CategoriesIBSi Blogs Uncategorized

Four Reasons to Use Security Ratings Before Your Next Acquisition

Tom Taylor

For years, cybersecurity was considered a “check-the-box” discussion during the merger and acquisition (M&A) process. It was almost always examined to ensure there weren’t any glaring issues or major red flags, but because of limited time and resources, and the difficulty of separating qualitative responses given during M&A from real performance, there wasn’t a great deal of importance placed on it. Very few transactions would be prevented due to cybersecurity practices today; however, each M&A transaction does require a financial business case regardless. This may be as simple as assessing integration costs.

You are probably aware of the security breach at luxury retailers Saks Fifth Avenue and Lord & Taylor that compromised payment card information for over 5 million customers. As a result, Hudson’s Bay Company (HBC), which acquired Saks and brought the retail chain to Canada five years ago, suffered a 6.2% drop in shares the following day. Although HBC was able to quickly recover, history has shown that a lack of due diligence on cybersecurity during or after the acquisition process can be devastating to the acquiring organisation.

The reduction in the price of Yahoo following its acquisition by Verizon is a clear demonstration of the business impact. Following two major Yahoo data breaches, Verizon announced in February 2017 that it had reached new acquisition terms. After the acquisition’s slow progress following the data breaches, Verizon lowered its purchase price for Yahoo by $350 million, down to $4.48 billion.

Up until recently, cybersecurity due diligence consisted of a set of questions that the acquiring firm presented to the target firm, and perhaps an on-site visit or a phone call. Today, security is a boardroom issue, and the implications associated with it can seriously diminish the value of a future organisation, especially with regard to sensitive data and intellectual property. These have a direct impact on your ability to do business and, as a result, on the valuation of the deal (Yahoo lost $350 million in purchase price value after disclosure).

Typically, assessments carried out to measure cyber risk have been point-in-time assessments, such as audits, questionnaires, penetration tests and so on. However, these only provide a snapshot in time of true security posture. Businesses that rely on this type of reporting, especially during the M&A process, should consider moving towards more continuous monitoring of the business they intend to acquire, and also of its third-party ecosystem, in order to mitigate any risk that could flow into their organisation upon acquisition.

Luckily, there are security rating tools available that can help you understand the true cybersecurity posture of your acquisition. Security ratings are much like credit ratings in that they measure an organization’s security posture.  These are objective tools that deliver a standardised method of reporting risk to the board in a meaningful way.

Below is an information security due-diligence checklist, highlighting the four reasons you should consider using security ratings before, during, and after any merger or acquisition.

  1. It saves you money in the immediate future.

You likely remember the newsworthy fiasco between Canadian-based TIO Networks and PayPal: the payment processing company was acquired by PayPal in July 2017 for $238 million. Just a few months following the acquisition, TIO Networks revealed that as many as 1.6 million of its customers may have had personal information stolen in a data breach.

Companies that use security ratings to conduct thorough due diligence of the security posture of acquisition targets review historical security data and can use that information to better structure M&A deals. If their acquisition target has a long or constant history of security issues, they may be able to negotiate a lower sale price to counteract potential cyber risks. More importantly, acquiring companies may also be able to help targets improve their security posture, thereby reducing the level of risk incurred as a result of the transaction.

  2. It saves you money in the long term.

While some companies have been breached during a merger or acquisition transaction, others have been breached well after the deal has gone through. A prime example is TripAdvisor’s 2014 purchase of Viator, a tour-booking company. Just a few weeks after the completed transaction, Viator’s payment card service provider announced that unauthorised charges occurred on many of its customers’ credit cards. The breach affected 1.4 million users and led to a 4% drop in TripAdvisor’s stock price.

Security ratings can help. Security ratings are correlated to the likelihood of a breach, so if the rating of an acquisition target indicates they are at risk for a future cyberattack, that risk is inherited by the acquiring company as part of the deal.

  3. It aids collaboration between the acquiring company and their target.

Since acquiring companies inherit the digital footprint of organisations they buy, security and risk departments at both organisations need to have a simple and effective way to collaborate and plan appropriate integration investment. Here is how BitSight Security Ratings can help with this process:

  • Acquiring organisations can invite any target company to take a look at their own digital infrastructure and security posture free of charge.
  • Target companies can then use the platform to review their own digital infrastructure, including any owned IP addresses and domains. This is a very important step as many companies often own IP space they may not have accounted for. The acquiring organisation needs to know precisely what is being consolidated, because once the deal is finalised, the acquiring company has a much larger attack surface, so they must be aware if there are any infections or issues so they can monitor adequately going forward.

  4. It gives you a competitive business advantage.

Today, cybersecurity is a business differentiator, and organisations who have a good security rating may use it as a selling point. For example, a highly-rated law firm would be considered more trustworthy. The same idea can be applied to acquisitions. Acquiring a company with a good security posture could be a strategic move, as it could either reinforce or enhance your company’s own security posture and strategy.

