Recent global economic progress, particularly in developing countries, has brought with it increased financial inclusion for the majority of the world’s populace, meaning more and more people are now banked compared to 10 years ago when the global recession hit the markets. As more people join the banking sector, the world economy in turn becomes entrenched in the globalization paradigm. The implication for the banking sector is that it must deal with the sophistication of the global economy, which has brought with it new and sophisticated forms of banking security risks, three of which are rearing their ugly heads in 2016 and beyond. The three greatest banking security risks are: 1. Cyberattacks, 2. Fraud, 3. Regulation.
If there is one thing that globalization demands, it is that banks break regional barriers and at the same time become interconnected. That is, one bank must operate beyond national barriers and at the same time be able to operate as a branch of another, competing bank, no matter where the secondary bank is located in this global world. To meet these two demands of globalization, banks have no choice but to utilize connectivity technologies. Connectivity, however, brings with it banking security risks that the banks must face head-on as they progress into the future of banking.
The immediate risk that connectivity poses to banking security is cyberattack. For banks to provide their services seamlessly beyond borders, or to maintain “branchless” banking solutions by deploying mobile banking through SMS/USSD or smart apps platforms, or through the traditional Internet banking platforms, they need to interconnect over Internet protocols, be it via Cloud or through VPN options.
The problem with Internet connectivity solutions is the increased incidence of cyberattacks. According to a study by PwC published at SAP.com, “the number of security incidents across all industries rose by 38% in 2015. That’s the biggest increase in the 12 years since the global study was first published.” The increased cyberattacks haven’t spared the banking sector. For example, six months ago we reported how Qatar Bank, which was at the centre stage of the Chase Bank debacle, had been hacked and customer information posted online via a Google Drive document, a document that has since been pulled down. The good news is that, according to the PwC report, the financial sector detected “three percent fewer cyber attacks in 2015 than in the previous year, and their financial losses fell by 12% over the same period”.
Cyber criminals who target financial institutions take advantage of weak connectivity infrastructure, vulnerable personnel, and outdated technology devices and systems. The banking industry is, for instance, advised to take advantage of connectivity solutions like those offered by Internet Solutions to ensure that its connectivity infrastructure is secured against malicious attacks. In addition, the banking sector must continuously train its personnel on how to deal proactively and reactively with banking security incidents, as this approach was found to have played a great role in the reduction of the rate of cyberattacks in 2015.
Over the last year, at least three banks in Kenya have collapsed due to fraud. Sadly, the fraud that led to the collapse of Imperial Bank, Dubai Bank and Chase Bank was not the type of fraud orchestrated by low-level IT managers who tweak the banking systems in order to channel customer deposits to their own accounts, but fraud by top-level management (directors), who took advantage of laxity in the banking laws to reward themselves with unsecured loans that they had no intention of repaying.
The fact that the collapsed banks had top-level managers to blame doesn’t mean that the middle- and low-level managers don’t have ways to play around with the banking system in order to hit the get-rich-quick road. According to reports we have been receiving from several banking staff across the banking sector, IT managers have always found ways to defraud the banks to the tune of millions per year. This is confirmed by a report by Business Daily that narrated how Kenyan banks lost Sh1.7bn to fraudsters in 3 months in 2010.
Over the years, banks have tried to put in place measures to safeguard against internal fraud, measures that have helped to reduce the number of reported incidents of internal fraud. These measures have, however, not eradicated the vice in totality, and as banks progress towards total financial inclusion, those concerned with banking security ought to ensure that the banking sector gains 100% trust from depositors.
3. Regulation as a measure to deal with banking security
It’s not just the banks that are worried about banking security risks – governments too are worried. In July this year the Central Bank of Kenya organized a workshop for select journalists and bloggers, of which I was part. During the workshop, one of the items delivered was the situation of collapsed banks and what CBK was doing to ensure that such collapses don’t occur in the future. I personally suggested that CBK come up with a regulation that bars bank directors from borrowing from their own banks – and that at whatever other bank the directors were to borrow from, they should be subjected to the same terms and conditions of loans that any other ordinary borrower is subjected to.
Elsewhere, governments have come up with regulations that require banking personnel to be trained in specific banking security modules in order to deal with the increased incidence of internal fraud that takes advantage of banking security systems, including requiring the banks to hire Chief Security (tech) Officers to help deal with both hacking and fraud incidents.
As much as these regulations are well intended, Zafin.com listed Regulation as the second most important banking challenge in 2016, a challenge that was derived from the 2015 Banking Banana Skins by The Centre for the Study of Financial Innovation in New York, and PwC. In its overview of Regulation as a banking security challenge, Zafin noted as follows:
While bankers recognize the need for tougher controls, concerns were raised about the volume and complexity of current regulation which were stated to eat into management time and overall industry margins. Bankers were also concerned about the impact of rising regulatory requirements on innovation and diversity, as well as their ability to compete effectively against smaller players who are not exposed to the same regulatory scrutiny.
When regulation is allowed to interfere with technology adoption and innovation, then to that extent regulation becomes a banking security risk. For instance, regulations that eat into banks’ profit margins mean the banks may decide not to update their technology infrastructure as quickly as desired, and the latency period would be sufficient for cyber criminals to find loopholes in the banking system worth exploiting.