August 11th, 2021 • Neo banks by Marketing Skaleet

Cybersecurity: can neobanking customers really sleep well at night? 😴

Imagine the surprise, last summer, of the roughly 7.5 million customers of the American neobank Dave when they learned that their personal data had been published online and was accessible to anyone. Hackers had breached the company's systems, stolen sensitive customer records, and posted them. The Dave incident is not an isolated case. In early 2017, the German neobank N26 (since then a key player in the sector) was alerted to flaws in its IT system by the computer security researcher Vincent Haupert; it took him only five minutes to break into N26's system. And at the end of 2020, the Australian neobank Xinja announced that it would hand back the banking license it had obtained, after a long process, only a few months earlier. Officially the decision was attributed to the health crisis, which had slowed customer acquisition, but it soon emerged that a third-party audit of its IT security infrastructure, conducted in the preceding weeks, had revealed significant vulnerabilities. Shareholders took fright and the planned financing rounds were suspended. Alerts like these justifiably worry neobank users and prospective customers.

A global threat

But in finance, cyber risk is not confined to neobanks. Far from it. Among traditional banks, attacks leading to data theft have multiplied over the last ten years, and the leading institutions have not been spared: Citi, JPMorgan and UniCredit are among the prestigious victims. Even the Reserve Bank of New Zealand, the country's central bank, and SWIFT, the cooperative that provides messaging services to international banks, suffered similar setbacks, earlier this year and in 2016 respectively. Cyber threats are of such concern that the European Central Bank, in its 2020 Risk Map, listed them among the three main risk factors the eurozone banking system must address over the next three years. For its part, the International Monetary Fund has recently called for closer cooperation among banking players in the face of rising cyber risk. Attempted cyber-attacks on banks have risen sharply since the beginning of the crisis, as studies by Moody's (the rating agency) and the Banque de France have shown, and the trend is expected to continue, driven by the growing digitization of banking services and the spread of remote working within banks.

Obsolete information systems in traditional banks 

In this high-risk environment, where zero risk does not exist, the real question is not whether neobanking customers can sleep well at night in the face of cyber threats, but whether they can sleep better than customers of traditional banks. At first glance the latter, at least the larger ones, seem to hold a major advantage: the investment required for IT security can run to tens or even hundreds of millions of euros, and most large banks generate more than enough revenue to cover it. However, some professionals do not accept that spending on that scale automatically makes a traditional bank's IT tools better protected.

Remember, the major banks' core information systems were designed and installed decades ago, before the commercial Internet and long before the words "hacker" and "cybersecurity" entered common use. These systems are fine-tuned every year, and they have shown durability, performance and adaptability over the years, but they have now reached their limit.

As they have grown, legacy banks have kept the same information systems and simply layered updates onto them, particularly with each acquisition. And therein lies the problem. As Orange Cyberdefense notes, many information systems "are old and poorly suited to deal with the threats that affect banks today." The Single Supervisory Mechanism (SSM), which supervises the so-called systemic banks, shares this view: "Many large institutions rely on end-of-life information systems to conduct critical business operations, making them even more vulnerable to cybersecurity risk," the SSM recently warned. In an op-ed, two computer science professors at the Leuven and Brussels polytechnic schools defined "end-of-life" systems as those "that can no longer be maintained or updated because of their age, but that have not yet been replaced, or that are impossible to replace." Most worrying of all, at least two-thirds of banking information systems are said to be in this state today. The situation is all the more problematic now that the revised Payment Services Directive (PSD2) requires European banks to open their payment-account data and payment-initiation services to licensed third-party providers, including fintech companies, through dedicated interfaces: every such interface is a new entry point that an aging core system must defend.

Identical regulatory constraints in Europe

While the shortcomings found at Xinja show that not every neobank is beyond reproach in this area, the fact that neobanks were built on recent technologies (including the cloud) and an open architecture gives them a competitive advantage. There is a further element of comfort. As the French Prudential Supervision and Resolution Authority (Autorité de contrôle prudentiel et de résolution, ACPR) stipulates, entities holding a credit institution license, whether traditional banks or neobanks, are subject to the same regulatory requirements, particularly regarding the security of information systems. The ACPR, which supervises the French banking and insurance sectors, has just updated its 37-page notice setting out its expectations in this area.

If French customers needed further reassurance about using a neobank, they should know that a neobank holding a credit institution license is, like a traditional bank, covered by the Deposit Guarantee and Resolution Fund (Fonds de garantie des dépôts et de résolution, FGDR): up to 100,000 euros per depositor and per institution, across the checking account, passbooks and savings plans held there, should the bank fail. One caveat: a neobank operating under a payment or electronic-money institution license rather than a banking license is not a credit institution, and funds held there fall outside the FGDR guarantee, so it is worth checking which license the neobank actually holds.

This should help them sleep better at night.  


  • #innovation

  • #neobanks

  • #corebanking

  • #cybersecurity