Event Review: Singapore FinTech Festival


The Monetary Authority of Singapore (MAS), in partnership with The Association of Banks in Singapore (ABS), organized the inaugural Singapore FinTech Festival, which kicked off on 14 November 2016. The week-long festival portrayed the future of a financial industry transformed by innovation and technology. It saw close to 11,000 participants from more than 50 countries, with over 100 renowned executives, venture capitalists, market specialists and FinTech companies sharing global FinTech trends, latest technologies, market-ready and future solutions, financial regulations, and technology risk.

Exciting innovations showcased at the festival include improving customer experiences through biometric authentication and secured e-KYC (know-your-customer), optimising efficiencies for financial institutions by solving the double spend problem using Blockchain, enhancing proactive fraud detection by training algorithms on dark data such as traders’ phone conversations, and adopting big data analytics for multi-jurisdiction financial regulatory reporting.

The current wave of innovations also holds the promise to deliver more sustainable financial inclusion – making financial services more available to unlock SME (small and medium enterprises) potential and to serve the unbanked – through mobile apps designed to make banking simpler, and alternative funding channels such as peer-to-peer lending or equity crowdfunding.

Amongst the many benefits of these innovations is without a doubt the increased accessibility to banking solutions for customers across time zones and geographical regions. On the other hand, this 365x24x7 transact-anytime-anywhere convenience also allows cybercriminals with stolen banking credentials to make fraudulent transactions with the same ease.

Online site redirection and mobile malware that intercepts out-of-band authentication, such as texted verification codes, have targeted Singapore banking customers and manipulated them into inadvertently disclosing confidential information. Late last year, a malicious software update for WhatsApp misled customers via a pop-up to divulge credit card details, after which the malware controlled the phone and intercepted the OTP sent via SMS to make fraudulent online transactions. While the number of reported infections was small, ABS (The Association of Banks in Singapore – comprising 154 local and foreign banks) decided to issue the warning as it expects the growing number of mobile banking customers to be attractive targets for cybercriminals.

“Criminals have been targeting computer users. But now, criminals have turned to targeting Android phone users as banks are pushing out more banking apps for user convenience,” said Mrs Ong-Ang Ai Boon, director of ABS. Some users lost up to several thousand dollars from multiple transactions, she added.

Bank employees are not immune to cyber attacks. Kaspersky Lab highlighted a classic spear-phishing attack on a Singapore bank using the Adwind Remote Access Tool (RAT), a backdoor sold on a “threat as a service” basis. Impersonating an officer from another bank’s regulations department, the sender warned of a money laundering situation in an e-mail whose attached “money laundering report” hid malware. Fortunately, the employee caught a typo, became suspicious and sounded the alert.

“Against the backdrop of an increased reliance on complex IT systems and operations in the financial sector is the heightened risk of cyber attacks and system disruptions,” according to MAS.

The reason cybercriminals target this industry is obvious: not only do financial institutions manage large amounts of money, they also hold significant amounts of personal information about customers.

Singapore FinTech Festival

To respond to the increased cyber threats in the financial services sector, ABS and the Monetary Authority of Singapore (MAS) have embarked on several private-public partnership initiatives. The Singapore FinTech Festival, which featured 3 distinct conferences, is one such initiative.

In addition to the innovations presented in the FinTech Conference, 2 dedicated conferences and forums – Tech Risk and Reg Tech (Regulatory Technology) – were also held to exchange views on the risks introduced by the innovations, IT security incidents and system failures, lessons learned and the need to be ready.

“Many technologies mitigate existing risks but may create new ones. The regulatory approach must seek to incentivise the risk mitigation aspects while restraining the new risks”, said Mr Ravi Menon, Managing Director of MAS in his Opening Remarks.

This need to focus on the balance of risks posed by new technologies or solutions is a consistent theme across the topics discussed at the panels across the three conferences, such as:

  • “Block Chain & Distributed Ledgers”
  • “Cloud Computing: Security & Scale in the New FinTech Era”
  • “API – Recipe for Future Economy”
  • “How do Financial Institutions Get Ahead of the Cyber Arms Race”

Blockchain & Distributed Ledgers (DLs)


“Discussion panel: Block Chain & Distributed Ledgers. From left: Tim Grant, CEO, R3 Lab and Research Center (Speaker-Moderator); Blythe Masters, CEO, Digital Assets Holdings; Sandra Ro, Chief Digital Officer, CME Group; Oliver Bussmann, FinTech Advisor, Former UBS Group Chief Information Officer”

Costly and time-consuming cross-border interbank payment is a big pain point in the existing financial system, which is reliant on ageing back-office infrastructure in banks.

During the festival, Mr Menon announced MAS’s partnership with R3, a Blockchain technology company, and a consortium of financial institutions*, on a proof-of-concept project to conduct inter-bank payments using Blockchain technology.

