How to manage risk in fintech

TL:DR: Digital transformation promises to help deliver financial services to the unbanked in the ASEAN region. However, fintech comes with its own set of cybersecurity and regulatory risks. At the Singapore Fintech Festival 2018, experts gave tips on how to manage both categories of risk to ensure that the financial sector remains secure and trustworthy.

Imagine receiving your salary in cash and keeping it under your bed, or in some other ‘secure’ location in your home. While almost unthinkable in Singapore, this may well be the reality in many ASEAN member states. By some estimates, half of the adult population in ASEAN remains unbanked.

Digital transformation could help increase people’s access to financial services. However, going digital is not without risk, given the current climate of rampant hacking and data privacy intrusions.

“The more digital you go, the wider the range of risk you open yourself up to as a company,” said Ms Staci Warden, executive director, global markets development, Milken Institute, at the Singapore Fintech Festival 2018. She was moderating a panel titled ‘Digital Transformation: It’s a Risky Business’, and was joined by Mr Kris Canekeratne, chairman and CEO of IT services company Virtusa Corporation; and Mr Rohit Ghai, president of network security company RSA.

Balancing convenience and cybersecurity

When it comes to thinking about the risks associated with digital transformation, Mr Ghai advised companies to start with securing their data supply and distribution networks.

“Data is the currency of the economy… What you need to do is classify your data and decide what types of data require special and deliberate actions on the part of your company’s risk and cybersecurity professionals. [The objective is] not just to protect that data, but to make sure that it does not get compromised as it flows through the system,” he said.

However, Mr Canekeratne cautioned against erecting too many cybersecurity barriers to the extent that consumers become annoyed by cumbersome authentication protocols. “When it comes to security, we believe it needs to be part of the [operational] environment, but never debilitating the customer’s experience,” he said.

Mr Ghai thus suggested a tiered framework of cybersecurity. “We believe you can measure the amount of risk associated with every online transaction, and based on that level of risk, step up or down the level of friction imposed [on transactions] so you don’t get in the [customer’s] way,” he said.

For example, if a customer tries to access his or her bank account on a foreign device, at a different time and location, the financial service provider must recognise these signs as an escalated level of risk. Heightened cybersecurity measures must then be imposed to prevent online fraud, Mr Ghai added.

Shoring up weak links

To execute such a nuanced cybersecurity strategy, the speakers agreed that artificial intelligence (AI) would be a gamechanger in the fintech industry. Rather than monitor online transactions manually for suspicious activity, machine learning could be used to recognise patterns in customer behaviour and automatically toggle cybersecurity measures.

Nonetheless, Mr Ghai noted that since “the bad guys have all the same tools as we [the good guys] do”, assuming that technology alone will be a panacea is wishful thinking. People—whether they be employees or clients—are often the weakest link in an organisation’s cybersecurity posture. Hence, as financial institutions go digital, educating stakeholders about online “hygiene” will be crucial to keeping the fintech industry trustworthy and reliable, he said.

Last but not least, the speakers emphasised the need for financial institutions to pay attention to regulatory risk in addition to cyber risk. Fintech companies failing to adhere to the rules put forth by regulators such as the Monetary Authority of Singapore and the Cybersecurity Agency of Singapore could incur hefty fines or even have their employees face imprisonment.

“As your new products and services become more digital in nature, you are now accountable for making sure that they cannot be compromised, weaponised or used for malicious purposes,” said Mr Ghai.