I’ve just come across a new report from Deloitte titled ‘2019 Banking and Capital Markets Outlook: Reimagining transformation’. I was interested to read its opening sentence: “The global banking system is not only bigger and more profitable but also more resilient than at any time in the last 10 years.”
According to The Banker’s Top 1000 World Banks Ranking for 2018, total assets reached $24 trillion and the return on assets was 0.9 percent. This data would seem to say that at the end of the decade following the financial crash (caused by the banks, lest we forget) banks are in great shape. You may feel they don’t deserve it, but that appears to be the situation.
Banking health isn’t global
However, this healthy environment isn’t a global phenomenon. Deloitte says that the USA is ahead of its European counterparts. This is due to “aggressive policy interventions and forceful regulations”, Deloitte claims, and the result has been healthier American banks.
By contrast, structural deficiencies, overcapacity, low/negative interest rates, and the absence of a pan-European banking regulatory agency have all likely contributed to European banks experiencing persistent profitability challenges.
European banks have been shrinking in size, retreating from international markets and exiting businesses that were profitable for them in the past. To illustrate this, just look at the fact that the profits of the top five European banks dropped from $60 billion in 2007 to $17.5 billion in 2017. However, Western European banks seem to be faring better these days, with an ROE that grew to 8.6 percent in 2017, compared with 5.5 percent in 2016.
On the other side of the world, the Chinese banks have been the big story. Not only has the Chinese banking industry surpassed that of the European Union (EU) in terms of size, but the world’s four largest banks in 2018 are Chinese. Compare this with 2007 when there were no Chinese banks in the world’s Top 10.
A recession is coming?
But the Deloitte report sees some gloom on the horizon. Deloitte economists are predicting a 25 percent probability of a recession in the United States in 2019, and this is likely to weaken US economic growth in 2020, if not in late 2019. Although we are almost at the year’s end already. And the Deloitte forecasts for GDP growth by region show most of the regions in decline, or flatlining just past 2020.
Where can the transformation happen in banking?
Partnership with fintechs is one approach. Deloitte says more digital transformation is required. However, Deloitte asks, “But how much of this change is purposeful and strategic?” It comments: Banks should bolster their conviction and reimagine transformation as a holistic, multiyear process and “change how they change.”
Deloitte also suggests that the transformation “should fundamentally start with banks reaffirming their role in the global financial system,” but it adds a warning: “Banks should discard grand visions of becoming “a technology company” and instead focus on customers, enhance trust as financial intermediaries, facilitate capital flows, and provide credit to the global economy with data as the bond that sustains the amalgam of technologies—AI, automation, cloud, core modernization, etc.—best suited for the purpose.”
Most of us think that cybercrime is an activity that goes back around 20 to 30 years. We think in terms of how long the Internet has been around. But that would be quite far from the truth. Since technology has been used as a form of communication, there have been individuals who have sought to use it for criminal activity.
The first ‘hack’ took place in 1834. In that year, some thieves hacked (not a word they used then) the French Telegraph system to steal financial market information. And in 1870, a young person was hired to operate a telephone switchboard in order to disconnect and redirect calls for personal use. This also happened in the early days of the New York telephone system, which started in 1878, when a group of teenagers were found to be intentionally misdirecting calls.
Fast forward to 1939, and we have what might be called a ‘good’ hack. This is when Alan Turing and his codebreaking team at Bletchley Park in the UK broke Germany’s Enigma codes. It was an important breakthrough in WW2, and there were some other intrepid technology hacks of this kind during the war.
In 1955 David Condon whistled his “Davy Crockett Cat” and “Canary Bird Call Flute” into his phone, testing a theory on how phone systems work. The system recognized the secret code, assumed he was an employee, and connected him to a long-distance operator. She then connected him to any phone number he requested for free.
In the 1960s there was the first example of a computer virus. Called the Rabbits Virus, it started when an anonymous person installed a programme on a computer at the University of Washington Computer Centre. The inconspicuous programme made copies of itself (breeding like a rabbit) until the computer overloaded and stopped working.
