Banking & Payments

H.K. research body ASTRI ready to expand cyber-security projects

Audit results should give ASTRI the green light to turn PoCs on cyber-security into projects with banks and HKMA.

A Hong Kong research body backed by the government is about to put its cyber-security efforts with banks into higher gear once it receives what it hopes will be a positive audit of its capabilities.

ASTRI, the Hong Kong Applied Sciences and Technology Research Institute, is due to pass an audit conducted by two independent consultants, says Ieong Meikei, chief technology officer.

Assuming the institute receives this validation, which is due this month, it will accelerate its work with the Hong Kong Monetary Authority and leading commercial banks in the territory. ASTRI is part of an ecosystem designed to promote innovation, including the Hong Kong Science and Technology Parks Corporation and Cyberport.

DigFin understands one of the consultants conducting the audit is EY, and the other is a smaller, non-Big Four accountancy.

Defending the castle
Cyber-security is one of ASTRI’s core areas of focus. On the third floor of its office in the New Territories is its Cyber Range, where its people, including ethical hackers, trawl the dark web for threats against financial institutions or the government.

The Hong Kong Monetary Authority also has an innovation lab on the same floor, and the HKMA and ASTRI collaborate on building cyber defenses, and coordinate to improve training and collaboration with banks.

Ieong says ASTRI is still working on an assessment of Hong Kong’s cyber defenses. He declined to be drawn into detail, but says that although the level of sophistication is high – as befits one of the world’s leading financial centers – there is a lack of breadth. In other words, not enough people are trained in the arts of cyber defense.

“We realize there is a gap. We need to build our local expertise,” Ieong told DigFin.

From PoC to deployment
Although ASTRI has been working with the HKMA as well as the Hong Kong Association of Banks on cyber-security, these have been more proof-of-concept projects than full-throttle implementations. ASTRI has been careful to ensure that whatever solutions it brings to banks are solid.

Hence the twin audits.

“These projects will affect our partners,” Ieong said. “They need to be done right, with independent audits and feedback, before we can deploy financial solutions.”

Now that such validation is nearly in hand, though, ASTRI is preparing to turn its research into actual tools to defend Hong Kong from cyber threats, such as hacking into accounts or hijacking digital identities.

And as more human activity goes online, to smartphones, or via the Internet of Things, financial systems become more vulnerable to attacks.

Counting the costs
According to a report on Hong Kong fintech issued by the Financial Services Development Council in May 2017, worldwide cyber-security spending topped $75 billion in 2015, and is expected to exceed $150 billion by 2020; meanwhile, the cost of cyber-security breaches is on track to hit $2.1 trillion by 2019.

Hong Kong has not been immune to these risks: in April 2017, the South China Morning Post reported that hackers had stolen HK$110 million ($14.1 million) from local securities brokers over a period of 18 months.

ASTRI’s various units help share information on hacks among banks, technology vendors, and government bodies, as well as with counterparts in mainland China. They provide alerts, help develop protective software (including screens powered by artificial intelligence), and support training and education, in order to raise domestic capabilities.

As a research institute, ASTRI is also looking at future risks, notably how to defend blockchain against hacks by quantum computers. (Blockchain and A.I. are also prominent research topics, in addition to cyber-security; Ieong and ASTRI will be announcing new blockchain initiatives at the upcoming Hong Kong Fintech Week.)

Next on ASTRI’s to-do list is to extend what it has learned in banking to the insurance industry. It is just beginning to share results in cyber-security and other areas, such as KYC, with the Hong Kong Insurance Authority and the local Federation of Insurers. The insurance industry is looking for technology to help combat fraud as well as hacks.

Ieong says ASTRI can only play such a role once it has proven itself. “We don’t run too fast,” he said. “First we have to do a good job for the banks. Then we can deploy our research elsewhere.”

Banking & Payments

What China’s new crypto law is all about

DigFin asked the legal eagles at Latham & Watkins to tell us what we need to know.

Image by Jack Moreh on Stockvault

In late October, China passed a cryptography law that goes into effect on January 1, 2020. The law itself is short on specifics but makes a distinction in how Beijing is likely to treat blockchain-related projects serving the state, versus those being pursued for commercial purposes.

