Preparing for DORA compliance

Source: Finance Derivative

Fredrik Forslund, Vice President and General Manager International, Blancco

In January 2025, the Digital Operational Resilience Act (DORA) will come into force. This new European Union (EU) law is aimed at strengthening the cyber resilience of financial services organizations to help prevent major IT disruptions in the future. Unlike the EU’s GDPR, which added new requirements for businesses to ensure sufficient protection of personally identifiable information (PII), DORA focuses specifically on the operational resilience of financial firms and their ability to withstand, respond to, and recover from cyber-attacks. Additionally, DORA regulates the third-party ICT service providers that financial entities use.

The entire financial services ecosystem will be impacted by DORA. Those that have not implemented the necessary changes to comply with it yet have very little time left to do so and run the risk of being fined up to 2% of their annual revenue. Every new regulation also brings its challenges and considerations for how to manage data and sensitive information. So, what should financial services organizations be paying close attention to both now and in the DORA era?

Straightening up posture

There’s no doubt that the financial services industry processes and stores some of the most sensitive information there is. As a result, cybersecurity is a huge priority for many in this space. We’ve seen evidence of this in Mastercard’s acquisition of threat intelligence giant Recorded Future earlier this year, along with the increasingly complex regulatory environment defining data privacy and security.

Yet one issue that still affects many financial services firms is the amount of data they store. While data is arguably the “lifeblood” of today’s businesses, storing too much of it creates more problems than it solves: it widens the attack surface and increases liability if there is a breach. When we spoke to banking and financial sector organizations around the world, we found that ‘data bloat’ remains a significant problem for the industry, and one that is only being exacerbated by the growth of the cloud. While starting digital transformation journeys is vital for maintaining a competitive edge, a worrying 67% of financial services professionals see the switch from analog to digital as increasing the amount of redundant, obsolete, or trivial (ROT) data collected.

To address this problem, organizations need to understand and comply with best practices for end-of-life (EOL) data disposal and recognize how this acts as a foundational pillar of basic cyber hygiene. For example, it’s crucial that organizations classify all data, so they know what data they hold and can determine when it reaches EOL. They also need to ensure this EOL data is properly sanitized and permanently erased – a process that will need to be approached differently in the cloud compared to on-premises. Not following data management best practices will not only increase cybersecurity risk, but could also jeopardize compliance with GDPR and, in the not-too-distant future, DORA too.

Underlining third-party risk

What does this new regulation really mean for organizations struggling with data management? One big focus of DORA is third-party risk and how businesses can control the chain of custody – not simply improving their own resilience but ensuring their supply chain remains secure at all times too.

Whenever a computer, hard drive, server, or smartphone changes hands (for example, when a company resells, donates, or relocates equipment between different people), the chain of custody is not about the value of the asset but the sensitivity of the data that sits on it. In short, DORA will underscore third-party risk analysis and interrogate whether financial services organizations are on top of how their IT assets are processed, how this processing is then audited, and who controls it, so as to avoid human error and data loss.

DORA requirements include not just the identification and assessment of critical third-party service providers (assessing their criticality based on their impact on operations and the level of risk they may pose), but also the ongoing monitoring and oversight of these third parties (to ensure they comply with contractual requirements, manage risk, and maintain resilience). Part of this will need to involve assessing their data security practices, and should also include how they handle EOL data. This means both erasing data when it reaches EOL and securely decommissioning the old assets that store this data. As part of a “vetting” process, organizations should be checking that vendors can:

  • Comply with various sanitization standards for EOL processes, including newer standards such as IEEE 2883 and ISO 27040.
  • Provide EOL reporting to allow you to understand when and where data is erased.
  • Show what their practices are for sending assets outside of the organization for repair, maintenance, and disposition – along with their process for how backups are maintained and erased.

Auditable and automated

Third-party asset and data management is only one part of the puzzle. DORA also puts extra pressure on financial organizations to audit and automate their own asset management processes as part of the ‘Risk Management’ and ‘Resilience Testing’ regulatory pillars. How they manage assets at EOL needs to be extremely well documented. For example, if an organization has 1,000 laptops that it’s planning to replace, it’s vital to create a detailed report about how and when those devices were properly sanitized. This means there’s no uncertainty about whether there could be a data leak in case one of those laptops is lost or stolen.

