Business
WHAT SECURITY LESSONS CAN THE WORLD OF TRADITIONAL FINANCE TEACH CRYPTOCURRENCY FIRMS?

Source: Finance Derivative
By Michael Magrath, VP Global Regulations and Standards
Cryptocurrency has had a whirlwind of a year. The growth in popularity of currencies like Bitcoin and Ethereum saw valuations skyrocket, whilst government crackdowns in countries including China and Turkey – and even Tweets by Elon Musk – caused them to fall just as dramatically.
Meanwhile, financial institutions have bought and sold cryptoassets in vast quantities, mainstream consumer payment providers have started offering digital assets to their customers, and Bitcoin has even become legal tender in El Salvador.
However, these exciting developments have been punctuated by regular reports of significant cyberattacks on crypto exchanges and custodians. Research shows that $1.9 billion worth of cryptocurrency was stolen by hackers in 2020. And just last month, hackers successfully targeted Japanese blockchain-based platform Poly Network and extracted more than $600 million in Ethereum and Binance coins, as well as the stablecoin, USD Coin (USDC) tokens.
The crypto regulation challenge
Since the invention of crypto, regulation has lagged behind technological advancements in the space. Nonetheless, crypto continues to edge its way into the financial mainstream. Unlike cryptocurrency firms, banks and other traditional financial institutions are required to comply with complex and demanding security standards. These ensure that they’re equipped with the necessary resources and skills to continually adapt to the rapidly shifting cyber threat landscape.
Despite huge efforts from global regulators and international monetary organisations to effectively build frameworks for the secure, safe exchange and storage of crypto assets, the crypto space remains very underregulated. This can be attributed in part to the breakneck pace of innovation in the industry, which makes it nearly impossible for policymakers to ensure that consumers are protected.
Recently, Gary Gensler, US Securities and Exchange Commission chief, urged crypto trading platforms to register with his organisation on the grounds that many cryptocurrencies qualify as securities. He warned that, for the crypto market to still be relevant in ten years, firms would have to start operating within a public policy framework.
Today, many central banks are now working on releasing their own digital currency. These public currencies referred as Central Bank Digital Currencies (CBDC) will compete with private currencies like bitcoin and others. While this is an ongoing process, industry bodies and governments alike are seeking to establish regulations and guidance to ensure fair competition.
Lessons must be learned
Any technological innovation inevitably carries with it a degree of cyber security risk. Cryptocurrency is no different in this regard. Every new way to trade, store or monetise digital assets opens a new channel for hackers to exploit. It’s like when Apple releases an updated version of its operating system – a stream of security updates inevitably follows, as developers plug potential exploits and vulnerabilities. The difference is that most crypto firms have nowhere near the research and development resources of a major financial institution or tech giant.
All this doesn’t mean that the battle is lost, and crypto firms are condemned to a future of frequent cyberattacks. Instead, there are a series of practical, achievable steps that firms can take to protect themselves. Let’s examine the recent Coinbase hack. Though a disaster for the 68 million users at risk of losing their assets, by traditional finance standards, the cause of the breach was extremely simple – and therefore relatively easy to guard against in future. According to experts, the attack was a “SIM swap”, where hackers compromise victims’ mobile phone numbers and use these to authenticate themselves as a valid account holder.