The law also comes at a time of heightened expectations that the People’s Bank of China will issue a digital renminbi, about which there has been much speculation and guesswork. The law doesn’t directly address any framework for a digital renminbi, which, although a government project, would involve private-sector wallets and payments in order to propagate the currency.

Given this situation, DigFin figured whatever clarity exists will have been parsed by the legal industry.

Latham & Watkins’ counsel Simon Hawkins, who leads the firm’s financial regulatory practice for Asia Pacific, and his colleagues compiled the following report for our readers. Thank you, L&W.

The crypto law

The new cryptography law is not specific to (and does not mention) financial services, fintech or digital currencies. The definition of “cryptography” is very broad and, while the introduction of the law is timely in the context of the PBoC digital currency project and other high-level government pronouncements about the potential for using blockchain technology (which inherently relies upon cryptography), there are many other industries in which cryptography is used (e.g., defense, telecoms, military hardware, government I.T. systems, certain consumer software, etc) and the new law provides a framework that would also cover those industries.

State secrets?

The law is a framework. In due course, State cryptography administrations will develop cryptography administration regulations that will supplement the law. In some parts the law is intended to work in conjunction with the existing PRC Cybersecurity Law.

While the law is clearly a significant development and paves the way for specific standards and controls to be applied to cryptography, it is not entirely clear how the law will be applied in the context of the PBoC’s digital currency project. This is partly because it is not immediately apparent whether/how cryptographic technology that is involved with/linked to the PBoC digital currency will be categorized under the new law.

Stricter controls and standards apply to cryptography involving state secrets. There is a question as to whether there will be aspects of the technology underpinning the digital currency that will be state secrets – and, by extension, whether cryptographic solutions to be used in conjunction with the digital currency will also be characterized as involving state secrets. Or will it be regarded as purely commercial cryptography, with no state secrets involved?

Even commercial cryptography can become subject to more onerous rules or requirements under the new law if the commercial cryptography involves state security, the national economy and people’s livelihoods, and/or the social public interest.

It is not a stretch to imagine how these triggers could be met if the PBoC digital currency has a high uptake after it is launched.

State versus commercial

The law distinguishes between three types of cryptography: (1) core cryptography, (2) common cryptography and (3) commercial cryptography.

Core cryptography is used to protect top secrets of the State and common cryptography is used to protect confidential secrets of the State.

Commercial cryptography is used to protect information that is not related to, or does not involve, State secrets.

Core and common cryptography are strictly managed by government authorities. The law stipulates that the State’s confidential information must use core and common cryptography for encrypted data protection and security certification.

Commercial cryptography, on the other hand, is for the protection of information not considered State secrets. It can be used by businesses and individuals to enhance the security of information that exists on, or is transmitted through, the internet.

Where does the digital yuan fall?

In the context of the PBoC digital currency project, it is not immediately clear whether wallet providers for the digital currency would fall into the common or commercial categories of cryptography.

Presumably this could depend on whether the protocols on which the digital currency operates are considered to be State secrets, in which case a wallet provider using cryptography to protect the integrity of the wallet could be subject to the higher standards for common cryptography imposed by the new law.

On the other hand, the cryptography used in e-wallets that currently exist for existing stored value/payments platforms in China (i.e., where the wallet reflects a digital version of cash in a bank account) appears more likely to fall into the commercial cryptography category.

And wallet operators?

Critical information infrastructure operators (CIIOs) are treated in a similar way under this law as they are under the Cybersecurity Law.

CIIOs will be required to seek assessment and approval by a government authority when procuring cryptography solutions in certain cases. This is not too dissimilar from the way that CIIOs are impacted under the Cybersecurity Law when they process certain personal information – meaning this in some way aligns the requirements for CIIOs in respect of processing personal information and now cybersecurity.

Wallet providers for the PBoC digital currency could, if they achieve sufficient scale, become CIIOs and become subject to the State security review procedure (this could be unpalatable for foreign-invested enterprises that are categorized as CIIOs).

The use of commercial cryptography in the context of “mass consumer systems” is not expected to need an export/import licensing review, suggesting the law is more focused on State secrets and CIIOs, and the use of commercial cryptography for those types of solutions.

