Walking the security tightrope in APAC
25 November 2021
Shaibal Saha is the Asia Pacific Digital Trust Leader at IBM. Efma’s Kevin Spangenberg spoke with Shaibal about the unique security environment in the region.
Efma: In Europe/U.S. (the west), people can often be myopic in how they view the financial services industry. Could you talk about some of the digital and security trends in your region and where companies/banks might be ahead of their western counterparts?
Shaibal: I think the most important trend we are seeing across different regions in Asia is around digital banks. Banks are coming out of their regular establishment and trying to become modern banks, where they are more visible and right in front of the customer in some digital form. It’s not just about being a mobile bank, it's more to do with the kind of functions they provide to customers.
Everything being digital raises more challenges, like how do you onboard customers digitally? How do you verify the customers? One of the biggest challenges for banks was passwords. Everyone has to remember passwords, and passwords have the risk of compromise. Banks have used MFA in the form of hardware tokens; however, today banks are trying to replace hardware tokens and are moving to soft tokens that are built into the mobile banking app itself to make it easier for everyone involved.
Other than this, what we also see is that banks are expanding their business model. They are no longer just doing savings and loans, but are coming up with new business models. Payment APIs, for example, that provide a frictionless checkout experience. Instead of going through traditional ways of payments, how can they expose payment APIs for a third party to consume? This enables them to reach new customers without having to establish a prior banking relationship.
Third-party integration is growing. If there is a fintech that provides a very niche capability or service which can benefit my bank customers, how can I bring that onto my platform and expose it to my customers? The whole idea is to have digital engagement with customers; banks want to make things simple. They want to make it convenient for users, but at the same time they need to manage the risk, because the more they collaborate on services and the more they open new digital services, the more they are exposed. This opens up the possibility of threats and data leakage, and that's something that worries banks. They need to get the right balance between convenience and managing the risk.
Efma: What are some of the main security trends in the APAC region? Is there a movement toward Single Sign On, Multifactor Authentication, or even password-less in APAC as there is in Europe/U.S.?
Shaibal: To give an example, one of the banks which we have been working with has different brands that provide different kinds of services. One of the big challenges they had was that every time a customer wanted to get a specific service, they would have to register. They create a user ID and password. Then they do the same thing again and again. The problem was that it was becoming very challenging for customers, from an experience perspective certainly, but at the same time for the bank, because they were not getting connected insights into who was using what service and were losing potential insights for cross-selling and upselling.
It is all about the omnichannel experience. How can I provide an omnichannel experience across different brands and services; across all the channels? We want to make sure the overall user experience is maintained at all times.
The other area we see is from an authentication perspective. Banks are now trying to do away with passwords because passwords are the biggest culprits. They get compromised, and that leads to identity theft and account takeovers. So banks are utilizing the user’s device as another factor. The mobile phone is registered as a device. A unique device fingerprint is created which can uniquely identify that user. The customer may be coming in from multiple devices, so each of them will have a unique device fingerprint, so that when the customer comes in, you know that this is a trusted user coming in from a trusted device rather than just relying on the password. Some banks are taking it a notch further, where they are monitoring user behavioral biometrics to identify the user along with device fingerprinting. Behavioral biometrics include how a user uses and interacts with their devices and channels.
What we are seeing is a movement toward invisible/zero context. Beyond the device, we can also use other contexts like the user’s location, their behavior, their activities and all these contexts are used in a seamless and invisible manner to determine the trustworthiness of the user.
Efma: Are there regional differences in FiServ compliance demands in APAC? What challenges and opportunities do these present?
Shaibal: It is a big region and different countries are at different levels of maturity. And the demographics are also very different. You look at countries like Singapore and Hong Kong where you will find regulations that are quite mature. Additionally, regulators are continually refreshing them to meet the market demands and technology advancements.
However, there are then countries, for example in the ASEAN region, where regulations are still maturing and evolving fast. There, I would say the banks still have a lot of grey areas with respect to cybersecurity in which they operate.
The other trend which we are seeing revolves around this whole collaboration and convergence piece. It’s open banking regulation, which in Europe is known as PSD2. Here, we are seeing a lot of regulators that are in the process of developing regulations around open banking. Predominantly, they're trying to create regulations in terms of how data can be shared openly with the right level of security. Customer data privacy is a major consideration in those cases.
As banks seek to be more collaborative and open themselves up, especially given the competition from fintechs and unique financial services providers like BNPL, wallets, etc. in this part of the world, any bank that is early can have the advantage of actually working with regulators to shape what open banking regulations might look like in that particular country. This gives them a lot of opportunity to experiment first, fail fast, and learn new things from a security point of view.
Efma: Culturally, do financial services customers in APAC have different or unique expectations and needs? Could you provide a couple of examples?
Shaibal: When we deal with markets like India or Indonesia with such big populations, the requirement for customers there is very different. They want everything to be fast because they're catering to millions and millions of customers. They want to make sure that when you implement security, the way it is implemented is not blocking many transactions. In those scenarios, they want to ensure that a solution is deployed in the most efficient manner so that performance along with security is not compromised at all.
Whereas when you think about customers in Australia or Singapore, there is pressure from a performance perspective, obviously, but it is very different from what we see in India or Indonesia. Here the importance is on functionality and regulatory pressure. How can I make the system even better in terms of decision making, with policies that prevent fraud, protect consumer privacy, etc.?
In all of the markets there's a lot of competition, and banks today are trying to be more agile and nimble and introduce unique services first in the market. So when we engage with them, we do security in an agile but layered manner, where we create a foundation and a platform-based approach and then we start bringing in new capabilities and features to strengthen the security posture, keeping in mind regulatory requirements and customer experience.
Efma: How is identity and authentication viewed differently across the various regions? Is trust more inherent and assumed in different regions compared to others?
Shaibal: One thing which we are seeing across financial institutions is the emphasis on the experience part. We want to make sure that their services are provided in the most optimized way, where they have the omnichannel experience, and when we think about the omnichannel experience it's all about the user. Banks are not just dealing with customers; they're also dealing with partners. They're dealing with third parties. They're also dealing with employees and contractors, so obviously there is a lot they have to do with the user’s identity.
The user experience is the most important thing; banks want to make it seamless. Banks want to make it passwordless so that users can still interact with my services easily rather than through the multi-gated approach they have right now. But security challenges are growing. With Covid, the amount of phishing attacks and the amount of malware attacks, especially on mobile devices, has gone up exponentially.
Regulations are growing around open banking, collaboration, information sharing, and privacy. So, these are the many things that banks have to juggle in trying to make sure they address the convenience side while also implementing the right level of security.
So, we see many banks going through identity and access management transformations. Seamless authentication, better assurance, and risk and fraud management are becoming major initiatives for the banks to balance the omnichannel experience across user communities, and also to efficiently and effectively manage risk, prevent fraud for the bank and its users, and be compliant at the same time. These transformations are under the umbrella of Consumer Identity and Access Management (CIAM), which banks across the region are embarking on.
To go deeper on all things cybersecurity and how to bridge the gap between security and experience, you can watch IBM present next week at EfmaLIVE Inspire Change. Register for the event now!
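The interview describes banks replacing the password with a registered device fingerprint plus context (location, behavior) that is weighed invisibly to decide how much to trust a login, with soft tokens as the step-up factor. The following is an added illustration written for this page, not IBM's or any bank's code: a minimal risk engine that keys device fingerprints with a server secret, tracks where each registered device was last seen, and maps a combined score to allow / step-up / deny. The attribute names, the scoring weights, the thresholds, the `SERVER_KEY` value and the sample users are all constructed assumptions.

```python
import hashlib
import hmac

# Hypothetical server-side secret used to key fingerprints. A real deployment keeps
# this in a KMS/HSM; it is hard-coded here only so the example runs offline.
SERVER_KEY = b"example-only-server-key"

# Scoring weights and thresholds (constructed assumptions, not a vendor's policy).
W_UNKNOWN_DEVICE = 50      # device never registered for this user
W_LOCATION_CHANGE = 20     # known device, but seen from a different country
W_LOW_BEHAVIOR = 30        # behavioral-biometrics confidence below BEHAVIOR_MIN
BEHAVIOR_MIN = 0.5
STEP_UP_AT = 20            # score >= this: require the soft token
DENY_AT = 60               # score >= this: refuse and flag for review


def device_fingerprint(attrs: dict) -> str:
    """Derive a stable, keyed fingerprint from device attributes.

    Attributes are canonicalised by sorted key so the same device yields the same
    value regardless of the order the client sends them. Keying with HMAC means a
    leaked fingerprint table is not directly reusable against another deployment.
    """
    canonical = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hmac.new(SERVER_KEY, canonical.encode(), hashlib.sha256).hexdigest()


class RiskEngine:
    """Decides how to treat a login from device + location + behavior context."""

    def __init__(self) -> None:
        # user id -> {fingerprint: country the device was last trusted from}
        self._trusted: dict[str, dict[str, str]] = {}

    def register_device(self, user: str, attrs: dict, country: str) -> str:
        """Bind a device to a user after a successful enrolment (e.g. soft-token proof)."""
        fp = device_fingerprint(attrs)
        self._trusted.setdefault(user, {})[fp] = country
        return fp

    def evaluate(self, user: str, attrs: dict, country: str,
                 behavior_confidence: float) -> tuple[str, int, list[str]]:
        """Return (decision, score, reasons) for a login attempt.

        behavior_confidence is the behavioral-biometrics match in [0, 1]; it is an
        input from a separate model and is treated as opaque here.
        """
        score = 0
        reasons: list[str] = []
        fp = device_fingerprint(attrs)
        known = self._trusted.get(user, {})

        if fp not in known:
            score += W_UNKNOWN_DEVICE
            reasons.append("unknown device")
        elif known[fp] != country:
            score += W_LOCATION_CHANGE
            reasons.append(f"device last seen in {known[fp]}, now {country}")

        if behavior_confidence < BEHAVIOR_MIN:
            score += W_LOW_BEHAVIOR
            reasons.append("behavioral biometrics below threshold")

        if score >= DENY_AT:
            decision = "deny"
        elif score >= STEP_UP_AT:
            decision = "step_up"   # prompt for the in-app soft token
        else:
            decision = "allow"     # invisible, no extra friction for the user
        return decision, score, reasons


def demo() -> list[str]:
    """Constructed walk-through: one user, one enrolled phone, four login attempts."""
    engine = RiskEngine()
    phone = {"model": "constructed-phone", "os": "14.1", "app_id": "bank-app-1"}
    tablet = {"model": "constructed-tablet", "os": "13.0", "app_id": "bank-app-1"}
    engine.register_device("alice", phone, "SG")
    attempts = [
        (phone, "SG", 0.9),    # trusted device, usual country, normal behavior
        (phone, "US", 0.9),    # trusted device, travelling
        (tablet, "SG", 0.9),   # new device, otherwise normal
        (tablet, "US", 0.3),   # new device, new country, odd behavior
    ]
    return [engine.evaluate("alice", d, c, b)[0] for d, c, b in attempts]


if __name__ == "__main__":
    print(demo())
```

Only the login on the enrolled phone from its usual country passes silently; a country change or a new device triggers the soft token, and a new device combined with poor behavioral confidence is refused. In practice the weights would be tuned on the bank's own fraud data and the fingerprint attributes drawn from the mobile SDK, but the shape of the decision is what the interview describes.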