November 2017

CYBER SECURITY: When innovations carry a threat

Sibos, the banking technology conference, gave as much weight to cyber security as it did to fintech this year. Nick Fitzpatrick reports.

Bruno Prigent, head of Societe Generale Securities Services (SGSS), is sitting next to his colleague Matthew Davey, head of business solutions at the same custodian bank. They are talking about fintech.

“We have 20 robots in our business but we will have about 70 at the end of the next year,” says Prigent.

He is referring to SGSS’s increasing use of technology for many functions, from reading faxes via optical character recognition to sending out invoices by robotic hand.

Custody banks such as SGSS are using fintech for a variety of tasks, many menial ones, but also tasks that drag certain fund processes into the 21st century. For example, Prigent talks about how the custody bank is using fintech to rewire the French transfer agency system so that asset managers can gain more information about their customers.

Transfer agency, the record-keeping of fund shareholders’ details, is inefficient in France when it comes to client information, says Prigent. The names and details of a fund’s investors are kept in omnibus accounts that do not give fund managers enough data. Yet recently, access to information about underlying clients has become more crucial for fund management firms due to regulations and banks’ increasingly common practice of selling funds from non-affiliated managers in a process known as open architecture.

“With open architecture, a fund manager has to have a better view of the client,” says Prigent, adding that SGSS’s solution rests on blockchain ‘distributed ledger technology’.

Prigent is at Sibos, an annual conference and exhibition of banking technology.

Sitting just metres away is a rival French custodian and asset servicer, BNP Paribas Securities Services (BNPPSS). This bank is also happy to talk about fintech. BNPPSS boasts a similar mixture of menial tasks and more intriguing projects involving the technology.

Transformational
The custody bank has taken a minority stake in a Parisian fintech firm called Fortia Financial Solutions and is developing Fortia’s Innova investment compliance platform, which is driven by artificial intelligence.

Jean Devambez, the bank’s head of business acceleration, digital transformation, says: “Once you have transferred investment compliance into artificial intelligence, you can go up the value chain to help asset managers with their pre-trade duties. It could reinvent the whole fund life-cycle.”

His colleague Philippe Ruault, head of digital transformation, talks of another project with a start-up fintech firm to better manage how fund managers report portfolio data to their insurance company clients. The aim is to take out the pressure of the strict position-reporting requirements under the Solvency II Directive by cutting down on the need for hundreds of agreements fund managers may have with insurers to provide monthly data.

Devambez adds that BNPPSS is now creating its own start-ups as well as taking stakes in independent firms.

One of these dedicated initiatives is a ‘digital directory’ of asset managers for smaller investors that is both social-media enabled and replete with tools for client relationship management.

Taking stakes in start-ups (something Prigent at SGSS says his business does not do, preferring instead to work with them) is potentially problematic, given that old French banks – or old British, American or German ones, for that matter – could potentially stifle the funky fintechs’ creativity.

So might market infrastructure providers, too – a view acknowledged by Luc Vantomme, head of innovation at Brussels-based provider Euroclear and his colleague Walter Verbeke, global head of strategic planning.

The governance of these relationships is important to maintain the fintech spirit, they say, citing Euroclear’s Collateral Highway offering and the FundSettle international order routing business as evidence of its own track record in innovation.

Problems solved
Euroclear, an international central securities depository that is pivotal in the trade settlement process, invested in Taskize in 2015, just two years after the fintech firm was founded. It’s one of a number of fintech investments by the firm. “Taskize is a problem-solver,” says Vantomme. “It finds the person in Euroclear that a client needs to speak to to get an answer. It is agnostic to the person, so it does not matter if that person has left.”

This is due to an “active management of the directory”, described as the true fintech part of the machine.

Tasks that Taskize might ‘taskize’ include dealing with exceptions: the part of a process – such as settlement – that goes wrong and that technology had not adequately standardised previously.

Taskize does the 1% of jobs that other straight-through processing (STP) technology could not do, according to Vantomme and Verbeke.

“Even if you can get 99% in STP, the difference is the 1% which machines cannot do. This is what Taskize does,” says Vantomme.

Under siege
From record-keeping carried out at the speed of light to letters posted bionically, networked applications are creating an Internet of Things within the funds industry.

Although the vast potential of fintech was on display at Sibos, which took place in Toronto this year, the threat presented to financial institutions from cyber attacks was high up the conference agenda too.

Two workshops simulated a cyber attack on a bank. Meanwhile a keynote speaker, Admiral Michelle Howard of the US Navy, related her experience of protecting ships from cyber attack.

Not just warships, in fact, but the whole country.

“Have we made the country vulnerable?” asked America’s first female admiral rhetorically.

The financial incentive for cyber attacks no longer applies just to criminal gangs. In a session called ‘Forces shaping the cyber threat landscape’, Will Carter, deputy director of the technology policy program at the Center for Strategic & International Studies, said North Korea has launched financially motivated attacks.

“If you are talking about a change that should make every financial institution terrified, that’s it,” he said.

Added to that, what were once nation-state capabilities are now available to criminals, since much of the software is open source.

So-called Internet of Things distributed denial of service (IoT DDoS) attacks should be banks’ biggest worry. One of these, the Mirai botnet, closed down much of America’s internet, disrupted music-streaming services and affected Twitter and Netflix last year.

The Mirai botnet, largely made up of IoT devices such as video cameras, sent a huge amount of traffic to Dyn servers, a major part of internet infrastructure.

Banks are increasingly using services that take over and shut down servers from wherever an attack comes from, said Carter. But he also said IoT bots “have such scale, they overwhelm”.

Cyber defences
Computer ‘patches’, basically software designed to update computers or data, would not help in IoT DDoS attacks, Carter added. But finance houses can take steps against cyber crime and several conference guests emphasised that an organisation’s people were more important than any technology at a bank’s disposal.

Staff training in ‘email hygiene’ is a more obvious strategy for the longer term. But people and processes become even more important in a live attack. During a cyber attack workshop essentially played out as a card game, one response to a live attack was to tell the PR department to prepare a press statement. Not obvious, perhaps, but the card with this instruction was worth a good few points in the game.

Speaking in a session about what market infrastructures can learn from each other about cyber-security crisis management, Vas Rajan, chief information security officer at CLS, said: “Involve PR [for a press statement]. I wouldn’t want to do it; I’d want a PR professional to do it.”

In another session, Chris Thompson, a cyber risk expert from Accenture, drew an analogy between cyber security and Formula 1 racing. There are two parts to an F1 competition: the engineering, and the race. “The race is the procedure – and that is what the industry has to do more of,” he said.

Sibos’s banking tech community has a lot to be excited about as fintech powers on. But there is also much to fear and, as the conference made clear, fintech firms that are becoming asset management’s Internet of Things could provide a gateway for attackers if they are not careful.

As Admiral Howard said of her experience of dealing with naval contractors: “If they are not cyber protected, then I’m not.”

©2017 funds europe