In a nutshell, using security ratings is a critical step to continuously monitor your acquisition before, during, and after an M&A deal. Without this real-time look at your target’s security posture and performance, you could end up acquiring vulnerabilities that could cause major damage if exploited. Indeed, analyst firm Gartner issued an M&A report earlier this year stating how important cybersecurity is in the due diligence process. Not only will this save your organisation money immediately, it also prevents future risk of financial losses, aids your collaboration with the target company and improves your business prospects. For more information, you can download this data sheet.

By Tom Turner, CEO, BitSight


Why it’s time for mergers and acquisitions to embrace digital transformation

Philip Whitchelo, VP for strategic business development, Intralinks

In the midst of complex mergers and acquisitions negotiations, deals more often than not face unexpected developments that can cause significant delays.

Even the most common hurdles – such as misplaced documentation – can have a significant material impact on a business’ speed-to-market and share valuation. This is a key reason why it is time for those involved in M&A negotiations to embrace virtual deal room technologies.

Whether they are buy-side or sell-side, dealmakers need to take a holistic view of every single step of the process, from networking and idea generation, sourcing and marketing, to due diligence and integration planning.

Speed and efficiency through the deal lifecycle

Each of these processes takes up considerable man hours, pressuring M&A professionals amidst a challenging industry backdrop to adopt better, faster tools to ensure speed, efficiency and continuity throughout a deal’s entire lifecycle.

The financial services industry has been rapidly transformed by digitisation in recent years, with the British fintech boom a clear example of how this has impacted the sector. However, while trading floors are now almost entirely driven by algorithms, investment banking has remained wary of adopting these new streamlined, automated digital processes.

The truth is that many people within the investment banking industry simply feel as though it does not lend itself to automation, viewing success as reliant on the strength of personal relationships. The reality, however, is a fear that new processes could end up reducing the number of jobs available.

New tech means better deals and more jobs

Selecting the right technology has the ability to enhance investment bankers’ knowledge and capabilities, allowing them to become more efficient, competitive and therefore attract greater amounts of business.

Virtual deal room technology, to use one prime example, can change the way in which investment bankers go about the M&A process, through provisioning a safe space for parties to manage and store their critical information during negotiations.

Being able to provide this unique tool allows investment bankers to close deals faster, accelerating speed-to-market and maximising the transaction value for both buyers and sellers, all the while minimising the security risks that can compromise a deal – i.e. information leaks and data hacks.

Easy online networking & speedier information flows

The old world perception of a well-connected investment banker, doing face-to-face deals with his personal network on the golf course or in the private members club is rapidly becoming an outdated myth when it comes to the reality of how the industry works in practice.

Clearly, it is impossible for an M&A professional to know every buyer in the market, which is why fast and efficient online networking is a key way in which they can transform the ways they identify potential buyers out there.

Additionally, there is still far too much of the investment banking workflow that takes place through cumbersome tools like Excel, PowerPoint and email. Such tools slow the deal-making process and, more worryingly, put sensitive data at high risk of unwanted disclosure.

There are a number of ways in which innovative technology can help improve this necessary flow of investment information – I have outlined three of them below:

  1. Buyer Identification – Bankers typically spend years building relationships with potential buyers, both financial and strategic. Barring perhaps a handful of industries, it’s impossible for an M&A banker to really know every buyer in the market – especially when the market is now global. Online networking – the world’s biggest Rolodex – can bring the right people together at the right time to expand everyone’s opportunities.
  2. Information flow – Much of the investment banking workflow still takes place through Excel, PowerPoint and email. Not only do these tools slow the deal-making process, but they can also put sensitive information at risk of unwanted disclosure. Sending, sharing and storing NDA files or the due diligence Q&A process on a secure electronic platform can massively improve efficiency and security.
  3. Artificial Intelligence (AI) – Some banks are beginning to explore whether tasks like modelling can be more effectively handled by AI. Such tools can read, review and analyze vast amounts of information in mere minutes, thereby expediting knowledge-based activities to improve efficiency, accuracy and performance.

The three points above offer a snapshot of the key areas in which the investment banking industry is clearly ripe for technological process improvement.

Adopting these new technologies – particularly for the old-guard who have done the job ‘their own way’ for generations – is certainly going to take the initiative of a few early adopters to show success before the rest of the community crosses the chasm.

The bottom line is this: it’s no longer a matter of if these changes are necessary. It’s merely a matter of how long this digital transformation of the investment banking industry will take, and who will be leading the charge.

By Philip Whitchelo, VP for strategic business development, Intralinks

 


The Need for Effective Third-Party Risk Management in Financial Services

In the last few years, we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. One of the biggest reported attacks against financial organisations occurred in early 2016 when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.

