Friday, June 29, 2012

Is the Future More or Less Secure?

The Economist online is currently hosting a debate about cybersecurity and specifically the question of whether we are headed for a more or less secure world as interconnectivity increases. My vote is "no" for the following reason, which I posted to their debate site:
It would be quite difficult to compromise security if we each existed entirely in our own hermetically sealed network like an egg in a carton or a standalone PC on a desk. Each connection with the outside world creates a perforation in the egg shell and creates a security risk in the form of a point of potential compromise. The perforation can be compromised or the "tube" connecting me to the next "egg" can be compromised. Further, the "egg" I'm connecting to can be compromised. Or an "egg" connected to the one I'm connected to can be compromised. As you can imagine, hyperconnectivity increases the number of points of potential compromise exponentially with time.
Our current risk-mitigation approach tries to hermetically seal all the perforations, joints, and pipes by wrapping them in a "fortress firewall." This becomes exponentially more difficult with the increase in points of potential compromise. Attacks are inevitable, as are compromises, until and unless our approach to risk mitigation shifts from a "fortress firewall" approach to one in which we can examine, wrap, and filter actual bytes of information as they float around cyberspace.
While I don't know what this approach will look like in practice, I predict it will include a strong focus on data provenance. Imagine an "HTTPS 2.0" in which we not only wrap packets of data in an encrypted security layer, but also give that packet the ability to either reveal its contents or self-destruct based on who/what/where/when/WHY it is accessed. 
Until then, data security risk shall continue to increase.

Tuesday, April 10, 2012

Did You Know? ... The Makeup of the US Financial Services Industry

This is the first of a new "Did you know?" category of posts which will appear periodically on this blog. These brief posts will contain industry statistics relevant to risk and financial crime management.

Quite often, both in the Consulting arena and in Financial Services, analyses require an understanding of the industry. Hard statistics are often ... well ... hard to come by. My intention is to provide a quick public point of reference for this type of information.

Statistics posted here will carry a source URL link, as you can see below, or a citation.

Today's stats relate to the overall size and makeup of the US Financial Services industry. According to a recent report by the Department of Homeland Security:

1. Deposit and payment systems and products ($12 trillion in assets; 17,000 depository institutions)
2. Credit and liquidity products ($14 trillion in assets; many thousands of credit and financing institutions)
3. Investment products ($18 trillion in assets; 15,000 providers of investment products)
4. Risk-transfer products ($6 trillion in assets; 8,500 providers of risk-transfer products)

Thursday, January 12, 2012

Quote of the Day: KYC --> EPS

An organization that positively knows its clients can obtain a commercial advantage over rivals.
- KPMG, Anti-Money Laundering Compliance in a Changing Risk and Regulatory World

Thursday, January 5, 2012

Food for New Year's Thought: The Future of Banking

Every consultant worth his salt is busy trying to write something prescient on the future business model for banks. GLG Research recently published a report calling out the following key parameters, with a focus on retail banking:
1. Peer-to-Peer (P2P) Lending: An advanced technology that eliminates middlemen and directly connects borrowers and lenders.

2. Prepaid General Purpose Reloadable (GPR) cards: In return for modest commissions, a global agency network of convenience stores and retailers is now enabling cards to be “loaded” with cash. When equipped with remote deposit check capture, direct deposit, bill payment and ancillary credit, savings and investment accounts, these cards make traditional bank branching redundant. eWallets such as those touted by ISIS, Google, Visa, Amex, Paypal and FaceCash are the offspring of GPR built on the same infrastructure; similar economics but a different, arguably more convenient, access device.

3. Social Media: Social media like Facebook and LinkedIn can offer insight into customer behavior that can be applied to enhance customer acquisition, retention, and even underwriting (
Banks which are early movers in this area have a great opportunity to reverse the post-2007 profitability decline. Success, in my opinion, will depend on three things:
  • Getting it done quickly
  • Getting the customer experience right
  • Getting the risk management right
Those aims are, in many areas, conflicting. A balancing act is required. Wading too timidly into these areas might cause impatient "early adopter" customers to defect, or at least decrease their activity level. Making a big splash in these areas without consideration of risk factors invites the wrong kind of customers and is sure to balloon losses.

Critical to all three of these emerging trends are the "Three Risk-Management A's of Next-Generation Banking":
  1. Analytics: Collecting the necessary data about behavior as well as customer preferences to objectively understand and address behavior in a consolidated, risk-based, customer-centric manner 
  2. Authorization: Making an informed, risk-based decision about what the bank allows the customer to do
  3. Authentication: Making sure the transaction is being done by the customer, not a fraudster
Periodically on this blog, I will individually look at these trends, highlighting the risk implications for the future banking business model.