For many years, SIM swap fraud was a method commonly used by malicious actors to gain access to the bank accounts of unsuspecting consumers. As a result, financial institutions moved away from using text messages as a form of authentication. Utilising text messages for multi-factor authentication (MFA) often puts the onus of protecting customer data on mobile network operators, whose systems are not designed to withstand such attacks. This is the security equivalent of locking the Mona Lisa away in a self-storage unit, rather than the Louvre.
The U.S. Federal Financial Institutions Examination Council (FFIEC) appropriately notes in its updated Guidance Authentication and Access to Financial Institution Services and Systems that not all MFA solutions offer equal usability and security pointing out that “certain MFA factors may be susceptible to ‘Man in the Middle’ (MIM) attacks, such as when a hacker intercepts a one-time security code sent to a customer.” This is true as NIST uses this example in its Digital Identity Guidelines: Authentication and Lifecycle Management (Special Publication 800-63B). In July 2020, NIST published Special Publication 800-63: Digital Identity Guidelines FAQs reminding readers that SMS-OTP is a “restricted” authenticator.
Instead, most major banks now use Mobile PUSH notifications for MFA, verifying customer identities using a secure mobile app. These apps often employ the latest ID verification technologies – such as AI, biometrics and liveness detection – to ensure that access can only be gained by a genuine account holder. Looking forward, crypto firms urgently need to re-examine their user authentication practices, using these technologies to stem the flow of authentication-based hacks.
Implementing user verification policies
Unlike online banking fraud or card identity theft, it’s extremely difficult for crypto firms to mitigate the effects of a hack. This is because cryptocurrency transactions are irreversible and can only be refunded by the recipient. So, once a hack happens, funds are usually lost forever. This makes preventing hacks from occurring in the first place even more important.
What’s more, crypto networks typically rely on pseudo anonymity, where users are identified only by a string of random letters and numbers known as an address. This makes it very difficult to identify the perpetrators behind a hack and bring them to justice. Plus, since networks are decentralised and trustless, there is no way to identify transactions subsequently made with stolen cryptocurrency.
By contrast, traditional banks have for many years been subjected to stringent Know Your Customer regulations, designed to prevent money laundering. In 2019, the Financial Action Task Force (FATF) adopted strict AML/CTF requirements on Virtual Asset Service Providers (VASPs), which include crypto exchanges. In its latest draft to revise its 2019 requirements, it states, “regardless of the nature of the relationship or transaction, countries should ensure that VASPs have in place effective procedures to identify and verify, on a risk basis, the identity of a customer, including when establishing business relations with that customer; where VASPs may have suspicions of ML/TF (money laundering/terrorist financing), regardless of any exemption of thresholds; and where they have doubts about the veracity or adequacy of previously obtained identification data.”
There’s no doubt that crypto firms need to take security more seriously. The risks of not doing so are enormous. On the one hand, every successful hack chips away at already shaky consumer trust. On the other, there’s the very real possibility of inspiring the ire of regulators, who have the power to impose draconian regulation that would stifle the growth of this nascent industry.
When it comes to security, crypto firms can learn a lot from their older, more established peers in the world of traditional finance. If they are to build and maintain the credibility needed to become trusted, mainstream providers of financial services, they need to avoid repeating past mistakes made by banks and financial institutions. It’s now up to crypto firms to take advantage of the wealth of security resources available to them.
You may like
Business
Empowering banks to protect consumers: The impact of the APP Fraud mandate