And in 1971, the founders of Apple, Steve Jobs and Steve Wozniak, discovered the joys of phone pranks. Wozniak built a blue box designed to hack into phone systems, and pretended to be Henry Kissinger, as well as prank-calling the Pope. He started mass-producing the device with friend Steve Jobs and selling it to classmates.
But it isn’t until the beginning of the 1980s that the first cybercrime conviction happens. Ian Murphy, aka “Captain Zap,” hacked into the AT&T network and changed the internal clock to charge off-hour rates at peak times.
Since then, the cybercrime incidents have picked up speed, to include an array of viruses, such as the Melissa virus that infected Microsoft Word documents, and a host of DDoS attacks, and a global bank attack perpetrated by a group of Russian hackers to secure information from more than 100 institutions around the world. They stole £650 million.
And this year 74 Facebook groups devoted to the sale of stolen credit card data, identity info, spam lists, hacking tools, and other cybercrime commodities were uncovered.
Perhaps it is somewhat surprising that history is able to keep repeating itself with such ease. It does seem that cybersecurity has too often been something of an afterthought on the part of large organisations. There is no such thing as “perfect security”, because there will always be some hackers out there who are busy working out how to stay ahead of the security systems. The challenge for everyone is how to stay ahead of the hackers.
Take a read through the timeline below and give some thought to how innovation, information sharing, proactivity, diligence, and experience have transformed how we would have reacted in these situations if given the chance to tackle them again…
1834 — French Telegraph System — A pair of thieves hack the French Telegraph System and steal financial market information, effectively conducting the world’s first cyberattack.
1870 — Switchboard Hack — A teenager hired as a switchboard operator is able to disconnect and redirect calls and use the line for personal usage.
1878 — Early Telephone Calls — Two years after Alexander Graham Bell invents the telephone, the Bell Telephone Company kicks a group of teenage boys off the telephone system in New York for repeatedly and intentionally misdirecting and disconnecting customer calls.
1903 — Wireless Telegraphy — During John Ambrose Fleming’s first public demonstration of Marconi’s “secure” wireless telegraphy technology, Nevil Maskelyne disrupts it by sending insulting Morse code messages discrediting the invention.
1939 — Military Codebreaking — Alan Turing and Gordon Welchman develop BOMBE, an electro-mechanical machine, during WWII while working as codebreakers at Bletchley Park. It helps to break the German Enigma codes.
1940 — First Ethical Hacker — Rene Carmille, a member of the Resistance in Nazi-occupied France and a punch-card computer expert who owns the machines that the Vichy government of France uses to process information, finds out that the Nazis are using punch-card machines to process and track down Jews, volunteers to let them use his, and then hacks them to thwart their plan.
1955 — Phone Hacker — David Condon whistles his “Davy Crockett Cat” and “Canary Bird Call Flute” into his phone, testing a theory on how phone systems work. The system recognizes the secret code, assumes he is an employee, and connects him to a long-distance operator. She connects him to any phone number he requests for free.
1957 — Joybubbles — Joe Engressia (Joybubbles), a blind, 7-year-old boy with perfect pitch, hears a high-pitched tone on a phone line and begins whistling along to it at a frequency of 2600Hz, enabling him to communicate with phone lines and become the U.S.’s first phone hacker or “phone phreak.”
1962 — Allan Scherr — MIT sets up the first computer passwords, for student privacy and time limits. Student Allan Scherr makes a punch card to trick the computer into printing off all passwords and uses them to log in as other people after his time runs out. He also shares passwords with his friends, leading to the first computer “troll.” They hack into their teacher’s account and leave messages making fun of him.
1969 — RABBITS Virus — An anonymous person installs a program on a computer at the University of Washington Computer Center. The inconspicuous program makes copies of itself (breeding like a rabbit) until the computer overloads and stops working. It is thought to be the first computer virus.
1970–1995 — Kevin Mitnick — Beginning in 1970, Kevin Mitnick penetrates some of the most highly-guarded networks in the world, including Nokia and Motorola, using elaborate social engineering schemes, tricking insiders into handing over codes and passwords, and using the codes to access internal computer systems. He becomes the most-wanted cybercriminal of the time.
