10 Hidden Risks of Digital Financial Services {Fintech}

Fintech - The Hidden Risks

Financial technology (fintech) firms across the globe are using technology to build innovative financial products that either enhance existing offerings or smoothly bypass some regulations. Fintech is making the delivery of financial products and services quicker and more innovative. Ideas such as tap-as-you-go and paying via a device linked to your bank account are first-generation fintech, which leverages technology to eliminate mundane processes. Some banks worry that fintechs will disrupt the banking industry in the way that downloads disrupted the music industry.

Let’s look at how fintech has created new sources of risk.

  1. Core data vs distributed data systems. - Core banking systems are relational databases, managed and maintained on the bank’s servers, with the bank responsible for maintaining their integrity. New technological innovations and concepts such as open banking and blockchain have experimented with existing core banking solutions, which results in data being stored in external nodes exposed to exploitation. However, fintechs and banks have managed this via different forms of encryption.
  2. Paper data vis-a-vis digital data. - KYC is an expensive affair, and with regulators imposing penalties, HSBC implemented robotic process automation and machine learning to significantly reduce the time it takes to verify the identity of potential clients. The technology was created for and is owned by HSBC and will be developed and marketed to banks and other financial services companies through a joint venture with an outsourcing company, EXL. However, this leads to a complete digital trail of KYC documents, and a single point of compromise exposes digitally validated and stored data that can be interpreted by information systems.
  3. High fraud exposure. - With the automation and digitization brought by fintech, less data is stored on paper and almost all data and currency is stored virtually: we spend virtually, we buy shares virtually and we transact virtually. This digitization increases the risk of fraud and account takeovers, leaving customers helpless. Because users tend to keep the same or similar passwords, one compromise can put a customer’s other account-based relationships at risk.
  4. Regulatory sanctions. - Fintech is very alluring because of the innovation it brings to the table. Bankers and fintechs tend to walk a thin line on regulatory compliance, and may sometimes end up bypassing a missing compliance link. On identifying this, regulators can apply sanctions or disallow the business case, which affects the fintech firm’s license to operate.
  5. Cyber threat. - With technology leading the fintech arena, innovation centers on new technology that hasn't been tested, which exposes the fintech platform or its partner to cyber attacks. Fintech is agile by nature, and with such high passion, developers tend to miss the standard info-sec practices that a bank may follow. As a result, most fintech firms run bug bounty campaigns to help them identify loopholes in their applications and platforms.
  6. Uncontrolled data sharing. - Fintechs are generally exposed to third-party applications, and banks and fintechs share data to leverage the potential of such applications, for example passing users’ transactional data, social data and contacts to a credit discovery engine. Data privacy acts such as GDPR, once implemented globally, would trigger a massive change in the business models of fintech.
  7. Algo manipulation as an insider fraud threat. - Algo trading has been the buzzword for the last 4-5 years, with much market trading based on algos. Similarly, credit approval using social scores is dynamic in nature and takes various parameters into account to gauge the eligibility of an individual or corporation for credit. With such systems in place and no human intervention, an algo change is a single point of compromise that may lead to a massive impact in false positives.
  8. Biometric, retina and facial scans create new-age risk exposures. - Hong Kong-based insurtech startup Wesurance Limited and Allied World Assurance Company partnered to sell travel insurance products through a mobile application. The insurance product incorporates eKYC and facial recognition technology for faster and easier user verification, powered by TransUnion’s ID Vision solution. Users can take a photo of their HKID card followed by a “selfie” to accurately verify identity. This is the first insurance application featuring AI and eKYC capabilities in Hong Kong. This product integrates multiple platforms and accesses bio-sensitive voice patterns, which are transmitted across different information systems for validation. If compromised, these bio-scans can easily be used to impersonate an individual’s identity and may lead to account takeover risks.
  9. Agile systems are not always secure (open applications). - Banks are using data to analyze customers’ purchasing behavior and then give them tailored suggestions on their smartphones, anticipating their needs and helping them save and invest money. To do this, information is accessed and stored on platforms that are not proprietary to the bank, such as Adobe Analytics and Omniture, over which banks have little control. These systems are built by aggregating multiple service APIs, which expands the data access horizon. This exposes nodes to cyber threats or bugs that may corrupt information and have a cascading effect on the fintech’s ability to service its customers.
  10. High speed of execution. - Fintech is all about speed, and so is the risk associated with it. A couple of decades ago, AML and fraud issues were identified, stopped and penalized because layering in the system was done via wire transfers and cheques, which took time. With fintech, not only has execution quickened, but money changes shape and form in seconds, leaving complex trails via transactional algos. A dollar can change to 20 shares of a firm, to a share transfer in dinar, to a bitcoin purchase, to layering in the crypto world, remedied in rubles using Ripple.

The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the author's associated organization(s).


Shwettank Pathak

Digital Banking | Enterprise Sales | Financial Inclusion | Gold Loan | Micro Finance | Bank BC vertical | UPI, QR, POS, AePS, DMT, BBPS, CMS, Travel, Insurance | Government Project l NGO Projects l Livelihood

4 years

Valuable information
