Connect with us

Technology

Data breaches – emerging trends for financial services firms

Data breaches – emerging trends for financial services firms

By Tim Hickman, Partner at Global law firm White & Case

As public attention is increasingly drawn to major cyber security incidents, such as the recent Travelex ransom ware attack, clear trends in data protection enforcement have begun to emerge. Financial services firms can learn from these enforcement trends in order to help reduce their own regulatory risks in this area.

Cyberattacks are a fact of life

The growing integration of technology into all areas of business have seen remarkable improvements in efficiency and productivity across a range of sectors – especially financial services. Transactions are now performed across digital networks at speeds and in volumes that would have been unthinkable just a few decades ago. However, as financial services firms have become increasingly dependent on networked systems, they have also become more exposed to the security risks that are inherent in those systems.

Networked systems cannot ever be completely secure. It is almost always possible for a sufficiently determined and well-resourced attacker to compromise a system, given enough time. Moreover, the threats in this space are continually evolving. Many security features that were state-of-the-art just a few years ago can now be overcome with relative ease, using tools that are readily available on the dark web. As a result, financial services firms need to be constantly vigilant against the changing landscape of cyber threats.

Keeping personal data safe

Tim Hickman

Tim Hickman

In addition to the obvious financial and reputational risks associated with cyberattacks, financial services firms involved –especially those involved in retail finance– also face increasing regulatory scrutiny from data protection authorities, due to the large volumes of personal data they process. The processing of personal data in the EU is governed by the General Data Protection Regulation (the “GDPR”) which imposes penalties of up to the greater of €20 million or 4% of worldwide turnover on firms that fail to process data lawfully. The GDPR also requires firms to notify the relevant regulator (which, in the UK, is the Information Commissioner’s Office (the “ICO”))) within 72 hours after becoming aware of a data breach. Moreover, where there is a risk of harm to affected individuals, then firms are also required to notify those individuals without undue delay. At the end of the Brexit transition period, the GDPR will cease to apply in the UK, but essentially the same requirements are set out in the Data Protection Act 2018. This means that these obligations will continue to affect financial services firms in the UK, even after the Brexit process has been completed.

Although the rules on data breach reporting are relatively clear in theory, they can be very difficult to implement in practice. Earlier this month, foreign exchange company Travelex was hit with a major cyberattack. It is reported that the attackers gained access to Travelex’s systems, and demanded a significant ransom to restore access to the affected data. In response, Travelex took its public website offline and its staff were forced to use manual systems. At the time of writing, more than three weeks later, the Travelex website remains offline. The business disruption caused by this attack is difficult to quantify at this stage, but regulatory scrutiny is only just beginning.

Knowing whether to report a data breach can be complicated. First, not every cyberattack is necessarily a data breach. A data breach only happens where there is destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a data breach can only happen in systems that include personal data. Systems that only record information that is not personal data (e.g., records of transactions between businesses) can obviously suffer cyberattacks, but because no personal data are involved, those attacks are not data breaches and are not reportable to the ICO. Even for systems that include personal data, an unsuccessful cyberattack (or a cyberattack that did not affect the personal data on the system) would generally not be a data breach and would not be reportable to the ICO.

Second, it is often very difficult to ascertain facts quickly. At the start of any cyberattack investigation, there is often only a suspicion that something has gone wrong – not necessarily a certainty that there has been a successful attack or that personal data were affected. But the 72-hour reporting window in the GDPR does not leave firms with much leeway. As a result, some firms decide to simply over-report, sending the ICO a notification of every suspected breach, in order to ensure that they meet the reporting deadline, even if they will in most cases file a subsequent follow-up notification informing the ICO that they have concluded that the breach did not meet the threshold for notification after all. This consumes significant resources, but ensures that the firm cannot be penalised for under-reporting.

On the other hand, the risk of over-reporting is that once a firm issues a data breach notification to the ICO, it is effectively admitting that it believes (at least for the moment) that it may have suffered a data breach. This can create significant PR challenges and can also lead to regulatory risks in other areas – especially for listed entities, which are typically subject to stricter reporting obligations. As a result, financial services firms need to be able make the right call when it comes to reporting a suspected data breach to the ICO.

