Financial technology (fintech) is a prominent topic for the banking and financial services industry worldwide. Its disruptive and innovative technologies bring banking services to populations that never before had access, and make investment and loan processing easier for others. Even so, enterprises implementing fintech need to address the new risk factors associated with it.
Enterprises that implement fintech face cybersecurity risk from integration issues such as compatibility and legacy technologies. Integration of fintech with traditional banking systems may raise concerns regarding data privacy. Fintech enterprises collect large volumes of customer data, including sensitive personal information, making them ripe targets for hackers.
Fintech brings easy access to core banking activities to people who could not access these services previously. These new bank customers have little or no previous awareness of cybersecurity risk and, therefore, may be more exposed to hackers.
Fintech offers easily accessible services through application programming interfaces (APIs) exclusively developed for banks to access the fintech platforms, which is called API banking. The use of open APIs enables third-party developers to build applications and services around the needs of banks, which is called open banking.
The complexities and technical dependencies that exist between various technologies integrated in a fintech ecosystem have made it a very ripe target for hackers. Fintech implementation interfaces with banks, financial service providers and fintech firms, which increases cybersecurity risk as data elements travel through these interfaces.
Fintech-Triggered Cybersecurity Risk
- Third-Party Security Risk: When banks establish formal relationships with fintech service providers to leverage their services, banks take on third-party security risk such as data leakage, service failures, litigation and reputational damage. Banks should consider the fintech-relationship-related risk in their third-party risk management assessment.
- Malware Attacks: Hackers targeting the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system are getting more sophisticated. The SWIFT system is used by banks and financial services organizations worldwide to securely transfer information about financial transactions. The sophistication level of malware is demonstrated by recent cyberattacks on the SWIFT/automated teller machine (ATM) infrastructure of the second-largest bank in India. A recent report illustrates that easily exploitable vulnerabilities are prevalent in banks, and hackers take advantage of these vulnerabilities by launching malware attacks.
- Data Leakages: Financial data such as payment card information and user credentials are vulnerable to data-leakage attacks when banks venture into fintech partnerships with third-party fintech firms. Automated systems that interface with fintech service providers are particularly vulnerable to sensitive financial data leaks.
- Data Integrity Risk: Mobile devices play a predominant role in fintech banking services. If mobile devices without strong encryption algorithms are used for fintech services, integrity issues regarding the financial data that are communicated over the cluster of fintech interfaces may result. Researchers found that the integrity of data that are gathered from fintech applications such as mobile money applications varied dramatically across their samples.
- Cloud Environment Security Risk: Cloud computing is one of the major enablers of a fintech ecosystem. Payment gateways, digital wallets and secure online payments are some of the niche cloud computing services provided in a fintech ecosystem. For example, making payments is very easy and fast through cloud computing. Maintaining the confidentiality and security of financial information is critical to banks and financial services. Lack of adequate cloud security measures can result in compromise and corruption of this sensitive information.
- Application Security Risk: Fintech implementation is driven by various banking systems that need to access financial profiles of banking customers to perform real-time transactions. Applications are always preferred attack vectors due to the vulnerabilities that are hidden in their design and code. IT leaders who are planning to implement fintech need to ensure that foolproof application security measures are implemented to protect the customer data that reside in the various banking systems that will be connected to a fintech platform. Design driven by OWASP guidelines, code reviews and penetration testing need to be performed during fintech integration.
- Digital Identity Risk: Introduction of technology-driven banking using mobile devices with one-time passwords (OTPs) and security codes creates the risk of digital identities of banking customers being misused. Most fintech applications are web applications or services where mobile devices work as the front end. Banks and financial services organizations therefore need to revisit their electronic banking security architecture to address these risk factors before planning for fintech implementation.
- Legacy Banking Systems Are Risk Factors for Fintech Implementation: Globally, banks are struggling to develop and implement new technologies rapidly in response to their underperforming and outdated, non-patched core banking systems, which are vulnerable to various kinds of cyberattacks. While fintech integration will happen with such legacy systems, the fintech platforms will also become preferred targets for hackers. Banks aspiring to get into fintech need to prioritize refreshing their core banking systems.
- Money Laundering Risk: Unlike traditional banking systems, fintech-driven banks are more likely to be used for money laundering activities because fintech often uses cryptocurrency for financial transactions. Cryptocurrencies are an integral element of a fintech ecosystem and are not formally regulated under any global standards or regulations. Use of nonregulated cryptocurrencies can result in money laundering and terrorism funding. Identifying the beneficiary in any fintech-enabled transaction is not possible due to fintech’s pseudonymous nature, which can be a significant support to money laundering operations.
- Blockchain Risk: Blockchain platforms are used as part of the fintech ecosystem of many enterprises. Although blockchain is very efficient and quickly executes transactions, the following significant concerns about the security of blockchain-based transactions in a fintech ecosystem can cause risk to the ecosystem:
  - Blockchain can be hacked like any other platform/protocol. If someone chooses to save their bitcoin and private keys on an Internet-connected device, they can be stolen. After private keys are stolen, secure blockchain architecture and encryption features are of no concern to hackers.
  - Blockchain can be infected by malware. Researchers have demonstrated that botnets have the ability to send messages utilizing the bitcoin network. The Fujacks trojan, a botnet backdoor, has successfully proven that it can remotely control infected computers that are nodes in a blockchain, collect information, and install other malware or tools into the blockchain.
  - Banks have concerns about transaction confidentiality, securing private keys and the strength of cryptographic algorithms that are used in blockchain-based transactions.
  - Any blockchain transaction is dependent on trust between two or more parties. Most people use bitcoins at exchanges and trust that the exchange will look after them. Many money exchange firms are not fully regulated entities. They cannot offer assurance on the transfer of digital currencies.
The increasing number of interfaces in fintech implementation will continue to increase the opportunities for cybersecurity risk. If hackers are successful in their efforts to compromise the fintech platform, the confidence of banking customers in the technology-driven fintech platform banking model may be reduced, which will slow the growth of the fintech industry.