finance
monthly
Personal Finance. Money. Investing.

 Carl Slabicki, Head of Strategic Payment Solutions, BNY Mellon Treasury Services, explores the changing climate of US payments.

For a long time, banks in the US have competed primarily on price and service rather than as providers of payments solutions. But the payments and cash management space is now changing. Developments to existing payment rails are emerging alongside new real-time solutions and overlay services, and organisations that are able to adapt quickly to the evolving payments landscape will be well placed to gain a significant market advantage.

As we enter this period of unprecedented disruption in the marketplace, the importance of expediting the journey from paper to digital transactions for payers and receivers is becoming increasingly clear; payments are faster, more streamlined and feature enhanced capabilities around validation, security and risk mitigation.

Certainly, in the current challenging environment, the continued investment in and implementation of digital solutions continues to highlight the timeliness of this initiative. Remote working has put a spotlight on the channels we choose to make payments, with the payments industry leaning more and more on a digital environment to stay connected and continue conducting efficient and timely business. So what changes are occurring, and how can organisations and their clients reap the rewards?

The payment system evolution

For over 45 years, the ACH network had been the core next-day batch settlements system in the US. But during its long tenure, the underlying ACH system – which is governed by the National Automated Clearing House Association (Nacha) – has continued to modernise and grow, with the latest figures showing an increase in transaction volumes of 8.1% year-on-year in Q4 2019. This growth has been driven by the increasing payment convenience brought about, in part, by the introduction of Same Day ACH (SDA), which from March 2020 has increased its transaction limit from US$25,000 to US$100,000 to help open up additional use cases for the market.


To meet that growing need, new payment rails are being introduced to replace legacy capabilities. For example, RTP® – the US’s real-time payments network – launched by The Clearing House in 2017, is providing real-time gross settlement on a 24/7/365 operating model. This is providing clients with greater speed, efficiency, convenience and transparency. What’s more, in a move that will further bolster the growth of faster payments in the US, the Federal Reserve has announced its intention to launch its real-time payments system, known as the FedNow℠ Service, in 2023 or 2024.

Improving security

Sitting right at the centre of the evolving US payments landscape is the move towards pre-validation services – foundational tools that are addressing security concerns that surround the entire payment process. Regardless of the payment channel being used – whether it’s ACH, Wire, RTP or other – the question remains: how do you know the payment or account data you have been provided for a transaction is correct and legitimate?

Indeed, the advent of new technologies that have enabled faster and more efficient payments sits at the intersection of another trend, namely the sophistication of fraud in the payment space. And, as people have settled into working from home environments, such security concerns have been further accentuated. The need to positively verify that an individual is authorised to transact on a paying or receiving account is, as a result, also becoming increasingly important.

It is for this reason that market leading banks are turning their attention to delivering solutions that enable real-time pre-validation – meaning the confirmation that a payee is the legitimate party occurs prior to a payment being sent. These solutions leverage a national shared database, such as the one maintained by fraud management and prevention service provider Early Warning Services, to validate the routing and account number, and verify the owner on the account, before the payment is sent. This increases security and risk mitigation, reduces fraud losses, and helps reduce the costs and processes associated with checks and other legacy payment systems.

Digitalising paper

Elsewhere, a host of overlay services are coming to the fore to address historical market challenges. For example, the migration from checks to electronic payments remains a significant pain point for cash managers. Though accepting and processing checks comes with a heightened risk of fraud and an array of manual processes, they continue to remain necessary as many businesses do not have the information required, or the technology interface needed, to send or request a payment digitally.


To address these issues, directories that allow payees to securely register their payment details and identities electronically are emerging, such as Zelle® in the US. Owned by a consortium of banks, the Zelle directory allows users to register identifiers, such as an email address or mobile phone number – referred to as “tokens” – which, following a thorough authentication process, can then be used to send and request electronic payments. Banks will then pull that authenticated token from the directory to find out the beneficiary’s bank, before using ACH or the card network to settle the payment. Going forward, Zelle, with the support of some of its member banks, including BNY Mellon, is working with The Clearing House to add RTP as an additional settlement mechanism. It is hoped that these capabilities will be implemented within the next year.

And while Zelle represents an effective way to securely send electronic payments to consumers and small businesses, there is also a demand for this in the business to business or vendor payments space. They too want to reduce the time and effort it takes to collect supplier banking account information, validate and keep it updated, as well as ultimately reduce or eliminate paper checks. This is increasingly achieved through settlement networks such as Paymode-X®, the largest business to business vendor payment network in the US, with over 400,000 members, processing over $200 billion in payments annually. It allows clients to convert vendor payments from paper (check) to ACH with electronic remittance, with the potential to earn revenue share on payables.

Adapting to the “new norm”

With the emergence of real-time payments, updated legacy rails and a new layer of overlay services, the US payments space is transitioning to an entirely new payments culture. Developments are moving quickly, with many banks looking to outsource their solutions to a trusted provider that already has the technology available – enabling them to swiftly go to market for a fraction of the cost.

As banks look to transform in this way, it is vital that they are able to provide clients with the options and capabilities they need to enable their businesses to run effectively and efficiently in the new faster payments environment. There is not a single, optimal channel that can solve every issue and meet all requirements – making it crucial that banks have a variety of tools in their arsenal, ready for instant deployment. The opportunity to provide improved, digital services to organizations, with greater levels of security, ease and efficiency has arrived. By working together to achieve ubiquity and interoperability, banks are developing the modern tools necessary for delivering a truly optimised payments experience.