However, “mass consumer systems” is not defined in the law so it is not obvious whether wallet providers would be classified as “mass consumer systems” under the law.

What about foreign-invested providers?

Commercial cryptography products involving State security, national economy and people’s livelihood, and social public interests will be included in the catalogue of critical network equipment and dedicated cybersecurity products.

Such products cannot be sold until they have passed the testing and certification conducted by a “qualified agency.” The applicable provisions of the Cybersecurity Law will apply to the testing and certification of such commercial cryptography products.

It is possible that digital currency wallets could be subject to these requirements if they are regarded as commercial cryptography products that involve state security, national economy and people’s livelihood and/or social public interests – and this outcome may be unpalatable for foreign-invested enterprises that develop such products.

Interoperability of wallets – including abroad

Parts of the law focus on and appear to encourage standardization, reflecting perhaps a desire to achieve greater interoperability of systems over time (which is a problem associated with blockchain technology).

The law also specifically mentions that the State promotes participation by enterprises, social groups and educational and scientific research institutions in international standardization activities on commercial cryptography.

Even though the PBoC rhetoric on the digital currency project so far has focused only on its domestic usage, this could be a nod to potential cross-border development of the digital currency in due course (or at least there does appear to be some scope for this under the law).

Misconduct

The law imposes penalties for misconduct. For example, those who discover vulnerabilities in core and common cryptography (i.e., cryptography used for matters involving state secrets) but fail to report them to authorities may be subject to liability and punishment under the law. In addition, persons involved in commercial activities relating to unauthorized cryptography products and services may also be subject to punishment under the law.

Banking & Payments

Revolut’s live in Asia. Now what?

The fintech is competing in an environment very different from its home market.

Jakub Zakrzewski, Revolut

In Europe, Revolut now has around 7 million users after just four years of operation, making it one of the world’s most exciting fintech companies. It’s now live in Asia, having just made its debut in Singapore, and with Australia and Japan waiting in the wings.

But Asia has already proved to be a tougher challenge than Europe, as Singapore-based managing director Jakub Zakrzewski acknowledged in his recent sit-down with DigFin.

What is Revolut? It’s a debit account-app aimed at affluent people who travel, with services that undercut banks. For a monthly fee, Singaporean residents can open a debit account via their mobile, receive a Revolut card (plastic or metal), and use it to spend worldwide in Singaporean dollars or 12 other currencies. Revolut offers interbank rates for foreign exchange and free money withdrawals worldwide. In Europe, Revolut also offers free commissions on trading stocks or cryptocurrencies (like RobinHood in the U.S.).

Singapore has plenty of customers that could be Revolut users. But scaling in Asia will be difficult. First of all, the region presents all companies, especially fintechs like Revolut, with the challenge of fragmented markets.

The culture offers a challenge too. Banks in Asia, especially in Singapore, are already at the forefront of digital innovation (at least by bank standards). In 2014, when Revolut was founded, the mood in Britain was in full hate-the-banks swing; but today, Asians still trust their big bank brands.

Finally, the competitive landscape is different to what Revolut grew up with: there’s no Grab or other “superapp” competition in London or Berlin. Singapore, on the other hand, boasts not only Grab but also an endless parade of consumer-facing fintechs.

The MAS is also about to issue virtual bank licenses. Revolut debuted in Britain, where there was already a healthy environment of challenger banks, but none of them (Monzo, Starling, etc) were built on the capital or sophistication of superapps. In Singapore, the likes of Grab as well as big players like Singtel have indicated they’ll compete to win these licenses.

Launch delays

Zakrzewski says the fragmented nature of the region was a bigger hurdle than the company initially understood. Revolut won a money-operating license from the fintech-friendly British Financial Conduct Authority, which allowed it to market throughout the European Union. Its license in Singapore is just for Singapore, so expanding to new markets means extra layers of cost and complexity.

But this was not the real reason why Revolut’s launch was delayed, after having been announced for the start of this year or even earlier.

There were two factors to the delay. One was regulation. The Monetary Authority of Singapore has recently passed a Payments Services Act that consolidates licenses, but until then, Revolut had to operate one license for storing money and another to remit it.

