Risk management and fintech compliance
As new innovations are being developed, those responsible for risk management and IT security are facing increasingly critical issues. Managing these issues can become an opportunity for improvement and growth.
In 2016, Carolyn Wilkins, Senior Deputy Governor of the Bank of Canada, stated: “While it is important to filter out the hype surrounding fintech, I am convinced that it could have a net positive impact on the financial system, provided the risks are adequately managed.”
The cyberattack on Equifax in 2017 was a reminder that, when it comes to ensuring that risks and sensitive data are “adequately managed”, nothing can be taken for granted.
Banks are vulnerable to cyberattack as well. In 2018, India’s Cosmos Bank fell victim to a new type of attack: hackers installed malware onto its ATMs and were able to siphon off the equivalent of $13.5 million in just two hours.
Closer to home that same year, hackers stole financial information concerning 90,000 clients of BMO and Simplii Financial, a subsidiary of CIBC. Also in 2018, the Senate of Canada sounded the alarm on the state of cybersecurity: “While banks have the knowledge and experience in combatting cyber security attacks, (…) the recent cyber attacks on the Bank of Montreal and Simplii Financial, a subsidiary of Canadian Imperial Bank of Canada, show that even those companies that are highly regulated and have arguably the best cyber security defences against attacks, have their weaknesses.” There has even been talk of a crisis of confidence between institutions and their clients.
As an indication that the risks are evolving at the same pace as innovations, data theft and cyberattacks are not only making headlines daily, they are reported to be among the five most likely global threats in 2019, according to a report by the World Economic Forum (WEF).
At a time when institutions are more closely interconnected than ever and interoperability among payment services is becoming a regulatory standard in a growing number of jurisdictions, risk management and financial technology (fintech) compliance must become a top priority for organizations. As mobile banking transactions become the norm, and as the level of interconnectedness among services and organizations intensifies and the number of potential failures rises, “what matters to one provider matters to all as large cases of fraud, for example, affect not just consumer trust in one provider but in the market and promise of digital financial inclusion as a whole.”
Two examples of technology risk
With regard to digital financial services, technology risk signifies a technical failure that prevents a transaction from being carried out or an objective from being met. Examples include payments, wire transfers, withdrawals, deposits, purchases or transfers. This failure can be caused by a bug, a defect in the software design that opens the door to a cyberattack, or a failure of communication systems or devices (apps, software, platforms, networks, terminals) enabling a transaction to be completed.
1. Application programming interfaces (APIs)
APIs are the “bricks and mortar” that make up the foundation of the digital economy. As they allow various programs and systems to interact and share data, the protection and confidentiality of the data exchanged are critical. Since banking products and services are increasingly becoming digital products and services, there are now “aggregators” to help consumers centralize the management of different accounts using a single mobile app. It is estimated that some 3 million Canadians use at least one financial aggregator service. APIs are central to this innovation. As the number of cyberattacks per year is reaching double digits, it’s hardly surprising that attacks through vulnerable APIs are expected to become the leading cause of data leaks. In a report released in 2018, the Canadian Centre for Cyber Security noted that “stealing personal and financial information is lucrative for cybercriminals and is very likely to increase.” A word of advice: Lock the mobile device that contains your financial applications. If your device is stolen, access to your accounts will at least be protected.
2. Cloud computing
Banks are among the largest investors in cloud-based solutions to manage their online and mobile platforms. While these solutions are becoming unavoidable, there are inherent risks related to how they operate, with regard to both the protection of personal information and the security of data and transactions. Once an institution migrates its operations to the cloud, depending on the level of service it adopts (IaaS, SaaS, PaaS), it agrees to give up full or at least partial control over its operations, its property, and the sound management, accessibility and continuity of its data and client information, among other things. In 2009, a hacker succeeded in installing a command module on Amazon’s cloud service, infecting 4 million computers. A decade later, cloud-based solutions continue to be the target of choice, and there are no signs of the trend reversing.
In its 2016 High Performance Security Report, Accenture revealed that Canadian organizations are among those that invest the least in cybersecurity. Even more worrisome, “only 28% of organizations would invest the extra cash in efforts that would directly affect their bottom lines, such as mitigating against financial losses. And only 17% would invest in cybersecurity training.”
A sign that this is a hot-button issue, but one that continues to be underestimated, we have shifted from talking about cybersecurity to cyber resilience: “The exploding phenomenon of externalized systems and data, as well as the proliferation of incidents impacting those services, must lead businesses to adopt cyber resilience.”
An opportunity to stand out
The various players involved in financial services, at companies of all sizes and at financial institutions, whether they are end users, intermediaries or suppliers, have never before faced such a combination of regulatory, economic and technological issues.
Thanks to our experience managing large-scale projects in the private, public and parapublic sectors, at Cofomo we have the expertise and a reputation you can count on. With regard to the issues addressed above, we can guide you in three ways:
1. Development of software, applications and application programming interfaces (APIs) enabling you to offer high-quality (i.e. robust, powerful, secure and user-friendly) solutions to your clients.
2. Implementation of a technology risk management strategy based on standards such as ISO 31000 – Risk management, which provides “principles, framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector.” When applied to digital financial services, our approach entails quickly pinpointing technology risks and determining how they could affect the rollout of your solutions and how you can manage them appropriately.
3. Guidance in implementing a compliance management plan in accordance with regulatory requirements. As you may recall, the Guideline on Information and Communications Technology Risk Management published by the Autorité des marchés financiers (AMF) came into effect on June 1, 2019. “With respect to the legal requirement of institutions to follow sound and prudent management practices, the AMF expects each institution to have developed strategies, policies and procedures based on its nature, size, complexity and risk profile.”
Now more than ever, managing risk and compliance will play a decisive role in value creation and the way in which innovation drives your organization to new heights in terms of growth and profitability. In September 2017, Cofomo qualified as a partner of choice in cloud computing for the Quebec government’s public sector. Looking for a trusted partner? Contact us.