Fraud costs the global economy $5.27 trillion annually. That’s more than the GDPs of the United Kingdom and France combined! The finance sector is particularly vulnerable. In the past year, the number of successful attacks has increased by nearly 40%, while the cost per attack has risen 12.8%.
This context sets the stage for one of FinTech’s biggest challenges and opportunities. FinTech makes it incredibly easy and convenient for people to send and receive money, open accounts, apply for credit and more. But cybercriminals leverage this accessibility to wreak havoc on customers and providers alike.
That’s why KYC (Know Your Customer) technologies must be part and parcel of a successful FinTech product offering. But achieving security goes further than that and must be a part of a comprehensive strategy. No matter whether you’re a challenger, incumbent, or a cross-sector looking to cash in on digital finance, now is the time to evaluate, define and refine your approach to security.
The problem with single access points
Let’s narrow our focus onto two primary actors in finance: challenger banks and financial data aggregators. Both shed light on the issues facing the industry as a whole.
Challenger banks – and to a lesser extent neobanks – are proving serious competition to incumbents. These digital-native financial institutions hold banking licenses, offer a wide variety of services, and can acquire massive amounts of users – all without a single physical branch. Revolut, Monzo, and N26 are just a handful of the prominent disruptors siphoning customers away from legacy banks.
Financial data aggregators are applications that let you add your bank account credentials and view all your banking data in one place. Typically, they are powered by Open Banking APIs and allow you to consolidate all your financial flows in one place and track your cash flow. Mint and YNAB are two names the average consumer is likely familiar with, but this functionality has become widespread in the ecosystem.
While many of these apps only have read access for data, this data stream replete with personally identifiable information is in itself a vulnerability. And not all data aggregators are the same. Whereas Mint is a simple budgeting tool, others like Personal Capital also allow you to open checking, investing and other accounts.
Thus, whether it’s a challenger bank, a data aggregator or any other emerging FinTech technology, we need to pay attention to these use cases as they are more and more becoming the foundation of digital finance solutions. Many startup projects follow this simple framework:
- Users open accounts with their apps
- Users can then connect existing accounts and transfer money into the new one.
In theory, a single point of contact to manage money is the consumer’s dream – and likewise full of opportunity for providers. But as much as everybody loves convenience and lowered transaction costs, security must be factored into the equation. You must be able to answer definitively “yes” to these questions:
- Does your product follow modern security practices?
- What security protocols are in place?
- Can people trust their money to your solution? What about their data?
- How do you guarantee your users are who they claim to be?
Below, we’ve defined a simple checklist to help you identify what you need to create secure digital finance products.
Step 1: Password protection
In the past couple of decades, we’ve come so far in terms of security technologies. From biometrics and authenticators to hardware keys, security has never been so high-tech. But the humble password will continue to be the base layer of protection for the foreseeable future (albeit supplemented with other enhancements).
While decidedly simple, password authentication is simultaneously secure and convenient. The problem is that we are notoriously lazy with creating them. The average person has 100 online accounts, so it’s extremely common to recycle passwords. Worse yet, we have a bad habit of creating passwords that cybercriminals can easily crack. The result is that many of us are one data breach or brute-force attack away from having the plurality of digital accounts put at risk.
Check the chart below, and you’ll see just how quickly a hacker can get a hold of your password.
This goes back to fundamentals, but FinTech providers have to emphasize strong passwords. Ultimately they can do this by:
- Requiring strong passwords for accounts. The same chart above shows just how effective a good password can be.
- Limiting password entries: hackers cannot brute force accounts if they are limited to 5 attempts before temporary blocks and account verification questions are put in place. This must be a unified limit, though, across IP addresses so hackers can’t use botnet attacks to bypass IP restrictions.
- Enforcing 3-6 month password changes. The longer a password is in use, the likelier it has been exposed somewhere, especially if users recycle passwords.
- Partnering with a password manager provider. Password managers allow people to securely generate, manage and store highly complex passwords in a secure digital vault. You don’t need to offer your own but form partnerships with providers or at least provide basic education on the subject for your users. It’s a marketing win and reduces fraud.
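The attempt limit in the list above only works if the counter is scoped to the account rather than to the client's IP address. The following is an added example, not code from the article or from Star, of a per-account limiter with a temporary block; the 5-attempt limit comes from the article, while the window length, block duration, the `LoginLimiter` class and the injectable `clock` are assumptions made for this illustration.

```python
"""Per-account login attempt limiter (added example, not the article's code).

Assumption: failures are counted against the account identifier, so attempts
spread across many source IP addresses still share one counter. Window and
block lengths are constructed defaults; the 5-attempt limit is the article's.
"""
from dataclasses import dataclass
import time


@dataclass
class AccountState:
    failures: int = 0
    window_start: float = 0.0
    blocked_until: float = 0.0


class LoginLimiter:
    def __init__(self, max_attempts=5, window_seconds=900, block_seconds=900,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.block = block_seconds
        self.clock = clock  # injectable for deterministic tests
        self._state = {}

    def _get(self, account):
        return self._state.setdefault(account, AccountState())

    def attempt(self, account, source_ip, password_ok):
        """Return "blocked", "denied" or "ok" for one login attempt.

        In a real service the password check runs only after the block check,
        so a blocked account never learns whether the credential was right.
        The source_ip is logged but deliberately not part of the key.
        """
        now = self.clock()
        st = self._get(account)
        if now < st.blocked_until:
            return "blocked"
        # Start a fresh counting window once the old one has expired.
        if now - st.window_start > self.window:
            st.failures, st.window_start = 0, now
        if password_ok:
            self._state.pop(account, None)  # success clears the counter
            return "ok"
        st.failures += 1
        if st.failures >= self.max_attempts:
            st.blocked_until = now + self.block
            return "blocked"
        return "denied"


def rotating_ip_failures(limiter, account, attempts):
    """Verify the control: feed failures from a different constructed IP each
    time (TEST-NET-3 documentation addresses) and return the outcomes."""
    return [limiter.attempt(account, f"203.0.113.{i}", False)
            for i in range(attempts)]


if __name__ == "__main__":
    frozen = LoginLimiter(clock=lambda: 1000.0)
    print(rotating_ip_failures(frozen, "alice", 6))
```

Because the key is the account, the sixth attempt is rejected even though every attempt came from a different address; an IP-keyed counter would have seen six separate first attempts.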
Step 2: Two-Factor Authentication
Two-factor authentication has grown increasingly common in the past few years. Throughout the tech world, more providers are making it standard.
Two-factor authentication alone doesn’t guarantee safety, but it is a hugely valuable second line of defense, especially when combined with strong passwords.
We are also seeing the rise of multi-factor authentication, one-time passwords and authenticator tools. These are better because they enable access only from certain trusted devices that users can easily set up. Without such a device, users have to go to support to restore access.
We’re even seeing this in payments with technologies like 3D secure for Visa and Mastercard, which brings this heightened security to merchant transactions.
What about Biometrics?
We all use biometrics – either facial scan or fingerprint ID – to unlock our phones, and they are a very secure way to protect accounts. With tools like Apple Pay, for example, you can use your face or even voice to authorize payments.
It’s important to note that neither biometrics nor any other single security measure is bullet-proof by itself. But used in combination with another, they can greatly diminish the risk of attacks.
Step 3: Enhanced KYC Technologies
This is really where things are headed. Strong passwords, 2FA and other security tools like VPNs are a step in the right direction. But we’ve reached the innovation moment in FinTech where it’s time for better KYC technologies to be put into place.
In the digital finance world, many of us have our eyes on blockchain. FinTech blockchain applications are disrupting what KYC/AML can do. With it, providers can quickly validate user information, know the ultimate owner, eliminate duplicate transactions, and ensure no single point of failure.
Further, the blockchain can provide details on the source of funds and provide ongoing monitoring while storing data tagged to each customer’s unique identification number.
This, along with AI-powered solutions, cloud-based API technology and emerging digital identification technologies, will be the real game-changers for growing trust and security in the ecosystem. In addition to blockchain, centralized anti-fraud monitoring is another tool that’s rising in importance.
These systems know users’ most frequent sign-in locations, track previously completed transactions, check security settings, and collect general information about the purchase. Based on this information, the system dynamically decides which barriers and checks are needed to complete the transaction.
For example, if you try to make a purchase on the same website for the third time in a day, then the site can request from you a one-time password sent to your telephone number. Another example could be to ensure you’re aware of a recurring charge by sending an occasional message to confirm these transactions legitimately come from the consumer.
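The two examples above are rules in a risk-based decision engine: the system looks at the user's history and picks the checks the transaction needs. The following is an added illustration, not code from the article or from Star; the `Event` fields, the thresholds (third purchase at one merchant within 24 hours, confirmation on every sixth recurring charge) and the "unfamiliar country" rule are constructed for this example.

```python
"""Risk-based step-up decision engine (added example, not the article's code).

Constructed rules modelled on the article's examples: a repeated purchase at
the same merchant within a day triggers a one-time password, a sign-in from
an unfamiliar country does the same, and every Nth recurring charge gets a
confirmation message. Event fields and thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    user: str
    merchant: str
    country: str
    amount: float
    at: datetime
    recurring: bool = False


def frequent_countries(history, top_n=2):
    """The top_n countries this user has transacted from most often."""
    counts = Counter(e.country for e in history)
    return {country for country, _ in counts.most_common(top_n)}


def decide_checks(event, history, same_merchant_limit=3, recurring_confirm_every=6):
    """Return the set of extra checks required before the transaction completes."""
    checks = set()
    # Unfamiliar location: not among the user's most frequent countries.
    if history and event.country not in frequent_countries(history):
        checks.add("otp")
    # Nth purchase at the same merchant within 24 hours -> one-time password.
    day_ago = event.at - timedelta(days=1)
    same_merchant_today = sum(
        1 for e in history if e.merchant == event.merchant and e.at > day_ago
    )
    if same_merchant_today + 1 >= same_merchant_limit:
        checks.add("otp")
    # Recurring charge: every Nth occurrence, ask the customer to confirm it.
    if event.recurring:
        prior = sum(1 for e in history
                    if e.recurring and e.merchant == event.merchant)
        if (prior + 1) % recurring_confirm_every == 0:
            checks.add("confirm_recurring")
    return checks


def sample_history():
    """Constructed history: daily grocer purchases and two bookshop buys today."""
    base = datetime(2021, 3, 1, 9, 0)
    hist = [Event("alice", "grocer", "GB", 20.0, base - timedelta(days=d))
            for d in range(1, 6)]
    hist.append(Event("alice", "bookshop", "GB", 12.0, base))
    hist.append(Event("alice", "bookshop", "GB", 8.0, base + timedelta(hours=1)))
    return hist


if __name__ == "__main__":
    hist = sample_history()
    third = Event("alice", "bookshop", "GB", 5.0, datetime(2021, 3, 1, 11, 0))
    print(decide_checks(third, hist))
```

The engine returns a set so that several rules can fire at once without requesting the same barrier twice; the caller maps "otp" and "confirm_recurring" to whatever delivery channel it uses.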
The impact of the EU Payment Services Directive
While regulations often trundle along at a snail’s pace, we’ve finally seen some progress with the coming into effect of the Payment Services Directive 2 (PSD2), and providers had better take notice! The sequel is even better than the original. PSD2 takes a tougher stance on protecting customers while creating a more integrated and streamlined European payments market.
Central to this is the Strong Customer Authentication requirement that aims to reduce fraud by making online payments more secure. In short, to accept payments and meet requirements, providers must build additional authentication into their checkout process. Likewise, customers must provide identity verification through two of the three methods seen below:
- Something the customer knows like a password or PIN
- Something the customer has like a phone or hardware token
- Something the customer is like a fingerprint or facial scan
For providers, this definitely means more work to improve their infrastructure, but it’s a great way of improving the ecosystem as a whole.
While PSD2 isn’t a global mechanism, its impact will be similar to the EU’s General Data Protection Regulation (GDPR), which has forced more transparency about how site owners use user data and deploy cookies even outside of Europe because of its extraterritorial effect (if you have site visitors from Europe, you must comply with it). The same is true for PSD2.
The good news is that regulations are quickly catching up. With that, digital finance providers had better catch up too, before a data breach and a failure in compliance costs them millions or billions of dollars.
Secure by design: an opportunity too good to miss
Ensuring security in FinTech isn’t just a cost for organizations to bear. Beyond addressing the core threat that fraud poses to your business, these technologies form the foundation of excellent user-centric digital finance.
With KYC, you can identify risk as early as possible but also leverage it as a strategic tool to deliver your competitive advantage. The benefits don’t end there. With it, you can free your compliance professionals to do higher value-add tasks instead of repetitive identity verification and conflict resolution.
Harness the power of emerging technologies to build trust and ensure your products deliver lower costs, streamlined operations and the excellent user experience your clients deserve. This is the true power of what CX can do to transform digital finance.
Lisa Veretennikova is Product Manager at Star with over 5 years of experience in technology consulting, startups and FinTech. Before joining Star, Liza completed a successful FinTech global product re-launch and re-branding that reached over 3 million customers in the EEA, APAC and US markets. As a member of Star’s FinTech team, she provides industry expertise and helps customers around the world better understand the ecosystem and find new opportunities to streamline product growth.
As Director of Strategy and Insight at Star, Ed Adamson harnesses his hybrid background to combine design execution with creative strategy and innovation, translating insight complexity into tech-driven opportunities in Digital Finance.
For 20+ years, he has guided global leaders across Financial Services, Healthcare and Consumer Goods sectors, empowering them to embrace business challenges as strategic openings to deliver market value across many touchpoints.