1971 — Steve Wozniak and Steve Jobs — When Steve Wozniak reads an article about Joybubbles and other phone phreaks, he becomes acquainted with John “Captain Crunch” Draper and learns how to hack into phone systems. He builds a blue box designed to hack into phone systems, even pretending to be Henry Kissinger and prank-calling the Pope. He starts mass-producing the device with friend Steve Jobs and selling it to classmates.
1973 — Embezzlement — A teller at a local New York bank uses a computer to embezzle over $2 million.
1981 — Cybercrime Conviction — Ian Murphy, aka “Captain Zap,” hacks into the AT&T network and changes the internal clock to charge off-hour rates at peak times. The first person convicted of a cybercrime, and the inspiration for the movie “Sneakers,” he does 1,000 hours of community service and 2.5 years of probation.
1982 — The Logic Bomb — The CIA blows up a Siberian Gas pipeline without the use of a bomb or a missile by inserting a code into the network and the computer system in control of the gas pipeline. The code was embedded into equipment purchased by the Soviet Union from a company in Canada.
1984 — US Secret Service — The U.S. Comprehensive Crime Control Act gives Secret Service jurisdiction over computer fraud.
1988 — The Morris Worm — Robert Morris creates what would be known as the first worm on the Internet. The worm is released from a computer at MIT to suggest that the creator is a student there. The potentially harmless exercise quickly becomes a vicious denial of service attack when a bug in the worm’s spreading mechanism leads to computers being infected and reinfected at a rate much faster than he anticipates.
1988–1991 — Kevin Poulsen — In 1988, an unpaid bill on a storage locker leads to the discovery of blank birth certificates, false IDs, and a photo of hacker Kevin Poulsen, aka “Dark Dante,” breaking into a telephone company trailer. The subject of a nationwide manhunt, he continues hacking, including rigging the phone lines of a Los Angeles radio station to guarantee he is the correct caller in a giveaway contest. He is captured in 1991.
1989 — Trojan Horse Software — A diskette claiming to be a database of AIDS information is mailed to thousands of AIDS researchers and subscribers to a UK computer magazine. It contains a Trojan (after the Trojan Horse of Greek mythology), or destructive program masquerading as a benign application.
1994 — Datastream Cowboy and Kuji — Administrators at the Rome Air Development Center, a U.S. Air Force research facility, discover a password “sniffer” has been installed onto their network, compromising more than 100 user accounts. Investigators determined that two hackers, known as Datastream Cowboy and Kuji, are behind the attack.
1995 — Vladimir Levin — Russian software engineer Vladimir Levin hacks into Citibank’s New York IT system from his apartment in Saint Petersburg and authorizes a series of fraudulent transactions, eventually wiring an estimated $10 million to accounts worldwide.
1998–2007 — Max Butler — Max Butler hacks U.S. government websites in 1998 and is sentenced to 18 months in prison in 2001. After being released in 2003, he uses WiFi to commit attacks, program malware and steal credit card information. In 2007, he is arrested and eventually pleads guilty to wire fraud, stealing millions of credit card numbers and around $86 million of fraudulent purchases.
1999 — NASA and Defense Department Hack — Jonathan James, 15, manages to penetrate U.S. Department of Defense division computers and install a backdoor on its servers, allowing him to intercept thousands of internal emails from different government organizations, including ones containing usernames and passwords for various military computers. Using the info, he steals a piece of NASA software. Systems are shut down for three weeks.
1999 — The Melissa Virus — A virus infects Microsoft Word documents, automatically disseminating itself as an attachment via email. It mails out to the first 50 names listed in an infected computer’s Outlook email address box. The creator, David Smith, says he didn’t intend for the virus, which caused $80 million in damages, to harm computers. He is arrested and sentenced to 20 months in prison.
2000 — Lou Cipher — Barry Schlossberg, aka Lou Cipher, successfully extorts $1.4 million from CD Universe for services rendered in attempting to catch the Russian hacker.
