Financial innovation has become one of the cornerstones of economic progress, reshaping traditional financial practices and paving the way for new solutions to existing challenges. The rapid evolution of technology and shifting regulatory environment has seen a surge in ground-breaking concepts within the financial services environment, including tokenisation and digital assets, algorithmic trading platforms, and more. These innovations have enhanced efficiency and accessibility in many cases, as well as fostered greater financial inclusion and transparency. At the same time, they have also brought with them a host of new risks for which financial firms must prepare.
New technology, including Artificial Intelligence, Cloud Computing, and in the not-too-distant future, Quantum Computing, offer financial firms solutions providing significant productivity gains, a better understanding of client expectations, and the ability to further develop and scale up their digital services. Nonetheless, by increasingly shifting towards an open architect environment, the financial services sector is at risk of exposing a mass of sensitive data to malicious actors for whom it represents a significant profit source.
A 2023 study by data security specialist Netwrix found that the financial sector was more often than any other the target of cyber-attacks. The survey, which collected data from financial institutions in over 100 countries, found that 77% of responders had suffered a cyber-attack compared to 68% from other sectors. The same report notes that 39% reported attacks on their cloud infrastructure, with phishing and ransomware being the most common type of attack. Given this, new technology can pose significant risks for financial actors who hold large amounts of data, and risk teams must constantly determine the impact that onboarding these could have on firms.
Code & Capital: Navigating AI’s Risks in Financial Services
Artificial Intelligence is currently spearheading the digital evolution of finance, providing wider access to financial advice and investment opportunities via algorithm enhanced robo-advisors. Machine learning algorithms are enhancing efficiency by processing and analysing large datasets to identify patterns, predict market movements thereby allowing professionals to focus on more strategic responsibilities, and assess credit risks. However, AI brings with it a new set of risks for financial firms, including data privacy and regulatory compliance concerns, as well as algorithmic bias.
The “garbage in-garbage out” principle is also particularly relevant for AI, with the design and success of algorithms dependant on the choice of data sources and the biases inherent within these sources, be it due to human interpretation or faulty statistics. Currently, AI is also subject to “hallucinations” which pose issues within results and require highly trained staff to pour over results to ensure suspicious responses are flagged. Finally, while AI brings benefits for the industry, it also provides fraudsters with new tools, including the production of false passports to divert KYC procedures and facilitate money laundering, as well as false messages and conversations aimed at extracting funds from both clients and employees. Technology therefore demands vigilance. “Cybersecurity must evolve as fast as the technologies developed by malicious actors and all staff at financial institutions must be sufficiently aware of fraud possibilities in order to react,” insists Laurent Marochini, Head of Innovation at Société Générale Securities Services.
Cybersecurity must evolve as fast as the technologies developed by malicious actors and all staff at financial institutions must be sufficiently aware of fraud possibilities in order to react.
Sky-high risks for the cloud?
Cloud computing brings streamlined operational and enhanced agility benefits for firms by offering scalability, increased flexibility, and cost-effectiveness; migrating data and applications to the cloud improves accessibility while at the same time reducing infrastructure costs. Nonetheless, concerns relating to data security, regulatory compliance and potential service disruptions remain. According to Abdelhay Toudma, Technology Partner at EY Luxembourg, “the cloud, in principle, actually offers higher levels of security that traditional infrastructure.” Despite this, data theft and corruption remain the key risk associated with cloud transition.
The highly sensitive nature of the data managed by financial institutions is particularly attractive for malicious actors and therefore once stored in the cloud it must benefit from robust security measures. Risk teams therefore invest in encryption, multi-factor authentication, and intrusion detection systems to fortify defences. The disadvantage of these protection systems is that data processing is often slowed, and firms must therefore strike the right balance. “The processus of IAM (Identity and Access Management) is also very important, it ensures that the right resources are granted the right access to avoid any theft or malicious activity resulting in major damages in term of reputation and financials. Two safeguards’ principles prevail: the need to know and the least privilege”, adds the partner at EY Luxembourg.
The cloud, in principle, actually offers higher levels of security that traditional infrastructure.
Two other risks remain top of mind in relation to cloud computing, namely sovereignty risk and systemic risk. Sovereign risk applies should relations with the data hosting country deteriorate and data access is blocked. To mitigate the risk, some national regulators require data be hosted in the country where business is undertaken, or at an EU level for those operating in the region. While in terms of systemic risk, the Bank of International Settlements has warned about the growing use of cloud services within financial services and the concentration of data in the hands of a few IT giants. Should one fail, the BIS warned, the financial system could be weakened and therefore the use of multicloud systems is being encouraged.
The quantum quandary
Quantum computing brings with it the potential to exponentially increase processing speeds, enabling complex calculations and simulations far beyond current computers. Within financial services, quantum algorithms hold significant promise in relation to portfolio optimisation, risk analysis, and cryptography. Given the nascent nature of this technology, currently focus is predominantly on the potential threat it poses to traditional cryptographic algorithms. To bolster resilience against potential future quantum-enabled attacks, some risk teams are already proactively exploring quantum-resistant cryptography such as lattice-based cryptography and quantum key distribution.
To guard against risks stemming from these technologies requires financial institutions build out robust risk, governance, and compliance frameworks to ensure they are able to navigate the regulatory landscape effectively. “Current regulations already provide an excellent layer of protection,” note Astrid Wagner and Marc Mouton, Partners at Arendt & Medernach. “The series of texts that have been published in Europe are proportionate to the challenges posed by current technology. Dora, for example, stipulates that measures should apply throughout the chain, right up to external suppliers who play a major role with this type of technology,” they continue. Effective regulation is, however, just one part of the story. “Companies must also take proactive and protective steps,” insists Toudma. “If they develop their own applications, which is increasingly becoming the case, it’s essential to use ‘security by design’, to develop protective measures as soon as the application is conceptualised.”
Current regulations already provide an excellent layer of protection.
Effective risk management in this respect necessitates cross-functional collaboration and continuous education across the organisation. “Risk teams must engage with a wide range of stakeholders including technology teams, legal teams, and regulators to continually assess the risk landscape and identify any gaps in internal controls. Further, ongoing training ensures that all employees in an organisation are aware of the latest developments in the industry and can, in a timely manner, identify threats that might emerge, thereby fostering a culture that is both risk aware and resilient,” says Emma Fijen, Head of Operational Risk at Bitstamp.
Risk teams must engage with a wide range of stakeholders including technology teams, legal teams, and regulators to continually assess the risk landscape and identify any gaps in internal controls.
As financial services embrace new technologies, effective risk management is paramount to safeguard assets, ensuring regulatory compliance and preserving customer trust. As the technological frontier continues to grow, risk teams must remain vigilant and adaptive, anticipating and mitigating risks to safeguard the integrity and stability of the global financial system.