Emerging trends in data breach reporting

Enforcement of the GDPR began on 25 May 2018. The first clear trend to emerge since that date is that although the GDPR provides potentially very large fines (as noted above) the deluge of major financial penalties that had been feared has yet to materialise. While penalties of under £1million remain reasonably common, there have only been two major enforcement actions announced, neither of which has yet been finalised. Large financial penalties are even scarcer in the rest of the EU – only France’s CNIL has issued a GDPR penalty of more than €10million. There are a number of reasons for the lack of appetite among data protection authorities for issuing major fines, but the greatest single reason is likely the threat of litigation. Firms are unlikely to litigate penalties of under £1million because the cost would outweigh the benefit. However, larger fines –especially those based on a percentage of turnover– are much more likely to be challenged in the courts, because there is more money on the table. This means that if a data protection authority wishes to issue a very large fine under the GDPR, it has to be confident that its reasoning is sufficiently sound, and its evidence is strong enough, to survive court scrutiny. This requires considerable investment by the data protection authority, and reduces the number of cases that are likely to be subject to such fines.

The second trend is that both of the ICO’s multi-million pound enforcement actions to date were in respect of large-scale data breaches involving payment card data of hundreds of thousands of individuals. Although it is difficult to draw firm conclusions from the small number of enforcement actions to date, the fact that the ICO chose to invest significant resources in investigating these breaches, and will likely have to invest even more in defending these enforcement decisions in court, appears to have been motivated in part by the potential for financial impact of those data breaches upon the affected individuals. Violations of the GDPR in other areas (e.g., unlawful data transfers; failure to provide appropriate processing notices; etc.) have received far lower penalties and much less scrutiny.

Conclusion

All financial services firms are potentially at risk of suffering a cyberattack. While the financial and PR consequences of any such attack can be serious, there are additional data protection consequences for any firm that suffers a cyberattack involving personal data. Based on enforcement trends since the start of GDPR enforcement, the likelihood of incurring a multi-million pound penalty for violation of the GDPR appears to be relatively low. However, those fines become significantly more likely for any firm that suffers a large-scale data breach involving financial data of individuals. As a result, financial services firms that handle any personal data need to pay special attention to ensuring that appropriate protections and compliance measures have been implemented on all systems that are used to process such data.

Technology

IDnow: Putting a new face on identity verification

IDnow: Putting a new face on identity verification 1

By Charlie Roberts, Head of Business Development UK&I at IDnow

Munich headquartered IDnow is an identity verification provider which uses AI-based technology to check all security features on ID documents. With its Identity Verification-as-a-Service (IVaaS) platform that combines humans and technology, IDnow has set out to make the connected world a safer place, by enabling the identity verification of more than seven billion potential customers from 193 different countries.

IDnow’s expert knowledge of German regulation, which is considered one of the most highly regulated markets globally, has become critical. Indeed, the firm is currently in talks with the UK government about creating “immunity passports” for people who have recovered from Covid-19 to determine how recently someone has been tested and whether they can return to work.

Since launching its solutions in the UK in November last year, IDnow has seen enormous demand from organisations for its AI-based products.  Compared to the same period in 2019, the firm has reported a 358% increase in order intakes as Covid-19 accelerates the need for digital processes

So why the increased demand? We caught up with Charlie Roberts, Head of Business Development UK&I at IDnow, to talk about the AI identity verification market and how AI can help financial services organisations detect and mitigate identity fraud.

So why has IDnow seen such increased demand for its identification products?

While technology is – on the whole – changing the way people do business for the better, it nevertheless carries with it a certain degree of risk to security.  In the current climate in particular, with an accelerated move towards buying and selling online, identity fraud is on the rise. In fact, our research estimates this type of fraud has doubled in the last year alone. And, while banking and financial services may be the lowest hanging fruit in terms of targets for attempted identity fraud, the threat is certainly not restricted to this sector.

The problem is the cost to the economy. In June this year, Action Fraud announced that over £6.2m has reportedly been lost in the UK due to coronavirus-related scams, making cyber fraud one of the biggest threats in our economy and the fastest growing crime.

So we have seen an enormous uptick in enquiries about AutoIdent and VideoIdent because of their combined human and machine approach. Any identity verification check that doesn’t look 100% accurate gets automatically passed through to a human for extra security, all on the same platform, in a matter of minutes.

What are the most common fraud methods?

