No matter the type of FinTech product or venture, secure digital finance solutions form the bedrock of any scalable idea. The reason for this is readily apparent: FinTechs exclusively deal with people’s money and most sensitive data. And the repercussions of even one data breach or hack are lethal to companies, let alone the clients they affect. One survey by PricewaterhouseCoopers (PwC), one of the “big four” multinational accounting firms that works in cybersecurity, found that 87% of consumers are ready to walk away and take their business elsewhere if, or when, a data breach occurs.
This highlights the high priority of finance technology security that must become standard within the digital products, new or old, developed by banks, startups or anyone working within FinTech. With experience in developing everything from blockchain applications and IoT services to FinTech builders and digital ventures, the experts at Star have compiled below the must-know tips and trends for any cybersecurity strategy in finance products.
Essential FinTech cybersecurity strategies
The finance sector is particularly vulnerable to cybersecurity breaches – with fraud costing the global economy $5.1 trillion annually. If cybercrime were measured as a country, it would be the third-largest economy in the world after the US and China. And in the past year, just in the US, the average number of successful attacks has increased by roughly 15%, while the cost per attack has risen between 6.7% and 9.9%.
While cybercrime clearly poses a growing challenge, this context sets the stage for FinTech’s biggest opportunity: KYC, or Know Your Customer, technologies.
FinTech makes it incredibly easy and convenient for people to send and receive money, open accounts, apply for credit and more, but cybercriminals leverage this accessibility to wreak havoc on customers and providers alike. That’s why KYC tech must always be part and parcel of a successful FinTech product offering. But achieving security goes further than that and must be a part of a comprehensive strategy. No matter whether you’re a challenger, incumbent, or a cross-sector looking to cash in on digital finance, now is the time to evaluate, define and refine your approach to cybersecurity in FinTech.
The new reality of FinTech security issues
Let’s narrow our focus onto two primary actors in finance: challenger banks and financial data aggregators. Both shed light on the issues facing the FinTech industry as a whole.
Challenger banks – and to a lesser extent neobanks – are proving serious competition to incumbents. These digital-native financial institutions hold banking licenses, offer a wide variety of services and can acquire massive amounts of users – all without a single physical branch. Revolut, Monzo, and N26 are just a handful of the prominent disruptors siphoning customers away from legacy banks.
Financial data aggregators are applications that enable you to add your bank account credentials and view all your banking data in one place, consolidate your financial flows, and track cash flow analysis – and these are typically powered by Open Banking APIs. Mint and YNAB are two names the average consumer is likely familiar with, but this functionality has become widespread in the ecosystem.
While many of these apps only have read access for data, this data stream – replete with personally identifiable information – is a huge vulnerability. And not all data aggregators are the same. Whereas Mint is a simple budgeting tool, others like Personal Capital also allow you to open checking, investing and a variety of accounts.
Thus, whether it’s a challenger bank, a data aggregator or any other emerging FinTech technology, we need to pay attention to these use cases, as they are increasingly becoming the foundation of digital finance solutions.
Now, many startup projects also follow this simple framework:
- Users open accounts with their apps
- Users can then connect existing accounts and transfer money into new ones
In theory, a single point of contact to manage money is the consumer’s dream – and likewise full of opportunities for providers. But as much as everybody loves convenience and lower transaction costs, FinTech security requirements must be factored into the equation. You must be able to answer a definitive “yes” to these questions:
- Does your product follow modern security practices?
- What security protocols are in place?
- Can people trust their money to your solution? What about their data?
- How do you guarantee your users are who they claim to be?
Below, we’ve defined a simple checklist to help you identify what you need to create secure digital finance products.
Three steps for delivering secure FinTech products
Step 1: Password protection – the key to any FinTech cybersecurity strategy
In the past couple of decades, FinTech products have come so far in terms of security technologies. From biometrics and authenticators to hardware keys, cybersecurity across the FinTech sector has never been so advanced. But the humble password will continue to be the base layer of protection for the foreseeable future (albeit supplemented with other enhancements).
While decidedly simple, password authentication within financial services is simultaneously secure and convenient. The problem is that passwords for payment services are notoriously repetitive. The average person has 100 online accounts, so it’s extremely common to recycle passwords. Worse yet, users have a bad habit of creating passwords that cybercriminals can easily crack. The result is that many people are one data breach or brute-force attack away from having many of their digital accounts put at risk.
Check the chart below, and you’ll see just how quickly a hacker can get a hold of your password.
Now, how can FinTech providers protect passwords?
This goes back to fundamentals, but FinTech providers have to emphasize strong passwords. Ultimately they can do this by:
- Requiring strong passwords for accounts. The same chart above shows just how effective a good password can be.
- Limiting password entries: hackers cannot brute force accounts if they are limited to 5 attempts before temporary blocks and account verification questions are put in place. This must be a unified limit, though, across IP addresses so hackers can’t use botnet attacks to bypass IP restrictions.
- Enforcing 3-6 month password changes. The longer a password is in use, the likelier it has been exposed somewhere, especially if it’s a recycled password.
- Partnering with a password manager provider. Password managers allow people to securely generate, manage and store highly complex passwords in a secure digital vault. You don’t need to build your own password manager; instead, form partnerships with providers, or at least provide basic education on the subject for your users. It’s a marketing win and reduces fraud.
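The attempt limit described above, keyed on the account rather than the source IP so that spreading guesses across a botnet doesn’t reset the counter, as an added example (not code from the original article; the 15-minute block length and the class and method names are assumptions):

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 5          # the article's figure: five tries before a temporary block
BLOCK_SECONDS = 15 * 60   # assumption: how long the temporary block lasts

class AccountLoginLimiter:
    """Limit failed logins per *account*, not per source IP. A botnet that spreads
    guesses over many addresses still shares one counter, so rotating IPs does not
    bypass the limit. Source IPs are kept only for the audit trail."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.blocked_until = {}             # account -> time the temporary block ends
        self.audit = []                     # (time, account, ip, outcome)

    def attempt(self, account, ip, password_ok):
        """Return 'ok', 'denied' or 'blocked'. A 'blocked' result means the caller
        must refuse the login and route the user to account verification questions."""
        now = self.clock()
        if now < self.blocked_until.get(account, 0):
            self.audit.append((now, account, ip, "blocked"))
            return "blocked"
        if password_ok:
            self.failures[account].clear()
            self.audit.append((now, account, ip, "ok"))
            return "ok"
        # keep only failures inside the current window, then add this one
        recent = [t for t in self.failures[account] if now - t < BLOCK_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.blocked_until[account] = now + BLOCK_SECONDS
            self.audit.append((now, account, ip, "blocked"))
            return "blocked"
        self.audit.append((now, account, ip, "denied"))
        return "denied"

def demo():
    """Five wrong guesses from five different IPs still lock the account, and the
    correct password is refused for the rest of the block window."""
    t = [1000.0]                                   # constructed fake clock
    lim = AccountLoginLimiter(clock=lambda: t[0])
    results = [lim.attempt("alice", f"10.0.0.{i}", False) for i in range(5)]
    t[0] += 60                                     # one minute later
    return results, lim.attempt("alice", "10.0.0.9", True)
```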
Step 2: Two-factor authentication in FinTech
Two-factor authentication (2FA) has grown increasingly common in the past few years – especially throughout the finance technology security world. In terms of building user trust, 2FA has come to define the backbone of any of today’s best banking solutions because it offers supplemental levels of finance technology security to protect any transaction from becoming compromised.
FinTech products are also seeing the rise of multi-factor authentication, one-time passwords (OTP) and authenticator tools. These can be helpful because they enable access only from certain trusted devices that users can easily set up. Without such a device, users have to go to support to restore access. Yet one big issue that experts are finding with 2FA is that these methods typically rely on cell phone numbers and SMS messages. Gaining access to a phone number is not as difficult as one might think – and hackers have devised a number of specific ways to accomplish this. These include infecting a smartphone with malware and intercepting the OTP SMS message through the phone’s internet connection, or even impersonating the target to get the user’s phone number transferred by contacting the telecom service provider directly.
FinTech cybersecurity strategies need to start seriously considering far more secure alternatives to SMS as the primary form of 2FA. Some better methods include:
- GPS authentication: this option allows banks or other payment providers to utilize mobile GPS data gained via their apps to assess whether a transaction aligns with the location of the user’s mobile device.
- IP authentication: this method only allows logins from known IP addresses, confirmed on a vendor’s database, and blocks access to IPs that are suspected of being malicious.
- Software authentication: With the use of token codes created through mobile applications like Google Authenticator, this form is beneficial for FinTechs and users because it doesn't rely on the phone network for authentication.
- Hardware authentication: this is similar to the previous method, but instead of an app it uses a physical device which, along with a password, creates a unique and temporary code that enables the user to gain access to a system. However, these devices have been known to get lost or stolen, leaving users unable to access their accounts until the device is recovered or replaced.
What about biometric authentication?
We all use biometrics – either facial scan or fingerprint ID – to unlock our phones, and they are a very secure way to protect accounts. With tools like Apple Pay, for example, you can use your face or even voice to authorize payments.
It’s important to note that biometrics, or any single security measure by itself, isn’t bullet-proof. But used in combination with another, they can greatly diminish the risk of attacks. We’re even seeing this method in secure payment solutions with technologies like 3-D Secure for Visa and Mastercard, which brings this heightened security to merchant transactions.
Step 3: Enhanced KYC technologies
This is really where things are headed. Strong passwords, 2FA and other financial security services like VPNs are a step in the right direction. But we’ve reached the innovation moment in FinTech where it’s time for better KYC technologies to be put into place.
In the digital finance world, many of us have our eyes on blockchain. FinTech blockchain applications are disrupting what KYC/AML can do. With it, providers can quickly validate user information, know the ultimate owner, eliminate duplicate transactions and ensure no single point of failure.
Further, the blockchain can provide details on the source of funds and ongoing monitoring while storing data tagged to each customer’s unique identification number.
This, along with AI-powered solutions, cloud-based API technology and emerging digital identification technologies, will be the real game-changer for growing trust and security in the FinTech ecosystem. In addition to blockchain, centralized anti-fraud monitoring is another tool that’s rising in importance.
These systems know users’ most frequent sign-in locations, track previously completed transaction information, check security settings and general information about the purchase. Based on this information, the system dynamically decides which barriers and checks are needed to complete the transaction.
For example, if you try to make a purchase on the same website for the third time in a day, then the site can request from you a one-time password sent to your telephone number. Another example could be to ensure you’re aware of a recurring charge by sending an occasional message to confirm these transactions legitimately come from the consumer.
Secure payments & the impact of the EU Payment Services Directive 2
While regulations often trundle along at a snail’s pace, we’ve finally seen some progress with the coming into effect of the Payment Services Directive 2 (PSD2) – and providers better take notice! The sequel is even better than the original. PSD2 takes a tougher stance on protecting customers while creating a more integrated and streamlined European payments market.
Central to this is the Strong Customer Authentication requirement that aims to reduce fraud by making online payments more secure. In short, to accept payments and meet FinTech security requirements, providers must build additional authentication into their checkout process. Likewise, customers must provide identity verification through two of the three methods seen below:
- Something the customer knows like a password or PIN
- Something the customer has like a phone or hardware token
- Something the customer is like a fingerprint or facial scan
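The dynamic step-up decision described under Step 3 (a third purchase on the same site today triggers an OTP; an unfamiliar location or a large amount triggers more) combined with the PSD2 two-of-three rule just listed, as an added example, not code from the original article: the thresholds, the factor labels and the sample transactions are constructed for illustration.

```python
from dataclasses import dataclass

# The three SCA categories come from the text; the factor labels are our own.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "phone_otp": "possession", "hardware_token": "possession",
    "fingerprint": "inherence", "face": "inherence",
}

def sca_satisfied(presented):
    """Strong Customer Authentication needs factors from two *distinct* categories:
    password + PIN are both 'knowledge' and do not count."""
    categories = {FACTOR_CATEGORY[f] for f in presented if f in FACTOR_CATEGORY}
    return len(categories) >= 2

@dataclass(frozen=True)
class Txn:
    user: str
    site: str
    amount: float
    country: str   # assumption: already resolved from GPS or IP geolocation
    day: str       # YYYY-MM-DD

def required_checks(txn, history, usual_countries):
    """Decide which barriers this transaction needs from what the monitoring
    system already knows: earlier purchases today, usual locations, amount.
    Thresholds are constructed policy values, not figures from the article."""
    checks = []
    same_site_today = sum(1 for t in history
                          if (t.user, t.site, t.day) == (txn.user, txn.site, txn.day))
    if same_site_today >= 2:                      # this is the third purchase there today
        checks.append("otp")
    if txn.country not in usual_countries.get(txn.user, ()):
        checks.append("location_confirmation")
    if txn.amount >= 250:
        checks.append("sca")
    return checks

# What satisfies each barrier (constructed policy).
SATISFIED_BY = {
    "otp": lambda f: "phone_otp" in f,
    "location_confirmation": lambda f: bool({"phone_otp", "hardware_token", "face"} & f),
    "sca": sca_satisfied,
}

def authorise(txn, history, usual_countries, presented_factors):
    """True only when every required barrier is met by the presented factors."""
    presented = set(presented_factors)
    return all(SATISFIED_BY[c](presented) for c in required_checks(txn, history, usual_countries))
```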
For FinTech providers, this definitely means more work for them to improve their infrastructure but it’s a great way of improving the ecosystem as a whole.
While PSD2 isn’t a global mechanism, its impact will be similar to the EU’s General Data Protection Regulation (GDPR) which has forced more transparency about how site owners use user data and deploy cookies even outside of Europe because of its extraterritorial effect (if you have site visitors from Europe, you must comply with it). The same is true for PSD2.
The good news is that regulations are quickly catching up. With that, digital finance providers better catch up before a data breach and failure in compliance costs them millions or billions of dollars.
Secure payment solutions by design: an opportunity too good to miss
Ensuring security in FinTech isn’t just a cost for organizations to bear. Beyond mitigating fraud, the core threat to your business, these technologies form the foundation of excellent user-centric digital finance.
With KYC, you can identify risk as early as possible but also leverage it as a strategic tool to deliver your competitive advantage. The benefits extend further still. With it, you can free your compliance professionals to do higher value-add tasks instead of repetitive identity verification and dispute resolution.
Harness the power of emerging technologies to build trust in FinTech and ensure your products deliver lower costs, streamlined operations and the excellent user experience your clients deserve. This is the true power of what CX can do to transform digital finance.