
The Danish startup putting the killing blow into key encryption technology

Danish encryption specialist Sepior, founded in 2014, was started on the back of ground-breaking encryption projects and the support of the EU’s Horizon 2020 programme. In discussion with IBS Intelligence it revealed that it has lots more surprises up its Fairisle jumper.

Sepior’s big break came with the EU’s Horizon 2020 initiative, an irony not lost on CEO Ahmet Tuncay – as we spoke to him, the chaos which is Brexit continues to engulf Europe.

Ahmet Tuncay, Sepior CEO said: “Yes, we’re a truly Danish company and found our footing within the Horizon programme, which deals mostly with small to medium enterprise projects or SMEs.  For companies with promising technologies, the EU economic commission provides grants for the ones they believe will become a commercial success.  But there’s a fairly high bar for them to grant you this money, you have to commit to specific milestones and strict targets.  The commitment our founders of the company made was: ‘If you give us these funds and support, we’re going to create economic activity within the EU, which means hiring people and growing the company’.

He continued: “Our obligation was really to take that money and create a piece of commercially viable technology.  At the early stages, specific use cases aren’t as important as the foundational technology and broad market appeal.   Once the foundation is created,  we wanted to be able to acquire institutional funding to go and build a business.  In the long term our obligation is to create jobs, insofar as the EU is concerned, but now we have commitments to our shareholders, so it’s not just jobs that matter today.”

Tuncay says: “If you just look at the size of the market for encryption key management, you’re not going to be impressed by the number, it’s only around a $1 billion market. But if you take the same technology, repurpose it and apply it to commercial asset exchanges, which is a $300 billion market, and find a way to participate in a revenue sharing opportunity, you’ve moved yourself from a $1 billion market to a $300 billion market. You then have to figure out how to extract your fair share from that activity.”

The numbers are certainly impressive if you consider the amount of dollars that brokers and exchanges collect in fees – it’s a vast amount – it’s certainly more than the $1 billion market for encryption key management. It’s several hundred billion dollars, it is super lucrative and it’s a great market to be in because few companies are good enough to offer a differentiated service to capture new customers.

Tuncay says: “Our investors recognised that the big pain of cryptocurrency activity is that if you lose the coins, they’re gone forever. So that turns up the need for novel security solutions more than ever. The digital wallet containing the cryptocurrency assets must be hosted in trusted custody and the transactions involving the wallet must be protected against malicious or incompetent brokers and clients. The need for a higher level of security means having multiple signatures and multiple approvers, which is obviously more secure than having just one. When you have the multiple approvers using our ThresholdSig technology versus a MultiSig or multiple signature technologies, we can deliver very high levels of security and trust along with some operational benefits for the exchange, because the administration of the security policies involving adding people, removing people, replacing lost devices, and who can participate in those signatures, that’s all done off-chain and it’s simple.”

The alternative approach is to use MultiSig, which is all on-chain, so when you change the policies you have to broadcast the policy, telling everyone who the approvers and policies are, which is not really good for security. You may also have to reissue or generate new keys.  There is a lot of administrative bureaucracy that goes with that approach.  Until recently MultiSig has been the gold-standard for threshold cryptographic currencies but ThresholdSig provides an equal or higher level of security with a more flexible, lower administrative effort environment and also has some potential efficiencies to improve and reduce the size of the recorded transaction on the blockchain.  That means that the way the transactions occur, they’re recorded on the ledger, and with MultiSig, the blocks actually contain multiple signatures that have signed off on the transaction, which of course increases the block sizes.

Tuncay says: “With ThresholdSig there’s only one signature that goes on the ledger, so it actually reduces the amount of data on the ledger. It turns out these signatures are a substantial portion of the total transaction size.  So, there’s this kind of tertiary benefit that could end up being quite material, because it means that the blocks can contain more transactions. Blocks are typically fixed in size, so if the transactions are smaller you get more of them onto the chain.  In some of the currencies, like Bitcoin, it’s already hitting capacity on processing.  So, if you can have the highest level of security and smaller transaction sizes it’s going to maximise throughput.”

There is the hope that ThresholdSig transactions will also have lower transaction fees than MultiSig. ThresholdSig transactions appear as a single signature transaction on the blockchain. Historically, single signature transactions are the smallest in size, allowing for maximum transactions per block and typically have the lowest mining transaction fees. Our expectation is that the exchange could end up with lower transaction fees, with higher security and lower administrative overhead. So, there are some very compelling reasons why this technology is going to be relevant to a far wider audience than up to now.

Sepior’s investors were on the front edge of recognising threshold schemes, the cryptography approach with multiparty computation, and how that technology could bring real benefits in this use case. As Tuncay says: “We’re focusing on the implementation around cryptocurrency exchanges and hot wallets, but this technology is applicable to a much wider range of applications. So next month we’re going to be making some announcements around more blockchain generic solutions, to provide more privacy on private blockchains in general. There are a whole series of problems with using distributed ledger technology for business and one of these is scalability. How do you support – for example, in the case of logistics tracking operations – a container being loaded and shipped from a point in China to a destination in Los Angeles? Sometimes there are 35 or 40 different parties involved in that transaction. These parties don’t necessarily need to know everything on the blockchain. Effectively all the transactions are on the chain. So all parties that are participating in the chain can validate and see their own transactions but need not see the confidential data of other parties. One strategy for this has been to create virtual blockchains called channels, which is used in Hyperledger Fabric, but its use creates a messy scalability problem.

Tuncay says: “If I were to generalise it further, while a blockchain is supposed to contain transactions that are immutable because everybody on the chain can validate them, the downside is that everybody on the chain can also see everything on the chain. So how do you create an application like logistics tracking where there are 30 parties on the chain and you want every party to have a different view of it? Our solution to this – and there are existing solutions which have proven to be unscalable – is based on access control policy that relies on encryption to make only the intended parts of the chain available to users based on their permissions.

“There is nothing magical about this, we’re just using our underlying key management system and fabric. But once we make this available, it will also enable the creation of privacy-preserving chains that are massively more scalable than what is possible today. We think there’s value there, again this is something that we’re going to go and test out and we’re involved in activity with several large companies, to validate this. We think that it’s worthwhile.”

Fundamentally Sepior is providing fine-grained control over who has visibility to what on the blockchain. The key words here are ‘threshold cryptography’. Sepior is pioneering and leading the industry in the field of threshold cryptography, to apply these key management concepts in a manner that’s more scalable and works in distributed environments with a high degree of efficiency. Part of the threshold aspect, the threshold cryptography, in the case of a crypto wallet is that you might have four parties who are available to approve a transaction, but you might have a threshold that says if any three are available it will be accepted as a valid transaction. Therefore, you can define a threshold so that if somebody loses their phone or their device gets hacked and we no longer want to trust it, that device can be excluded while the remaining parties continue to transact and do business.

Tuncay says: “When you move into the blockchain application the threshold aspect is more around signing key availability and management. What we’ve done here is to take the key management function and distribute it using multi-party computation (MPC).  We’re able to distribute the key generation and management functions across multiple virtual servers, if you will, in the cloud, such that no individual server has a full key that could be hacked or stolen.  But collectively maybe two out of three of these virtual servers can provide keys for all the users that require access to the content on that blockchain.  This threshold aspect gives a high degree of availability, reliability and integrity of both the encryption and the availability of key management.”
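The "any three of four" approval and the single signature on the ledger described above can be shown with a toy threshold Schnorr scheme. This is an added example, not Sepior's ThresholdSig protocol or code; the group parameters, function names and sample message are assumptions, and the parameters are far too small for real use.

```python
import hashlib
import secrets

# Toy Schnorr group, chosen only so the example runs instantly (assumption):
# P is the Mersenne prime 2**89 - 1, Q is a prime factor of P - 1.
# A 32-bit subgroup is far too small for real use.
P = 2**89 - 1
Q = 2931542417
assert (P - 1) % Q == 0
# Generator of the order-Q subgroup: first h**((P-1)/Q) that is not 1.
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

THRESHOLD, PARTIES = 3, 4  # "any three of four", as in the wallet example


def poly_eval(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, mod Q."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % Q
    return result


def distributed_keygen(t=THRESHOLD, n=PARTIES):
    """Simulate a dealerless key generation in one process.

    Every party picks its own random degree t-1 polynomial and sends one
    evaluation to each peer. The joint private key is the sum of the constant
    terms, which no party ever holds. Returns (public_key, {party_id: share}).
    Real protocols also make the shares verifiable; that is omitted here.
    """
    polys = [[secrets.randbelow(Q) for _ in range(t)] for _ in range(n)]
    public_key = 1
    for poly in polys:  # each party publishes G**(its constant term)
        public_key = public_key * pow(G, poly[0], P) % P
    shares = {j: sum(poly_eval(poly, j) for poly in polys) % Q
              for j in range(1, n + 1)}
    return public_key, shares


def lagrange_at_zero(i, signers):
    """Weight applied to party i's share for this particular signer set."""
    num, den = 1, 1
    for j in signers:
        if j != i:
            num = num * (-j) % Q
            den = den * (i - j) % Q
    return num * pow(den, -1, Q) % Q


def challenge(R, public_key, message):
    data = f"{R}|{public_key}|".encode() + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def threshold_sign(message, public_key, shares, signers):
    """Parties in `signers` jointly produce one Schnorr signature (R, z).

    Each party contributes a nonce and a partial response computed from its
    own share; the private key is never reassembled. Production protocols
    add nonce commitments to resist concurrent-signing attacks.
    """
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in signers}
    R = 1
    for k in nonces.values():
        R = R * pow(G, k, P) % P
    e = challenge(R, public_key, message)
    z = sum(nonces[i] + e * lagrange_at_zero(i, signers) * shares[i]
            for i in signers) % Q
    return R, z


def verify(message, public_key, signature):
    """Ordinary single-key Schnorr check: G**z == R * Y**e (mod P)."""
    R, z = signature
    e = challenge(R, public_key, message)
    return pow(G, z, P) == R * pow(public_key, e, P) % P


if __name__ == "__main__":
    pk, shares = distributed_keygen()
    msg = b"constructed sample: transfer 0.5 BTC from hot wallet"
    for group in ([1, 2, 3], [1, 3, 4], [1, 2]):
        sig = threshold_sign(msg, pk, shares, group)
        print(group, "->", verify(msg, pk, sig))
```

The verifier sees one public key and one (R, z) pair whichever approvers took part, so changing the approver set requires no on-chain change, and a set below the threshold cannot produce a signature that verifies.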

For this Danish company, it looks like blockchain will be The Killing it deserves.


The rise of the KYC Utility: How to plan for success

Successful compliance and risk management programmes within financial institutions depend on effective Know Your Customer (KYC) processes yet most have found these processes to be increasingly onerous, both in terms of time and cost. 

This is further complicated by an ever-changing and progressively stringent regulatory landscape. As a result, consortiums of banks, governments and vendors have explored the possibility of reducing costs and improving customer service through the establishment of industry-wide KYC processors or Utilities, with the intended aim of standardising KYC processes.

The latest region to look into adopting this approach is the Nordics, following a series of high-profile money laundering cases there. Leading banks DNB Bank, Danske Bank, Nordea Bank AB, Svenska Handelsbanken and Skandinaviska Enskilda Banken banded together in May last year to announce their intention to develop “an efficient, common, secure and cost-effective Nordic KYC infrastructure” called Nordic KYC Utility.

If designed and executed properly, the potential benefits of a shared infrastructure are clear to see, not least raising KYC compliance standards across the financial industry as a whole. However, there are challenges, as demonstrated by the Monetary Authority of Singapore shelving its plans for a centralised Utility late last year due to spiralling costs. Here, we look at the objectives of a Utility and the key factors to be considered to ensure success.

Objectives of a shared KYC Utility

First and foremost, a Utility should provide benefits to ALL its stakeholders – from the participating banks and their customers to regulatory authorities.

For banks, the Utility should streamline KYC and customer onboarding, reduce costs and enhance KYC standards and auditability. Meanwhile, their end customers should benefit from a smoother customer onboarding journey and reduced friction.

From the perspective of the regulators, the primary objective of a successful Utility should be to raise confidence – among themselves and society as a whole – that banks are working to the highest KYC standards to more effectively combat financial crime, money laundering and terrorist financing.

Considerations for success when designing and implementing a Utility

The failure of the Singapore KYC Utility has highlighted areas of caution to be considered in other jurisdictions. In a report published by the Association of Banks in Singapore (ABS) after the project halted, it was revealed that “the overall margins at a systemic level did not allow for a viable business case in a projected term, and the proposed solution was going to cost more than the savings that banks would get out of it.” So, what can be learnt?

Approach the project with a thorough understanding of participant needs

It’s important to recognise that, despite all the participants operating under the same legislative and compliance regulations, their interpretations and – importantly – risk appetite will vary immensely. It is therefore crucial to establish a deep level of understanding of the needs of each participant in terms of existing KYC processes, risk methodologies, data and technology requirements.

The reality is one size never fits all. Participating institutions may vary significantly in their need to access various specific sources or adapt certain processes by jurisdiction or customer type based on their established compliance policies. This places extra demand on the Utility operator to select and deploy highly configurable best-of-breed technology, data and processes in the early stages.

Build design with flexibility at front of mind

The report highlights the importance of the core design, stating that “significant priority was given to design choices which represented a highly ambitious ideal” and that “more agility in governing the interaction between design and cost could have helped”. This emphasises the need for flexibility and adaptability, since initial requirements often evolve and so an agile approach and design thinking are essential to ensure the Utility truly delivers value based on the actual needs of the participating parties.

Ultimately, it was the cost of integrating an inflexible solution into a bank’s established compliance processes that proved to be the Singapore Utility’s primary downfall. The ABS report noted that the banks are “all at various stages of sophistication and evolution in terms of client data systems and KYC workflow systems”, and acknowledged that integration costs would account for over a third of the project costs. Therefore, ensuring there is flexibility in the design and technology used to build a Utility is critical in managing costs and ensuring participants realise maximum value today and into the future.

A Utility simply won’t work if its infrastructure is not future proof from advancements in regulation, technology or user experience expectations. For instance, here at encompass we recently launched global biometric identity verification (IDV), and this is the type of feature that Utility participants may well want to use in the future, so the infrastructure has got to be able to adapt for this.

Are Utilities the way forward?

Given the amount of time and money financial firms currently spend on KYC and customer onboarding, it isn’t surprising that the Utility concept is gaining such traction. While there are certainly questions that remain to be answered – such as whether one Utility can realistically meet all the requirements of multiple, diverse institutions – the arguments in favour are certainly persuasive.

Industry pundits have debated the likely success of a regional KYC Utility and time will tell whether the proposed Nordic KYC Utility will achieve its desired outcomes. However, it is an encouraging move by the main Nordic banks to up the ante in the fight against financial crime, and rebuild their standing in the eyes of both regulators and customers. With a high level of engagement among key stakeholders, there shouldn’t be any reason why the project does not succeed, should it stay true to its primary objectives and understand that design thinking based on inherent flexibility is absolutely critical.

By Wayne Johnson, Co-Founder and CEO at encompass corporation


How will AI change the face of banking?

Research firm IDC is predicting banks worldwide will spend more than $4bn on Artificial Intelligence (AI) in 2018. If we factor in PwC’s Sizing the Prize report to understand the broader trend for global business, it seems AI could add a further $15.7 trillion to the global economy by 2030. Undoubtedly AI will lead to a significant change in the way banking operates, but let’s consider what that might look like.

By Dr Giles Nelson, CTO Financial Services, MarkLogic

Firstly, think about customer relationship management in retail banking. Most traditional banks still have a largely transactional relationship with their customers, providing deposit and payment services. But consider for a moment the information that a bank typically holds about an individual – their financial history gives a unique insight into a customer’s commitments, preferences and desires. By using AI techniques to analyse this treasure-trove of information, banks can deliver suggestions for tailored financial products and, indeed, other consumer products.

This kind of personalisation has begun with the introduction of chatbots in banking. AI is enhancing customer relationships by using natural language as a way in which customers can interact and ask questions and promises better customer satisfaction and lower call centre costs.

Fraud and anti-money laundering (AML) are also perennial issues. AI techniques, particularly using machine learning, are used today in these areas, and their use will only increase as models and databases of source information get more sophisticated. This is also a constantly evolving area as anti-fraud staff battle with bad actors who are also employing the latest technologies. With richer datasets and more advanced AI techniques, this will only get better, leading to less financial loss and less annoying false positives. With the right data of past and current transactions, the typical behaviour of customers can be learnt, and anomalies detected. Transactions can then be stopped, perhaps even before they have occurred, or confirmation from the customer requested before the transaction can proceed.

Last but not least is AI’s impact on trading technology. Much investment over the last 10-15 years has gone into making automated trading systems, whether trading equities, FX or derivatives, faster and more responsive to changes in the market. AI techniques, such as neural network machine learning systems, have also been used for some time. As AI tools and the data available to them become more sophisticated and richer, so these systems will get better.  Better at spotting opportunities to trade, and better at spotting the occasional examples of abusive behaviour.

Tackling a fractured data landscape

This is all seemingly beneficial and promises a lot, but here’s the rub. AI thrives on lots of data. To make AI useful, data from different parts of an organisation need to be accessible so the AI systems can use it. Data sitting in remote technology silos may be vital to a particular application, but if it isn’t easily accessible it may as well not exist. What’s more, that data has got to be well organised too – there is no area of technology where the aphorism ‘garbage in garbage out’ can be applied more strongly than with AI.

Furthermore, the data systems underpinning AI need to be agile enough to deal with new challenges quickly. Businesses cannot afford to spend months waiting for the right data to become available before launching new services – by then the competition will likely have an edge.

So, having the right data technology foundations is critical to delivering the process of AI, but a lot of banking organisations today don’t have this and are dealing today with a fractured data landscape.

The path to data-driven decision-making

Data silos are an undoubted issue together with the rigidity of most conventional data management systems. If financial organisations can go beyond this – delivering a holistic view of their data together with the agile data models that can evolve easily as business requirements change – then they can become truly data-driven. Competitive advantage will come from how smartly that data can be accessed and deployed.

More personalisation of retail services will occur, and banks will have the opportunity to strengthen their customer relationships and become more valued partners with end customers rather than just providing commoditised banking services. This will enable banks to provide services traditionally only targeted at the wealthy through private banking, to a much bigger segment of their customer base. Similarly, risk, fraud and money laundering should all ultimately be reduced with the greater insights that AI can bring, making the whole financial system safer.

As with any new generation of technology, change can be both positive and negative, but one of the most scrutinised areas of disruption is the jobs market. With the introduction of AI, jobs will also change, and that’s the key point. One of the main purposes of any new technology is to make people more productive and to get ‘up the value stack’. This will need a willingness on behalf of people to embrace and, indeed shape, new AI-powered tools.

AI has the power to transform the banking sector, but only with the right data infrastructure. Banks should be acting now to ensure they have the right tools in place to make the most of the data at their disposal.


Technology banks should embrace to better serve their business customers

Kevin Day CEO of HPD Software

Kevin Day, CEO of HPD Software, a provider of technology that facilitates banks’ ability to provide asset-based finance, outlines the technologies banks should be considering to ensure that they are able to attract and retain the fastest growing SMEs as clients. They should embrace automation, offering integrated invoice finance platforms, upgrading mobile banking applications, introducing biometrics, and tapping into the vast potential of the blockchain.

In recent years, technology has fundamentally changed how the financial services industry operates. Fast-paced innovation in the FinTech sector has meant that SMEs should benefit from the cutting-edge technologies that are being developed when it comes to managing their everyday banking requirements. Yet many business customers are instead turning to more nimble digitally-driven platforms as traditional lenders have been slow to embrace such technology. This is beginning to change, however, as FinTech is starting to become integrated into the growth strategies of traditional lenders and other financial services providers that had previously taken a less tech-focused approach to the way they did business.

Mobile payments

Mobile payments may be old news for retail customers, but in business banking it is now starting to catch up. In November 2018, Barclays became the UK’s first high street bank to launch a mobile invoicing application for its SME clients, which aims to reduce overhead costs and speed up the payment cycle.

A recent report found that 80 per cent of businesses surveyed wanted time-saving measures to improve efficiency, with 56 per cent stating that these resources have a significant impact on their business and positively affect their decision to use what’s on offer by a financial institution. [1] Mainstream banks control 68 percent of the SME market share, so naturally technological innovation, like online and mobile banking, is playing a role in their continued dominance of the sector.

Biometrics

When it comes to business banking, online security is a concern that towers above the rest. Extending this functionality from a consumer platform into corporate banking has the potential to make payments and account management more seamless and secure. HSBC was the first to introduce biometric face, voice and fingerprint recognition for corporate clients in May 2018, and with its HSBCnet banking app, with single amounts of up to US$1 billion authorised on their platform, efficient, streamlined security is paramount. Biometrics has the potential to become significant for banks providing invoice factoring and other forms of asset finance, to authenticate the transfer of assets and to increase security around access to invoice finance platforms.

Blockchain

For such a tightly regulated industry, banks have historically been sceptical of whether blockchain technology is secure enough, but that attitude has shifted dramatically in very recent years. A recent Deloitte global survey finds that 43% of senior executives believe integrating and deploying blockchain to be one of their top-five strategic priorities.[2] Recent developments suggest blockchain technology is very quickly making the jump from niche application to mass market appeal, with growing consensus it will fundamentally change the way we think about asset financing and how banks and financial institutions operate.

We can see the benefit of blockchain in smart contracts – self-executing contracts on the blockchain, and in security – where transactions are immutable due to the decentralised nature of the distributed ledger. Among the areas where blockchain could be most beneficial for banks, is in their services for their asset based finance clients, as it can improve trade financing by keeping all stages of the process, including letters of credit and import/export authorisation, on the blockchain, which helps optimise settlement times, adds transparency, and lowers transaction costs.

Asset-based finance tech priorities – automation and integrated platforms

The technology options available for banks are vast, and there are some which top the list, with digital, integrated, intelligent platforms being one of them. One of the areas poised to adopt technological innovation, where they can provide benefits for both banks and their business customers, is in facilitating asset-based finance.

ABF management software functionality and transaction streamlining have been transformed in recent years – the technology is now able to update collateral values as clients generate invoices in their day to day business, thus reducing the lead-time between raising an invoice and receiving funding. Banks should consider such platforms to automate and streamline data capture requirements and more efficiently deliver a seamless financing product to their business customers. Platforms such as our own HPD LendScape automate and streamline data capture, offer real-time risk management, and provide insights and analytics into reporting.

As blockchain gains traction to support the business and trade transaction flows, there is an opportunity to connect ABF into the process; greater granularity and enhanced data quality can only help banks to provide enhanced funding into supply chains.

Outlook

Though mainstream banks initially appeared slow to react to the rapid changes, and adopt innovation with less agility than many alternative FinTech providers, they will likely remain their corporate clients’ main source of finance. However, clients will expect easy to use, fast and secure digitalised services as an integral part of the package or they will look elsewhere. Many major banks are acquiring FinTechs to take advantage of technical innovation and bring it to the mass market; we are starting to see the banking world roll out these technologies for the benefit of their business clients. If major banks want to stay ahead of the more nimble digital challengers, and retain and gain some of the fastest-growing SMEs, they need to stay on top of the technology innovation game.

[1] https://www.pymnts.com/news/b2b-payments/2016/sme-mobile-banking-correlation-business-growth-performance/

[2] https://www.americanbanker.com/slideshow/the-many-ways-banks-are-using-blockchain


How can banks compete with the tech disruptors?

Digital disruption in the banking industry is something that’s gradually been gathering pace in recent years, but it’s about to get much more prevalent. Enter the GAFAMs. Google, Apple, Facebook, Amazon and Microsoft – the big five global tech companies that have made their presence known by expanding their customer offering and disrupting multiple industries in recent years. In the world of finance, Amazon has just made headlines following the announcement it’s investing in a digital insurer, while Facebook has secured an electronic money license in Ireland.

Banks beware. PSD2 has allowed GAFAMs to access customer data with their permission and use it to provide innovative solutions to their needs and the issues they face when it comes to banking. The GAFAMs have enviable digital prowess and knowledge, not to mention near-limitless funds. Combine this with data-rich customer insight and they could easily change the face of banking forever. So how will this affect the industry as it stands?

Could challenger banks be the underdog?

Challenger banks have been quietly but effectively shaking things up in the industry, in particular looking at ways customers interact with their bank and providing a more seamless, convenient alternative. The initial Open Banking fears that challenger banks would immediately start stealing vast amounts of market share from high-street banks have been quashed for now, but they have certainly raised standards across the board when it comes to providing a slick customer experience.

So much so that Paul Riseborough, CCO of Metro Bank has stated that it will take a while before Open Banking starts to get exciting, with real innovation approaching in “about three to five years’ time”. In contrast however, PwC revealed last year in some research that 88 per cent of the financial industry is worried they will lose revenue to disruptive innovators. While there is uncertainty regarding challenger banks, it’s more likely that GAFAMs will have more power and influence when it comes to innovation and changing how customers engage with the banking industry.

Finance and tech crossing over

The lines of relationships between financial organisations and technology platforms are becoming increasingly blurred, as China’s WeChat app has proven. Launched in 2011 with an initial concept similar to that of WhatsApp, it has since evolved into a much broader service that allows its one billion users around the world to do everything from ordering a taxi to arranging a doctor’s appointment, but also money transfers and other banking transactions.

Given that the GAFAMs are all heavily tech-led, if they were to establish a presence in the financial industry and introduce a similar all-encompassing product, retail banks face a further risk of falling behind in customer engagement and losing market share.

Investing wisely

Amidst the uncertainty and potential threats brought about by GAFAMs, there is opportunity for banks to improve their innovation strategies using information they already have on their customers. McKinsey recently said in a report that banks may be at an advantage compared to the industry’s disruptors, as “customers would not find it attractive to provide third parties access to their data or accounts.” If banks can harness their data in the correct way before the tech goliaths come into view, they could strengthen their customer retention.

RBS is staying ahead of the curve as it announced earlier this year that it plans to launch a digital-only bank to compete with existing challenger banks such as Monzo and Starling. On a more international scale, a survey by PwC shows that 84 per cent of Indonesian banks are likely to invest in technology transformation over the next 18 months.

Partnerships and collaboration are also key and fast becoming a growing trend. Software developers are being encouraged to use existing APIs to build platforms that allow financial organisations to improve both the internal and customer-facing elements of their businesses. Avaloq is a good example; its developer portal aimed at freelancers, fintechs and large banks currently has more than 1,000 developers collaborating and sharing insight with the global financial sector to drive innovation. For retail banks, it’s certainly worth taking advantage of the tech and insight on offer from external parties.

 Going above and beyond

The disruptors and challengers which have already made a mark on the financial services industry have done so by going above and beyond the perceived limits of retail banking. It’s something that retail banks need to take a step back and look at to learn from.

Many are already making strides, such as a group of big banks including Bank of America, Citi and Wells Fargo reacting to newcomer Venmo marking its territory on instant transfers. They’ve partnered with P2P payments app Zelle to integrate directly with their own apps.

Instant transferring follows a wider trend of convenience that consumers have come to expect from all industries. Banks can go even further by looking at non-banking services which ensure they are making a more positive impact on their customers’ lives. Whether it be the introduction of lifestyle benefits such as high-street discounts, or helping customers to simplify their monthly bills, offering add-ons that increase convenience or reward the customer is likely to make them want to stay. In fact, our ‘Connected Customer’ report shows businesses that offer three or more additional products have considerably higher customer engagement scores, resulting in customers staying longer and spending more.

 Planning ahead

With PSD2 and Open Banking making an impact, it’s all change in the banking industry and as GAFAMs enter the market, banks and fintechs need to plan ahead to maintain their presence and stay relevant to customers.

Innovation and collaboration are the two key ingredients to improve their offering and position. The introduction of GAFAMs and other new players is a healthy addition to the financial sector, as it drives positive change and competition, while customers will reap the benefits.

By Karen Wheeler, Vice President and Country Manager UK, Affinion

 

 


Four Reasons to Use Security Ratings Before Your Next Acquisition

Tom Taylor

For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags, but due to limited time and resources, or a limited ability to separate qualitative responses given during M&A from real performance, there wasn’t a great deal of importance placed on it. Very few transactions would be prevented due to cybersecurity practices today; however, each M&A does require a financial business case regardless. This may be as simple as assessing integration costs.

You are probably aware of the security breach at luxury retailers Saks Fifth Avenue and Lord & Taylor that compromised payment card information for over 5 million customers. As a result, Hudson’s Bay Company (HBC), which acquired Saks and brought the retail chain to Canada five years ago, suffered a 6.2% drop in shares the following day. Although HBC was able to quickly recover, history has shown that a lack of due diligence on cybersecurity during or after the acquisition process can be devastating to the acquiring organisation.

The reduction in the price of Yahoo, following the acquisition by Verizon, is a clear demonstration of the business impact. Following the occurrence of two major Yahoo data breaches, Verizon announced in February 2017 that they had reached new acquisition terms. After slow progress of acquisition following the data breaches, Verizon lowered its purchase price for Yahoo by $350 million, down to $4.48 billion.

Up until recently, cybersecurity due diligence consisted of a set of questions that the acquiring firm presented to the target firm, maybe with an on-site visit or a phone call. Today, security is a boardroom issue, and the implications associated with it can seriously diminish the value of a future organisation, especially with regard to sensitive data and intellectual property. These have a direct impact on your ability to do business and as a result on the valuation of the deal (Yahoo lost $350M in purchase price value after disclosure).

Typically, assessments carried out to measure cyber risk have been point-in-time assessments, such as audits, questionnaires, penetration tests and so on. However, these only provide a snapshot in time of true security posture. Businesses that rely on this type of reporting, especially during the M&A process, should consider moving towards more continuous monitoring of the business they intend to acquire and also its third-party ecosystem, in order to mitigate any risk that could flow into their organisation upon acquisition.

Luckily, there are security rating tools available that can help you understand the true cybersecurity posture of your acquisition. Security ratings are much like credit ratings in that they measure an organization’s security posture.  These are objective tools that deliver a standardised method of reporting risk to the board in a meaningful way.

Below is an information security due-diligence checklist, highlighting the four reasons you should consider using security ratings before, during, and after any merger or acquisition.

  1. It saves you money in the immediate future.

You likely remember the newsworthy fiasco between Canadian-based TIO Networks and PayPal: the payment processing company was acquired by PayPal in July 2017 for $238 million. Just a few months following the acquisition, TIO Networks revealed that as many as 1.6 million of its customers may have had personal information stolen in a data breach.

Companies that conduct thorough due diligence of the security posture of acquisition targets using security ratings review historical security data and can use that information to better structure M&A deals. If their acquisition target has a long or constant history of security issues they may be able to negotiate a lower sale price to counteract potential cyber risks. More importantly, acquiring companies may also be able to help targets improve their security posture, thereby reducing the level of risk incurred as a result of the transaction.

  2. It saves you money in the long term.

While some companies have been breached during a merger or acquisition transaction, others have been breached well after the deal has gone through. A prime example is TripAdvisor’s 2014 purchase of Viator, a tour-booking company. Just a few weeks after the completed transaction, Viator’s payment card service provider announced that unauthorised charges occurred on many of its customers’ credit cards. The breach affected 1.4 million users and led to a 4% drop in TripAdvisor’s stock price.

Security ratings can help. Security ratings are correlated to the likelihood of a breach, so if the rating of an acquisition target indicates they are at risk for a future cyberattack, that risk is inherited by the acquiring company as part of the deal.

  3. It aids collaboration between the acquiring company and their target.

Since acquiring companies inherit the digital footprint of organisations they buy, security and risk departments at both organisations need to have a simple and effective way to collaborate and plan appropriate integration investment. Here is how BitSight Security Ratings can help with this process:

  • Acquiring organisations can invite any target company to take a look at their own digital infrastructure and security posture free of charge.
  • Target companies can then use the platform to review their own digital infrastructure, including any owned IP addresses and domains. This is a very important step as many companies often own IP space they may not have accounted for. The acquiring organisation needs to know precisely what is being consolidated, because once the deal is finalised, the acquiring company has a much larger attack surface—so they must be aware if there are any infections or issues so they can monitor adequately going forward.
  4. It gives you a competitive business advantage.

Today, cybersecurity is a business differentiator, and organisations who have a good security rating may use it as a selling point. For example, a highly-rated law firm would be considered more trustworthy. The same idea can be applied to acquisitions. Acquiring a company with a good security posture could be a strategic move, as it could either reinforce or enhance your company’s own security posture and strategy.

In a nutshell, using security ratings is a critical step to continuously monitor your acquisition before, during, and after an M&A deal. Without this real-time look at your target’s security posture and performance, you could end up acquiring vulnerabilities that could cause major damage if exploited. Indeed, analyst firm Gartner issued an M&A report earlier this year stating how important cybersecurity is in the due diligence process. Not only will this save your organisation money immediately, it also prevents future risk of financial losses, aids your collaboration with the target company and improves your business prospects. For more information, you can download this data sheet.

By Tom Turner, CEO, BitSight


Why it’s time for mergers and acquisitions to embrace digital transformation

Philip Whitchelo, VP for strategic business development, Intralinks

In the midst of complex mergers and acquisitions negotiations, deals more often than not face unexpected developments that can cause significant delays.

Even the most common hurdles – such as misplaced documentation – can have a significant material impact on a business’ speed-to-market and share valuation. This is a key reason why it is time for those involved in M&A negotiations to embrace virtual deal room technologies.

Whether they are buy-side or sell-side, dealmakers need to take a holistic view of every single step of the process, from networking and idea generation, sourcing and marketing, to due diligence and integration planning.

Speed and efficiency through the deal lifecycle

Each of these processes takes up considerable man hours, pressuring M&A professionals amidst a challenging industry backdrop to adopt better, faster tools to ensure speed, efficiency and continuity throughout a deal’s entire lifecycle.

The financial services industry has been rapidly transformed by digitisation in recent years, with the British fintech boom a clear example of how this has impacted the sector. However, while trading floors are now almost entirely driven by algorithms, investment banking has remained wary of adopting these new streamlined, automated digital processes.

The truth is that many people within the investment banking industry simply feel as though it does not lend itself to automation, viewing success as reliant on the strength of personal relationships. The reality, however, is a fear that new processes could end up reducing the number of jobs available.

New tech means better deals and more jobs

Selecting the right technology has the ability to enhance investment bankers’ knowledge and capabilities, allowing them to become more efficient, competitive and therefore attract greater amounts of business.

Virtual deal room technology, to use one prime example, can change the way in which investment bankers go about the M&A process, through provisioning a safe space for parties to manage and store their critical information during negotiations.

Being able to provide this unique tool allows investment bankers to close deals faster, accelerating speed-to-market and maximising the transaction value for both buyers and sellers, all the while minimising security risks that can compromise a deal – i.e. information leaks and data hacks.

Easy online networking & speedier information flows

The old-world perception of a well-connected investment banker, doing face-to-face deals with his personal network on the golf course or in the private members’ club, is rapidly becoming an outdated myth when it comes to the reality of how the industry works in practice.

Clearly, it is impossible for an M&A professional to know every buyer in the market, which is why fast and efficient online networking is a key way in which they can transform the ways they identify potential buyers out there.

Additionally, there is still far too much of the investment banking workflow that takes place through cumbersome tools like Excel, PowerPoint and email. Such tools slow the deal-making process and, more worryingly, put sensitive data at high risk of unwanted disclosure.

There are a number of ways in which innovative technology can help improve this necessary flow of investment information – I have outlined three of them below:

  1. Buyer Identification – Bankers typically spend years building relationships with potential buyers, both financial and strategic. Barring perhaps a handful of industries, it’s impossible for an M&A banker to really know every buyer in the market – especially when the market is now global. Online networking – the world’s biggest Rolodex – can bring the right people together at the right time to expand everyone’s opportunities.
  2. Information flow – Much of the investment banking workflow still takes place through Excel, PowerPoint and email. Not only do these tools slow the deal-making process, but they can also put sensitive information at risk of unwanted disclosure. Sending, sharing and storing NDA files or the due diligence Q&A process on a secure electronic platform can massively improve efficiency and security.
  3. Artificial Intelligence (AI) – Some banks are beginning to explore whether tasks like modelling can be more effectively handled by AI. Such tools can read, review and analyze vast amounts of information in mere minutes, thereby expediting knowledge-based activities to improve efficiency, accuracy and performance.

The three points above offer a snapshot of the key areas in which the investment banking industry is clearly ripe for technological process improvement.

Adopting these new technologies – particularly for the old-guard who have done the job ‘their own way’ for generations – is certainly going to take the initiative of a few early adopters to show success before the rest of the community crosses the chasm.

The bottom line is this: it’s no longer a matter of if these changes are necessary. It’s merely a matter of how long this digital transformation of the investment banking industry will take, and who will be leading the charge.

By Philip Whitchelo, VP for strategic business development, Intralinks

 


The Need for Effective Third-Party Risk Management in Financial Services

In the last few years, we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. One of the biggest reported attacks against financial organisations occurred in early 2016 when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.

Landscape

The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyber attacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.

With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.

Risk management lifecycle

The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.

In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.

In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.

Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way, you establish your organisation’s risk appetite.

To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance to transfer risk in the event of a cyber event.

Once the risk has been assessed, an approach for treatment of each risk must be defined. After assessment, some risks may require no action other than continuous monitoring, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.

To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.

Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.

Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.

Managing with risk transfer

Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cybersecurity standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyber attack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third-party vendor risk.

Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.

The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regard to risk and security, where they may not have been able to previously.

Long-term potential

This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of marketplace, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.

By Tom Turner, CEO, BitSight

 


From bookstore to bank – is it Amazon almighty?

Roger Niederer, Head Merchant Services at SIX Payment Services

For many years Jeff Bezos’ online shop has had almost every conceivable item in its range.  Now apparently, Amazon wants to expand and offer some kind of current account or bank to its customers.

The offering will be aimed at young people and other consumers who do not currently have their own account. However, according to a report in the Wall Street Journal, the project is still at an early stage.

If true, does the move really have the potential to change the payment area in much the same way as it has the literary market? What does the project mean for retailers and the payments industry, and where can the growth of Amazon lead?

Will Amazon now become a bank?

Amazon does not want to become a financial institution in its own right; instead, the project is likely to be undertaken in partnership with established financial service providers. It is understood that US financial giant JPMorgan is currently in discussions with Amazon.

The reason for this approach is likely to be that if Amazon built its own banking division and applied for a banking license, the company would face much stricter regulations that could slow its aggressive growth in other markets. In any case, it is clear that retailers understand the benefits of having a strong payment service provider at their side who brings the necessary expertise and can quickly and easily integrate new payment methods into existing processes and systems.

Is this E-commerce expansion without limits?

In the beginning, Amazon mainly sold books; it then offered CDs and DVDs to its customers. Today, through Prime, customers are able to stream music, video and much more across smart devices. Thanks to Alexa, its huge selection of online shops can be accessed by voice command and Amazon even wants to take control of the delivery of its packages. This announcement hit the stock values of UPS and FedEx. With Amazon Pay, the company has had its own payment service for a while but gained only moderate traction with other online stores. Here, it seems, the giant had reached its limits. The company recently opened another lucrative online business with its cloud service, Amazon Web Services. The plan to offer bank accounts is just another link in a long chain of new business ideas. The direction of Amazon’s journey is not yet clear but it is likely that CEO Jeff Bezos is intent on continuing growth. Industry experts assume that in the long term, only one in ten online retailers will remain competitive with this current strategy.

How much influence does Amazon have in daily online commerce?

Like Apple and Google, Amazon has been accused of being a “data octopus”. Since the introduction of language command assistants, the accusation is more topical than ever. There is growing scepticism surrounding the opaqueness of what exactly Alexa stores and what happens to the recordings. Connected to a fully networked smart home, the digital ‘roommate’ could know a lot more and potentially share it: What time people get home? When do they turn off the lights? When do they go to bed? Are they looking into the fridge during the night? Worrying about the potential for very personal information being shared is likely to outweigh the positives of Alexa & co for most consumers.

With the new bank account function, Amazon would also have access to the financial data of its customers. Using this new data it would eventually prove very easy to determine a customer’s individual willingness to pay a certain price for a particular product and then offer it at exactly that price. However, we must bear in mind that nobody is forced to shop at Amazon and invite Alexa into their home. In addition, awareness of data protection is increasing amongst both individuals and Governments. In the future, customers will be increasingly concerned about whether they really want to give their personal data in such a concentrated way to a single provider. Payment service providers form an attractive way out, as they, for example, handle the credit card data on behalf of the merchants, sparing them compliance effort.

Final thoughts

In the near future we will still buy our bread from the local bakery and it will not get delivered by an Amazon drone. Nevertheless, one thing is certain: retailers are faced with a harsh reality and online shops may soon cease to exist in their current form. Amazon and a comprehensive portfolio of payment methods will be the challenges for today’s online store owners, but with the right technology and consulting partners on their side, nobody has to worry about the future. SIX has recognized the potential of Amazon and the dangers that can arise for the retail sector, and we are working on a wide range of solutions that should enable the merchant to keep up with Amazon. Omni-channel, Conversational Commerce and Internet of Things are all geared to the new customer journey consisting of numerous touchpoints and the changing needs and expectations of consumers.

By Roger Niederer, Head Merchant Services at SIX Payment Services


BofE rate rise: the unintended trading cost consequences for banks

Kerril Burke, CEO of Meritsoft

Does anyone long for a return to more benign economic times? A time when a rise in the base rate simply led to immediate benefits for savers. Well, get prepared for a continued long wait, as last week’s decision from the Bank of England (BofE) signals anything but a move to more conventional times.

In fact, this rise, albeit small, has much wider knock-on effects than simply “what does this mean for my mortgage repayments”? Similarly, it obviously increases the costs for anyone trading the capital markets in terms of funding. Even with interest rates at historically low levels, some of the biggest players have been losing double digit millions in unrecovered failed funding costs. And with more hikes down the road, there are further implications of the BofE rate increase for the cost of trading.

As of last Thursday, the cost of the fail funding of trades in Sterling shot up 50%. Therefore, any trader looking to borrow, say, one million to finance a trade now faces an extra 0.25% per annum in funding costs. One of the main strategies traders use to minimise funding is buying and selling for the same contractual settlement date. This means paying funds from the proceeds received from a transaction. Take the example of a trader selling Sainsbury’s stock in order to fund a purchase of Tesco shares, both for the same agreed settlement date. The trader expects the cash from the Sainsbury’s trade in order to settle the Tesco transaction. There is just one small issue – he hasn’t received the money for his stake in Sainsbury’s. In this, let’s face it, not untypical scenario, the only way to pay for the Tesco shares is to borrow the money. The trader in question now has to take on an additional funding cost to borrow the funds to settle the Tesco trade. If the reason for the fail in the Sainsbury’s shares was due to the counterparty, it does not seem fair that they are forced to pay this additional cost, does it?

Market sentiment

But hey, perhaps it doesn’t cost much? The cost will obviously vary based on the amount of cash open and the length it is outstanding, but it could run into USD thousands per trade! And the major trading firms can have thousands of securities, FX, equity and commodity derivatives fails every day. This may have been hidden because rates have been and are largely still at record lows. But the trend and market sentiment is now unmistakably upwards. However, this is only part of the problem.

There are costs and capital for market participants in the wide range of receivables on their balance sheet. These balances, at least the ones in Sterling, are now half a percent more expensive to fund. So the cost of failing to settle these transactions is now far more than it would have been before the hike. A bank is now at a distinct disadvantage, particularly if it does not have a way to identify, optimise and recover where it is incurring funding and capital costs through no fault of its own. Essentially, by having receivable items open while waiting for money to come in, it will be borrowing cash to cover itself. If a trade fails to settle for, say, five days, then that is a whole week of extra funding costs that a bank needs to cough up. And not being able to track additional funding costs due to late settlements is not the only issue. Many banks are still not even identifying the direct cost impact of a trade actually failing. If a bank can’t work out the cost implications of not receiving funds when a trade fails, then how on earth can it identify whether or not it can claim money back from its counterparties?

Trying to work out the many effects of the BofE’s latest monetary policy decision is difficult, but like those with a variable mortgage, trading desks are impacted. Late settlement means higher funding and higher rates mean the additional funding costs more. Preparing now to handle the trading cost impact of this small rise and the upwards trend is exactly what’s needed to ensure banks are ahead of the curve whenever the BofE or other countries decide to hike rates again in the future.

By Kerril Burke, CEO of Meritsoft

 
