With the rise of Web3, the recent breakthroughs in AI and the maturity reached by many fintechs competing with traditional banking service providers, there is no doubt that the future of finance is digital (in both B2B and B2C services). As financial players rely more heavily on ICT and process high volumes of data to provide their services, they also face new risks in an ever more interconnected digital environment. This raises the critical question of how to deal with cybersecurity and new online fraud threats in the financial industry.
These topics are not new at all. Every diligent financial institution providing its services online is already mindful of protecting its ICT systems and the data it stores about its customers, and of keeping the risk of fraudulent use of its services as low as possible. Nevertheless, the heavy reliance of financial institutions on the same providers (eg, cloud service providers) and the interconnection between platforms and environments (eg, API integration and communication) make it critical to take a more consistent approach at industry level and to set minimum standards for everyone to abide by.
This effort is instrumental in preventing (as much as controlling) ICT security breaches from having a widespread impact, either because a breach is likely to compromise an essential element of the ICT infrastructure or because of the contamination effect that such breaches may have across a network of institutions. says that “Good examples of these threats would be ransomware scenarios – which may either paralyse critical infrastructures, preventing services from being provided to customers – or unauthorised data access and data leaks – likely to trigger loss of confidence in the ability of financial institutions to maintain the confidentiality, integrity and availability of their customers’ information.”
At the same time, customers themselves are more and more vulnerable to digital security threats and need to ensure they use online services in a secure way. This, of course, requires appropriate behaviour from the customer directly (by keeping their log-in details, passwords and other security credentials confidential), but financial service providers are also required to contribute substantially to that effort. The strong customer authentication (SCA) standards under the Second Payment Services Directive (PSD2) demonstrate this perfectly: the industry needed to adapt the way it operates payment services and offers them to customers – by using two authentication factors when carrying out certain online operations – in order to reduce fraud in online payment transactions efficiently.
While the financial industry already treats cybersecurity as a priority and complies with the current regulatory requirements to reduce attacks (including fraud) against customers using its services, the EU legislator still decided to make these considerations central to its digital finance strategy. In this context, the digital finance package issued in 2020 is reaching a first stage of maturity (with some critical texts voted by the EU legislator now entering their implementation phase) and is entering its second phase, which aims to further improve the competitiveness as well as the security of retail payments while generalising the concept of open finance.
In the sphere of digital operational resilience, the Digital Operational Resilience Act (DORA), adopted at the very beginning of 2023, is due to bring much more granular standards to the way financial institutions (the whole spectrum, from banks to insurance companies, through investment managers and market infrastructure providers as well as crypto-asset service providers) manage their ICT risks, with strict governance requirements, new stress-testing (penetration testing) requirements, incident reporting requirements and contractual requirements applying to relationships with ICT service providers.
As far as antifraud measures are concerned, the new proposal for improving PSD2 sets the tone with an increased liability for payment service providers (PSPs) to train their customers as well as their staff on existing fraud schemes and their evolution. Further transparency in payment information should also help payment users identify potential fraud schemes. The phenomenon of impersonation schemes is also taken into account by strengthening the liability of PSPs, to incentivise them to help their customers avoid falling victim to fraudsters. In this context, data sharing between service providers is now encouraged in order to fight fraudsters and fraud schemes more efficiently. The same approach is prescribed in the proposal for a Financial Data Access regulation (FiDA), which aims to develop open finance solutions (beyond pure open banking).
concludes that “It is currently too early to assess the efficiency of the measures taken by the EU legislator – as it will ultimately be for the financial industry to effectively implement them in a way that is fit for purpose. It, however, clearly shows that cybersecurity in financial services is at the heart of the EU’s digital finance strategy and that the pace of reforms will continue until the transition towards a new digital era in the EU is achieved as efficiently and safely as possible.”