Of all fraud methods, social engineering is the biggest issue for companies. It has become the most common fraud method in 2019, accounting for 73% of all attempted attacks. It lures unsuspecting users into providing or using their confidential data and is increasingly popular with fraudsters, being efficient and difficult to recognise.

Fraudsters trick innocent people into registering for a service using their own valid ID. The account they open is then overtaken by the fraudster and used to generate value by withdrawing money or making online transfers.

They mainly look for their victims on online portals where people search for jobs, buy and sell things, or connect with other people. In most of the cases, the fraudsters use fake job ads, app testing offers, cheap loan offers, or fake IT support to lure their victims. People are even contacted on channels like eBay Classifieds, job search engines and Facebook.

Fraudsters are also creating sophisticated architecture to boost the credibility of these cover stories which includes fake corporate email addresses and fake websites.

In addition, we are seeing more applicants being coached, either by messenger or video call, on what to say during the identity process. Specifically, they are instructed to say that they were not prompted to open the account by a third party but are doing so by choice.

How can we fight social engineering?

The first priority is to ensure people are aware of the problem, and then ensure people have the right technology in place to be able to track fraudulent activity and react quickly.

Crucially, it requires a mix of technical and personal mechanisms. Some methods include:

  • Device binding: To make sure that only the person who can use an app – and the account behind it – is the person who is entitled to do so, the device binding feature is highly effective. From the moment a customer signs up for a service, the specific app binds with their used device (a mobile phone for example) and, as soon as another device is used, the customer needs to verify themselves again.
  • Psychological questions: To detect social engineering, even if it is well disguised, trained staff can be used as an additional safety net both during detection, but also in addition to the standard, automated checks at the start of the verification process. They can ask a customer an additional set of questions once a risk of a social engineering attack has been detected. These questions are constantly updated as new attack patterns emerge.
  • Takedown service – with every attack, organisations can learn. This means constantly checking new methods and tricks to identify websites which fraudsters are using to lure in innocent people. And, by working with an identity verification provider that has good links to the most used web hosts, they are able to take hundreds of these websites offline.

Is social engineering the only type of identity fraud?

No! There is also false identity fraud. Our research indicates fake IDs are available on the dark web for as little as £40 and some of them are so realistic – including the use of holograms – they can often fool human passport agents. The most commonly faked documents are national ID cards, followed by passports in second place. Other documents include residence permits and driving licenses.

Charlie Roberts

Charlie Roberts

Similarity fraud is another method of identity fraud in use, although it’s not as common thanks to the development of easier and more efficient ways (like social engineering). This method involves the use of a genuine, stolen, government-issued ID that belongs to a person with similar facial features.

Can anything be done about this?

Biometric security is extremely effective at fighting this kind of fraud. It can check and detect holograms and other features like optical variable inks just by moving the ID in front of the camera. Machine learning algorithms can also be used for dynamic visual detection.

To fight similarity fraud, biometric checks and liveness checks used together are very effective – and they are much more precise and accurate than a human could ever be without the help of state-of-the-art security technology.

The biometric checks scan all the characteristics in the customer’s face and compares it to the picture on their ID card or passport. If the technology confirms all of the important features in both pictures, it hands over to the liveness check. This is a liveness detection program to verify the customer’s presence. It builds a 3D model of their face by taking different angled photos while the customer moves according to instructions.

The biometric check itself could be tricked with a photo but, in combination with the liveness check, it proves there is a real person in front of the camera.

This all sounds like a significant time investment for companies?

It does but, if you can find a solution that offers both a fully automated system AND a video identification solution on a single platform, then it becomes pretty friction-free and part of the workflow. In fact, customers can be checked in a matter of minutes. Organisations worldwide need to be taking this very seriously. With over 1.9 billion websites and counting, there is a huge potential for fraud, and it’s a serious problem that must be slowed down.

The threat of identity fraud is not going away and, as fraudsters become more and more sophisticated, so too must technology. With the right investment in advanced technology measures, organisations will be in a much stronger position to stop fraudsters in their tracks and protect their customers from the risk of identity fraud.

Continue Reading

Technology

NextGen Communications – the future of customer experience

NextGen Communications – the future of customer experience 2

By Andrew Beatty, Head of Global Next Generation Banking at FIS

As software development increasingly resembles push updates in services, how can financial institutions best take advantage of their investments? The answer is leveraging today’s technologies to empower institutions to elevate their customer experience with personalised and integrated communications.

