Fintech and cybersecurity

Are cyber risks growing as financial IT infrastructures become more reliant on interconnected systems?

As financial technologies (fintech) become more sophisticated and automation rises, the potential for cyber threats to compromise IT infrastructures grows. Data is shared more widely and with greater speed, creating unprecedented challenges in protecting the integrity of financial information.1

In 2016, cyber criminals took advantage of insecure messaging endpoints in SWIFT, the international money system that banks use to move money between themselves, to install malware that prevented the flagging of fraudulent transactions, and used this opportunity to withdraw USD 101 million from Bangladesh Bank.2

To avoid similar incidents in the future, businesses and regulators are moving to develop the necessary expertise to mitigate the potential systemic risk associated with fintech.

Understanding the impact

Richard Wilson, a partner with PwC Canada's cybersecurity and privacy practice, says: “Business and public sector leaders need to better understand the full range of impacts a cybersecurity breach can have on their organizations. Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public.”3

While the cybersecurity risks associated with financial technologies are complex, there are three broad trends for regulators and market participants to consider: 

  1. The inclusion of technology firms as members of payment systems
  2. The rise of inexperienced startups entering the financial services sector
  3. The lack of regulatory expertise in the security auditing of open source software

New PSPs on the block

Key insight

  • Cybersecurity risks to the financial system through burgeoning fintech activities present new challenges to businesses and regulators, who must identify potential threats and put appropriate measures in place

The Bank of England has announced sweeping plans to embrace fintech, aiming to expand access to central bank money for non-bank payment service providers (PSPs).4 Allowing non-bank PSPs more direct access to the UK's Real Time Gross Settlement Systems (RTGS) is one measure designed to support innovation and competition.

In addition, as a result of technological breakthroughs that have enabled secure new transaction methods, banks in the US and Canada are collaborating with giants such as Apple and Google. As consumers become accustomed to the convenience of mobile payments, new transaction methods may further increase exposure to cyber threats, and the growing number of potential attack vectors available to hackers adds to the complexity of crafting effective regulatory oversight.5

Keeping up with innovation

Another key cybersecurity challenge for regulators and financial service providers is the rapid rise of entrants to the sector. According to KPMG and CB Insights, a research and financial data analysis firm, the volume of venture capital deals centered on fintech has steadily increased year over year, from 560 in 2013 to 807 in 2015.6

With regulatory requirements strengthening across all markets, these entrants will have to adapt fast to ever-evolving compliance obligations. Within the span of a few years, the European Union's introduction of the General Data Protection Regulation (GDPR) and the Revised Directive on Payment Services broadens compliance requirements for financial service providers of all sizes.7 For example, GDPR includes a duty on firms to regularly assess their cybersecurity measures. Such new requirements should help protect against cyber threats. Implementing them, however, may be challenging for small or less experienced firms.

Open source code concerns

The availability of open source software is a significant factor in the rapid emergence of new fintech players. Unlike proprietary code that companies develop in-house and carefully guard, open source code is freely available. As it can be viewed, copied and modified by anyone, developers can rapidly create new applications by combining code from similar projects that already exist.

In the US, the Commodity Futures Trading Commission (CFTC) has implemented regulations to ensure that algorithmic trading source code, whether open or proprietary, is made available for auditing.8 While the CFTC maintains a focus on derivatives trading, the legislation could serve as a useful precedent in shaping future disclosure requirements for new sector entrants providing fintech solutions, as well as laying down a path other supervisory authorities across the globe may want to follow.

For now, asset managers and financial service providers must continue to take precautions to ensure that their operational risk is minimized and that sufficient protections against cyber-attacks are in place, until regulators can further embed the comprehensive frameworks and standards required to ensure the security of data within the fintech sphere.


Sources

  1. Deloitte (December 2015) Automate this: The business leader's guide to robotic and intelligent automation
  2. The Financial Times (April 26, 2016) Cyber thieves target bank systems after Bangladesh heist
  3. PwC Canada (January 13, 2016) Cybersecurity Incidents In Canada Increased by 160% Year Over Year According to PwC Canada's 2016 Global State of Information Security Survey
  4. Bank of England (September 2016) A new RTGS service for the United Kingdom: safeguarding stability, enabling innovation
  5. Symantec (April 2016) Internet Security Threat Report Volume 21
  6. KPMG and CB Insights (August 17, 2016) The Pulse of Fintech, Q2 2016
  7. EY (November 2015) The world of financial instruments is more complex. Time to implement change. Capital markets reform: MiFID II
  8. The US Commodity Futures Trading Commission (November 4, 2016) Fact Sheet - Supplemental Notice of Proposed Rulemaking on Regulation Automated Trading