One of the key trends in the Southeast Asian banking sector is the growing adoption of digital banking and the entry of new providers from nonbanking and tech backgrounds. Driving this adoption are evolving customer expectations and enhanced digital penetration, combined with the desire to serve the underbanked segments of society. But with that growth comes an increase in security risks for digital banks and their customers alike.
Why digital banking is growing in Southeast Asia
According to a report by the Boston Consulting Group (BCG), published in December 2020, “the COVID-19 pandemic has accelerated this trend, as enforced digital transitions have embedded a more immediate impetus for change. These drivers will see Southeast Asia’s digital banking opportunity expanding significantly in coming years, reflecting a trend which has seen over 200 new digital banks established globally over the last decade.”
The rise of digital banking in Southeast Asia is part of a global trend. The BCG report highlights that “there has been a 190% increase in the number of [what it calls] Digital Challenger Banks since 2015, initially spurred by pioneering changes in regulation in the UK and Japan.” As a result, 45% of digital banks are now based in the Europe and Middle East (EMEA) region, 35% in the Americas, and 20% in the APAC region.
In Southeast Asia, Singapore is ushering the region into a digital banking future. While its rival Hong Kong had granted eight digital banking licenses last year, the Monetary Authority of Singapore (MAS) awarded digital banking licenses to four new entities in Singapore in December 2020. Malaysia and the Philippines are also reported to be readying the guidelines for issuing digital banking licenses in their respective countries.
The security risks and challenges of digital banks
The main security challenges include consumer protection and cybersecurity breaches.
The very nature of digital banks—most of the interaction with customers happens on mobile devices—makes them vulnerable to cyberattacks. “Everything from phishing attacks, man-in-the-middle attacks, mobile malicious hash, even ransomware have increased simply because of more use of the mobile channel,” says Michael Araneta, an analyst at IDC Financial Insights. “Note also that a high percentage of mobile phones in use, especially those in developing markets of ASEAN, would have some malware in them. Banks cannot simply turn them off or not allow customers to not use them—that is the only means of interaction!”
“I feel any bank (digital or traditional) will always be a ripe target for cyberattacks,” concurs Kunal Sehgal, a Singapore-based cyber evangelist. “The target audience here are millennials who are digital natives and are new to the financial world.” In the region, identity theft and fraud are the biggest threats, says Andrew Milroy, director at Veqtor8, a cybersecurity advisory firm.
“Data security has been one of the biggest threats in the banking industry,” says Dewi Rengganis, an industry analyst for APAC telecoms and payments at Frost & Sullivan. She cites the case of Japan’s 7Pay as an example of security being a significant challenge for the broader adoption of digital banking for payment services. 7Pay is a cashless payment service rolled out in 2019 by 7-Eleven. The 7Pay service allowed users to pay for purchases at Japan’s roughly 21,000 stores through a smartphone app. The app got hacked only days after its launch. More than ¥38 million (US$350,000) had been confirmed missing from 808 7Pay user accounts. Because of this issue, 7Pay terminated its service at the end of September 2019 after losing user trust.
Governments and regulators are aware of these security threats. That’s why in Singapore’s case, “the announcement of digital banking licenses was eventually followed by the release of the updated IT Risk Management Guidelines for financial institutions in Singapore” by the MAS agency, Araneta says. “Although they were not necessarily contingent on the other, what Singapore has done is underscoring how banking (and competition) and the way we deliver banking (as in the IT guidelines) have really changed.”
Milroy concurs, saying, “In Southeast Asia, you need a strong regulator that forces banks to address security challenges. In Singapore, the MAS does this. … For other Southeast Asian nations, the regulators tend not to be as strong in enforcing best practices in security.”
But Asian banks themselves are moving ahead to improve security, working with security technology providers, says Frost & Sullivan’s Rengganis. “Digital banks have been constantly upgrading their risk management to ensure security is maintained and protect customers from criminal activity, such as fraud, and money laundering. Many banks have reevaluated their approach to cybersecurity by leveraging big data analytics and blockchain technology. … They need to add biometrics, device telemetry, and behavioural analytics to mitigate risk of identity theft. For fraud, they need to ramp up privileged access management [also called privileged identity management] and analytics to detect anomalies” from insider threats.
“Note that fraud often involves insiders,” says Veqtor8’s Milroy. “For identity theft, banks need to move beyond passwords, even one-time passwords. In fact, passwords are becoming a liability.”
IDC’s Araneta points out that many banks’ security-related projects to date have focused on network security (securing the perimeter), but more and more of the banking activity (interactions and engagement) is happening outside the bank’s traditional perimeter. “So the new tools of security really need to focus on securing those interactions as well,” he says.
But banks can’t do it alone—customers need to be better at security, Araneta says. “It is also about customer education—for the customer to know how to protect themselves as the ultimate threat vector or a really vulnerable point of attack for cybercriminals. This is the reason why banks have to exert effort in customer education.” Banks also need to help customers, such as by implementing multifactor authentication, despite the trade-off in user experience it creates.
New APIs emerging for digital banks
According to Gartner, attacks and data breaches involving poorly secured APIs are occurring frequently as each new API represents an additional and potentially unique attack vector into banking systems. The number of exposed APIs in apps has grown dramatically in just two years, making them a larger attack vector than the user interface, Gartner says. It predicts that by 2022, “API abuses will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications”.
For digital banking, the Open Banking API has been emerging in the Asia-Pacific region only recently, which will lead to more API adoption and thus possible attack vectors. The good news, Gartner says, is that API management and web application firewall vendors, as well as new startups, are aware of this shortcoming and are addressing it.
Besides secure API management, developing digital ID frameworks is also critical for the industry. Frost & Sullivan’s Rengganis notes that digital ID frameworks have been implemented in countries across Southeast Asia, including Indonesia, Malaysia, and Singapore, that “can reduce the burden on banks for KYC [know-your-customer] processes.”
The digital banking opportunities are huge in Southeast Asia, and the organisations that are taking a plunge in this space will thrive as long as they ensure consumer protection, take steps to mitigate cybersecurity risks, and implement strong data protection.
Copyright © 2021 IDG Communications, Inc.