A week or so ago I got an email from Yahoo! telling me I had best change my password (and, unhelpfully, my email address) as a result of their massive data breach. They wrote to advise me that this was because they take data security very seriously, which seemed a bit trite after the event.
It's fair to say that my confidence in the overall ability of firms to protect personal and sensitive data was a bit dented when, last week, Andrew Tyrie, the chair of the Commons Treasury Select Committee, wrote to the Financial Conduct Authority and the Prudential Regulation Authority to complain about banks' resilience to cyber attacks and the impact of business interruption and the loss of personal financial data. He said:
The proliferation of remote and online banking, including the use of biometric data for customer identification, may also be increasing the risk of unauthorised access to their accounts.
He demanded to know more about what was being done. In a busy period, just a few days earlier Which? made their super-complaint to the Payment Systems Regulator about the lack of protection for unauthorised push payments, and the FCA gave a speech on cybersecurity in which they talked about international cooperation and the new National Cyber Security Centre. The FCA also identified how firms should address risks through:
I act for a number of fintech companies and use and follow some innovative services. Personal finance managers like Bud, MoneyDashboard, MoneyBox and Cleo provide a more engaging service than my bank, which recently touted an upgrade to the secure messaging capabilities of its internet banking as an example of innovation.
For me, Tyrie missed the point because customers will shift towards services that consolidate accounts from multiple institutions and give them more intuitive, context-rich information than just their current balance. Online banking will not be how people interact with their bank.
As other firms become gateways, they will increasingly hold my sensitive personal financial information, process log-in credentials and initiate payments through traditional and novel channels (chat, Siri etc.). Still, a 'trust gap' exists for many potential customers of these new services.
Fintech companies need to reassure the public by reference to 'bank grade security' but, to me, this seems to be a meaningless and increasingly dubious standard.
Without the compliance apparatus of the banks, fintech firms need to be bold about their security and smart about their resources. In this respect, I am encouraged by fragmentation solutions, such as the one developed by Payfont, that disperse tiny packets of encrypted data across the cloud so that no single store holds anything useful. Companies like Zonefox can also police the insider threat. PSD2 and the Open Bank Project will also help because they will allow companies access to an individual's financial data through proper interfaces, without having to store the user's bank credentials and log in as if they were the user.
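To make the fragmentation idea concrete, here is a small illustration I have added to this post. It is not Payfont's scheme or any vendor's code: it is a plain n-of-n XOR secret-sharing example in Python (standard library only) that splits a constructed bank-detail record into fragments, shows that each fragment on its own is just random bytes, and refuses to reassemble if a fragment is missing or corrupted. The record, the fragment count and the SHA-256 checksum are my assumptions for the demo.

```python
"""Added illustration of data fragmentation (not Payfont's method).

A record is split into n fragments using XOR secret sharing: n-1 fragments are
uniformly random and the last is the record XORed with all of them. Any single
fragment, and indeed any n-1 of them, is statistically indistinguishable from
random, so a leak from one cloud bucket reveals nothing. All n are needed to
recover the record (so losing one fragment loses the data; real systems use
threshold schemes for availability). A SHA-256 digest of the original record is
kept so a corrupted or missing fragment is detected on reassembly.
"""
import hashlib
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def disperse(data: bytes, n: int) -> tuple[list[bytes], str]:
    """Split `data` into n fragments plus a hex SHA-256 digest of `data`."""
    if n < 2:
        raise ValueError("need at least two fragments")
    # n-1 fragments of fresh CSPRNG bytes, each the same length as the record
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = _xor(last, s)
    shares.append(last)  # the one fragment that ties the others to the record
    return shares, hashlib.sha256(data).hexdigest()


def reassemble(shares: list[bytes], digest: str) -> bytes:
    """XOR all fragments together and verify the result against `digest`.

    Raises ValueError if a fragment is missing, truncated or tampered with,
    because the reconstructed bytes will not hash to the stored digest.
    """
    if not shares:
        raise ValueError("no fragments supplied")
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("fragment length mismatch")
    out = bytes(length)
    for s in shares:
        out = _xor(out, s)
    if hashlib.sha256(out).hexdigest() != digest:
        raise ValueError("reassembled record failed integrity check")
    return out


def can_reassemble(shares: list[bytes], digest: str) -> bool:
    """True if the fragments recover a record matching the digest."""
    try:
        reassemble(shares, digest)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run the dispersal on a constructed (fake) account record."""
    record = b"sort-code 12-34-56 account 12345678"  # constructed sample, not real
    shares, digest = disperse(record, 3)

    # Simulate one cloud store being breached: the attacker gets one fragment.
    leaked = shares[0]
    # Simulate one fragment being corrupted in storage.
    corrupted = list(shares)
    corrupted[1] = bytes([corrupted[1][0] ^ 0x01]) + corrupted[1][1:]

    return {
        "fragment_count": len(shares),
        "leaked_fragment_equals_record": leaked == record,
        "full_set_recovers": reassemble(shares, digest) == record,
        "missing_one_recovers": can_reassemble(shares[:2], digest),
        "corrupted_one_recovers": can_reassemble(corrupted, digest),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats a practitioner would add: the digest is a checksum against corruption, not a MAC, and a hash of low-entropy data (an account number) lets an attacker who has the digest confirm a guess, so in practice the record is encrypted before it is fragmented, as the post's "encrypted data" wording implies, and a keyed MAC or an AEAD tag is used instead of a bare hash.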
Equally, new firms can make use of technologies that identify users through a myriad of factors, even if Mr Tyrie has doubts about biometrics (his concern is really that biometric data, unlike a password, cannot be changed once it has been stolen or cloned).
I recognise that there is a trade-off between security and convenience, that security costs money and that a totally secure system may be practically unusable. However, I look forward to greater transparency in financial services about the cyber threats, and I think that new companies can develop the services that shape the resilience of the system as a whole. If so, maybe I won't get any more of those dreaded emails...
PS: you can check if your details have been part of a data breach at https://haveibeenpwned.com/