(*Bank of America Merrill Lynch, The Bank of Tokyo-Mitsubishi UFJ, Ltd, Credit Suisse, DBS Bank Ltd, The Hongkong And Shanghai Banking Corporation Limited, JP Morgan, OCBC Bank, Singapore Exchange, United Overseas Bank and BCS Information Systems as a technology provider)

The project aims to address the cross-border interbank payment pain point through the decentralization and distribution of the software that records and validates payments to ensure an immutable record of transactions.

New technologies, intelligently used, can help to reduce risk; in this example, “decentralisation reduces concentration risk. A cyber attack cannot bring down the entire system because every player has a copy of the ledger.” However, Mr Menon also cautioned, in one of his earlier industry speeches, that “contrary to what DLS advocates proclaim, it is not without risk and may even introduce new ones. The public DLS is susceptible to malwares being uploaded into the system. Blockchains are not hack-proof. And as all data are replicated to every node in the system, there is a risk of compromise of privacy.”

In fact, cryptocurrencies such as Bitcoin are underpinned by Blockchain technology, and the recent hack of Bitfinex, in which hackers were able to gain control over one piece of the private key and steal USD 65 million from the exchange, is a useful reminder to Blockchain proponents that security flaws in the design of the infrastructure will be exploited by hackers.

This issue and other potential risks that Blockchain and DLs pose, such as money laundering and privacy protection, were discussed at the “Block Chain & Distributed Ledgers” panel. Suggested preventive measures included permissioned networks to pre-identify and pre-approve participation, the need to design systems from the start with attack vector risks in mind, and a stronger understanding of implementation choices, in addition to the need for some form of regulation.

Cloud Computing, Application Program Interfaces (APIs)

Finance-as-a-Service API Playbook – “APIs are the essential ‘plumbing’ – the pipes – that enable the connections and collaborations that foster innovation,” said Mr Menon.

During the festival, he announced MAS’s aim to establish Singapore as a centre of excellence for APIs on financial services.

While most API users are legitimate, it is important to “be careful that you don’t have a bad actor”, said Suresh Kumar, Senior Executive Vice President and Chief Information at the “API – Recipe for Future Economy” discussion panel, and “ensure that only those who are authorized can assess your API”.

For example, an API is functionally secure and isolated until it receives the first request for information. The second it receives that request, however, it’s wide open. As such, security considerations such as password strength, session length and periodic re-authentication should form part of the early development requirements.

To assist the push into adopting APIs and raise awareness of potential risks, ABS and MAS jointly published the “Finance-as-a-Service API Playbook”. This guidance outlines standards for information security, data exchange and governance mechanisms, as well as common and useful APIs that financial institutions could adopt.


“Discussion panel: Cloud Computing: Security & Scale in the New FinTech Era. From right: Sandip Gupta, Vice President, Cloud Business, Singtel (Speaker-Moderator); Tetsu Sato, President and CEO, NTT Data Asia Pacific and SVP, Head of Global Business Development, NTT Data; Jeffrey DiMuro, Chief Security Architect, Salesforce; Ann Johnson, Vice-President, Enterprise Cybersecurity Group, Microsoft Corporation”

Guidelines to Promote Secure Cloud Computing –
Cloud Computing is an enabler for a variety of FinTech innovations, and the evolution of Software-as-a-Service, Platform-as-a-Service, and Infrastructure-as-a-Service platforms has led to a massive amount of data and computing being handled off-site.

But its distinguishing features – such as multi-tenancy and data commingling – can potentially pose issues for data confidentiality and recoverability.

Not surprisingly, financial institutions are expected to conduct the necessary due diligence and apply sound governance and risk management practices to address potential vulnerabilities arising from cloud adoption.

To assist financial institutions in these areas when entering into Cloud Outsourcing Arrangements, an implementation guide has been issued by ABS, touching on key controls such as Encryption, Tokenisation, Virtualised Environment Security, User Access Management and Segregation of Duties.

Cyber Arms Race?
In his remarks, Mr Menon said, “A smart financial centre must be a safe financial centre. As more financial services are delivered over the Internet, there will be growing security and privacy concerns from cyber threats. Users will have confidence in new technologies and innovative services only to the extent they have confidence in cyber security. Strengthening cyber security is therefore an important part of Singapore’s FinTech agenda”. In this area, other on-going MAS initiatives announced include:

“Ravi Menon, Managing Director, Monetary Authority of Singapore”

  • Payments – MAS to streamline the licensing of payments services, where some of the most visible FinTech innovations are happening, under a single, activity-based modular framework, including common standards for cyber security.

  • Digital Financial Advice and Insurance (automated, algorithm-based digital advice on financial/investment services by robo-advisers) – MAS to set out proposals on the governance, supervision, and management of algorithms to ensure integrity and robustness in the delivery of the digital advice.

Drawing on key learning points from the Distributed Denial of Service (DDoS) attacks on StarHub’s Domain Name Servers just a month ago, which struck on the heels of the attacks targeted at US-based Internet infrastructure provider Dyn, the panelists of “How do Financial Institutions Get Ahead of the Cyber Arms Race” stressed the continued need for telcos and financial institutions to collaborate and share information.

