ATM deployers around the world are changing their ATM procurement strategies as software solutions become more powerful and sophisticated
Banks move away from buying ATM software bundled with hardware
Banks around the world are increasingly looking to separate ATM hardware and software purchasing, according to RBR’s new study ATM Software 2016. For many years, ATM deployers tended to use the application software that was delivered with the hardware, but the increasing complexity of the self-service banking channel – and the opportunities that a more sophisticated software set-up can tap – are leading banks to treat ATM hardware and software as separate entities.
Ability to choose new hardware vendors is driving separate software purchasing
For banks, one of the leading drivers of separate hardware and software purchasing is the ability to choose from a broader range of hardware vendors. This means that they are better able to select models that fit their needs, and benefit from more competitive pricing. In the words of major Brazilian ATM deployer TecBan, a participant in the study, “[separate hardware and software purchasing] gives the deployer flexibility to compare vendors and select those which best fulfil its requirements at any given time.”
Drivers of the separation of ATM hardware and software purchasing
Source: ATM Software 2016 (RBR)
RBR’s research shows that banks increasingly look at the total cost of ownership (TCO) in the ATM software sphere, rather than breaking down cost-benefit analyses into testing, rollout, licensing and other elements. According to Daniel Dawson, Associate at RBR, who led the research, “while banks naturally continue to look carefully at the cost of ATM software solutions, the operational factors in favour of separate software purchasing are now far stronger than the factors against it.”
Assisted self-service drives independent software purchasing
Assisted self-service is set to be one of the major growth areas in retail banking technology in the years ahead. Banks wishing to integrate systems such as video conferencing into their self-service channel are increasingly aware that this requires a sophisticated – and unified – ATM software platform. Assisted self-service is bringing the teller and ATM channels together; and combining with mobile and internet banking to turn the “omnichannel” vision into a reality.
Banks benefit from customising their own software architecture
RBR’s study reveals that multiple factors are now driving banks to conclude that a new approach to ATM software is essential. Rather than relying on the software as provided with hardware, which tends to limit the range of facilities that ATMs can offer, and delay the implementation of a genuine omnichannel platform, they are judging software packages on their own merits. The new approach involves proactively building a software architecture that can meet their current needs and those of their customers – as well as laying the groundwork for the exciting technological innovations that will drive the development of self-service banking in the years ahead.
Cloud in Banking: An Opportunity That Can’t be Ignored
By David Rimmer, Research Associate at Leading Edge Forum
Originally offered as a better way to build IT systems, cloud itself did not transform the business. Fundamentally, Infrastructure-as-a-Service (IaaS), as its name suggests, represented a new service model. IaaS brought a radical change in the commercial model for IT (rent vs. buy) and in the time taken to provision IT (instant self-service vs. the months of a standard procurement cycle), but ultimately the same system was still operating in a datacentre somewhere. ‘Lifting and shifting’ systems to the cloud delivered no discernible value for customers. At best, cloud enabled enterprises to provide value indirectly through the ability to develop capabilities faster, for example by re-engineering and migrating systems to the cloud to harness its flexibility and speed.
This is absolutely not the case now. Cloud today is as much about delivering business capabilities as it is about IT. The hyperscalers are rapidly building out the range and number of services that they offer. For instance, at the end of 2017, AWS offered around 90 services; today the number is 225. The hyperscalers have expanded their portfolio of tools for developers to build cloud-native applications, thereby enabling more rapid development and testing, but the crucial departure from around 2017 onwards has been the addition of value-adding business components. In particular, the hyperscalers are building specialist services targeted at the major technology trends – for example: blockchain, Internet of Things, edge computing, immersive real-time experiences through 5G, streaming and visualisation, machine learning and artificial intelligence, unstructured data extraction and analysis, digital identity management, marketing analytics and automation.
The hyperscalers are also adding industry-focused solutions – for instance in banking: fraud APIs, payment services, financial data services and solutions optimised for specific core banking systems. Yet, for many, this mental transition has not yet been made, with people continuing to think that cloud is all about IaaS, when today it is as much about business components, and, in future, this will be even more so.
Developing your cloud strategy – it’s not just about IT, it’s about shaping the business
You can capitalise on the hyperscalers’ huge investment by intercepting their development path, gaining momentum in the market by exploiting the newest cloud services and avoiding investment in custom-building capabilities that will soon be available as a utility. At a higher level, you will want to understand which components with rich business value will soon be forthcoming so that you can short-cut the traditional product development cycle and afterwards ride a wave of future upgrades and enhancements.
Wardley mapping is a valuable aid in developing a strategy that makes optimal use of external capabilities and focuses a bank’s resources on the areas that will deliver the greatest return. In the Wardley map below, we have picked out just a fraction of the public cloud services now available for the banking industry to illustrate how cloud components can directly transform customer products and services, or provide capabilities for internal customers (developers, data scientists, UX designers, analysts, etc.). The vertical axis of the map reflects the degree to which a capability adds value to end customers: the horizontal axis shows the evolution of technology as it passes through stages from genesis, to custom-built, product and utility.
Capabilities that are new to the market (such as voice banking and blockchain-enabled asset management) feature in the genesis stage of the map. Under the custom-built stage come capabilities that are more mature but still highly unique to an individual enterprise, such as development of models and analytics on unstructured data. In the product column, capabilities are very similar from one bank to another, with a less direct yet still significant scope to impact end-customer services – for example, through faster product iteration.
Assembling cloud services to deliver cloud-native business capabilities in the banking environment
The increasing availability of business components opens up the prospect of cloud-native business capabilities that from the very start are conceived, designed and delivered through the cloud. Cloud-native business capabilities represent a higher level of abstraction than cloud-native applications. As a result, cloud-native business capabilities go that much further in enabling the speed, experimentation and ability to scale that underpin the competitiveness of a 21st Century Bank as it strives to bring new products and services to market in ever shorter cycles. In addition, cloud-native business capabilities change the role of the IT Function from developer-intensive build to more automated assembly of components.
So, what does this look like in practice? The Fundamental Review of the Trading Book (FRTB) is a set of rules, introduced under Basel III, to standardise the treatment of market risk and impose stricter capital requirements. In order to comply with FRTB, the main steps that banks need to take are to develop enhanced risk models; populate the models with bank positions and market data, such as prices and credit ratings; and run the models.
Banks can assemble capabilities from the cloud to meet FRTB in a faster and more effective manner than is possible using traditional solutions:
- Faster model development cycles allow “strats” to tune their models to reduce the amount of capital that the bank needs to hold.
- Common real-time reference data removes the need for the disparate reference data and interfaces to be found in most banks. The result is reduced cost, less complexity and standardisation between different parts of the bank.
- Since FRTB requires an increase in the number of models and their complexity, greater compute capacity is necessary (some experts project a twenty-fold increase). Moreover, because risk models are run only on an occasional basis to provide internal and regulatory reports, the burst capacity of cloud compute is a natural fit for running FRTB models. In contrast, traditional infrastructure would be sized for the peak, with substantial capacity remaining idle for most of the time.
By adopting a cloud delivery model to address FRTB, banks not only minimise their upfront investment and speed implementation, but going forward have greater flexibility, with ability to scale to meet new demands and capitalise on future investment by the cloud providers in model development and data services.
All this potential to exploit cloud for new products and services comes with a colossal proviso. Today’s catalogue of public cloud solutions can make a direct contribution to new products and services, but fundamentally what they offer is a basket of much more sophisticated components. These components still have to be assembled and configured. Business capabilities have to be built: processes redesigned, staff trained in new skills, culture aligned, new KPIs put in place, new organisation structures set up. Of course, for anyone with experience of business transformation this is no surprise.
The changing roles of business and IT leaders
At this point, it is clear that the transformation from build to assembly is of such a wide-ranging and fundamental nature that the active intervention of CEOs, COOs, CFOs and other business leaders is essential. However, the success in driving a cloud business strategy (as opposed to a cloud IT strategy) entails major changes in the roles of business and IT leaders.
CEOs, COOs & Boards
- Cloud business strategy – Once a cloud strategy has the potential to become a business-shaping strategy rather than an IT strategy, responsibility clearly needs to sit at the top of the enterprise. Here, vision and imagination in how and where to combine components that bring differentiation will be vital. Of equal importance will be championing this new perspective on how business capabilities can be built and challenging where traditional custom-build approaches are being applied without sound reasoning.
- Vendor strategy – As the richness of capabilities and the ease of integration between them increases, so critically does vendor dependence. This greatly raises the importance of vendor strategy. When you needed a vendor strategy for each level of the stack or each significant component, this responsibility sat in IT and procurement. If you are buying the entire stack and non-interchangeable modules with rich business capability – potentially across huge spans of your business – then these vendor strategies and relationships will sit at CEO or Board level.
- Operating model and culture – Some of the biggest barriers to strategy execution will be your existing operating model and culture. Both will require transformation in order to harness the potential to assemble business components from the cloud, rather than build systems and capabilities in-house using traditional tools and processes. Without drive from the top to change culture and operating models, any cloud strategy will remain still-born.
Business unit leaders & their IT partners
- Market insight – A critical role of business leaders and their IT partners is to understand where genuine differentiation can be gained in the market and how the current and future products of the cloud vendors can be assembled to enable this differentiation; or, alternatively, where custom-build and niche industry capabilities are the answer. In this process, it will be essential to understand the wider cloud strategy of your organisation so that you can see what capabilities have been or will be adopted elsewhere. This will drive re-use and simplification, which in turn bring lower costs and greater speed. Finally, business unit leaders and their IT partners will need close relationships with niche industry software companies and other IT firms to see where they can bring unique capabilities or act as partners in developing new solutions.
IT leaders & their teams
- Advice – With cloud strategy becoming a business issue, CIOs and their teams will play a vital role in educating and advising their colleagues about cloud capabilities and the individual cloud vendors. The industrialisation of IT through assembling rather than building components is a far cry from traditional models, so the extent of education and explanation that will be required should not be underestimated.
- Orchestration – As focus moves from build to assembly, the CIO and his or her team will become orchestrators of change. This is both in a literal sense by laying the technical foundations to assist assembly and inter-operation of cloud across the enterprise, and in a figurative sense through shaping and combining strategies from across the enterprise to ensure standards and re-use that are essential to low costs and flexibility. In fulfilling this role, definition of business and technical architectures will be essential, as these architectures will describe components and how they are combined.
- Vanguard of change – CIOs and their teams will play an essential role in galvanizing the organisation and acting as the vanguard for change. They will need to be cheerleaders for the changes in operating model and culture that are key to transformation. In addition, CIOs will on occasion need to recognise when traditional functions of the IT function (such as build and control) are a hindrance and they need to step aside to let business units take the lead.
Some practical steps to building your cloud strategy
So, what is your public cloud strategy? Here are some of the key questions that you will need to answer:
- What are the new products and services that will add most value to our internal and external customers?
- Which components are available from the cloud to support new products and services?
- How does the map look for each of the hyperscalers – they each have very different strengths and strategies – and which will provide the best fit for our business?
- How many cloud providers will we use? Will we go deep with one to drive fast and transformational change? Or will we partner with several to tap into different streams of innovation and maintain leverage in negotiations?
- In which areas will we want to devote our own resources to custom-build differentiating capabilities that cannot be sourced from elsewhere?
- Where will we use partners to assemble and manage cloud components because they bring distinct experience and skills, and/or the capabilities in question do not deliver meaningful difference in our customers’ eyes?
- What changes are required in the enterprise’s operating model to take advantage of potential to build cloud native applications and assemble (rather than build) cloud-native business capabilities?
- What does our composite map look like?
- Where do we begin?
Ignore it at your peril
The failure to see cloud for what it is and what it has to offer is currently widespread. However, experience shows that banks that can define a strong cloud strategy, and act on the business transformation needed in order to make it a reality, open up the potential for a market-leading competitive advantage. Building new products and services and replacing aging infrastructure, they are able to respond rapidly to market demands with low technical, regulatory and financial risks. Cloud is ready for banking. Banks now just need to decide whether they can really afford to ignore the opportunity.
Ensuring ATMs aren’t the weakest link to banking cybersecurity
By Elida Policastro, Regional VP – Cybersecurity division at Auriga
Digital banking brings huge benefits to customers, but the risks of cyber-attacks continue to rise. For banks, there is a need to stay ahead of the game, anticipating new methods of attack so that innovative solutions can be put in place in time to minimise those changing threats.
In terms of attack targets, the ATM ecosystem is complex and made up of heterogeneous hardware and software that is expensive and difficult to update, especially when ATMs and customer touchpoints need to be available 24/7. Because of this, financial organisations usually do not have the latest security policies in place, nor a centralised view of the ATM attack surface. It is vital that banks and ATM operators balance software deployment and hardware maintenance with keeping control of changes in software and hardware and ensuring the ATM network is as secure as possible.
This is critical because ATMs and central servers, which are the systems that control ATMs, have become a popular target for cyber-attacks. Last year, over half (58%) of the global banking industry respondents to the ATMIA Global Fraud and Security Survey 2019 reported that ATM attacks, which include both physical security breaches and fraud incidents, had increased.
ATM fraud attacks fall into three categories:
- Data fraud, resulting from data breach, such as account numbers, PIN codes, and other personal data
- Physical fraud, consisting of theft of valuable assets, such as cash by stealing cards
- Cyber fraud – logical attacks to the systems and communications
Jackpotting is an increasingly popular form of cyber-attack that exploits physical and software-based vulnerabilities in ATMs to get cash and thus an immediate financial reward for the attacker. It is estimated that in the last five years, financial organisations have lost millions to jackpotting. For example, the Ploutus family of ATM malware, which originally appeared in Mexico in 2013, has created losses of over $450 million (€398 million) around the world.
ATMs suffer physical and logical attacks for several reasons: one is that the physical cash inside acts as an incentive, and another is that cash machines contain confidential information like debit card numbers and PIN codes, which can be stolen and sold.
Critically, ATMs are a weak link in a bank’s security systems. They appeal to attackers because they are often poorly monitored and little logical action is taken to protect the data in them. In addition, cyber-criminals have also realised that ATM networks utilise security infrastructure that is based on a great deal of legacy hardware and software. This is more vulnerable to attacks because of the high cost of upgrades and difficulty to install security updates with machines that are geographically dispersed and use older operating systems and protocols. Unfortunately, this results in insecure systems that can be easily exploited.
On top of all of that, there is a real risk of an insider threat. There are a lot of different people and roles responsible for the upkeep of an ATM and these all have administration rights, including employees from the financial institutions, service providers, developers and installers.
One of the main ways cyber adversaries attack ATMs is via the ‘XFS layer’, a standard interface designed to have multivendor software running on manufacturers’ ATMs and other hardware. While the XFS layer uses standard APIs to communicate with self-service applications, there is no standard way of secure authentication that comes with it, making it easy for cyber-criminals to exploit this vulnerability. Cyber-attackers can therefore deploy malware into banking touchpoints such as cash machines to trick them into giving ‘cash out’ commands and dispense money. The card reader may also be compromised to steal card numbers, and the PIN pad tracked to learn PIN numbers, making the XFS layer a very attractive target. The importance of cybersecurity in banking is therefore only going to increase.
So, how should banks and ATM operators best prevent attacks? For ATMs, typical endpoint protection security such as anti-malware technology is just not enough. ATM networks and systems are critical infrastructure devices that need to be constantly available and so they require greater protection and a different approach.
The best approach is a centralised security solution that protects, monitors, and controls ATM networks, and thus manages the entire banking asset network in one place and takes appropriate action, such as stopping malware spreading throughout the network from infected ATMs.
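One central monitoring check that follows from the ‘cash out’ commands described above is to reconcile every dispense against a host authorisation. The sketch below is an added example, not from the original article or any vendor's product; the journal line format, event names and the 60-second window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed journal lines; the format and event names are assumptions
# made for this example, not a real ATM journal format.
SAMPLE_JOURNAL = """\
2020-09-14T03:14:02 ATM0017 DISPENSE txn=- amount=2000
2020-09-14T10:02:11 ATM0042 HOST_AUTH txn=881201 amount=200
2020-09-14T10:02:15 ATM0042 DISPENSE txn=881201 amount=200
2020-09-14T10:02:40 ATM0042 DISPENSE txn=881201 amount=200
2020-09-14T10:07:40 ATM0042 HOST_AUTH txn=881202 amount=50
2020-09-14T10:07:44 ATM0042 DISPENSE txn=881202 amount=500
2020-09-14T11:30:00 ATM0042 HOST_AUTH txn=881203 amount=100
2020-09-14T11:45:09 ATM0042 DISPENSE txn=881203 amount=100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<atm>\S+) (?P<event>HOST_AUTH|DISPENSE) "
    r"txn=(?P<txn>\S+) amount=(?P<amount>\d+)$"
)
MAX_AUTH_AGE = timedelta(seconds=60)  # assumed policy value


def reconcile(journal, max_age=MAX_AUTH_AGE):
    """Return (rule, atm, txn, detail) findings for dispenses the host did not approve."""
    findings, events = [], []
    for raw in journal.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # A line the parser cannot read may mean tampering or a format change.
            findings.append(("unparsed_line", "-", "-", line))
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["atm"], m["event"],
                       m["txn"], int(m["amount"])))
    events.sort(key=lambda e: e[0])  # journals from many ATMs arrive interleaved

    open_auths = {}   # (atm, txn) -> (authorisation time, authorised amount)
    consumed = set()  # authorisations that have already paid out once
    for ts, atm, event, txn, amount in events:
        key = (atm, txn)
        if event == "HOST_AUTH":
            open_auths[key] = (ts, amount)
            continue
        # Everything below handles a DISPENSE event.
        if key in consumed:
            findings.append(("replayed_authorisation", atm, txn,
                             f"dispensed {amount} again"))
            continue
        auth = open_auths.pop(key, None)
        if auth is None:
            findings.append(("no_authorisation", atm, txn, f"dispensed {amount}"))
            continue
        consumed.add(key)
        auth_ts, auth_amount = auth
        if amount > auth_amount:
            findings.append(("amount_mismatch", atm, txn,
                             f"authorised {auth_amount}, dispensed {amount}"))
        if ts - auth_ts > max_age:
            age = int((ts - auth_ts).total_seconds())
            findings.append(("stale_authorisation", atm, txn,
                             f"{age}s after approval"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(SAMPLE_JOURNAL):
        print(finding)
```

The check is only as trustworthy as its inputs: the authorisation records should come from the host side rather than from the ATM's own journal, which malware on the machine could alter.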
Such modern technology solutions not only provide invaluable cybersecurity protection, they can also save banking organisations time and money, as ATM and infrastructure management is centralised into a single hub. Actions can be executed remotely to quickly establish new defences via techniques such as network segmentation or implementing new firewalls.
It is particularly important for banks to have several layers of protection in one single platform. Such layers could involve full disk encryption, application whitelisting, hardware protection and file integrity protection.
Although financial organisations are making a concerted effort to improve their security landscape, cyber-criminals are continuing to innovate their attacks, making it an environment of threats that is evolving and advancing. From this, banks must constantly be proactive in implementing and testing their cyber-defences. It is therefore wise to draw upon external counsel with specialist security knowledge to double check on security plans and processes and help ensure ATM security is up to date and preventative.
Cyber Threat Intelligence (CTI) can provide banks with an early warning system to detect and contain potential threats before they become incidents. This intelligence is essential for any business as cybersecurity threats become increasingly indiscriminate. Once they become aware of any relevant threats and vulnerabilities, then they will begin to understand where and how these can be exploited, as well as the impact this may have on both the business and individuals.
Awareness of the threat landscape is vital for banks to understand what could be exploited and utilised for future cyber-attacks. If they do not, they open themselves up to the very real possibility of experiencing security breaches, loss of sensitive customer data, and of course stolen cash.
Bank fraud prevention in a post-COVID-19 world
By Pierre-Antoine Dusoulier, Founder and CEO, iBanFirst
Fraud on the rise
According to recent research from a leading UK retail bank, there was a 66 per cent increase in reported scams in the first six months of 2020 compared with the last six months of 2019 – due to the COVID-19 pandemic.
Across the summer months, Action Fraud UK reported a total financial loss of £11,316,266 by 2,866 victims of coronavirus-related scams.
The rise in fraud rates is a warning that banks, building societies and other financial providers need to be as alert as ever in identifying fraud.
So, what do banks need to do to ensure their customers are protected from fraud in a post-COVID-19 world?
Educate your customers to safeguard against fraud
On the customer level, banks need to be informing their customers on the types of common fraud to ensure that they are protected for all eventualities.
Authorised push payment scams are one of the fastest growing types of fraud. According to the FT, £354 million was stolen this way last year. It is where a company or individual is tricked into paying money into a criminal’s account. Emails come from a genuine email address but are then intercepted by a criminal, so it’s imperative that businesses have end-to-end email encryption, and the customer double-checks the account details with the supplier on the phone prior to making a payment.
At the same time, scammers can also exploit the company’s invoicing process, where criminals create a bogus invoice for a small amount and send it to a company’s accounting department. If the finance team does not identify this as fraudulent, it can result in the business losing a considerable amount of revenue over a long period of time.
Supplier fraud is also a widespread scam. This involves the fraudster taking on the appearance of a supplier that has changed their bank details. The fraudster will have collected information on the suppliers of the targeted company, in order to pose as an official supplier. This can be prevented by ensuring that the supplier is contacted to confirm the legitimacy of the communication. It’s important not to call or email the supplier using the details provided on the suspected fraudulent correspondence. Instead they must check the original details of the supplier and speak to them on their official telephone number or email on file.
Banking malware is the least commonly cited type of fraud but has a greater financial risk attached to it. Malware is sent by email redirecting the recipients of the message to a fake banking interface, as a way of transferring funds to offshore accounts.
Remodel processes post-COVID-19 to keep customer data safe
To fight cyber fraud and scams, banks must also play their part. In a world where entire workforces are working from home, banks must remain vigilant with customer data. COVID-19 has created a change in working habits and banks need to carry out the right level of training for their employees to protect customer data. Virtual team meetings and remote data sharing pose a threat of exposing sensitive information to malicious actors, and banks need to put the necessary safeguards in place.
All virtual meetings should use the banks’ private company network, and file sharing should be carried out through secure, encrypted company drives. Meanwhile, banks need to provision for all employees to receive regular software updates that will keep customer data safe, and ensure that they are aligned with new and existing data processing regulations.
Monitoring suspicious payments
A vital element of fraud detection is monitoring customer transactions in real time, and harnessing emerging technologies such as artificial intelligence and machine learning to spot the signs of a scam or fraud before it is too late.
One way that banks protect businesses from fraud is through keeping a log and examining regular transactional history. Any transactions which appear suspicious based on location, amount, the beneficiary, and the method will be flagged to the business customer, to mitigate the immediate and future financial risk to the business.
Know your transaction
To understand financial flows better, every bank has a Know Your Customer (KYC) engine. This is a payment infrastructure that supports onboarding processes and risk-based transaction monitoring. This system is already well known and we don’t need to elaborate on this further, as it is the fundamental building block to ensure the highest level of traceability across all transactions – including remittances and receipts of funds and foreign exchange transactions internationally.
However, KYC is limited and doesn’t include real-time analysis. What can be overlooked is a KYT (Know Your Transaction) engine. The aim of KYT is to identify potentially risky transactions and their underlying unusual behaviour for detecting money laundering, fraud or corruption. An automated concentration of transactions with accurate and relevant information directly from the original data sources is essential.
Finally, banks and payment companies need to implement anti-fraud modules to defend against cyberattacks, based on the latest algorithms capable of analysing transactions issued in real time and detecting anomalies or suspicious behaviour upstream, strengthening the security and transparency of payments and building a network of trust between issuers and recipients of payments.
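The monitoring described under “Monitoring suspicious payments” (location, amount, beneficiary, method) and the KYT idea above can be shown as a small rule set scored against a customer's own history. This is an added example, not from the original article or any bank's system; the field names, the median-absolute-deviation test with `k = 5` and all sample records are assumptions constructed for illustration. It also separates a brand-new payee from a known payee whose account details changed, the supplier-fraud pattern described earlier.

```python
from statistics import median

FIELDS = ("amount", "country", "payee", "account", "method")

# Constructed payment history for one business customer.
HISTORY = [dict(zip(FIELDS, row)) for row in [
    (1200.0, "GB", "Acme Supplies Ltd", "ACCT-0001", "bacs"),
    (950.0, "GB", "Northwind Logistics", "ACCT-0002", "faster_payments"),
    (1100.0, "GB", "Acme Supplies Ltd", "ACCT-0001", "bacs"),
    (1300.0, "GB", "Northwind Logistics", "ACCT-0002", "faster_payments"),
    (1000.0, "GB", "Acme Supplies Ltd", "ACCT-0001", "bacs"),
    (1150.0, "GB", "Northwind Logistics", "ACCT-0002", "faster_payments"),
]]

# Constructed payments to review ("ZZ" is a placeholder country code).
INCOMING = [dict(zip(FIELDS, row)) for row in [
    (1050.0, "GB", "Acme Supplies Ltd", "ACCT-0001", "bacs"),
    (1100.0, "GB", "Acme Supplies Ltd", "ACCT-7734", "bacs"),
    (9800.0, "ZZ", "Unfamiliar Trading", "ACCT-9001", "swift"),
]]


def build_profile(history):
    """Summarise what is normal for this customer across the four attributes."""
    amounts = [t["amount"] for t in history]
    med = median(amounts)
    # Median absolute deviation: a spread measure that one past outlier cannot inflate.
    mad = median(abs(a - med) for a in amounts)
    accounts_by_payee = {}
    for t in history:
        accounts_by_payee.setdefault(t["payee"], set()).add(t["account"])
    return {
        "median": med,
        "mad": mad,
        "countries": {t["country"] for t in history},
        "methods": {t["method"] for t in history},
        "accounts_by_payee": accounts_by_payee,
    }


def review(txn, profile, k=5.0):
    """Return the list of reasons this payment deviates from the profile."""
    reasons = []
    # Floor the spread so a history of identical amounts does not flag every change.
    spread = max(profile["mad"], 0.01 * profile["median"])
    if txn["amount"] > profile["median"] + k * spread:
        reasons.append("amount")
    if txn["country"] not in profile["countries"]:
        reasons.append("location")
    known_accounts = profile["accounts_by_payee"].get(txn["payee"])
    if known_accounts is None:
        reasons.append("beneficiary_new")
    elif txn["account"] not in known_accounts:
        # Known supplier name, different bank details: confirm by phone on file.
        reasons.append("beneficiary_details_changed")
    if txn["method"] not in profile["methods"]:
        reasons.append("method")
    return reasons


def triage(transactions, profile):
    """Return (index, reasons) for every payment that raised at least one reason."""
    flagged = []
    for i, txn in enumerate(transactions):
        reasons = review(txn, profile)
        if reasons:
            flagged.append((i, reasons))
    return flagged


if __name__ == "__main__":
    for index, reasons in triage(INCOMING, build_profile(HISTORY)):
        print(INCOMING[index]["payee"], INCOMING[index]["amount"], reasons)
```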
In a post-COVID-19 world it’s clear that scams will become more commonplace. Within this environment there is a shared responsibility when mitigating the risk of financial fraud. The bank must educate and inform customers to enable them to protect themselves, while ensuring a robust technological infrastructure and ways of working are in place that protect customer data, their finances, and fundamentally their business and livelihood.