Landscape

The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyber attacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.

With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.

Risk management lifecycle

The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.

In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.

In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.

Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way, you establish your organisation’s risk appetite.

To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance, so that the risk is transferred in the event of a cyber event.

Once the risk has been assessed, an approach for treatment of each risk must be defined. After assessment, some risks may require no action beyond continuous monitoring, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.

To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.

Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.

Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.

Managing with risk transfer

Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cybersecurity standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyber attack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third-party vendor risk.

Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.

The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regard to risk and security, where they may not have been able to previously.

Long-term potential

This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of marketplace, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.

By Tom Turner, CEO, BitSight

 


From bookstore to bank – is it Amazon almighty?

Roger Niederer, Head Merchant Services at SIX Payment Services

For many years Jeff Bezos’ online shop has had almost every conceivable item in its range.  Now apparently, Amazon wants to expand and offer some kind of current account or bank to its customers.

The offering will be aimed at young people and other consumers who do not currently have their own account. However, according to a report in the Wall Street Journal, the project is still at an early stage.

If true, does the move really have the potential to change the payment area in much the same way as Amazon has changed the literary market? What does the project mean for retailers and the payments industry, and where can the growth of Amazon lead?

Will Amazon now become a bank?

Amazon does not want to become a financial institution in its own right; instead, the project is likely to be undertaken in partnership with established financial service providers. It is understood that US financial giant JPMorgan is currently in discussions with Amazon.

The reason for this approach is likely to be that if Amazon built its own banking division and applied for a banking license, the company would face much stricter regulations that could slow its aggressive growth in other markets. In any case, it is clear that retailers understand the benefits of having a strong payment service provider at their side who brings the necessary expertise and can quickly and easily integrate new payment methods into existing processes and systems.

Is this E-commerce expansion without limits?

In the beginning, Amazon mainly sold books; it then offered CDs and DVDs to its customers. Today, through Prime, customers are able to stream music, video and much more across smart devices. Thanks to Alexa, its huge selection of online shops can be accessed by voice command and Amazon even wants to take control of the delivery of its packages. This announcement hit the stock values of UPS and FedEx. With Amazon Pay, the company has had its own payment service for a while but gained only moderate traction with other online stores. Here, it seems, the giant had reached its limits. The company recently opened another lucrative online business with its cloud service, Amazon Web Services. The plan to offer bank accounts is just another link in a long chain of new business ideas. The direction of Amazon’s journey is not yet clear but it is likely that CEO Jeff Bezos is intent on continuing growth. Industry experts assume that in the long term, only one in ten online retailers will remain competitive with this current strategy.

How much influence does Amazon have in daily online commerce?

Like Apple and Google, Amazon has been accused of being a “data octopus”. Since the introduction of voice command assistants, the accusation is more topical than ever. There is growing scepticism surrounding the opaqueness of what exactly Alexa stores and what happens to the recordings. Connected to a fully networked smart home, the digital ‘roommate’ could know a lot more and potentially share it: What time do people get home? When do they turn off the lights? When do they go to bed? Are they looking into the fridge during the night? Worrying about the potential for very personal information being shared is likely to outweigh the positives of Alexa & co for most consumers.

With the new bank account function, Amazon would also have access to the financial data of its customers. Using this new data it would eventually prove very easy to determine a customer’s individual willingness to pay a certain price for a particular product and then offer it at exactly that price. However, we must bear in mind that nobody is forced to shop at Amazon and invite Alexa into their home. In addition, awareness of data protection is increasing amongst both individuals and Governments. In the future, customers will be increasingly concerned about whether they really want to give their personal data in such a concentrated way to a single provider. Payment service providers form an attractive way out, as they, for example, handle the credit card data on behalf of the merchants, sparing them compliance effort.

Final thoughts

In the near future we will still buy our bread from the local bakery and it will not get delivered by an Amazon drone. Nevertheless, one thing is certain: retailers are faced with a harsh reality and online shops may soon cease to exist in their current form. Amazon and a comprehensive portfolio of payment methods will be the challenges for today’s online store owners, but with the right technology and consulting partners on their side, nobody has to worry about the future. SIX has recognized the potential of Amazon and the dangers that can arise for the retail sector, and we are working on a wide range of solutions that should enable the merchant to keep up with Amazon. Omni-channel, Conversational Commerce and Internet of Things are all geared to the new customer journey consisting of numerous touchpoints and the changing needs and expectations of consumers.

By Roger Niederer, Head Merchant Services at SIX Payment Services


BofE rate rise: the unintended trading cost consequences for banks

Kerril Burke, CEO of Meritsoft

Does anyone long for a return to more benign economic times? A time when a rise in the base rate simply led to immediate benefits for savers. Well, get prepared for a continued long wait, as last week’s decision from the Bank of England (BofE) signals anything but a move to more conventional times.