A good model for such co-operation among banks in the US is the Financial Services – Information Sharing and Analysis Centre, or FS-ISAC (the global financial industry’s go-to resource for cyber threat intelligence analysis and sharing). In this regard, FS-ISAC will be setting up in Singapore the industry body’s only cyber intelligence centre in the Asia-Pacific region, to help Singapore’s financial industry better monitor cyber threats and provide better intelligence support.

From the first ATMs to mobile banking and the latest in biometrics, technology has been a key enabler for the financial industry, and a source of competitive advantage. As its importance grows, so have the risks.

The 3rd Quarter 2016 Systemic Barometer survey conducted by DTCC (Depository Trust & Clearing Corporation – the financial services centralized clearing house for more than 50 exchanges and equity platforms) acknowledged the risks posed by the US election and Brexit to the global financial system. But there was a consensus view that Cyber Risk remains the top overall risk, due to the interconnectedness of global markets. “A cyber attack against a key market participant could precipitate systemic risk and de-stabilize markets”, said one respondent.

The week-long Singapore FinTech Festival drew to a successful close with over-subscribed attendance at the conferences, workshops, and innovation lab crawls across the island. As some of these technologies evolve and mature over time, weaving a proactive cyber risk management culture into the designs at early stages would help build users’ confidence and hence broad adoption of these new technologies. Alongside the collaborations and information sharing themes underscoring some of the cyber risk defense approaches, we would no doubt continue to see more of these positive engagements and partnerships between the public and private sectors to ensure the sustainability and viability of these innovations.

Jane Lo has more than 15 years of experience in enterprise-wide risk management and writes on risk themes relevant in the financial services sector. She started her career in Canada after graduating from Electrical and Computer Engineering studies, and worked in the City of London for 10 years consulting for Corporates and Banks, before relocating back to Singapore 6 years ago. Outside of work, she is a marathon runner and enjoys spending time with friends and family.

Some highlights from the Singapore FinTech Festival

ANZ-IBM NUS (National University of Singapore) Financial Innovation Challenge

The Festival kicked off with the island-wide Innovation Lab Crawl, where more than 20 innovation labs demonstrated their solutions and offered visitors a glimpse into the future of finance.


“At the IBM Watson Innovation Studio in Marina Bay Financial Centre, the winning team of the ANZ-NUS Financial Services Innovation Challenge – Team Finnovation – presented their winning solution. The challenge, organised by ANZ and the National University of Singapore Business Analytics Centre, with IBM, Thomson Reuters and GitHub as supporting partners, explored how emerging technologies – such as blockchain, cognitive analytics and APIs – bring innovation to Trade and Supply chain solutions.”

One of the pain points in Trade Finance is documentation fraud, which Team Finnovation addressed through the matching of ships’ live location against trade finance documentation. Using Thomson Reuters, APIs and data analytics, the solution delivered was not only commercially applicable but also implementable immediately.

The Association of Banks in Singapore (ABS) - Monetary Authority of Singapore (MAS) - Israel Study Trip

The Standing Committee on Cyber Security (SCCS) was set up by ABS in 2013 to share cyber intelligence within the financial services industry and to promote greater situational awareness. One of the joint ABS (SCCS)-MAS initiatives was the Penetration Testing Guidelines developed in 2015. In addition to the classic financial risks (interest rate, FX or credit risks), which are regularly subject to industry-wide stress tests by MAS, this guideline also highlights the need to raise the quality of penetration tests (PTs) as well as awareness of the risk vulnerabilities.

Another private-public initiative is the one-week trip earlier this year to Tel Aviv and Jerusalem with the objectives of, among others, learning how banks can further improve cyber resiliency and fraud management with Israeli thought leadership in cyber security.

One example is the adoption of bio-behavioral technology. As users interact more frequently with their mobiles to access financial solutions, instead of relying on biometrics such as fingers, attributable parameters such as swipe speed and finger pressure will prove to be useful to robustly verify user identity.

Singapore IDA (Infocomm Development Authority of Singapore) accredited Mobile Security Innovations

In addition to the well-known online security headaches such as hackable passwords, costly 2FAs or inconvenient hardware tokens, weaknesses in mobile operating systems mean that mobile apps and tokens need extra protection against attacks.

Established in 2011, V-Key, a Singapore-based company accredited by IDA, addressed this problem via a virtual secure element (V-OS), which secures the apps in the event of a mobile hack, by using encryption and a sandboxed middleware with security mechanisms such as binary code morphing, anti-reverse engineering, Trojan detection mechanisms, device checks, and techniques to respond to attempted tampering.

“Our goal is to deliver a simple, yet powerful and intelligent security solution that improves users’ confidence and experience in today’s mobile apps-driven world,” said Mr Benjamin Mah, CEO of V-Key.