The views expressed herein are those of the author only and may not reflect the views of BNY Mellon. This does not constitute Treasury Services advice, or any other business or legal advice, and it should not be relied upon as such.

Andrew Durant, the head of the Forensic & Litigation Consulting team at FTI Consulting, offers Finance Monthly an analysis of the impending challenge to finance teams and advice on how they can overcome it.

Fraud was already shaping up as a big issue for businesses in 2020 before the COVID crisis struck. For instance, the Resilience Barometer 2020 research from my company, FTI Consulting (involving 2,000 senior executives) found that fraud was perceived as the number one financial crime, with 24% reporting being exposed to it.

This would mean that an enormous £28 billion was lost to fraud in 2019 alone by FTSE 350 businesses (based on an average loss of 5% of annual turnover - see 2018 ACFE Global Fraud Survey, Report to the Nations). Even at 1% of turnover, this would still be sizeable for victim businesses.

On top of this ongoing problem, a spike in fraud typically follows most global crises. Sadly 2020 is going to be the worst year many of us will experience!

Why do more fraud cases appear after crises? A variety of reasons, such as an increased opportunity available to fraudsters with senior management teams rightly focused on other things, such as trying to keep their businesses afloat and their staff in jobs for a start.


What they will not be thinking about is the enemy within. And, in my experience, that is where the greatest risk lies. It is human nature to believe that threats arise from unknown individuals outside an organisation. However, it is more likely to be a fellow employee who knows the financial controls (and the weaknesses in them) and whom you trust implicitly.

Crafty fraudsters will see 2020 as a ripe opportunity to pounce. In the current “lockdown” with increased home working, and correspondingly fewer people at work overseeing finance, security and operations, fraudsters will have more opportunity, with less scrutiny, more freedom and fewer questions asked.

What can finance directors and their teams do to reduce the escalating risk of fraud? Here are three areas that seem simple but can actually make a huge difference to preventing and detecting frauds:

1. Encourage whistle-blowers to step forward

Most frauds are detected by tip-offs from employees, especially those who are involved in finance and procurement.  Despite protections in place, whistle-blowers still fear that they will become the victim and either be exposed and/or lose their jobs. And, I don’t blame them.  In many cases I have investigated, the immediate reaction of the company tended to be “who is the whistle-blower” or “they must have an axe to grind”, not “we need to investigate these allegations immediately and prevent further loss”.

2. Use of temps and contract staff should be monitored carefully

If a member of the finance department becomes unwell or needs to take time off to care for a relative, it may be tempting to backfill with temporary or contract staff. Companies should ensure that they do not drop their guard and carry out fewer checks than normal. Fraudsters have been known in the past to target finance teams that have a higher propensity to rely on contract or temp staff.


3. Be diligent in your transaction approval process

The lockdown now looks likely to continue in some form until at least September, so it is important that finance teams remain vigilant and check all transactions carefully, especially scrutinising carefully any:

Despite taking all the precautions listed above, organisations will still suffer fraud. Once discovered, taking the right steps quickly ensures a higher chance of recovering missing funds and a lower chance of losses continuing.

Do not make emotional or hasty decisions

Fraud involves a breach of trust and, therefore, as an employer you may feel betrayed by what has happened. As a result, you may be tempted to take immediate action which may ultimately compound the situation.

Therefore:

Keep an open mind

There may be a logical explanation for the discrepancy that may not be immediately obvious.

Discuss this with as few people as possible

You may be unwittingly tipping off someone involved in the fraud. If you do need to escalate or discuss your concerns, speak to the head of internal audit or legal department. Do not discuss it with a colleague, even if you trust them implicitly (see above regarding the enemy within).

Plan a course of action

The actions taken in the first hours and days after a suspect comes to light can ultimately affect the successful outcome of any action. As the finance director, you will likely have a fraud response plan in place. However, I wonder how many of them are collecting dust, probably also years out of date? Also ensure that senior management in each team or location knows about the plan and has tested it (akin to a fire alarm, the plan needs to be tested to ensure everyone knows what to do and when).

Finally, I would advise finance directors and their teams not to ignore that “sixth sense”. If you start to feel uncomfortable about something, there is usually a reason.

A suitable title loan is one that matches your needs and requirements. Borrowing against your car title is a non-traditional loan. When you start searching for the best place to get a car loan online, you get thousands of results in a matter of seconds. Not every lender keeps your best interest in mind, and not every loan provider has the best terms. You should know how to find a suitable title loan by following some tips.

Always Check the Track Record

Some offers seem too good to be true when you start browsing the web about the best car title loans. You need to act like a careful buyer. Make sure you check reviews and ratings of a car title loan provider. Get an idea about the company by exploring its website, especially the “about us” page. Next, read online reviews about the company's services and offers. The more you read, the better you will know whether a loan company is legitimate or not. Try to make a deal with a company that has been rendering services for quite some time. For example, when a car title loan provider has served its customers for seven or more years, you can generally rely on its services. Also, check for the physical location and offices of a loan provider.

Know How Simple the Process Is

Every lender will share their contact details on their official website. All you need to do is to dial the customer care number and ask about the car title loan and its requirements. It would be best if you probed into this deal before you sign it. Try to know what kind of paperwork is involved in the process, how long it takes to get a car title loan, and what the terms and conditions are. If a company requires you to go through a hefty process that will continue for some weeks, you should look elsewhere. A car title loan is a secured loan where most lenders only take one or two days to process it. 