In fact, this rise, albeit small, has much wider knock-on effects than simply “what does this mean for my mortgage repayments”? Similarly, it obviously increases the costs for anyone trading the capital markets in terms of funding. Even with interest rates at historically low levels, some of the biggest players have been losing double digit millions in unrecovered failed funding costs. And with more hikes down the road, there are further implications of the BofE rate increase for the cost of trading.

As of last Thursday, the cost of the fail funding of trades in Sterling shot up 50%. Therefore, any trader looking to borrow, say, one million to finance a trade now faces an extra 0.25% per annum in funding costs. One of the main strategies traders use to minimise funding is buying and selling for the same contractual settlement date. This means paying funds from the proceeds received from a transaction. Take the example of a trader selling Sainsbury’s stock in order to fund a purchase of Tesco shares, both for the same agreed settlement date. The trader expects the cash from the Sainsbury’s trade in order to settle the Tesco transaction. There is just one small issue – he hasn’t received the money for his stake in Sainsbury’s. In this, let’s face it, not untypical scenario, the only way to pay for the Tesco shares is to borrow the money. The trader in question now has to take on an additional funding cost to borrow the funds to settle the Tesco trade. If the reason for the fail in the Sainsbury’s shares was due to the counterparty, it does not seem fair that they are forced to pay this additional cost, does it?

Market sentiment

But hey, perhaps it doesn’t cost much? The cost will obviously vary based on the amount of cash open and the length of time it is outstanding, but it could run into USD thousands per trade! And the major trading firms can have thousands of securities, FX, equity and commodity derivatives fails every day. This may have been hidden because rates have been and are largely still at record lows. But the trend and market sentiment are now unmistakably upwards. However, this is only part of the problem.

There are costs and capital for market participants in the wide range of receivables on their balance sheet. These balances, at least the ones in Sterling, are now half a percent more expensive to fund. So the cost of failing to settle these transactions is now far more than it would have been before the hike. A bank is now at a distinct disadvantage, particularly if it does not have a way to identify, optimise and recover where it is incurring funding and capital costs through no fault of its own. Essentially, by having receivable items open while waiting for money to come in, it will be borrowing cash to cover itself. If a trade fails to settle for, say, five days, then that is a whole week of extra funding costs that a bank needs to cough up. And not being able to track additional funding costs due to late settlements is not the only issue. Many banks are still not even identifying the direct cost impact of a trade actually failing. If a bank can’t work out the cost implications of not receiving funds when a trade fails, then how on earth can it identify whether or not it can claim money back from its counterparties?

Trying to work out the many effects of the BofE’s latest monetary policy decision is difficult, but like those with a variable mortgage, trading desks are impacted. Late settlement means higher funding, and higher rates mean the additional funding costs more. Preparing now to handle the trading cost impact of this small rise and the upwards trend is exactly what’s needed to ensure banks are ahead of the curve whenever the BofE or other countries decide to hike rates again in the future.

By Kerril Burke, CEO of Meritsoft

 


Why cash flow visibility matters to businesses

Having positive cash flow is a must for any business. Get it wrong and you put the existence of the entire organisation in jeopardy. Get it right, however, and you open up a wealth of new opportunities for your company, from unlocking new business deals to driving incremental revenue streams and fuelling investment.

Often, the blame for poor cash flow is laid firmly at the feet of traditional banks for not agreeing to extra lending rapidly enough. That can be a contributory factor, of course, but the real scourge is not keeping a tight rein on spending and not developing, or sticking to, accurate forecasts.

To ensure their cash flow remains healthy, businesses need a single point of visibility over all the money going in and out of their accounts. Without this, it will be difficult for them to make informed financial decisions or to plan ahead efficiently and effectively. However, enhanced cash flow visibility is not always easy to achieve.

Organisations typically make use of multiple different payment types from credit cards to cheques to bank transfers – and often have no clear overall picture, either at a snapshot level or historically, of all the transactions they are making. Often, they are using outdated methods of dealing with payments, expenses, invoicing and reporting, or, worse still, have no planned approach. All this slows down the ability for the business to react, to access revenues and redistribute in the event of unforeseen circumstances. It also offers little in terms of up-to-date analysis.

This is why integrated payment management or consolidation is critical to businesses that want real time visibility of their expenditure and the kind of insight into cash flow that drives long-term business success.

Empowered to Spend

The concept of integration is a familiar one, of course. Enterprise Resource Planning (ERP) systems have been around for decades now. ERP, and variations on the theme, is now a ubiquitous technology across large corporate enterprises and increasingly across SMBs also.

Yet at the same time as this enhanced level of control was being exerted on back-end processes, we also witnessed a counter trend where employees were armed with credit cards and cheque books and empowered to make significant business purchases.

