Finance Monthly hears from Wayne Parslow, Executive Vice President for EMEA at Validity, as he explores what the financial services sector stands to gain from better handling of its data.
Financial firms face an increasingly complex minefield of regulations when it comes to handling data. The sector has so many acronyms that it’s often difficult for a layperson to wrap their head around them. Unfortunately, finance companies don’t fare that much better, and can be overwhelmed by seemingly infinite customer data management requirements.
Whether it’s ensuring appropriate customer data storage under GDPR or securing payments processes under PSD2 and PCI-DSS, there’s a host of regulatory pressures for managing the financial customer relationship chain.
Regulatory bodies are certainly not toothless when it comes to enforcing punitive measures, either. At the end of 2020, the ICO issued fines to both OSL Financial Consultancy Limited and Pownall Marketing Limited for misusing personal data.
Ensuring data held by finance firms is accurate, up to date and, equally importantly, used appropriately is a shared goal for both the regulator and financial institutions. However, with the pressures put on financial firms by the pandemic, there’s a good chance that data management best practice has taken a back seat in favour of ensuring business continuity.
This is a misstep, as the two key fundamentals of data – data quality and data governance – should be tied into the basic operations of a financial services firm. With strong data foundations, financial services firms will be in a far stronger position to navigate the upcoming uncertainty of a post-pandemic world.
Having data quality and governance work in concert to support one another does not simply ensure regulatory compliance, though. The value of data for driving successful business outcomes has already been proven, and businesses which employ a data-driven strategy are growing 30% year-on-year. Higher data quality also delivers stronger customer relationships and greater engagement.
Data quality is not a once-and-done operation. For financial services in particular, it is a complex network of processes and actions that must be continuously maintained as new data is collected, augmented and edited by the organisation.
First and foremost, a finance firm must take stock of the current state of its data. Given the rapid changes that have occurred over the past year, it’s essential to reassess data for accuracy, completeness, duplicates and inconsistencies. To begin with, data needs to be housed correctly so that it can be profiled accurately. Profiling its data enables a financial organisation to ensure it is right for the business’s current needs and can be easily analysed and reported on, and makes it easier to check whether it is up to date.
A common barrier to data quality is duplicates. Many regulations require data to be up to date, and for customer data to be removed under certain circumstances (for example, when a contract is terminated). Whilst a firm might believe it has done its due diligence under these circumstances, leaving duplicate data behind poses a significant compliance threat and risks inappropriate or even illegal communication. To have a consistent, complete view of its customer data, a financial firm must be proactive in managing deduplication. It’s a simple yet effective process that can make a huge impact, but it requires an investment in the appropriate tools.
The end user is typically identified as the weakest link in the security chain, and many breaches reported to the ICO stem from simple user error, whereby an employee downloads a confidential document to a laptop which is then lost or stolen, for example.
With the move to remote working last year, many businesses wisely took the step to upskill their now remote workforces with additional security best practice training to help mitigate the additional cybersecurity risks.
Organisations can take additional steps to guard against errors that create vulnerabilities, such as the laptop example above. Employees will often adopt methods that help them get their jobs done most efficiently, even if these deviate from security best practice. Standardising data is a crucial step to enabling it to move through the organisation in the correct, and secure, way – regardless of location.
For example, if finance needs to produce reports based on the outgoings of a few different international teams, putting best practice standards in place as basic as how titles and regions are entered means this can be completed more efficiently, easily and securely across the board.
Alongside profiling, deduplication and process standardisation, verification needs to be a top priority, and should take place as data is collected. Using external sources, both prospect and existing client data should be verified (provided, of course, that consent has been given for these external sources to be used in this way). Enriching data in this way ensures finance firms get a better ROI from marketing and sales.
Data is constantly changing, and a continuous monitoring regime is the only way to keep track as it waxes and wanes. A simple way to keep up with the health of your data as it changes is to set up dashboards and alerts that track data quality automatically.
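As an added illustration (not code from the article or from Validity), the Python below walks through the deduplication, standardisation and monitoring steps described above on constructed sample records: titles, regions and e-mail addresses are normalised, duplicates are found, and a terminated customer's data is erased. The naive erasure path shows how a duplicate record gets left behind. The sample records, the field mappings and the choice of normalised e-mail as the match key are assumptions made for the example.

```python
"""Added example: standardise customer records, find duplicates that survive
naive matching, and produce the data-quality figures a dashboard would track.
All records below are constructed sample data, not real customers."""
import re
from collections import defaultdict

# Constructed sample: one customer entered three times with cosmetic
# differences (title, region, e-mail case/whitespace), plus one distinct customer.
SAMPLE_RECORDS = [
    {"id": 1, "title": "Mr.", "name": "Alex Example", "email": "Alex.Example@example.com",
     "region": "United Kingdom", "contract_status": "terminated"},
    {"id": 2, "title": "MR", "name": "alex example", "email": "alex.example@example.com",
     "region": "UK", "contract_status": "active"},
    {"id": 3, "title": "Mr", "name": "A. Example", "email": " alex.example@example.com",
     "region": "GB", "contract_status": "active"},
    {"id": 4, "title": "Dr", "name": "Sam Other", "email": "sam.other@example.net",
     "region": "Germany", "contract_status": "active"},
]

# Assumed house standards for how titles and regions should be entered.
TITLE_MAP = {"mr": "Mr", "mister": "Mr", "mrs": "Mrs", "ms": "Ms", "dr": "Dr"}
REGION_MAP = {"uk": "GB", "united kingdom": "GB", "gb": "GB", "great britain": "GB",
              "de": "DE", "germany": "DE"}


def standardise(record):
    """Return a copy of the record with title, region and e-mail in canonical form."""
    out = dict(record)
    title_key = re.sub(r"[^a-z]", "", record["title"].lower())
    out["title"] = TITLE_MAP.get(title_key, record["title"].strip())
    out["region"] = REGION_MAP.get(record["region"].strip().lower(),
                                   record["region"].strip().upper())
    out["email"] = record["email"].strip().lower()
    return out


def match_key(record):
    """Key deciding whether two records describe the same customer.
    Assumption for this example: the normalised e-mail identifies a customer."""
    return standardise(record)["email"]


def find_duplicates(records):
    """Group records by match key and return only the groups with more than one record."""
    groups = defaultdict(list)
    for r in records:
        groups[match_key(r)].append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


def erase_customer(records, email, standardised=True):
    """Remove every record for a customer whose contract has ended.
    With standardised=False the removal matches the raw field only, which is
    exactly how a duplicate gets left behind and later contacted in error."""
    if standardised:
        target = email.strip().lower()
        return [r for r in records if match_key(r) != target]
    return [r for r in records if r["email"] != email]


def quality_metrics(records):
    """Figures a data-quality dashboard would track; alert when surplus_records > 0."""
    dupes = find_duplicates(records)
    return {
        "records": len(records),
        "duplicate_groups": len(dupes),
        "surplus_records": sum(len(v) - 1 for v in dupes.values()),
        "records_needing_standardisation": sum(1 for r in records if standardise(r) != r),
    }


if __name__ == "__main__":
    print(quality_metrics(SAMPLE_RECORDS))
    naive = erase_customer(SAMPLE_RECORDS, "Alex.Example@example.com", standardised=False)
    proper = erase_customer(SAMPLE_RECORDS, "Alex.Example@example.com")
    print(len(naive), "records left after naive erasure (duplicates remain)")
    print(len(proper), "records left after standardised erasure")
```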
That said, it’s not just about technology. There’s no getting away from it – a comprehensive cross-functional approach is needed to implement a successful data governance programme. For finance firms, team members must be subject matter experts who understand the complex industry standards and regulations and know what to do if they don’t. Many finance organisations will already have an executive-level representative responsible for company-wide data management, such as a Chief Data Officer (CDO).
A core aspect of a CDO’s responsibilities should be simplifying processes with the help of the right technologies. However, it’s unlikely there’s a single tool that will do everything a financial organisation needs, and every governance strategy should be bespoke for the organisation that will follow it. Companies should be aiming for a “data quality by design” mindset, where the checks and processes that ensure top-quality data is maintained become second nature.
Ilia Sotnikov, VP of Product Management at Netwrix, looks at the state of cybersecurity in financial services and the external factors that drive it forward in 2021.
The past year has required financial teams and organisations to review many of their technical processes, especially as employees were forced to work remotely almost overnight. Research shows that 30% of financial organisations feel they are at greater cybersecurity risk now than they were pre-pandemic. The majority (64%) are concerned about both more frequent cyberattacks and the security gaps caused by remote work – but despite this increased concern about malicious activity, the most reported incidents for financial firms involved human errors.
As a result, 2021 will certainly see financial organisations reassessing their data security policies to be fit for purpose in a post-pandemic digital world. However, given the wide range of financial services emerging, financial organisations today are at very different security maturity levels. Some have consistent ongoing risk management, established processes and dedicated IT security teams. Others just expect IT operations to handle security as a part-time assignment. Many financial organisations from the less technically mature side of the spectrum, or that still rely heavily on legacy systems, simply don’t have the internal motivation to adopt better security practices.
The good news is that moving into 2021, these organisations will be driven to increase security maturity by external factors: cyber insurance and privacy regulations. With 2021 bringing both new privacy laws and stricter enforcement of existing regulations to minimise the risk of incurring steep fines for compliance failures, businesses will turn to cyber insurance.
The bad news is those policies will come with their own security standards and requirements, such as regular risk assessment and effective detection and response capabilities.
In 2020, many privacy-related bills were pushed down in priority due to more urgent tasks related to the global pandemic. However, this isn’t an issue that will go away. Any British or European businesses that deal with local or international markets have to comply with GDPR – and with Twitter’s recent fine of approximately €500,000 for failing to promptly declare and properly document a data breach marking the first cross-border GDPR ruling, there will be a renewed vigour in the finance industry to ensure compliance. Furthermore, payments-related legislation such as PCI-DSS and PSD2 will face further strains, given that one huge consequence of the pandemic has been to accelerate the move to cashless payments.
This renewed focus on privacy laws requires financial organisations to pay more attention to what data they have on hand, how they handle this data, and who is accessing it and why. Failing to document this, or to follow documented policies, can result in significant fines in the event of consumer complaints or a data breach. This may force finance firms to adopt security and data governance practices they did not have in place this year.
The other driving factor for financial firms to revamp their data security measures is cyber insurance. The cyber insurance market is growing rapidly at an impressive 26% CAGR. This growth is fueled by the surge in cyberattacks and businesses seeking to offset their risks, and executives and board members recognising potential breaches or ransomware threats as business risks.
Finance companies are more likely to turn to insurance as an option to deal with the potential cost of these new risks. However, cyber insurance is not a “pay-and-forget” thing. To lower the risk that their customers will be breached, cyber insurance carriers are requiring them to comply with their own security standards, such as regular risk assessment and effective detection and response capabilities. In this way, cyber insurance carriers contribute to the growth of security solutions that provide such functionality. Finally, they force companies to cover security fundamentals and to regularly re-evaluate their IT risk programmes and the carrier’s policy changes to ensure adequate coverage, as insurance is not a panacea for a weak or inconsistent security programme.
It's safe to say that in the coming year, insurance and legislation will drive mass adoption of fundamental security practices for finance firms and teams. However, given the particular data pressures they face, financial services will be faced with a balancing act of meeting insurance criteria as well as complying with the regulatory standards themselves. While this may throw up some data management challenges, in the long run it will certainly prove beneficial in helping financial services improve their cybersecurity posture.
Annie Button outlines the most common financial failures of SMEs and how they can be averted.
Running a business is tough, regardless of what sector you work in. But if you’re not careful where your finances are concerned, you could be making the situation harder than it needs to be. These are some of the common financial pitfalls that many businesses slip into and how to avoid them.
A business budget is vital for managing future expenses and controlling your finances. But so many businesses operate month to month without any plan for the business’s earnings.
To ensure that you’re not spending where you can’t afford to, or paying too much in one category, you should have a budget in place that is conservative – in other words, keep your income estimates on the low end of the scale and your expenses on the higher side, so that you’re not caught out at the end of the month.
As a business, you want to grow and scale up – it’s a sign that you’re doing well and, for most businesses, it’s the ultimate goal. But having too many people on the payroll too soon could mean you’re overspending where you can’t afford it. Many entrepreneurs find themselves in need of help and they hire too many people too fast, which causes problems where the budget is concerned.
A compromise to ensure you’re not doing everything yourself is to look into hiring people on a part-time basis or contractors. Freelancers are also an alternative that can help you save money without compromising on your business, as you will only be paying for the work they carry out rather than a full-time salary.
A cyber attack can impact your business in multiple ways, from its finances and operations to the reputation of your brand. Cybercrime can be incredibly costly to resolve, not just because of the remediation work required to clean up the system but also because of the reputational damage it can cause.
There’s also the issue of compliance and adhering to GDPR regulations that could mean your company is fined for failing to protect customer information.
It’s vital that you secure your network, make sure that staff have cyber awareness training, and invest in proactive rather than reactive cybersecurity technologies. You should also enforce secure password policies across the business and use firewalls to protect data. It’s also a wise decision to back up your data regularly and have protocols in place should an attack occur.
A common mistake that can be detrimental to businesses is merging personal and business finances. It’s important to consider your business a completely separate entity from yourself from the start, as it can cause complications in the future if you don’t.
You should set up a separate bank account where all money earned from the business is paid into and any business expenses are paid out of. Likewise, if you require a credit card, ensure that your business has a separate one so that it’s easier to track payments.
Issues with cash flow can be a real problem, even for successful businesses, if payments aren’t managed properly. And while it’s nice to believe that everything will run smoothly from day one, chances are there will be unexpected events or emergencies in the future that require funds to keep the business afloat. 2020 has possibly reinforced this point even more for so many businesses.
To ensure you’re never in a difficult situation, it’s important to have money tucked away for such situations that you can lean on when times are tough, without having to resort to credit cards and loans. A good rule to follow is to assess what your basic responsibilities are and average out the cost, then put three months’ worth aside in a contingency fund.
There are so many potential risks when running a business and it’s all too easy to assume that your business won’t suffer if you cut a few corners. But ultimately, in order for your business to thrive and stay in good financial shape, it’s critical that you consider all eventualities and prepare for them accordingly, whether that’s having savings in place, protecting data from threats or being savvy about how you hire staff.
Rich Vibert, co-founder and CEO of Metomic, takes a look at the changes the UK financial sector will soon see and how banks can best prepare for them.
With headlines focused on the UK's plans to breach parts of the Brexit agreement, many key business discussions have fallen by the wayside. But, this begs the question: how are banks going to be protecting customer data? And, what data protection regulation is in place to govern this process as GDPR becomes inapplicable?
These are difficult questions to answer and require banks to unpick complex regulation and governmental disputes, before they can even start to implement the tools that will protect their customers.
Recent reports show that there’s room for improvement when it comes to the banks’ ability to secure data privacy. According to a Bitglass study, 62% of the data breached last year came from financial services, and with the increased risk brought by COVID-19, the prospect of what could happen to data collected and managed by banks is worrying. Furthermore, back in March, a report by Accenture showed that one-third of financial services organisations didn’t have the technical or personal resources to address privacy risks related to customer data. If these firms haven’t addressed this gap yet, they will simply not be prepared for Brexit and the risk that a potential last-minute change in regulations will pose.
After investing two years of work to become compliant with the General Data Protection Regulation (GDPR), banks are understandably unwilling to start again. At present, once we are out of the EU, UK organisations will need to comply with regulation that is yet to exist. Thankfully, there is a large chance that the UK will incorporate GDPR principles into its own law, but uncertainty and confusion still remain. And should new local measures be implemented, banks will need to move quickly to become compliant.
When it comes to data transfers with other European countries, the rules will become stricter, adding extra layers of complexity for financial institutions.
As we stand, the UK government has already declared its willingness to reach an adequacy agreement, to maintain a free flow of data between the two regions. However, given the turbulent relationship with the EU, the agreement on such a deal is by no means a given.
Financial organisations also need to prepare for the possibility of a no-deal Brexit, with speculation that this could see companies sending their data to the EU next year and simply not getting it back. For businesses which heavily rely on constant transfers of sensitive data such as bank accounts and income, this is simply not acceptable. Unpicking the mess will require the investment of time and funds that many businesses can ill-afford.
While a potential headache for financial institutions, the UK’s lack of reassurance when it comes to post-Brexit data protection is even more detrimental to its own citizens. The government’s current track record for safeguarding people’s data leaves much to be desired. The recent admission that the UK track and trace system wasn’t GDPR compliant is just one example that has eroded citizens’ trust. The systematic disregard for data privacy has not gone unnoticed either: 75% of consumers report being concerned about the safety of the information they share with organisations, according to IDEX Biometrics. This has to be addressed if banks are going to survive and ensure that customer trust is maintained.
While the future of data regulation in this country remains in flux, we know that privacy and data protection is top of mind for consumers. To maintain the trust and loyalty of their customers, financial services organisations must think ahead and be prepared for any outcome, specifically at a technical level. But many organisations will be concerned about where to begin and how to navigate this journey.
Thankfully, financial institutions can tackle this challenge without exorbitant costs but they will need a change of mindset. They must put customer data at the centre of their strategy and embrace technology that will help them put privacy first.
But this means having a clear understanding of what is happening to customer data at all times. There are simple mechanisms that can be put in place to deliver this level of control and visibility. These include automating compliance and embedding data protection rules into the IT infrastructure. Solutions such as these can be cost effective and have the potential to save thousands of hours in auditing and developing data management processes. What’s more, they will give businesses the right foundation for protecting data, whatever the regulatory outcome of Brexit.
While the future of data protection rules in the UK is still being negotiated, the financial services firms that embrace a privacy-first approach starting now will be better prepared for any outcome in the Brexit negotiations.
Going forward, collaboration with the EU is vital to prevent a scenario where data transfers are blocked. We need to work closely with our European counterparts to create a data privacy framework that's protective of UK citizens without being restrictive to our businesses. Only time will tell, but with the respect and protection of our data in the hands of governments and businesses, data privacy can no longer be treated as an afterthought. If banks act now, and protect against the inevitable, the ultimate benefit will be earning their most important asset: their customers’ trust.
Helena Schwenk, Market Intelligence Manager at Exasol, explains how banks can use data and analytics to capture customer loyalty.
Driving customer loyalty has always been an important initiative for financial institutions, but COVID-19’s profound impact on the world has fundamentally changed how financial services companies now view loyalty. As more and more interactions shift online to virtual channels, customer behaviour changes as economic constraints hit home, approaches to risk change, and digital sales and services accelerate, the value of a progressive data strategy and culture is all the more crucial.
As McKinsey’s recent report highlights, as revenue growth and customer relationships come under pressure, banks will need to rethink their revenue drivers, looking for new product launch opportunities, as well as reorienting offerings toward an advisory and protection focus. Advanced analytics can help identify those relevant niches of prudent growth.
However, the high prevalence of data silos and the unprecedented growth in data volumes severely impact financial institutions’ ability to rise to this challenge efficiently. And with IDC conservatively predicting a 26% CAGR in data growth for financial services organisations between 2018 and 2025, there are no signs that managing data is going to get any easier.
The financial services sector was already extremely data-intense due to its large number of customer touchpoints, and the lasting legacy of COVID-19 will see this expand even further. Beating this challenge will require financial institutions to focus on turning the quantity and quality of their data into governed and operationalised data. To gain competitive advantage and win the fight in driving customer loyalty, financial services firms need to eradicate their data silos and start benefiting from real-time business decision making.
Defining a data analytics strategy is crucial for financial services organisations to increase customer loyalty and deliver a better customer experience. A solid data strategy holds the key to uncovering invaluable insights that can help improve business operations, new products and services and, crucially, customer lifetime value — allowing organisations to understand and measure loyalty.
In addition, a robust data strategy will help organisations keep a sharper eye on customer retention, using data to actively identify clients at risk of attrition, by using behavioural analytics, and then generating individual customer action plans tailored to each client’s specific needs.
In our survey of senior financial sector decision-makers, 80% confirmed that customer loyalty is a key priority, given that consumer-facing aspects of financial services generate revenue and are a critical differentiator. And, according to Bain & Co., increasing customer retention rates by 5% can increase profits by anywhere from 25% to 95%.
But increasing customer retention and improving loyalty is not easy; there are ongoing challenges to earning and maintaining it. For example, 54% of our survey respondents believe that customers have higher expectations of financial services experiences, and 42% agree that digital disruptors that support new digital experiences, offerings and alternative business models are encroaching on their customer base.
At the same time, regulation is a concern too, with 41% saying PSD2 and GDPR are impacting their ability to develop and improve customer loyalty initiatives.
Despite all these challenges, the business impact of poor customer loyalty – such as lost opportunities for customer engagement and advocacy (45%), higher levels of customer churn (45%) and lost revenue-generating opportunities (42%) – is too important to ignore. Given that it costs five times more to acquire a new customer than sell to an existing one — gambling on customer loyalty in today's highly competitive environment is a big risk to take.
That said, in a heavily regulated industry with a wave of tech-disruptors, keeping customers happy and loyal is no mean feat. But driving a deeper understanding of customer lifetime value and measuring the loyalty of customers is possible. The good news is that almost all organisations (97%) use predictive analytics as part of their customer insights and loyalty initiatives, with three fifths (62%) using it as a key part. 65% also agree that data analytics enables them to offer personalisation and predict customers’ future behaviour.
Overall use of data analytics is maturing in financial services compared to other industries; 96% of the people we surveyed were very positive about their firm’s data strategy and how it is communicated for the workforce to implement, although 48% did admit it could be improved.
This consistent need to improve is backed by McKinsey. Its survey of banks saw half saying that while analytics was a strategic theme, it was a struggle to connect the high-level analytics strategy into an orchestrated and targeted selection and prioritisation of use cases.
Revolut is one disruptor bank showing the world what a thriving data-driven organisation looks like. By reducing the time it takes to analyse data across its large datasets and several data sources, it has reached incredible levels of granular personalisation for its 13 million global users.
Within a year, the data volumes at Revolut had increased 20-fold and it was an ongoing challenge to maintain approximately 800 dashboards and 100,000 SQL queries across the organisation every day. To suit its demands and its hybrid cloud environment it needed a flexible data analytics platform.
An in-memory data analytics database was the answer. Acting as a central data repository, tasks such as queries and reports can be completed in seconds instead of hours, saving time across multiple business departments. This has meant improved decision-making processes, where query time rates are now 100 times faster than the previous solution according to the company’s data scientists.
Revolut can explore customer demographics, online and mobile transfers, payments data, debit card statements, and transaction and point of sale data. As a result, it’s been able to define tens of thousands of micro-segmentations in its customer base and build ‘next product to purchase’ models that increase sales and customer retention.
The 2 million users of the Revolut app also benefit as the company can now analyse large datasets spanning several sources – driving customer experiences and satisfaction.
Every employee has access to the real-time “single source of truth” central repository with an open-source business intelligence (BI) tool and self-service access, not just the data scientists. And critical key performance indicators (KPIs) for every team are based on this data, meaning everyone across the business has an understanding of the company’s goals, industry trends and insights, and is empowered to act upon it.
A progressive data strategy that optimises the collection, integration and management of data so that users are empowered to make and take informed actions is a clear route to creating competitive advantage for financial services organisations.
Whether you’re a longstanding brand or challenger bank, the key to success is the same – you need to provide your services in a timely, simple and satisfying way for customers. Whether you store your data in the cloud, on-premise, or a hybrid, the right analytics database is central to understanding your customers better than ever before. By using data to predict and detect customer trends you will improve their experience and get the payback of increased loyalty, which is even more essential in a post-COVID world.
Martin Landless, Vice President for Europe at LogRhythm, explains how financial services can keep pace with outside threats.
It is more than possible to remain at the forefront of the digitalisation of the industry and to keep secure, but to do so relies upon focusing on a confluence of people, process and technology. Through this holistic focus, a culture of cybersecurity can be created that protects the important institutions through which it is fostered.
Simply put, cybersecurity is now an integral element of financial services. After all, assets and interactions have moved online. However, in the face of a cyberattack, a company can be subject to a costly halting of operations, a colossal hit to consumer confidence and a General Data Protection Regulation (GDPR) fine from which it might never recover. This is especially true throughout the COVID-19 pandemic, where, according to the National Cyber Security Centre (NCSC), cyberattacks are reaching fever pitch.
By their very nature, given the sensitivity of the data they manage, financial services organisations must have a mature security operation in place to deal with the threat actors they attract. The maturity of a security operation can be measured by two important variables: mean time to detect (MTTD) threats and mean time to respond (MTTR) to them.
Reducing MTTD and MTTR is crucial and can be achieved through technological solutions which allow for the automation of workflows; this frees up the vital time of security teams to focus their attention where it is most needed. This is especially important in an industry facing a stark skills shortage, with the UK Government finding that 48% of businesses have a cybersecurity skills gap in 2020. Visibility is another salient variable, as cybersecurity teams must be able to immediately see shifts in behaviour in the network to recognise imminent threats as they arise.
However, although technological innovation in the security response is a foundation of an effective culture of cybersecurity, this alone will not guarantee safety from attack.
It is upon the CISO and their security teams to make sure cybersecurity takes important precedence in the minds of all who work at an organisation – after all, it takes one employee falling victim to a phishing email to compromise a business. At the board level, CISOs must ensure that executives understand the challenges security teams encounter as an organisation navigates business dynamics.
As with all things, communication is vital in this pursuit. An aspect of this is in quantifying to the board the benefits and return on investment an effective security posture can entail. One method that a CISO can use to create a high trust environment is through partnering a member of the board with the security team.
This partner can articulate the business perspective to the team, allowing the team to present intelligence to the board that demonstrates the business value of the security operations centre’s (SOC’s) methods and goals. This collaborative approach will strengthen the security team’s understanding of business goals and the board’s understanding of security needs.
One common event that the board and security teams may view differently is business growth. Although such growth may signal that a business is in robust health, it also opens up multiple avenues through which a company can come under cyberattack.
For a start, cybercriminals keep a close watch on business news and will be aware of a company’s raised profile. When headcount grows, whether through partnerships or increased hiring, security teams must make sure each new employee is vetted and safely added to the system. In the case of acquisitions, security teams must also effectively monitor the new structures added to the network and the third-party connections with which they are not yet familiar. Indeed, a Gartner study earlier this year identified third-party cybersecurity risk as a key concern for half of legal and compliance leaders.
Key to this issue is the question of security budgets, and it is here that board-level support is important. Traditional security budgets are often determined in advance and follow two common pricing models used by security vendors: the user-based model and the capacity-based model. In the face of growth, both are fixed and may leave security teams making difficult decisions about where to safeguard their organisations.
Executives should instead employ a subscription-based model that offers the guarantee of scalable security at a determined rate; this will greatly alleviate the stress felt by security teams in what often should be an exciting time for an entire organisation.
Changing security budgets to better facilitate the work of SOCs represents a culture of cybersecurity being put into practice. Technological solutions are provided based on an understanding between security teams and the board on what is needed, allowing for better performance in MTTR and MTTD.
As COVID-19 has forced unprecedented circumstances and a wave of cybercrime upon security teams, it is as incumbent as ever for a culture of cybersecurity to be fostered within financial services organisations. Simply refusing further digitalisation in the name of security will see companies become obsolete in important areas such as customer experience, where their competitors will be innovating. Instead, a holistic approach encompassing people, process and technology will be vital to forging a secure path forward in the financial services industry.
Over the past few months, the pandemic has accelerated the transition to a fully digital world. We are seeing more e-commerce and online offerings to help us socially distance. From ordering groceries online to signing up for online gym classes and communicating with friends and family, our digital presence has increased significantly. Unfortunately, this growing digital presence leads to a rise in cyber-attacks, too, and more specifically, fraud. Joe Bloemendaal, Head of Strategy at Mitek, explains further below.
Fraud cases were predicted to be on the rise even before the mass lockdown. According to Juniper Research, businesses in e-commerce, banking services, money transfer and airline ticketing were projected to lose over $200 billion to online payment fraud between 2020 and 2024. The recent growth in digital services and accounts, and advanced technology like AI, is further driving the frequency of these fraudulent activities.
With easy access to an abundance of consumer data, advanced computational power and tools, it is becoming easier for cyber-criminals to completely take over legitimate accounts. So, how can we stay protected against these attacks? The first step is to understand what these cyber-criminals are after and this is often easy to overlook. Social media allows people to stay connected, but it also exposes a large amount of personal information, making people’s digital identity readily accessible to hackers. At every corner, hackers are lurking behind the screen trying to trick banks by stealing people’s details in order to access their hard-earned savings or turning to other methods of phishing scams.
Thankfully, with the help of unique identifiers and usage patterns, it is possible to verify a digital identity and its user – making sure they are who they claim to be in any online or digital interaction. For financial services institutions to stop fraud in its tracks, they need to begin by understanding how to protect this digital identity.
A digital identity can be defined as “a body of information about an individual or organisation that exists online.” But the reality is that not many understand what really makes up a digital identity, and so cannot protect it. Is it our social media profile? Our credit score or history? Is it contained within a biometric passport?
This confusion means many are also concerned about the level of access a digital identity exposes to potential fraudsters. Once a hacker has our personal details, how much of ‘us’ can they really access? In the US, we found that 76% of consumers are extremely or very concerned about the possibility of having their personal information stolen online when using digital identities; but 60% feel powerless to protect their identity in the digital world.
This is mainly because many trust in their old methods and devices for security control – passwords, security questions, and digital signatures. But as modern security techniques evolve, these methods are no longer able to protect us on their own.
More advanced and secure methods of identity verification mirror modern social media habits. Most of us are familiar with taking selfies. Now, technology can match that selfie to an ID document such as a driving licence, turning a social behaviour into a verifiable form of digital identification. A simple, secure process enables people to gain access to a variety of e-commerce and digital banking services without a long and friction-filled ‘in-person’ process.
Even in the case of a compromised photo ID or stolen wallet, we can re-verify our digital credentials once we have our paperwork back in order – and restore a digital profile to full health.
But this doesn’t address the question of who is responsible for our digital identity – who will protect the long-term health and protection of our digital ‘twin’?
Historically, governments have proven to be poor custodians of their citizens’ data, given the loss of 25 million tax records, including payroll information, in the not-so-distant past. Some of the world’s biggest companies are not immune either, being held responsible for countless data breaches over the years.
As such, some believe citizens should be responsible for their own digital identities, making them ‘self-sovereign’. The ambition is to free our own personal information from existing databases and prevent companies from storing it every time we access new goods or services. Data controls such as GDPR and CCPA are a start – policing and regulating how companies use, control, and protect data.
However, ‘self-sovereign’ identities could only become mainstream if governments relinquish their sole responsibility for issuing and storing our identity information. It will also require new technologies, such as blockchain, to gain traction and be trusted. A cultural shift will be paramount, too.
Some suggest that instead of the rise of ‘self-sovereign’ identities, we’ll see some of the industry’s biggest players emerge instead. We’re already used to verifying our identities through Google and Facebook, using them to speed up registrations or access new services. Could those tech giants become our digital identity guardians?
Or would we rather entrust our digital identities to financial companies such as Visa or Mastercard, who have been looking after our financial transactions for decades, historically taking on the risk for us, and are now able to process disputes and stop unauthorised withdrawal of funds even faster?
It’s clear that taking good care of one’s digital identity is a fine balance between trust and control. Security is also a personal thing, and what is right for one may not suit another. One thing is for certain: identity is the essence of the human being, so guardianship should be hard-earned.
Both businesses and individuals have a part to play when protecting our digital twin. With the help of digital identity verification and cybersecurity protection technologies, we can make self-sovereign identities a reality - if that’s what the people want.
Compliance is a must-do activity, not a nice-to-have. According to Colin Bristow, Customer Advisory Manager at SAS, it is essential that companies extract maximum value from compliance processes, reducing the possibility of it being considered a cost centre.
Technological innovation can help to lift some of the compliance burden. The level of technology you can realistically implement depends on how advanced the organisation is to start with. One company’s moonshot could be another’s business as usual. Assessing the starting point is just as important as considering the benefits and end goal.
This is the question that the burgeoning RegTech (regulatory technology) industry is seeking to answer. AI is typically at the forefront. RegTech partly focuses on improving the efficiency and effectiveness of existing processes. As part of that improvement, organisations are using AI, machine learning and robotic process automation (RPA) to smooth the integration and processes between new RegTech solutions, existing legacy compliance solutions and legacy platforms.
Why look to AI for help? Recent regulations, such as GDPR or PSD2, are handed down in the form of large and extremely dense documentation (the UK government’s guidance document for GDPR alone is 201 pages). Identifying the appropriate actions mandated by these lengthy documents requires a great deal of cross-referencing, prior knowledge of historical organisational actions, and knowledge of the relevant organisational systems and processes. What’s more, several regulations attract fines or corrective actions if not applied properly (like the infamous "4% of company turnover" penalty attached to GDPR).
In short, the practical application of regulations currently relies on human interpretation and subsequent deployment of a solution, with heavy penalties for noncompliance. This is where AI can help, reducing the workload involved and improving accuracy. Here are three key examples of how AI can help companies turn compliance into a value-added activity.
Following the deployment of compliance processes, there is often residual risk. This can result from unforeseen gaps in compliance processes, or from unexpected occurrences that only become apparent when operating at scale.
That’s partly because there are usually a lot of steps and processes to be carried out during the data collation stage of compliance programmes. RPA can help reduce administrative load associated with these processes that include a high degree of repetition – for example, copying data from one system to another. AI can then help process cross-organisational documentation, combining internal and external sources and appropriately matching where necessary.
AI can also help to reduce companies’ risk of noncompliance with, for example, privacy regulations. Furthermore, using AI techniques, organisations can automate transforming and enhancing data. Intelligent automation allows companies to carry out processes with a higher degree of accuracy.
Inefficient processes can also hinder compliance. For example, automated systems that detect suspicious transactions for anti-money laundering (AML) processes are not always as accurate as they could be. A recent report highlighted that 95% of flagged transactions are closed in the first stage of review. Effectively, investigators spend most of their day looking at poor-quality cases.
Use of an AI hybrid approach to detection ensures that fewer, higher-quality alerts are produced. Furthermore, it is possible to risk-rank the cases flagged for investigation, speeding up the investigation and deprioritising lower-risk transactions. Although AI underpins most modern detection systems, maintaining the models is key to sustaining effective performance.
AI can also be used to bolster AML and fraud measures more widely. For example, applying AI to techniques such as text mining, anomaly detection and advanced analytics can improve trade finance monitoring. This, in turn, can improve the regularity of document review and consignment checking, improving the validation rates of materials as they cross borders.
Compliance never stands still. Businesses have to contend with a constantly evolving landscape, potentially across several regions. AI can help to optimise the processing of these regulations and the actions they require, helping companies keep up to date. Companies that need to effectively comply with several differing regulations require a wide range of understanding across all parts of the business. The size, complexity and legacy systems of the business can be significant obstacles.
To mitigate this risk, companies can use natural language processing (NLP) to automate aspects of regulatory review, identifying appropriate changes contained in the regulation and then relaying potential impacts to the appropriate departments. For example, AI could help geographically diverse companies determine whether changes in the UK have an impact on their Singapore office.
It’s important to note at this point that AI and RegTech are not expected to widely replace humans. We are seeing early AI entries in the RegTech space, but they’re primarily helping with lower-hanging fruit and repetitive tasks. AI is primarily enhancing the work humans do, making them more effective in their roles.
AI does not come without some considerations, however. There is a great deal of focus and scrutiny on associated possible bias in AI deployments. Other discussions are exploring the transparency and governance of applications and questions around who owns generated IP. As a result, it’s essential that AI works closely with humans, enhancing activities and balancing an appropriate level of manual oversight.
AI is augmenting compliance practices by providing faster document review, deeper fraud prevention measures and greater contextual insight. It is also reducing noise in high-transaction environments and lightening the documentary burden on staff. From the start of the regulatory review to the end of the compliance process, AI holds part of the overall solution to a more efficient and valuable compliance function.
Here Craig Naylor-Smith, Managing Director of Parseq, explains why financial services businesses cannot afford to stay complacent with the prospect of GDPR fines lurking over their shoulder.
In July, the Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39m following a cyber-attack that exposed the details of almost 500,000 customers – the first fine to be publicly announced under the GDPR. The very next day, the ICO announced a second prospective fine of £99.2m against Marriott International following its own hack.
For those in the financial services (FS) sector, the ICO’s actions will have been a reminder of the consequences GDPR non-compliance can bring. Under the legislation, businesses can be fined the equivalent of up to €20m, or four per cent of their global turnover, whichever is greater.
The wealth of personal data held by FS firms of course means that the sector will be under particular scrutiny from both the regulator and the wider public. Yet, our own research has shown that many in the sector have struggled to handle a rise in personal data access requests from their customers and employees in the year since GDPR came into force – a situation that could put them at risk of feeling the ICO’s sting.
Under the GDPR, individuals can submit data access requests to receive a copy of personal data organisations hold on them and information on factors such as why their data is being used. They can also request that their personal data be erased. In most cases, organisations must respond within just one month.
Our research – conducted just after the GDPR’s first anniversary – found that more than two thirds (68%) of UK FS companies have seen a rise in data access requests in the year since the GDPR’s introduction in May 2018.
Of these, almost nine in ten (85%) had faced challenges in effectively responding, citing cost (57%) and complexity (48%) as their primary barriers.
Alongside these factors, more than a third (35%) pointed to a reliance on paper documentation as an obstacle.
With this in mind, a potentially effective solution for the sector as it addresses its compliance challenges could be found in greater digitisation – ensuring that the paper documents they hold containing personal data are digitally accessible.
The FS sector has always been quick to adapt to consumer demand for digital solutions and capitalise on the opportunities that digital technologies can offer.
Despite this, we found that only five per cent of financial services businesses had digitised all of the paper documentation they held in the year after GDPR’s introduction – a situation that hasn’t improved from the 12 months before. When asked why not, our respondents most commonly cited complexity (39%) and a lack of time (37%).
While these issues are understandable, they should be carefully considered in relation to the benefits that digitisation could offer.
Digitisation can help firms access personal data more quickly as and when it’s needed, helping to boost overall response time – an important factor given the GDPR’s time constraints. Meanwhile, investing in technologies such as automated scanning and data capture systems can help reduce time spent on administration, freeing up valuable staff resources for other tasks.
And there are options to sidestep the issue of complexity. At Parseq, we deploy cutting-edge technologies such as optical character recognition and Robotic Process Automation (RPA) to digitise 25 million paper documents every year for our clients. This can help them build secure, searchable online archives of their documentation, enabling them to be on the front foot when it comes to quickly accessing and managing their documentation while offloading complexity to us, and offering savings in terms of cost and time.
GDPR is now firmly bedded-in, and the UK’s FS businesses must act to ensure that they are fully able to comply. Reducing a reliance on paper documentation through digitisation can help them more effectively respond to data access requests, ultimately reducing the risk of incurring the ICO’s wrath and being slapped with a heavy fine.
Most sectors are having to comply with regulation and conform to industry trends, evolving within the limits that regulations impose on them. According to Aravind Srimoolanathan, Senior Research Analyst - Aerospace, Defence & Security at Frost & Sullivan, this is particularly applicable in the biometrics sector: as it progresses in line with regulation, it presents increasing opportunities for biometrics to excel in a security-driven data world.
The Swedish data protection authority (DPA) recently levied the first fine of approximately $20,000 on a high school which ran trials of facial recognition technology among a group of students to monitor their attendance. The school authorities argued that the programme had the consent of the students, though that did not soften the stance of the regulator; the European Data Protection Board cited the ‘imbalance’ between the data subject and the data controller. Canvassing the multiple opinions on the web [1], Frost & Sullivan notes multiple cases of violations reported in Bulgaria and Austria after the incident in Sweden. These regulatory breaches have led to similar fines levied by the respective local data protection agencies tasked with enforcing GDPR. Have the floodgates opened? Will this drown the biometric market? Probably not, but it does raise significant concerns which need to be assessed and responded to if biometric technologies are to continue bringing their benefits to business and security operations.
The General Data Protection Regulation (GDPR) is designed for the protection of personal data. GDPR emphasises a person’s right to protect their personal data, irrespective of whether the data are processed within or outside the EU. Any data that could be linked to a person falls within the definition of “personal data”. The regulation comprises several articles and clauses which require compliance by all forms of agency - public, private or individual - that process the personal and sensitive data of clients, companies or other individuals. The regulation not only addresses data protection and privacy for individual citizens of the European Union (EU) and European Economic Area (EEA) but also data transfer outside the EU and EEA.
In summary, data is expected to be stored, managed and shared in an individual-centric approach rather than a collateral approach.
Conventional methods of managing identity in the modern world, such as ID cards and PINs/passwords, are failing to address efficiency, accuracy and security requirements. The exponential demand for biometric-based ID management and access control systems is driven by the need to overcome such challenges. Biometric technologies (yes, facial recognition is one of them) curtail unauthorised physical and cyber access, preventing identity fraud, enhancing public safety, and driving seamless and efficient processes that deliver higher safety, convenience and profits.
The Swedish high school case shows that the reach of GDPR is not limited to giant corporations such as British Airways but extends to smaller public and private entities ‘mishandling’ data and thereby violating the regulation.
Frost & Sullivan’s collation of perspectives and insights from across the industry indicates that biometric technologies will replace conventional methods of identity and access management in the years to come; it is not a case of if but when. Continued enforcement of data regulations would drive proper use case definition and regulatory compliance, but for this the suppliers and operators of these technologies need to create compliant, secure-by-design solutions and processes. The first step is to ensure the secure operation of the systems; the second is to design robust and verifiable processes for the data they generate; the third is to define the application of harvested data within the ethos of GDPR and related governance.
In the short term, though, with a surge in the adoption of biometric technologies, Frost & Sullivan anticipates an uptick in the number of GDPR violation cases, due to partial and/or improper understanding of data privacy regulations. Though there is a risk that the hefty fines may slow the pace of widespread adoption of biometric technologies, Frost & Sullivan’s proposed three-step strategy will drive healthy demand. Organisations that are digitally transforming their businesses for enhanced process efficiencies as part of their digital strategy would need to realign those strategies to comply with general data protection regulations.
Biometric technologies are gaining notoriety through data breaches, privacy concerns and unethical commercialisation of the associated data. GDPR may prove to be the Achilles’ heel of the biometric market, but it does not need to be – instead, the principles of GDPR can themselves become the value proposition of future biometric technologies.
1. http://www.enforcementtracker.com/
2. https://www.infosecurity-magazine.com/news/gdpr-spurs-700-increase-data/
Many thought it was too good to be true, but was it? Below Karen Wheeler, Vice President and Country Manager UK at Affinion, gives Finance Monthly the rundown.
YouGov research highlights that 72% of UK adults haven’t heard of Open Banking and according to PwC, only 18% of consumers are currently aware of what it means for them. However, that doesn’t mean the changes aren’t filtering through.
The story so far
The Open Banking Implementation Entity (OBIE) reports there are now 100 regulated providers, of which 17 Third Party Providers (TPPs) are now using Open Banking in the UK. Open Banking technology was used 17.5 million times in November 2018, up from 13.9 million in October and 6.5 million in September, with Application Programming Interface (API) calls now having a success rate of 97.7%.
One of the earliest examples was Yolt, by ING Bank. It showcases a customer’s accounts in one place so they can see their spending clearly and budget more effectively. Similarly, Chip aims to help people save more intentionally. Customers give read-only access to their current account; sophisticated algorithms then calculate how much a customer can afford to save and put it away automatically into an account with Barclays every few days.
High Street banks have certainly taken inspiration from fintechs. For example, HSBC released an app last year enabling customers to see their current account as well as online savings, mortgages, loans and cards held with any other bank. The app also groups customers’ total spending across 30 categories including grocery shopping and utilities, making it a really helpful budgeting tool.
Perhaps most advanced of all, Starling Bank allows customers access to its “Marketplace”, where they can choose from a range of products and services that can be integrated with their account. The offering currently includes digital mortgage broker Habito, digital pension provider PensionBee, travel insurer Kasko, as well as external integrations such as Moneybox, Yoyo Wallet, Yolt, EMMA and MoneyHub.
Open Banking and GDPR
One key question is whether Open Banking puts the needs of financial services companies over those of the consumer. There is a general cynicism regarding the real reasons for encouraging Open Banking and this is exacerbated when most customers aren’t seeing the benefits.
Also, there is confusion caused by the apparent conflict of interest between Open Banking and GDPR.
In this day and age, do consumers really want more organisations to have access to their data? Can they trust the banks? According to PwC, 48% of retail banking customers cite security as their biggest concern with Open Banking and this is a significant barrier to overcome.
The way forward
It’s hard to overcome cynicism and doubt. Perhaps, once customers begin to enjoy the positives, they will be less sceptical about Open Banking, leading to more opportunities to build longer term customer engagement. For example, if products help them avoid going into debt or nudge them when new mortgage rates are on offer, they will see that banks are using the technology to support wise financial management rather than just serve their own marketing purposes.
It’s also hard to change entrenched consumer habits. To encourage consumers to get in the habit of comparing and switching, financial organisations must create truly compelling propositions. They need to focus on delivering intuitive, useful digital products which make a real difference to customers’ daily lives.
They also need to demonstrate how seriously they take their role in the fight against cybercrime while educating the consumer about how Open Banking works and how to protect their data. For example, many may not realise that one of the key tenets of Open Banking is security. Open Banking uses rigorously tested software and security systems and is stringently regulated by the FCA.
Placing the customer at the centre of their finances and giving them complete control directly increases competition and brings a myriad of everyday benefits to the customer. There is huge opportunity for traditional banks, fintechs and disruptors to use Open Banking to pioneer new products that build longer term customer engagement. However, the current priority is communicating the huge advantages and opportunities that Open Banking brings while reiterating that their data will remain secure.
This is according to Henry Umney, CEO of ClusterSeven, as he offers his views on the regulatory and risk management trends in the banking and financial services industry for 2019.
Brexit will confound banks in 2019, whatever the outcome
The UK’s departure from the EU at the end of March will continue to have a significant impact on the banking, insurance and asset management sectors throughout 2019, almost regardless of the nature of the final departure. Brexit uncertainty is presently forcing banks to implement their most stringent contingency plans, in terms of re-locating critical business services, processes and, in extremis, specific roles and personnel. To this end, the division of data, processes and responsibility needs to be managed carefully to ensure these changes are executed smoothly, efficiently and with full auditability. Further complexity is provided by the UK Prudential Regulation Authority’s (PRA) announcement that institutions will be able to continue to trade as branches of their head office, rather than as a (more capital-intensive) subsidiary, post-Brexit. This, alongside the European Banking Authority’s (EBA) recent announcement that it sees ‘back to back trading’ between the City of London and the EU as beneficial, suggests that there is a willingness to find a modus vivendi that allows complex cross-border transactions and business processes to continue as normal, almost regardless of the final Brexit outcome.
This complex, conflicted environment will place a premium on understanding how disparate business processes and applications, including end-user-supported processes (e.g. spreadsheet-based applications), are configured, allowing institutions to respond quickly to new developments – and potentially even to reverse previous decisions about re-locating people, roles and business units.
Regulators and auditors will demand mature model risk management
In the US, the momentum for a mature approach to model risk management will gather further pace as government frameworks including SR 11-7, CCAR/DFAST stress testing and CECL, for example, are more closely scrutinised and audited by regulators. Increasingly, these governance frameworks are being extended to include the tools that feed the models, and there is recognition of the significance of spreadsheets and other end-user-supported applications to the models covered by these frameworks.
This approach to sophisticated model risk management will find favour with European regulators too, a trend that is already in motion with regulations such as TRIM and SS3/18. This is fundamentally driven by regulators’ collective objective of demanding visibility of critical models and enhancing the operational resilience of financial institutions. Effective data management, including that stored in spreadsheet-based and other end user supported applications, is central to these frameworks.
To meet the excellence in data governance and auditability as demanded by the regulators in the UK and US, financial institutions will be forced to apply the same level of controls to their end user supported application environment – as they apply to their broader corporate IT environment. This reflects that spreadsheets are often the ‘go to’ tool in developing a broad range of business and financial models.
The transition away from LIBOR will present a major operational challenge
Given the enormity of the transition from LIBOR (London Interbank Offered Rate) to alternative reference rates (e.g. SOFR, reformed SONIA, SARON, TONAR), financial institutions will begin adjusting their processes and systems in preparation for the switch to new reference rates by the end of 2021. The clock is ticking.
With a parallel universe of spreadsheets connected to enterprise systems such as risk and accounting models, and a plethora of non-financial contracts that reference LIBOR, financial institutions will need to ensure that the relevant changes are also accurately reflected in their spreadsheet-based processes. Given the broad range of potential alternatives to LIBOR, it seems likely that multiple replacements will be in use in different jurisdictions. There will be a premium on being able to identify affected transactions and contracts quickly and efficiently, and on applying the appropriate reference rate, again with full transparency and auditability.
GDPR has the hallmarks of expanding into a global framework, and compliance will need to be in organisations’ DNA
GDPR has all the makings of becoming a global standard. Already, California is taking the lead with the California Consumer Privacy Act (CCPA), which comes into force in 2020. Other US states are also considering similar regulations to protect the rights of their residents.
With a potential fine of up to $1.6 billion raised against Facebook this year, the EU has clearly demonstrated that it means business. In 2019, organisations will have to shift their GDPR focus to ‘sustainable compliance’. They will realise that inventorying IT systems for GDPR-relevant and sensitive data was merely a good first step towards meeting the compliance requirements that took effect on 25 May 2018. GDPR compliance will need to be part of their DNA, which means treating it as a ‘business as usual’ activity. With unstructured confidential data (e.g. personal details of clients and employees) often residing in spreadsheets, visibility alongside continuous monitoring, controls and stringent attestation of information will be essential to meeting GDPR demands such as the right to be forgotten and data portability. Automated spreadsheet management will become critical to sustaining GDPR compliance.
