There is no doubt that the way we bank has evolved significantly in the last 20 years. Gone are the traditional methods; we are now firmly in the digital age, propelled by technological advancements. We’ve seen a shift from traditional to digital banking, mobile banking, digital-only banks, blockchain and cryptocurrencies.
PYMNTS recently reported that there appeared to be an innovation and regulation gap. “The regulators are now awake,” Thredd CEO Jim McCarthy told PYMNTS in June. “Too many people are focused on the ‘as a service’ part — but have ‘minored’ in the banking part, if at all.”
Regulators are now requiring banks to implement more sophisticated monitoring systems to detect and report suspicious activities, especially given the rise in cyber-enabled financial crimes.
However, whilst the innovation and regulation gap is now being addressed, closing it has created significant challenges in cyber risk and regulatory compliance.
What are the Cyber risk challenges for Banking now?
The attack surface has increased: Mobile banking apps, online portals and APIs give attackers many more entry points into banks and their customers. The resulting cyber risks include phishing attacks, ransomware, identity theft and sophisticated fraud schemes.
Cyber security measures have become more complex: Banks must now implement robust controls, including multi-factor authentication, encryption and intrusion detection systems. However, as services become more complex, so do the security challenges.
3rd Party Risk: Supply chains create vulnerabilities, especially FinTech partnerships and cloud services, which have introduced additional cyber risks. A breach in one of these services can compromise the entire banking ecosystem. With the Digital Operational Resilience Act (DORA) applying from January 2025, much of its focus is on 3rd party risk. One of our recent blogs dives into the impact of the 3rd party focus in DORA. This focus should push the banking industry to apply robust cyber security measures to its 3rd parties, not just to itself.
Regulatory Compliance challenges just accelerated
Regulatory oversight of digital banking: Regulatory bodies are working to ensure that digital banking is secure for customers, so banks need to stay abreast of regulatory changes. The Digital Operational Resilience Act addresses the concerns that technological advances have presented.
Stricter data protection regulations: GDPR focuses the mind on how organisations handle personal data, so banks must ensure that data is moved, stored and held securely.
Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements: With the rise of online and mobile banking, AML and KYC processes have had to adapt to digital environments. This includes biometric verification, AI-driven identity checks and real-time transaction monitoring, all of which regulators now expect banks to use to detect and report suspicious activity, especially given the rise in cyber-enabled financial crime.
Operational Resilience: DORA also addresses the need for banks to be resilient in the event of a cyber attack. In particular, banks will be required not just to pen test but to perform Threat Led Penetration Testing (TLPT): intelligence-led, red-team style testing of live production systems, which DORA (Article 26) requires at least every three years for the entities in scope. For most banks this means more frequent and deeper testing than they have performed before.
PYMNTS also commented that “Regulatory orders and regulatory scrutiny have taken a front seat in the industry. We’ve gone through a bunch of these cycles over the last 23 years, but this regulatory environment is back to where the bank sponsorship [model] is getting tighter and more difficult.
“At the same time, bank and FinTech partnerships are becoming more and more crucial — especially when applied to enhancing customer experiences, expanding market reach and improving operational efficiency within the financial services sector.”
What Technology should the Finance Industry be looking at?
To cope effectively with regulatory change and cyber risk, financial institutions must adopt technology that keeps them compliant and protects against ever-evolving cyber threats. This would include:
Continuous Compliance Automation (CCA) or Continuous Controls Monitoring (CCM): Some argue there are distinct differences between CCA and CCM, but in practice they are minimal. Continuous controls monitoring continuously checks that controls are operating effectively, whilst continuous compliance automation focuses on maintaining compliance with regulatory requirements in real time, reducing the need for manual intervention. CCM can achieve this too, so whilst both technologies are worth a look, it is worth seeing how CCM can deliver both cyber security monitoring and continuous compliance.
Other cyber security solutions: Zero Trust Architecture, advanced threat detection, and encryption and data masking are all essential tools in a financial institution’s armoury.
Artificial Intelligence (AI): CCM already uses AI, but AI can also be applied to predictive analysis and fraud detection.
Identity and Access Management (IAM): Multi-factor authentication means that more than one factor must be presented before sensitive areas can be accessed, and User Behaviour Analytics (UBA) monitors how accounts actually behave, so that deviations from a user’s normal pattern (new device, new location, unusual amounts, bursts of activity) can be spotted and acted on.
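To make the behaviour-based monitoring mentioned above (the real-time transaction monitoring under AML/KYC and the User Behaviour Analytics under IAM) concrete, here is an added example that is not code from the original post or from any product it mentions. It builds a per-customer baseline from assumed-legitimate history, then scores each new transaction against that baseline using a few simple rules. The event fields, the rule weights, the 10-minute velocity window, the alert threshold and the sample transactions are all constructed assumptions for illustration.

```python
# Added example, not code from the original post: a small user-behaviour-analytics
# style transaction monitor. Event fields, scoring weights, the 10-minute velocity
# window, the alert threshold and the sample data are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    user: str
    ts: datetime
    amount: float
    country: str
    device: str


def build_baselines(history):
    """Per-customer profile built from historic transactions assumed to be legitimate."""
    by_user = defaultdict(list)
    for t in history:
        by_user[t.user].append(t)
    baselines = {}
    for user, txns in by_user.items():
        amounts = [t.amount for t in txns]
        baselines[user] = {
            "mean": mean(amounts),
            "std": pstdev(amounts),
            "countries": {t.country for t in txns},
            "devices": {t.device for t in txns},
        }
    return baselines


def score_transaction(txn, baseline, recent,
                      window=timedelta(minutes=10), velocity_limit=3):
    """Return (score, reasons). Each rule adds weight; reasons explain the alert."""
    score, reasons = 0, []
    std = baseline["std"] or 1.0            # flat history: avoid division by zero
    z = (txn.amount - baseline["mean"]) / std
    if z > 3:                               # amount far above this customer's norm
        score += 2
        reasons.append(f"amount z-score {z:.1f} > 3")
    if txn.country not in baseline["countries"]:
        score += 1
        reasons.append(f"new country {txn.country}")
    if txn.device not in baseline["devices"]:
        score += 1
        reasons.append(f"new device {txn.device}")
    n_recent = sum(1 for r in recent if txn.ts - r.ts <= window)
    if n_recent >= velocity_limit:          # burst of activity in a short window
        score += 3
        reasons.append(f"{n_recent} earlier txns within {window}")
    return score, reasons


def run_monitor(history, stream, alert_threshold=3):
    """Process transactions in time order; return a list of (txn, score, reasons) alerts."""
    baselines = build_baselines(history)
    recent = defaultdict(list)              # a real system would prune this by time
    alerts = []
    for txn in sorted(stream, key=lambda t: t.ts):
        base = baselines.get(txn.user)
        if base is None:
            # No history to compare against: route to manual / KYC review.
            alerts.append((txn, None, ["no baseline for user"]))
            continue
        score, reasons = score_transaction(txn, base, recent[txn.user])
        recent[txn.user].append(txn)
        if score >= alert_threshold:
            alerts.append((txn, score, reasons))
    return alerts


# Constructed sample data: alice normally spends around 50 from GB on one phone.
def _t(hour, minute):
    return datetime(2025, 1, 10, hour, minute)

HISTORY = [Txn("alice", datetime(2025, 1, day, 12, 0), amt, "GB", "phone-1")
           for day, amt in enumerate([40, 45, 50, 55, 60, 42, 48, 52, 58, 50], start=1)]
STREAM = [
    Txn("alice", _t(9, 0), 55, "GB", "phone-1"),     # normal
    Txn("alice", _t(9, 2), 450, "NG", "laptop-9"),   # big amount, new country, new device
    Txn("alice", _t(9, 3), 30, "GB", "phone-1"),     # normal
    Txn("alice", _t(9, 4), 30, "GB", "phone-1"),     # fourth transaction in four minutes
    Txn("bob", _t(9, 5), 20, "GB", "phone-2"),       # customer with no history at all
]

if __name__ == "__main__":
    for txn, score, reasons in run_monitor(HISTORY, STREAM):
        print(f"ALERT {txn.user} {txn.ts:%H:%M} {txn.amount}: score={score} {reasons}")
```

Run as a script it raises three alerts: the 450 payment from a new country on a new device (score 4), the fourth transaction inside the velocity window (score 3), and the customer with no baseline, who is routed to review rather than silently allowed. The point of the design is that every alert carries the reasons that triggered it, which is what an analyst, and a regulator asking why a transaction was or was not reported, actually needs.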
Banks appear to be embracing technology to close their regulatory compliance gaps, and this is a necessary step if they are to keep up with the growing demands they will face to remain cyber secure and operationally resilient.