"Risk Management in Open Finance Era"
This presentation on "Risk Management in Open Finance Era" is an attempt to visualize new Operational Risk & Information Security strategies through industry development lenses, and simultaneously to "zoom" into the details of operations, threats and technical enablers for sound risk management that fits the new paradigm of 'Open Finance'.
For example: to ensure a #ZeroTrust strategy and #ComposableArchitectures, or even to help the business accelerate by 'capitalizing' on the Risk Data Value Chain and on #DifferentialPrivacy.
#RiskTech 4 #FinTech
2. Risk Management in Open Finance Era
Image: ansonmiao
- Helicopter view on 'Open Finance' and on the associated transition risks & opportunities.
- Capitalizing on the 'Risk Data Value Chain' – three use cases.
- Tech Enablers (Smart Data Sharing – the key enabler for the next ecosystem).
3. What is different about Risk Management in FinTech?
Data: a brand new Risk Framework. Traditional closed-perimeter defense model vs. a new, open, third-party information sharing & outsourcing ecosystem model.
Openness & Partnerships: "Open Finance" (cross-)industry data sharing and endless open-source opportunities.
5. Open Ecosystem challenges in a highly regulated industry
- how to secure data
- how to share data not only securely but smartly
Analogy from the tech industry:
- Think about a restaurant reservation application that has Google Maps embedded into it.
- APIs allow external applications to read data from Google and portray the data in their own applications.
What we need in the case of Open Finance is:
#1. A 'new perimeter(s)'. #2. Smart ways to ensure secure data sharing.
7. WHO
• Banks, Fintechs & other companies involved in the personal finance business.
WHAT
• DataAPI and PaymentAPI services via AISP & PISP.
HOW
• B2B business, an intermediary between the Banks and 'all kinds of Fintech' companies.
• Providing an API service in a highly specialized ecosystem market, itself using third-party infrastructure in the Cloud.
• Efficiently, securely and in compliance with existing laws and regulations.
Open Banking's simplified (PSD2) WHO, WHAT and HOW.
8. A path from OpenBanking to DataEconomy via OpenFinance
- different Strategies to achieve it in different jurisdictions (market-driven, regulatory-driven, or hybrid)
- Industry development lenses (the ecosystem of partners)
- technical Enablers (API connectivity)
1) 'Who is Who' in open banking – mapping of the companies' business model differentiators in today's Open Banking.
2) 'Who will be Who' in the next Ecosystem of Open Finance – why Banks must become the Data Custodian in the Data Economy.
- Implementation of the data strategy is a supranational task for the EU. The European Commission published a Data Strategy proposal in 2019 (https://lnkd.in/dWG9Uqu) to allow the EU to take full advantage of data-driven innovation by managing the cross-sectoral use of data (in health, manufacturing, agriculture, mobility, energy, etc.).
- So it is for the UK too, where the concept of Open Banking is part of the wider Smart Data Strategy declared by the UK's government.
9. A dilemma between proper regulation and efficient growth, at the design level
- the evolution of the Internet is different from the path taken by traditional media like Radio, Telephone or Television.
- security is a Negative goal.
11. #1. A 'new perimeter(s)': Zero Trust Architecture (ZTA) uses zero trust principles to plan infrastructure & workflows.
ZT assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).
With the movement towards Openness and the Cloud, to minimize the increased risks of connectivity.
> > > ZERO TRUST ARCHITECTURE 4 CONSUMER TRUST
12. The key tech enablers for Open Banking are external APIs, but...
https://www.openbanking.org.uk/providers/account-providers/api-performance/
- But, unlike more mature areas of cybersecurity, when people talk of API security, they mean lots of different things.
- 'Questions Every Executive Should Ask About Their APIs' by NIST:
Asset Management: How many APIs do we have? What do the APIs do? Who are the API owners?
13. Is PSD2's SCA a good fit for Open Finance?
8 major challenges within the technical aspects (SCA) of the EU Open Banking regulation, ranging from "too strict" 2FA to the OS upgrade discipline of smartphone holders.
14. SCA vs. Smart Data Sharing Technologies Designed for an Ecosystem
What is Differential Privacy?
https://www.youtube.com/watch?v=-JRURYTfBXQ
No need for most of the data to be shared at all!
15.
- Differential privacy: where noise is added to an analytical system so that it is impossible to reverse-engineer the individual inputs.
- Federated analysis: where parties share the insights from their analysis without sharing the data itself.
- Homomorphic encryption: where data is encrypted before it is shared, such that it can still be analyzed but not decoded into the original information.
- Zero-knowledge proofs: where users can prove their knowledge of a value without revealing the value itself.
- Secure multiparty computation: where data analysis is spread across multiple parties such that no individual party can see the complete set of inputs.
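A worked example of the differential privacy item above, added here and not part of the presentation: a bank releases a noisy aggregate (Laplace mechanism) to an ecosystem partner instead of the underlying customer records, and the likelihood ratio shows why a single customer's record cannot be reverse-engineered from the released number. The customer data, threshold and epsilon are constructed assumptions.

```python
import math
import random

# Constructed sample (hypothetical): customer id -> card transactions last month.
CUSTOMER_TX_COUNTS = {
    "c001": 12, "c002": 47, "c003": 3, "c004": 88, "c005": 150,
    "c006": 61, "c007": 9, "c008": 205, "c009": 33, "c010": 74,
}

def count_above(records, threshold):
    """Exact answer to 'how many customers made more than `threshold` transactions?'"""
    return sum(1 for n in records.values() if n > threshold)

def laplace_sample(scale, rng):
    """Laplace(0, scale) noise as the scaled difference of two Exp(1) draws."""
    return scale * (rng.expovariate(1.0) - rng.expovariate(1.0))

def dp_count_above(records, threshold, epsilon, rng):
    """Laplace mechanism. A counting query has sensitivity 1 (adding or removing
    one customer moves the exact count by at most 1), so noise of scale
    1/epsilon gives epsilon-differential privacy for the released number."""
    sensitivity = 1.0
    return count_above(records, threshold) + laplace_sample(sensitivity / epsilon, rng)

def average_release(records, threshold, epsilon, n, seed):
    """Mean of n independent releases: the noise is unbiased, so the partner
    still receives a usable aggregate without seeing any customer record."""
    rng = random.Random(seed)
    return sum(dp_count_above(records, threshold, epsilon, rng) for _ in range(n)) / n

def laplace_pdf(x, scale):
    return math.exp(-abs(x) / scale) / (2.0 * scale)

def likelihood_ratio(observed, count_with, count_without, epsilon):
    """How much more likely is `observed` when a given customer is in the data
    than when they are not? For neighbouring datasets (exact counts differing
    by at most 1) the ratio stays within [exp(-epsilon), exp(epsilon)], which
    is what stops an analyst inferring that customer's record."""
    scale = 1.0 / epsilon
    return laplace_pdf(observed - count_with, scale) / laplace_pdf(observed - count_without, scale)

if __name__ == "__main__":
    rng = random.Random(2024)
    print("exact count above 50:", count_above(CUSTOMER_TX_COUNTS, 50))
    print("released (epsilon=0.5):", round(dp_count_above(CUSTOMER_TX_COUNTS, 50, 0.5, rng), 2))
```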
16. SCA vs. Smart Data Sharing Technologies
PET, Differential Privacy, Double-Blind Consent-Driven Data Sharing on Blockchain
For PSD2 / For Ecosystem
18. TechFin – FinTech: banks are welcome to the new business of Trusted Data Asset Stewards
Use-case: a new employer in a new country would request onboarding info, based on the given consent, directly from the customer's/new employee's local bank via a secure API and in compliance with the rules of GDPR. Also, a use case of CDI from HKMA:
https://www.linkedin.com/posts/varlam-ebanoidze-41594043_cdi-hkftw-hkfintechweek-activity-6729104774077153281--T6Y
19. Capitalizing on the 'Risk Data Value Chain'
Three use cases:
- Digital onboarding
- Transaction monitoring
- From big data to security by design
20. Investing in Onboarding automation & Transaction Monitoring via Open Finance by aggregating different financial and non-financial data.
21. Capitalizing on the 'Risk Data Value Chain' – Onboarding
Open finance has the potential to remove many of the hurdles new customers face – like having to fill in long applications that require them to dig up hard-to-access financial information or send notarised copies of documents with this information.
22. Digital Touch vs. Human Touch
Apart from the strategic decisions to invest or underinvest in digital vs. non-digital processes, IMHO the bottom line of the operational problem IS the visualization of the holistic process, including the call center's part, to address the bottlenecks in digital processes by suggesting both data-driven algorithms (better prediction power) & process optimization tools.
23. Capitalizing on the 'Risk Data Value Chain' – Transaction Monitoring
1. Single Customer View and Single Behavioral View
2. Static Rules vs. Interactive Models
3. Risk data's value-chaining
24. Capitalizing on the 'Risk Data Value Chain' – Layered approach to the risk model
To achieve an accurate KYC procedure, a layered approach to the risk model is offered.
On one hand it avoids parallelism and saves the computational power of the algorithm (if identity is easy to check at the 1st layer, there is no need to follow the other layers); on the other hand it provides the assurance that a customer is who they say they are, by checking several layers from Account to Device & Activity.
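An added illustration of the layered approach (example code, not from the presentation): the Account, Device and Activity layers run in order and the chain stops as soon as the running confidence settles the case, so an easy identity never reaches the later layers. Layer scoring, the thresholds and the sample applicants are constructed assumptions.

```python
from dataclasses import dataclass

ACCEPT_AT = 0.80  # mean layer confidence that ends the chain with ACCEPT (assumed)
REJECT_AT = 0.30  # mean layer confidence that ends the chain with REJECT (assumed)

@dataclass
class Applicant:
    declared: dict          # identity fields typed into the onboarding form
    bank_verified: dict     # the same fields obtained from the bank's data API
    device_id: str
    known_devices: set      # devices previously seen for this customer
    tx_per_day: float       # observed activity since onboarding
    baseline_tx_per_day: float

def account_layer(a):
    """Share of declared identity fields that match the bank-verified copy."""
    keys = list(a.bank_verified)
    return sum(a.declared.get(k) == a.bank_verified[k] for k in keys) / len(keys)

def device_layer(a):
    return 0.95 if a.device_id in a.known_devices else 0.40

def activity_layer(a):
    """Confidence drops the further velocity exceeds 1.5x the customer's own baseline."""
    ratio = a.tx_per_day / max(a.baseline_tx_per_day, 1e-9)
    return 0.95 * min(1.0, 1.5 / ratio)

LAYERS = [("account", account_layer), ("device", device_layer), ("activity", activity_layer)]

def verify(a):
    """Evaluate layers in order; return (decision, confidence, layers_evaluated)."""
    scores, evaluated = [], []
    for name, layer in LAYERS:
        scores.append(layer(a))
        evaluated.append(name)
        confidence = sum(scores) / len(scores)
        if confidence >= ACCEPT_AT:      # identity settled early: skip remaining layers
            return "ACCEPT", confidence, evaluated
        if confidence < REJECT_AT:
            return "REJECT", confidence, evaluated
    return "REVIEW", confidence, evaluated   # all layers ran, still inconclusive

# Constructed applicants (hypothetical data, not real customers).
IDENTITY = {"name": "A. Example", "dob": "1990-01-01", "address": "1 Test St", "tax_id": "T-0001"}
SAMPLES = {
    "clean": Applicant(IDENTITY, IDENTITY, "dev-1", {"dev-1"}, 2.0, 2.0),
    "typo_known_device": Applicant({**IDENTITY, "address": "1 Tset St"}, IDENTITY, "dev-1", {"dev-1"}, 2.0, 2.0),
    "unknown_device_high_velocity": Applicant({**IDENTITY, "address": "9 Other Rd", "tax_id": "T-9999"}, IDENTITY, "dev-9", set(), 9.0, 2.0),
    "mismatch": Applicant({"name": "A. Example"}, IDENTITY, "dev-9", set(), 2.0, 2.0),
}

def run_samples():
    return {k: verify(v) for k, v in SAMPLES.items()}
```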
25. Interested to know how online fraud risk management at Alibaba Group, and by its merchants with the help of Alibaba, evolved to allow this? Here is the answer:
https://lnkd.in/dFjBb7X
This paper introduces Fraud Risk Management at Alibaba under big data. Alibaba has built a fraud risk monitoring and management system based on #real-time big data processing and intelligent #riskmodels. It captures fraud signals directly from a huge amount of #userbehaviors and network data, analyzes them in real-time using machine learning, and accurately predicts the bad users and transactions. To extend the fraud risk prevention ability to external customers, Alibaba also built a big data based fraud prevention product called #AntBuckler.
Best practice: "At its peak, 256,000 transactions a second. No report of any breakdown over the 10 years."
27. Security through behavioral interventions – from the series on customer-centric security.
In the practical context, the idea is an Open Banking enabled budgeting app's conceptual analogy for InfoSec.
'Which threats we take seriously and which we neglect is mostly driven by availability bias — we intuitively assess the likelihood of outcomes based on how easy they are to imagine. So we overestimate the danger of terrorism (which is vivid, concrete, and direct) and underestimate the dangers of climate change (which is vague, abstract, and indirect). Our ability to predict rare events is systematically undermined by our intuitions.'
So, how to visualize the risk (make it more evident) to the customer and help in risk management decision making?
28. Impact of Covid-19
As the pandemic accelerates the Digital transition, the boundaries between the monitoring of external threats (Cyber) & the assessment of risks inherent to new infrastructure (Digital) became more evident for Boards.
29. Up to 70% of all public clouds and the data on them are concentrated with just 3 cloud service providers. I doubt that the systemic risk of such concentration and the domino effect for those organizations which store data (or use IaaS) with these 3 companies is assessed and backed up adequately.