Swift’s Latin American Regional Conference (LARC) explored how banks in the region are looking to increase digitisation, while managing cyber and compliance challenges.
Ignacio Blanco, Head of Latin America & the Caribbean at Swift, opened LARC by noting that customer demands from financial services have rapidly increased in the digital world, with organisations operating in a world that is hyper-connected. Financial institutions need to evolve from market leaders to digital leaders, he said.
This was supported by an audience poll that asked delegates to think about the main driver for digital transformation in their organisation – with business model adaptation (32%) and meeting customer expectations (31%) being selected as the key drivers.
Accelerating digital transformation
As to how banks are approaching this challenge, Kartikeya Swami, Associate Partner at McKinsey & Company described how they are deploying systems and tools to drive products with an agile ‘test and learn’ approach – developing solutions and getting them out to customers for testing as quickly as possible, taking on feedback, updating the solution and sending it out for more feedback.
Thinking about what it takes to successfully support the acceleration of digital transformation, Christopher Mager, CTP, Managing Director, Digital Office at BNY Mellon Treasury Services said that two years ago his institution had moved to pursue a more centralised strategy, by creating an enterprise level digital group. Their clients often hold relationships with a number of the bank’s businesses across the world, he said, so this enterprise view was helpful to provide a seamless approach. As part of this process, BNY Mellon created a Digital Council that has representatives from all the different business groups and key stakeholders.
While each business within the group should prioritise its own developments, there are certain functions that every business undertakes – such as onboarding clients or providing reporting, for example. This is where the Digital Council and enterprise approach has its focus, Mager said, helping the business structure its data across the enterprise and avoiding duplicating costs.
Kasif Wadiwala, Associate Partner at Deloitte Consulting reinforced the point that financial institutions need a bank-wide digital strategy in order to bring all businesses along on the digitisation journey at the same time. He added that banks need to understand what their business process rules are and how they manage technological investments before jumping into digitisation projects.
Commenting on his own bank, George Doolittle, Executive Vice President and Head of Global Payments Services, Corporate & Investment Banking at Wells Fargo said they realised they had centralised innovation too much, and needed to get the various business lines more involved in the process. The business lines have the customer connection, which is key in developing solutions that actually solve customer needs.
When it comes to payments, for example, customers want a fast, effective and secure experience. This point was raised by Beatriz Quevedo Umaña, Regional Head of Client Management, Global Liquidity and Cash Management, Latin America for HSBC, who noted that this need is the same for consumers and businesses alike. Mónica García Luzio, Vice President of Finance at Banco Bisa added that corporates need more information around their payments, which is why her bank had added support for Swift GPI last year.
A question from the audience on Day 1 of LARC asked about how banks can go about balancing digital innovation with cyber security and regulatory requirements. BNY Mellon’s Mager responded by saying that his team works closely with business partners on the Digital Council so that legal and compliance teams at the bank have an input on the bank’s innovations. It is important to get all key stakeholders on board before investing in and working on innovation, in order to address any particular issues before time and resources are spent on a project.
Facing cyber challenges
The threat that banks face from cyber criminals was highlighted by Swami, who commented that 25.7% of all malware attacks in 2018 hit banks and other financial services organisations.
Cyber actors will attempt to infiltrate a local system via a phishing attack, a compromised security token or similar, Pat Antonacci, Head of Customer Experience at Swift explained. They would then look to move large volumes of funds over weekends or holidays, for example. While banks smartened up to this approach and would monitor for these sorts of attacks, fraudsters will now try to withdraw smaller but more numerous amounts during weekdays.
Julian Dana, Director of Latin America for Mandiant at FireEye made the point that advanced persistent threats (APTs) are one group of cyber actors to pay particular attention to today. These groups can often be government sponsored. APTs from countries such as North Korea have evolved, he noted, from acting like hacktivists, to now looking for financial gain as a way around economic sanctions. Ransomware like WannaCry is an example of this.
APTs have local contacts to support attacks, who can help with reverse engineering to generate an insider threat. Adam Bulava, Executive Director of Attack Simulation with JP Morgan added that the US financial sector has developed cyber response guides across the community to help address cyber threats. The more that banks run through these eventualities, the better they will be able to respond to a real attack.
The human element in combating cyber crime was highlighted by Carmen Zegarra, Digital Crimes Unit Attorney for Microsoft. She said that people may have their password underneath their keyboard, use basic passwords, or use the same password on their company computer that they use on their mobile phone. She stressed that organisation-wide education is critical to build awareness – nine out of ten people will click on a phishing link, so the business needs to understand that fighting cyber crime is everyone’s responsibility.