This has clearly helped drive operational flexibility and business agility. But more important still, it has driven cash flow which remains key for any business today. So, more businesses will be looking to leverage lines of credit and tap into free funds for a period to help with cash management. This will make it even more vital that businesses have real time insight into all this activity.

The best way to achieve this is through a digital expenses platform and integrated payments tools, both of which should almost by default improve a business’s approach to how it manages cash flow. By having an immediate oversight through live reporting of all spending from business cards and invoice payments, as well as balances and credit limits across departments and individuals, organisations can foresee potential problems more quickly and react accordingly. At Fraedom, we provide this kind of technology to many of our customers across banking and financial services sectors.

Digital trail for reporting

This kind of approach also allows management to categorise spending and quickly see where costs are getting out of control or where they need to put in place cash flow targets to help ensure solvency. Cards can be cancelled or at least suspended quickly and easily, removing the need to go through the issuing bank, while invoices can also be automated to streamline business payments. This enables businesses to keep hold of money longer and pay creditors faster.

Moreover, digitally transforming business expenses and payments, encompassing everything from receipt capture through to automated payments and invoicing, means there will always be a digital trail that can be collated and reported on quickly and easily. This also means that at any moment in time, management can use fresh data to accurately forecast cash flow, which in turn helps eliminate nasty surprises and should also lead to fewer business failures.

The ongoing digitisation of systems is also likely to result over the long term in greater take-up of emerging trends in artificial intelligence and analytics-driven technologies. In turn, this will help organisations more accurately predict their future spend, thereby giving them early insight into potential upcoming cash flow issues and enabling them to look ahead into what may be happening in the market moving forwards.

It’s another example of how technology can play an important role in helping businesses gain more insight into their cash flow and better manage their cash in general. If they get that right, they are likely to access new investment opportunities, drive competitive edge, and survive and thrive both today and long into the future.

by Russell Bennett, chief technology officer, Fraedom


The Death of the PIN

David Orme, SVP, IDEX

Personal identification numbers (PINs) are everywhere. These numeric versions of the password have been at the heart of data security for decades, but time moves on and it is becoming evident that the PIN is no longer fit for purpose. It is too insecure and is leaving consumers exposed to fraud. 

Why bin the PIN?

In a world that is increasingly reliant on technology to complete even the most security-sensitive tasks, PIN usage is ludicrously insecure. People do silly things with their PINs; they write them down (often on the back of the very card they are supposed to protect), share them and use predictable number combinations (such as birth or wedding dates) that can easily be discovered via social media or other means. And this is entirely understandable: PINs must be both memorable and obscure, unforgettable to the owner but difficult for others to work out. This puts PIN users — all of us, basically — between the proverbial rock and a hard place.

Previous research has shown that when people were asked about their bank card usage, more than half (53%) shared their PIN with another person, 34% of those who used a PIN for more than one application used the same PIN for all of them and more than a third (34%) of respondents used their banking PIN for unrelated purposes, such as voicemail codes and internet passwords, as well. In the same study, not only survey respondents but also leaked and aggregated PIN data from other sources revealed that the use of dates as PINs is astonishingly common [1].

But if the PIN has had its day, what are we going to replace it with?

Biometrics

Biometrics may seem to be the obvious response to this problem: fingerprint sensors, iris recognition and voice recognition have all been rolled out in various contexts, including financial services, over the past decade or so and have worked extremely well. In fact, wherever security is absolutely crucial, you are almost certain to find a biometric sensor — passports, government ID and telephone banking are all applications in which biometric authentication has proven highly successful.

However, PINs are used to authenticate any credit or debit card transaction, and therein lies the problem. For biometric authentication to work, there has to be a correct (reference) version of the voice, iris or fingerprint stored, and this requires a sensor.

It is one thing to build a sensor into a smartphone or door lock, but quite another to attach it to a flexible plastic payment card. Add to that the fact that cards are routinely left in handbags or pockets and used day in and day out, and it becomes clear why the search for a flexible, lightweight, but resilient, fingerprint sensor that is also straightforward enough for the general public to use, has been the holy grail of payment card security for quite some time.

Another key advantage of fingerprint sensors for payment cards is that the security data is much less easy to hack, particularly from remote locations, than is the case with PINs. Not only are fingerprints very difficult to forge, once registered they are only recorded on the card and not kept in a central data repository in the way that PINs often are – making them inaccessible to anyone who is not physically present with the card. In short, they cannot be ‘hacked’.

Your newly flexible friend

Fortunately, the long-held ambition to add biometrics to cashless transactions has now been achieved, with the production and trials of an extremely thin, flexible and durable fingerprint sensor suitable for use with payment cards. The level of technology that has been developed behind the sensor makes it very straightforward for the user to record their fingerprint; the reference fingerprint can easily be uploaded to the card by the user, at home, and once that is done they can use the card over existing secure payment infrastructures — including both chip and ID and contactless card readers — in the usual way.

