The rise of fintech has been a game changer for traditional financial services players. As they strive to compete with each other and with emerging startups, they must constantly evolve to meet the expectations of younger, digitally savvy customers. This means improving customer experience while also increasing security and authentication controls by using biometric, behavioral and location data. This will also allow them to personalize their offering, make transactions easier and quicker and get closer to the customer.
But not too close. As recent social media scandals demonstrate, there's a fine line between tailored, timely, relevant services and creepy 'big brother' communications that invade one's privacy. Consumers - and regulators - are especially touchy about the selling of personal data to third parties without permission. The EU's General Data Protection Regulation (GDPR) carries the threat of massive fines for breaking rules relating to customer trust.
Digitization also has major implications for cyber security, as financial services organizations work with an increasing range of new and established technology firms. Take mobile banking, where huge amounts of information cross from device to device, often involving multiple providers of apps and associated services. In the EU, for instance, the new Open Banking regulation (Payment Services Directive, or PSD2 for short) opens up consumers' banking transaction data to a host of third parties.
Everywhere you look, financial services companies are sharing data with hundreds, and possibly thousands, of third parties via APIs (application programming interfaces). KPMG's* Consumer Loss Barometer report, which surveys both consumers' and corporations' perceptions of digital trust, shows that financial services executives are especially concerned about cyber risks arising from the 'disappearing perimeter' around their organizations.
The Consumer Loss Barometer report suggests that financial services organizations are investing more in data security than their peers in other sectors. But it also indicates they're still lagging behind technology companies in engaging with the pace of digital transformation. In the journey to get closer to the business, many businesses have a centralized Chief Information Security Officer (CISO) with ultimate responsibility and oversight for all applications, testing for vulnerabilities and so on. However, in a world where new apps and updates are coming fast, I would argue that such a structure encourages the CISO to err on the cautious side, as she or he carries the can for any security breach or incident. This restricts the organization's ability to be agile - unlike technology competitors - who often operate under a lighter regulatory burden and have nimbler decision-making processes.
A preferable alternative would involve passing cyber risk to the Chief Risk Officer (CRO), who can take a more holistic view, frame risk tolerance in commercial terms, and make faster decisions in the wider interests of the business. The role of the CISO would then be to focus on what she or he is good at: protecting the perimeter; putting the tools and technology in place to meet whatever risk the business has agreed on. US regulators are pushing for this kind of model and other countries and regions may follow suit.
Moving to the cloud can also speed up development while maintaining security, as new patches can be rolled out quickly by the main providers to address any vulnerabilities - financial services organizations are now becoming more comfortable with this technology.
Another onerous cyber security task is vetting and onboarding third-party vendors and partners. Security assessments are notoriously long-winded and, in many cases, have become something of a tick-box exercise prone to error. For larger and more critical parties, such a process doesn't really help you understand the true risks to your business and leaves you very vulnerable to leaks or misuse of data, which pleases neither customers nor regulators.
To overcome this, I advise outsourcing the collection of standard information - at least for medium- and low-risk parties. Then you can really focus your efforts on those larger, critical vendors where the stakes are much higher, visiting data centers and checking in greater detail how information is stored and used. Historically, banks' and other financial institutions' brands have been built on a customer experience delivered through bricks-and-mortar retail outlets and face-to-face or telephone contact. Digitization takes all or most of this away and begs the question: how can you differentiate yourself?
The answer is by building trust through offering highly personalized, timely services, robust data security and a respect for privacy - all within a highly agile and responsive organization. The way you manage cyber risks - and the subsequent roles of the CISO and CRO - will have a major impact on achieving this goal.
*Throughout this blog, “we”, “KPMG”, “us” and “our” refer to the network of independent member firms operating under the KPMG name and affiliated with KPMG International or to one or more of these firms or to KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.