Importantly, this isn’t just a matter for the IT team. Data sanitization is a C-level requirement. While organizations will be utilizing any number of solutions to protect their data, they will need to conclude at some point that this data is beyond retention. There needs to be an understanding of when data reaches end of life, and an automated replacement of assets when this occurs. Technology today allows financial services firms in London to automate remote sanitization in Singapore, for example. The documents and certificates that make up the supporting audit trail in these situations mean the steps taken as part of a firm’s overall cybersecurity policy can never be questioned.

Finally, in the case of resilience testing – a key part of DORA compliance – data sanitization again needs to be considered. Take a test of data-backups as an example. After the exercise, in which data will have travelled from A to B, organizations need to consider their processes for then removing this data. Once again, erasure is vital alongside a verifiable audit trail to prove data management best practice is front of mind.

A lot of companies preparing for DORA haven’t always thought about their data lifecycle. But the reality is that in less than six months, financial services organizations need to be compliant with all five critical pillars of this regulation. Minimizing data bloat internally, along with assessing and interrogating third parties, and relying on automation and auditing will be vital not only for DORA compliance, but also for improving overall security posture in a world defined by data.

How the BPO sector is tackling the surge in fraud across US banking

Source: Finance Derivative

Hans Zachar, Group Chief Information Officer at Nutun

Fraud in the U.S. banking industry is on the rise, driven by the rapid shift towards digital banking by traditional banks coupled with the emergence of neobanks. This trend is not only increasing costs, but also eroding consumer trust and negatively impacting customer experience (CX). According to the latest annual LexisNexis® True Cost of Fraud™ Study: Financial Services and Lending Report — U.S. and Canada Edition, 63% of financial firms reported a fraud increase of at least 6% over the past year, with digital channels contributing to half of all fraud losses.

The study also highlighted the steep financial toll, revealing that for every dollar lost to fraud, North American financial institutions incur $4.41 in total costs. U.S. investment firms and credit lenders have seen the financial impact of fraud rise by 9% year-over-year. Alarmingly, 79% of respondents noted that fraud has also made it harder to earn consumer trust.

The fraudster’s playbook

With the wealth of personal customer data out there, fraudsters are becoming more adept at breaching security verification checks. For example, with customer data showing up in multiple breaches, fraudsters can collate data across sources to build a more complete picture of a person, placing them in a better position to answer knowledge-based authentication questions, often better than the individual.

Despite the increased awareness, there has been a recent shift in modus operandi where criminals impersonate the fraud department of a customer’s bank, asking them to share their one-time PIN (OTP). They know the customer’s name, address, and credit card digits, and generate an SMS from the bank to get the OTP. With this information, they can access a customer’s account and engage in account origination and transactional fraud.

The situation is worse than ever, with the TransUnion State of Omnichannel Fraud Report for H2 2024 indicating that the sector experienced $3.2 billion in lender exposure to suspected synthetic identities for U.S. auto loans, credit cards, retail credit cards and personal loans at the end of June 2024, which was the highest level ever recorded.

How technology is reshaping fraud landscapes

Technology is aiding and abetting criminals, with artificial intelligence (AI) increasingly used to circumvent multi-factor authentication (MFA). For instance, fraudsters now create deepfakes across voice and video channels to pass biometric authentication. The 2023 Sumsub Identity Fraud Report revealed a 10-fold increase in the number of deepfakes detected globally across all industries from 2022 to 2023, with a staggering 1740% deepfake surge in North America. The report identified AI-powered fraud, money-muling networks, fake IDs, account takeovers, and forced verification as the top risks.

In this regard, Deloitte’s Center for Financial Services predicts that GenAI could enable fraud losses to reach $40 billion in the United States by 2027, up from $12.3 billion in 2023, representing a compound annual growth rate of 32%.

In response, banking institutions are combining a risk-based and data-driven approach to fraud management, leveraging the capabilities of cutting-edge technologies like AI, machine learning (ML), and biometric and behavior-based authentication methods. However, banks need to balance the cost of implementing more effective and stringent fraud risk mitigation and management without compromising customer service and CX. In this regard, many banks are investing in advanced technologies to monitor transactions in real time and in more sophisticated processes to understand risk at the level of an individual transaction on an account, by better understanding transaction flow and originating IP addresses.

