Despite some consolidation in the African banking market, most of the banks we speak to remain confident about future opportunities on the continent. However, we have noticed security steadily making its way towards the top of the agenda for bank executives, and rightly so.
Africa’s relative lack of infrastructure is both a blessing and a curse for banks. While access to traditional services is still a challenge, innovation in technology can offer big opportunities. Mobile has become the de facto means of banking in many parts of Africa and, as mobile penetration — particularly smartphone penetration — increases, this is allowing banks to connect with more of the population than ever before, and to do so in a more targeted, personal way.
A study looking at trends in banking in sub-Saharan Africa, released in June 2015 by the European Investment Bank, noted that the region leads the world in mobile money accounts. Although only 2% of adults worldwide have a mobile money account, in sub-Saharan Africa, the figure is 12%. Although the base is still low, financial inclusion through mobile is growing fast.
While this is encouraging for the continent and the banks involved, banking CEOs are increasingly concerned about systemic risk and, more importantly, about the growing risk of cybercrime.
The Kenyan government alone is losing KSh5bn (R725m) yearly to cybercrime and the number is expected to grow. In fact, in March last year, 79% of African banking executives surveyed by PwC saw cyber risks as an inhibitor to growth.
This is not surprising. Globally, security is too often seen as a grudge purchase, and is brought in as a last resort and, even worse, often after a critical breach has already taken place. This can cause serious reputational damage to the banking and payments ecosystems.
Complacency around the security technology employed to authenticate a customer in particular is still rife. Despite all the international best practice, many banks still seem comfortable with using one-time password (OTP) technology as their primary means of authenticating their customers. Technology, one must add, that is already decades old.
Back in 2012, Australian mobile operators warned their local banks that SMS was not secure and urged them to re-look at how they protect their customers. At the time, Communications Alliance CEO John Stanton said it plainly: “SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication.”
This is not the end of the challenge. Many banks have shifted to two-factor authentication (where users have a password and make use of a token or phone as the second factor), but Gartner warned back in 2009 that any two-factor authentication relying on a browser can be beaten. The company went on to suggest banks make use of a fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification.
Over the years, there has been a marked rise in man-in-the-middle attacks and these are receiving particular attention from African security analysts. These are best described as attacks that criminals design to secretly intercept, and possibly tamper with, messages between two parties who believe they are communicating only with one another. Many unsuspecting banking clients have become victims of phishing attacks through clicking e-mail links, downloading fake or altered mobile apps or through the use of unsecured public Wi-Fi connections.
This is a real challenge for banks. They do work to educate their clients on safer browsing habits, but this is simply not enough. Banks must take responsibility for securing financial or personal data. The same is, of course, true for all organisations that hold sensitive information. Regulations around this are growing incredibly onerous and, if companies can’t guarantee they are protecting the consumer, they will be subject to very hefty penalties.
Not only a compliance challenge
If banks want to improve their bottom line, they must own the channel through which they communicate with their clients. This channel is the proverbial goose that lays the golden egg. In a downturn economy especially, financial institutions are developing and rolling out incredibly innovative new products. This is all pointless, however, if the end user — the client — doesn’t trust your technology enough to complete a transaction.
Criminals are constantly evolving and refining the ways they access data and funds. If banks want to ensure they can leverage the mobile channel for increased profits, they cannot afford to be complacent about security. Criminals are thinking three steps ahead. Shouldn’t our banks be doing the same for their clients?
- Schalk Nolte is CEO of Entersekt