Banking on IT Security

 Author: Phil Allen, VP EMEA, Ping Identity

In January, Santander, one of the big five high street banks, announced that it would be closing 140 branches in the UK. The reasoning was lack of demand, and the move supports data from the Office for National Statistics (ONS) which shows that nearly 6,000 local branches have shut since 2010, a fall of around a third. The decline in high street banking is moving in lockstep with a wider switch to ecommerce and away from in-store retail that has led to lower footfall in town centres. However, the death of the high street bank heralds a wider trend across financial services, which is embracing internet-based alternatives within an increasingly cashless society.

The UK is not alone in this shift. In Germany, Deutsche Bank, the country’s largest bank, has been working through a two-year project to close down or merge 188 of its 723 branches. In France, long a bastion of high street retail banking, Société Générale announced plans to close 20 per cent of branches by 2020.

Yet the decline of the high street bank is not a signal that demand for financial services is waning. The data suggests otherwise as highlighted by a 2017 survey by The Telegraph, a UK national newspaper, which found that 97% of the UK population has at least one financial product such as a current account or savings account – a rise from around 91% in 2001 according to data from CSR Europe, a monitor of Corporate Social Responsibility. In fact, the number and variety of financial institutions has flourished in the UK as new entrants such as retailers have entered the market over the last decade alongside the growth of easier mechanisms for switching products that have been mandated in law.

Yet the biggest shake-up has been around internet and mobile banking. According to the Office for National Statistics, 10 years ago around 1 in 3 people used online banking; by the end of 2018 this had risen to 7 out of 10 and is still growing. The Telegraph survey also highlights that 50% of new products and services are applied for online (38%) or on mobile (12%).

The enabler for this trend has been three-fold. Firstly, the ubiquity of broadband connectivity has made online banking easier for consumers and therefore banks have invested heavily in internet- and mobile-ready platforms. The familiarisation with technology, and especially smartphone apps, has also helped to streamline the process. The last major element has been improved security, leading to more consumer confidence and trust.

Although several consumer sentiment surveys during the 2000s registered fear over cyber criminals breaching internet banking platforms, the reality has seen few breaches of online banking systems. The overwhelming majority of the £300 million of annual fraud experienced by UK consumers is through stolen card details or phishing emails and calls that trick customers into giving personal details to fraudsters.

The main mechanism now adopted by all the major banks to secure access to online banking is based around multi-factor authentication systems that require two or more independent credentials before gaining access: what the user knows (password), what the user has (such as a smartphone or separate card reader) and what the user is (biometric verification). This reduces the risk of unauthorised people gaining access to online bank accounts and carrying out illicit transactions.

However, the growth of online banking is likely to accelerate even further over the next few years as banks and others including retailers start to transition towards open banking as prompted by the EU-led second Payment Services Directive (PSD2). PSD2 is aimed at providing more consumer choice around how they share their financial information with the aim of instigating more competition in the market. Although PSD2 has come into law, implementation is way behind schedule across the EU27 – with the UK slightly ahead of the game but still not yet widely implemented.

Yet with more choice and freedom, there is still the issue of encouraging consumers to exercise their rights and making the process easier. From a security standpoint, the industry needs to ramp up education to help consumers adopt safer practices to reduce fraud through fake phone calls and spoofed emails. Technical controls also need to be more widely agreed upon. Although PSD2 has several security requirements, there needs to be more common agreement around how all online services are secured to create a cultural mindset that sets a minimum security level which applies to every online account or consumer interaction. Once these criteria are established, they will allow more services to be moved online, and we are already seeing some of these innovations filtering through to the market through new paperless mortgage applications and mobile-based account aggregation services.

The financial services sector is starting this process and industry groups such as Open Banking UK, which includes nine major banks in the UK, offer a template for the rest of Europe to emulate. But as non-banks start to become more ingrained in core financial services, the notion that security must be baked into every service from design to delivery will ensure that the closure of high street retail outlets is not a negative outcome but the herald of a better long-term future for consumers and the financial services industry.