
Bank Customer Experience Summit

Striking a balance between customer experience and security

As banks strive to offer customers good online experiences, they often partner with a variety of fintechs. But how do they ensure that their apps are secure?

Joe Mancini of Radius Bank and Paul Siegfried of TransUnion discuss security at BCX 2019.


by Amy Castor — Editor, Networld Media Group

Banks striving to offer customers better online experiences often partner with a variety of fintechs to create apps. But they may find it a struggle to ensure that those apps are secure.

It's an issue that Joe Mancini, chief information security officer at Radius Bank, deals with daily. He believes striking the right balance between customer experience and security is the biggest challenge in digital banking today. Banks and credit unions need to make sure their data is secure, but they also need to bring their digital offerings to market in a timely manner.

"If you're too heavy on the security side, you're going to force customers to go elsewhere. That mentality has forced a lot of banks and application providers to push products out much sooner than they're really ready for," he said last month during a panel at the 2019 Bank Customer Experience Summit in Chicago. Mancini and Paul Siegfried, SVP at consumer credit reporting agency TransUnion, answered several questions about digital security and the future of banking during the session, moderated by Amy Castor, editor of ATM Marketplace.

APIs open banks to opportunity, risk

Application program interfaces play a big role in allowing banks to deliver their services via mobile apps and online tools.

"An API is simply an easier method for a bank to connect with fintechs, who often provide cool apps and features that maybe, as a bank or financial institution, you don't want to implement on your own," Mancini said.

Radius has 12 projects going on at the moment with fintechs, he said, in explaining how common it is for banks to rely on APIs for sharing their data.

"How many folks here know where all your data is?" he asked the crowd. One person in the audience raised a hand.

"When regulators come to the bank, they are going to ask for a data map," Mancini said. "They will want to know where your data is going and who has access to it. They will want to see your disclosures and the contracts that you signed when you partnered with these fintechs."

Security goes beyond simply tracking your data, however. A critical aspect of managing third-party risk comes down to testing, he said.

"You're allowing these connections to happen in your organization, but do you really know what risks you might be exposed to when you're doing these things?" he said. "What type of tests are you putting into place? A huge aspect of what we've done, especially as we've transformed our banking into a digital-first approach, is the testing component."

While it is critical for FIs to know what sort of exposures they are vulnerable to before going live with a new app, testing should be ongoing.

"Are you continuing that testing throughout the cycle of the year?" Mancini said. "Depending on how critical that connection is, it's a big, big part of what we do," he said, in explaining the role his security group plays at the bank.

Even when FIs think they have all angles covered, breaches still happen. As an example, earlier this year, more than 2.9 million Desjardins Group members had their personal information compromised in a data breach targeting Canada's biggest credit union due to a rogue employee. When something like that does happen, it's important to respond appropriately.

Have an emergency plan in place

In the event hackers take personal information from your corporate server, an insider steals customer information, or information is inadvertently exposed on your company's website, it is vital to know what to do next, Siegfried said.

The U.S. Federal Trade Commission provides general guidance on what to do, but FIs need to go the extra mile.

"Do you have a plan in place for when something might occur?" he said. "Whether it's one piece of information that might get released on a single transaction or a single employee who might have taken a larger chunk of information, do you have that plan defined?"

He recommended FIs reach out to law enforcement to discuss what relevant actions they should take.

"They are open in the way of a conversation if you say, 'Here's my readiness plan, what are the things I need to know?'"

Photo courtesy Networld Media Group.



Amy Castor

Amy Castor has more than 20 years of experience in journalism and mass communications. In the last several years, she has gotten particularly interested in cryptocurrencies, blockchain technologies and other evolving forms of payment. Her work has appeared in consumer and trade publications throughout the U.S., including CoinDesk, Forbes, and Bitcoin Magazine. She is now the editor of ATMmarketplace.com and WorldofMoney.com.
