By Brendan Jones, Chief Commercial Officer of Konsentus
This article is a response to one by Matt Cockayne of Envestnet Yodlee, published 5th October 2018, which stated that the biggest threat to open banking was the FCA in the UK not extending the definition of an AISP to include non-consumer-facing data aggregators.
And thus, by implication, that Yodlee and similar data aggregators that do not deal directly with Payment Service Users cannot be regulated by the FCA as AISPs.
I would push back on this premise in two areas: first on some of the arguments he makes, and then, more importantly, by highlighting what is a far bigger threat to open banking.
The Role of UK OBIE
Matt states that the Open Banking Implementation Entity (OBIE) only allows companies registered with the relevant regulatory authority (the FCA in the UK), to directly access Open Banking APIs in the long-term. Without this direct access, third party providers must register such companies as their ‘outsource provider’ so they can gain access to the Open Banking APIs indirectly.”
I would contend that there is significant misunderstanding of the role of UK OBIE here. UK OBIE was created by the UK Competition and Markets Authority (CMA), which mandated the 9 largest banks in the UK, commonly referred to as the CMA9, to be members of it and to implement Open Banking standards under its instructions and directions. There is, however, NO mandate for any Third Party Provider (TPP) to register with UK OBIE to gain access to any Financial Institution (FI) in the UK under European Payment Services Directive 2 (PSD2) open banking. FI as a term of course also covers Electronic Money, Payment Institution, Building Society and Credit Card accounts. For the UK market, OBIE registration is purely voluntary, despite what some banks or others would state.
The European Banking Authority RTS on Strong Customer Authentication and Common Secure Communications is very clear that once a TPP has been approved/registered with its local National Competent Authority (NCA) and passported to the relevant NCA in the country of operation of the FI, the FI cannot refuse access to the TPP unless it believes there to be fraudulent activity. If Envestnet Yodlee was registered with another country's NCA and then passported into the UK, no UK FI can refuse it access.
Payment Service User Confidence
Matt states in the article that the current position of the FCA in not allowing aggregators to be AISPs will undermine confidence in open banking as “in the event of a data breach with an aggregator – consumers would not be able to hold that company liable.” This is wrong: Payment Service Users (consumers, small and medium enterprises etc.) would never have a relationship with an aggregator service. Their contractual relationship will be with the TPP, to whom they have given their “explicit consent” to access their account(s) and who is providing the service. It is thus the TPP, which has the direct contractual relationship, that would be held liable by the Payment Service User (PSU) in the event of any data breach either at the TPP or at any of its suppliers. It is a bit like a retailer and a wholesaler: the PSU has a relationship with the retailer, and in the event of a problem they go back to the retailer, not the wholesaler. It is then up to the retailer to take the dispute up with the wholesaler. Further, the aggregator is likely also to be affected by GDPR legislation around the data breach and to face regulatory oversight from this perspective as well.
I can fully understand why Envestnet Yodlee would like to be regulated, as it would make their business model easier to run in the UK, but to state it is the biggest threat undermining open banking implies that the majority of TPPs will use aggregators such as Envestnet Yodlee to access FI data and not just integrate directly with the FIs, something that I believe a great many TPPs will do. Thus, the impact of any non-regulation of aggregators will be limited both by the number of TPPs using such services in the first place and by the fact that they are already covered by GDPR requirements around protection of data.
The Real Big Threat to Open Banking
There are 9,000 plus FIs in Europe that need to be ready by March 14th 2019 for open market testing under mandatory PSD2 timescales. The biggest single threat to PSD2 open banking is simply that the market will not be live and ready in time.
- To date there are still a number of countries that have not transposed PSD2 requirements into national law including Romania, Spain and Ideland.
- To date there are a number of NCAs who have not yet announced how they will register or approve TPPs, how they will hold the data and how they will communicate revocation.
Checking of TPPs identity and regulatory status is at the heart of PSD2 open banking.
When a PSU signs up to use an open banking service, they do not need to check whether the service provider to which they have given “explicit consent” is a regulated/approved TPP or indeed a fraudulent one; this is the job of the FI.
It is the job of the FI to check the identity of the TPP and its regulatory status; this is crucial to establishing the trust factor in PSD2 open banking. As Matt stated, “The data sharing aspect of Open Banking is already a primary concern for consumers – recent research by Accenture found that 85% of those asked said the fear of fraud would put them off sharing data, and 69% said they would not share financial data with businesses that were not banks.” This means that all FIs need to ensure that they only ever supply PSU data to approved/regulated TPPs. If they supply data to a TPP that is not, then they are in breach of PSD2.
With Konsentus providing the only real time, online, machine readable database currently for the market covering both TPP regulatory status and eIDAS identity checking, we believe the biggest threat to PSD2 open banking is ensuring the NCA databases are ready and that FIs understand the importance of checking on TPPs.
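As an added illustration (not code from the article or from Konsentus), the FI-side check described above can be sketched as follows. The register snapshot, TPP identifiers and function name are constructed, `cert_valid` stands in for eIDAS certificate validation done elsewhere, and the identifier layout and role names follow ETSI TS 119 495.

```python
import re
from dataclasses import dataclass

# organizationIdentifier layout used in PSD2 eIDAS certificates (ETSI TS 119 495):
# "PSD" + home country + "-" + NCA identifier + "-" + authorisation number
ORG_ID = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$")

@dataclass(frozen=True)
class RegisterEntry:
    status: str               # "authorised" or "revoked" (constructed vocabulary)
    roles: frozenset          # roles granted by the home NCA
    passported_to: frozenset  # host countries the home NCA has notified

# Constructed register snapshot; the TPPs and numbers are invented for the example.
REGISTER = {
    "PSDGB-FCA-100001": RegisterEntry("authorised", frozenset({"PSP_AI"}), frozenset({"IE"})),
    "PSDNL-DNB-200002": RegisterEntry("authorised", frozenset({"PSP_AI", "PSP_PI"}),
                                      frozenset({"GB", "DE"})),
    "PSDDE-BAFIN-300003": RegisterEntry("revoked", frozenset({"PSP_AI"}), frozenset({"GB"})),
}

def check_tpp(org_id, cert_roles, cert_valid, requested_role, fi_country, register=REGISTER):
    """Decide whether an FI in fi_country should serve this TPP request.

    cert_valid is the result of eIDAS certificate validation (chain, expiry,
    revocation) performed elsewhere; cert_roles are the roles in the certificate.
    Returns (allow, reason).
    """
    if not cert_valid:
        return False, "certificate not valid"
    match = ORG_ID.match(org_id)
    if match is None:
        return False, "malformed organizationIdentifier"
    if requested_role not in cert_roles:
        return False, "role not in certificate"
    # Identity alone is not enough: the certificate can outlive the authorisation,
    # so regulatory status is checked against the register on every request.
    entry = register.get(org_id)
    if entry is None:
        return False, "not on NCA register"
    if entry.status != "authorised":
        return False, "authorisation " + entry.status
    if requested_role not in entry.roles:
        return False, "role not on register"
    home_country = match.group(1)
    if home_country != fi_country and fi_country not in entry.passported_to:
        return False, "not passported"
    return True, "ok"

if __name__ == "__main__":
    for org, roles, country in [("PSDNL-DNB-200002", {"PSP_AI", "PSP_PI"}, "GB"),
                                ("PSDDE-BAFIN-300003", {"PSP_AI"}, "GB"),
                                ("PSDGB-FCA-100001", {"PSP_AI"}, "DE")]:
        print(org, country, check_tpp(org, roles, True, "PSP_AI", country))
```

The second sample case is the one the article's revocation point turns on: the certificate still validates, but the register shows the authorisation has been withdrawn, so the request is refused.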
Hackers can now empty out ATMs remotely – what can banks do to stop this?
By Elida Policastro, Regional Vice President for Cybersecurity, Auriga
In 2010, the late Barnaby Jack famously exploited an ATM to make it dispense dollar bills without the money being withdrawn from a bank account using a debit card. Fast forward to the present day, and this technique, now known as jackpotting, is emerging as a threat and growing as an attack on financial services. Recently, a hacking group in North Korea called BeagleBoyz has caught the attention of several U.S. agencies, as it has allegedly been stealing money from international banks by using remote hacking methods such as jackpotting.
The reality behind jackpotting
Jackpotting is when cybercriminals use malware to trick a targeted ATM into dispensing cash. As this criminal method is relatively easy to commit, it is becoming a popular tool for cybercriminals, and this trend will surely continue in 2021 unless financial organisations implement policies to prevent this and protect consumers.
During this difficult time, when access to cash has never been more important to banking customers, it is imperative that banks give their customers reliable ATMs that work, 24/7, 365 days a year. However, due to the sensitive data that ATMs possess, such as credit card or PIN numbers, they have now become a profitable object for cybercriminals to manipulate. As cybercriminals have been evolving in their efforts of attacking the IP in ATM machines, we will definitely see more jackpotting stories emerge in the coming months, especially with the large return on investment.
How criminals exploit the vulnerabilities found in ATMs
Since ATMs are both physically accessible and found in remote locations with little to no surveillance, this gives an opportunity for criminals to carry out jackpotting, especially with the software vulnerabilities that may exist in many ATMs.
ATM machines have been easily manipulated due to the outdated and unpatched operating systems that they run on. If banks wanted to resolve this issue and update these systems, it would take large amounts of time and money to do so. However, some banks do not have such resources, and because of this cybercriminals take advantage by penetrating the software layers in ATMs and exploiting the hardware to dispense cash.
How can banks tackle this?
As the sector has a complex technical architecture, banking organisations will have to make sure that they have control over the transactions that take place, and this includes managing the security of communication between the various actors. When financial organisations are reviewing their ATM infrastructure, they will also need to protect the most vulnerable parts of it. Banks, for example, can encrypt their communication channels and use message authentication, in the event bad actors try to tamper with their communications.
Because ATM networks need to be available 24/7, banks not only need to implement greater protection over their systems, but also need to do so with a holistic approach. One action that banks can take is to implement a centralised security solution that protects, monitors and controls their various ATM networks. This way banks can control their entire infrastructure from one location, stopping fraudulent activities or malware attempts on vulnerable ATMs.
Another way for banks to reduce the risk of jackpotting attacks is to update their ATM hardware and software. To do this, they will need to closely monitor and regularly review their machines in order to spot any emerging risks.
What the future holds for the banking industry
As confirmed by the warnings from the U.S. agencies, jackpotting remains a very serious threat for financial organisations. Evidence has also emerged that hackers are becoming more innovative in their tactics. It was reported last year, for example, that hackers stole details of proprietary operating systems for ATMs that can be used to form new jackpotting methods.
The emergence of jackpotting highlights the need for banks to actively work to protect their customers’ personal information and critical systems now and for the foreseeable future. In order to stay secure and reduce the risk of attacks, they will need to put in place the aforementioned solutions, which include updating their ATM hardware and software as well as closely monitoring and regularly reviewing their ATMs. As cybercriminals continue to become more innovative in their ways of attacking the machines, the issues mentioned will only continue to rise if they are not addressed. Although the method of jackpotting requires little action from cybercriminals, if financial organisations can implement a layered defence to their ATM security, they can stop themselves from becoming another victim to this type of attack in the future.
SoftBank Vision Fund set for new portfolio champion with Coupang IPO
By Sam Nussey and Joyce Lee
TOKYO/SEOUL (Reuters) – SoftBank’s $100 billion Vision Fund is poised to have a new number-one asset in its portfolio with the upcoming floatation of top South Korean e-tailer Coupang, furthering a turnaround that has seen the fund yo-yo from huge losses to record profit.
The $50 billion target valuation that Reuters reported this month would likely see the decade-old firm surpass recently listed U.S. food deliverer DoorDash Inc on a roster of assets that also includes stakes in TikTok parent ByteDance and ride-hailers Grab and Didi.
The Vision Fund built up its 37% stake in Coupang for $2.7 billion, mostly at an $8.7 billion post-money valuation, a person familiar with the matter said. The fund is not expected to sell shares in the initial public offering (IPO) that Coupang filed for in New York, the person said, declining to be identified as the information was not public.
SoftBank Group Corp and Coupang declined to comment.
Achieving a $50 billion valuation would add to good news for the fund which is bouncing back from an annual loss in March. This month, it announced record quarterly profit, driven by the listings of DoorDash and home seller Opendoor Technologies Inc and share price rise of ride-hailer Uber Technologies Inc.
The fund has written big cheques for late-stage startups to fuel rapid growth, with two-thirds of the value of its portfolio concentrated in 10 assets including Coupang.
The 10 include 25% of British chip designer Arm – to be sold to Nvidia Corp pending regulatory approval – but not stakes in high-profile stumbles like office-sharing firm WeWork.
The fund’s largest assets include its 22% stake in DoorDash, whose share price has doubled since the firm’s December IPO, sending its market capitalisation to $65 billion.
SoftBank initially invested in Coupang in 2015, adding it to a stable of e-commerce hits that included 25% of China’s Alibaba Group Holding Ltd, before placing it under the fund.
The e-tailer has grown rapidly during stay-home policies while the COVID-19 pandemic has forced other portfolio firms like Indian hotel chain Oyo to scramble to preserve cash.
Analysts see Coupang’s $50 billion valuation as feasible given its first-mover status and as it expands beyond replacing brick-and-mortar retail with a rising number of online channels.
It is the biggest e-tailer in South Korea that directly handles inventory, with 2020 purchases at about 21.7 trillion won ($19.62 billion), showed data from WiseApp.
“The market’s assessment isn’t exaggerated,” said analyst Park Eun-kyung at Samsung Securities. “Coupang’s market leadership is a premium factor.”
($1 = 1,106.1800 won)
(Reporting by Sam Nussey in Tokyo and Joyce Lee in Seoul; Editing by Christopher Cushing)
Five things to look out for in HSBC strategy update
By Alun John
HONG KONG (Reuters) – HSBC Holdings PLC will update its “transformation” plan announced a year ago on Tuesday, when the Asia-focussed lender also reports annual results.
As part of its latest strategy, the bank said in February last year it would shrink its investment banking operations and revamp its businesses in the United States and Europe resulting in 35,000 jobs being cut.
HSBC’s pretax profits for 2020 are expected to fall 38% to $8.3 billion, according to analysts’ estimates compiled by the bank, because of the impact of the COVID-19 pandemic.
Here are five key things to look out for in the new plan to revive its growth —
1. How will HSBC boost fee income?
The bank has promised details of its plans to make more money from the fees it earns from selling products to customers than it does by pocketing the difference between the interest rates it offers savers and charges borrowers.
This could involve selling more products to wealth management clients, charging corporate clients in different ways, and maybe even charging retail clients for basic banking services.
2. What do the plans to double down on China and Asia mean?
HSBC intends to refocus resources from elsewhere on what it calls its “high returning Asia business”, but investors want to know what this means in practice for markets and business lines.
Politics could make this harder. HSBC has been attacked by British lawmakers for assisting Hong Kong police with investigations into pro-democracy activists, including freezing some bank accounts.
CEO Noel Quinn said last month the bank had to comply with police requests and he could not “cherry-pick which laws to follow”.
3. Will HSBC resume paying a dividend?
HSBC has not announced a dividend since the third quarter of 2019, on instructions from the Bank of England. This angered retail investors in Hong Kong who tried unsuccessfully to have the policy changed.
The regulator has since lifted the ban, and British rival Barclays said Thursday it would pay a dividend of one pence a share. However, despite beating analyst expectations with its 2020 results, Barclays shares fell as a vague outlook without profit targets left investors underwhelmed.
HSBC investors will be looking beyond the day’s numbers for concrete commitments towards improved returns and a more positive outlook for key economies.
4. How will HSBC shrink its U.S. and European footprint?
HSBC’s French high street banking operations are up for sale, but it has had trouble finding a buyer.
The market is due an update on whether HSBC has managed to find a buyer on terms it will accept, or whether it will seek to wind the business down more gradually.
HSBC will also give details of how it will accelerate its existing efforts to shrink assets, staff and branches in the U.S., which accounted for 0.5% of the group’s pre-tax profit in the first half of last year.
5. More job cuts on the way?
HSBC employed 307,000 people at the end of 2010. The bank’s management said last year it was aiming to reduce the headcount of 235,000 closer to 200,000 by 2023. Investors want to know whether the new plan will mean deeper cuts. Nearly every new strategy launched by HSBC in the past decade has resulted in fewer people being employed by the bank.
(Reporting by Alun John; Editing by Sumeet Chatterjee & Shri Navaratnam)