Alasdair Allan: Digital Banks Are Moving Past the Idea of Passing Around Paper Money


By Alasdair Allan

April 26, 2017 12:00pm

Cash is king, until it's not.

Part of the emerging generation of fintech startups, the new digital-only banks—colloquially known as the challenger banks by the financial technology "in" crowd—appear to be approaching consumer banking very differently than the existing major main street banks. The question is, how deep does that commitment go?

Trying to get a feel for them, then, it's interesting to see some of the same security anti-patterns developing in the challenger banks that already exist in the traditional big banks. For instance, one of them just phoned me and asked me to provide personal information for "security verification" before they'd discuss what they were calling me about.

Providing information to someone cold calling you isn't something you should be prepared to do—no matter whether you're expecting the call, or who they say they're calling from. It also shouldn't be something a company asks their customers to do, at least not if they have a solid security culture.

This security anti-pattern is one of the most irritating consumer-facing security problems that large institutions like banks suffer from, as it has the potential—as a pattern—to assist fraudsters attempting to extort data from customers to commit identity fraud. If you're used to handing over your identity in the opening seconds of a phone call, you're far more likely to hand it over to the wrong person.

Unfortunately there really is no way to mutually and securely authenticate over a single-channel medium like a phone call. However, the digital-only challenger banks have an easy way around this problem: they have an app, and therefore a second channel.

One possible solution, then, would be to send a push notification reading "The person you're talking to on the phone is really from your bank" once the phone call has begun. This is a perfectly reasonable way to prove that the caller is legitimate; after all, making their own app do something while they're talking to you is a decent first cut at a second-channel proof of authenticity.
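The second-channel check described above, written out as an added example (not code from the post or from any bank): the bank's dialler signs a small "call in progress" record when the agent's call connects, and the customer's app only displays the reassurance if the record is authentic, addressed to this customer, fresh enough to match the call happening right now, and not a replay. The shared HMAC key and the field names are assumptions for the demo; a real deployment would rely on the bank's authenticated push channel or a public-key signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared by the bank's dialler and the app (assumption;
# stands in for the bank's authenticated push channel or a signing key).
BANK_PUSH_KEY = b"constructed-demo-key-not-for-production"


def start_verified_call(customer_id, agent_id, now, key=BANK_PUSH_KEY):
    """Bank side: run when the agent's outbound call connects.
    Returns the push notification payload sent to the customer's app."""
    record = {
        "customer": customer_id,
        "agent": agent_id,
        "started": now,                 # epoch seconds the call began
        "nonce": secrets.token_hex(8),  # makes every call record unique
    }
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def app_verify_push(push, customer_id, now, key=BANK_PUSH_KEY,
                    max_age=120, seen_nonces=None):
    """App side: decide whether to show 'this caller is really your bank'.
    Returns (ok, message); the message is only shown when ok is True."""
    expected = hmac.new(key, push["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, push["tag"]):
        return (False, "notification not from the bank")   # forged or tampered
    record = json.loads(push["body"])
    if record["customer"] != customer_id:
        return (False, "notification for a different customer")
    # Bind the push to the call in progress: it must not be old or from the future.
    if not 0 <= now - record["started"] <= max_age:
        return (False, "notification does not match a current call")
    if seen_nonces is not None:
        if record["nonce"] in seen_nonces:
            return (False, "notification already used")      # replayed record
        seen_nonces.add(record["nonce"])
    return (True, f"Agent {record['agent']} from your bank is on the line")
```

Because the app checks freshness against its own clock and remembers nonces, a notification captured from an earlier legitimate call cannot be reused to vouch for a later caller.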

Banks are slow to adopt technology. More than a couple of years ago now I worked out some interesting rather back-and-forth technology that would allow your smartphone to geo-authenticate credit card transactions without letting your bank know where you were all the time. I even packaged it up—along with other side projects to enable things like securing emergency cash advances based on geo-fencing—and sold the intellectual property to some friends of mine in the industry. They weren't able to interest any of the major banks in picking it up. This didn't really surprise me.

Banks are notoriously conservative, and to a certain extent I'm okay with that. I really rather like the fact that the people that have all my money are a bit stick-in-the-mud. As an early adopter I can tell you that all new technology has problems: it breaks. A lot. But unfortunately, despite existing on the technological trailing edge, so do banks.

On the face of it the banking industry, at least outside the United States whose continued reliance on cheques makes them a bit of a laughing stock to the rest of the world, looks like it's moving forward slowly and steadily.

This appearance is, however, skin deep. The networks between the banks themselves were designed in a very different era, and are creaking under the threats of a more uncivilized age. Similarly, the backend technology of most banks has reached a breaking point beneath the weight of the layers of new technology that have been added on top. These systems weren't designed with the web in mind, let alone smartphones. The idea that customers would directly interact with their accounts was never a design criterion.

This is where the current crop of fintech startups comes in, and along with them the so-called "challenger banks." Some of these new banks, notably Starling and Monzo, have gone with a full-stack approach and built their back-end systems from the ground up. In the short term that leaves them a long way behind their competitors—notably Atom Bank, the first of the new clutch of banks to pick up a banking licence—who built their core banking systems on existing commoditized banking software. But in the longer term it's a gamble that could well pay off in a big way.

The banking industry is heavily reliant on legacy technology stacks, built up in layers of different architectures and languages laid down over the years. When new technologies come along most banks don't replace existing technology, they put the new technologies on top. The old technology sticks around, lurking behind the scenes. For most banks legacy technology encapsulates their institutional knowledge, all the corner cases that come up when you have software that deals with that many transactions every second.

For the challenger banks, at least those that have gone down the full stack route, the encapsulated institutional knowledge might not be present, but that means they can build a banking system with design criteria that actually reflects how consumers use money today, rather than how they used money last century. After all, some of that encapsulated knowledge is about how to hand pieces of paper around, and the digital-only banks are hoping to move past that.

Interestingly, one of the reasons that a lot of these new digital-only challenger banks are based in the United Kingdom is that there the Treasury, along with the Competition and Markets Authority, has advocated and eventually mandated the adoption of open banking standards, which are even now being rolled out. It's notable, though, that among the banks it's Monzo and Starling, the full-stack banks, that have developer sites, GitHub repos, and an actual working API you can develop against.

The whole point of the challenger banks is to think differently, and that shouldn't just be a surface thing. It needs to go all the way down into the culture: security isn't just about the back end, it needs to be customer facing too. In the end security isn't really about computers, it's about people. So when it comes to calling your customers the onus is on, must be on, the company making the call to identify themselves first. After all, they called you.

