Traditional Financial Services and Modern Fintechs suffer from the same issues in Siloed Back Offices for Non-Financial Risk
Fragmented Systems, Rising Costs, Unchecked Risks
Siloed Operations with little info-sharing between domains of Non Financial Risk (Fraud, Cyber Security, Financial Crime, DevOps)
Siloed Vendor Systems with Siloed Detection logic
Compliance and Internal Audit do not have effective tools to monitor Non-Financial Risk operations
CAPEX and OPEX in siloed Non-Financial Risk operations and compliance is high
Vendor implementations do not meet outcomes/ROI or business case
Multiple GenAI/ML and rule models often with different versions - Model Governance nightmare
Data Protection/Data Sovereignty Challenges
Multiple investigations and case management tools
Siloed vendor solutions, siloed operations breeds an Empire Building approach with bloated staff requirements
Enterprise Wide Risk Assessment approaches do not follow primary, secondary risk correlations and hence only looks at siloed risk in isolation - often also static not dynamic
Growing AI/Gen AI enabled sophisticated threats are overwhelming siloed detection systems
Majority of RegTech detection and compliance solutions are not Reg Native. They do not actually link compliance to the detection and take contextual information into account
Startups in Payments & Fintechs Industry : Non-Financial Risks Summary
Cyber Security
Financial Crime
Fraud
Dev Security Ops
Lack of Resources: Limited budget and expertise can make it difficult to implement robust security measures, leaving them vulnerable to attacks.
KYC/AML Challenges: Effectively verifying customer identities and monitoring transactions for suspicious activity.
Evolving Fraud Techniques: New and sophisticated fraud schemes constantly emerging – especially hitting real time fraud and anonymous payment techniques such as QR codes, Wallet Transactions
Security Debt: Rushing development and neglecting security considerations.
Rapid Growth: Rapid scaling can outpace security infrastructure, creating gaps and vulnerabilities.
Lack of Compliance Expertise: Difficulty navigating complex regulatory requirements.
Fraud Detection as an Afterthought or Lack of Fraud Detection: Inability identify, recognize and place adequate detection and prevention controls for fraudulent transactions.
Lack of Secure Coding Practices: Introducing vulnerabilities into the code during development.
Third-Party Dependencies & Security Misconfigurations : Relying on third-party APIs and services can introduce security risks if those partners are compromised. Cloud and internal applications as well as 3rd party dependencies security misconfigurations must be logged, managed and monitored.
Cross-Border Crime: Facilitating international money laundering and other financial crimes. This can lead to lapses in KYC/EDD, lapses in Name Screening, lapses in Sanctions and potentially introduce terrorist financing risks.
Synthetic and Deepfake Identity Fraud: Creating fake identities to commit fraud by using GenAI and advanced AI techniques to obfuscate the identity, location, nature of funds and potential account related information.
Software Supply Chain Risks: Compromised software components or libraries introducing vulnerabilities. Startups must have security mindset even when using GIT, other Open Source libraries and even commercial vendors as their own vulnerabilities cascade.
Data Exfiltration and Data Breaches: Loss of sensitive customer data (card details, PII) due to inadequate security practices. Large-scale data breaches compromising millions of customer records and the reputational risk a startup has to address.
Emerging Technologies: Exploiting new payment methods (e.g., cryptocurrencies, QR codes) for illicit activities. Routing, peer to peer, anonymous transactions, wallet security, ISO 20022 compliance, differing consensus algorithms, oracles/bridges, mixers etc
Mule Accounts, Pig Butchering and Self-Committed Frauds – Social engineering techniques, financial position and influencer behavior, over confidence with technology have left many vulnerable groups like GenZ, elderly and others vulnerable to resorting to be manipulated by criminals.
Vulnerability Management: Difficulty tracking and remediating vulnerabilities in complex applications. In addition, penetration testing as well as CVE management and proof of adequate testing against these needs to be shown.
Insider Threats: Malicious or negligent employees compromising payment systems. Robustness of internal logs and adequate monitoring, authentication and other controls need to be put in place.
Regulatory Scrutiny:Cross-Border Home/Host regulators and differences in standards, inter-operability, information exchange and complexity and without the ability to attract and pay for the right compliance skillsets leaves Startup’s vulnerable.
Cyber crime intersection – most fraud SaaS vendors handle one or the other but both not very well. Lacking is full integration of Cyber Security related information and combining this as well as seeing the big picture of timing of multiple actors and victims.
Automation Gaps: Lack of security automation in CI/CD pipelines.
Sophisticated Attacks, nowadays GenAI enabled: Advanced persistent threats (APTs) targeting payment networks and infrastructure at a speed and complexity which is hard for older cyber security software and without adequately skilled cyber security and data scientists to help out.
Contextual Information (Attackers/Victims) and Subtle Signs of Penetration : Even with GenAI there is a growing list of False Negatives and a new type of False Positive growing. Contextual information entwined into profiles will help with this level of detection. Channels are often compromised by seemingly innocent patterns of transactions testing penetration.