With these insights, the bank can decide what to do with a transaction, either validating it, sending an automated SMS to confirm the action, or diverting the transaction to a customer call or contact center for authentication.

However, despite the technology that banks have in place, the volumes are causing backlogs in the contact centers, which is affecting CX and creating friction in the customer journey. Banks need the capabilities to interact with customers in more efficient and cost-effective ways to tackle the full volume of potentially fraudulent transactions. For these reasons, many banks and lenders are turning to the global Business Process Outsourcing (BPO) sector to tap into readily available CX and security skills, expertise, and technological capabilities.

The importance of BPO banking for financial institutions in the digital era

Banks need a BPO provider that not only has a comprehensive understanding of the financial sector, but also effectively manages costs by utilising the most efficient and budget-friendly methods to engage with customers, focusing on text and voice interactions. After a fraudulent transaction has occurred, banks require a robust system for managing disputes and supporting backend investigations. Banks must track transactions across different regions and time zones since there is no interbank switch available for fraud detection, often relying on human resources to compile transaction details and provide feedback to distressed customers.

To provide compassionate and empathetic support after a fraud case, it is essential to have well-trained agents equipped with real-time information who can guide affected customers through the entire process. A poor experience or a lack of care can significantly impact customer retention rates. However, establishing these capabilities and developing agent expertise within in-house contact centers can be expensive, especially as fraud incidents continue to rise.

Banks that find a global BPO provider possessing a powerful combination of fraud detection technology, omnichannel engagement features, trained and experienced agents, and fraud investigators will gain significant advantages such as continuous monitoring and industry-leading issue resolution. This approach strikes a balance between cost-effective, efficient fraud mitigation and high-quality customer service, while adhering to stringent data privacy and regulatory standards.

Using technology to safeguard against fraud this holiday season

Source: Finance Derivative

Tristan Prince, Product Director, Fraud & Financial Crime, Experian

The holiday season brings with it a surge in consumer spending, with UK shoppers expected to part with an impressive £28 billion this year. Unfortunately, this increased activity also draws the attention of cybercriminals looking to exploit vulnerabilities in security systems and personal data.

For financial institutions, the stakes have never been higher. With identity fraud on the rise and new regulations from the Payment Systems Regulator, there is a pressing need to ramp up fraud prevention measures. This season, businesses must leverage innovative technologies to protect their customers and ensure a safe shopping experience.

Fraud is on the rise

In recent years, the prevalence of fraud has reached new levels. Identity fraud alone has seen a 21% increase during the holiday season since 2021, with last year’s figures showing that 83% of all fraud cases were identity-related.

This alarming trend continues in 2024, with a 12.5% increase in identity fraud cases recorded in just the first half of the year. These statistics highlight a troubling reality: fraud is evolving, becoming more sophisticated and harder to detect.

Technology: the key to fighting fraud

Despite these challenges, financial institutions are not powerless. Advanced technology is playing a pivotal role in strengthening defences against fraud. From artificial intelligence (AI) to collaborative data networks, companies now have powerful tools at their disposal to outwit even the most determined criminals.

Artificial intelligence: a game-changer

AI has emerged as a cornerstone in modern fraud prevention strategies. By analyzing massive datasets in real time, AI can quickly identify unusual activity and potential fraud.

Here’s how AI is reshaping fraud detection:

  • Real-time monitoring
    AI systems continuously monitor transactions, instantly identifying irregular patterns that could indicate fraud. This allows institutions to intervene before any damage is done.
  • Behavioral insights
    By examining customer behaviour, AI can detect deviations from typical spending habits, such as unexpected purchases or login attempts from unusual locations. These insights not only help prevent fraud but also improve the experience for legitimate customers by reducing unnecessary disruptions.
  • Strengthened identity checks
    AI-powered tools verify customer identities by cross-referencing data from various sources, ensuring transactions are carried out by the right individuals while minimizing delays.

Data sharing: strength in unity

In addition to AI, collaborative data sharing between financial institutions is proving to be a powerful weapon against fraud. By pooling insights on fraudulent activities and suspicious trends, companies can create a unified front to tackle threats more effectively.