2000 — Mafiaboy — 15-year-old Michael Calce, aka MafiaBoy, a Canadian high school student, unleashes a DDoS attack on several high-profile commercial websites including Amazon, CNN, eBay and Yahoo! An industry expert estimates the attacks resulted in $1.2 billion in damages.
2002 — Internet Attack — By targeting the thirteen Domain Name System (DNS) root servers, a DDoS attack assaults the entire Internet for an hour. Most users are unaffected.
2003 — Operation CyberSweep — The U.S. Justice Department announces more than 70 indictments and 125 convictions or arrests for phishing, hacking, spamming and other Internet fraud as part of Operation CyberSweep.
2003–2008 — Albert Gonzalez — Albert Gonzalez is arrested in 2003 for being part of ShadowCrew, a group that stole and then sold card numbers online, and works with authorities in exchange for his freedom. Gonzalez is later involved in a string of hacking crimes, again stealing credit and debit card details, from around 2006 until he is arrested in 2008. He stole millions of dollars, targeting companies including TJX, Heartland Payment Systems and Citibank.
2004 — Lowe’s — Brian Salcedo is sentenced to 9 years for hacking into Lowe’s home improvement stores and attempting to steal customer credit card information.
2004 — ChoicePoint — A 41-year-old Nigerian citizen compromises customer data of ChoicePoint, but the company only informs 35,000 people of the breach. Media scrutiny eventually leads the consumer data broker, which has since been purchased by LexisNexis, to reveal another 128,000 people had information compromised.
2005 — PhoneBusters — PhoneBusters reports 11K+ identity theft complaints in Canada, and total losses of $8.5M, making this the fastest growing form of consumer fraud in North America.
2005 — Polo Ralph Lauren/HSBC — HSBC Bank sends letters to more than 180,000 credit card customers, warning that their card information may have been stolen during a security breach at a U.S. retailer (Polo Ralph Lauren). A DSW data breach also exposes transaction information from 1.4 million credit cards.
2006 — TJX — A cybercriminal gang steals 45 million credit and debit card numbers from TJX, a Massachusetts-based retailing company, and uses a number of the stolen cards to fund an electronic shopping spree at Wal-Mart. While initial estimates of damages came up to around $25 million, later reports add up the total cost of damages to over $250 million.
2008 — Heartland Payment Systems — 134 million credit cards are exposed through SQL injection to install spyware on Heartland’s data systems. A federal grand jury indicts Albert Gonzalez and two Russian accomplices in 2009. Gonzalez, alleged to have masterminded the international operation that stole the credit and debit cards, is later sentenced to 20 years in federal prison.
2008 — The Church of Scientology — A hacker group known as Anonymous targets the Church of Scientology website. The DDoS attack is part of a political activist movement against the church called “Project Chanology.” In one week, the Scientology website is hit with 500 DDoS attacks.
2010 — The Stuxnet Worm — A malicious computer virus called the world’s first digital weapon is able to target control systems used to monitor industrial facilities. It is discovered in nuclear power plants in Iran, where it knocks out approximately one-fifth of the enrichment centrifuges used in the country’s nuclear program.
2010 — Zeus Trojan Virus — An Eastern European cybercrime ring steals $70 million from U.S. banks using the Zeus Trojan virus to crack open bank accounts and divert money to Eastern Europe. Dozens of individuals are charged.
2011 — Sony Pictures — A hack of Sony’s data storage exposes the records of over 100 million customers using their PlayStation’s online services. Hackers gain access to all the credit card information of users. The breach costs Sony more than $171 million.
2011 — Epsilon — A cyberattack on Epsilon, which provides email-handling and marketing services to clients including Best Buy and JPMorgan Chase, results in the compromise of millions of email addresses.
2011 — RSA SAFETY — Sophisticated hackers steal information about RSA’s SecurID authentication tokens, used by millions of people, including government and bank employees. This puts customers relying on them to secure their networks at risk.