Once it is registered and in use, the resolution of the sensor and the quality of image handling is so great that it can recognise prints from wet or dry fingers and knows the difference between the fingerprint and image ‘noise’ (smears, smudging etc.) that is often found alongside fingerprints. The result is a very flexible, durable sensor that provides fast and accurate authentication.

The PIN is dead, long live the sensor

Trials of payment cards using fingerprint sensor technology are now complete or underway in multiple markets, including Bulgaria, the US, Mexico, Cyprus, Japan, the Middle East and South Africa. Financial giants including Visa and Mastercard have already expressed their commitment to biometric cards with fingerprint sensors, and some are set to begin roll-out from the latter half of 2018. Mastercard, in particular, has specified remote enrollment as a ‘must have’ on its biometric cards, not only for user convenience but also as a means to ensure that biometrics replace the PIN swiftly, easily and in large volumes [2].

And so, with the biometric card revolution now well underway, it is time to say farewell to the PIN (if customers can still remember it, that is) and look forward to an upsurge in biometric payment card adoption in the very near future. Our financial futures, it seems, are at our fingertips.

 

By Dave Orme, SVP, IDEX Biometrics

 

References

[1] Bonneau J, Preibusch S and Anderson R. A birthday present every eleven wallets? The security of customer-chosen banking PINs: https://www.cl.cam.ac.uk/~rja14/Papers/BPA12-FC-banking_pin_security.pdf

[2] Mastercard announces remote enrolment on biometric credit cards: https://mobileidworld.com/mastercard-remote-enrollment-biometric-credit-cards-905021/

 


871(m) – Transaction Tax processing, building for the future

I began this three-part series on 871(m) by quoting one of America’s most famed political characters and Founding Father, Benjamin Franklin. In order to round this series off in the same fashion, I’ll turn to another American political figure, this time: Abraham Lincoln. He was once quoted as saying “you cannot escape the responsibility of tomorrow by evading it today”, which I think quite accurately summarises the mantra that banks should be taking when it comes to 871(m), Transaction Tax processing and looking to the future.

So where do we stand currently with 871(m)? Banks must comply with the first part in the here and now and although the second part may still be under review, there’s absolutely no indication that the rule will be dropped in totality. I stand by what I said in the first blog – if banks are to wait until the full outcome of the review, they will only open themselves up to a plethora of problems later on. Banks do not want a repeat of five years ago, when they decided to implement tactical solutions for the French and Italian Transaction Taxes.

Of paramount importance for preparing for a post-871(m) world is that banks have software in place that can assist in facilitating a flexible ‘rules-based’ workflow solution which can easily adapt to changing legislation. From our extensive investigation of the intricacies of this, and other regulations which are on the increase, we found that due to the complexities of all, it makes little sense for firms to have multiple interfaces with the same derivatives and trading systems going to siloed tax solutions e.g. an FTT system in one place and an “871m machine” or system in another place.

It, therefore, makes much sense to feed it all into one solution and processing engine, rather than having a whole host of separate systems and trying to interface them all, which leads ultimately to more static, more cost and more fails (i.e. transactions). By taking a centralised or utility approach, banks are also in a good position to deal with even more potential incoming Transaction Taxes which is key in preparing for the future.

A resourcing and knowledge challenge

Alongside the need to assess which systems will be best placed or built to cope with 871(m), there are significant amounts of data that need to be pulled together, including dividends and trades across many different instrument types, potentially creating large integration projects for in-house teams. Place these needs against the backdrop of other current in-house IT initiatives that banks are aiming to achieve regulatory compliance with, and it becomes an even more complex resourcing and knowledge challenge.

Unfortunately, 871(m) is just one of many tax headaches facing banks, and more are certain to crop up further down the track. This is why taking a ‘future-proofing’ mentality is key here. Platforms and technology need to be fit to cope with other incoming regulations, so banks need to look at who can help them overcome these compliance headaches and who can demonstrate that they truly understand the needs and will provide “safety in numbers” when the regulator “comes knocking”.

871(m) won’t simply disappear by not thinking about it now. It’s the banks’ responsibility to prepare for the tax world of tomorrow, today.

By Daniel Carpenter, head of regulation at Meritsoft


E-invoicing: How digital networks are helping to eradicate decade old processes

Chris Rauen, Senior Manager, Solutions Marketing at SAP Ariba

If you have an electronic invoice system that just about meets the needs of the accounts team, but operates in complete isolation from the rest of the company, is that a system that provides much value?

It might do — if you’re doing business in the 1990s. Since then, a plethora of electronic invoicing systems have entered a crowded marketplace, all looking to streamline the complex way of processing invoices globally.

