Cyber resilience is essential for a trusted payments system. PA Consulting explains how to achieve this
Cyber resilience is vital to a trusted payments system – and UK payments are changing fast. Our experience of helping financial clients spot weaknesses shows that a broad view of cyber resilience is key to achieving lasting security.
Trust in payments is becoming more important than ever
Consumers don’t give much thought to payments systems. But they place great trust in the ability of those systems to function reliably and protect their data. So, it’s no wonder that operational resilience, and cyber security in particular, has always been of critical importance to the UK’s payments industry.
Now, maintaining that resilience is more vital than ever. On the one hand, incumbent banks face growing customer scepticism and stringent requirements to provide new entrants with secure API access to their customer data. On the other, new entrants are emphasising their commitment to security and their desire to give consumers more control over their data.
Fortunately, Open Banking (the UK’s implementation of PSD2) provides a solid foundation for delivering innovative and secure services based on common standards and greater regulatory oversight. Arguably, this makes it less risky than traditional methods of banking aggregation. The resulting confidence in data security should benefit both customers and providers.
Even so, in a world in which cyber threats can change hourly, we must be constantly vigilant. Regulators need to continually monitor the security of UK financial services.
True resilience encompasses external partners
So how can the UK payments industry maintain its cyber resilience? It’s natural to think the answer lies in internal responses. After all, when things do go wrong, it’s often due to factors such as human error, insider threats or inadequate patching. But this is only part of the story. Achieving lasting cyber resilience will require every player in the UK payments ecosystem to think more broadly.
For the banks, a broad view of cyber resilience needs to embrace the ‘extended enterprise’. Banks are making increasing use of suppliers, vendors, FinTechs and other partners to develop and deliver core services. This rapidly growing web of connections can make it harder to achieve end-to-end resilience.
Our experience of running scenario simulations and planning confirms this. For example, we’ve run annual crisis response simulations for NEX Group for the last ten years. By factoring in the fact that data regulations now make firms liable for third-party data breaches, we’ve shown the resilience of external partners is often weaker than an organisation’s own environment.
And foreign entrants
A wider perspective on cyber resilience also needs to consider the way non-banks from outside the UK are becoming more critical to the UK’s banking system. That includes technology firms partnering with incumbent banks, and the ever-growing range of firms entering the payments arena. Open Banking gives new entrants the opportunity to identify and pick off the most financially attractive services without offering the full services of a deposit-taking bank.
For regulators, a broader view of cyber resilience needs to consider the increasing influence of global players in the UK’s payments ecosystem and the importance of aligning standards with overseas supervisors.
Overall, cyber resilience represents a competitive opportunity for both established banks and new entrants. As the UK adapts to an uncertain future, resilience is also vital to maintaining a trusted financial sector and an agile, flexible economy.