Try to Meet Only Your Needs and Requirements

Don’t take a loan amount that you can’t afford to pay back. You are keeping your car as collateral; failure to repay the loan means losing it. Some lenders are ready to give you more money than you need, but no matter how mouth-watering the scheme is, you shouldn’t fall for it. If you are getting a low-interest deal when you pay in lump-sum, then don’t sign up for it unless you are sure that you can pay it back in a month or as per requirement. You should know that your vehicle will be seized by the lender if you cannot pay. According to a study, almost 20% of the borrowers who opt for a lump-sum type of car title loan end up having their cars repossessed. It is better to go for an instalment loan with your favourable terms so that you can pay the loan back conveniently.

Always Prioritise Your Safety and Privacy

The best place to get a car title loan is where you can enjoy the perks of information safety and privacy. Most of the time, you apply online for a title loan. You add your personal and financial information. Before you provide all such information to a company, make sure you can rely on its system.

Nowadays banking is closely interlinked with technology. It’s also no secret that digital banking is many people’s preferred method of interacting with their money. Changes to the way we bank over the last decade and our increasing reliance on digital platforms have led banks to change their business models. Controlling money through online services has created a seismic shift in the industry and those who haven’t adapted are struggling to stay relevant. Jean Van Vuuren, Regional VP for UK, Middle East and South Africa at Alfresco, examines how challenger banks have pushed the industry forwards.

Despite the introduction of challenger banks to the industry, many of us still rely on large, traditional banks to keep our hard-earned money safe. So how do these institutions take inspiration from the new emerging banks and put it into practice whilst keeping themselves relevant to a society that is increasingly reliant on technology? And what is next in the wave of digital transformation for financial institutions?

Using AI as part of the customer experience

Banks prioritising the customer experience has increased by leaps and bounds in the last 5-10 years, but it doesn’t just end with the launch of an app or the re-design of an online experience. The customer experience needs to be revisited regularly and continually play a core role in the adoption of the latest technology available.

For example, the future of AI in the banking world is very exciting and is completely transforming the customer experience. Voice banking, facial recognition and automated tellers can help create a completely personalised experience for each customer. Someone could walk into a high street bank, AI sensors at the door could use facial recognition to let the teller know who has arrived and they could automatically pull up all the information about their account without having to ask for their bank card or details.


As technology gets more sophisticated, this opens up possibilities for banks to focus on advising customers rather than spending time on transactions and processes.

Trusting the security of the cloud for confidential documents

The cloud has completely transformed the way in which we store information on our smartphones, computers and within the enterprise. However, as with any technology it comes with potential security risks. Trusting a third party with your data feels risky in most industries because you no longer feel in control of it, but banks are often trusted with our most precious data – not to mention our money. Therefore, maintaining confidentiality is of utmost importance to banks in order to maintain the trust of their customers.

Financial institutions should make sure that they are not relying on security embedded in cloud platforms to do the heavy lifting. Implementing governance services that provide security models and audit trails, regulate access (even internally) and confidently demonstrate compliance is key for an industry with so much access to personal information. Whilst working in the cloud offers flexibility, it needs to be made secure with intelligent security classifications and automatic safeguarding of files and records as they are created.

This also brings up the issue of legacy platforms from a security and feasibility standpoint. Fund management companies find that legacy platforms are very expensive and not cloud ready. There is very little room for innovation and it is hard to adapt them to meet customer demands. Even if a fund management company has migrated to a SaaS or PaaS solution, quite often regulatory obligations and the potential dangers posed by hacking and data breaches mean that they sometimes go back to using an on-premises solution. Instead of backtracking, financial institutions should spend time to understand what the best cloud option for them would be and how they would implement it within the confines of governance and compliance.


Going paperless

Discussing going paperless in 2020 may seem like going back to the past, but for many financial institutions making the transition to fully paperless operations is still a work in progress. This is also a key area where challenger banks, which have never had paper-based processes, have an advantage: they don’t have to adapt simply because they were born paperless. There is also a new generation of consumers that embrace and often expect paperless banking.

While the fintech industry is intrinsically paperless, banks are still adapting to phase out paper support, but this transition should be an integral part of updating the customer experience. The paperless movement involves moving from simply depositing checks via smartphone to a complete digital experience from end-to-end.

Going paperless also provides an added layer of security in accordance with a rising tide of regulations and government mandates. With digital records, automated management processes allow companies to set up rules around metadata to file records, put security procedures around them and also delete personal information within retention regulations.

Keeping pace with challenger banks who are born of today’s technology

In recent years, the introduction of technological advances such as digital ID verification, e-signature and risk analytics has been transforming the way financial service providers interact with their customers. New challenger banks build whole systems in as few as two weeks and automate as much as possible.

By their very nature, challenger banks are pushing their competitors to be more agile and they are growing exponentially, something which the high-street banks had underestimated when they first entered the market. Created for the digital first generation, challenger banks won market share by putting customer-centric products at the heart of their business. They are also able to improve the product and the user experience quickly according to customer feedback.

Customers are flocking to the disruptors in the market who offer exciting functionality. Challenger banks providing customers with new online features, ones that let them take control of their finances, are thriving in the market. In the modern day, banks need to embrace new technologies and digitise processes to create a customer-oriented business and, ultimately, succeed in the market.

Cyber-attacks are the new normal, so CEOs are looking for ways to protect their businesses from emerging risks. From large corporations to small businesses, everyone is a potential target for hackers.

In 2020, the trend does not seem to be subsiding. Hence, many are looking into a form of cyber insurance that would cover them if worse comes to worst.

The question presents itself: what is this insurance coverage, and what does it leave out? And, more importantly, what are its main pros and cons?