Source: Finance Derivative
Thara Brooks, Market Specialist, Fraud, Financial Crime & Compliance at FIS
On the 7th October last year, the APP (Authorised Push Payment) fraud reimbursement mandate came into effect in the UK. The mandate aims to protect consumers, but it has already come under immense scrutiny, receiving both support and criticism from all market sectors. But what does it mean for banks and their customers?
Fraud has become a growing concern for the UK banking system and its consumers. According to the ICAEW, the total value of UK fraud stood at £2.3bn in 2023, a 104% increase since 2022, with estimates that the evolution of AI will lead to even bigger challenges. As the IMF points out, greater digitalisation brings greater vulnerabilities, at a time when half of UK consumers are already “obsessed” with checking their banking apps and balances.
These concerns have contributed to the implementation of the PSR’s (Payment Systems Regulator) APP fraud mandate, which was implemented to reimburse the victims of APP fraud. APP fraud occurs when somebody is tricked into authorising a payment from their own bank account. Unlike more traditional fraud, such as payments made from a stolen bank card, APP fraud previously fell outside the scope of conventional fraud protection, as the transaction is technically “authorised” by the victim.
The £85,000 Debate: A controversial adjustment
The regulatory framework for the APP fraud mandate was initially introduced in May 2022. The maximum level of mandatory reimbursement was originally set at £415,000 per claim. The PSR significantly reduced the maximum reimbursement value to £85,000 when the mandate came into effect, however, causing widespread controversy.
According to the PSR, the updated cap will see over 99% of claims (by volume) being covered, with an October review highlighting just 18 instances of people being scammed for more than £415,000, and 411 instances of more than £85,000, from a total of over 250,000 cases throughout 2023. “Almost all high value scams are made up of multiple smaller transactions,” the PSR explains, “reducing the effectiveness of transaction limits as a tool to manage exposure.”
The reduced cap makes a big difference on multiple levels. For financial institutions and payment service providers (PSPs), the lower limit means they’re less exposed to high-value claims. The reduced exposure to unlimited high-value claims has the potential to lower compliance and operational costs, while the £85,000 cap aligns with the Financial Services Compensation Scheme (FSCS) threshold, creating broader consistency across financial redress schemes.
There are naturally downsides to the lower limit, with critics highlighting significant financial shortfalls for victims of high-value fraud. The lower cap may reduce public confidence in the financial system’s ability to protect against fraud, particularly for those handling large sums of money, while small businesses, many of which often deal with large transaction amounts, may find the cap insufficient to cover losses.
The impact on PSPs and their customers
With PSPs responsible for APP fraud reimbursement, institutions need to take the next step when it comes to fraud detection and prevention to minimise exposure to claims within the £85,000 cap. Customers of all types are likely to benefit from more robust security as a result.
The Financial Conduct Authority’s (FCA’s) recommendations include strengthening controls during onboarding, improving transaction monitoring to detect suspicious activity, and optimising reporting mechanisms to enable swift action. Such controls are largely in line with the PSR’s own recommendations, with the institution setting out a number of steps in its final policy statement in December 2023 to mitigate APP scam risks.
These include setting appropriate transaction limits, improving ‘know your customer’ controls, strengthening transaction-monitoring systems and stopping or freezing payments that PSPs consider to be suspicious for further investigation.
All these measures will invariably improve consumer experience, increasing customers’ confidence to transact online safely, as well as giving them peace of mind with quicker reimbursement in case things go awry.
Going beyond the APP fraud mandate
If the PSR’s mandate can steer financial institutions towards implementing more robust security practices, it can only be a good thing. It’s not the only tool that’s shaping the financial security landscape, however.
In October 2024, the UK government introduced new legislation granting banks enhanced powers to combat fraud. An optional £100 excess on fraud claims has been introduced to encourage customer caution and combat moral hazards, while the Treasury has strengthened prevention measures by handing out new powers to high street banks to delay and investigate payments suspected of being fraudulent by 3 days. The extended processing time for suspicious payments may lead to delays in legitimate transactions, making transparent communication and robust safeguards essential to maintain consumer trust.
Further collaborative efforts, such as Meta’s partnership with UK banks through the Fraud Intelligence Reciprocal Exchange (FIRE) program, can also aid the fight against fraud. Thanks to direct intelligence sharing between financial institutions and the world’s biggest social media platform, FIRE enhances the detection and removal of fraudulent accounts across platforms such as Facebook and Instagram, not only disrupting scam operations, but also fostering a safer digital environment for users. The early stages of the pilot have led to action against thousands of scammer-operated accounts, with approximately 20,000 accounts removed based on shared data.
Additionally, education and awareness are crucial measures to protect consumers against APP fraud. Several high street banks have upgraded their banking channels to share timely content about the signs of potential scams, with increased public awareness helping consumers identify and avoid fraudulent schemes.
Improvements in policing strategies are also significantly contributing to the mitigation of APP fraud. Specialized fraud units within police forces have enhanced the precision and efficiency of investigations. The City of London Police and the National Fraud Intelligence Bureau are upgrading the technology for Action Fraud, providing victims with a more accessible and customer-friendly service. Collaborative efforts among police, banks, and telecommunications firms, exemplified by the work of the Dedicated Card and Payment Crime Unit (DCPCU), have enabled the swift exchange of information, facilitating the prompt apprehension of scammers.
How AI is expected to change the landscape
The coming months will be critical in assessing these changes, as institutions, businesses and the UK government work together to shape security against fraud in the ever-changing world of finance.
While fraud is a terrifyingly big business, it’s only likely to increase with the evolution of AI, making it even more critical that such changes are effective. According to PwC, “There is a real risk that hard-fought improvements in fraud defences could be undone if the right measures are not put in place to defend against fraud in an AI-enabled world.”
Chatbots can be used as part of phishing scams, for example, and AI systems can already read text and reproduce sampled voices, making it possible to send messages from “relatives” whose voices have been spoofed in a similar manner to deepfakes.
Along with other innovations, tools and collaborations, however, the APP fraud mandate, UK legislation and FIRE can all contribute towards redressing such technological advances. Together, this can give financial institutions a much-needed boost in the fight against fraud, providing a more secure future for customers.
Business
After the tax deadline: Next steps for accountancy firms

