
Financial Technology

Topic 11

Introduction
• Security mechanisms and control systems have been used for centuries
• Increased use of IT has led to new security considerations
  • Makes it easier to monitor and track activities
  • Can detect and act upon security exceptions more quickly when they occur
  • Increases the number of entry points that must be guarded
  • Adds to the complexity of processes
  • Higher likelihood of design flaws and execution failures
Concepts
• Authentication
  • Verifying the identity of customers and counterparties
  • Examples
    • Manual techniques
      • Photo ID
      • Passbook
      • Credit card
      • Signature
    • Electronic techniques
      • Username-password
      • PINs
      • Digital certificates

Concepts
• Authorization
  • Rights to perform specific functions or access information
  • Manual techniques
    • Access lists
    • Joint-signatory control rules
    • “Permission to discuss” notation on accounts
  • Electronic techniques
    • Role-based permissions
    • Access entitlement restrictions
Concepts
• Authorization
  • Approaches for managing access
    • Access control lists are good when
      • There is a large number of roles and entitlements
      • New roles and entitlement types are expected to be added in the future
    • Access matrices are
      • Simpler and faster to process
      • Less flexible
Concepts
• Confidentiality
  • Restricting access to private or secret information
  • Manual techniques
    • Need-to-know access controls
    • Locked filing cabinets
    • Opaque envelopes
  • Electronic techniques
    • Data encryption
    • Data access restrictions

Concepts
• Nonrepudiation
  • Ensuring customers or counterparties cannot refute transactions
  • Manual techniques
    • Signatures and initialing
    • Witnesses
  • Electronic techniques
    • Digital signatures
    • Trusted third-party verification
Concepts
• Accountability – i.e. audit trails
  • Support investigation of and forensics for cybersecurity events
  • Help determine
    • What happened
    • When it happened
    • Who was involved
  • Should be write-only to prevent tampering
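As an added illustration (not code from the slides or the cited textbook), the Python below builds an append-only audit trail in which each record is hash-linked to the one before it, so the what/when/who of every event is preserved and any later in-place edit is detectable; all event data, user names and account numbers are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List

GENESIS = "0" * 64  # anchor hash used before the first entry exists


@dataclass
class AuditEntry:
    seq: int        # position in the trail
    when: str       # the three forensic questions: when, who, what
    who: str
    what: str
    prev_hash: str  # links this entry to everything recorded before it
    entry_hash: str


def _digest(seq: int, when: str, who: str, what: str, prev_hash: str) -> str:
    # Canonical JSON so identical fields always produce the identical hash
    payload = json.dumps([seq, when, who, what, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only trail: entries are added, never edited or deleted."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def append(self, when: str, who: str, what: str) -> str:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        seq = len(self._entries)
        h = _digest(seq, when, who, what, prev)
        self._entries.append(AuditEntry(seq, when, who, what, prev, h))
        return h  # head hash; keep a copy off-system so the chain can be checked later

    def first_broken_seq(self) -> int:
        """Seq of the first entry whose hash or back-link is wrong, or -1 if intact."""
        prev = GENESIS
        for e in self._entries:
            if e.prev_hash != prev or e.entry_hash != _digest(e.seq, e.when, e.who, e.what, e.prev_hash):
                return e.seq
            prev = e.entry_hash
        return -1


def tamper_demo() -> tuple:
    """Constructed events; returns (check before tampering, check after tampering)."""
    trail = AuditTrail()
    trail.append("2018-03-01T09:12:00Z", "teller-17", "approved transfer of 4000 from acct 1001")
    trail.append("2018-03-01T09:13:30Z", "teller-17", "changed beneficiary on acct 1001")
    trail.append("2018-03-01T09:20:05Z", "supervisor-2", "reviewed acct 1001")
    before = trail.first_broken_seq()
    # Simulate an insider rewriting a stored record to hide the beneficiary change
    trail._entries[1].what = "viewed acct 1001"
    after = trail.first_broken_seq()
    return before, after
```

The hash chain only detects tampering; to prevent it, the head hash returned by `append` must be copied to storage the writer cannot alter.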

Common Threats and Attack Vectors
• Malware Attacks
  • Software that is used to damage or gain access to computer systems
  • Common types of malware
    • Keyloggers and spyware
    • Backdoors
    • Command and control/botnets
    • Password dumpers
  • Ransomware attacks have increased dramatically in recent years
Common Threats and Attack Vectors
• Social Engineering Attacks
  • Mislead the victim into doing something that they would not normally do
    • Compromise their own security or someone else’s security
  • Phishing has been a popular channel for social engineering attacks
    • Phishing is often used to trick the email recipients into infecting their computers with malware

Common Threats and Attack Vectors
• Hacking Attacks
  • Often exploit vulnerabilities in external systems to gain access to internal computer systems
  • Often, spear phishing attacks are used to deliver malware
    • Then the malware is used to create an outbound connection to provide access to hackers
Common Threats and Attack Vectors
• Denial-of-service Attacks
  • Disable online services provided by banks, e.g. Internet banking
  • Flood a system that is connected to the Internet with requests or other network traffic
    • Overload the affected system and impede its availability to process legitimate requests
  • Distributed DoS (DDoS) attacks emanate from many different computers on the Internet
    • Enables a greater volume of requests to be generated

Common Threats and Attack Vectors
• Exploitable Vulnerabilities
  • Most cyberattacks rely on exploiting security vulnerabilities in
    • Software applications
    • Web browsers
    • Operating systems
    • Firmware
  • Exploitable devices include
    • Workstations
    • Servers
    • Network routers and other devices
    • Printers
    • Mobile devices
  • Regular patching is the main defense against the exploitation of software vulnerabilities
Cybersecurity Framework
• Provides a standard way for thinking about and communicating cybersecurity risk and mitigation approaches
• Provides a well-defined structure for
  • Assessing existing capabilities
  • Identifying target states
  • Prioritizing actions that will reduce cybersecurity risk
• Example: National Institute of Standards and Technology (NIST) Cybersecurity Framework
  [Figure: NIST Cybersecurity Framework functions: Identify, Protect, Detect, Respond, Recover]

Cybersecurity Framework
• Identification
  • Identify potential risks to relevant assets
    • Data
    • IT systems
    • Operational processes
  • Need awareness of all the things that are potentially at risk, i.e. asset management
    • Track the current state of
      • Every networked device
      • Software that is installed and running on those devices
      • Information stored on those devices
      • Who has access to those devices
    • A prerequisite for risk analysis and mitigation
Cybersecurity Framework
• Security Risk Analysis and Mitigation Planning
  • The resources available to counter security threats are limited by time and budget
  • It is critical that security resources are applied most effectively
  [Figure: overlap of Potential Threats, Known Vulnerabilities and Vital Resources. Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]

Cybersecurity Framework
• Security Risk Analysis and Mitigation Planning
  • People’s cognitive biases can skew their perception of risk
  • It is best to use a formal risk assessment methodology to avoid biases
Cybersecurity Framework
• Security risk analysis
  • Generates a list of potential risks and their overall severity rating
  • Ranks the list by severity
  • Continues evaluating only the risks with the highest ratings
  • Analyze mitigation steps and their costs for top risks
  • Produce a cost-benefit estimate
    • Use to decide how best to allocate available resources
Cybersecurity Framework
• Protection
  • Aim to prevent security incidents by implementing safeguards for critical infrastructure and data
  • Where prevention is not possible, protective measures will be designed to limit impact
  • Access control is a key means for protecting information assets and IT systems
    • Physical
    • Logical

Cybersecurity Framework
• Protective technologies for information security [figure not reproduced in the text]
Cybersecurity Framework
• Detection
  • Helps minimize the damage in case of cybersecurity events
  • Involves monitoring for unexpected events and anomalies
  • Investigating potential security events can be time consuming
    • Need to minimize false positives
  • Aim to identify when fraud and security breaches occur
  • Manual techniques
    • Reconciliation
    • Transactional audits
    • Surveillance
  • Electronic techniques
    • Reconciliation
    • Event monitoring and correlation
    • Statistical analysis
Cybersecurity Framework
• Estimated cost of recovering from a security breach versus how quickly it was discovered
  [Figure: bar chart, recovery cost ($0 to $1,200,000) by time to discovery: Near real time, Within a day, Over a week. Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]

Cybersecurity Framework
• Response
  • Goal is to minimize the impact of an incident
  • Response effort should begin long before any security incident occurs by developing an incident response plan
  • Incident response plans typically provide high-level guidance
    • Need to be interpreted in the context of the specific event
  • Identify what information needs to be captured and documented to provide a record of the incident and the response activities
Cybersecurity Framework
• Recovery
  • Planning for and implementing steps to restore services to normal operation after a cybersecurity incident
  • Assess
    • Which IT systems could be potentially impaired by a cyberattack
    • What steps would be required to restore those systems
  • Important to estimate and consider the time and effort required for recovery

Security Operations
• Management and execution of security-related procedures
  • Manual technique examples:
    • Issuance of access cards
    • Process audits
  • Electronic technique examples:
    • Granting access to system functions
    • Digital certificate generation and distribution
Security Operations
• Common functions
  • Controlling access to information and system functions
  • Managing signature records and digital certificates
  • Investigating incidents and vetting of staff
  • Identifying new potential threats
  • Ensuring that procedures and policies are
  • Adapting security procedures and policies where necessary
  • Performing audits and reviews
  • Training

Business Opportunities
• Provision of “secure” services
  • Physical safety deposit boxes
  • Virtual safety deposit boxes
• Leverage fraud detection capabilities
  • Monitor corporate customers’ account activity for irregular or suspicious patterns
Business Challenges
• Assessing the scale and scope of potential losses
  • Deciding what costs should be borne to prevent them
• Indirect attacks on banks
  • Hacking merchants’ point of sale terminals and databases
  • Phishing scams targeted at end customers
  • Weaknesses in outsourced service providers’ security
• Educating bank business managers about cybersecurity, given all of its complexities and technical nature

Process Considerations
• Security weaknesses may occur across functional or process boundaries
• Explicit consideration and specification of security requirements is critical
• Dealing with security superficially during requirements analysis and design can lead to
  • Major security concerns being identified during testing or deployment
  • High cost and time delay to reengineer the solution to address newly identified security concerns
• Example of security requirements analysis [figure not reproduced in the text]

Architecture Considerations
• Layered security
  • A.k.a. defense in depth
  • Multiple security layers ensure that no single point of failure will compromise security
  • Preferably, different types of security barriers are combined
  • Example: to help prevent SQL injection attacks
    • Layer 1: check for punctuation symbols
    • Layer 2: verify no SQL commands
    • Layer 3: do not interpret SQL, use stored procedures
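An added Python illustration of the three layers above (not code from the slides or the cited textbook). It assumes a constructed in-memory SQLite table of account numbers and balances, and because SQLite has no stored procedures, layer 3 is implemented with a parameterized query, which has the same effect of never interpreting user input as SQL.

```python
import re
import sqlite3
import string

# Layer 2 word list: SQL command words that have no business appearing in an account number
SQL_KEYWORDS = {"SELECT", "INSERT", "UPDATE", "DELETE", "DROP", "UNION", "OR", "AND", "EXEC", "ALTER"}


def layer1_no_punctuation(value: str) -> bool:
    """Layer 1: reject any punctuation symbol (quotes, semicolons, comment markers, ...)."""
    return not any(ch in string.punctuation for ch in value)


def layer2_no_sql_keywords(value: str) -> bool:
    """Layer 2: reject input that contains a SQL command word as a whole token."""
    tokens = {tok.upper() for tok in re.split(r"\s+", value.strip()) if tok}
    return tokens.isdisjoint(SQL_KEYWORDS)


def layer3_lookup(conn: sqlite3.Connection, account_no: str):
    """Layer 3: the input is bound as a parameter, never spliced into the SQL text."""
    row = conn.execute("SELECT balance FROM accounts WHERE account_no = ?", (account_no,)).fetchone()
    return row[0] if row else None


def lookup_balance(conn: sqlite3.Connection, user_input: str) -> tuple:
    """Run the layers in order; returns (status, balance), status naming the layer that stopped the input."""
    if not layer1_no_punctuation(user_input):
        return ("rejected-layer1", None)
    if not layer2_no_sql_keywords(user_input):
        return ("rejected-layer2", None)
    return ("ok", layer3_lookup(conn, user_input))


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (account_no TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("12345678", 2500), ("87654321", 90)])
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(lookup_balance(db, "12345678"))          # ('ok', 2500)
    print(lookup_balance(db, "' OR '1'='1"))        # stopped at layer 1
    print(lookup_balance(db, "1 UNION SELECT 1"))   # stopped at layer 2
    print(layer3_lookup(db, "' OR '1'='1"))         # None: layer 3 alone still holds
```

The last call shows the point of layering: even if the two input checks were bypassed, the bound parameter is matched as a literal account number and returns nothing.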
Architecture Considerations
• Security tradeoffs and cost/benefit analysis
  • The most secure IT system is one that no one has access to
    • Not practical
  • Security managers must work with architects and business managers to find the optimal balance
    • Have constructive discussions, not standoffs
  • There is no universal security architecture
    • Tradeoffs vary by institution and solution

Solution Considerations
• A number of security best practices have been defined and documented
  • Should be incorporated into the design process
  • Example: Open Web Application Security Project (OWASP)
    • Provides guidance and tools for implementing secure web applications
Solution Considerations
• Security concerns for solutions have been affected by
  • White labeling
    • Creates exposure to other parties’ security risks
  • Outsourcing/offshoring
    • Exposes financial institutions to new personnel and system environment risks
    • Dependent on the security provided by the service provider
  • New channels
    • Their security robustness may be relatively immature
  • Expansion into new geographies
    • Relative level of security varies from country to country
    • Disincentives provided by legal prosecution will be less effective where the rule of law is not strong

Fallibility of Security Systems
• The illusion of security
  • Many measures provide psychological comfort
  • Security measures help prevent breaches, but they cannot completely eliminate them
• Excessive security can create systems that are difficult to use
  • Security may be bypassed
    • Example: writing down passwords that are too difficult to remember
Fallibility of Security Systems
• It is best to go with well-understood and proven approaches to security
  • Trying to invent new security systems is usually a recipe for disaster
• Architectural considerations related to resilience and robustness are integral to security design
  • The expectation should be that vulnerabilities will persist and eventually be exploited
• Response and recovery plans for security breaches and fraud incidents must be considered
  • Reactions are best thought through in advance, rather than in panic situations

Operational & Compliance Risk Management

Introduction
• Operational risk: “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”
• Compliance risk: “the losses or reputational damage that a financial institution may incur from failing to comply with laws, regulations, rules, and codes of conduct applicable to its activities”

Introduction
• Operational and compliance risk is managed through the design of processes and business practices
  • Risks are identified and mitigating controls are put in place to address them
  • Controls increase the cost of processing and the complexity of processes
• IT can be used to implement mitigating controls and to monitor operations and compliance
• Technology can also be a source of operational and compliance risk
Operational Risk
• The Basel II framework classifies operational risk losses into seven event types:
  • internal fraud
  • external fraud
  • employment practices and workplace safety
  • products and business practices
  • damage to physical assets
  • business disruption and system failure
  • execution, delivery, and process management

Operational Risk
• This chapter will focus on four areas of operational risk
  [Figure: four areas of operational risk: Internal Fraud; External Fraud; Business Disruption and System Failures; Execution, Delivery & Process Management. Sub-areas shown: Unauthorised Activity, Theft and Fraud, IT Systems Security, Transaction Capture, Execution and Maintenance, Customer Intake and Documentation, Monitoring and Reporting, Vendors and Suppliers. Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]
Operational Risk
• Types and Sources of Operational Risk
  • Unauthorized activity
    • Unauthorized activities, e.g. “rogue traders”
    • Intentional mismarking of positions to hide losses
    • Exception-based monitoring can help identify inconsistencies and inaccuracies that result from unauthorized activities
    • Knowing that effective monitoring is in place can provide a strong disincentive for unauthorized activity

Operational Risk
• Types and Sources of Operational Risk
  • Theft and fraud
    • A major source of operational risk for financial institutions
    • Insiders are able to more easily bypass controls that protect against theft and fraud
      • 75% of fraud is perpetrated or facilitated by insiders
    • Customer information that has been leaked through data breaches enables external fraud via account takeovers and identity theft
Operational Risk
• Motivations for fraud
  [Figure: bar chart of motivations for fraud, scale 0% to 100%. Categories: For personal financial gain and greed; Eager/“Because I can”; Organizational culture driven; Meet targets/hide losses to receive bonus; Meet budgets/hide losses to retain job; Meet targets/hide losses to protect the company; Other. Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]

Operational Risk
• Types and Sources of Operational Risk
  • Theft and fraud
    • Technology-based attacks have become an increasingly common avenue for fraud
    • Technology has made it easier for fraudsters to attack financial institutions remotely, often from foreign nations
    • Technology is used to implement many of the controls that are used to prevent fraud
    • Technology helps detect exceptions and anomalies that can be symptoms of fraudulent activity
Operational Risk
• Types and Sources of Operational Risk
  • IT systems security
    • Operational risk related to hackers
      • Denial of service attacks
      • Malware that is designed to erase information or render IT systems unusable
    • Fraud risks related to hackers
      • Issuing falsified payment instructions
      • Sabotaging IT systems that have direct access to cash, e.g. ATMs
      • Stealing customer contact and account information

Operational Risk
• Types and Sources of Operational Risk
  • IT systems resilience
    • Failures and disruptions can occur at many different levels:
      • Hardware
      • Software
      • Networks and telecommunications
      • Power
    • Redundancy of IT systems and communications mitigates the risk of failures
    • Redundancy of skills and knowledge across operational staff is also necessary
Operational Risk
• Types and Sources of Operational Risk
  • Information mismanagement
    • Examples:
      • “Fat fingering” data entry, e.g. adding an extra zero
      • Data updated in one system but not another
      • Stale reference data, e.g. SWIFT bank identifier codes
      • Failed transfer of batch file inputs used for processing
    • When designing IT solutions, it is important to think about the types of operational risk that could arise related to information management
      • Design and build in safeguards to help avoid that risk

Operational Risk
• Types and Sources of Operational Risk
  • Vendor and supplier risk
    • Dependencies on vendors and suppliers can lead to operational risk
      • A potential outage at a service provider is an operational risk for the bank
    • Recent technology trends can increase operational risk
      • Third-party hosting, i.e. cloud-based services
      • Use of remotely accessed third-party components via application programming interfaces (API)
    • Well-designed service level agreements and performance monitoring help mitigate vendor risk
Operational Risk
• Operational Risk Measurement and Capital Allocation
  • Basel II approaches for capital allocation to offset potential losses due to operational risk
    • Basic Indicator Approach
    • Standardized Approach
    • Advanced Measurement Approach
  • Range from very simple to very complex
  • Trend is moving to use the Standardized Approach for all institutions

Compliance Risk
• Regulatory Objectives
  • Common goals
    • Protecting depositors and consumers
    • Maintaining financial stability
    • Ensuring that the financial system is efficient
  • Protection of depositor funds from bank failures is a key concern
    • Ensure that banks do not take excessive risks
  • An efficient payment system underpins the banking services and the financial markets
  • Banking and other financial services should be provided at competitive prices and high quality
Compliance Risk
• Regulatory Objectives
  • Regulatory bodies in the USA
    • Several different government agencies provide oversight
      • Federal Reserve (Fed)
      • Office of the Comptroller of the Currency (OCC)
      • Federal Deposit Insurance Corporation (FDIC)
      • Consumer Financial Protection Bureau (CFPB)
    • State regulators oversee state-chartered banks
    • US banks that operate in foreign countries will also be supervised by regulators in those jurisdictions
    • Industry bodies may also regulate and supervise banks’ activities, e.g. Visa and Mastercard

Compliance Risk
• Consumer complaints about financial institutions (CFPB)
  [Figure: pie chart of complaint categories: Credit reporting 22%; Mortgage 21%; Debt collection 21%; Credit card 12%; Bank account or service 12%; Other 7%; Consumer loan 5%. Source: Duran, R. E., Financial Services Technology, Cengage Learning Asia, 2018]
Compliance Risk
• Types of Laws and Regulatory Guidance
  • Vendor management
    • Banks rely on third-party service providers to execute business processes and implement IT systems
    • From a regulatory perspective, third parties need to be factored into banks’ risk planning and must be effectively managed
    • Vendor management programs define roles, responsibilities, procedures, and reporting mechanisms for overseeing and managing the vendor relationship
    • Banks face the challenge of having limited visibility into their vendors’ technology operations and infrastructure

Compliance Risk
• Technology Solution Considerations
  • Regulation of Payments in the USA
    • A wide range of laws and regulatory guidance apply to payments, for example:
      • Processing of cheques: Uniform Commercial Code (UCC) and Expedited Funds Availability Act (EFAA)
      • Credit card payments: CARD Act and PCI DSS
      • Automated clearing house (ACH) payments: NACHA operating rules, UCC, Regulation E, and the Code of Federal Regulations
    • All payments must comply with the Bank Secrecy Act
      • Anti-money laundering (AML) compliance is a major area of concern for banks
Compliance Risk
• Technology Solution Considerations
  • Trade reporting (a capital markets example)
    • Implemented after the GFC to provide visibility into risks presented by the use of OTC derivatives
    • Details of OTC derivatives trades must be reported to sanctioned trade repositories
    • Each national jurisdiction has different requirements as to
      • What asset classes need to be reported
      • Which trade details need to be reported
      • The timeliness of reporting required
      • Which market participants need to report
