The most immediate disruptive threat, although not the biggest, is clearly Brexit because of a welter of regulatory obligations. When UK finally and irrevocably leaves the EU on December 31, it will introduce even more complications for the finance sector
in general and payment service providers (PSPs) in particular.
There’s considerable potential for disruption during the transition period in terms of processing payments as UK firms phase in regulatory changes. The authorities will be watching closely. “We expect UK PSPs to have effective risk-based procedures that apply where the transfer of payment lacks the information needed on the payer or the payee,” warns the Prudential Regulation Authority.
Firms will have to be on the ball in the weeks and months after Brexit. “If any payments are disrupted, we expect firms to communicate promptly with any affected customers….and give them the opportunity to make the payment in another way,” says the PRA.
But the most pressing risk is cyber attacks. If there is one issue that strikes at the heart of all firms having custody client funds, it’s security of client’s money, identity and other personal details.
As Mastercard reports, fintech is the biggest target of cyber attacks after healthcare. And too many fintech firms are vulnerable. Research by ImmuniWeb, an application security group, has found that 98 percent of the biggest global fintech startups are vulnerable to major cyber attacks. In 2019 the industry saw a 480 percent increase in the number of cyber attacks on regulated financial services companies, according to the Financial Conduct Authority (FCA), most of them from phishing, ransomware and data leakage.
The frequency of attacks has forced the International Monetary Fund to conclude that they amount to a full-on threat to financial stability. “As we become increasingly reliant on digital financial services, the number of cyber attacks has tripled over the last decade, and financial services continue to be the most targeted industry. Cyber security has clearly become a threat to financial stability,” the organisation concludes in a blog in December. “Given strong financial and technological interconnections, a successful attack on a major financial institution, or on a core system or service used by many, could quickly spread through the entire financial system causing widespread disruption and loss of confidence.”
And as the cost of hacking tools collapses and more bad actors get involved, the risks mount. “In our view many national financial systems are not yet ready to manage attacks while international coordination is still weak,” warns the IMF.
But management has not yet risen to the challenge either. The pandemic has increased cyber risk because more staff are working remotely, notes cloud security specialist Trend Micro. “Home networks, remote working software and cloud systems will be at the centre of a new wave of attacks in 2021,” it predicts in its latest report Turning the Tide. “Cyber-criminals will particularly look to home networks as a critical launch pad to compromise corporate IT and IoT networks.”
The main targets will be anybody who regularly accesses sensitive data such as sales managers holding information about customers and senior executives managing confidential company numbers. Also application programming interfaces (APIs), one of the most important tools of the fintech sector, will come under fire, predicts Trend Micro. “As third-party integrations reign, exposed APIs will become a new preferred attack vector for cyber-criminals, providing access to sensitive customer data, source code and back-end services.
In the long run artificial intelligence may come to the rescue by blocking all unauthorised access, but security experts say the looming prospect of a wave of attacks will force firms to invest heavily in training, especially of remote workers, as well as in systems that improve detection and response rates around the clock.
By common consent home working has greatly increased the risk of losing vital data. Yet, notes Ireland’s advisory and accounting firm HLB Sheehan Quinn in its 2020 cyber security report, more than half of organisations said their security procedures were not designed for remote working.
A much softer but by no means insubstantial risk arises in investors’ insistence on a culture of sustainability. Put another way, firms that aren’t seen as sustainable will lose potential and actual clients.
Climate-friendly behaviour is no longer optional as regulations steadily tighten, like the EU’s imminent rules on sustainable finance (SDFR). “Sustainability and responsible investment are becoming mainstream priorities for pension funds, insurers and other investors,” explains Melville Rodrigues, senior consultant for funds services in Ocorian, a specialist in fiduciary services, fund administration and capital markets, in a briefing in December. “Managers are responding with fund products that look to meet these priorities.”
And the obligations are onerous, applying from March 2021 to all products marketed into the EU including from non-EU managers. Rodrigues adds: “The SFDR requires fund managers, such as those operating as alternative investment fund managers (AIFMs), to disclose how they have integrated in their processes, including in their due diligence, an assessment of all relevant sustainability risks that might have a material negative impact on the financial return of a fund investment.”
Brexit won’t make things any easier. The UK government has already announced it will implement mandatory climate-related financial disclosures right across the economy by 2025 at the latest, but many disclosure obligations will come into force by 2023.
This is a bottom-line issue for investors who watch firms’ credentials closely. Indeed rating agency Scope has started ranking stock exchanges on the average environmental impact of their component stocks.
“Our assessment of environmental, social and governance impacts acts like an early warning system for portfolio managers, showing where future regulatory risks and associated costs lie through the analysis of today’s impacts by factor, sector and geography,” said head of ESG Diane Menville in mid-December. Incidentally, also in December France’s CAC40 index scored higher than Germany’s DAX30. “In ESG impact CAC40 has a greener global footprint than DAX30,” notes Scope, putting the former at 6.5 out of a perfect 10 compared with the latter’s 6.3.
Lobby groups are watching too. In mid-December UK-based Make My Money Matter gave a pat on the back to the mighty New York State Pension Fund with $193.4bn under management after it promised to sell shares in companies, mainly oil and gas, by 2040 if they are still contributing to global warming. Meantime Make My Money Matter is lobbying the UK government to require all pension funds to report on their emissions projections up to 2050 and align their portfolios with the Paris Agreement.
Investment firms are rapidly waking up to the risks of climate-hostile actions. Luxembourg-based investment manager Lombard Odier is one that has committed to a “bio-friendly” philosophy built around the CLIC economy, standing for circular, lean, inclusive and clean. It’s a new world in investment, say portfolio manager Alina Donets and head of CLIC Kristina Church. “Global businesses already recognise the need for transformation toward circular and lean operating models,” they explain in a paper released in December.
This is seen as virtuous and profitable. Lombard Odier has identified 550 bio-friendly companies, mostly small and mid-cap, that offer “superior growth profiles and excess economic returns, combined with solid ESG credentials including assessment of any controversies.”
French neo-insurer Luko could be the new model. The home insurance specialist, which has just raised €50m in a second round of funding, has grown six times since its launch in 2018 on the back of the kind of ethical behaviour that increasingly attracts customers. At the end of every financial year the insurtech, boasting 100,000 clients, hands to charities any premiums in the pool that haven’t been used to refund claims. The policyholders choose the charities.
In a fast-developing industry based on high technology, firms that fail to keep up will suffer, for instance in cross-border payments. As the Bank for International Settlements (BIS) pointed out in a report in August, cross-border payments are generally “slower, more expensive, less transparent and less accessible than domestic payments.” Consequently, the G20 has made them a top priority and has asked the Financial Stability Board (FSB) to address systemic issues.
As a report by America’s Association for Financial Professionals makes clear, this will necessarily involve investment, planning and technology. Citing the importance of “operational improvements that can be made to domestic and international payment infrastructures,” notes the association in November, the FSB sees opportunities to reduce problems caused by different operating hours, long transaction chains, high funding costs, access regimes, and weak competition.”
The pandemic has made reforms more urgent. As the association notes, the BIS believes that the crisis has “amplified calls to reinforce coordination and reduce fragmentation in cross-border payment systems.”
And that may increase competition in a shrunken, pandemic-hit market. As McKinsey & Co has calculated, global payments revenue will probably fall by seven per cent – equivalent to $170bn – in 2020. And the established institutions are fighting back. Working with more than 20 banks, SWIFT is expanding into lower-value transfers for SMEs and consumers with fewer friction points in what it calls “predictable payments”.
In this market there are only the quick and the dead.