Source: Finance Derivative
By Cameron Ford, UK General Manager of Silverfin
For many accountancy firms, tax season has ended. Now, leaders have a chance to reflect on their firm’s performance, how their people are feeling after the busiest period of the year, and consider how they might optimise people, processes and technology for the future.
As a former CFO with experience in senior accountancy roles across multiple firms, I know first-hand the challenges the year-end crunch presents. The intense weeks and months leading up to HMRC deadlines put immense pressure on infrastructure, exposing the limitations of legacy systems and the bottlenecks caused by manual workflows.
The post-busy-season presents a valuable opportunity to reassess and prepare for the next one. It’s also a time for firms to reflect on evolving client needs and proactively take action to deliver improved future outcomes. Firms should also evaluate whether their current technology is alleviating pressure during peak periods – or adding to the strain.
The risk of inaction
We are living in an era of profound technological change and fast-paced innovation. Firms that fail to evolve with the times will be left behind as more flexible and adaptive competitors race forward. The risk for slow movers is not just reduced competitiveness – its industry consolidation locking them out altogether.
For today’s leaders, the choice is no longer whether to transform – but which technologies to adopt. Accountancy firms now have access to an extensive array of powerful solutions. Data analytics tools are delivering insights to power better decision-making. Automation is streamlining workflows, reducing errors and freeing up valuable time to focus on strategic tasks. And the demand for fast, secure access to accurate and timely data is only growing.
Yet, as accountancy technology matures, new challenges are emerging that extend beyond traditional tech solutions as regulators become increasingly zealous. In the UK alone, two-thirds of current business taxes were introduced in the past decade, according to Thomson Reuters. That’s 13 out of 19 business taxes. The sheer pace of regulatory innovation demonstrates the need for accountancy firms to be agile and capable of transforming at speed, as their clients face an ever evolving and intricate tax landscape.
Future success depends on equipping firms with the ability to meet the demands of both customers and regulators, striking a balance that not only satisfies current expectations but also lays the groundwork for evolving future requirements.
Growing complexity
Corporate tax management illustrates the complex nature of today’s accounting landscape. Changing regulations, new post-Brexit tax requirements and global initiatives – such as the Organisation for Economic Cooperation and Development’s (OECD) Pillar Two, which introduces a global minimum corporate tax rate of 15% – are placing unprecedented demands on tax and accounting professionals.
The most effective response is to adopt specialised software that is designed to manage compliance and evolving regulatory requirements. While adopting new technology can seem daunting, it should be seen as an opportunity, not an obstacle. Yes, there may be initial friction and deployment challenges during the early stages of transformation, but these are temporary. As firms adapt to new tools and workflows, they unlock significant benefits – including streamlined processes, improved accuracy, and the ability to stay ahead of future changes in an increasingly dynamic tax environment.
AI transformation
AI is rapidly emerging as a game-changing technology for many industries, including accountancy. It’s true value lies in acting as a partner and collaborator, taking on the heavy lifting of repetitive manual tasks, freeing up valuable hours so accountants have more time to focus on building stronger client relationships.
To be effective, AI relies on accurate real-time financial data that is easily accessed and stored in a standardised format. But before even considering training a model, firms must solve their lingering data issues. With multiple bookkeeping and large volumes of inconsistent and duplicated data, firms often struggle to extract meaningful insights.
Resolving these issues requires integrating data from various bookkeeping systems using techniques such as cloud syncs and AI enrichment tools. Data must also be stored in a unified format, properly catalogued and free from duplication to maximise its value.
By deploying AI on a foundation of clean, reliable and up-to-date data, accountancy firms can enhance their performance during peak seasons and better manage the pressures of increased demand. Plus, digital transformation and the deployment of advanced accountancy and compliance software also put firms in a stronger position to respond to new complexities and challenges that will inevitably emerge in this dynamic marketplace.
Peak season may be over, but now it’s time to plan for the next one, anticipating customer needs and proactively adapting to shifting demands.
Business
Future-proofing financial services investment

