Author: Clari5

Fintech has brought unprecedented disruption in the financial services ecosystem. While traditionally, fintech was used for back office functions by leveraging software to help banks manage customer databases, execute transactions and handle accounts, today it has DIY modes where customers rely less on a brick and mortar bank for their banking needs, and instead have a multitude of digital channels at their disposal. With 24/7 device-agnostic access, virtually every transaction is now digitally possible.

Digitization has fundamentally transformed banking as we know it today. Mobile payment revenue worldwide in 2015 was $ 450 billion and is expected to cross $1 trillion in 2019. Smartphones with intuitive apps have given customers the advantage of real-time transactions. Close to 40% of the world’s population will own a smartphone by 2021, up from a third of the global population in 2017.

Payment apps integrated with bank accounts allow seamless mobile to mobile payments, online payments, investments and transfers. Reports indicate that 39% of shoppers today prefer electronic payments. Meanwhile, growth in Real-time Retail Payment Systems has been encouraging, with 18 countries now having a ‘live’ RT-RPS systems in place.

The Power Of Digital: Some Key Fintech Trends

• Omnichannel banking challenging branch banking: With omnichannel banking enabling customers to use social, online, mobile channels there has been a steep decline in customers visiting the friendly neighborhood branch. In the EU, 9100 bank branches closed down in 2016, owing to widespread adoption of electronic payments and mobile banking.
• Automation with Machine Learning and Artificial Intelligence: For most banks, this means technology and people working in tandem. Banks like UBS Group AG and Goldman Sachs have already put an AI/ML based solution in place. They have not only replaced tiresome back office work with efficient machines but also used the intelligence gathered from the process to fine tune financial services. For example – The system allows their wealth management customers to find answers to financial questions asked in plain English, as well as create individual client profiles matching them to relevant wealth management products.
• Biometrics for instant authentication: With incredibly faster authentication, biometrics does away with the frustration that comes with multiple passwords besides providing advanced validation techniques. Several banks have begun investing in biometrics-based authentication that use the smartphone cameras to scan the iris and the phone’s inbuilt fingerprint scanners. They are also considering solutions like vocal patterns and facial recognition to add an extra layer of authentication. According to an HSBC survey, 46% of the 12000 people surveyed across 11 countries trusted biometrics, with UK at the forefront of adopting the technology.
• Growth of blockchain: Blockchain provides transparency, minimizes risk, human errors and transactional fees. The distributed ledger system of blockchain leverages stringent controls enabling smart contracts and auditable data. Trust being core to it, blockchain provides the perfect trading platform for securities exchanges. An Accenture Survey reports that 90% of European and North American banks are exploring possibilities in creating new services and improving existing services; to make blockchain ubiquitous.

The Fintech Explosion: How Banks Are Responding

• Open innovation: For large financial institutions, open innovation means engaging with knowledge capital and assets, opening the organizations’ IP, cultural transformation to digital and tapping new areas for growth. For example – Barclays Bank is creating a global community for fintech innovation and has initiated an accelerator program aimed at fintech startups. ANZ Bank has appointed a global panel of tech experts to advise its Board on the strategic application of new and emerging technologies and technological trends that could affect the bank’s strategy.
• Collaboration: Traditionally, financial services institutions partnered only within the industry for innovation and process improvements. This will go a step further in the future, to build ties with those in different industries and with different outlooks, and to identify new ways to generate value.

E.g. – the Minimum Viable Product concept (MVP is the most trimmed down version of a product that can still be released) allows fintechs to quickly test-market-test prototypes. Risks can be mitigated at the design phase by the partnering bank that provides a wealth of consumer insights. But fintech firms need to be wary of product functionality, flexibility, scalability and compliance keeping in mind the partnering financial institution’s threshold for errors. This is a tricky balance, but good partnerships are able to manage it well.

• Accelerators: Established financial services firms make venture capital investments in fintech startups to innovate for their business. While fintech companies have the advantage of innovation, financial institutions provide a sandbox for proof of concept and scale. But implementing transformation takes time and by the time a new innovation is implemented, there is a high chance that it may have become obsolete.

Digital Disruption: What next?

Legacy financial institutions looking to become digital-enabled face two main challenges. First, the business models and personal skills that have served the industry well for decades has been disrupted by digital innovation and no longer works in the new banking ecosystem.

Second, attempts to create new, viable models for the digital age will flounder unless people and organizations are willing to disrupt themselves. This paradox has been termed ‘the innovator’s dilemma’ and was first outlined almost 20 years ago by Clayton Christensen.

Because of the existence of current profitable business sectors and personal successes from the past, there is a normal lack of incentive to identify radically new ways to conduct business. This leads to insufficient decisiveness to commit human or financial resources to experiment with new models.

Also, digital disruption has not been without a flip side. Cyber-attacks (malware, ransomware, phishing, etc.) have been growing steadily along with digitization, so conventional authentication mechanisms are no longer enough to thwart fraudulent attempts. Smarter security protocols and extreme real-time, cross-channel fraud management systems are now available to protect institutions and customers.

Success will depend on how banks quickly respond to opportunities for innovation. The strategy should be to stay focused on growth with digital innovation at the core. Even as the digital disruptions continue, the ecosystem will see deeper collaboration between financial institutions and fintech firms.

References:

The Future of Fintech and Banking: Digitally disrupted or reimagined? – Accenture

D is for digital: Innovation, disruption and opportunity in the fintech sector – Alok Mittal

Digital Disruption: How fintech is Forcing Banking to a Tipping Point – Tripp Sheehan

5 ways fintech is disrupting the financial services industry – Dennis Gaba

Preferred payment methods of online shoppers worldwide – Statista

Smartphone user penetration from 2014 to 2021 – Statista

Cybercrime continues to be an unending botheration for banks. While the focus of attempts and attacks until recently, tended to be on the banks’ customers (via card and account detail compromises), of late fraudsters have become more sophisticated and have raised the stakes.