The second hurdle was talent.

“In Europe,” Zakrzewski said, “startups are seen as fun and innovative, and offer higher risk but higher rewards. In Singapore, there is still the perception that people want to work for big corporate brands. They want the prestige and pay of a top-tier investment bank or consultancy.”

As a result, “We spent a crazy amount of time on recruitment, working to convince people that it’s better to be early [by joining a fintech] so you’re not playing catch-up when your experience is no longer relevant.”

Payment partners

So now that Revolut has launched in Singapore, with about 30,000 users, how does the company maintain that pace?

One boost comes from global deals cut in London with VISA and Mastercard. The payment companies will support Revolut issuing their credit cards. This kind of brand recognition should support Revolut’s rollout. (Recent news about the company seeking a $20 billion valuation for an IPO is also helpful, Zakrzewski says.) The card companies have seen fintechs like Revolut carve out a slice of the market for forex, and prefer to team up so that money circulates through their payment rails.

But that’s more of a bonus rather than core to Revolut’s Asia prospects. To make an impact, it will have to maintain a furious pace.

“If we don’t continue to innovate, we’ll be disrupted,” Zakrzewski said. “The barriers to innovation are coming down every year.”

That innovation is primarily about finding ways to improve the customer experience, he says.

Do the economics work?

But is that sustainable? Ride-hailing app companies are losing money, and the torpedoed WeWork IPO in the U.S. shows the limits to customer numbers. In Singapore, most people are spoiled for choice when it comes to credit cards, for example.

“It’s not going to be a bloodbath,” Zakrzewski said. “We’re not going to throw money around like a ride-hailing company. We’re going to focus on the best [finance] product that keeps people using it.”

Revolut in Europe has succeeded in building user numbers by offering things like free commissions. But commission-free just suggests that a great swathe of financial services is headed towards zero rates. How does anyone, fintech or bank, make money? What’s the premium service that customers will pay for?

Zakrzewski disputes the premise. “Things are not going to end up at zero. They’re going to a level better understood by clients.”

Revolut versus the banks

The difference, he argues, is that traditional banks are hampered by quarter-to-quarter thinking and rely on big marketing budgets to remain relevant. Fintech players like Revolut, as well as e-commerce and other disrupters, will force banks to go through a massive restructuring, as they focus on growing revenue and cutting costs.

That doesn’t mean going entirely digital, either. But it does imply that financial institutions still have a formidable transformation ahead.

Despite the presence of Amazon and Shopify, “There are still retail shops, for niche things,” he said. “Brick-and-mortar banks will have a similar role. But every bank should become a technology company.”

Sounds slick – but it doesn’t answer the question of what customers will continue to pay for. Zakrzewski provides an additional answer:

“We will all compete on service, not on price, by relying on an agile tech stack for a leaner cost structure, and on good developers to provide better products.”

Transformation for all

In a twist, he says banks have actually been very innovative. Just at things that aren’t going to be relevant anymore.

“Incumbents have been innovative when it comes to hiding fees, in order to make more money.” The transparency, efficiency and good digital experience that fintechs can bring will render this model increasingly moot.

Banks will instead find themselves on the same hamster wheel as Revolut and other fast-paced companies, fighting for the same talent to build the best product, and constantly innovating. Zakrzewski says the introduction of virtual banks will provide the industry with a necessary jolt to make banks more competitive.

One thing that banks tend to be good at, or at least have resources to manage, is cyber security. As open APIs create new vulnerabilities, fintech companies will find themselves increasingly under attack. How can a firm such as Revolut protect itself and its users, without spending the billions of dollars that global banks dedicate to security?

Revolut this year hired its first chief information security officer. Zakrzewski thinks this could lead to a new wave of services. “This needs to be the new normal for any tech company. I can see ‘Information Security as a Service’ becoming a thing.”

Alongside this is using customer engagement to educate users about data and money storage.

Superapp strategy

What about the superapps? Revolut has no experience of these behemoths in Europe. How will it compete against them, particularly given their deep, deep pockets?

“We focus on providing the best experience in financial services,” Zakrzewski said. “And you know what? It’s really hard.” He believes digital conglomerates lack the expertise, focus and DNA to do fintech well. 