The benefits of data collaboration:

  • Broader visibility: Sharing information helps institutions detect fraud patterns that might otherwise go unnoticed within their own systems.
  • Faster action: Real-time data exchange ensures that when one company flags a suspicious transaction, others can respond immediately, preventing further attacks.

Holiday security: a shared responsibility

The fight against fraud is a continuous battle. Although technology has made significant inroads in preventing financial crime, fraudsters are constantly refining their methods. This requires financial institutions to remain agile and invest in the latest innovations.

Encouragingly, advancements in fraud prevention are already yielding results. For example, the financial services sector successfully blocked £710 million worth of unauthorized fraud in the first half of 2024, thanks to cutting-edge solutions like AI and data-sharing networks.

Making the holidays safe for everyone

As the festive season gets underway, businesses must prioritize the safety of their customers. Through strategic use of technology, financial institutions can outpace fraudsters and protect consumers during one of the busiest shopping periods of the year.

By embracing innovation, fostering collaboration, and maintaining vigilance, companies can ensure that shoppers feel secure, and the spirit of the season remains intact. Together, we can make this festive season safer for everyone.

The Evolution of AI in Trading: Building Smarter Partnerships Between Humans and Machines

In these uncertain times, where what we are seeing is increasing and, perhaps most importantly, unprecedented volatility in the financial markets, it is no surprise that the integration of AI in trading has become a focal point of industry discussion. Today, we’re witnessing a fundamental shift in how traders approach markets against the backdrop of an exponential growth in data complexity.

You get a sense that it’s the same story on trading desks worldwide. One cannot deny that the sheer volume and velocity of market-moving information has now surpassed human cognitive capacity. What all this means is that we’re at a critical inflection point.

If you look back, it’s clear that ever since the first algorithmic trading systems took seed, we’ve been moving toward this moment. But as with most things in financial technology, the reality is somewhat more nuanced.

The Reality of Real-Time Analysis

Initially, many believed AI would simply replace human traders. Yet perhaps what we need here is some perspective. It is my view that we can expect AI to augment rather than replace human decision-making in trading. Think of it like this – in this scenario, machines will handle the heavy lifting of data processing and analysis while traders focus on final strategy.

Now, there’s a reason why leading trading houses are investing heavily in AI capabilities and it is simply because successful trading will increasingly rely on human-AI partnerships. At least that’s what our experience with the major trading institutions we work with indicates.

Risk Management in the AI Era

Let’s briefly look at risk management. AI’s capacity for processing vast amounts of market data is nothing short of remarkable. What we’ve found using our own systems in-house is that risk management becomes more proactive when powered by AI. Again and again, we have seen how machine learning models can identify potential risks before they materialise, helping a trader to make better trading decisions and spot new opportunities which may otherwise not have surfaced.

So there it is. The key to effective risk management lies in combining AI’s processing power with human judgment. And the good news is that, despite these technological advancements, it cannot be overstated just how important human experience remains.

The Evolution of The Human-AI Partnership

In this light, as long as we rely on markets driven by human behaviour, we’ll need human insight. And so, defining what is classed as effective AI integration is becoming vital, as is helping traders to understand both AI’s capabilities and limitations.

From our point of view it has been fascinating to witness the different reactions to embedding AI capabilities in trading – from keen early adopters willing to take a chance on something new, all the way down to dinosaurs who prefer to rely on traditional methods and who will inevitably be left behind as the race for AI supremacy intensifies.

Increasingly, we’re seeing successful traders embrace AI as a partner rather than a replacement. At the end of the day, markets are complex adaptive systems and those who will win will be those who use AI to enhance human decision-making.

As for the future, one cannot argue against the fact that AI will play an increasingly important role in trading. Even that feels like an understatement. Everywhere you look, trading firms are investing in AI capabilities – some far more quickly and deeply than others – and it’s without a doubt that this trend will continue exponentially.

Author Bio

Wilson Chan is the Founder of Permutable AI, a London-based fintech pioneering AI solutions for financial markets. With roots at Merrill Lynch and Bank of America, he bridges institutional trading expertise with cutting-edge technology. Their latest innovation, the Trading Co-Pilot, delivers real-time event-driven insights for traders, combining geopolitical, macroeconomic, and supply-side data.

Copyright © 2021 Futures Parity.