by Andrew Wingfield, Corporate partner at global law firm King & Wood Mallesons.
The digitalisation of the retail banking sector presents two related challenges for the management of banks: developing a coherent digital strategy and, in implementing that strategy, coming to terms with the swathe of new measures being put in place across the EU to address the risks presented by an increasingly digital world.
The digital age has given rise to a new competitive environment in the financial sector. Alternative technology-driven providers use new technological developments to target particular transactions, offering accessibility and ease of use to customers whilst leveraging traditional banking platforms. Such providers not only benefit from technological expertise, in terms of both systems and staff, but also face lower barriers to entry and are subject to less regulatory scrutiny than mainstream banks. This new competitive environment, combined with technologies that allow for product comparison and fewer hurdles to switching accounts, presents challenges for market incumbents, who must rethink their strategy to retain the custom of digitally-focused consumers.
The growing range of services offered via a technology interface and the increased use of digital or mobile platforms give banks an opportunity to make use of big data and provide consumers with a more personalised service. However, they also have major implications for banks' risk processes: every new channel, interface and integration enlarges the attack surface and with it the number of opportunities for a cyber-security breach. As such, the threat of cyber-crime has moved to the top of the risk agenda for boards, from a conceptual risk to one that affects banks on a daily basis. A cyber-security breach can have serious operational, financial and legal implications for a bank, including financial loss from fraud and theft, loss of data or IP, service disruption, the cost of increased security, and a negative impact on reputation and consumer confidence.
Should a bank suffer a cyber-security breach, it would also need to consider whether it has breached any applicable law or third-party contract by failing to protect data. If a bank has been negligent, it must be prepared for claims for damages from those affected. To reduce the risk of data theft, confidential data held on computers, mobile devices, servers, databases, backup media and storage platforms should be encrypted at rest and access to systems should be controlled, so that lost or stolen media, or a compromised host, does not yield usable plaintext; encryption is only as strong as the management of its keys, which must be held separately from the data they protect and beyond the reach of an attacker who has compromised the data store. A financial institution should not permit the use of unvetted internet services, consumer cloud storage sites or web-based email to communicate or store confidential information, since data placed there sits outside the bank's monitoring, retention and access controls.
It is imperative that banks have in place the IT systems needed to support their increased reliance on technology solutions. However, banks' core IT systems are struggling under the weight of digital requirements and are increasingly susceptible to failure and cyber-security breaches. Though the economic cost of overhauling these legacy IT systems is high, it is a necessary step in enabling traditional banks to compete with challenger banks and Fintech companies which, having not inherited archaic IT systems, are able to choose modern and resilient technology platforms. Migrating to a new platform is itself high-risk, as banks operate daily with huge numbers of live customers and business worth billions of pounds, and a migration must therefore be planned so that the bank can continue to serve customers, and to detect and respond to attacks, while old and new platforms run side by side.
Digital distribution also brings with it the risk of allowing customers to make ill-informed decisions, leaving banks exposed to allegations of mis-selling or of not acting in customers' best interests. Banks must be alert to the circumstances in which a customer may not be aware of the consequences of a decision and ensure that adequate measures are in place to address this.
The adoption of digital banking has so far outpaced the regulatory response, and regulation is yet to reflect the consequences of the new digital banking environment. Recent hacks and leaks have highlighted the ease with which customer information can be accessed, and future attacks causing widespread financial losses would be likely to provoke a draconian response from regulators. Banks are already facing heightened regulation in areas such as data protection and payment processing. The compliance burden will be further increased where a bank has worldwide operations or has outsourced its IT infrastructure, as banks will be expected to ensure that third-party providers are handling information appropriately; outsourcing the processing does not outsource the responsibility, so contracts, audit rights and monitoring of providers become part of the bank's own security posture. Banks could be set to face a period of heavy regulation as regulators come to terms with unfamiliar and unknown risks. As such, banks need to stay ahead of the curve by treating the raft of new regulations as the "new normal" and being proactive in their approach to compliance.