Long a staple of the British market, digital banks are expanding worldwide. The pandemic played to the strengths of these organisations. With branches closed or restricted, the accessibility and flexibility of these banks were major assets.

To better understand just why digital banks succeed, we need to look at their operating models. Using Software as a Service (SaaS) and Platform as a Service (PaaS) operating models rather than more traditional and slower alternatives allows them to supercharge development.

These new technologies can elevate customer experience (CX), with a specific focus on customer communications – an area often neglected in favour of purely aesthetic upgrades to flashy-looking front-end systems.

Communicating effectively

Every minute of every day, institutions globally generate 18 million texts, 188 million emails, 511,000 tweets, 232 VoIP calls and use 4.4 million GB of internet data. This colossal amount makes it difficult to provide a consistent experience that meets ever-higher customer expectations across all communication interactions and devices. Banks need to be accessible and provide a seamless experience through any and all of the channels their customers prefer, be that Native App Push, email, SMS, print, social media, Call Centre or bots.

FIs typically lack an integrated experience. What’s needed is enabled by a consistent data schema and workflow foundation that elevates the communications experience. Customers may not know to specifically request these, but they will notice their absence. Fundamental to these capabilities are application programming interfaces (APIs) that enable banks to pick and choose best-of-breed technologies, allowing banks to focus on improving the CX and increasing Operational Efficiency and Governance.

Loyalty matters

Banks succeed on the backs of loyal customers. What inspires loyalty in customers is a banking relationship that includes both listening and speaking. Research shows that 63% of customers would consider switching banking providers if communications don’t meet their expectations. For customers who said that their banks did not proactively offer them personalised services, the customer satisfaction experience rate fell to 39%.

Research shows that more than 70% of CX leaders struggle to design projects that increase customer loyalty. Contrast this number with 75% of enterprises aiming to beat their competitors by offering the best digital consumer experience, and we can gain a sense of just how crucial communications are; a seamless CX is more important than ever to meet these goals.

These last few months have been a testing ground for banks old and new. Every email, every statement about actions taken during the pandemic is a chance to prove (or disprove) that a bank has a robust, customised communication solution. Integration across all interactions is critical.

Questions to ask

Here are six questions executives who want to improve CX at their banks need to ask when evaluating infrastructure improvements:

  1. How will capabilities evolve without requiring extensive development to support new data schemas, workflow, communication types and new channels?
  2. Will the new solution allow accelerated change management (business user-enabled) of all communications to meet internal and external demand, or will we be handcuffed to an internal or external software release for these updates?
  3. Will our middle/back office and call centre benefit from this solution by having the capability to send ad-hoc communications from a previously approved library?
  4. Will we have end-to-end tracking of all our as-delivered communications for all stakeholders (call centre, back office, etc.)?
  5. How is delivery remediation handled? (e., failed email delivery to SMS)
  6. Are all required delivery methods supported in one centralised platform?

Consider these questions before embarking on a major project. This should help ensure the selected solution results in improved Customer Experience, superior Operational Efficiency, and better Governance for your financial institution.

FIs must take advantage of emerging technologies and investment in core technologies by considering service options for all key elements of their CX. A robust data integration and workflow layer along with API integrations allow the different components of technology infrastructure to have seamless real-time integrations with third-party Customer Communication Management technologies. This can accelerate existing digital transformation initiatives and take full advantage of a modern core transformation investment – putting technology to work for FIs and their customers.

Continue Reading

Technology

The Derry Group launches new employee engagement and communications app

The Derry Group launches new employee engagement and communications app 3

The Derry Group, a one stop shop for the distribution, storage and order picking of chilled and frozen products has today announced the launch of its new employee engagement app, Thrive.App.

Their flagship company Derry Refrigerated Transport is a leading service provider for chilled and frozen distribution throughout Ireland, the UK and Europe. Derry Refrigerated Transport is the first haulage company in Ireland to sign up to the newest self-service, rapid deployment Thrive.App which brings together the key features needed for businesses to power up their internal communications for their frontline teams.

With hundreds of employees working across multiple locations in Ireland, communication, organisational engagement and information sharing is essential for the growing business.

