Managing Third-Party Risks from Fintech

Jun 13, 2019 | by Yael Gour

The pressure to meet changing consumer needs, compete with fintech companies, and comply with regulations like the revised Payment Services Directive (PSD2) is leading many banks around the world into some dangerous territory.

In Europe, PSD2 is reshaping the business landscape for financial institutions. Intended to create a more open banking environment for consumers, PSD2 requires banks to build new application programming interfaces (APIs) that give third parties, such as fintech companies, access to their back-end systems. This API access enables third parties to leverage big banks’ data and infrastructure to build innovative services for consumers, but it creates a host of digital risks for the banks: the new APIs add fraud vulnerabilities by increasing the banks’ attack surfaces, and the “innovative” services created by third parties may expose the banks to new forms of fraud.

In the U.S., pressure to compete with both tech titans and nimble startups for consumers’ bank accounts and wallets is prompting many financial institutions to adopt third-party banking services. In some cases, banks are rolling out these services to their customers without fully understanding the risks they present, and therefore without comprehensive risk mitigation and fraud prevention plans in place. A textbook example is the use of P2P payment platforms that allow consumers to send and receive money directly to and from their bank accounts via their mobile devices. Almost as soon as one of these platforms is launched, scammers begin taking advantage of the service and cybercriminals begin exploiting vulnerabilities. Javelin Strategy & Research tells us that P2P payment services are “irresistible” to fraudsters, and that fraud on these platforms totaled $630 million in 2018, up from $549 million the prior year.

Fraud losses are not the only concern when it comes to P2P payments; brand reputation is also on the line, as consumers affected by scams and cyberattacks targeting P2P payment platforms are posting their dissatisfaction with those services—and with their banks’ handling of their claims—all over social media.

There’s a lot of money on the line for banks, too. The cost of investigating these claims, and in some cases, compensating the victims, is ticking higher. As the volume and value of P2P payments increase, so too will the operational costs associated with case investigations. This is clearly a risk for which banks must plan.

Regardless of their reasons for doing business with third-party banking services—whether driven by regulation or rising competition—banks must prepare themselves for the possibility of fraud in these new channels and make these channels part of their overall fraud mitigation strategy. The best defense is a holistic fraud prevention approach that analyzes customer behavior in ALL channels and determines the risk associated with each and every transaction. This approach gives banks more data to reference, enabling them to make faster, more accurate fraud management decisions that lower costs, improve revenue, and most importantly, drive customer satisfaction.

# # #

To learn more about managing risks associated with the API economy and fintech innovation, sign up for our webinar, Protecting Zelle Payments with RSA Adaptive Authentication, scheduled for 2 PM Eastern on Thursday, June 20, 2019.