In today’s digital economy, new business value comes from linking invoice data to contracts, purchase orders, service entry sheets, and goods receipt for automated matching. Furthermore, automation of the invoice management process must extend beyond enterprise operations to include suppliers. Yet few platforms enable this. By treating accounts payable as a department, many e-invoice systems fall short of their potential.

So, how can linking electronic invoicing with a company’s other operational systems, and to suppliers, unlock this value? It turns out that an interconnected approach to invoice management in a digital age reduces costly errors, strengthens compliance, and facilitates collaboration both within the organisation and among trading partners.

A cloud-based network can assess trading partners against hundreds of criteria, ranging from whether they can root out forced labour from their supply chain to how well they document the use of natural resources, and even whether they give work to minority suppliers. Of course, while software alone cannot ensure compliance with the ever-changing policies that continue to come into effect, it remains a powerful tool in efforts to achieve it. Compliance, once a tedious task, can now be managed from a dashboard.

To reduce invoice errors effectively, a digital network must rely on intelligence — not just the human kind, but through smart invoicing rules that are essential to a business network. These rules effectively validate invoices before posting for payment to streamline processing, reduce operating costs, lower overpayment and fraud risk, and maximise opportunities for early payment discounts.

By enabling real-time collaboration between buyers and suppliers, digital networks not only bridge the information gap that can delay invoice processing, but they also reduce the complexity often associated with compliance. That includes effectively screening suppliers and monitoring business policies automatically before a transaction takes place.

However, perhaps the greatest advantage of digital networks is collaboration. Issuing an invoice, even when accurate and on-time, can sometimes be a one-way, asynchronous conversation. A buyer receives an agreed-upon product or service from a supplier, who at a later date sends out an invoice and, at an even later date, receives payment. This scenario has been the same for decades. But digital networks challenge that. The immediacy of network communications begs the question: Should electronic invoicing merely replicate the age-old process that postal mail once facilitated? Or shall it improve upon it?

We continue to see chief procurement officers choosing the latter. Through their day-to-day experience with digital networks, they have come to view invoice processing as just one part of the wider exchange of information among trading partners. An electronic invoice reflects a snapshot of the multi-party collaboration that networks enable, and — through intelligent business rules — alerts of potential errors or exceptions relating to the transaction. As we move forward in the digital age, and buyers and suppliers extend their relationship to include product design, innovation and product delivery, they are able to expand the scope of electronic invoicing to capture up-to-the-minute progress reports on the teamwork within and across organisations.

Ultimately, your electronic invoicing system shouldn’t focus only on accounts payable, it should give open visibility onto the rest of your operations and even who you do business with – so that mutual growth can be achieved and positive collaboration can flourish.

The author is Chris Rauen, Senior Manager, Solutions Marketing at SAP Ariba, the company behind the world’s largest business network, linking together buyers and suppliers from more than 3.4 million companies in 190 countries


Decoding financial parlance using Chatbots

Buzzwords such as ‘Artificial Intelligence’, ‘Machine Learning’, ‘Chatbots’ and ‘Robo-Advisors’ are rather ubiquitous among bankers and non-bankers alike. They are prominently echoed in boardrooms and earnings calls of large corporations, and increasingly feature in their quarterly reports. A few years ago, these ideas were merely discussed and not much was done to act on any of them. This could either be because of the lack of knowledge regarding the potential benefits these new technologies brought in, or because of the supposedly more important ‘strategic’ initiatives piled up on the desks of top management. This attitude has significantly changed over the past few years – one can notice a tectonic shift in the adoption of disruptive technologies for streamlining business processes, and in turn reducing costs and increasing efficiency. Large enterprises are implementing sophisticated solutions to internal processes, as well as to customer facing services, by using automation to replace repetitive, human tasks.

One such improvement in recent years has come in the form of Chatbots. The word ‘chatbot’ is a beautiful amalgamation of two of mankind’s most recent obsessions: messaging (chat) and robots (bots). Until recently, chatbots featured more in science fiction than in the real world. Few were able to fathom the explosive growth that was to occur. With the introduction of Siri, Alexa, and Google Assistant a few years ago, this bit of science fiction became a reality.

Chatbots are software programs that use real-time messaging as an interface. With extensive, and precise mapping of (potential) conversations, chatbots pose a serious threat to the age-old concept of a contact center. We now live in an instant gratification society, where waiting for an attendant at the opposite end has become a hindrance. In a world inhabited by digital natives, EVERYTHING IS INSTANT; from Instant Coffee & Noodles, to the more recent, Instant Customer Service. Chatbots are trying to address the latter, by providing real-time responses to customer queries. Be it rule-based or AI-driven, chatbots are slowly becoming the preferred form of communication for customers of all ages.