Bulava said that JP Morgan regularly carries out phishing tests across all of their employees, in a move designed to further awareness and to protect the business. He added that the bank has a ‘red team’ of ethical hackers who will attack the bank’s environment to try and gain access to data or accounts. This can highlight where previously unknown vulnerabilities exist in the bank’s infrastructure.
Delegates had a chance to see Skylar Simmons from Swift’s own Red Team carry out a live hack on the second day of LARC 2019. Simmons showed how a methodical approach could allow a hacker to find a bank’s IP address relatively easily, see which ports of the bank’s IP addresses are open, and target the information they could uncover to quickly gain access to the bank’s servers using a variety of tools that are easily available online.
In the hack, Simmons was able to download sensitive files from the bank’s server. He also found that the bank had written its own programme to send MT103 messages without using Swift interfaces. While the system was set up to only allow authorised users to send payment messages, having compromised the system the hacker can start checking what security measures exist and bypass these, quickly sending tens of millions of dollars to his own accounts. The speed at which Simmons was able to demonstrate a hacker’s attempt to gain access to a bank’s core systems provided plenty of food for thought for attending delegates.
Keeping up with compliance
As well as balancing an innovative digital agenda with managing the cyber threats, banks also need to be able to keep up with the compliance demands they face. Speaking to this point on the second day of LARC, Sandra DePoalo, Managing Director, and Global Head of AML with BNY Mellon said that the compliance team needs to engage with the business team in a bank to understand new clients before the onboarding process begins. She said that AML compliance in the bank could call a similar person in the potential client organisation at the start of this process, for example. DePoalo added that it is important to find out if correspondent banks have similar controls in place. If a bank is making repeated requests for information that go unanswered from its correspondent, red flags can be quickly raised.
Maristella Aldana Sanin, Chief Compliance Officer at Bancolombia agreed with the need for compliance to be close to the business. Compliance programmes need to be reviewed on a regular basis to ensure they share the ethical principles of the organisation, as well as the regulatory rules. In compliance, she added that they are also trying to improve the customer experience by being as agile and efficient as possible, by using new technologies, such as bots to scan for suspicious operations and comparing customers with a pool of peers, for example.
Corporate governance is critical to ensuring that compliance is understood across the whole organisation. Carlos E. Troetsch, Partner and Executive Vice President at MMG Bank & President of FELABAN said that this allows institutions to be proactive rather than reactive, and it should be integrated into a bank’s risk programme. Speaking to different banks in other regions also helps support the understanding of compliance in a bank.
Beneficial ownership was named as the biggest compliance challenge globally by James H. Freis, Jr, Chief Compliance Officer and Managing Director at Deutsche Börse Group. The question is who is behind the corporate entity, he said, what is the nature of the corporate business and where are the funds coming from? While it can be difficult to address beneficial ownership, Freis said that if it is done right it could create a level playing field across all countries. Collaboration and innovation to create common standards, such as the Swift KYC registry, help in this regard, he added.
The issue of corruption and compliance is clearly top of mind for financial institutions in Latin America. A poll of delegates showed 69% believe that the biggest concern for Latin America today is corruption and its impact on foreign direct investment (FDI).
Claudio Irigoyen, Managing Director, Head of Latin America Economics and Foreign Exchange & Fixed Income Strategy at Bank of America Merrill Lynch commented that this issue has certainly been very important in different national elections in Latin America in the past couple of years. He did add, however, that the elephant in the room with regard to FDI is the possibility of US-China trade wars.
On that topic, Humberto López, Director of Strategy and Operations for Latin America with the World Bank observed a split in Latin America, noting how the northern part of the region looks to the US, while the southern part of region looks to China. He added that interest rates in the US could be a concern for companies in Latin America with high levels of debt.
Looking at where opportunities exist in the continent, Irigoyen mentioned Brazil, saying that expectations have adjusted significantly since the most recent presidential election. With the reform bill in Brazil expected to be passed by Q3 2019, and additionally a market friendly government being elected in Argentina, there are good economic news stories in the region, he said.
Margaret Myers, Director of the Asia & Latin America Program, Inter-American Dialogue highlighted SoftBank’s US$5bn technology growth fund for start-ups, which could help to promote growth in the region. She added that the advancement of 5G across the region offered the prospect of development in industries such as agriculture and mining.
In closing LARC 2019, Swift’s Ignacio Blanco drew attention to the variety of opportunities for banks to accelerate digital transformation in Latin America that had been discussed at the conference. He concluded by saying that this transformation needs collaboration, and it is critical that institutions foster a culture that supports this.