Data protection requires digital identity: operators can stand between banks and vast fines

We live in an age of data breaches.  An unfortunate side effect of the digital economy’s daily growth is an ever-rising number of opportunities for cybercriminals – and companies falling victim to them face increasingly stiff fines where customer information is leaked, particularly where compliance with data protection regulation is found wanting. Even major players in key industries such as banking, transport and hospitality are encountering difficulties in keeping their systems of the right side of the regulators – and that can be a very expensive shortcoming, as well as a major reputational risk. Seamlessly flagging irregular activity, or ensuring only the right people can access sensitive data – and do so in the right way – can help to avoid serious financial penalties.

Just this month the airline Cathay Pacific was fined £500,000 by the UK’s data watchdog after failing to adequately secure systems tasked with protecting access to passengers’ personal details, such as passport and identity information. In view of the company’s size, this fine would likely have been far higher had the compliance failure occurred since the EU’s General Data Protection Regulation (GDPR) came into force, which allows for fines of up to 4% of global turnover. Hotel group Marriott for instance was fined almost £100 million for losing the records of 339 million guests following GDPR’s introduction; in the same week British Airways was fined £183 million for a comparable breach. 

This is of particular concern to that most data-sensitive sector – financial services – in which data breaches rose fivefold in 2018, with punishment for lack of compliance increasingly stiff.  Since GDPR came into force fines of more than 100 million euros have been levied – and the financial services sector has incurred more of these than any other.  Last summer for instance the Bulgarian bank DSK was fined around 500,000 euros by the country’s Commission for Personal Data Protection, for a data breach affecting over 33,000 clients, which saw disclosure of their full names and addresses, account numbers, and copies of ID cards.  The nation’s data protection regulator concluded the bank had failed to implement the “appropriate technical and organisational measures” to guarantee the “confidentiality, security, and integrity” of personal information. A similar appraisal was made by the Romanian Supervisory Authority, which fined Raiffeisen Bank and Vreau Credit when employees were found to have improperly accessed credit check data.

This is not only about GDPR, however – those entrusted with their customers’ personal information which is then compromised face an increasingly stiff response from regulators and the courts. Around the same time as the DSK case was concluded, Capital One in the US accepted culpability for a breach affecting the personal details of 106 million customers across North America, including credit scores, payment histories, linked bank account numbers and social insurance details.  This came just a week after credit agency Equifax agreed to pay out just under $700 million for a data breach exposing the personal data of 150 million people, with provision of identity restoration services a key requirement of the agreement. In the UK, Equifax faces a claim of around £100 million for failures to comply with data protection obligations prior to GDPR’s introduction, in the UK’s first representative data breach claim to the High Court.

In the US, Chair of the Federal Deposit Insurance Corporation, which regulates and underwrites deposits in US banks, indicated that cybersecurity is the biggest risk facing the banking system, and that fines may be levied against those failing to comply with stringency requirements. “We will certainly undertake enforcement action,” warned FDIC Chair Jelena McWilliams at the Community Bank Investors Conference, adding that inadequate cyber defences could also force regulators to downgrade their ratings of bank management teams. The FDIC is now “continuously” monitoring and testing the resilience of banks’ security systems and ordering them to address deficiencies.

The digital economy’s continued growth underpins countless improvements the world over, and the financial sector has a clear role to play in helping to deliver those improvements. But for that growth to continue unhindered, consumers must trust that their data is safe, and businesses must be confident in the systems they put in place to ensure that confidence. That means taking note of the growing rates of cybercrime aimed at financial services, and planning to avoid them before their ruinous effects come to pass.  As cybersecurity specialists James Carder and Nicole Lindsey, commenting on the breach at Italian bank UniCredit in November 2019 which affected 3 million customers, explain: “The financial industry continues to be inundated with breaches, and unfortunately this latest one is part of a recurring theme… the time to act is not after a major data breach has already taken place; rather, the time to act is in advance of any new data breach.”

Building on 15 years of work in digital identity, the mobile industry already enables authentication services used by nearly 1 billion people every month, and that figure is set to more than double by the mid-2020s (GSMA Intelligence). That growth stems from a unique array of tools and capabilities operators have at their disposal: a range of databases, services and resources derived from mobile networks and technologies, and the ubiquity of both cellular connectivity and mobile devices themselves. With for instance $1.3 billion transacted every day from mobile money accounts, considerable investment in AI and machine learning applied to user attributes, and rigorous legal obligations to ‘know your customer’, operators are uniquely well-placed to help institutions like banks know theirs too. The mobile industry and financial sector have already achieved a great deal together – but there is plenty more yet to do, and the time to do so is observably now.