In order to meet the additional challenges presented by the current global pandemic and the fact that the company works out of various locations throughout the country The Derry Group recognises the need to look at new ways in which all employees can more effectively communicate and share information with each other.

Commenting on the deployment of the new Thrive.App, Patrick Derry, Managing Director, said,

“We have worked hard to build and transform our business to what it is today, and our employees are key to our success. It is important to us that we give them everything they need to carry out their roles successfully as well as feeling supported and recognised for what they do. With the Thrive.App our employees can now easily access the information they need to support them in their role, they see important updates as they occur, and they know what is happening across all areas of the business.

The launch of Thrive.App will bring everyone closer together, which is particularly important during the current challenges of Covid19 and the fact that we have teams in various parts of the country.

The Thrive team have provided the best support and guidance in helping us to launch the employee app and we are confident they will continue to support us to make it a success across our organisation.”

James Scott, CEO, Co-Founder of Thrive, adds; We are delighted to help and welcome The Derry Group as a new client and look forward to working together to ensure their employee communications and engagement app is a success and loved by their teams within the Group structure whether based in Armagh, Dublin or Cork. 

Our goal is to help organisations in shifting their communications from traditional methods such as printed newsletters, notice boards and team briefings to instant, modern apps and we have loved helping The Derry Group do this. We look forward to seeing the direct positive impact the app will have on their employee communications and engagement.”

Continue Reading

Call For Entries

Global Banking and Finance Review Awards Nominations 2020
2020 Global Banking & Finance Awards now open. Click Here

Latest Articles

The ultimate tech guide to remote working for the casual worker   4 The ultimate tech guide to remote working for the casual worker   5
Business18 hours ago

The ultimate tech guide to remote working for the casual worker  

By Paul Routledge D-Link Country Manager Like many others, you may have grabbed your laptop in the middle of March...

Safeguarding international logistics arrangements during the coronavirus crisis 6 Safeguarding international logistics arrangements during the coronavirus crisis 7
Business19 hours ago

Safeguarding international logistics arrangements during the coronavirus crisis

By Adam Ewart, CEO and Founder of Send My Bag It has certainly been a whirlwind couple of months. The coronavirus...

The Future of Finance Teams: Digitally Transformed 8 The Future of Finance Teams: Digitally Transformed 9
Top Stories19 hours ago

The Future of Finance Teams: Digitally Transformed

By Simon Bull, Sales Operations & Business Development Manager at Aqilla Finance teams haven’t always been at the forefront of...

High-yield bonds will help, not hinder, businesses’ recovery 10 High-yield bonds will help, not hinder, businesses’ recovery 11
Finance19 hours ago

High-yield bonds will help, not hinder, businesses’ recovery

By Jesse Chenard CEO of fintech MonetaGo, One of the best indicators of stock market growth is high-yield bonds. The junk...

A holistic view of organisational security 12 A holistic view of organisational security 13
Business19 hours ago

A holistic view of organisational security

By James Ward, Senior Cyber Consultant at MASS The finance sector is typically more developed than others when it comes...

IDnow: Putting a new face on identity verification 14 IDnow: Putting a new face on identity verification 15
Technology19 hours ago

IDnow: Putting a new face on identity verification

By Charlie Roberts, Head of Business Development UK&I at IDnow Munich headquartered IDnow is an identity verification provider which uses AI-based...

Finance leaders must act against increasing fraud 16 Finance leaders must act against increasing fraud 17
Finance19 hours ago

Finance leaders must act against increasing fraud

By David Thorley, Director of Customer Development, FISCAL Technologies The COVID-19 pandemic has resulted in a whole host of increased...

NextGen Communications – the future of customer experience 18 NextGen Communications – the future of customer experience 19
Technology20 hours ago

NextGen Communications – the future of customer experience

By Andrew Beatty, Head of Global Next Generation Banking at FIS As software development increasingly resembles push updates in services,...

The UK Property recovery has begun 20 The UK Property recovery has begun 21
Finance23 hours ago

The UK Property recovery has begun

By Jamie Johnson is the CEO of FJP Investment, The UK property sector will be integral to the country’s economic...

The Derry Group launches new employee engagement and communications app 22 The Derry Group launches new employee engagement and communications app 23
Technology1 day ago

The Derry Group launches new employee engagement and communications app

The Derry Group, a one stop shop for the distribution, storage and order picking of chilled and frozen products has...