Fraud, Cybersecurity and Banking in Canada
Financial institutions across Canada are positioning themselves for a changing landscape.
Since the late ‘90s in Canada, bank robberies have been on a decline; between 1998 and 2008, such incidents decreased by 38 percent, according to a report by Statistics Canada. While robberies are still a risk factor for banks and financial institutions across the country, time and technology have brought other security risks to the forefront.
Fraud, while not a new risk factor, is rapidly changing and now encompasses a wide-range of possibilities, such as internal and external fraud, card-skimming or ATM fraud, and other cyber fraud. With the explosion of online banking and continual offering of new online/mobile services, fraud remains one of the main security risks for banks.
Cybersecurity, which overlaps with fraud in many instances, is another risk that has expanded and continues to increase in complexity, encompassing outside or inside cyber attacks, ransomware, and sophisticated phishing campaigns.
Yet another recent risk is social activists, disrupting retail banking hours or threatening bank executives. Activists have made headlines for chaining themselves to banks and blocking entrances in protest of banks’ financing of the Dakota Access Pipeline, for example.
At the corporate level, financial institutions in Canada are interested in doing whatever they can to protect data centers and other sensitive areas in those buildings, say industry sources. At the retail level, financial institutions are interested in keeping their customers, staff and assets safe, while facilitating quick, efficient investigations.
To combat these changing and evolving risks, industry sources are seeing several trends in security measures at both the corporate and retail levels, including an increased sophistication of systems, such as surveillance and access control.
“The biggest trend I would say for the past decade is the growth in video surveillance,” says Richard McMullen, partner - security solutions at FCi in Ottawa, Ontario, which provides security to a number of credit unions in its area. Technology, including IP as well as better storage options, have enabled banks to retrieve and manage clearer video faster than ever, as well as ease and quicken investigations into fraud and other incidents.
At the retail level, surveillance can help with investigations and overall security of vaults or safety deposit rooms, as well as vagrancy in vestibules and ATM areas, which is a problem for many banks during the harsh Canadian winters.
On the access control side, industry sources are seeing expanded use of analytics and biometrics, as well as a shift away from PIN codes and cards.
Banks are looking at more sophisticated access control. There is definitely a move away from PIN codes since they can be shared, so we are seeing things as simple as a keyfob or another way to uniquely identify a person, notes Peter Dyk, P. Eng. and director of product management and engineering at Tyco Integrated Fire and Security in Mississauga, Ontario.
Some of the technologies being deployed for access control at Canadian banks today include fingerprint scans, iris scans and facial recognition. For example, some bank facilities have implemented in-motion facial recognition technology to save time in high-traffic areas, as well as tighten security.
Many industry sources say that multi-factor authentication is another trend that continues to develop in the banking sector. At the retail level, there is a move toward multi-layer security in places such as safety deposit box rooms. Such measures use one form of security or authentication to get into the room or area, and another to gain access to the actual box.
“On the physical security side, I would say that this trend has been around a bit longer than on the [online] side of things,” says Carol Osler senior vice president of TD Bank Financial Group. Toronto, Ontario. “I think you are seeing a fair bit of multi-factor authentication on the mobile banking side too as we try to strengthen security controls, so you may see things like iris scan and voice scans there as well.”
What to Do with the Data?
As IP devices and advanced systems continue to proliferate, there is tremendous amount of data going through financial institutions. This leads to perhaps the biggest security trend right now within banks and that is integration of systems and data mining. The combination of data from systems and technologies can make a significantly impact combating fraud and facilitating investigations.
While sources say physical integration of security systems – such as access control, surveillance and ID management – is a trend that continues in this space, the unification and dissemination of the data from all these systems across locations and departments is seen as increasingly important for this market, particularly as it relates to fraud and cybersecurity.
“Most of the banks have built their systems with an enterprise focus, but a more recent trend is how do we take all that data and compute it in a meaningful way to give us something to respond to,” Osler says. And, the key word here is meaningful. “The construct of physical and cyber security is still mostly separate because they are both very big jobs, but from a policy and oversight and sharing of data perspective, those two areas are definitely coming together around response, threat and risk assessments in most banks.”
A Communicative Community
On the one hand, the size of Canada’s national banks make it a challenge to implement systems or technologies enterprise-wide, particularly newer or less cost-effective products. However, the consolidation of the country’s banking system makes it well-suited to communicate with one another, share best practices, and facilitate government conversations when it comes to security issues.
“When we look around the world, Canada does have an advantage over those jurisdictions with a fragmented approach to regulation. Canada’s national banking system provides consumers with the same protection and security regardless of where they live. In addition, banks are able to work with national law enforcement and national regulators to address security issues that could take place in multiple provinces and territories,” says Andrew Perez, manager, media relations at the Canadian Bankers Association (CBA).
Through CBA, banks throughout the country communicate with each other, as well as with government and law enforcement. “We all have members that sit on committees and share common problems, resolutions and new ideas,” Osler says. She adds that the CBA provides a good lynchpin for allowing banks to share common information that doesn’t interfere with competitive requirements and allows banks to also get a very real perspective on trends and other issues.
With a very rapidly changing landscape of fraud and other security risks, all of these trends and industry movements – including more sophisticated systems, multi-factor authentication, and data mining – ultimately allow banks to respond quickly when necessary.
“From an overall security perspective, banks and security departments are well positioned to manage threats, however, a challenge that remains for all banks is the speed and persistency from fraudsters to circumvent controls as well as the speed of transactions. We have to continue to look at all aspects of vulnerabilities through traditional lenses but also beyond the obvious. Much more so than in the past, we must remain nimble and react quicker than ever,” Osler says.