Owen Lewis and Mike Daughton in The Irish Times on innovation in payments, cyber security and the implications of the new regulations.

Financial firms raise bar on cyber security in arms race with criminals

Striking a balance between safety and convenience is tough as new regulations come in. The new payments services directive opens up bank data to third-party service providers. What does it mean for security?

 “Cyber security is a sector-neutral challenge. The focus of cybercriminals is on the ease by which they can generate revenue via manipulation of processes or the resale of valuable information assets,” says Mike Daughton, partner risk consulting at KPMG Ireland.

The threat they pose is increased both by the sophistication of modern cybercriminal groups and their use of start-up and online-only financial companies to redistribute and funnel their revenue gains.

“Organisations that do not meet the standards of Strong Customer Authentication (SCA) in the incoming Payment Services Directive (PSD2), or who have weak anti-money-laundering controls, create vulnerability in the overall chain,” he says.

Traditional attacks such as email phishing have already given way to new methods such as “formjacking”, attacks that allow a cybercriminal to intercept your banking information direct from the input on an e-commerce site.

According to Symantec’s Internet Security Threat Report 2019, formjackers compromised 4,818 unique websites every month in 2018. Over the course of the year, Symantec blocked more than 3.7 million formjacking attempts. This equates to almost 74 per cent of compromise attacks.

“Financial services companies are enforcing more biometric authentication to meet the needs of SCA and to remove the formjacking threat, as username and password access becomes consigned to history,” says Daughton.

However, “the rise of artificial intelligence as an enabler for security has the flipside of providing the criminal with equivalency in the battle to secure assets – an example of this is the use of ‘deep fake’ software to replicate the patterns required by voice biometrics.”

Connectivity and transfers of customer data have increased as part of the open banking revolution and this is an area also targeted by criminals as they look for the “weakest in the herd” to attack.

“There is a significant role to be played by the competent national authorities, such as the National Cyber Security Centre and regulators to ensure that security by design, and indeed privacy by design, is considered across industry and that the lessons are shared to increase the overall baseline level of security and awareness,” says Daughton.

Mobile phone is becoming the de-facto payment system

Customer experience is front and centre of the payments evolution as companies look for ways to make transacting for their products and services more seamless, according to Owen Lewis, who is working as part of the firm’s global payments team.

 “Changes in the payments sector, including real-time payments and security-enhancing data, are being driven largely by technology-savvy consumers and businesses demanding a full digital experience in their daily transactions,” he says.

“In theory consumers will be able to have much richer access to their total financial position and make use of innovative payment services in a secure and safe way,” he continues. “Traditional players have kept up with the pace of change largely driven by regulatory deadlines – the challenge now for the established banks is how to capitalise on this investment.”

 He expects to see three main areas of focus in the coming years – customer experience, product design, and infrastructure. “There will be a clear focus on delivering a superior customer experience and access to a range of bank-owned and third-party services, often to a targeted segment of potential customers, through aggregation and product targeting,” he says. “For business customers, this will include greater integration between financial services organisation and clients’ businesses through value added services such as accounting package integrations, data and analytics insights and active monitoring.”

On product design he sees companies becoming increasingly agile at designing and adapting products to meet the needs of individuals. “Product design will be complemented by a deep understanding of how the front-end platform algorithms work to ensure products remain highly recommended.”

Infrastructure developments will see the main players leveraging economies of scale and potential operating efficiencies. This will see back-end infrastructure providers to the banking industry providing the balance sheet and payments infrastructure that keeps the system operating.

Are you ready for the EU Payment Services Directive?

From September 14th next all banks in Ireland will be required to open their payments infrastructure and customer data assets to other payment organisations.

Lewis believes that smart use of data will become even more important in future. “While real-time payments and open banking are opportunities for financial services companies and their partners, there is also a growing threat of cyber-attacks, data breaches, and fraudulent activity, potentially outpacing and outsmarting today’s existing security capabilities”, he says.

“On the tipping scale of function versus security, enhanced data capabilities will be critical to striking the right balance between improved customer experience and heightened safety and soundness of the financial system.”

How PSD2 will open up the old cash or card question

The interests of old banks and new disrupters are increasingly aligned. In Ireland the biggest payments innovation question is the same as it has been for years – cash or card?

To succeed, payments innovators have to be cost effective for merchants and have scale. Consumers however expect them to be free, yet regulatory protections such as Anti Money Laundering and Know Your Customer steps all add cost and friction to disrupters.

It won’t put a stop to their gallop however. Technology disruption is already quickly changing the banking landscape, “enabling new business models to emerge and in many cases lowering the barriers to entry for start-ups,” says Lewis.

“Fintechs are often focused on solving a specific issue that is seen as slow, difficult or costly for customers. Partnerships between start-ups and established banks can be mutually beneficial to both organisations in bringing these ideas to life and in doing so passing on this value to a bank’s customer base.”


Banking regulators are facilitating this. “Regulation has a key role to play, with opportunities for the regulatory bodies to stimulate innovation domestically through safe and collaborative sand-box environments enabling banking evolution,” he says.

Customer expectations are driving it. “At the point of sale, customers are looking for frictionless, safe and instant payment methods with flexible options on where and how to draw on credit or personal funds. (They) are becoming more aware of risks and are looking toward trusted brands to take care of speed and safety for them,” says Lewis.

This has changed the landscape in other ways too. Whereas at the earliest stages of fintech development, legacy banks and fintech disrupters were posited as opponents, increasingly their interests are aligned.

“We are seeing the extended banking ecosystem collaborating to deliver better value for customers,” says Lewis.

“Competition between fintechs and established banks has not gone away but increasingly banks are partnering with and, or, sourcing capability from fintechs to maximise the value of innovation for customers.”

These articles appeared in The Irish Times and are reproduced here with their kind permission.