All of this comes down to Revolut’s, or any company’s, ability to keep pleasing its users. It’s working in Europe. But Asia’s a different environment.

Zakrzewski says the only way to survive is to rely on local talent to make decisions and reward innovation. “Great companies fail in Asia if they can’t localize and iterate,” he said.

Banking & Payments

Singtel advances banking ambition with OCBC

Can the telco use its mobile partner network to beat techfins, fintechs, and banks?

Singtel has added OCBC Bank as a mobile payments partner, enabling the bank’s customers to reduce their need for cash when visiting Thailand or Japan. But the telco’s e-wallet is only a stepping stone to its becoming a bank. Singtel and OCBC are expected to jointly apply for a virtual-banking license in Singapore (although Singtel might yet decide to seek a license independently). What might this look like?

OCBC is the second regional bank, after Thailand’s Kasikorn Bank, to join the telco’s mobile-payments platform, an app called Dash. Bank customers can use their own banking apps to make Singapore-dollar denominated, cashless payments with merchants in Singtel’s network, which it calls VIA.

Singapore’s digital infrastructure makes this possible, as Dash users can move money easily thanks to MyInfo (for data sharing), PayNow (for peer-to-peer funds transfer), a local standard for QR codes, and Singaporean banks’ early lead in developing open APIs.

As of the end of 2018, Singtel said it has over half a million Dash users, including Singapore residents, tourists, and – most importantly – foreign workers in Singapore. Such workers are often lower-income people who are not well served by banks and who join Dash to remit money home. Singtel is now gradually adding more financial services to Dash, such as very basic insurance packages from NTUC Income, says Valerie Law, an analyst writing on Smart Karma.

The ambition

But Singtel is looking at a market for banking services 100 times bigger: the 50 million consumers and 2 million merchants in its VIA network across Singapore, Malaysia, Thailand, Indonesia and Japan.

In addition, the mobile payments industry in Southeast Asia is vast, driven by high adoption rates of smartphones. Singtel has partnered with Razer, an e-gaming company that is in talks to acquire MOL Global, a major e-payment network in Southeast Asia that is used by e-commerce giants like Lazada and Grab.

Valerie Law has identified a few strengths of Singtel as a virtual bank. (Be sure to check out her various reports on Smart Karma, which go deep into the details and also provide a good competitor landscape.)

Singtel’s strengths…

First, while the license prohibits bank branches, Singtel nonetheless has lots of shops and kiosks around Singapore, where users go to top up airtime, among other things – an infrastructure that could be readily converted to topping up money or to pitch users financial products. Bundling telco and payments should help Singtel build a deposit base in short order.

Secondly, in Singapore, many merchants accept Dash, so there’s a ready network of players to accept payments and offer deals such as cash back, giving Dash the opportunity to evolve into a “lifestyle app”. Dash can also be used to pay for public transportation (unlike Grab). And it offers competitive foreign-exchange rates for local markets.

…and weaknesses

Law also noted the app has flaws, such as no customer support, not even a chatbot. And its remittance function only works with recipients on the network, which means no one can direct money back home to pay bills directly to a hospital, for example.

Indeed, Singtel would be going up against companies such as Grab, LINE and Alibaba that have well-developed user bases and advanced processes, such as credit scoring, which provide them with an edge – while also fighting lifestyle fintechs such as Revolut (which is more positioned for affluent users), TNG (a direct competitor for the foreign-worker segment) and Oriente (which is offering consumer loans via local consumer conglomerates in the Philippines and Indonesia). Throw in remittance players like InstaRem and Transferwise, plus incumbents such as Western Union, and the picture gets muddy indeed.

Singtel’s best weapon, as close to a “sure thing” as exists in business, is that demand for mobile and mobile services will grow. As a leading telco, this is a big advantage; with a virtual-banking license, it will be able to add on a growing number of payment, deposit, lending, insurance and investment products.

So within its network of merchants and partner banks, Singtel looks competitive. The question is whether it can develop its wallets and other services to be competitive in the broader market.

Copyright © 2017 Digital Finance Media Limited. All rights reserved.