Cyber Insurance: What Does It Cover?

In no particular order of importance, cyber insurance covers the following:

1.     Media Liability

Advertising your services can result in intellectual property infringement. Cyber insurance covers its consequences (patent infringement not included). Do note that it covers both online and offline forms of advertising.

2.     Network Security

With information and privacy risks abounding, you need to keep your bases covered against network security failure. It includes malware infection, business email compromise, cyber extortion demand, and ransomware.

If you have cyber insurance, you can recover first-party costs related to:


3.     Errors and Omissions

If a cyber-attack hits you, you could find yourself no longer able to fulfill your contractual obligations. That leaves your customers hanging.

You won’t be able to afford to focus on consulting, upkeep, and other services. Once there is a cyber incident, all your time and energy go toward addressing its repercussions and minimizing the damage.

Since your customers may not be as understanding as you’d like them to be, it makes sense to protect yourself by investing in cyber insurance.

4.     Network Business Interruption

Modern businesses tend to rely on advanced technology to remain operational. In the event of an incident, some form of interruption is imminent.

For instance, if your provider’s network goes down, you can’t recover expenses sustained as a result and lose profits as well. Think of system failures, unstable system patches, security failures, human error, and more.

5.     Privacy Liability

When a breach happens, it can expose the sensitive data of your customers that lies on your servers. As a result, your business could be held liable.

So if it comes to a class-action lawsuit, there will be legal fees to cover. Regulatory fines resulting from the likes of GDPR are another threat. It could bring your company to its knees. Without insurance, you could find yourself closing down the doors for good.


What is Left Out?

As comprehensive as it may be, do bear in mind that cyber insurance does not cover everything. For instance, losing value due to theft is not part of it. Nor does it cover the loss of potential profits in the future. It also doesn’t allow you to improve your existing internal technology systems or amass the funds to make security upgrades.

The Advantages of Cyber Insurance

To sum it up, these are pros of cyber insurance:

The Disadvantages of Cyber Insurance

As with all things insurance-related, there are also some downsides to it:

If a business operates with a more modest budget, they may not have the funds necessary for insurance.

What are The Additional Measures to Take?

As you can see, there is no one-size-fits-all solution. You need to protect your business on multiple fronts.

Conclusion

Cyber insurance remains an important consideration for every executive. The more your company depends on technology, the greater is its role. Once again, assessing the risks lies on your shoulders. Depending on the nature of your business, you stand to gain more than there is to lose.

Here David Orme, SVP at IDEX Biometrics ASA, discusses with Finance Monthly how Gen Z is set to change the face of modern banking, as well as how banks can address fraud and security challenges and the role of biometrics in combatting fraud.

Consumers in Generation Z (those born after 1995) are the biggest market disrupters right now. They are predicted to make up 40% of all consumers by 2020, and will account for 32% of the global population overtaking millennials (31.5%, born between 1980-1994). As this generation’s spending power grows, they will change the consumer world in many ways.

Now, Generation Z looks set to transform the face of modern banking too. Our recent research into Generation Z’s attitudes towards banking and online security and biometrics found that nearly eight-in-ten (79%) 16-24-year olds think banks should do more to protect their customers from fraud.

Additionally, the youngest consumers in our study were 16-17-year olds, the target age for many new banking customers. Of this age group, a huge 95% think banks should be increasing fraud protection for their customers.

Why is Generation Z so concerned about fraud?

Having grown up around the threat of cybercrime, those in Generation Z are more aware of the risks of fraud than the more security-lax millennials (born between 1981 and 1994). Our research found that nearly three-quarters (74%) of 16-24-year olds believe it is too easy to find someone’s personal information online nowadays. Also, more than half (52%) of Generation Z are worried about someone stealing their identity.

I recently observed a focus group of 18-24-year olds to support our research and noticed a high level of awareness about banking and online security from the respondents. Interestingly, many of the young consumers showed they don’t just jump to install the latest banking apps simply because they are new or cool. They are thoughtful with their consumer decisions and assess how well services or technologies fit their security and financial needs first.

One respondent, Nikki, who is 24 and from London, stood out for rejecting mobile payment apps, the opposite of the perceived image of someone in Gen Z: “I only use my bank card to pay for things,” she said. “I deliberately keep my phone separate because I don’t want spending money to be too convenient.”

The security challenge

Like Nikki, many Generation Z consumers are more cautious while banking or shopping than retailers and banks often believe. The research shows that, far from being over-sharers of their personal information, more than three-quarters (76%) of Generation Z accept that it’s their responsibility to look after their data and keep their identity safe. In return, these consumers expect their banks and service providers to work just as hard to deliver a high level of protection for them.

Although new challenger banks, such as Monzo and Starling, are growing rapidly among young consumers, that doesn’t mean Generation Z trust them more when it comes to security than the high street giants. Michael, a 19-year-old student from London also in the focus group, summed up the care with which Generation Z approach digital banks: “I feel the online banks have to push up their security because there’s no physical presence,” he said. “So they’ve got to be more secure to be on top of their game.”


Our study also reveals a wider lack of confidence in all banks, as only half of Generation Z shoppers (54%) are certain that their bank would refund them any losses if someone fraudulently accessed their bank account and stole any amount of money. The new generation of banking customers expect greater security and responsibility from high street banks, which in turn is driving their consumer choices.

The biometric banking solution

The findings also show that Generation Z wants to see banks adopting new technology to combat card and online fraud. Nearly two-thirds of them (62%) think all banks should offer biometric payment cards to help reduce fraud.

