By Ralf Ohlhausen, Business Development Director, PPRO Group
On 23 February, the European Banking Authority (EBA) announced its intention to outlaw “screen scraping” in one of their Regulatory Technical Standards (RTS) complementing the revised Payment Services Directive (PSD2), set to come into force in January 2018. Screen scraping sounds sinister. In fact, it simply refers to the practice of automating any internet browsing interaction, in this case with a bank, using their existing, direct customer user interface (online banking) with the customer’s permission. Therefore, let me rather call it “permitted automated direct access”, which describes it better and is less derogative.
The EBA suggests that banks can deny this type of “direct access” through their front door if they provide another, “indirect access” possibility via a new, yet-to-be-developed API at their back door. Customers, the argument goes, are being trained to enter their online banking credentials into third-party websites, and banks do not have adequate oversight of who is accessing their customers’ data.
Infantilising the consumer
The problem here is that we’re engaging with perception rather than dealing with substance. Consumers who share their login credentials with a PSD2-licensed fintech company are making an informed decision. They have complete control — and oversight — over who accesses that data. And that’s the crucial point: the consumer is in control, not the bank and not the fintech. And that’s exactly as it should be.
Of course, consumers must be protected against malicious “phishing attempts”, which is what the PSD2 security elements mentioned below are all about, but that applies to bank and fintech websites in the same way and also independently of using front or back doors.
Sharing login details between reputable financial services companies, subject to a competent financial regulator (for instance, the FCA in the UK or the BaFin in Germany) is perfectly secure. Such companies are regularly audited and must, by law, take all necessary technical, legal, and procedural steps to protect consumer data. This absolutely includes login details, but also includes the actual financial data itself. If they make a mistake, they are liable for providing restitution — so you can bet your bottom dollar that they are serious about not making mistakes.
As a matter of fact, the new General Data Protection Regulation (GDPR) stipulates that consumers shall be enabled to access all their data, retrieve it and share it – or not – depending on their explicit consent. The only feasible technology for achieving this is the permitted automated direct access of the consumer’s data via the very same interface they are using manually – and this does not just apply to banks, but also to insurers, telecoms, social media sites and any other company storing data on behalf of their customers.
What’s more, European data-protection laws also demand proportionality in how data is collected and used. The customer’s consent only covers data strictly necessary to the job with which he or she has tasked the company. In the US, there has been some concern that screen scraping might give financial-service companies ongoing access, allowing them to harvest a broad range of data from customer accounts. In Europe, this just isn’t possible.
To the contrary, PSD2 stipulates the use of Strong Customer Authentication (SCA) to disable the potential misuse of static login data by requiring a second factor, e.g. a one-time password, to authorise any particular transaction. It also stipulates that licensed fintechs have to properly identify themselves to the banks. The rumour that this would not be possible with direct access is simply not true – fake news! The certificate approach suggested by the RTS can be used equally well for direct or indirect access.
The danger in getting this wrong
Globally, fintech — particularly in the payments industry — is at a crucial stage in its development. E/M-commerce is booming. Volumes are expected to grow exponentially over the next few years. This is driving a rapidly growing demand for innovative online payment and financial products. So far, Europe has been one of the main beneficiaries of this development.
Two key planks of this success have been European fintech’s ability to innovate and its ability to provide a good customer experience. The ban on permitted direct access to customer data puts both at risk. If fintechs must always go through the bank’s back door API, they are essentially beholden to the banks, which could then “control the innovation” – that’s like letting the fox guard the henhouse. If the development of a bank’s API lags behind changes to the way its accounts are structured or the way its online banking works, then EU fintechs — and ultimately consumers — will be at a disadvantage.
At the same time, permitted direct access is the easiest and quickest way for a consumer to get started with a new financial provider. The vast majority of them are using this type of access today – including banks by the way! By forcing the consumer to take a more complicated route to sharing his or her data, the EBA would bring existing competition to a halt and make the customer experience less seamless. This will hurt not just such new providers, but also the conversion rates of many merchants.
The only way to motivate banks to provide and sustain an equally good – or even better – indirect (API) access than what they offer their customers directly is the following: leave the decision about which one to use to the consumer and their chosen fintech. Leaving it to the banks instead and then hoping for a level playing field by regulating and trying to enforce things like “functionality”, “availability” and “performance” levels of APIs will just create endless arguments and disputes between the parties, make the courts even busier and turn lawyers – not consumers – into the real beneficiaries of PSD2.
Driving competition into financial services by banning direct access is like promoting electric cars without allowing them on to public streets. Imagine where telecoms, electricity and railway competition would be today if incumbents had been allowed to keep their access infrastructure exclusively for themselves and lay new wires, power lines and rail tracks for their competitors to use! Banks can always be a big step ahead if competition is forced to use their (API) back entrance instead of their shiny (online banking) front door.
Some banks will want to provide great APIs to attract many fintechs around them and create a whole ecosystem, similar to what Apple and Google achieved with their app stores. Some others – probably the majority I would guess – will prefer to do nothing and save their money and scarce tech resources for more burning problems. The remaining banks in-between will do the minimum to comply and the maximum to hinder the new competition knocking at their front or back door.
The new competitors will want to use APIs if they are good, because it is easier than automating the direct access, but they will not want to use them if they are not so good, because that would lead to not-so-good services for their customers – who, not to be forgotten, are also the customers of that bank!
In November 2016, the European Commission established a Financial Technology Task Force, with the aim of helping fintech in the EU reach its full potential. 2017, we were told, was going to be the “year of fintech” in the EU. Potentially hamstringing EU fintechs with an anti-competitive rule is an odd way of showing it.
What should we be doing?
To really protect consumers, the EU needs to help them understand how to choose the right providers when buying financial services and to safeguard against the use of malicious ones. National authorities should rigorously enforce existing laws on data protection and information security, making an example of any company which fails to meet proper standards either in the collection or use of data. This would do what the misguided EBA ban on “screen scraping” aims to do, but cannot, without harming the growing EU fintech sector.
“Permitted automated direct access” should be recognized as one of the most important enablers for innovation and competition in general, and not just in the financial services industry. Therefore, governments, regulators and competition authorities should embrace it and focus on keeping it secure and efficient, rather than throwing it out with the bathwater.
To be fair, the European Parliament recognizes this already judging by a letter they wrote in October 2016. Amazing that the EBA chose to do the opposite, and I can only hope that the parliament will insist and prevail!
Properly nurtured and regulated, European fintech will continue to be a success story: an engine of growth and a job creator, at exactly the time such things are sorely needed. This isn’t the time to put that at risk, particularly not for the sake of excessive legislation that won’t achieve its stated aim.
Will covid-19 end the dominance of the big four?
By Campbell Shaw, Head of Bank Partnerships, Cardlytics
Across the country, we are readjusting to refreshed restrictions on our daily lives, as we continue to navigate the seemingly unnavigable waters of the coronavirus pandemic.
For all of us, the pandemic has made life anything but ‘normal’, and with social distancing here to stay, it will remain so for a long time yet. These paradigm shifts have impacted every aspect of life, including how we bank.
Focus is already turning to the role the big banks are playing through the pandemic, with experts fearing the economic downturn will only cement the position of the ‘big four’ traditional players.
But has the pandemic shaken the dominance of the big banks? Or has it simply confirmed their position?
Turning to tech
There’s no doubt that the pandemic has caused the big players to be challenged like never before on tech.
Classically slower to adapt to developments in the market, the big banks have seen increased demand for online services and contactless payment systems turbocharge their need to act like a challenger.
And they have, agilely adapting to this new normal by updating systems and services to ensure customers’ safety and financial security come first.
Scale is staying power
In these new times, the power and influence of the big players has also been proven.
The big four have provided the lion’s share of the government-backed loans designed to help small and medium-sized businesses through the pandemic. It has also been the big four offering the majority of payment holidays for customers on their mortgages, debt and credit cards.
However, it’s important to note that their power to retain customers goes much deeper than their market share.
Our switching study, which looked at the reasons behind customer switching, found that even before the pandemic, despite nearly half (48%) of UK adults admitting they know they aren’t getting the best deal with their current bank, half have never switched their current account.
That’s often because of the value they can provide to their customers, through personalized service, offers and rewards that keeps customers engaged and invested in them. As brands increasingly look to
Focus on finances
As the world becomes a more financially insecure place, due to COVID-19, there’s been a marked shift towards more attention on finances, which has affected not only the business functions of banks but has impacted banking relationships with customers at their core.
From deals to savings, customers now more than ever are re-evaluating how they bank, and how they manage their money.
The impact on the big four is more pressure than ever to keep up with the best interest rates and deals. That can be difficult for a big, and often slower moving, organisation and could be a stumbling block for them in the months to come.
However, on the plus side, the big four can lean into their sophisticated loyalty schemes, using offers and deals from partner brands to demonstrate value to customers and build up their loyalty.
Engaging with purpose
The pandemic has seen many banks acting with a renewed sense of purpose. Banking has had to be more adaptable than ever before – fitting the needs of those who may be feeling financial stress or dealing with unprecedented challenges.
And showing a little heart can go a long way when it comes to increasing customer loyalty and boosting a bank’s reputation.
Over the last months, traditional banks have been quick to adapt their products and services in response to the demands and challenges their customers have been facing.
No doubt, continuing to build more meaningful, supportive and engaging customer relationships, whether it is online or on the newly reopened high-street, will be critical to banks’ dominance as we look to the future.
Bring on the challengers
However, with their meteoric rise ahead of lockdown, we must keep an eye on the challengers, who still have the potential to knock traditional players off their pedestal.
We found that more than three million people in the UK opened a current account with a new bank last year. Our research found that traditional banks made up well over half (69%) of the accounts UK adults switched from, while newer digital challenger banks such as Monzo, Starling Bank and Revolut made up 25% of current accounts switched to. And these fast moving, fast growing challengers may see further growth if traditional banks are stifled by the declining high-street.
What’s more, the high street could yet prove to be the Achilles’ heel of the bigger players, as shifting budgets and increasing overheads in the context of a more online banking experience could see more big players struggle with their physical presence, making way for the digital challengers to thrive.
So, while the dominant players may have the lead, they should still keep an eye on the challengers as we look ahead to the next, uncertain, six months.
To take the nation’s financial pulse, we must go digital
By Pete Bulley, Director of Product, Aire
The last six months have brought the precarious financial situation of many millions across the world into sharper focus than ever before. But while the figures may be unprecedented, the underlying problem is not a new one – and it requires serious attention as well as action from lenders to solve it.
Research commissioned by Aire in February found that eight out of ten adults in the UK would be unable to cover essential monthly spending should their income drop by 20%. Since then, Covid-19 has increased the number without employment by 730,000 people between July and March, and saw 9.6 million furloughed as part of the job retention scheme.
The figures change daily but here are a few of the most significant: one in six mortgage holders had opted to take a payment holiday by June. Lenders had granted almost a million credit card payment deferrals, provided 686,500 payment holidays on personal loans, and offered 27 million interest-free overdrafts.
The pressure is growing for lenders and with no clear return to normal in sight, we are unfortunately likely to see levels of financial distress increase exponentially as we head into winter. Recent changes to the job retention scheme are signalling the start of the withdrawal of government support.
The challenge for lenders
Lenders have been embracing digital channels for years. However, we see it usually prioritised at acquisition, with customer management neglected in favour of getting new customers through the door. Once inside, even the most established of lenders are likely to fall back on manual processes when it comes to managing existing customers.
It’s different for fintechs. Unburdened by legacy systems, they’ve been able to begin with digital to offer a new generation of consumers better, more intuitive service. Most often this is digitised, mobile and seamless, and it’s spreading across sectors. While established banks and service providers are catching up — offering mobile payments and on-the-go access to accounts — this part of their service is still lagging. Nowhere is this felt harder than in customer management.
Time for a digital solution in customer management
With digital moving higher up the agenda for lenders as a result of the pandemic, many still haven’t got their customer support properly in place to meet demand. Manual outreach is still relied upon which is both heavy on resource and on time.
Lenders are also grappling with regulation. While many recognise the moral responsibility they have for their customers, they are still blind to the new tools available to help them act effectively and at scale.
In 2015, the FCA released its Fair Treatment of Customers regulations requiring that ‘consumers are provided with clear information and are kept appropriately informed before, during and after the point of sale’.
But when the individual financial situation of customers is changing daily, never has this sentiment been more important (or more difficult) for lenders to adhere to. The problem is simple: the traditional credit scoring methods relied upon by lenders are no longer dynamic enough to spot sudden financial change.
The answer lies in better, and more scalable, personalised support. But to do this, lenders need rich, real-time insight so that they can act effectively, as the regulator demands. It needs to be done at scale and it needs to be done with the consumer experience in mind, with convenience and trust high on the agenda.
Placing the consumer at the heart of the response
To better understand a customer, inviting them into a branch or arranging a phone call may seem the most obvious solution. However, health concerns mean few people want to see their providers face-to-face, and fewer staff are in branches, not to mention the cost and time outlay by lenders this would require.
Call centres are not the answer either. Lack of trained capacity, cost and the perceived intrusiveness of calls are all barriers. We know from our own consumer research at Aire that customers are less likely to engage directly with their lenders on the phone when they feel payment demands will be made of them.
If lenders want reliable, actionable insight that serves both their own needs and their customers’, they need to look to digital.
Asking the person who knows best – the borrower
So if the opportunity lies in gathering information directly from the consumer – the solution rests with first-party data. The reasons we pioneer this approach at Aire are clear: firstly, it provides a truly holistic view of each customer to the lender, a richer picture that covers areas that traditional credit scoring often misses, including employment status and savings levels. Secondly, it offers consumers the opportunity to engage directly in the process, finally shifting the balance in credit scoring into the hands of the individual.
With the right product behind it, this can be achieved seamlessly and at scale by lenders. Pulse from Aire provides a link delivered by SMS or email to customers, encouraging them to engage with Aire’s Interactive Virtual Interview (IVI). The information gathered from the consumer is then validated by Aire to provide the genuinely holistic view of a consumer that lenders require, delivering insights that include risk of financial difficulty, validated disposable income and a measure of engagement.
No lengthy or intrusive phone calls. No manual outreach or large call centre requirements. And best of all, lenders can get started in just days and they save up to £60 a customer.
Too good to be true?
This still leaves questions. How can you trust data provided directly from consumers? What about AI bias – are the results fair? And can lenders and customers alike trust it?
To look at first-party misbehaviour or ‘gaming’, sophisticated machine-learning algorithms are used to validate responses for accuracy. Essentially, they measure responses against existing contextual data and check their plausibility.
Aire also looks at how the IVI process is completed. By looking at how people complete the interview, not just what they say, we can spot with a high degree of accuracy if people are trying to game the system.
AI bias – the system creating unfair outcomes – is tackled through governance and culture. In working towards our vision of a world where finance is truly free from bias or prejudice, we invest heavily in constructing the best model governance systems we can at Aire to ensure our models are analysed systematically before being put into use.
This process has undergone rigorous improvements to ensure our outputs are compliant by regulatory standards and also align with our own company principles on data and ethics.
That leaves the issue of encouraging consumers to be confident when speaking to financial institutions online. Part of the solution is developing a better customer experience. If the purpose of this digital engagement is to gather more information on a particular borrower, the route the borrower takes should be personal and reactive to the information they submit. The outcome and potential gain should be clear.
The right technology at the right time?
What is clear is that in Covid-19, and the resulting financial shockwaves, lenders face an unprecedented challenge in customer management. In first-party data, harnessed ethically, they may just have an unprecedented solution.
The Future of Software Supply Chain Security: A focus on open source management
By Emile Monette, Director of Value Chain Security at Synopsys
Software Supply Chain Security: change is needed
Attacks on the Software Supply Chain (SSC) have increased exponentially, fueled at least in part by the widespread adoption of open source software, as well as organisations’ insufficient knowledge of their software content and resultant limited ability to conduct robust risk management. As a result, the SSC remains an inviting target for would-be attackers. It has become clear that changes in how we collectively secure our supply chains are required to raise the cost, and lower the impact, of attacks on the SSC.
A report by the Atlantic Council identified “115 instances, going back a decade, of publicly reported attacks on the SSC or disclosure of high-impact vulnerabilities likely to be exploited” in such attacks, each carried out by compromising some part of the SSC. The report highlights a number of alarming trends in the security of the SSC, including a rise in the hijacking of software updates, attacks by state actors, and open source compromises.
This article explores the use of open source software – a primary foundation of almost all modern software – due to its growing prominence, and more importantly, its associated security risks. Poorly managed open source software exposes the user to a number of security risks as it provides affordable vectors to potential attackers allowing them to launch attacks on a variety of entities—including governments, multinational corporations, and even the small to medium-sized companies that comprise the global technology supply chain, individual consumers, and every other user of technology.
The risks of open source software for supply chain security
The 2020 Open Source Security and Risk Analysis (OSSRA) report states that “If your organisation builds or simply uses software, you can assume that software will contain open source. Whether you are a member of an IT, development, operations, or security team, if you don’t have policies in place for identifying and patching known issues with the open source components you’re using, you’re not doing your job.”
Open source code now creates the basic infrastructure of most commercial software which supports enterprise systems and networks, thus providing the foundation of almost every software application used across all industries worldwide. Therefore, the need to identify, track and manage open source code components and libraries has risen tremendously.
License identification, patching vulnerabilities and introducing policies addressing outdated open source packages are now all crucial for responsible open source use. However, the use of open source software itself is not the issue. Because many software engineers ‘reuse’ code components when they are creating software (this is in fact a widely acknowledged best practice for software engineering), the risk of those components becoming out of date has grown. It is the use of unpatched and otherwise poorly managed open source software that is really what is putting organizations at risk.
The 2020 OSSRA report also reveals a variety of worrying statistics regarding SSC security. For example, according to the report, it takes organisations an unacceptably long time to mitigate known vulnerabilities, with 2020 being the first year that the Heartbleed vulnerability was not found in any commercial software analyzed for the OSSRA report. This is six years after the first public disclosure of Heartbleed – plenty of time for even the least sophisticated attackers to take advantage of the known and publicly reported vulnerability.
The report also found that 91% of the investigated codebases contained components that were over four years out of date or had no developments made in the last two years, putting these components at a higher risk of vulnerabilities. Additionally, vulnerabilities found in the audited codebases had an average age of almost 4 ½ years, with 19% of vulnerabilities being over 10 years old, and the oldest vulnerability being a whopping 22 years old. Therefore, it is clear that open source users are not adequately defending themselves against open source enabled cyberattacks. This is especially concerning as 99% of the codebases analyzed in the OSSRA report contained open source software, with 75% of these containing at least one vulnerability, and 49% containing high-risk vulnerabilities.
Mitigating open source security risks
In order to mitigate security risks when using open source components, organisations must know what software they are using, which known vulnerabilities affect it, and which of those have exploits available. One way to do this is to obtain a comprehensive bill of materials from your suppliers (also known as a “build list” or a “software bill of materials” or “SBOM”). Ideally, the SBOM should contain all the open source components, as well as the versions used, the download locations for all projects and dependencies, the libraries which the code calls, and the libraries that those dependencies in turn link to.
Creating and communicating policies
Modern applications contain an abundance of open source components with possible security, code quality and licensing issues. Over time, even the best of these open source components will age (and newly discovered vulnerabilities will be identified in the codebase), which will result in them at best losing intended functionality, and at worst exposing the user to cyber exploitation.
Organizations should ensure their policies address updating, licensing, vulnerability management and other risks that the use of open source can create. Clear policies outlining the introduction and documentation of new open source components improve control over what enters the codebase and help ensure that it complies with those policies.
Prioritizing open source security efforts
Organisations should prioritise open source vulnerability mitigation efforts in relation to CVSS (Common Vulnerability Scoring System) scores and CWE (Common Weakness Enumeration) information, along with information about the availability of exploits, paying careful attention to the full life cycle of the open source component, instead of only focusing on what happens on “day zero.” Patch priorities should also be in line with the business importance of the asset patched, the risk of exploitation and the criticality of the asset. Similarly, organizations must consider using sources outside of the CVSS and CWE information, many of which provide early notification of vulnerabilities, and in particular choose one that delivers technical details, upgrade and patch guidance, as well as security insights. Lastly, it is important for organisations to monitor for new threats for the entire time their applications remain in service.
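The two preceding sections describe what an SBOM should record and how findings against it should be ranked (CVSS, CWE, exploit availability, asset criticality, component age). The following script, added here as an illustration and not code from the article or from Synopsys, puts both together: it matches a constructed vulnerability feed against a constructed SBOM fragment, ranks the matches, reports which components transitively link to each affected library, and flags components with no recent release. The component names, versions, URLs, vulnerability ids and weights are all invented sample data, not real advisories.

```python
"""Rank open source findings from an SBOM using the factors the article
names: CVSS score, CWE, public exploit availability and the business
criticality of the asset shipping the component, plus a staleness check on
each component. Every identifier, version, URL and vulnerability record
below is constructed sample data, not a real advisory or project.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed SBOM fragment carrying the fields the article lists for an
# SBOM: component, version, download location and what each one links to.
SBOM = {
    "asset": "payments-gateway",
    "asset_criticality": "high",  # business importance of the asset
    "components": [
        {"name": "libexample-tls", "version": "1.0.2",
         "download": "https://example.invalid/tls",
         "last_release": "2016-03-01", "links_to": ["libexample-crypto"]},
        {"name": "libexample-crypto", "version": "3.4.0",
         "download": "https://example.invalid/crypto",
         "last_release": "2020-06-15", "links_to": []},
        {"name": "example-json", "version": "2.9.1",
         "download": "https://example.invalid/json",
         "last_release": "2019-11-02", "links_to": []},
    ],
}

# Constructed vulnerability feed (ids are placeholders, not CVE numbers).
VULNS = [
    {"id": "EXAMPLE-2016-0001", "component": "libexample-tls", "version": "1.0.2",
     "cvss": 7.5, "cwe": "CWE-125", "exploit_public": True, "published": "2016-04-01"},
    {"id": "EXAMPLE-2019-0002", "component": "example-json", "version": "2.9.1",
     "cvss": 9.8, "cwe": "CWE-502", "exploit_public": False, "published": "2019-12-10"},
    {"id": "EXAMPLE-2020-0003", "component": "libexample-crypto", "version": "3.4.0",
     "cvss": 5.3, "cwe": "CWE-400", "exploit_public": False, "published": "2020-07-01"},
]

# Weights are illustrative policy choices, not values taken from the article.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}
EXPLOIT_WEIGHT = {True: 1.5, False: 1.0}
REFERENCE_DATE = date(2020, 10, 1)  # fixed "today" so runs are reproducible


@dataclass
class Finding:
    vuln_id: str
    component: str
    cwe: str
    cvss: float
    age_days: int        # days since public disclosure: the window attackers had
    priority: float
    reached_via: list = field(default_factory=list)  # components linking to this one


def stale_components(sbom, today, max_release_age_years=2):
    """Names of components with no release in the last N years (cf. the OSSRA figures)."""
    cutoff = today.replace(year=today.year - max_release_age_years)
    return [c["name"] for c in sbom["components"]
            if date.fromisoformat(c["last_release"]) < cutoff]


def dependents_of(sbom, name):
    """Components that directly or transitively link to `name`."""
    result, frontier = set(), {name}
    while frontier:
        target = frontier.pop()
        for c in sbom["components"]:
            if target in c["links_to"] and c["name"] not in result:
                result.add(c["name"])
                frontier.add(c["name"])
    return sorted(result)


def prioritise(sbom, vulns, today):
    """Match the feed against the SBOM and rank findings, highest priority first."""
    crit = CRITICALITY_WEIGHT[sbom["asset_criticality"]]
    installed = {(c["name"], c["version"]) for c in sbom["components"]}
    findings = []
    for v in vulns:
        if (v["component"], v["version"]) not in installed:
            continue  # the vulnerable version is not present in this asset
        priority = v["cvss"] * EXPLOIT_WEIGHT[v["exploit_public"]] * crit
        findings.append(Finding(
            vuln_id=v["id"], component=v["component"], cwe=v["cwe"], cvss=v["cvss"],
            age_days=(today - date.fromisoformat(v["published"])).days,
            priority=priority, reached_via=dependents_of(sbom, v["component"])))
    return sorted(findings, key=lambda f: f.priority, reverse=True)


if __name__ == "__main__":
    for f in prioritise(SBOM, VULNS, REFERENCE_DATE):
        print(f"{f.priority:6.2f}  {f.vuln_id}  {f.component}  {f.cwe}  "
              f"cvss={f.cvss}  age={f.age_days}d  via={f.reached_via}")
    print("stale:", stale_components(SBOM, REFERENCE_DATE))
```

Note that the 7.5-rated issue with a public exploit outranks the 9.8-rated one without, which is the article's point that raw CVSS alone is not the right ordering.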