Source: Finance Derivative
Adrian Ah-Chin-Kow, Global Commercial Director at leading software escrow company, Escode, discusses how the financial services sector can prepare for the increasing investment ahead of the government’s industrial growth strategy, Invest 2035, ensuring resilience against technological risks.
The UK’s proposed Invest 2035 strategy sets a bold vision: to elevate the UK as a global leader in high-growth sectors. Financial services are at the heart of this roadmap, tasked with driving innovation, sustainability, and competitiveness. But as we look towards the future, it’s critical that the sector strikes a careful balance between embracing strategic investments and maintaining operational resilience in the face of an increasingly complex technological risk landscape.
The digital transformation currently underway in financial services is set to accelerate even further as organisations adopt new technologies like artificial intelligence, blockchain, and cloud computing. These innovations hold immense potential for growth and efficiency, but they also introduce new layers of vulnerability. For financial services to thrive in this environment, firms need to ensure their technology infrastructure is resilient, reliable, and capable of withstanding disruption.
Growing risks in a digital-first world
As government and industry push forward with initiatives to digitise the financial services ecosystem, the sector is becoming more dependent on technology than ever before. With this reliance comes the inevitable rise of new risks—risks that can threaten operations, customer trust, and even the stability of markets.
We’ve seen first-hand the consequences of technology disruptions in this space. When key software providers experience outages or security breaches, the ripple effect can be significant, disrupting not just the companies involved but entire networks of financial institutions that depend on those systems. The impacts of such disruptions, particularly in a sector where reliability is paramount, can extend beyond the immediate downtime, eroding investor confidence and creating long-term reputational damage.
In a world that is becoming more interconnected by the day, it’s crucial that financial services organisations are prepared for these challenges. Protecting against technology failures and ensuring business continuity must be top priorities for any firm that wants to remain competitive in the years to come.
Operational resilience: The foundation of future growth
The ability to withstand and recover from disruption is at the core of what will define successful financial services firms in the future. Operational resilience is no longer just a regulatory requirement—it’s a business imperative that builds trust with investors, customers, and stakeholders. The strategies needed to build this resilience are varied, but there are a few critical components every organisation should consider.
- Software Escrow: As financial institutions increasingly depend on digital tools, software escrow becomes a fundamental safeguard. We know how crucial escrow agreements are for protecting access to essential tools. If a provider fails or encounters insolvency, escrow ensures that critical software and intellectual property (IP) are held securely by a third party, ready to be released to the firm. In a sector where continuous access to technology is crucial, this arrangement offers peace of mind, ensuring core operations are protected from unexpected interruptions.
- Stress-testing and Business Continuity: Regular stress-testing and comprehensive business continuity plans are essential components of any resilience strategy. By simulating disruptions, firms can identify weaknesses in their operations and put in place measures to address them. Continuity planning ensures that businesses can continue to operate, even under extreme circumstances, helping to mitigate the impacts of unanticipated events and minimise disruption to clients and markets.
- Collaborative Resilience Standards: The interconnectivity of today’s financial ecosystem demands industry-wide standards. We’ve seen collaboration across both the private sector and with government initiatives become increasingly important. The UK’s Invest 2035 strategy offers an excellent foundation for fostering these partnerships, helping to establish resilience as a shared priority across the sector. We’re already seeing frameworks like the EU’s Digital Operational Resilience Act (DORA) lead the way in embedding resilience into the financial services supply chain. This kind of regulatory guidance helps institutions understand how to manage risks effectively, reducing overreliance on third-party providers and ensuring that firms can respond quickly to disruptions.
Collectively, these strategies reinforce the importance of being proactive rather than reactive when it comes to risk management. Operational resilience isn’t just about surviving the next crisis—it’s about building a foundation for long-term stability and growth in a rapidly changing environment.
Resilience as the key to securing Invest 2035
As we move towards Invest 2035, operational resilience will be the cornerstone of success. The financial services sector plays a pivotal role in driving economic growth and innovation, and its ability to adapt and respond to disruption will be key to maintaining the UK’s competitiveness on the global stage.
Embracing proactive resilience measures is the key to future success. By incorporating solutions like software escrow, stress-testing, and government-backed collaboration into their operational strategies, financial institutions can secure the UK’s position as a competitive, reliable investment hub.
Looking to the future, the ability to navigate these risks while maintaining operational integrity will determine whether financial services can continue to be the engine of economic growth in the UK. With the right safeguards in place, the sector can not only meet the goals of Invest 2035 but also build a reputation as a safe and dependable destination for global investment.

Empowering banks to protect consumers: The impact of the APP Fraud mandate

After the tax deadline: Next steps for accountancy firms

Future-proofing financial services investment

Future-proofing the workforce for AI innovations with continuous learning

Stealthy Malware: How Does it Work and How Should Enterprises Mitigate It?
