security concerns. As consumers of other products outside the FS world continue to benefit from greater innovation and in a lot of cases simplicity, FS organisations need to follow suit and keep up, while at the same time allaying security fears that inherently come with the industry.

FS organisations will stretch the limits of CX

In my opinion, further blending a personalised experience with an increasingly tech and mobile heavy experience will become crucial for FS organisations. If these companies can find the right balance between the convenience of technology, with the personalisation of the human touch – especially needed on low frequency, high-value purchases –  this is where they will excel.

 From Ross Durston, MD Financial Services, Maru/edr:

 =====================================================

Banks need to overcome the ‘digital’ obstacle:

Thanks to the rise of digital channels, online accounts and investments in banking apps, banks have already successfully transferred many customers online, which has helped to bring an element of personalisation to the banking experience. But in their move to digital, banks face a key obstacle in that they don’t get to see or interact with their customer very often now that the majority of banking is done remotely and online. Their challenge is to map key customer journeys through their business to identify real moments – or “hotspots” – where they cannot fail. Doing this will also help banks to better understand where they have an opportunity to differentiate themselves.

Steve Brockway, Chief Research Officer, Maru/edr:

===========================================================

Security by design

Google’s discovery of a flaw in the architecture of Intel and other chipmakers’ products highlights the urgent need for security vigilance when designing technology. Time and time again, we see how failure to design in security from the beginning, whether into software, hardware, or firmware, puts our data, our health and our privacy at risk.

“GDPR-like ‘security by design’ has not been the default position to date and we must take steps to make it so. It is therefore imperative that organisations make targeted investments in people, process and technology, to ensure we truly are secure.

“Google is an excellent example of this, undertaking independent research is to find flaws in technology whether hardware or software.  In parallel, Sonatype has continuously invested in research to discover vulnerabilities in millions of open source software components, which comprise 80-90% of a modern enterprise application. These investments make it possible to quickly disseminate actionable information to help control and remediate these issues while keeping innovation moving at DevOps-native speed.

Derek Weeks, vice president and DevOps Advocate at Sonatype

======================================================

For those unfamiliar with Bitcoin, here’s a brief primer. Created in 2009 by an unidentified software developer and inventor who goes by the pseudonym of Satoshi Nakamoto, Bitcoin is a form of digital currency that’s created and held electronically. Bitcoins aren’t printed like traditional currency; instead, they’re produced by a network of ‘miners’ who create Bitcoins using a complex algorithm. The network of miners and machines (servers) operate independently of any central authority, government, or middle man. The miners receive Bitcoins as a reward for creating them. As they’re created and purchased, the coins are stored in a digital wallet and can be used for transactions, which are then tracked through Distributed Ledger Technology, also known as the Blockchain.

Why all the hype?

The Future of Digital Currency: The Implication for Investment Banks

Sharing market news online