Out-Law News

Open banking 'creates security dilemma', says FCA chair


The development of single applications that allow consumers to access all their financial accounts in one place "creates a security dilemma", the chairman of the Financial Conduct Authority (FCA) has said.

Speaking to the UK parliament's Treasury Select Committee on Tuesday, John Griffith-Jones said "there is a classic yin-yang" inherent in the move to create an open banking standard, which will allow financial applications to connect with one another.

"It is highly desirable for competitiveness in banking that you can put all your data in one place and it helps transferring your accounts from one organisation to another if you are not happy, and it creates a security dilemma," Griffith-Jones said. "It is the role of the regulator … to balance the two together. These sort of incidents that we just appear to have had with Tesco keep reminding us that convenience is one thing but security when push comes to shove is more highly valued by the customers."

Griffith-Jones was commenting before Tesco Bank confirmed on Tuesday night that approximately 9,000 of its 136,000 current account customers were victims of cyber fraud at the weekend.

Tesco Bank said all the customers have now been reimbursed the money they lost, at a total estimated cost of £2.5 million. The bank also said that current account services have now been restored to normal after it had earlier decided to suspend online debit transactions by current account customers in response to the potential risk of further fraud.

Benny Higgins, Tesco Bank chief executive, said: "Our first priority throughout this incident has been protecting and looking after our customers and we’d again like to apologise for the worry and inconvenience this issue has caused. We’ve now refunded all customer accounts affected by fraud and lifted the suspension of online debit transactions so that customers can use their accounts as normal. We’d also like to reassure our customers that none of their personal data has been compromised."

Tesco Bank said it is "continuing to work closely with the authorities and regulators in their criminal investigation of this incident". The National Crime Agency and the UK Information Commissioner's Office were previously reported to be conducting investigations into the case.

Also addressing the Treasury Select Committee on Tuesday, FCA chief executive Andrew Bailey said the regulator regards the incident "very seriously" and that his view was that it "looks unprecedented in the UK".

The FCA intends to carry out a "lessons-learned review from this incident", which should help the FCA determine whether its own capabilities and response were appropriate for handling the incident, he said.

During the Committee session, Bailey was asked whether it would be appropriate to screen financial applications that create a single point of access to accounts and the potential security failings that may arise as a result.

In response, Bailey said: "There is going to be a very interesting trade-off between innovation to increase competition and security. As a regulator, security is going to have to play a big role in this. If we went over to something that appeared very good from the point of view of competition but opened the system up [to threats] that would be a mistake."

Bailey said complex IT systems can make it more difficult for banks to secure against cyber fraud.

"The people who do this sort of thing are just obviously looking for weaknesses in systems – points of entry," he said. "The more complex your systems are arguably the more weaknesses and points of entry there may inevitably be."

There is "inherent tension" between banks' desire to reduce costs and raise returns that can be reinvested in IT systems, he said. However, it would be wrong to consider legacy banking technology as "more secure" than "the new stuff", Bailey said.

"We are … going to have to evaluate what comes through under this open access standard very carefully, but I don't think we should close our mind to it at the outset on the basis that if it's got the word 'open' in it must be insecure," Bailey said.

Asked about the FCA's cyber skills capabilities, Griffith-Jones admitted the FCA board is not "over-endowed with technical expertise". However, in response to the rising cyber issues agenda, the FCA has "recruited a specialist adviser" in that area "very recently" who has a "deep, deep, technical background".
