"Consumers need protection and there aren't minimum technical standards that organizations need to comply with that are strictly tied to these data protection laws."
Michael Magrath, Director at OneSpan
If you don’t work in the finance industry, you naturally aren’t too concerned with financial services industry regulations. Yet some regulations don’t just affect the people who work in finance – they affect everyone. All of us conduct financial transactions and, from time to time, need to share our personal data; therefore, we are all potential victims of cybercrime.
In 2020, the global pandemic exposed many weaknesses in the security, data management and privacy policies of many international companies in the finance industry. In response, governments around the world are now introducing new data privacy and data protection regulations and updating existing ones to help protect consumers. In November 2020, to help the finance industry navigate the recent and upcoming changes to regulations, OneSpan released its first Global Financial Regulations Report.
In part one of our interview with Michael Magrath, Director of Global Regulations and Standards at OneSpan, we discuss the causes and impact of the rise in cybercrime in the finance industry, and the existing and upcoming regulations that are designed to help protect us, the consumer.
You’ve been at OneSpan for 5 years now. Can you tell me about what your role involves there?
“I’m Director of Global Regulations and Standards. I’m based in Washington DC and my role is to keep abreast of what is going on around the world – regulatory, legislative, new laws, new standards - and how they would affect OneSpan in terms of complying with these as an employer but also as a third-party partner to our customers.”
OneSpan has recently published its first annual Global Financial Regulations Report. What was the thinking behind this?
“We wanted to take the work that I do and package it up into a comprehensive report broken out by regions around the world. As regulations and laws have been enacted, we have put these into a catalogued report which is really for the benefit of our customers. In November 2020, we published all of this in a very extensive Global Finance Regulations Report.”
We saw a huge increase in fraud in 2020. In hindsight, what do you think could have helped prevent or reduce the high level of these incidents?
“Fraud is a huge concern in the digital world, not just cybersecurity breaches but also identity theft. When the pandemic hit, one of the real shortcomings that was exposed was the lack of strong Digital IDs in many parts of the world, most notably in the United States.”
In your experience, how do these breaches tend to occur and what do you see as the main solution?
“A lot of breaches occur because of hackers gaining access to login credentials, typically usernames and static passwords, so financial institutions are going to have to implement stronger access controls to prevent unauthorized users from accessing customer information, e.g., implementing multi-factor authentication.”
Despite the number of breaches and the level of fraud, many of us find that we are still logging into our bank accounts via a username and password.
“Passwords aren’t secure and they’re really the cause of a lot of breaches. One of the things that I think will happen is that passwords will go away as authentication technology gets better and better while achieving the balance between security and usability; people just aren’t going to remember passwords anymore.”
I read that many issues seem to stem from weaknesses in Mobile Applications being targeted by hackers. Why do you think this is?
“Many companies, when they do product development for mobile apps, have to go through their whole workflow process, but they’re not security experts – most of them are very good at providing a great user experience, but on the security side, especially in regulated industries like healthcare and financial services, you’ve got to make sure that your mobile application is strong. If your app facilitates transactions or stores or transmits data that can be monetized, that’s a potential ripe target for attackers to develop malware targeting your app that interferes with the app on your users’ devices. If your app isn’t hardened against such attacks and your app can be compromised in any way, your brand will take a hit and you may open your company up to lawsuits, especially where money and personal data are involved. OneSpan has a Mobile Security Suite which provides application shielding.”
So, let’s say I’m in charge of Application Security for a finance company in 2021. What kind of technologies should I be considering employing today whilst considering not making it all too difficult for my Users?
“OneSpan has a whole variety of authentication solutions that can be tailor-made to whatever an organization needs to use. It could be biometrics such as fingerprint or facial recognition technology – to improve the user experience. At the end of the day, one of the things that the security industry has struggled with for years, and we’re understanding, is balancing user experience with security. For example, today, I can unlock my phone with my face, or with a swipe of my fingerprint I can get into my bank account – that’s the user convenience that I want as a user, but I also want to undoubtedly know it’s secure.”
You mentioned biometrics. People are naturally concerned about their biometric data being misused or stolen. What regulations exist that are designed to prevent this from happening?
“Several states, including Illinois, Washington and Texas, have laws on the books related to biometrics. The first was the Illinois Biometric Privacy Act (BIPA). BIPA requires businesses to obtain consent from individuals in writing before obtaining their biometric data. Businesses must also disclose their policies for usage and retention.
At the federal level, there are no comprehensive biometric laws. Last year Congress introduced the National Biometric Information Privacy Act in August 2020 and that is focused on protecting biometric data and putting in the appropriate safeguards to protect that type of data, anything from fingerprints and retina scans to voiceprints.”
Ultimately, more robust authentication methods usually involve consumers sharing more personal data. People, again, are rightly concerned about their privacy.
“There’s a law called the Gramm-Leach-Bliley Act, which requires banks and other financial institutions to ‘explain their information-sharing practices to their customers and to safeguard sensitive data.’ In 2019 the Federal Trade Commission proposed new amendments to GLBA’s Safeguards and Privacy Rules. These rules are going to require all financial institutions and businesses that perform financial services, such as colleges and universities, to ensure that all customer data is encrypted and to implement access controls including multifactor authentication to protect customer data.”
How much of an impact do you think the Gramm-Leach-Bliley Act will have on the financial sector?
“The Gramm-Leach-Bliley Act has far-reaching consequences as it affects any financial business. For example, in the US, colleges and universities may offer tuition assistance and loans, and hospitals might extend a payment plan to a patient and may charge interest on that payment plan, so they would both fall under the Safeguards Rule.”
In terms of data protection, do you think that the existing consumer data protection laws go far enough?
“Consumers need protection and there aren’t minimum technical standards that organizations need to comply with that are strictly tied to these data protection laws. I think that’s a shortcoming of data protection laws.”
Even GDPR? In what ways would you improve it?
“GDPR, as strong as it is, if a database is breached, there isn’t anything that says, ok, you were protecting 5 million records with a password that is shared amongst administrators – it doesn’t say anything like that. Therefore, there are no provisions around multi-factor authentication. I think that’s an important area that should be added to some of these data protection laws.”
How effective do you think GDPR has been?
“Numerous countries in the world have data protection laws, but GDPR was revolutionary in terms of the fines that could be issued, for example, if someone was out of compliance. Looking out for the consumer in terms of consent has paved the way for numerous other laws.”
GDPR, however, is a European Regulation. Are there any plans for a national regulation in the USA?
“In the USA, we don’t have an overarching data privacy and data protection law, but California just passed an update during the 2020 election to revise the existing California Consumer Privacy Act, and that’s really going to hold companies accountable to obtain consent before any business can share personal and sensitive information. Other states have introduced similar legislation.”
Through a combination of an increase in cybercrime and a fundamental change in how we’re all now conducting our financial transactions, the global pandemic has created a huge challenge for the finance industry. As such, the industry as a whole must now act quickly to prepare for the significant regulatory changes coming this year. Industry experts such as Michael Magrath are proving invaluable by producing the timely information the industry needs in order to plan for its transformation.