Retail banks are in a tough spot: they know digital transformation is necessary but face competing priorities and concerns about risk. After all, major changes traditionally come with unique risks. But what are those, exactly?
Working alongside our clients, we’ve seen common themes develop. To help equip other digital transformation leaders, we highlight three key threats to retail banks in 2019.
Open banking: The bad surprise in some APIs
Naturally, any area of banking with limited control invites risk. With open banking initiatives and open application programming interfaces (APIs), customers enjoy greater convenience by sharing their data with other financial institutions and third parties. They can easily transfer funds, compare products and switch banks, among other things. Overall, this provides a better banking experience and allows customers and third parties to execute direct transactions without going through the bank.
But this creates a risk challenge for traditional banks still working to address these open standards. Banks tied to outdated processes and lagging legacy systems lack the means to prepare for, detect or respond to security threats open APIs may create. Aggregated transaction, balance and payments data are often housed in third-party providers’ infrastructure. Given the sheer multitude of providers and systems each uses to store and secure customer data, confidence in safety is low at best.
Then there’s the customer behavior surrounding these open standards, which banks also cannot control. For example, a customer may download and use a third-party app to manage his finances—which means letting the app access his account. As pointed out in an article by PTP, this creates a security gap. Unbeknownst to the customer, the third-party app may be malicious and use the customer’s permissions to steal his funds. An ill-equipped bank may fail to identify this activity as fraudulent.
Crowdfleecing: Money laundered through open investment
As the digital revolution marches forward, criminals continue to concoct increasingly complex, deceptive ways to commit fraud. Transaction platforms that never raised fraudulent suspicions before are now used to move money internationally—one clear example comes via crowdfunding. While the Jumpstart Our Business Startups Act of 2012 (JOBS) provided ample opportunities for growth companies to seek funds without a slew of regulations halting progress, it also provided a financial vehicle for bad actors on both sides of the crowdfunding equation—scammers, fake investors and terrorists among others.
Here’s how it works: The crowdfunding campaigns, public or private, are presented as legitimate business transactions, while illicit dealings occur behind the scenes. The JOBS Act’s looser regulations enable bad actors to integrate their nefarious activities into the financial system.
Let’s say a narcotics distributor with an enterprise entity sets up an illegal drug transaction. The distributor creates a crowdfunding campaign to support what look like “real” products from a legitimate business. A bad actor who knows what’s really being offered poses as a potential stakeholder and “invests” in the campaign. The exchange occurs and the distributor receives the funds, while the investor gets the products: narcotics. For appearance’s sake, the fake investor also receives equity, but this is of course part of the overall sham.
Similarly, crowdfunding can also fund terrorism. In this case, a seemingly legitimate company is installed as an honorable entity, such as a charity. Under the guise of lending aid to a worthy cause, participating investors in effect funnel money abroad to terrorist organizations. In the financial system, this would present itself as an acceptable set of transactions and not raise any concerns.
Legacy systems: The downsides of upgrades
The last threat concerns technology already within the bank: legacy systems. Beyond the cost of maintaining this burdensome tech—usually three-fourths of a bank’s IT spend, according to Celent research—they hinder progress toward digital transformation. What’s more, modern capabilities require modern technology and workers adept in it. Meanwhile, as senior knowledge workers retire, so do their skills and experience with legacy systems.
These systems were never designed to handle the complex applications and services of today’s digital landscape. For example, big data is a big ask for older mainframes not built to handle the sheer volume and types of structured and unstructured data points. They struggle to capture, store and analyze this data to the degree bank leaders require.
Banks typically patch or upgrade the system, but attempting to mimic the standard capabilities of modern, cloud-based infrastructure this way is costly and dangerous. For one thing, patching adds further complexity to an already convoluted tech ecosystem. This leads to increased maintenance costs and risk of system failure.
Many such stories have emerged over the past few years. Notoriously, the Royal Bank of Scotland experienced a massive system failure in 2012 that left customers without bank services for weeks. Why? A failed upgrade to its batch processing system. And if that wasn’t bad enough, RBS experienced another failure the very next year. That left customers without key banking services on, of all days, Cyber Monday.
Additionally, the CEO of British bank TSB was forced to step down after migration issues during the switch from a legacy IT system. Customers reported lockouts from their accounts, while others gained unintentional access to strangers’ bank accounts.
These are just three examples of risk, but each presents a significant threat to banks and their customers. Bank leaders will need to seek out machine learning solutions that safeguard their digital transformation efforts and protect their operations and customers. Secure, frictionless customer experience and transactions are the key.
Phong Q. Rock is senior vice president, Corporate Strategy & Global Business Development at Feedzai.