Additionally, nearly half (45%) of Generation Z can’t believe credit and debit cards don’t already use biometrics for payment and ID security. Again, this is even higher among 16-17-year olds, with nearly two-thirds (63%) of them expecting banks to already use biometrics for payment card security. As high street banks often thrive on signing-up new customers while they are young, appealing to this new generation of consumers is vital for the industry.


Therefore, financial institutions must now add biometric technology to the payment card market to attract young and potentially loyal customers. In fact, nearly half of those in Generation Z (46%) would choose a bank that offered biometric payment cards over one that didn’t.

Most importantly, Generation Z consumers are willing to pay for added security as two-in-five (43%) would expect to pay a little more for a biometric payment card, with a third (33%) willing to pay between £3-5 per month for it.

Banks need to act now

While many traditional banks have been slow to respond to the needs of Generation Z customers, it’s important for the success and future of the financial industry that they don’t ignore the demands of this generation of customers any longer. Unless high street banks act now to address the security concerns of those in Generation Z, they’ll soon be overtaken by fintechs and digital challengers who can innovate faster.

It is apparent that under-24s expect to be using new, secure biometric technology today for increased payment security and convenience. Banks must now introduce innovative biometric payment cards to attract young customers, protect users from fraud and build trust with the consumers of tomorrow.

Generation Z growing concerns

Having grown up around the threat of cybercrime, those in Generation Z appear to be more aware of the risks of fraud than millennials (born between 1981 and 1994). Our research found that nearly three-quarters (74%) of 16-24-year olds believe it is too easy to find someone’s personal information online nowadays. On top of that, more than half (52%) of Generation Z are worried about someone stealing their identity.

While observing a focus group of 18-24-year-olds held to support our research, I noticed a high level of awareness about banking and online security from the respondents. Many of the young consumers showed that they don’t just install the latest banking apps simply because they are new or cool. They are considered in their consumer decisions and assess how well services or technologies fit their security and financial needs before acting.

One respondent, Nikki, who is 24 and from London, stood out for rejecting mobile payment apps, the opposite of the perceived image of someone in Gen Z: “I only use my bank card to pay for things,” she said. “I deliberately keep my phone separate because I don’t want spending money to be too convenient.”

Do banks still have our trust?

Like Nikki, many Generation Z consumers are more cautious while banking or shopping than retailers and banks may realise. Our research shows that, far from being over-sharers of their personal information, more than three-quarters (76%) of Generation Z accept that it’s their responsibility to look after their data and keep their identity safe. In return, these consumers expect their banks and service providers to work just as hard to deliver a high level of protection for them.


Although new challenger banks, such as Monzo and Starling, are growing rapidly among young consumers, that doesn’t mean Generation Z trust them more when it comes to security than the high street giants. Michael, a 19-year-old student from London also in the focus group, summed up the care with which Generation Z approach digital banks: “I feel the online banks have to push up their security because there’s no physical presence”, he said. “So they’ve got to be more secure to be on top of their game.”

Our study also reveals a wider lack of confidence in all banks, as only half of Generation Z shoppers (54%) are certain that their bank would refund them any losses if someone fraudulently accessed their bank account and stole any amount of money. The new generation of banking customers want to see even greater security and responsibility from high street banks, which in turn is driving their consumer choices.

A modern solution for a digital world

The findings also show that Generation Z wants to see banks adopting new technology to combat card and online fraud. Nearly two-thirds of them (62%) think all banks should offer biometric payment cards to help reduce fraud.

Additionally, nearly half (45%) of Generation Z can’t believe credit and debit cards don’t already use biometrics for payment and ID security. Again, this is even higher among 16-17-year-olds, with nearly two-thirds (63%) of them expecting banks to already use biometrics for payment card security. As high street banks often thrive on signing up new customers while they are young, appealing to this new generation of consumers is vital for the industry.

Therefore, financial institutions must now add biometric technology to the payment card market to attract young customers and grow loyalty with them. In fact, nearly half of those in Generation Z (46%) would choose a bank that offered biometric payment cards over one that didn’t.

Most importantly, Generation Z consumers are willing to pay for added security as two-in-five (43%) would expect to pay a little more for a biometric payment card, with a third (33%) willing to pay between £3-5 per month for it.

The time to act is now

As Generation Z will soon make up a large proportion of banks’ customer bases, it is imperative for the prosperity of the banking industry that these security needs are not ignored. If high street banks remain slow to respond to the demands of Generation Z and fail to address its security concerns, they will soon be surpassed by digital challengers who are able to revolutionise the system faster.

It has become increasingly clear that under 24-year-olds are now expecting to be using innovative and secure biometric technology for improved payment security and convenience. Banks now hold the responsibility to make this change as soon as possible. The introduction of new biometric payment cards will entice younger customers, protect users from fraud and encourage continued faith in consumer banking.


Here Anthony Perridge, VP International at ThreatQuotient, discusses how all businesses need to fully understand the threats they can face on social media and how to prevent them, and specifically how FS firms can protect their institutions online.

More than three billion people around the world use social media each month, with 90% of those users accessing their chosen platforms via mobile devices. While, historically, financial services (FinServ) institutions discouraged the use of social media, it has become a channel that can no longer be ignored.

FinServ institutions are widely recognised as leaders in cybersecurity, employing layers of defence and highly skilled security experts to protect their organisations. But as the attack surface expands with the growing use of social media and external digital platforms, many FinServ security teams are blind to a new wave of digital threats outside the firewall.

