Technology has long been central to financial services in the UK – from the first ATM nearly 50 years ago, through the Big Bang in 1986, right up to the move by the Financial Conduct Authority (FCA) to launch its Innovation Hub. In the last ten years, devices such as smartphones have changed the way financial services consumers and suppliers interact. A phone used to be a phone, but now it's a new financial services and personal payments channel, allowing video and image banking, interactive financial promotions, and payments facilitation. The next decade will see not only the demographic of technologically savvy consumers broaden, but also further advances in terms of the sophistication of virtual services, data processing in the cloud, wearable technology and remote access.
Technology and risk
These ongoing developments represent tremendous opportunity, but also risk. In a report published in June 2014, cybercrime is said to cost the global economy £266 billion, affecting more than 800 million people a year and removing 15 to 20 per cent of the value created by the internet. While the figures are hard to determine, there is no doubt that cybercrime represents a real concern to businesses and consumers. Seeing Sony held to ransom under threat of cyber attack cannot be comfortable viewing for the CEOs of businesses that hold significant amounts of sensitive consumer financial data.
The regulatory mindset
Regulatory attitudes are clear from a series of financial crime and data security-related papers published by the Financial Services Authority (FSA) and the FCA since 2006, such as the FCA's 11 September 2014 paper TR14/15, Mobile Banking and Payments Thematic Review Feedback, which states that "The potential for increasingly sophisticated fraud attacks means it is important that firms continue to invest in implementing strong security measures for consumers". The process of considering security measures is not something that should be tacked on to product or service development at the last minute; it needs to be inherent to this process and form a conscious part of the core design. It is incumbent on firms to think laterally – and look ahead – in identifying risks and ensuring that there is room in the product budget and objectives to implement strong security accordingly.
Regulated financial and payments firms are required to have appropriate governance arrangements and systems and controls in place to manage risk, and this includes minimising any threat to data security. The FCA will want to be satisfied that a firm's resources and business arrangements are appropriately geared towards ensuring it can operate soundly. The FCA is under a statutory obligation to reduce the risk of financial crime in its sector and, in turn (and independent of their anti-money laundering obligations), licensed firms are also required to detect, prevent and deter financial crime.
As part of the proposed new accountability provisions, senior managers will be required to take responsibility for all aspects of their business, which includes the functioning and security of the technology integral to the effective functioning of the UK's financial systems. Although not directly related to cyber security, in November 2014, the FCA and the Prudential Regulation Authority (PRA) fined the RBS Group nearly £60m for IT issues. The FCA was deeply concerned by the actual and potential consumer disruption and, while most firms are not subject to dual oversight, it shows how the PRA will view IT incidents as having the potential to have an adverse effect on the safety and soundness of a firm and the PRA's statutory objectives.
Thinking outside the box
The UK works closely with international regulatory initiatives. At a European level, for example, the European Banking Authority (EBA) and the European Central Bank (ECB) have issued guidelines and recommendations regarding the security of internet payments. Given the pace of technological change, the FCA and ECB rules and guidelines are not prescriptive as to the precise security standards firms should adopt. It is down to firms to assess and weigh risks and take proportionate steps to ensure security. However, this flexibility does not equate to a licence to adopt lighter security; in financial services the cyber risks are generally high and a proportionate response will, therefore, be to implement a high standard of security. Some aspects of European law are beginning to be more prescriptive, with ongoing consultations around the revised Payment Services Directive looking to hard-wire 'strong authentication' methods into payment services.
Solutions to cybercrime come in various shapes and guises. Overall, governance is important and firms must have effective procedures to identify, manage, monitor and report any risks to which they might be exposed. This should be backed up by a range of measures, e.g. strong authentication based on a proportionate combination of factors such as customer knowledge (e.g. passwords), possession (e.g. phone or chip and PIN) and inherence (e.g. fingerprint); technical IT-driven security measures; customer education; monitoring access to customer data; data back-up and BCP; key-logging devices; remote device access controls; relevant suspicious activity monitoring; physical site security; disposal of customer data; and due diligence and clarity of responsibility for security across the transaction chain.
Personal data security
Added to the regulatory mix, in assessing the level of protection needed, firms need to be mindful of data protection legislation (e.g. the EU Directive and the UK's Data Protection Act 1998), which requires firms holding personal data to have appropriate technical and organisational measures in place to protect against unauthorised or unlawful processing of personal data, as well as against accidental loss or destruction of, or damage to, personal data.
The FCA takes personal data security breaches seriously and has sanctioned firms; importantly, it has a firmer bite than the UK's Information Commissioner. For example, in August 2010, the FSA fined Zurich Insurance Plc £3.25m after it failed to take reasonable care to ensure that it had effective systems and controls in place to manage the risks relating to confidential customer information security that arose out of its outsourcing arrangement with another Zurich company in South Africa.
What does it mean practically?
The legal framework needs to be set alongside industry and practical guidance that IT and compliance departments ought to refer to when setting requirements and establishing good practice for their firm. You might want to refer to various papers that are publicly available to understand the commercial application of the requirements, for example:
- The European Banking Authority's Final Guidelines on the Security of Internet Payments, 19 December 2014
- The Article 29 Working Party opinion (WP224) on the application of the E-Privacy Directive (2002/58/EC) to device fingerprinting, 25 November 2014
- Information Security Forum's 2014 Standard of Good Practice for Information Security
- HM Government's Cyber Essentials Scheme, June 2014
- International Organization for Standardization guidance (e.g. ISO/IEC 27001:2013)
- European Central Bank, Recommendations for the security of internet payments, January 2013; and
- Publicly Available Specification (PAS) 555.
Added to this, the Department for Business, Innovation & Skills (BIS) has recently issued a brief guide for non-executive directors to assist them with their discussions with their fellow board members and executives. In the paper Cyber security: balancing risk and reward with confidence - guidance for non-executive directors (10 December 2014), BIS sets out some key questions that could be used to shape the management information and metrics requested and the discussion points, which is useful in the context of the increased focus on senior-level accountability in the financial services sector. And if you think about the recent commercial costs for Sony, why wouldn't you want to have that kind of internal discussion?
Public opinion is very important in terms of pulling firms forwards and, generally, consumers seem to welcome UK firms improving security methods through biometrics, i.e. using human physiological features such as fingerprints, veins or the retina. The government and the regulators will need to ensure that large sections of society, unable or unwilling to move in this direction, are not excluded. Brave new world or Orwellian? Either way, biometrics seems to fit the public and regulatory zeitgeist.