Prioritising cybersecurity and fraud mitigation in the digital age

Contributed

This content is contributed or sourced from third parties but has been subject to Finextra editorial review.

This is an excerpt from The Future of Digital Banking in North America 2024 report.

While embedded finance is opening the doors to more efficient and effective banking, the global interconnectedness and easy facilitation of cross-border payments also expose new vulnerabilities. The complex web of distribution can be exploited by cybercriminals and leaves institutions susceptible to major financial, reputational and legal repercussions. In the case of a successful attack, this interconnectedness can also start a dangerous domino effect that causes widespread disruption and threatens financial stability. One of the biggest challenges for banks and financial institutions will be to build multi-faceted cybersecurity strategies that go beyond business continuity and disaster recovery to ensure critical services can continue to be provided even when attacked.

In response to the growing risk, PwC have released an embedded finance risk framework that highlights five elements:

  1. Interoperability: Risks associated with the interconnectedness of fundamental components: technology (i.e., APIs, microservices, private cloud) and operational resilience (incident response, disaster recovery).
  2. Data containment: Data security, privacy, and control of fractional data use and ownership.
  3. Complex partnerships: Risks stemming from the unique nature and complexity of embedded finance partnerships.
  4. Vulnerable customers: Customer-specific concerns arising from partnerships between financially regulated and non-regulated institutions.
  5. Distributed risk: The exponential increase in risk transfer within complex embedded finance ecosystems.

Additionally, effective incident reporting and information sharing are crucial to ensuring an effective policy response and promoting financial stability. The Financial Stability Board (FSB) this year released recommendations to achieve greater international convergence in cyber incident reporting, which will improve the way authorities manage incidents going forward.

The wider realm of banking faces similar, heightened security threats. As payments become increasingly digital, the need for robust cybersecurity measures for financial institutions and banks rises exponentially. While digital transformation offers countless opportunities and new market segments for firms, cybercriminals are developing complex new methods of defrauding and compromising data across the financial landscape. The risk is even more pronounced in North America than in other regions. Verizon’s 2023 Data Breach Investigations Report found that North America is the most targeted region, making up 70.45% of breaches reported worldwide. In comparison, Europe, the second-most targeted region, only makes up 19.93% of the total.

Mastercard’s CTO Ed McLaughlin noted that: “In today’s digital economy, we are more connected than ever, including the over five billion of us who are connected on digital networks. But with this connection comes the need for trust, and cybercriminals aren’t backing down. According to the World Economic Forum (WEF), cybercrime is now the world’s third-largest economy coming in behind the United States and China, and the average cost of a single data breach has skyrocketed to $3.86 million. If faced with that type of loss, many organisations won’t be able to recover.”

The number and complexity of cyberthreats continue to grow, and arguably the biggest risk to a firm’s security remains human error. As social engineering attacks become increasingly sophisticated, employers need to emphasise the importance of cybersecurity awareness so that scams such as phishing can be identified by teams. Whether it’s clicking malicious links, connecting through unsecured networks or relying on weak password and verification protocols, teams need to evolve their cybersecurity skills at the same rate as cybercriminals are evolving threats. This becomes apparent in the Verizon report, which found that 74% of successful data breaches involved the human element. Even more gravely, Gartner found that 69% of employees have knowingly not complied with their organisation’s cybersecurity guidance in the past 12 months and 74% of employees stated they were willing to bypass cybersecurity guidance if it helped them or their team achieve a business objective.

While most cybersecurity measures are designed around technology and systems, we will likely see the tide change in the coming years. Gartner predicts that, through 2027, 50% of CISOs will formally adopt human-centric design practices into their cybersecurity programs in order to mitigate the risk stemming from human error.

The legislative landscape of fraud mitigation

Financial fraud is following a similar pattern to cybercrime. Research by Juniper shows that online payment fraud is running rampant and is expected to exceed $48 billion globally in 2023. Similarly to cybercrime, North America proves to be the epicentre of financial crime as well, accounting for 42% of global fraud (compared to 26% for Western Europe). Online payment fraud is one of the most pervasive issues plaguing vendors, and merchant losses are expected to exceed $362 billion globally between 2023 and 2028.

The increased risk is primarily driven by sophisticated scam strategies as well as the use of AI for attacks, which is especially treacherous for SMEs that lack the resources for comprehensive customer analytics and anti-fraud strategies. Looking to the future, Juniper’s research additionally found that BNPL will pose a significant risk. It’s also worthwhile to note that the BNPL industry, especially in the US, still lacks oversight.

While the EU has recently agreed on a new Consumer Credit Directive in regard to short-term, interest-free loans, the US is yet to introduce regulatory proposals. However, US BNPL providers have come under scrutiny from federal and state regulators. Last year, the CFPB issued a report that found that data harvesting and overextension of the BNPL industry have the potential to cause extensive consumer harm. Following these findings, the CFPB is expected to introduce regulation for the BNPL industry in the near future.

BNPL scrutiny is not the only regulatory change we can expect. In response to the events of spring 2023, US banking regulators unveiled proposals to enact the final Basel III standard for US banks, which would set stricter industry standards for measuring the risk of lending and trading activities. While the details of the proposal are yet to be set out, regulators announced rules that will apply to banks exceeding $100 billion in assets.

Likewise, Canadian banking regulator OSFI also announced the incorporation of the final Basel III banking reforms in the country, which will be fully effective from early 2024. Furthermore, OSFI has introduced a framework that requires Canadian-based banks and insurance companies to disclose their climate-related risks and exposure from 2024 onwards. The framework outlines, among other things, the need for banks to be prepared to maintain operations during climate-related disasters and requires them to include the impact of climate change on their liquidity risk profile.

Lastly, access to safe and comprehensive data is crucial for financial institutions. The upcoming introduction of ISO 20022 will help organisations send enhanced data in a richer, more structured format and help create a single common language for most payments globally.
