
The future of fintech will require security, not just innovation

The UK’s fintech sector is booming. Brexit-related uncertainty hasn’t stopped investors ploughing $16bn into the UK fintech market in the first half of 2018 alone. These investments in the UK surpassed those made by both of the world’s financial powerhouses, the US and China. The UK remains Europe’s main hub for financial technology start-ups, providing over 60,000 jobs and contributing around $7 billion annually to the economy.

With fintech the jewel in the UK economy, investors recognise the need to capitalise on the sector’s relentless push to innovate, disrupt and democratise away from old, entrenched ways of doing business. With the arrival of the open banking regulation, banks and fintechs are also under pressure to innovate at pace and provide customers with personalised on-demand services. From blockchain to AI, crypto-currency to peer-to-peer lending, the sheer range of new ideas originating in the banking industry is exciting. But the continued success of the UK fintech market will rely on the investment organisations make in security.

Championing the cloud

In an ultra-competitive market, traditional high-street banks are scrambling to pursue digital transformation projects to become more agile in the face of aggressive time-to-market, fierce competition for customers and changing business models shifting from product-centric to customer-centric. But whether it’s an old banking giant or a new challenger bank, it is cloud computing that provides the foundation of the modern era of banking.

For IT leaders, the cloud is crucial as it supports the rapid, continuous development of application-based services, enabling firms to react quickly to market demand with innovative new offerings. Its scalability and elasticity support a more agile business and empower fintech firms to be more efficient, doing more with less.

Initial hesitancy over adopting more cloud-based solutions, owing to concerns over the leakage of sensitive financial data, is now giving way to a decisive shift towards the cloud, owing to the rise of challenger banks such as Monzo, Revolut and Starling. Recently, the Royal Bank of Scotland trialled two standalone digital banks under its NatWest brand, to launch online-only offerings to compete with challenger banks. Again, it is the cloud’s ability to support users anytime, anywhere, on any device that is vital for a mobile, app-driven world.

From a regulatory perspective, cloud technology has helped banks and fintechs achieve compliance in the era of GDPR. The new regulations enable customers to contact organisations to access their personal data and have this removed if required. The traditional server infrastructure in banking is often cumbersome, making it far more difficult to access customer data. By using the cloud, banks can quickly locate and address some of the data breaches and questionable handling of customer data that have been seen in recent times.

API security is key

But this innovation must not come at the expense of security. The evolving technology and regulatory landscape means that cloud technologies must have security baked in at their core.

Financial services must also not overlook the security risk associated with the creation of banking apps in the open banking environment – in particular, API security. As developers within banks and fintech companies use APIs to connect technologies (most commonly apps, but also platforms and systems), they create new digital banking innovations and remove barriers to allow more efficient, simpler ways to kickstart innovative programs.

But while the value of inter-connected applications is undeniable, there are also significant risks. APIs provide open connections between platforms, and a failure to protect these connections will provide hackers with the opportunity to attack API services with stolen or invalid credentials. It is essential that developers and security teams within these organisations pay close attention to securing APIs.

To illustrate this, if you visualise opening a door, you want to make sure only the right people (or in this case, apps) have the correct keys. You can do this by specifying the conditions under which actions are taken, giving you precise and confident control over your APIs. Additionally, integrating and identifying contextual factors such as IP addresses, geolocation, and device identification can increase security and reduce credential-based attacks.
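
The conditions-plus-context approach described above, as an added example (not code from the article or from any vendor): a policy check that combines credential validity with source IP, geolocation and device identifier, so a valid but stolen credential used from an unfamiliar context is refused or sent to step-up authentication. The client name, policy fields, thresholds and sample values are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ApiRequest:
    client_id: str
    credential_valid: bool  # outcome of the ordinary token/secret check
    source_ip: str
    country: str            # ISO code; geolocation lookup assumed done upstream
    device_id: str
    action: str

# Constructed policy for one hypothetical API client.
POLICY = {
    "payments-app": {
        "allowed_networks": ["203.0.113.0/24"],  # documentation address range
        "allowed_countries": {"GB", "IE"},
        "known_devices": {"dev-7f3a", "dev-91bc"},
        "sensitive_actions": {"payments:create"},
    }
}

def decide(req, policy=POLICY):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    rules = policy.get(req.client_id)
    if rules is None or not req.credential_valid:
        return "deny", ["unknown client or invalid credential"]
    try:
        ip = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return "deny", ["malformed source address"]
    signals = []
    if not any(ip in ipaddress.ip_network(n) for n in rules["allowed_networks"]):
        signals.append("ip outside allowed networks")
    if req.country not in rules["allowed_countries"]:
        signals.append("unexpected country")
    if req.device_id not in rules["known_devices"]:
        signals.append("unrecognised device")
    if not signals:
        return "allow", []
    # A valid credential seen in an unfamiliar context may be stolen:
    # a single anomaly on a non-sensitive action asks for step-up
    # authentication; anything more is refused outright.
    if len(signals) == 1 and req.action not in rules["sensitive_actions"]:
        return "step_up", signals
    return "deny", signals
```

The returned reasons are worth logging alongside the decision, since repeated context mismatches for one client are a useful signal of credential misuse.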

Be vigilant to internal threats

With the boom in online banking and mobile apps, identity access management (IAM) becomes essential for securing financial services. External threats such as hackers are most commonly associated with identity theft and fraud, but too often internal threats are neglected. Banks and fintechs must realise the cybersecurity risk associated with their employees. Both human error and malicious intent could lead to damaging data loss/theft. Mistakes made by staff accounted for 62 per cent of all breach incidents reported to the UK Information Commissioner’s Office (ICO), according to research from 2016.

Staff could be tricked into clicking on convincing-looking phishing links designed to harvest their credentials. Malicious insiders are even harder to spot as they will do their best to cover their tracks. Some may even take data with them to a competitor when they leave. The 2018 Insider Threat Report estimates that 90 per cent of global organisations feel vulnerable to insider-related risk. The main contributing factors highlighted by IT leaders are too many employees with excessive access privileges (37 per cent), and an increasing number of devices with access to sensitive data (36 per cent). For financial services companies, these problems are particularly acute.

The answer lies in changing the way companies regulate IAM so employees only have access to the systems, apps and platforms they need, and that access is granted in a secure manner. A vital starting point is moving away from relying on passwords alone and using risk-based multi-factor authentication across all infrastructure. Adopt stronger authentication policies that ensure employees have access to only the information they need to do their work.

Security and innovation breed success

In the battle to dominate market share in the modern era of banking, players in the financial services industry realise they must be agile, collaborative and scalable. They are under pressure to innovate at pace to appeal to a customer base that no longer cares for blind banking loyalty. But banks and fintechs cannot neglect cybersecurity risks in the pursuit of innovation.

The rise of digital banking means consumers are placing more personal data and information in the hands of these companies. Cybersecurity, in particular internal access management, becomes a key driver in attracting and retaining customers new and old. To stand a chance of remaining successful in the future banking market, financial services companies must ensure IAM policies are thorough, while guaranteeing API security. Any lapses here will cost a company dearly.

Jesper Frederiksen, GM EMEA, Okta

Jesper Frederiksen, Okta’s GM for EMEA, spent four years prior to Okta with DocuSign, leading the company’s expansion across EMEA as VP and GM. Before that, Jesper held leadership roles at Parallels, Symantec, Google and NetIQ.