After more than 800 years of banking, we seem to be witnessing the emergence of a completely new industry for the last 15 years, with new technological advances made through Internet-related technologies leading the financial industry and its users to a new ubiquitous digital financial World.
From mobile Internet, self-learning artificial intelligence (AI), robotics, big data, analytics, self-driving vehicles to the Internet of Things (IoT), we are just at the beginning of a paradigm shift with an increasingly digital, 24-hour connected society.
Established financial institutions are historically considered as the most resistant industries to disruption by technology, but they have been driven by the need to look at new technology and partnering solutions if they want to keep up with this new financial society.
The possible paradox
The exponential growth of Fintech (the industry achieved already a scale of projected 2.2 trillion dollars of managed wealth by 2020) is creating an ample security risk concern, as it pushes commonly offline and time-consuming financial processes to be tucked into new ones, interconnected, online and processed in milliseconds.
Financial institutions are basically trying to quickly transform their traditional businesses into digital-focused, cloud-based, and device-ready ones by migrating their services to something with a low-capital-cost operation, a focus on data capture, a change from human-to-algorithms based service, regulatory arbitrage and a focus on transferring risk-management to customers. This is a huge change that usually takes years but now, due to market and customer pressure, is demanded to be performed in months and commonly through outsourcing to speed up the process.
This combination of factors naturally raises security risk discussions and concerns within professionals. How prudent are Governments and financial institutions in this entire change process? Are they really thinking about the risks involved? We had the Fintech revolution to avoid another Financial Crisis that was fuelled by lack of transparency, speed and lack of regulation. How are we now?
The 3 vector view: Human Capital, Regulation and Technology
The Human Capital Security Risk
A Fintech professional is expected to be something of a combination between traditional Finance, Internet Technology and Financial Regulation. Strangely, although empirically banks have some of these combined professionals in their internal IT staff, it is still uncommon to name these departments or professionals (Fintech Department and Fintechers). The result is that HR departments in Fintech, are strongly looking for these all-in-one Fintech Professionals with technological, financial and (hopefully) regulatory skills in the market.
Although, it seems to be no problem to find pure technology-based professionals, as software developers aren’t in core different in Fintech from other software based industries. However, to find new technology developers with Core Banking Experience, or similar financial knowledge, is much harder. This can be a risk the future of Fintech developments, as every developer with this knowledge gap will require close supervision from someone with the necessary business knowledge. Otherwise, situations regarding wrong stochastic or financial models, missing or corrupted financial data, missing or insufficient financial-related privacy and security implementations are more likely to occur.
As for the financial based professionals (FBPs), with the rise of the Fintech industry in recent times, the natural result was a big change in the traditional financial sectors with a wide spread off layoffs, hitting Europe and other major markets. Big reference institutions, such as Commerzbank, Deutsche Bank, Bank of America and Citibank, have taken the lead on reducing their human capital already or are intending to cut down their hiring by several to tens of thousands of people. This raise in the offer of FPBs would seem to be a simple answer and a perfect match of the needs of the fast growing Fintech industry.
The Regulation Security Risk
The regulation of Financial Institutions is crucial, especially after the devastating effects of the Financial Crisis. Regulators act based on a risk approach, so they would rather look closer at banks and other big FIs than young Fintechs (especially in the early stages of projects). Therefore, Fintechs tend to respond to regulatory compliance as late as possible, which raises concerns about the security of services and private data.
In the future of fintech security, regulatory authorities face the challenge to be flexible enough to allow new fintech companies to emerge at lower costs in order to not slow down or harm existing and emerging markets, while still be as effective as they are currently. Banks and FIs must be extremely demanding in their fintech outsourcing requirements from Fintechs in every stage as well, as they are the first line of regulation enforcement and the last point of responsibility.
The Technology Security Risk
Among financial institutions, Banks have been struggling to research, develop, assimilate and apply new technologies rapidly in response to their under-performing and outdated Core Banking Systems (CBS), which barely supports current key processes. With renewed pressure to tamp down costs, open the bank to API services and adjust to volatile conditions, fintech institutions currently have little confidence in their CBS to respond to regulatory requirements, clients as well as managing risk and keep up with technology. Fintech’s ambitious entrepreneurs, look for job-creation-seeking Governments, innovative technologies and high tech consumer demand markets.
Considered like a modern age gold rush, global investment in Fintech already surpasses $111 billion and is paving the way for new and bold organizations that can induce a much-needed financial innovation in financial services. Yet strangely there seems to be little direct discussion about whether the pressure on the Fintech industry has the required response from the perspective of technology security, regarding the near future.
Big technology firms and young Fintechs experience thousands of security attacks per year with a portion of those being serious and successful. However, they are still pressured and requested to widen their range of services and to grow rapidly, especially by governments, investors and the market. These young companies (on average with less than 10 years of existence) aren’t expected to possess the technological knowledge and experience of the Internet oriented Big Techs industry players. Yet, they are requested to deal with increasingly huge amounts of personal data and wealth. On another view, Fintechs typically do not always pass through the same internal bank IT department technology restrictions and tests (and if so, they tend to do it at a later stage) as these imply costs that are usually not supported at the beginning of their projects.
The question is whether these young technology firms can really safely handle these amounts of financial and personal data like the GAFAs do, especially when the industry witnesses an ever-increasing number of service channels, business offers and an even higher number of cyber-attacks.
Lastly, as more systems become connected, run by different entities, schemas, documentation and ways of working, the higher the risk of cyber vulnerabilities. A common source of such weaknesses includes the API interfaces between systems. Because two systems are not designed at the same time by the same developers, compatibility often poses issues and challenges in security, especially given the limitations of legacy technology.
The future of fintech will require security
Fintechs are deliberately and rapidly exposing their services and wealth to their intentions to innovate, to lower costs, fund new businesses and take risks. Contradictorily the industry is expecting them to be safer and more prudent than before. The result is an enormous amount of financial data being transferred to or passed by young Fintech companies based on young professionals that don’t have the empirical experience of traditional banks or the technological know-how of big ecommerce players.
Although there has been an increasing number of security issues and losses within the industry, this fintech innovation speed doesn’t seem to slow down. This scenario entails security challenges for the near future which continue in many cases to be either underestimated, misjudged or ignored. The future of Security in Fintech starts today with the discussion of these matters in all platforms possible and must be in the front row of decisions from Governments, Financial Institutions and Fintechs.