Social media is a morass of information flooding the Internet with billions of posts per day that comprise text, images, hashtags and different types of syntax. It is as broad as it is deep and requires an equally broad and deep combination of defences to identify and mitigate the risk it presents.

Understanding prevalent social media threats

Analysis of prevalent social media risks shows the breadth and depth of these types of attacks. A deeper understanding of how bad actors are using social media and digital platforms for malicious purposes is extremely valuable as FinServ institutions strive to strengthen their defense-in-depth architectures and mitigate risk to their institutions, brands, employees and customers.

To gain visibility, reduce risk and automate protection, leaders in the financial industry are expanding their threat models to include these threat vectors. They are embracing a data-driven approach that uses automation and machine learning to keep pace with these persistent and continuously evolving threats, automatically finding fraudulent accounts, spear phishing attacks, customer scams, exposed personally identifiable information (PII), account takeovers and more.


They are aggregating this data into a central repository so that their threat intelligence teams can trace attacks back to malicious profiles, posts, comments or pages, as well as pivot between these different social media objects for context. Network security teams can block their users from accessing malicious social objects to help prevent attacks, and incident response teams can compare their organisation’s telemetry of incidents with known indicators of compromise to mitigate damage.

Employee education is also a critical component of standard defences. Raising awareness of these threats through regular training and instituting policies to improve social media security hygiene with respect to company and personal accounts goes a long way to preventing these attacks in the first place.

A Checklist for Financial Institutions

This checklist, which encompasses people, process and technology, will go a long way toward helping FS teams better protect their institutions, brands, employees and customers.

  1. IDENTIFY the institution’s social media and digital footprint, including accounts for the company, brands, locations, executives and key individuals.
  2. OBTAIN “Verified Accounts” for company and brand accounts on social media. This provides assurance to customers that they are interacting with legitimate accounts and prevents impersonators from usurping a “Verified Account.”
  3. ENABLE two-factor authentication for social media accounts to deter hijacking and include corporate and brand social media accounts in IT password policy requirements.
  4. MONITOR for spoofed and impersonator accounts and, when malicious, arrange for takedown.
  5. IDENTIFY scams, fraud, money-flipping and more by monitoring for corporate and brand social media pages.
  6. MONITOR for signs of corporate and executive social media account hijacking. Early warning indicators are important to protecting the organisation’s brand.
  7. DEPLOY employee training and policies on social media security hygiene.
  8. INCORPORATE a social media and digital threat feed into a threat intelligence platform as part of an overall defense-in-depth approach. This allows teams to ingest, correlate and take action faster on attacks made against their institution via social media.

Here Jake Holloway, Chief Product Officer for Rizikon Assurance at Crossword Cybersecurity PLC, explains why Supplier Assurance Frameworks are becoming more and more essential in the new world of operational resilience.

More recently, the introduction of SMF24 under the Senior Managers and Certification Regime has put the ownership of resilience firmly in the boardroom. Those in the new SMF24 role need to have complete visibility of the operational risks that might exist not only in the organisation, but also within its own supply chains and partnerships. As we have seen with recent IT outages and high-profile cyber security incidents, it is not always the institution itself that is at fault, but it is the institution that faces the critical attention of its customers, the media and the regulators.

A new era of supplier risk management for the financial sector

In order to manage risk and build healthy supply chains in the financial sector, the right supplier assurance processes need to be in place.  This could be seen as a challenge for procurement teams and the supplier onboarding process, but it reaches much further, with risk assessments needed across areas as diverse as anti-money laundering, the Modern Slavery Act, Health & Safety, GDPR and cyber security to name but a few.

Each of these areas impacts institutions in different ways, and indeed may require specialist expertise to assess the risks. Cyber security is a great example, where a weakness in one supplier, such as an unpatched VoIP phone or laptop, may be exploited to reach back into the financial institutions themselves.

Normally, supplier assurance and procurement teams would stay well away from such technical and complex areas.  For instance, with cyber security, where supplier due diligence requires a cyber security assessment, it’s happily handed over to specialists – whether internal or external.  Any reports, risk acceptance or remediation activities are left with the specialists while supplier assurance teams focus on the core of financial risk, insurance cover, regulatory standards, governance and so on.


Building a Supplier Assurance Framework

Institutions need a different approach to reduce risks associated with suppliers, vendors and other third parties.  One that combines the supplier assurance and procurement team’s approach based on good practice, controls, evidence of governance and commitments to improvement, with the deeper technical understanding of other teams.  Supplier assurance and procurement teams have a far greater role to play in this than they may imagine through the implementation of a Supplier Assurance Framework.

A good framework starts with the need for supplier assurance and other departments to gain an improved understanding of each other’s domains, objectives and responsibilities. A starting point is for them to jointly develop Supplier Impact criteria that systematically assess how much inherent risk every supplier or third party may have in that department’s sphere.

Each supplier can then be measured against these criteria, and their supplier impact level established.  A different approach for each level of impact should be agreed jointly and completely standardised across the organisation. For example, for suppliers with a Very High impact, the supplier should be expected to demonstrate a high level of internal controls.  For cyber security, for example, this should take the shape of obtaining or working to achieve high standards such as ISO27001, IASME Governance or NIST.  This means it’s the supplier’s responsibility to show a serious level of control rather than the hard-pressed cyber security team’s responsibility to dive into hundreds of hours of audit work.  It also has the benefit of being easy for a non-cyber specialist to determine if the standard is present or not.

Where a technical assessment is needed, such as a penetration test or at least a “pen test” report from a credible third party, then the supplier assurance team can be responsible for ensuring that this takes place, handing over the responsibility to the cyber teams or external testers where needed. This ‘management of risk’ role cannot be handed over though, as tempting as it is when the talk gets incomprehensibly technical.

