Cybersecurity drives new financial market policies

Governments and the private sector respond systematically to the demands of digitisation, forced by COVID-19 blockades or lockdowns

The current situation caused by the COVID-19 lockdowns has not only paralysed and constrained our lives, it has also forcibly digitised them. As a result, many sectors, such as the financial market, have had to adjust to forced restrictions on mobility, social distancing measures or teleworking, among others, which have made services and tools such as electronic signatures, remote authentication services and online payment indispensable for carrying out transactions.

In fact, the digitisation of finance had already taken off before the emergence of the economic and social blockade caused by the political class due to the SARS-CoV-2 virus. Banks, stock exchanges and the like needed to adapt to the “laws” of the unstoppable digital transformation. They could also learn about its advantages and embrace a range of opportunities and improvements to their businesses, such as blockchain technology, which gives users autonomy to control the trajectory of their financial movements without relying on banks.

However, moving financial activity to the internet also exposes it to risks such as the absence of cross-border jurisdiction, very high-risk transactions or information hijacking. The changes forced in recent months have accelerated, in response, a rapid updating of operational and security policies in national and international banking.

Above all, these updates drive cybersecurity as applied to the transactions carried out by customers, their payments and their personal details, and also to the companies themselves. For example, in the United States, a “112 (911) telephone number” is being considered for banks that experience cybersecurity incidents. This is a policy of emergency notification to the Office of the Comptroller of the Currency (OCC), which is responsible for overseeing the “good governance” of the US banking system. The measure, whose full title is Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, was published as a proposed rulemaking on 12 January 2021.

New recommendations and regulations have also been issued for crypto-assets such as bitcoin, as well as for their providers (known as “VASPs”, Virtual Asset Service Providers). Among other objectives, governments want to avoid facilitating money laundering, terrorist financing or other financial crimes that circulate on the internet outside national laws. This is the case of the Financial Transactions and Reports Analysis Centre (FINTRAC) in Canada, which since last June has been registering all cryptocurrency exchanges in the country, and of the Financial Action Task Force (FATF), which will update its recommendation guide for virtual assets in June after a public consultation period that is already open.

However, the initiative that generates most consensus among governments and regulators is the need to implement Multi-Factor Authentication (MFA), also known as Strong Customer Authentication (SCA), on financial activities. These measures mean that access to a bank account, the signing of a contract or the sending of a transfer, for example, passes through two or more different security controls (patterns, codes, “video identification”, biometric analysis, etc.). The ultimate goal is to ensure that the customer is who they say they are: the real owner of the account, the person who wants to execute the contract, or the person who wants to send money. In this way, imitation, impersonation or identity fraud in remote transactions is prevented.

Since the Second Payment Services Directive (PSD2) made these identification processes standard within the European Economic Area, countries such as Colombia, India, Peru, the United States and Canada have joined the mission to create a re-armed online ecosystem and have committed to eradicating the financial crimes that the cloud leaves most unprotected.

In addition to identity verification measures, there are also measures for the protection of personal data. It is not only a matter of safeguarding the most sensitive information, but also of guaranteeing the rights related to its management, such as the rights of rectification, deletion or access. Governments around the world seem to be increasingly aware of this issue. Canada, New Zealand, Singapore, Brazil, South Africa, Thailand, California and the state of Virginia are regions that have recently incorporated measures to modernise their data protection laws, increase corporate accountability, better detect breaches, increase fines and even prevent large-scale spam. Many of these regulations are inspired by the EU’s pioneering General Data Protection Regulation (GDPR).

The focus on cybersecurity is complemented by demands for convenience and usability. Apart from creating a more reliable cyberspace, financial institutions, both public and private (and especially large central banks), are developing digital applications that make life easier for users and businesses. The most promising are those that enable instant electronic payment. Since last October, the Central Bank of Brazil has been rolling out Pix, an application which, for example, allows instant payment of electricity bills via a smartphone. New platforms are also in the pipeline in North America. The FedNow Service will arrive in the United States in 2023, while the Bank of Canada is preparing two new systems: the innovative Lynx for the middle of this year, and Real-Time Rail (RTR) for 2022.

Alongside these new payment methods, countries are opening their doors to the acceptance and use of electronic signatures. Australia wants to allow them to be used to execute its public legal documents. The United States has also embraced them for signing the electronic filings of corporate information that companies have to make on EDGAR, the open database of the Securities and Exchange Commission (SEC).

As we can see, this transitional banking landscape between the face-to-face and the digital, the mediated and the decentralised, the traditional and the alternative, is not only the seed of a global political crisis that has altered the social and economic order. It is also a response to new consumer habits, which demand greater agility, convenience and transparency; to the speed and complexity with which today’s hyper-connected world operates; to new forms of crime that take advantage of the Internet to go unnoticed; and to the powerful business opportunities made possible by the digital “ether”. In fact, traditional entities have reached a context of exhaustive competition with their virtual alternatives… Or, on the contrary, of a necessary collaboration or convergence with them. Elon Musk’s firm commitment to bitcoin, for example, is a reflection of this “state of alarm” that the new rules of the game are imposing.