They have shifted their focus and are now directly targeting banks. They have begun deploying increasingly sophisticated methods of circumventing individual controls in the banks’ local environments and have probed deeper into systems to execute well-planned and finely orchestrated attacks.

One area where fraudsters have increased malicious attacks is Correspondent Banking, especially via SWIFT.

SWIFT was developed at a time when the primary focus was on interconnectivity and security was not really a concern. However, with increased adoption of the SWIFT network, security lapses / gaps in the entire value chain, especially the weaker links, have started getting exposed.

Fraudsters have discovered that they can leverage vulnerabilities in SWIFT’s member banks’ processes and procedures, particularly in countries where regulatory and security controls are less robust.

Here are a few instances –

Bangladesh Central Bank

The February 2016 SWIFT heist was a watershed moment for the payments industry. Though not the first case of fraud against a bank’s payment endpoint, it was the sheer scale and sophistication of the attack which shook up the global financial community.

The fraudsters used the following process to decamp with $81 million –

• Compromising the customer’s environment – by introducing malware using techniques such as phishing or email compromise scams.
• Capturing valid operator credentials – typically through access to password files or by putting key-loggers in place to capture password details, and thereby gaining an understanding of the payment environment and associated behaviors.
• Hiding the transaction activity – by removing payment information from local databases, modifying incoming statement information or rendering the local environments inoperable; and thereby delaying the discovery of the attack and increasing the possibility for the funds to be settled.

A similar modus operandi was seen in the incidents at several other banks as well – Vietnam’s Tien Phong Bank, Ecuador’s Banco del Austro and recently in an Indian private bank.

Indian Private Sector Bank

In this case the modus operandi for the SWIFT attack was on these lines –

• The fraudsters got hold of the operators’ credentials and also quite possibly of the bank’s SWIFT system approvers (probably by planting malware via emails).
• Day 1, 1800 hours approx. – fraudsters initiate the SWIFT instructions from the hacked accounts.
• The transactions were made to 3 different beneficiaries in different geographies – Turkey, China and UAE – to avoid detection. Interestingly, 3 different Correspondent Banks were used for the transactions.
• The fraudsters disabled the printer connected to SWIFT platform, preventing the bank from receiving acknowledgement messages for the fraudulent payment instruction.
• This was a delaying tactic because it ensured that the bank’s staff would not be able to detect the remittances before the next morning.
• Day 2, Morning – the unauthorized remittances are discovered during reconciliation. Approx. $1.8 million is gone.

The root cause

In both cases, even though not all of the money made its way into the fraudsters’ hands, they are still alarming examples of how systems can be duped.

The success of these frauds is an outcome of a combination of factors –

• Exploiting weaknesses in the cyber, fraud, and possibly staff monitoring controls
• Deep, exhaustive and practical knowledge of how banks interact with funds transfer systems
• Sophisticated malware tailored to the target
• Access to detection and response mechanisms, besides funds transfer systems

Banks must counter-attack this combination in a holistic rather than a piece-meal fashion to gain an upper hand over the fraudsters. They must rally efforts on better coordinating their cyber-security, anti-fraud, and staff risk management programs.

SWIFT meanwhile has initiated a Customer Security Program (CSP), wherein it provides elaborative security controls. However, banks should put additional transaction monitoring checks using intelligent fraud detection and prevention systems. This should eliminate fraudulent cases where cyber-security systems have failed in the past.

How a smart enterprise-wide fraud management system helps

A good enterprise fraud management system has the capability to solve most problems in the fund transfer process and prevent big ticket frauds. Some of the highlights of a multi-centric approach of a smart fraud management system are –

• Cross-channel Platform – Banks must remove siloes in their IT ecosystem to allow generating centralized, cross-channel intelligence required to fight multi-faceted frauds. An intelligent, real-time enterprise-wide fraud management system unifies the bank’s CRM, core banking system and remittance processing systems at a single centralized point to generate cross-channel intelligence. It provides a real-time remittance transaction surveillance capability to block suspicious transactions based on centralized fraud intelligence.
• Transaction Monitoring – Real-time remittance transaction monitoring can go a extra mile to reduce instances of cyber fraud. Banks can validate remittance transaction parameters against third-party watch lists, custom high-risk countries and beneficiaries’ lists. Banks can apply transaction velocity or cumulative value-based checks on the outward remittances based on multiple perspectives viz. sender, beneficiary, correspondent bank, user etc. Cross-pollination of remittance instructions’ data with the data from CRM, core banking and other systems provides multi-channel intelligence to counter fraud.
• Limits Monitoring – Banks should implement limits monitoring and control policies at various levels in the fund transfer process (originator, beneficiary, correspondent bank, beneficiary bank, destination country, etc).
• Staff Fraud Management – Operating procedures and processes should limit and protect administrator and system privileges. Banks must implement staff specific remittance transaction checks and controls. It should check for users who abuse or exceed their access. Also, identify anomalies in credentials or access to fund transfer systems (e.g. excessive logins, logins at unusual times) and raise red flags.
• Centralized Case Management System – to enable following up on the red flags raised and to plug loopholes. A Centralized Case Management System clubs together inter-linked suspicious activities for easier and faster investigation.

With cybercriminals continuing to attempt penetrating traditional strongholds, it is imperative that financial institutions take necessary steps to secure their environments. Enterprise-Wide fraud management is one of the approaches that can enable financial institutions to prevent the attacks, as well as increase the likelihood of an attack being detected in time.