Source: IBS Intelligence

As a market valued at a little over $1 Bn in 2017 and predicted to reach $4 Bn by 2021, chatbots are set to grow at a CAGR of 37% over the coming 4-5 years. Looking at India for instance, in 2017, there were over 150 million users of messaging apps. This number is expected to grow at a CAGR of 17% over the next 3-4 years to 231 million users. With such rapid growth expected, companies are poised to ride the ‘chatbot’ bandwagon. This growth is driven by an increasing number of users relying on messaging apps, such as Facebook Messenger, Slack, and Telegram. In terms of cost reduction, chatbots will be responsible for annual savings of ~$8 Bn by 2022. And in terms of increased efficiency, a chatbot inquiry will save more than 4 minutes per call in comparison to traditional call centers. Is it surprising then, that enterprises are increasingly moving towards chatbots to reduce costs?

For any company, cost reduction and increased efficiency are in fact, imperative to its bottom line. What a chatbot, an automated chat interface, brings to the table is the ability to replace archaic contact centers, with a modern, instant service platform, at a fraction of the cost. A testament to the growth of messaging apps, and in turn to the rise of chatbots, is in its popularity; the top messaging apps garner a larger daily/monthly audience than the top social networks.

Source: Business Insider, IBS Intelligence

Translating this growth into tangible results for the financial services industry is what many institutions are trying to unravel. Selling financial concepts is difficult, not because of the competition, but because of the prevalent status quo of doing nothing. There is a ton of information available, but this information is not designed to be digested by millennials, as well as by senior citizens. This is where Chatbots jump in! They can be positioned as utility tools to promote ‘Financial Literacy’, and disseminate information based on customers’ needs. For example, a brokerage house can use chatbots to ‘educate’ new/existing users about the convoluted world of equity markets. Using an automated chat interface, complex financial terms and concepts can be simply explained, even to a novice. Typically, a chatbot determines the suitability of a product for a customer by assessing the financial health of his/her portfolio, along with the respective goals. The chatbot then recommends what products the customer should invest in, and what proportion of his/her wealth should be invested in different product types. The core objective is to empower the end user, who can then make informed monetary decisions after thorough assessment of the relevant products. The idea is to systematically break down complex financial content into conversational snippets within a chat interface. The content should be designed to enable the user to understand concepts and financial processes with ease, so as to bridge the gap in his/her understanding.

Source: Mpower.chat

Let’s take Mutual Funds as an example. In India, Mutual Funds are becoming commonplace, given that they strike the right balance of being highly profitable, yet relatively safe. The share of MFs in the overall asset pie is increasing. There are numerous first-time investors looking to channel their moderate savings into high yield investments.

Although the process of investing in Mutual Funds may seem straightforward, it is riddled with roadblocks (e.g., lack of financial know-how), some of which can easily (and rapidly) be countered with the help of chatbots. An effective chatbot can resolve certain customer queries within seconds, and if executed accurately, can put the customer at ease, thereby increasing his/her propensity to move ahead with that particular product or service.

On the banking side of things, large financial institutions such as Citi, Bank of America and Capital One have implemented their versions of chatbots, which customers can access through the respective mobile apps, Facebook Messenger, Twitter or regular text messages (SMS). At Citi and Capital One for example, customers can check their account balances, recent transactions, payment history, credit card bill summary, and avail many other non-financial services. Answering FAQs is one of the other key service areas where banks have excelled. All of these services collectively provide the user with real-time, easily accessible customer information. As a natural move forward, albeit on the slower side, banks are now implementing chatbots that allow customers to carry out financial transactions on their platforms; something that seemed generations away, doesn’t seem that far-fetched after all.

The need of the hour is communication, with its delivery through messaging applications dominating the social media & messaging landscape. These applications have far surpassed social media in terms of total users as well as total time spent. There are over 300 million people across India alone that have access to the Internet on their smartphones today, and India is embracing the Internet in a way we could not have imagined before. Keeping this development in mind, imagine a world where we use automated chatbots to not only break down financial concepts for seasoned smartphone users, but also help new internet users navigate through a plethora of financial information. The idea is to spread financial literacy, and create a more meaningful customer journey, from curiosity to execution. And chatbots make this accessible, by reaching customers via apps they already use – WhatsApp, Facebook Messenger, and Twitter – rather than making clients download additional apps.

The advent of chatbots (messengers, as well as voice recognition applications) has allowed companies to penetrate, through smartphones, the potential user base like never before. The primary use case for chatbots, in this day and age, is non-financial in nature. Most financial institutions allow customers to access only basic product information, and information regarding certain processes on their chatbots. However, with regulatory authorities taking a closer look at integrating such technologies into financial transactions, it won’t be too long until we can safely say “Alexa, please transfer $500 to Patrick this Thursday”, and rest easy.

By Abhijit Aroskar,
Consultant,
Cedar Management Consulting.