2011 — ESTsoft — Hackers expose the personal information of 35 million South Koreans. Attackers with Chinese IP addresses accomplish this by uploading malware to a server used to update ESTsoft’s ALZip compression application and steal the names, user IDs, hashed passwords, birthdates, genders, telephone numbers, and street and email addresses contained in a database connected to the same network.
2011–2012 — LulzSec — Lulz Security, or LulzSec, a break-off group from hacking collective Anonymous, attacks Fox.com and then targets more than 250 public and private entities, including an attack on Sony’s PlayStation Network. They then publicize their hacks through Twitter to embarrass website owners and make fun of insufficient security measures.
2009–2013 — Roman Seleznev — Roman Seleznev hacks into more than 500 businesses and 3,700 financial institutions in the U.S., stealing card details and selling them online, making tens of millions of dollars. He is eventually caught and convicted for 38 charges, including hacking and wire fraud.
2013–2015 — Global Bank Hack — A group of Russian-based hackers gains access to secure information from more than 100 institutions around the world. The hackers use malware to infiltrate banks’ computer systems and gather personal data, stealing £650 million from global banks.
2013 — Credit Card Fraud Spree — In the biggest cybercrime case filed in U.S. history, federal prosecutors charge 5 men responsible for a hacking and credit card fraud spree that cost companies more than $300 million.
2014–2018 — Marriott International — A breach occurs on systems supporting Starwood hotel brands beginning in 2014. Attackers remain in the system after Marriott acquires Starwood in 2016 and aren’t discovered until September 2018. The thieves steal data on approximately 500 million customers. Marriott announces it in late 2018.
2014 — eBay — A cyberattack exposes names, addresses, dates of birth, and encrypted passwords of all of eBay’s 145 million users.
2014 — CryptoWall — CryptoWall ransomware, the predecessor of CryptoDefense, is heavily distributed, producing an estimated revenue of $325 million.
2014 — JPMorgan — Hackers hijack one of JPMorgan Chase’s servers and steal data about millions of bank accounts, which they use in fraud schemes yielding close to $100 million.
2015 — Anthem — Anthem reports theft of personal information on up to 78.8 million current and former customers.
2015 — LockerPin — LockerPin resets the pin code on Android phones and demands $500 from victims to unlock the device.
2015 — Prepaid Debit Cards — A worldwide gang of criminals steals a total of $45 million in a matter of hours by hacking a database of prepaid debit cards and then draining cash machines around the globe.
2016 — DNC Email Leaks — Democratic National Committee emails are leaked to and published by WikiLeaks prior to the 2016 U.S. presidential election.
2017 — Equifax — Equifax, one of the largest U.S. credit bureaus, is hacked, exposing 143 million user accounts. The sensitive leaked data includes Social Security numbers, birth dates, addresses, driver’s license numbers, and some credit card numbers.
2017 — Chipotle — An Eastern European criminal gang that is targeting restaurants uses phishing to steal credit card information of millions of Chipotle customers.
2017 — WannaCry — WannaCry, the first known example of ransomware operating via a worm (viral software that replicates and distributes itself), targets a vulnerability in older versions of Windows OS. Within days, tens of thousands of businesses and organizations across 150 countries are locked out of their own systems by WannaCry’s encryption. The attackers demand $300 per computer to unlock the code.
2019 — Facebook — 74 Facebook groups devoted to the sale of stolen credit card data, identity info, spam lists, hacking tools, and other cybercrime commodities are uncovered.
Let these examples be a reminder to us all — history needs to stop repeating itself!
One way in which the banks have tried to catch up with the digital age is by partnering with fintechs. Basically, it saves them the problem of finding new staff and creating a specially developed department, and it makes sense.
There has been a noticeable growth in bank-fintech partnerships since 2018, and it appears to be happening in three different ways.
First, banks are making direct investments in fintech startups. Second, the banks are integrating new startups’ technology into their own applications by using a ‘white label’ agreement. Third, at least one in three banks plans to buy a fintech in the next year.
