Cyber security: Fear of fraud driving client calls for online safety nets
Investors expect to access their portfolios digitally, which opens up the possibility of cyber fraud, particularly when mobile devices are involved
Although wealth managers turn up at regular client meetings, ready to present stories of falling oil prices, disinflation and emerging market uncertainty, they are increasingly finding broader concerns trumping market mechanics.
“With everything now reliant on the internet, the main topics of discussion start with security,” says Iain Tait, a partner in London & Capital’s Private Investment Office, who reports concerns intensifying since hacking of the US military’s social media accounts was reported. “This question now comes up in every single family office meeting.”
Most clients expect to see their portfolio online, but the more access they demand, the greater the risk of exposure to cyber fraud. “This concern about safety of online profiles, emails, passwords and portfolio valuations has been amplified in recent weeks due to the North Korea and Sony situations and then most recently the story about US government social media,” says Mr Tait.
But the cost of effective protection for banks is not prohibitive, given the number of high quality solutions providers in the industry. Third party software solutions used to back up client data include packages from Cisco, Citrix. Microsoft and Oncore IT.
In addition, wealth firms are increasingly facilitating calls between concerned clients and their chief technology officers on issues such as password control or improving how they manage online portfolio valuations. “This has become part and parcel of our wealth management offering,” admits Mr Tait.
Yet many banks are grappling to control fast-proliferating numbers of data points with one arm tied behind their backs. Not even the institutions themselves fully trust digital innovations needed to provide the efficient service satisfying both clients and regulators.
Wealth management firms generally understand the benefits of cloud computing, but many have taken a wait-and-see approach, fuelled by security concerns. A survey from software providers Advent, conducted together with WealthBriefing and Weatherill Executive found a significant minority of 38 per cent refusing to increase cloud usage in the medium term, due to worries about data security and regulation.
“This is understandable, since safeguarding client data is foundational to the wealth management proposition,” reads the report.
Whereas people are becoming more educated about the notion of “public” and “private” clouds, says Martin Engdal, Copenhagen-based market strategist with Advent, the industry has not yet reached the “tilting point” with firms still reluctant to take strategic decisions on technology.
Mr Engdal contrasts the “public” cloud used by retail companies, where data can be processed cheaply on servers in distant locations, without the client’s knowledge, with the more expensive “private” route that financial services companies are likely to take. In the latter case, data is held on a named server, generally close to the bank’s headquarters.
He says that concern about security of cloud-based solutions is currently coming from the largest, top tier institutions, carrying heavy, legacy IT infrastructure rather than smaller players. Many are still waiting for regulatory certainty on the issue.
But to what extent security concerns are justified is a more complex issue. “The whole notion of private banks storing data about the client’s identity has been an anathema, particularly in Luxembourg and Switzerland,” says Gary Linieres, CEO of technology consultants Wealth Dynamix. “But this is all changing due to regulations and the move to cloud-based solutions. It can be a very difficult concept for wealth managers to cope with.”
Private banking has always prided itself for security, according to Amit Pau, managing director at financial technology investor Ariadne Capital, based just off London’s Trafalgar Square. “Physical private bankers would rarely share information about their client to a third party,” but security is under threat more than ever “in the hyper-technical world we now live in.”
These threats are both on and off line. In the office, personal assistants – with access to more information than bankers – have become fraudsters’ main target. Online, he says, serious information leaks by the US Government, Sony and JP Morgan have made two-step authentication a necessary security hurdle for banks fearing cyber fraud.
But experts believe we have not yet seen the worst of the leaks and Mr Pau expects an even more serious breach, a “Pearl Harbour moment” to take place before systems and procedures are finally secured. While “robust” secure desktop technology is in place almost universally, it is the fast moving mobile area which most banks must tackle. Systems can, for instance, add an extra security level by matching advance travel plans of wealthy individuals with purchases, stock trades, money transfers and mobile communications, so that identity can be verified.
If technology is deployed correctly, it can significantly enhance security
“In 2015, this is one of the biggest issues our industry faces,” says Mr Pau. “If technology is deployed correctly, it can significantly enhance security.”
Some oligarchs and family office bosses typically use fingerprints to verify their credentials, but with a risk of kidnap, a mobile service linked to individual travel plans is a much safer proposition, he believes.
“By deploying mobile related technology and security principles, you are in a significantly better place to enhance the consumer experience and deliver a more ultimately robust and reliable service,” he says.
He points to evidence that when people lose their bank cards, passport and mobile phone, 90 per cent call their mobile operator first, barring calls, messages and financial transactions from the device.
Many retail and private banking customers refuse to use mobile technology for transactions, says Mark Kanji, CEO of Apptivation, which designs mobile apps for banks including Lloyds and Investec.
“Mobile has suffered similarly to online banking in the early days, when some customers didn’t see the internet as a secure channel to make payments,” he says.
This suspicion has abated to some extent, following the banks’ investment in two-step authentication and anti-viral software. Two years ago, around 50 per cent of customers did not trust mobile banking as a payment channel, says Mr Kanji. Today, he reckons the sceptics account for 20 to 30 per cent of customers.
“In many remote parts of the world, where we see bill payments through SMS messages, there is no alternative to mobile banking,” he says.
Yet those wary of making payments through mobile channels do have a case, as fraudsters increasingly target mobile banking, in the same way they launched online “phishing” expeditions a decade ago. He lists popular scams, including bogus mobile apps “which ask customers to share log-in credentials and trick them into transacting,” although they are increasingly being policed, as “Google steps up its search for malware”.
Ensuring secure connections between app and server is also crucial. “Users must avoid connectivity to bogus wifi routers, which intercept information,” says Mr Kanji, suggesting installation of SDK software to encrypt data before it is transferred from mobile app to server. Banks can also install custom keyboards within apps, to prevent fraudsters’ operating systems capturing customer passwords.
Some commentators believe clients do not yet have the confidence in their designated private bankers to step further into the digital unknown. “Once you have built this trust, you can ask your clients in which direction they wish to go,” says Caroline Garnham, CEO of Family Bhive social media platform for ultra high net worth individuals. “Online banking can be efficient, but when something goes wrong, clients want to talk to a person and online banking does not help. They will not be wooed to join a bank just by an app, even in the digital age.”
She describes a call she recently made to her private banker to transfer money to her daughter’s account. “The fact they knew my daughter’s name – through their CRM system – and they asked about my book, which was published last year, made me feel instantly warm and cuddly.”
The feeling of security such exchanges engender is so far difficult to replicate through an online system. While Ms Garnham appreciates the “myriad of steps” needed to register for online banking, these are sometimes of little comfort to customers, who have seen names posted on the internet after recent hacking incidents and sold to foreign governments by disgruntled employees.
“Those stories got into the press,” says Ms Garnham. “But how many other incidents have there been where information was sold and it didn’t get into the newspapers? You would expect a big bank to get the basics right. This is what really worries people.”
Technology has become a commodity, with the expense yet to assure clients their secrets are any safer than in previous, clunkier eras, argues Ray Soudah, CEO of Millenium Associates and an expert on Swiss banking. “There are all these fancy apps allowing clients to see their portfolio online, which has been hugely expensive,” he says. “But what does it actually do for people? Despite the money spent, more than 80m people have had their data revealed to the world in several incidents. Where is the security?”