FinTech: at the time of the digital revolution how well are the risks understood?
The FinTech phenomenon is on the rise around the world, and also in France where numerous start-ups are making their presence felt. In June 2015, the association France Fintech was created for the purpose of uniting and promoting the activities of the different players in this sector by putting them in touch with customers, investors, public authorities and the banking ecosystem.
A rapidly growing market
On the global scale, investments in the FinTech sector multiplied tenfold between 2010 and 2015 to reach $22 billion. The amount invested in 2016 is estimated to be $36 billion, with this substantial increase being due to the arrival of several major financial players wishing to secure their share in this very promising market.
In October 2015, the European Commission also adopted Directive PSD2, providing a legal framework promoting the use of innovative and disruptive solutions for banking and payment services. This new Directive has helped to change the definition of “payment institution” by making it more flexible and enabling new third parties to enter the market for banking services, which represents a real opportunity for the FinTech players.
This Directive has been in force since January 1st 2016 in all countries within the European Union and has substantially modified the role of these new entrants into the banking landscape. These new regulations require the banks to open up to these new entrants by developing APIs that allow the FinTech players to interact with their banking applications and have access to some customer data. This new context, seen initially as a threat by the traditional financial institutions, has turned into an opportunity for the banks that have speeded up their digitalization process.
In fact, the banking institutions’ digital transformation strategy has embraced this change and the big banks have not hesitated to create partnerships or acquire FinTech start-ups. Societe Generale, for example, bought Fiduceo, and BNP joined Station F, Xavier Niel’s project and the biggest start-up campus in the world, located in Paris. The disruption caused in the banking industry by FinTech is due both to the evolution and simplification of services to customers, thanks to an improved user experience and greater flexibility, and to the new technologies that are becoming the medium for these innovative services.
Smartphones: Pillar of the FinTech companies
The way that FinTech companies have evolved over the past few years has been driven by two major factors that have been the catalyst for growth in the sector. On the one hand, the financial crisis in 2008: the markets collapsed and the big investment banks went under. Investors no longer trusted the big financial institutions that were losing money, and a certain number of them preferred to turn to the promising digital enterprises in Silicon Valley.
Second factor: 2008 was also the year in which the blockchain was created, and the year when smartphones appeared, following the revolution initiated by Apple in 2007 with the launch of the iPhone. As the solutions offered by the FinTech players were disruptive and based on flexibility and simplicity of use, their growth was further boosted by the widespread availability of smartphones, which have become an everyday necessity. The expansion of the FinTech sector was thus encouraged by the level of maturity attained by smartphones and the applications that they host, which in turn helped them to develop and provide their services directly to users.
The smartphone is also a major vector in the transformation of payment methods, generally agreed to be one of the areas most remodeled by the FinTech revolution. The smartphone is not only the device that provides access to the services, but is also becoming the means of payment with NFC chips, in the same way as a bank card. Applications such as Lydia also make it possible for users to transfer money to their contacts free-of-charge and without having to make the normal bank transfer.
From the very launch of Apple Pay on iPhone, vulnerabilities in the design of the function led to a fraudulent-transaction rate of 6% in 2016, since any card could be used to make payments, without the CVV number and without any verification of the user’s identity.
However, the security of FinTech companies cannot simply rely on that of smartphones and it must take into account all the links in the chain: from the design of the service to the data center where the company hosts its infrastructures.
Control of technology and security of the devices: major risk factors
The programming, the infrastructures used and the user’s device are the key elements that are critical to the reliability, robustness, security and integrity of a financial service. Each of them has inherent weaknesses that must be secured by suitable means that both satisfy the relevant regulations and address external and internal risks. The main weaknesses that have been identified for the elements that are essential to the services provided by FinTech companies are as follows:
As mentioned above, the majority of financial services offered by FinTech companies are accessible to users through their own devices (PCs, tablets, smartphones, etc.). The security of the transactions carried out therefore depends to a large extent on the level of security of the device that is used. In 2016, it became apparent that smartphones were, in just the same way as computers, a target for Trojan Horse type malware that attempts to retrieve the login information of users on the home pages of their online banks. This weakness, which is inherent to the operating system of smartphones, is generally detected too late, when it has already been exploited by the hackers. As for the FinTech companies, the solution they most often use to protect themselves against fraudulent operations following the theft of an ID or password is multi-factor authentication. This method, already widely used by businesses, is now increasingly widespread among private individuals when they log on to a sensitive online application. The second factor is generally a code sent by SMS or generated by a dedicated application, or biometric authentication using the fingerprint sensors embedded in smartphones. However, even two-factor authentication with a code sent by SMS can be ineffective against a determined hacker who has compromised the smartphone beforehand and is therefore able to intercept the SMS.
The manufacturers are therefore working on making their mobile devices secure, and have even made it a priority with regular security updates for the purpose of covering the vulnerabilities that are detected. Every weakness discovered in the operating system of a device receives widespread media coverage and could have a significant impact on sales in this very competitive market, in which the customer’s growing awareness of security can influence the final purchase decision. The most recent smartphones are, therefore, generally considered to be less vulnerable than an aging laptop.
The case of the mutualized investor-led capital fund The DAO, based on the blockchain “Ethereum”, a network that uses a cryptographic currency, is an interesting example to illustrate how a programming error can lead to a substantial financial loss. In this case, an error present in the code that made it possible to carry out false transactions resulted in the embezzlement of $50 million belonging to the various “shareholders” in The DAO.
This risk of hacking through a flaw in the programming is omnipresent for businesses seeking to develop applications and other web services. It is, however, possible to limit the risks arising from these programming errors by carrying out audits of the source code and using vulnerability scanners on the applications.
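As an added illustration that is not part of this article, the following Python model shows the class of coding error involved in The DAO case (the widely documented reentrancy flaw: funds were sent through an external call before the sender’s recorded balance was updated) beside the hardened ordering that an audit would insist on. The `Vault`, `Reentrant` and `simulate` names and all amounts are constructed for this example.

```python
class Vault:
    """Toy ledger standing in for a contract that holds pooled funds (constructed)."""

    def __init__(self, balances, safe):
        self.balances = dict(balances)       # recorded credit per account
        self.total = sum(balances.values())  # funds actually held by the vault
        self.safe = safe                     # True: update the record before paying out

    def withdraw(self, account, amount, callback):
        if self.balances[account] < amount:
            raise ValueError("insufficient balance")
        if self.safe:
            # Hardened order: record the debit first, then make the external call.
            self.balances[account] -= amount
        self.total -= amount
        callback(self, amount)  # external call: the recipient's own code runs here
        if not self.safe:
            # Vulnerable order: the debit is recorded only after the recipient
            # has had the chance to call withdraw() again with an unchanged balance.
            self.balances[account] -= amount


class Reentrant:
    """Recipient that calls withdraw() again while its recorded balance still allows it."""

    def __init__(self, account, amount, max_depth=50):
        self.account, self.amount, self.max_depth = account, amount, max_depth
        self.received, self.depth = 0, 0

    def __call__(self, vault, amount):
        self.received += amount
        self.depth += 1
        if (self.depth < self.max_depth
                and vault.balances[self.account] >= self.amount
                and vault.total >= self.amount):
            vault.withdraw(self.account, self.amount, self)


def simulate(safe, pooled=100, attacker_credit=10):
    """Run one withdrawal with a re-entering recipient.
    Returns (amount received, funds left in the vault, recipient's recorded balance)."""
    vault = Vault({"others": pooled - attacker_credit, "attacker": attacker_credit}, safe)
    recipient = Reentrant("attacker", attacker_credit)
    vault.withdraw("attacker", attacker_credit, recipient)
    return recipient.received, vault.total, vault.balances["attacker"]


if __name__ == "__main__":
    print("vulnerable:", simulate(safe=False))  # (100, 0, -90): the whole pool is drained
    print("hardened:  ", simulate(safe=True))   # (10, 90, 0): only the recipient's own credit
```

The negative recorded balance in the vulnerable run is the tell-tale inconsistency a source code audit or a test suite exercising re-entry would catch before deployment.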
In 2016, the researcher Vincent Haupert succeeded in hacking the mobile application of N26, the German 100% online neo-bank, not by compromising the smartphone but by exploiting weaknesses in the application architecture. He was able to take full control and carry out illicit transactions. Following his discovery, the bank launched a “Bug Bounty” campaign, an operation designed to reward people who report security breaches. Many companies, such as the GAFA but also businesses of a more modest size, have already resorted to this type of campaign to detect potential weaknesses in their products.
FinTech companies therefore need to put security at the heart of their preoccupations when developing their services by integrating it in the design stage. All the more so because the financial sector is a prime target for hackers seeking to exploit any weaknesses they can identify in order to misappropriate large sums. As FinTech businesses tend to grow very quickly, the race for growth sometimes receives more attention than product security.
But the Cloud is not infallible. For example, on February 28, 2016, thousands of websites and web applications belonging to various large companies around the world, including Apple, became inaccessible following a failure of the Amazon cloud.
The choice of IaaS and PaaS Cloud service providers is therefore important for businesses like the FinTech companies that supply sensitive services. The latter are subject to a large number of banking regulations, such as PCI DSS for the protection of account information, or European regulations such as the General Data Protection Regulation (GDPR), which will come into effect in May 2018 and exposes businesses to some very dissuasive financial sanctions (up to 4% of global revenue).
Companies must therefore be certain that the level of security and the related processes put in place by their suppliers comply with the regulations that cover them. At the end of 2016, in an attempt to help companies outsource their infrastructures, the French data protection agency ANSSI published a standard to be used to certify trustworthy providers of Cloud services under the Franco-German label European Secure Cloud.
In the more specific context of FinTech companies, ANSSI has also invited itself to the table to contribute its recommendations. ANSSI has become a partner of the FinTech Forum created by the French financial markets regulator (AMF) and prudential and resolution control authority (ACPR). The purpose of this forum is to encourage the emergence of these new financial sector players by assessing the risks and opportunities associated with their development.
National agencies, fully aware of the challenges posed by the transformation of the financial sector, are working towards creating greater transparency in companies regarding their overall ecosystem, and also on cyber security.
Risks that are indeed difficult to cover for FinTech companies
The cyber risks that are omnipresent for any business are therefore all the more critical for FinTech companies. Viral infections and cryptolockers, attacks on web applications, and Distributed Denial of Service (DDoS) attacks, to mention only the most commonplace, can affect devices as much as applications and infrastructures, as discussed above.
The fight against these risks, inevitable for a business whose applications are exposed on the Internet, requires specific security skills and the implementation of incident response plans in order to ensure the integrity and quality of their services. To respond to these challenges, banks have considerable resources, such as teams responsible for the continuous supervision of digital infrastructures, and they invest several tens of millions of euros every year simply to guarantee their cyber security. As things stand, FinTech companies are not always able to put in place comparable financial and human resources. However, their advantage lies in their agility and in the modernity and lack of obsolescence of their infrastructures, which make it possible to implement effective security measures more quickly and at a lower cost. Furthermore, the increasingly close cooperation between the big traditional players and the FinTech companies means that the latter can benefit from the former’s maturity in terms of security, the crux being to strike a balance between security and flexibility, one of the success factors of the FinTech companies.