Mergers and Acquisitions
It would appear that banks and fintechs are moving away from seeing each other as competitors, and instead acknowledging that they need each other. We are seeing banks being more proactive in their approach to collaborating with fintech firms, and there have been hundreds of bank-fintech partnerships taking place via strategic investments, innovation programmes, incubators and accelerators, as well as M&A activities.
We are also seeing that banks want to leverage more fintech know-how and their front-end capabilities. Meanwhile fintechs want to leverage the banks’ vast customer bases, their infrastructure, and their stronghold on the financial regulatory systems.
What is helping this the most is APIs. The banks want to revamp their core banking systems by enabling plug-and-play services offered by fintechs. So, we are seeing a lot of open platforms being built in different fintech sectors. As Medici’s Global Deep Dive report says, “This is seen as a natural step forward to embrace the growing need for co-development, reusability, and agile/rapid application
Banks also have lots of customer data, which is very valuable in an era ruled by Big Data and AI. Fintechs want to tap into this data and discover the actionable insights that will help their growth. There are some questions about who owns the data though.
Medici gives the example of Apple, which has managed to gather a lot of support from UK banks. This is because it has agreed not to hold on to customer data. Although, with stronger data protection regulations such as GDPR in place, it will be interesting to see how this situation pans out in the coming years.
The fintech sector started with the idea of disintermediating the incumbent banks’ service lines and adding a tech-driven customer experience to deliver innovative offerings. But it seems that the story has moved from ‘breaking the banks’ to ‘working with the banks’. As a result, the coming together of banks and fintechs has given a new direction to the strategic expansion of the financial services ecosystem, and in the coming years, we can expect the same trend to continue and take a more concrete shape. That seems to be the industry consensus.
Neobanks are having the same effect on banking, as quantum theory did on our ideas about reality, Medici suggests. Furthermore, digital banking has become a part of our everyday lives.
Stash CEO, Brendan Krieg, claims that his company has gained over 3 million customers since 2015. He says that the reason they have become so popular is that they’ve studied the consumer and discovered that the average person wants to live a better financial life. Perhaps it is unsurprising that Stash’s average user is a 29-year-old who makes $50k a year, not a bad salary for a Millennial these days. But success, Krieg suggests, is down to the fact that Stash’s app makes it easy for people to invest.
As Medici points out, the neobanks have gained their successes because they are meeting the customer where they are and are finding ways to connect advice, banking, and investing in one experience.
This applies not just to Stash: it’s a global phenomenon. The leading success factor for the major neobanks’ growth appears to be their superior customer experience compared to the traditional banks.
The redesigned mobile and web applications, and smooth customer onboarding, have enabled players like Monzo, Atom and Starling Bank to grow at speed.
Also, by eliminating costs associated with physical branch maintenance, neobanks are able to reduce the fees associated with key products.
However, while the customer experience seems to be the neobanks’ key selling point, there is another factor. They are solving the bigger issues with conventional banking.
For example, they are looking at innovative product offerings and improved customer service. Medici gives the example of Open, a neobank in India. It has integrated automated accounting and payment gateways with its current account offering. Furthermore, its platform enables startups and SMEs to integrate banking and accounting in one place using a multi-bank connect feature. And Open helps startups and SMEs to manage employee expenses in a seamless way.
Another example from India is InstantPay. It is focused on bridging a gap that traditional banks have not looked at since banks opened in India, and that is some time ago. InstantPay drives financial inclusion in a responsible and sustainable way and has reached 10,000+ PIN codes, and caters to 50 million unique customers.
Anish Achuthan, CEO of Open, said, “Most Startups & SMEs generally use multiple dashboards and interfaces for invoices, bookkeeping, and online payments. Making vendor payments and employee payouts have always been a challenge. All of this drains entrepreneurs and finance teams of their time & energy.”
Western neobanks have been successful largely because of the customer experience they offer, while in the Asia-Pacific markets the neobanks have to take a step further by answering core banking problems in the industry, such as ‘knowledge transfer,’ ‘undocumented logic,’ ‘technical debt,’ and a ‘skills/desire gap’.