Francesco Cappelletti Blog

Financial Technology and security. An introduction to the situation in Italy and EU

April 3, 2019

Financial Technology (FinTech) is the provision of financial services and products through the most advanced information and communication technologies (ICT). FinTech is a subset of "financial innovation"; the Financial Stability Board defines it as “technologically enabled financial innovation that can result in new business models, applications, processes, products, or services with an associated material effect on financial markets and institutions and the provision of financial services”. It is characterized by the intensive use of digitalization and cloud computing, which support decentralized forms of intermediation (peer-to-peer transactions, internet platforms, and outsourcing). FinTech is used for crowdfunding, peer-to-peer lending, asset management, payment management, credit scoring, data collection, value exchange, and digital currencies or cryptocurrencies (such as Bitcoin). The security of financial technologies rests not only on the state of the art of the technology itself, but also on the know-how of the employees and specialized technicians who operate it.

Many FinTech processes, cryptocurrencies above all, are based on blockchain technologies, and this brings advantages and disadvantages. The technology is extremely versatile in terms of exchange of capital within these systems, and allows investments to move in near real time in a fairly safe way. However, while transactions on a public blockchain are recorded openly, the addresses involved are pseudonymous, so attributing a transaction to its real-world originator is difficult and in many cases practically impossible. This provides an opportunity for the technology to be used in extralegal applications. Meanwhile, shadow banking, a form of intermediation based on a variety of highly leveraged investment vehicles and other structures outside the regulated banking system, has expanded within the sector.

Some recent events illustrate the weakness of FinTech technologies in terms of cybersecurity, and highlight threats to the entire system:

  • The most famous campaign against the banking sector, the Carbanak Advanced Persistent Threat, is estimated to have stolen up to 1 billion dollars from around 100 financial institutions in some 30 countries starting in 2013 (also hitting the Italian banking system), before it was publicly documented by Kaspersky Lab in 2015.
  • The successful attacks against banks' SWIFT messaging infrastructure in 2016 and 2017, in which fraudulent payment orders were issued from compromised bank systems using legitimate operator credentials, rather than by breaching the SWIFT network itself.
  • In recent months Italian online banking customers have been targeted by a new banking Trojan called DanaBot, which infects customers' computers to harvest credentials and manipulate online banking sessions. Separately, in July 2017 UniCredit disclosed that the data of about 400 thousand Italian customers had been accessed through an external commercial partner, a breach that required no malware on the bank's own systems.

In the light of current threats, choosing to ignore the problem of cyber security in the FinTech sector, or to relegate it to a merely technical problem, is no longer sustainable. Cybersecurity must permeate corporate strategy top-down: from top management to the system administrators and maintainers of the financial sector. It must also be stressed that this does not only concern investments and inter-bank transactions. The lack of adequate security in online banking has direct effects on consumers, whose savings and digital identities are put at risk.

The European Parliament and the European Commission are paying increasing attention to cybersecurity and cyber threats, but in general there is a lack of legislation adequate to regulate the FinTech sector, given the surprisingly rapid expansion it has undergone. In the context of its ongoing monitoring of financial innovation, the European Banking Authority will continue to monitor the impact of FinTech on institutions’ business models. The European Commission has recognized that “FinTech has come to revolutionize the way in which traditional financial services providers work and interact with their customers […] It is changing the dominant paradigms by which traditional financial services are provided, resulting in a significant disruption. Given the rapid evolution of FinTech services, there is no consensus on a standard classification”.

The European Parliament asks member states to pay growing attention to cyber security and the adequacy of IT systems: “[It is important to] exchange […] information and best practices between supervisors [to] ensure the timely transposition of the directive on security of network and information systems (NIS Directive) […] welcoming the new public-private partnership on cybersecurity recently launched by the Commission with the participation of the industry; [the European Parliament] also asks the Commission to develop a series of new and concrete initiatives to strengthen the resilience of FinTech businesses in this sector against cyberattacks, especially SMEs and start-ups;”

Focusing on the modernization of the financial and banking system in Italy, the Italian banking system has followed the general trend of incorporating new technologies. The banking systems of European states are shifting to complete computerization, and international currency exchanges now take place on cutting-edge technological systems. As financial operations over the internet grew, Italy took relevant action to improve information technology security in the last decade. Each area of the country's system has been modernized, and new guidelines have been set in the last five years. The transposition of the European NIS Directive (Network and Information Systems) has imposed a verification of the effectiveness of the national architecture against the increasing sophistication of the threat and the strategic relevance of its targets, and of the commitments undertaken by Italy at the international level. Furthermore, the General Data Protection Regulation, adopted by the European Union and applicable from 25 May 2018, directs the country towards legal certainty, harmonization within the EU, and simpler rules for the transfer of personal data from the EU to other parts of the world.

However, in the analysis of the broad field of action of these European and Italian regulations, some problems remain unresolved as regards the threat of cyber-attacks.

Weakness of the FinTech system and cyberthreat issues

Countless steps have been taken towards greater cyber security in Italy. Nevertheless, the more recent measures, the Network and Information Security (NIS) Directive and the General Data Protection Regulation (GDPR), are insufficient in themselves to create a secure cyber environment for FinTech. The NIS Directive requires operators of essential services to adopt technical and organizational measures to manage risk and limit the impact of security incidents, and to notify incidents that have a significant impact on the continuity of the services they provide. The GDPR concerns the protection of personal data. Neither is specific to the banking, insurance and financial sectors: the NIS Directive lists banking and financial market infrastructures as two of several essential-service sectors, and the GDPR applies to any organization processing personal data. The most important legislation in this field is the European directive called Payment Services Directive 2 (PSD2), which for the first time specifically brings FinTech payment providers (payment initiation and account information service providers) under authorization and supervision, and requires strong customer authentication and secure communication between them and the banks that hold the accounts. The PSD2 directive is also a milestone in the founding of a new type of banking system, called Open Banking.

Periodic renewal of the security certifications of the IT systems of all banking institutions is also required. Furthermore, employees' basic knowledge of information technology is not always enough to guarantee a minimum level of protection during a crisis caused by a cyber-attack on the systems.

Criminal infiltration in FinTech sector: anonymity could facilitate money laundering

Organized crime reinvests the proceeds of illicit activities in intangible assets. Among the latest trends registered by the Italian Anti-Mafia Investigative Directorate (DIA), significant growth was seen in the investment of dirty money, including on the Internet. The reconversion of money through the purchase and sale of goods on the internet is called cyber-laundering: the use of a computer to form a transaction or a relationship involving property or a benefit, whether tangible or intangible, which is derived from criminal activity.

Criminal proceeds are used to purchase readily marketable goods or prepaid cards, which can later be sold for cash. Dirty money can also be used to purchase tickets, travel documents, household items and the like over the Internet for subsequent use or resale.

The difficulty of tracing these procedures lies in the anonymity guaranteed at many layers of the operation: accounts are opened with false or stolen documents or through fictitious companies with foreign offices, and in some phases of the transaction chain cash is used, so that a single transaction viewed in isolation cannot be tied to its true originator.

Finally, criminal groups proceed to purchase electronic money and use e-wallets. Blockchain-based wallets are often described as untraceable; more precisely, the transactions themselves are publicly recorded and can be followed from address to address, but the addresses are pseudonymous, so linking them to a real-world owner requires information from outside the chain, typically the customer records of an exchange.
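To make that distinction concrete, here is an added example (not code from the original post) that follows funds across a constructed toy ledger. The addresses, amounts, the "known-bad" source `addr_A` and the identity record for `addr_EXCH` are all invented for illustration; no real chain data is involved. It shows the two things a public ledger does make possible, following the hops from a flagged address and computing how much of each downstream balance is "tainted" when funds are mixed, and the one thing it does not: naming the owner of an address, which only succeeds where an off-chain record (here a hypothetical exchange KYC entry) exists.

```python
"""Trace funds across pseudonymous addresses on a constructed toy ledger.

Added example for illustration only. The ledger and the KYC record below
are constructed; they do not describe any real wallet, exchange or case.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    sender: str
    receiver: str
    amount: float


# Constructed ledger in chronological order. addr_A is the flagged source;
# addr_X is an unrelated, clean sender whose funds get mixed into addr_D.
LEDGER = [
    Tx("tx1", "addr_A", "addr_B", 10.0),
    Tx("tx2", "addr_B", "addr_C", 6.0),
    Tx("tx3", "addr_B", "addr_D", 4.0),
    Tx("tx4", "addr_C", "addr_EXCH", 6.0),  # deposit to a hypothetical exchange
    Tx("tx5", "addr_X", "addr_D", 1.0),     # clean funds mixed in
    Tx("tx6", "addr_D", "addr_E", 5.0),
]

# Hypothetical off-chain identity data: the chain itself never contains this.
KYC_RECORDS = {"addr_EXCH": "deposit address at hypothetical Exchange X"}


def trace_forward(ledger, source, max_hops=10):
    """Breadth-first walk over outgoing transfers from `source`.

    Returns {address: hop distance}. Every hop is visible because the
    ledger is public; nothing here needs to know who owns an address.
    """
    out_edges = {}
    for tx in ledger:
        out_edges.setdefault(tx.sender, []).append(tx.receiver)
    hops = {source: 0}
    queue = deque([source])
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue
        for nxt in out_edges.get(addr, []):
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def taint_shares(ledger, source):
    """Proportional ("haircut") taint: the share of each address's inflows
    that traces back to `source`, diluted wherever clean funds are mixed in.

    Assumes the ledger is chronological and addresses spend only what they
    have already received, which holds for the constructed data above.
    """
    received = {}  # address -> (total inflow, tainted inflow)

    def share(addr):
        if addr == source:
            return 1.0
        total, tainted = received.get(addr, (0.0, 0.0))
        return tainted / total if total else 0.0

    for tx in ledger:
        tainted_out = tx.amount * share(tx.sender)
        total, tainted = received.get(tx.receiver, (0.0, 0.0))
        received[tx.receiver] = (total + tx.amount, tainted + tainted_out)
    return {a: round(t / tot, 4) for a, (tot, t) in received.items()}


def attribute(addresses, kyc=KYC_RECORDS):
    """Map addresses to owners using off-chain records; most stay unknown."""
    return {a: kyc.get(a, "unknown owner") for a in addresses}


if __name__ == "__main__":
    hops = trace_forward(LEDGER, "addr_A")
    taint = taint_shares(LEDGER, "addr_A")
    owners = attribute(hops)
    for addr in sorted(hops, key=hops.get):
        print(f"{addr:10s} hop={hops[addr]} taint={taint.get(addr, 1.0):.2f} owner={owners[addr]}")
```

The walk reaches every downstream address, and the taint computation shows that mixing one clean unit into `addr_D` dilutes its share to 0.8 without hiding the trail. The attribution step is where anonymity actually lives: all addresses except the exchange deposit address come back as "unknown owner", which is why investigators concentrate on the points where crypto-assets meet regulated intermediaries.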

Conclusions

While technological progress now provides advanced tools to protect data and systems, the human factor continues to be the weakest point of security. The most advanced technical measures can lose their effectiveness entirely if the preparation of the people who use them is not considered carefully. The top management of every Italian bank must provide all institution personnel with dedicated training covering at least the basic notions of security.

More generally, to reduce exposure to cyber threats it is also fundamental to keep checking for obsolete devices and software inside Italian credit institutions. Where these can no longer be updated, they must be decommissioned.

It would also be very useful to prepare new joint cyber-defence exercises among EU member states, paying attention to the financial sector. During these exercises, stress tests of the networks should be performed, the whitelists of trusted partners checked, and cyber attacks simulated through threat modeling and penetration testing.

Finally, more transparency between banking institutions affected by cyber-attacks is essential, by sharing reports on attacks so that in-depth analyses can be produced. This is generally difficult in the world of cyber security because in every European country the tendency is to deal with specific issues “internally”. Furthermore, in the case of banking institutions, disclosure is feared to lead to a loss of client trust.

Sources:

  1. CLUSIT, ASSOCIAZIONE ITALIANA PER LA SICUREZZA INFORMATICA (Italian Association for Information Security), “Rapporto CLUSIT 2018 on ICT security in Italy”, 2018; (https://web.uniroma1.it/infosapienza/sites/default/files/rapporto_clusit_2018.pdf - Last online access 01/12/2018)
  2. N. BAUERLE, “How Could Blockchain Technology Change Finance”, COINDESK.COM; (https://www.coindesk.com/information/how-blockchain-technology-change-finance - Last online access 01/12/201)
  3. S. BIMBO, E. COLAIACOVO, “SCADA, Supervisory Control And Data Acquisition”, Ed. APOGEO, Roma, 2010
  4. BANK OF ITALY, “Speech by Carmelo Barbagallo, Director General for Financial Supervision and Regulation, Bank of Italy”, Milan, July 23 2018; (https://www.bancaditalia.it/pubblicazioni/interventi-vari/int-var-2018/barbagallo-20180723.pdf - Last online access 01/12/2018)
  5. BANK OF ITALY, “Shadow banking out of the shadows: non-bank intermediation and the Italian regulatory framework” (Carlo Gola, Marco Burroni, Francesco Columba, Antonio Ilari, Giorgio Nuzzo, Onofrio Panzarino), BANCADITALIA.IT, February 2017; (https://www.bancaditalia.it/pubblicazioni/qef/2017-0372/index.html?com.dotmarketing.htmlpage.language=1 - Last online access 01/12/2018)
  6. DIA, DIREZIONE INVESTIGATIVA ANTIMAFIA (Anti-Mafia Investigative Directorate), “Report of the Minister of the Interior to the Parliament”, Roma 2017; (http://direzioneinvestigativaantimafia.interno.gov.it/semestrali/sem/2017/1sem2017.pdf - Last online access 01/12/2018)
  7. DIRECTIVE (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (Text with EEA relevance); (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366)
  8. EUROPEAN BANKING AUTHORITY, “Report on the impact of FinTech on incumbent credit institutions' business models”, 03 July 2018; (https://eba.europa.eu/documents/10180/2270909/Report+on+the+impact+of+Fintech+on+incumbent+credit+institutions%27%20business+models.pdf - Last online access 01/12/2018)
  9. EUROPEAN PARLIAMENT, “Report on FinTech: the influence of technology on the future of the financial sector”, 28 April 2017; (http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A8-2017-0176+0+DOC+XML+V0//EN - Last online access 01/12/2018)
  10. EUROPEAN SYSTEMIC RISK BOARD, “Securities financing transactions and the (re)use of collateral in Europe. An analysis of the first data collection conducted by the ESRB from a sample of European banks and agent lenders”, Occasional Paper Series n. 6, September 2014.
  11. FINANCIAL STABILITY BOARD, “Shadow Banking: Strengthening Oversight and Regulation”, Recommendations of the Financial Stability Board (Basel: Bank for International Settlements), 2011.
  12. ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), “Destructive Malware”, ics-cert.us-cert.gov, 2017; (https://ics-cert.us-cert.gov/Information-Products - Last online access 01/12/2018)
  13. ITALIAN PARLIAMENT DEFENCE COMMITTEE, Fact-finding inquiry on security and defence in cyberspace, Roma, December 21 2017; (http://www.camera.it/leg17/1102?id_commissione=04&shadow_organo_parlamentare=0&sezione=commissioni&tipoDoc=elencoResoconti&idLegislatura=17&tipoElenco=indaginiConoscitiveCronologico&calendario=false&breve=c04_cibernetico&scheda=true - Last online access 01/12/2018)
  14. ITALIAN PRIME MINISTER, “Piano nazionale per la protezione cibernetica e la sicurezza informatica nazionali, di cui all’art. 3, comma 1, lettera c), della Direttiva recante indirizzi per la protezione cibernetica e la sicurezza informatica nazionali, allegato al decreto” (National plan for cyber protection and national information security), Roma, 31/05/2017, (Prot. n. 0053289 Reg. U);
  15. PRESIDENZA DEL CONSIGLIO DEI MINISTRI (Presidency of the Council of Ministers) - Information System for the Security of the Republic, “Relazione sulla politica dell’informazione per la sicurezza” (Report on intelligence policy for security), Roma, 2017; (http://www.sicurezzanazionale.gov.it/sisr.nsf/relazione-2017.html - Last online access 01/12/2018)
  16. PRESIDENZA DEL CONSIGLIO DEI MINISTRI (Presidency of the Council of Ministers), “National Strategic Framework for Cyberspace Security”, Roma, December 2013; (https://www.sicurezzanazionale.gov.it/sisr.nsf/wp-content/uploads/2014/02/quadro-strategico-nazionale-cyber.pdf - Last online access 01/12/2018)
  17. REGULATION (EU) 2016/679, “Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”, April 27, 2016; (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679 - Last online access 01/12/2018)
  18. D. SHANE, “$530 million cryptocurrency heist may be biggest ever”, CNN.COM, January 29 2018; (https://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-japan/index.html - Last online access 01/12/2018)
  19. A. SHLEIFER, R.W. VISHNY, “Unstable Banking”, Journal of Financial Economics, Vol. 97, September 2010
  20. A. STARGAME, “Cryptocurrencies and Mafia”, FORBES.COM, April 26 2018; (https://www.forbes.com/sites/rahulsingireddy/2018/03/06/the-stanford-bitcoin-mafia/#4b15930374c2 - Last online access 01/12/2018)
  21. W. SCHWARTAU, “Information Warfare”, 2nd edition, 1996