FOR MORE INFO CONTACT

Noemie Papp

Legal adviser

Consumer Affairs & Coordinator Digital issues

n.papp@ebf-fbe.eu

www.ebf-fbe.eu

FIVE ACTIONS FOR THE FUTURE OF DIGITAL BANKING:

  1. Boost digital inclusion by developing public-private partnerships between banks and public authorities.
  2. Organise a full-fledged stakeholders debate on innovative payments and pan-EU solutions with consideration for costs and benefits for all stakeholders.
  3. Promote a cybersecurity awareness campaign highlighting existing and new threats, making digital finance more secure and building trust.
  4. Conduct a ‘fitness check’ on existing financial services legislation to adjust to the global market reality and to ensure consistency.
  5. Conduct a joint assessment by both government and industry on opportunities and impact of crypto-technologies.

Cybersecurity

RECOMMENDATIONS

  1. Promote an awareness campaign about existing and new threats. Making digital finance secure and building trust should be a common goal involving public and private actors.
  2. Enforce public-private partnerships cross-country and cross-industry: this is fundamental for setting up operational cooperation to investigate and prevent future financial crimes, in order to have a broad view of the phenomenon and to increase the effectiveness of cyber intelligence methods.
  3. Create a framework for cybersecurity monitoring to strengthen preventive measures and ensure an effective and better coordinated response to cybercrime at EU level: the creation and maintenance of specific skills and expertise are essential to elaborate and correlate data correctly, as well as to select and draw out the relevant information on the attacks and the mechanisms used. Similarly, it would be relevant to analyse and report cyberincidents for notification and prevention purposes: changing the view from reporting to early warning through the extraction of key messages and “lessons learned” from information and incident sharing. Cybercriminals work more frequently under international coordination and management, with a well-structured segregation of duties, often spread across several countries.
  4. Encourage exchange of information via public-private partnerships and cross-country and cross-industry platforms.
  5. Promote coordination among coexistent initiatives and develop a one-stop-shop mechanism for incident notifications.

Cybersecurity

With a shift in activities from the more traditional IT supports to mobile applications with instant/contactless payments, criminal activities are shifting as well. One constant in cybercrime is change.

According to the European Commission’s Special Eurobarometer 423 on Cyber security [6] (February 2015): “Internet users in the EU remain very concerned about cybercrime. When asked how concerned they are about experiencing or being a victim of different types of cybercrime, Internet users are most likely to say they are concerned about identity theft (68%) and discovering malicious software on their device (66%). Internet users also express concern about being the victim of bank card or online banking fraud (63%)”. The Symantec report [7] of 2015 mentions that real names, ID numbers, home addresses, financial information and dates of birth were among the top five types of data targeted in breaches, by number of incidents, in 2014.

The EU institutions broadly recognise cybersecurity as a key priority within the European Agenda for Security [8] or within the Single Supervisory Mechanism [9]. Securing the data of its clients is one of the banks’ top priorities. For the banking sector, this is key in order to avoid undermining the confidence of the public in payment systems and infrastructures and, likewise, in the capacity of banks to protect the data of their customers, especially now that consumers have become highly sensitive to privacy issues.

Opportunities for banks and customers

Cybersecurity resilience is not something new for the banking sector. Its strong capacity to be resilient to cyberattacks is essentially based on the fact that banks realised at an early stage that security was fundamental for their customers and essential for delivering secure services. Building on existing know-how, this awareness allows the banking sector to increase trust among customers in the new innovative digital services it offers.

The banking sector benefits from an important infrastructure enabling a flow of secured information on the possible threats. Given this efficient infrastructure, banks can put in place appropriate countermeasures, and consequently, are well placed to secure the interest of their customers in the face of the global cybercrime phenomenon.

The European Banking Federation believes in the success of public–private partnerships to fight cybercrime and to prosecute perpetrators. In 2014, it signed a Memorandum of Understanding (MoU) with Europol (EC3). Under this agreement, both organisations exchange information and work on awareness of specific threats to the sector.

Security as top concern


What do customers see as the main concerns when using digital channels?

  • Security: 49%
  • Slow speed: 31%
  • Poor functionality: 26%
  • Difficult to use: 22%

What do customers want from their bank?

  • Enhanced security: 59%
  • Transaction tracking: 44%
  • Electronic signature and submission: 40%
  • Instant message support: 39%
  • Video support: 26%

Source: Ernst & Young Survey, 2014

Barriers to a successful cybersecurity system

Criminal modus operandi are becoming more and more sophisticated (phishing techniques and the spread of a multitude of banking malware variations/permutations). In 2013 the sector saw a record number of data breach cases in terms of identities exposed. The banking sector needs to adapt fast and continually. This implies costly investments.

Criminals act from countries in which judicial cooperation has traditionally been limited, and consequently it is difficult to track them down and/or gather evidence to arrest them. It is therefore critical to enforce public-private partnerships in order to set up an operational cooperation able to investigate online frauds and prevent future financial crimes. For this purpose, Europol launched in 2014 a joint cybercrime task force (J-CAT) dedicated to strengthening the fight against online crime across the world. The members share intelligence, align priorities and gather data on specific criminal themes from national repositories to propose targets for investigation. The J-CAT is trying to coordinate international investigations against major threats (with the underground fora and malware, including banking Trojans, among the top targets). Considering the risks, it is imperative to balance the need for privacy and security with new digital services according to the risk appetite.

The current Data Protection Directive and the future General Data Protection Regulation restrict direct sharing between banks of Indicators of Compromise (IOCs) that contain personal information. The EBF would advocate a more proactive and efficient way to share incidents between banks. Organised financial industry fora that share IOCs already exist, but they could be improved by being allowed to exchange IOCs with personal information. In addition, the EBF would like to see a one-stop-shop mechanism when a notification is requested, as currently banks have to notify several authorities in different countries at the same time. Aggregation of incidents in a single point of contact when they occur in several countries within the EU, and outside, needs to be fast and efficient from the legal point of view.

[6] European Commission’s Special Eurobarometer 423 on Cyber security.
[7] Symantec internet security report ISTR20, April 2015.
[8] The “European Agenda on Security”, published by the European Commission on April 28th 2015, identifies cybersecurity as one of the three main priorities for European security, together with terrorism and serious and organised cross-border crime.
[9] The cybercrime risk has also been identified by the Single Supervisory Mechanism (SSM) as a strategic topic for its supervisory activity in 2015, and it has to be considered by banks when performing their operational and IT risk assessment.