Commissioned by OneSpan
1 Executive Summary
The financial services industry faces a number of increasingly difficult challenges today. Organizations in this industry have often been at the forefront of adopting risk management strategies and tactics in order to survive and remain profitable. Eighty-four percent of bank executives reported that cybercrime was their top concern in 2018[1]. Cybercrime has evolved significantly, and financial institutions must guard against many kinds of cyber threats, including phishing, malware, insider fraud, transaction fraud, transaction skimming, and account takeover fraud. In the US alone, 134 incidents affecting millions of consumers were reported against financial sector companies in 2017, and 84 more were reported in the first half of 2018 alone[2]. New attacks are discovered daily; as a recent example, HSBC disclosed in October 2018 that an unspecified number of consumer accounts had been compromised[3]. Earlier in 2018, Europol's Joint Cybercrime Action Taskforce arrested 20 cybercriminals who had made €1M by harvesting user credentials via phishing emails[4].
Regulatory compliance is another top concern among banking executives. Banks and financial institutions operating in different regions around the world are subject to regulations in categories such as Know Your Customer (KYC) and Anti-Money Laundering (AML). Local variations exist, and banks must understand the differences and similarities and implement RegTech solutions accordingly. The finance industry in the European Union must comply with the General Data Protection Regulation (GDPR), which governs the use of personal data. The Regulatory Technical Standards (RTS) of the Revised Payment Services Directive (PSD2) take effect in the EU in September 2019. PSD2 mandates Strong Customer Authentication (SCA) and the exposure of core banking functions via APIs to Third Party Providers (TPPs). Similarly, financial services companies in New York must implement multi-factor authentication in accordance with New York's Cybersecurity Regulation issued by the Department of Financial Services.
Finance has historically been one of the more current industries in terms of cybersecurity. For financial institutions, the risk of monetary loss due to fraud has always been a significant concern, even more so in the era of digital transformation. With the risk of loss due to cybercrime an ever-present danger in the minds of finance managers, banks tend to update their cybersecurity and identity management solutions vigilantly. In fact, banks typically invest 1-5% of annual revenue in these solutions. However, cybercriminals are constantly innovating, and their techniques and tools keep getting more advanced. Those charged with protecting financial assets must likewise stay on top of developments to ensure that their defenses meet the risk mitigation goals of each particular financial enterprise.
Businesses in the financial industry usually have similar goals:
- Increase revenue
- Minimize fraud
- Avoid fines associated with regulatory non-compliance
To reach these goals, most financial institutions likewise have similar objectives:
- Simplify and enhance the consumer experience, to retain existing and attract new customers
- Improve the security posture across all layers to reduce the risk of fraud
- Achieve compliance with all relevant regulations within the jurisdictions in which they operate
In this paper, we consider the threats and risks faced by the financial sector and examine the regulations that are changing the landscape. We also review historical and state-of-the-art identity and access management (IAM) and cybersecurity technologies and practices, and discuss the features of OneSpan's Intelligent Adaptive Authentication solution with regard to meeting the challenges facing the finance sector today.