Ray is a Certified Information Systems Auditor (CISA) and our lead consultant in JOS Cyber Security Practice. He provides advisory service on security strategy planning, industry standards and regulatory compliance including NIST, SWIFT, HKMA C-RAF, HKIA GL20 etc. Ray has helped and worked closely with CISOs and IT leaders from multinational financial institutes and global companies in various business natures.
Virtual banks VS Traditional banks: The opportunities, risks and security posture
This is an exciting time for Hong Kong’s Fintech community. With eight challenger banks having received their virtual banking licences earlier this year, innovative digital banking services are arriving in Hong Kong.
Virtual banks (VBs) are expected to bring new dynamics to Hong Kong’s traditional bricks-and-mortar banking sector and enable the city to keep pace with Fintech development in other Asian markets. At the same time, they are also introducing nascent services that are offered only through the Internet.
With the upcoming debut of VB services, we explore the opportunities, the risks and the security practices in Hong Kong’s virtual banking landscape.
Research shows Hong Kong banking customers are ready for new banking services. According to a study from Wavestone, 86% of the Hong Kong population expect their banks to expand offerings beyond the typical banking services.
Virtual banks are going to do exactly that. One of the major characteristics of VBs is the absence of physical branches, meaning a more cost-effective operation with lower rental expenses and staff costs. Thus, VBs are expected to offer lower fees and faster services, like quick and easy loans, to the traditionally under-served younger customers and SMEs.
While financial inclusion is a big part of this, more importantly VBs are expected to take advantage of their technical agility to develop data-centric and hyper-personalised banking services.
Unlike traditional banks, VBs are starting with a brand-new technology stack. Without legacy systems or infrastructure to limit their speed to market or innovation, VBs are expected to spark the development of open banking services.
The concept of open banking takes advantage of an open application programming interface (API) architecture to enable software developers, both within and outside the banks, to quickly build innovative digital banking services. To compete with these upcoming challenger banks, some traditional banks have launched their own open banking services. One example is HSBC’s smart finance assistant, which allows corporate customers to link their bank transactions from multiple accounts with Xero’s online accounting platform, improving cash flow visibility and reducing manual bookkeeping.
The excitement of new digital services also comes with higher cybersecurity risk. This is particularly true in the banking sector. Hong Kong Institute of Bankers chief executive Carrie Leung said the banking sector was found to be 300% more likely to face cyberattacks than any other sector.
Cyberattacks are not limited to traditional banks that are expanding their digital offerings. Both VBs and traditional banks—offering data-centric banking services with operations that heavily rely on the Internet—are equally vulnerable to cyberattacks.
One could argue VBs face a higher risk of operational disruption, as they operate entirely on the Internet. Unlike traditional banks, where physical outlets and other offline channels could continue to serve customers during network downtime, VBs may risk severe service obstruction under the same circumstances.
Nevertheless, both VB operators and the Hong Kong Monetary Authority (HKMA) are determined to mitigate the cyber security risk.
Addressing cybersecurity risk in the banking sector, HKMA launched the Cybersecurity Fortification Initiative (CFI) in 2016. All banks, including the upcoming VBs, are required to comply with the Cyber Resilience Assessment Framework (C-RAF). Although not all VBs are classified as high risk, HKMA applies the Advanced Maturity level of C-RAF to these challenger banks.
Meeting HKMA’s C-RAF Advanced maturity level can be a daunting task. Under the assessment guideline, more stringent requirements are entailed, such as real-time vulnerability detection and the use of automation to monitor security logs. The challenges often lie in interpreting the requirements, putting them into practice and documenting them for auditing.
Among the 200 traditional banks in Hong Kong, fewer than 20 have achieved this level of maturity, meaning VBs are among the top 10% of banks with the most advanced cyber resilience in the city.
In addition to local regulatory compliance, VBs are also required to comply with other global standards in order to support cross-border or wire transfer services. Virtual banks equipped with a SWIFT code are required to comply with the rules and regulations of the associated regulatory organisations. Achieving certification or membership of these bodies is an indicator that a VB is in line with international security standards.
Virtual banks are also cashless and paperless. Monthly statements, electronic bill payments and remote deposit notifications are all sent and processed through encrypted connections. This prevents unauthorised access to personal information. Fewer paper-based operations also mean less physical cash needs to be handled and kept safe from criminals.
Although VBs have their own vulnerabilities, their focus on technology puts them in a better position to deal with cybersecurity issues.
Most conventional banks have been operating for years, if not decades. Introducing the latest security technologies into their legacy core banking systems is often complicated and time-consuming. Meanwhile, VBs built on the latest IT architecture can adopt the latest security technologies much more easily and quickly to protect their core banking systems.
The core banking systems and business processes of conventional banks were also built before the Internet era. These systems often run in silos, operate in heterogeneous environments and are not interoperable. All IT professionals from the banking sector have painful stories to share about integrating these legacy systems with new digital services or executing a technology refresh.
Traditional banks that rely on security appliances face similar challenges. Most security appliances have a life expectancy of 3-5 years. Because new vulnerabilities and attacks are discovered daily, these appliances can only rely on software updates and patches to provide continuous protection. This is one of the reasons traditional banks struggle to tackle the latest cybersecurity attacks.
Operating without technology legacy, VBs are free from these considerations and able to adopt a digital approach to drive new services. They can also take advantage of cloud computing and the latest infrastructure technologies to enable real-time detection, automated incident response and zero-day protection.
With the local VBs launching their services in the next few months, the market will start to question their service offerings, business models and security measures. But if technology is at the core and all the security steps are followed, there is no reason for VBs to be less secure than traditional banks.
As the competition between traditional banks and challenger banks intensifies, those that deliver customer-centric services and earn trust in the market will be the winners of the Fintech era.