The approach at each level of supplier impact should also contain the ongoing levels of compliance required in order to maintain good risk management.  Again, the supplier assurance team can timetable these ongoing reviews and focus on the governance of third-party risk – whether cyber, continuity, financial or regulatory.

Total risk visibility for the SMF24 role

What really helps is that the different teams involved in supplier risk start to use shared information systems to record and visualise supplier risks.  We have seen users creating really impressive supplier scorecards showing a combined view of financial, cyber, GDPR, slavery and other risks all on one simple chart for each supplier.  For the person in the SMF24 role, this creates a shared understanding of the totality of risk from each supplier and helps specialist teams, such as IT, and the supplier assurance team understand how their worlds fit together.

The SMF24 role completely changes the emphasis on operations from management to proactive resilience, but to achieve that, the right supplier assurance framework, processes and technology need to be in place to give the boardroom the visibility it needs to control, manage and measure its exposure.

 

Goode Intelligence predicts more than 1.9 billion bank customers worldwide will use biometrics by the end of 2020 as a means of making payment authentication more secure and convenient. They also predict that by 2023, there will be 579m biometric cards in circulation. The UK could have a significant role to play in this adoption, with NatWest announcing earlier this month its trial of a biometric fingerprint credit card, making it the first UK bank to do so.

There are some obvious, immediate benefits to biometric authentication. Consumers can authenticate purchases above the current £30 contactless limit without having to enter their PIN, using only their fingerprint instead. For retailers, not only would this reduce queue times but also help facilitate more secure transactions, technologically and visually, as merchants will be able to witness the cardholder authenticating the transaction, which is currently not the case with a stolen card.

Cost factor

When chip and PIN was first introduced back in 2000, a similar cost comparison was made between using a magstripe card and a chip card. In the industry at the time, the discussion about the difference in price revolved around the business case to include a lot of additional data stored on the chip cards, such as medical information and driver’s licence information. In the end, it was determined that that particular chip was too expensive. What we have now is the cheapest chip they could mass produce; a win-win in the eyes of issuers.

When it comes to adding biometric functionality to a card, the significant cost to produce is obvious to even those not privy to the intricacies of card issuance.


Some commentators on this have suggested that some costs could be borne by the cardholder in the form of an annual fee or a set-up fee for a biometric card. However, this could have a negative impact on getting consumers to use biometric authentication.

As is the way with any new technology, there is inevitably going to be initial resistance to cost. But this must be balanced with considerations for, say, the reduction in fraud.

Questions on security

In the case of NatWest’s biometric card, consumers have to go into a NatWest branch and register their thumbprint on a reader, which may seem like an innocuous part of the process but actually raises issues around mass adoption. You cannot have a solution where you’re asking individuals to go to a branch to register a thumbprint; it’s not inclusive to those without access to a branch, especially when bank branches are closing at a rate of knots. The alternative would be a mobile solution, but this again raises issues of accessibility.

The whole idea of using biometrics to authenticate payment raises questions around security, beyond the obvious ways it helps facilitate secure transactions. The human thumbprint is not a physical image. It’s encrypted. When you hear of a data compromise in the news, most cardholders are told to reset their password. But when you’re doing biometrics and you’re using something which is unique to you, like a fingerprint, what’s the backup if that data is compromised? You’ve ultimately only got 10 options unless you start using your toes!

Like any new tech, biometrics generates a lot of buzz and excitement. Whilst it is a fascinating new development in our industry, let’s take a steady approach that ensures we cover all eventualities. Once we open the Pandora’s box of mass adoption, it will be very difficult to close it.

Authored by Nick Fisher, European Projects Manager at JCB International (Europe).

According to Simon Hill, Head of Legal & Compliance at Certes Networks, this is mostly due to the fact that financial institutions are not only heavily regulated by data privacy requirements, but they are also under mounting pressure to be open to consumers and businesses about how they are protecting their data from potential breaches.

Additionally, no bank or financial services organisation wants to face the consequences of a data breach. This is demonstrated by the fallout of numerous data breaches in the industry over the years - from Capital One in 2019, to Equifax in 2016 and Tesco Bank in 2017. In the case of the Capital One data breach, a hacker was able to gain access to 100 million Capital One credit card applications and accounts. This included 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. Additionally, an undisclosed number of people's names, addresses, credit scores, credit limits, balances and other information dating back to 2015 was involved, according to the bank and the US Department of Justice.

What’s more, the damage from these data breaches is not only reputational, but also financial. As a result of Equifax’s data breach, the organisation reached an agreement to pay at least $575 million and up to $700 million to compensate those whose personal data was exposed. In 2016 Tesco Bank was fined £16.4 million by the Financial Conduct Authority (FCA) over its "largely avoidable" cyber-attack that saw criminals steal over £2 million from 34 accounts. This clearly shows that these consequences can arise no matter how ‘large’ or ‘small’ a data breach may seem; companies that do not encrypt their data adequately to safeguard it will be penalised.

On top of this, the increasing expectations of consumers mean that banks and financial institutions are trying to achieve a balancing act: how can they protect data privacy, while at the same time remaining transparent about how data is being protected? However, it doesn’t have to be a trade-off between meeting customer expectations and meeting cyber security compliance requirements. Banks and financial services organisations can utilise technology to the fullest extent while still protecting data and avoiding the unthinkable repercussions of a data breach.

