John Wilson, Field CTO at Agari
Financial institutions (FIs) are among the biggest spenders when it comes to cyber security: the financial sector has the second highest investment in security in the UK.
However, there is a key area of continued weakness for FIs, and that is advanced email attacks that bypass traditional cyber security technologies and target employees and customers.
Earlier this year reports uncovered an 80% increase in cyber-attacks against FIs, and now intelligence gathered from fifty top banks and FIs in the States and Europe shows a massive increase in Dark Web activity linked to targeted attacks on these institutions. While such attacks take different forms, they almost always start with an email – in fact 93% of successful breaches begin this way.
The most dangerous form of email attack, Business Email Compromise (BEC), occurs when criminals impersonate a trusted contact in order to persuade an employee, customer, or partner to transfer funds or divulge sensitive information. According to the FBI, BEC has led to more than $12.5 billion in losses for US businesses since October 2013. Beyond the direct financial losses, BEC has resulted in the dark web being flooded with stolen data including account details, logins, credit card numbers and other vital PII.
This increase in dark web activity suggests that banks and FIs are in for a digital blitzkrieg over the next year. Despite the mounting evidence of the coming storm, 80% of FIs lack the proper technologies to detect and block sophisticated BEC attacks.
Most financial organisations still rely on traditional anti-spam/anti-malware/anti-virus systems, which were never intended to stop modern email-based social engineering attacks. Meanwhile, the attackers have learned to evade these traditional defences by using low-volume, highly targeted attacks rather than the spray-and-pray techniques the defences were designed to prevent. It’s as though financial institutions are still relying on barbed wire, while the attackers have traded their horses for tanks.
Social engineering isn’t new. The famous hacker and social engineer Kevin Mitnick used to go diving in the rubbish bin to prepare for his exploits. Armed with just enough credible information, Mitnick could walk into just about any company and get access to their computers and phone systems. Today it’s much easier and far less risky, due to the wealth of information available on our corporate websites and social networks such as LinkedIn and Facebook. Add to that the enormous volume of PII aggregated from hundreds of high-profile data breaches, and suddenly attackers from every corner of the globe can target an individual, department, or corporation.
Using tactics such as display-name fraud, domain spoofing, lookalike domains and, when possible, previously hijacked email accounts, a typical BEC campaign has a success rate of 3.7%. The most successful attackers will spend weeks or even months to gain the trust of an unsuspecting mark before going in for the kill. Patience is clearly a virtue for attackers, as a successful BEC attack can score $130,000 or more, according to CNBC.
In 2016 hackers pulled off an $81 million heist against the Central Bank of Bangladesh. It is believed that hackers infiltrated the systems needed to transfer funds through BEC attacks against low- and mid-level officials. Crime syndicates such as the Carbanak crime network, armed with $1.2 billion in loot from malware and phishing attacks, continue to hone their techniques to increase their success rate.
When it comes to customer targeting by the fraudsters, fake fraud alerts, account confirmations and suspension emails are among the top 10 most effective lures scammers use to hook their prey.
Like the Carbanak operation, many cybercriminals use “work from home” scams to recruit money mules to help them launder money. Others use the victims of online romance scams to help them move money. Despite some recent headlines touting multinational law enforcement actions against organized cyber criminal gangs, cyber crime continues to be a $2 trillion scourge on the global economy, amounting to a whopping 2%-5% of global GDP.
Traditional approaches to fighting BEC and other email threats haven’t proven effective at countering schemes that use identity impersonation and social engineering.
Machine learning is nothing new in the anti-spam space. Traditional solutions are trained to find a needle in a haystack by understanding what a needle looks like. It’s pretty easy to design a needle that doesn’t match the machine’s definition. Some financial institutions are finding success using modern machine learning technologies that assess people, relationships and behaviours in order to prevent malicious messages from reaching their targets. To continue the analogy, these modern machine learning algorithms learn what hay looks like so they can ignore it to find the needles.
Every company that receives mail also sends mail to their customers, partners, and employees. Protecting external parties presents its own set of challenges, as you have zero control over the protections in place outside your own organisation. Fortunately, there’s a standard known as Domain-based Message Authentication Reporting and Conformance (DMARC) that can prevent exact-domain spoofing. While it’s heartening that most financial services organisations have deployed a DMARC policy, only 20% of financial institutions have published a strong policy that goes beyond monitoring to actually prevent spoofing.
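An added example (not part of the original article): a Python check that separates monitoring-only DMARC records from enforcing ones, the distinction the paragraph above draws. The records and the bank.example domain are constructed samples; tag handling follows RFC 7489, and treating an unparseable pct as the default is an assumption.

```python
# Added example: classify DMARC TXT records by how much spoofing protection
# they actually give. Tag syntax and fallback rules follow RFC 7489.
# All records and the bank.example domain below are constructed samples.

ENFORCING = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING | {"none"}


def parse_dmarc(txt):
    """Return {tag: value} for a DMARC record, or None if it is not one.

    RFC 7489 requires v=DMARC1 to be the first tag; anything else is discarded.
    """
    pairs = []
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            pairs.append((name.strip().lower(), value.strip()))
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = {}
    for name, value in pairs:
        tags.setdefault(name, value)  # keep the first occurrence of a tag
    return tags


def assess(txt):
    """Classify one TXT string. Returns (status, findings)."""
    tags = parse_dmarc(txt or "")
    if tags is None:
        return "no-record", ["no DMARC record: exact-domain spoofing is not blocked"]
    findings = []
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    has_rua = any(u.strip().lower().startswith("mailto:")
                  for u in tags.get("rua", "").split(","))
    if p not in VALID_POLICIES or sp not in VALID_POLICIES:
        # RFC 7489 section 6.6.3: with a usable rua, receivers act as if
        # p=none; without one they apply no DMARC processing at all.
        if not has_rua:
            return "invalid", ["invalid p/sp and no rua: record is ignored"]
        findings.append("invalid p/sp: receivers fall back to p=none")
        p = sp = "none"
    if not has_rua:
        findings.append("no rua: no aggregate reports to monitor abuse")
    pct_raw = tags.get("pct", "100")
    if pct_raw.isascii() and pct_raw.isdigit() and int(pct_raw) <= 100:
        pct = int(pct_raw)
    else:
        pct = 100  # assumption: an unparseable pct is treated as the default
        findings.append("unparseable pct: assuming default of 100")
    if p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
        return "monitor-only", findings
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if sp == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    status = "partial" if (pct < 100 or sp == "none") else "enforcing"
    return status, findings


# Constructed sample records, as they would appear at _dmarc.<domain>.
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@bank.example",
    "strong": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example",
    "ramp-up": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@bank.example",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@bank.example",
    "typo": "v=DMARC1; p=rejct; rua=mailto:dmarc@bank.example",
    "spf-only": "v=spf1 include:_spf.bank.example -all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        status, findings = assess(record)
        print(f"{label:14} {status:13} {'; '.join(findings) or 'ok'}")
```

Even an enforcing record covers only exact-domain spoofing; lookalike domains and display-name fraud pass DMARC and need separate controls.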
Will any of this help? There are certainly signs of progress. In fact, organisations seeking solutions to advanced email threats can take a cue from companies that are blazing trails against these and other emerging challenges.
With Dark Web activities pointing to increased attacks on major banking system transfer platforms such as SWIFT, as well as stepped-up assaults on consumers, FIs need to heed the warnings and deploy effective solutions against email-borne social engineering attacks.
With 30% of UK companies reporting that they have sacked an employee for negligence around data breach, it is not just money and reputation on the line. It is careers too.
Boost for consumers as banks recognise room for improvement on service and delivery
- 42% of banks are looking to improve service provision and boost customer satisfaction in the year ahead
- Less than half of banks (47%) are happy with their current ability to manage and process payments
- Majority (55%) see open banking as the solution to their efficiency concerns
An international study of over 1,000 senior professionals in banks, lenders, PFMs, investment companies and retailers, by leading open banking provider Yolt Technology Services (YTS) has revealed that 42% of banks recognise the need to improve their service offering and boost customer satisfaction levels in the year ahead.
In particular, bankers noted shortcomings in their organisation’s ability to manage and process payments, with just 47% currently happy with their abilities in this space.
Banking professionals’ dissatisfaction with current services comes during the COVID-19 pandemic, which has seen millions of customers start to use digital financial services in the absence of branches, causing banks to face more online requests and applications than ever before. Naturally, customers still expect an accessible and convenient service from banks, who are competing with neo-banks better equipped to keep up with customer demands during the pandemic, largely due to being designed to offer super-fast digital services.
As a result, adoption of open banking technology is well underway among banks, who see it as a solution to stay competitive and deal with the accelerated digitisation of financial services. Banks led adoption among previously analogue sectors when it comes to investment in at least one form of open banking technology, with nearly two thirds (63%). Only personal finance management tools were higher with 68%, which is expected given their strong fintech credentials.
The research also revealed how banks expect to deliver the much-needed improvements. A majority (55%) recognise open banking’s ability to improve efficiency overall, a much-needed enhancement given the concern over processing speeds. In areas such as applications and payments, widespread adoption of open banking by banks would allow consumers to know about whether a loan or mortgage had been approved in minutes, rather than days or even weeks.
Alongside this, 44% of bankers expect open banking to improve the customer experience, a boost for consumers who can expect more personalised offerings and the ability to find out more about their finances in one place through services such as data enrichment.
To support these businesses and the remaining 37% who are yet to adopt, in delivering the required improvements through open banking, Yolt Technology Services has recently launched a series of guides to Unlocking the Value of Open Banking, available to download here: https://yts.yolt.com/whitepapers/value-open-banking
Leon Muis, Chief Business Officer at Yolt Technology Services comments:
“What consumers and businesses look for from their financial service providers has transformed dramatically in recent years, and many of the larger banks have been blindsided by the pace of change and as a result now find themselves out of step with what their customers need. The COVID pandemic and resulting lockdown period has served to bring this growing gap into sharp focus and, as our research shows, the banks themselves are increasingly recognising the need to change.
“Many banks understand that open banking offers substantial opportunities for them, including cutting costs, and for their customers, particularly the ability to provide a more personalised and faster user experience that allows them to access more of their financial footprint in one place.
“The specific issues banks have identified within their operations, such as weaknesses in the management and processing of payments, can be tackled with open banking technology. Payment Initiation Services (PIS) have the power to transform banks’ ability to cost-effectively execute and analyse payments on behalf of consumers, and are made possible thanks to PSD2 open banking legislation.
“Whilst some may be hesitant of investment during these times, open banking technology can boost efficiency, create a smooth digitisation process and cut costs at a time when these things have never been more important for businesses and their consumers.”
5 ways social listening is transforming the banking sector
By Michalis Michael, CEO of DigitalMR
Social media has impacted the banking sector significantly over the last decade and, particularly in recent years, tools like social listening have played a leading role in revolutionising banking businesses and their customer relationships.
Also known as ‘social intelligence’, social listening is the monitoring of a brand’s social media channels for any customer feedback, direct mentions, or relevant discussions, followed by an analysis to gain insights and act on emerging opportunities.
Banks today are facing immense pressure from ever-increasing customer expectations. In fact, a recent social intelligence report compiled by DigitalMR analysed customer sentiment and conversation drivers amongst 11 leading global banks during the period of February 2018 to April 2020 and found customer relationships hit an all-time low during the peak of the coronavirus pandemic.
As a result, traditional financial institutions have a lot of work to do to rebuild their reputations while at the same time competing with countless challenger banks, and embracing digital tools like social listening will be key for them to stand out against competition and draw customers back in.
Here are 5 of the main ways social listening is transforming the banking sector and becoming paramount for organisations to optimise their marketing and growth strategies and, ultimately, get ahead.
- Customer experience
Social media isn’t just about communicating a brand – it’s about learning what consumers want, and what they don’t want. It plays a key part in customer experience, which directly affects the way every business is perceived.
Many banking customers turn to social media to talk about their experiences with a brand and will sooner tweet the bank or post a scathing review on Google than call customer service about any issues.
Using social listening to monitor what customers think about everything, from their marketing campaigns to product quality and in-branch service, banks can uncover valuable information which allows them to positively impact a customer’s experience and commitment to their brand.
- Marketing campaigns
Banks’ marketing teams spend a lot of time coming up with new campaigns to launch but lack the insight into whether or why their campaigns have succeeded, and how to improve or build upon those efforts.
However, using social listening, they can identify ways to improve the value of their marketing campaigns by tracking changes in the volume of their brand’s mentions before, during and after. This will ultimately help determine how well they are working and highlight areas that need to be modified and improved.
Not only that, banks can use social listening to gather qualitative insight and decipher the reasons why specific campaigns have done well [or not so well]. Social listening allows them to quickly gather sentiment around specific campaigns and find out which aspects of the campaign are resonating with customers the most.
- Competitive analysis
Social listening enables banks to gather insight not only into their own brands, but into their competitors’ brands, too. Using semantic analysis, they can analyse what people say about one company compared to another and evaluate the share of conversation that takes place online about a given brand. Social listening can also make it easier for traditional banks to understand how their brand is doing compared to FinTech start-ups [challenger banks], which are becoming a growing threat to many banks and taking their customers away.
Social listening analytics reveal what customers like and dislike when it comes to challenger bank service features and give traditional banks the opportunity to upgrade their products and services to catch-up or [if they are really determined] gain a competitive edge, as well as understand how to market to customers interested in innovative app features.
- Identifying crises
With how fast-moving social media is, it takes no time at all for something to go ‘viral’, and therefore banking institutions need to monitor closely for negative press at all times. Unhappy customers can post anything they wish online to try and hurt their bank’s brand, regardless of whether their claims are based on fact, and their comments can quickly gain attention and be seen by thousands.
Banks can use social listening to catch potential crises as they emerge and shut down a problem in the early stages, so they don’t end up with a full-blown crisis management situation on their hands.
- Product development
Banks can power their product and service development by intelligent listening to social media and monitoring customer reviews. This allows them to gain additional input and ideas on how to better improve their existing offerings to suit the preferences and expectations of their customers, as well as to identify which new product lines to prioritise launching first. They can use social listening to test the waters before a new launch or roll-out, and reduce the risk involved in bringing new products or services to market.
The finance industry was slow to embrace social media, but the institutions that did take the plunge are reaping the benefits. Social intelligence will continue to transform the sector in years to come, and now is a critical time for the rest of the industry to follow suit if they want to remain competitive and drive stronger, profitable and mutually beneficial relationships in this new social reality.
Cloud in Banking: An Opportunity That Can’t be Ignored
By David Rimmer, Research Associate at Leading Edge Forum
Originally offered as a better way to build IT systems, cloud itself did not transform the business. Fundamentally, Infrastructure-as-a-Service (IaaS), as its name suggests, represented a new service model. IaaS brought a radical change in the commercial model for IT (rent vs. buy) and in the time taken to provision IT (instant self-service vs. the months of a standard procurement cycle), but ultimately the same system was still operating in a datacentre somewhere. ‘Lifting and shifting’ systems to the cloud delivered no discernible value for customers. At best, cloud enabled enterprises to provide value indirectly through ability to develop capabilities faster, for example by re-engineering and migrating systems to the cloud to harness its flexibility and speed.
This is absolutely not the case now. Cloud today is as much about delivering business capabilities as it is about IT. The hyperscalers are rapidly building out the range and number of services that they offer. For instance, at the end of 2017, AWS offered around 90 services; today the number is 225. The hyperscalers have expanded their portfolio of tools for developers to build cloud-native applications, thereby enabling more rapid development and testing, but the crucial departure from around 2017 onwards has been the addition of value-adding business components. In particular, the hyperscalers are building specialist services targeted at the major technology trends – for example: blockchain, Internet of Things, edge computing, immersive real-time experiences through 5G, streaming and visualisation, machine learning and artificial intelligence, unstructured data extraction and analysis, digital identity management, marketing analytics and automation.
The hyperscalers are also adding industry-focused solutions – for instance in banking: fraud APIs, payment services, financial data services and solutions optimised for specific core banking systems. Yet, for many, this mental transition has not yet been made, with people continuing to think that cloud is all about IaaS, when today it is as much about business components, and, in future, this will be even more so.
Developing your cloud strategy – it’s not just about IT, it’s about shaping the business
You can capitalise on the hyperscalers’ huge investment by intercepting their development path, gaining momentum in the market by exploiting the newest cloud services and avoiding investment in custom-building capabilities that will soon be available as a utility. At a higher level, you will want to understand which components with rich business value will soon be forthcoming so that you can short-cut the traditional product development cycle and afterwards ride a wave of future upgrades and enhancements.
Wardley mapping is a valuable aid in developing a strategy that makes optimal use of external capabilities and focuses a bank’s resources on the areas that will deliver the greatest return. In the Wardley map below, we have picked out just a fraction of the public cloud services now available for the banking industry to illustrate how cloud components can directly transform customer products and services, or provide capabilities for internal customers (developers, data scientists, UX designers, analysts, etc.). The vertical axis of the map reflects the degree to which a capability adds value to end customers: the horizontal axis shows the evolution of technology as it passes through stages from genesis, to custom-built, product and utility.
Capabilities that are new to the market (such as voice banking and blockchain-enabled asset management) feature in the genesis stage of the map. Under the custom-built stage come capabilities that are more mature but still highly unique to an individual enterprise, such as development of models and analytics on unstructured data. In the product column, capabilities are very similar from one bank to another, with a less direct yet still significant scope to impact end-customer services – for example, through faster product iteration.
Assembling cloud services to deliver cloud-native business capabilities in the banking environment
The increasing availability of business components opens up the prospect of cloud-native business capabilities that from the very start are conceived, designed and delivered through the cloud. Cloud-native business capabilities represent a higher level of abstraction than cloud-native applications. As a result, cloud-native business capabilities go that much further in enabling the speed, experimentation and ability to scale that underpin the competitiveness of a 21st Century Bank as it strives to bring new products and services to market in ever shorter cycles. In addition, cloud-native business capabilities change the role of the IT Function from developer-intensive build to more automated assembly of components.
So, what does this look like in practice? The Fundamental Review of the Trading Book (FRTB) is a set of rules, introduced under Basel III, to standardise the treatment of market risk and impose stricter capital requirements. In order to comply with FRTB, the main steps that banks need to take are to develop enhanced risk models; populate the models with bank positions and market data, such as prices and credit ratings; and run the models.
Banks can assemble capabilities from the cloud to meet FRTB in a faster and more effective manner than is possible using traditional solutions:
- Faster model development cycles allow “strats” to tune their models to reduce the amount of capital that the bank needs to hold.
- Common real-time reference data removes the need for the disparate reference data and interfaces to be found in most banks. The result is reduced cost, less complexity and standardisation between different parts of the bank.
- Since FRTB requires an increase in the number of models and their complexity, greater compute capacity is necessary (some experts project a twenty-fold increase). Moreover, because risk models are run only on an occasional basis to provide internal and regulatory reports, the burst capacity of cloud compute is a natural fit for running FRTB models. In contrast, traditional infrastructure would be sized for the peak, with substantial capacity remaining idle for most of the time.
By adopting a cloud delivery model to address FRTB, banks not only minimise their upfront investment and speed implementation, but going forward have greater flexibility, with ability to scale to meet new demands and capitalise on future investment by the cloud providers in model development and data services.
All this potential to exploit cloud for new products and services comes with a colossal proviso. Today’s catalogue of public cloud solutions can make a direct contribution to new products and services, but fundamentally what they offer is a basket of much more sophisticated components. These components still have to be assembled and configured. Business capabilities have to be built: processes redesigned, staff trained in new skills, culture aligned, new KPIs put in place, new organisation structures set up. Of course, for anyone with experience of business transformation this is no surprise.
The changing roles of business and IT leaders
At this point, it is clear that the transformation from build to assembly is of such a wide-ranging and fundamental nature that the active intervention of CEOs, COOs, CFOs and other business leaders is essential. However, the success in driving a cloud business strategy (as opposed to a cloud IT strategy) entails major changes in the roles of business and IT leaders.
CEOs, COOs & Boards
- Cloud business strategy – Once a cloud strategy has the potential to become a business-shaping strategy rather than an IT strategy, responsibility clearly needs to sit at the top of the enterprise. Here, vision and imagination in how and where to combine components that bring differentiation will be vital. Of equal importance will be championing this new perspective on how business capabilities can be built and challenging where traditional custom-build approaches are being applied without sound reasoning.
- Vendor strategy – As the richness of capabilities and the ease of integration between them increases, so critically does vendor dependence. This greatly raises the importance of vendor strategy. When you needed a vendor strategy for each level of the stack or each significant component, this responsibility sat in IT and procurement. If you are buying the entire stack and non-interchangeable modules with rich business capability – potentially across huge spans of your business – then these vendor strategies and relationships will sit at CEO or Board level.
- Operating model and culture – Some of the biggest barriers to strategy execution will be your existing operating model and culture. Both will require transformation in order to harness the potential to assemble business components from the cloud, rather than build systems and capabilities in-house using traditional tools and processes. Without drive from the top to change culture and operating models, any cloud strategy will remain still-born.
Business unit leaders & their IT partners
- Market insight – A critical role of business leaders and their IT partners is to understand where genuine differentiation can be gained in the market and how the current and future products of the cloud vendors can be assembled to enable this differentiation; or, alternatively, where custom-build and niche industry capabilities are the answer. In this process, it will be essential to understand the wider cloud strategy of your organisation so that you can see what capabilities have been or will be adopted elsewhere. This will drive re-use and simplification, which in turn bring lower costs and greater speed. Finally, business unit leaders and their IT partners will need close relationships with niche industry software companies and other IT firms to see where they can bring unique capabilities or act as partners in developing new solutions.
IT leaders & their teams
- Advice – With cloud strategy becoming a business issue, CIOs and their teams will play a vital role in educating and advising their colleagues about cloud capabilities and the individual cloud vendors. The industrialisation of IT through assembling rather than building components is a far cry from traditional models, so the extent of education and explanation that will be required should not be underestimated.
- Orchestration – As focus moves from build to assembly, the CIO and his or her team will become orchestrators of change. This is both in a literal sense by laying the technical foundations to assist assembly and inter-operation of cloud across the enterprise, and in a figurative sense through shaping and combining strategies from across the enterprise to ensure standards and re-use that are essential to low costs and flexibility. In fulfilling this role, definition of business and technical architectures will be essential, as these architectures will describe components and how they are combined.
- Vanguard of change – CIOs and their teams will play an essential role in galvanizing the organisation and acting as the vanguard for change. They will need to be cheerleaders for the changes in operating model and culture that are key to transformation. In addition, CIOs will on occasion need to recognise when traditional functions of the IT function (such as build and control) are a hindrance and they need to step aside to let business units take the lead.
Some practical steps to building your cloud strategy
So, what is your public cloud strategy? Here are some of the key questions that you will need to answer:
- What are the new products and services that will add most value to our internal and external customers?
- Which components are available from the cloud to support new products and services?
- How does the map look for each of the hyperscalers – they each have very different strengths and strategies – and which will provide the best fit for our business?
- How many cloud providers will we use? Will we go deep with one to drive fast and transformational change? Or will we partner with several to tap into different streams of innovation and maintain leverage in negotiations?
- In which areas will we want to devote our own resources to custom-build differentiating capabilities that cannot be sourced from elsewhere?
- Where will we use partners to assemble and manage cloud components because they bring distinct experience and skills, and/or the capabilities in question do not deliver meaningful difference in our customers’ eyes?
- What changes are required in the enterprise’s operating model to take advantage of potential to build cloud native applications and assemble (rather than build) cloud-native business capabilities?
- What does our composite map look like?
- Where do we begin?
Ignore it at your peril
The failure to see cloud for what it is and what it has to offer is currently widespread. However, experience shows that banks that can define a strong cloud strategy, and act on the business transformation needed in order to make it a reality, open up the potential for a market-leading competitive advantage. Building new products and services and replacing aging infrastructure, they are able to respond rapidly to market demands with low technical, regulatory and financial risks. Cloud is ready for banking. Banks now just need to decide whether they can really afford to ignore the opportunity.