The balancing act 

To achieve this balance, banks and financial services organisations need to take greater measures to control their security posture and assume the entire network is vulnerable to the possibility of a cyber-attack. Robust encryption and controlled security policies should be a central part of an organisation’s cyber security strategy. When stringent policies are generated and deployed, it enables greater insight into applications communicating in and across the networks. New tools are now available to enforce these policies, not only impacting the application’s workload and behaviour, but the overall success of the system access.

Conclusion 

Banks and financial services organisations should not have to worry about keeping data secure and protected when it is entirely possible to do so. Adopting new ways to look at how organisations define policies, through micro-segmentation and separating workloads by regulations, is one example of how to keep data more secure. Also, ensuring policies define only those users who have a critical need to see the data limits network vulnerabilities. And lastly, a robust, automated key management system in which keys are rotated frequently can also help to safeguard system access and strengthen the organisation’s security posture.

Despite this shift however, the payment card is very much still alive with six-in-ten (60%) UK consumers stating they would not give up their debit card in favour of mobile payments. In fact, a further three quarters (75%) of UK consumers are concerned about the UK becoming a cardless society, where they no longer have access to a physical debit card and can only rely on mobile payments.

Here David Orme, SVP at IDEX Biometrics ASA, explores the realities of payments preferences in the UK and what financial institutions must do to ensure that we experience a seamless transition towards becoming a cashless society.

Do you remember coins? When was the last time you actually carried around a pocketful of pennies to pay for something? Given the rapid growth of contactless transactions, mobile payment apps and online shopping, it was probably quite a while ago now. Advancing banking technology means we are fast moving towards a cashless society. In the UK, cash payments fell behind card transactions for the first time in 2017, while Sweden expects to become the first country in the world to go fully cashless, thanks to a country-specific payment app.

However, despite being hailed as the solution to end our use of cash and cards, mobile payment apps haven’t reached anywhere near the expected level of public adoption in the UK. By 2018, only 13% of the UK population was using mobile payments, due to the majority of the population generally preferring the ease and familiarity of contactless cards.

This is supported by our recent research at IDEX Biometrics ASA, which reveals that six-in-ten (60%) UK consumers would not give up their debit card in favour of mobile payments. In fact, a further three quarters (75%) of UK consumers are concerned about the UK becoming a cardless society, where they no longer have access to a physical debit card and can only rely on mobile payments.

Clearly, the payment card has become a strong part of our daily routine. So much so that almost two-in-five (37%) of UK consumers stated that as long as they have access to a debit or credit card, the thought of a cashless society wouldn’t bother them. Interestingly, this number even rose to over half (52%) of 25-34-year-olds.

Given this strong evidence that consumers are still loyal to the payment card, it seems that the banking industry is focusing on the growth of the wrong payment technology. As we move towards a cashless world, the future of payments may not be in smartphone apps after all.

A smooth transition

There is a clear generational divide when it comes to the acceptance of digital payments. While over half (53%) of 18-24-year olds believe they already live a mostly cashless life, that number plummets to only 19% of those over the age of 55. Similarly, while four-in-ten (38%) of those aged 25-34 believe cash is now obsolete, only 9% of over 55s agree.

In fact, half (50%) of those aged over 55 are continuing to use cash to buy small-ticket items. Young people, however, are so tied to their card that two-in-five (40%) of those aged 25-34 say they won’t shop anywhere that doesn’t accept cards.

One of the greatest concerns surrounding a cashless society is the potential for inequality. Consumers shouldn’t be locked out of the banking system because they are less familiar with new payment methods or have limited access to digital devices. To keep our economy fair and inclusive, our payments system must stay accessible to all. Therefore, as we approach a cashless society, the UK Government and banking sector should reconsider the cashless transition. Instead of the focus on mobile payment apps, banks and financial institutions must adopt payment card technology that is convenient, secure and reliable for consumers of all ages, particularly older generations who still rely on cash.


Holding on to security

Consumers are also dismissing mobile payment apps thanks to rising security worries around the new technology and the potential for misuse of mobile payments. Over two-thirds (68%) of respondents still feel more secure using their bank card than a mobile phone to make a payment, while almost three-in-five (58%) fear that if they lost their mobile phone, people would be able to access their bank accounts.

In contrast, half (50%) of respondents say that having their debit card gives them a sense of security. Significantly, four-in-ten (41%) consumers would trust the use of their fingerprint to authenticate payments from their bank card more than a PIN.

Given these concerns, it is evident that payment technology needs to be more secure. It’s time for banks to adopt cards with biometric fingerprint authentication, which can’t be misused without the owner’s fingerprint, even if stolen or lost. Incorporating this advanced biometric technology into payment cards would enhance authentication for transactions and provide all consumers with a safer payment process that offers more reassurance than PINs or apps currently provide.

Futureproofing the payments industry

Although the idea of a cashless society holds many benefits, 55% of consumers actually think a cashless society will be inconvenient. Whether from lack of technology awareness or security concerns, consumers are still fearful of the day when they have to rely on mobile apps to access their money and pay for goods. Given this fear, the financial industry needs to work quickly to enhance payment cards by utilising biometric technology to secure payment authentication, before cash becomes extinct.

Payment cards that provide the convenience of contactless payments with the added security of fingerprint authentication are the key to a seamless transition into a fully cashless society. Such cards will prevent misuse and card fraud, while allowing fast, convenient, secure and direct access to our bank accounts, bringing much-needed reassurance to UK consumers.

UK consumers have made their feelings clear; they are just not willing to give up their payment cards. In a cashless society, cards will still be leading the way – we must future-proof them for the next generation of payments now.

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.