Are Virtual Banks Safe?

By Alvin Mak

Jumpstart sits down with cybersecurity expert Jason Lau as he discusses the challenges that come with virtual banking.

The digitization of shopping, communication and entertainment is now as clear as day. The most dominant and relevant startups today have earned their reputations because of their innovative approaches to redefining outdated lifestyles. 

Fintech has been riding the same wave, with the emergence of payment apps like Venmo and HSBC PayMe. The banking world as a whole is also beginning to experience a whole new shift with the inception of virtual banks. 

Virtual banks, or VBs, have no physical location; there is no real-life branch for these services. VBs are natively and completely online, operating on a self-service basis. They provide 24/7 service to customers, and thus add never-before-seen accessibility to the banking experience. 

The online aspect of VBs streamlines banking processes to their fullest extent. Their APIs create smooth transitioning interfaces that facilitate seamless, two-way interactions between banks, business partners, and third-party entities

Financial inclusion is also a large part of their goal. To that end, VBs claim to offer lower fees and dues to increase accessibility of these services. Additionally, VBs are a part of a transition from traditional static banking data–unprocessed numbers and balances–to active financial pointers, which take static data and convert them into comprehensive banking tips and advice for the user. 

Powered by AI computing, machine learning, and data analytics, financial advisory, a service traditionally out of reach for most individual consumers, has also become much more accessible. 

So far, it seems that VBs, along with the abundance of newly-developed fintech applications, have been effective at enhancing financial experiences–68% people now prefer to conduct their banking needs online

Virtual banks in the current market

Domestically, Ping An OneConnect has taken steps to tap into this online industry. As a subsidiary of OneConnect Financial Technology, the virtual banking ecosystem leads in blockchain and AI technology in its field. Looking to continue expanding in China and Southeast Asia, the VB announced its acquisition of a Hong Kong operating license from the Hong Kong Monetary Authority (HKMA) in May 2019

Hong Kong’s own fintech unicorn, WeLab, also recently launched to the public. WeLab claims to dramatically cut down the operational delays one would expect from traditional brick and mortar banks, with the ability to open virtual bank accounts in under five minutes. Customers are also not charged monthly fees. 

Additionally,  Mastercard’s collaboration with WeLab gave rise to its numberless debit card, where full card details and spending tips can be accessed natively on WeLab’s app. 

Outside of Asia, Square has been leading the charge in virtual banking solutions. The mobile payment merchant service aggregator lets business owners transfer and receive payments with its Square Point-of-Sale app. The company has had over 64 million business owners use its service and has hence grown its market cap to $61 billion as of mid 2020. 

Recent headlines seem to point to the inevitable popularity of VBs, and perhaps their eventual ascension to becoming substitutes for the traditional banking system. Yet, their inherent virtual identities also work against them to pose a unique set of challenges.

Blue-Green Deployment

By nature of being a 24/7 service, finding opportunities to conduct regular software maintenance will undoubtedly be a challenge for VBs. With traditional banks, operational systems can be serviced during off hours–this isn’t an option for VBs. If friction and frustration in the user experience were to come from anywhere, it would likely be due to inability to access banking services during server downtime. 

According to Jason Lau, Chief Information Security Officer at Crypto.com, VBs solve this issue by employing an intuitive technique known as Blue-Green deployment. 

“VBs and similar organizations could run two identical production environments–one Blue, one Green–and at any one time, only one of them is truly live serving all production traffic,” says Lau, who has previous experience as the former regional Cyber Security Advisor at Microsoft, advising big-time international corporations from Credit Suisse to The Royal Bank of Scotland.

He continues, “As Green is idle, the company can prepare new versions of the application, patches and fixes in the backend and have it ready for production but not live.” 

When ready, the VB reroutes traffic to the Green environment, freeing up the Blue system for the next round of updates or maintenance. 

By being able to quickly switch between the two environments, VBs are also able to maintain smooth-running user experiences in the event of an unexpected stoppage of online operations. 

Inexperienced banking operators

As a result of the long history and branding associated with big-name banking corporations, consumers more naturally place trust in larger companies rather than small, arguably inexperienced VBs. In other words, the average consumer or business owner is more likely to turn to banking titans like HSBC and Standard Chartered, as opposed to some recently-opened online service. 

VBs must thus innovate to create solutions that are sufficiently different from traditional banking, to lure early adopters into signing up. 

Yet, innovation is not new to the fintech world. Consumers have previously been incentivized to adopt technologies like P2P lending, robo-advisory, cryptocurrency, and insurtech because of their diverse finance solutions. Virtual banking is no different. Lau stresses the inclusion of AI data analysis in VB functionality. 

“VBs and their digital transactions will ensure that they capture more data for analytics, which in turn will allow for the types of hyper-personalized services traditional banks may not be able to provide,” he says.

Lau also cites the inherent convenience and speed of online operations when compared to their more traditional brick and mortar counterparts. The waiving of many fees and the addition of loyalty programs may also be effective stimulants to lure skeptics into trying these services out. 

Tackling cybersecurity concerns

Beyond all the challenges of early adoption, the largest obstacle in the way of VB domination is ultimately cybersecurity. Given the world’s transition to more and more digital solutions, threats from bad actors have also become increasingly prevalent. 

The most recent reminder of our virtual vulnerabilities is undoubtedly the Twitter hacks of July 2020. The incident involved the infiltration of multiple high-profile Twitter accounts from Jeff Bezos to Joe Biden. 

Following this incident, the world was reminded of the ever-lurking threat of online criminals who exploit security flaws of online platforms to either seize control or steal data. Perhaps the most disturbing part of this fiasco was that no one was immune–not even the richest man in the world. 

Lau validated these concerns, citing that the main deterrent for customers was not the lack of functionality or the accessibility of these new services, but rather security and privacy. Lau noted that over 42% of the region’s consumers cite their primary concern as cybersecurity, with data privacy coming in as a close second at 35%. 

Although VBs in Hong Kong require approval from the Hong Kong Monetary Authority (HKMA) to operate legally, Lau believes that VBs should work to improve cybersecurity beyond the minimum parameters required by HKMA. 

“VBs also need to drive a secure culture within their environment and use these as core pillars to help drive trust with their customers,” he says.

Lau cites additional established security standards such as the ISO 27001:2013 or newer privacy standards like ISO 27701:2019 as good ways of demonstrating security proficiency. 

“Companies can differentiate themselves by showcasing such badges on websites, as well as conducting regular external audits, signaling to users that they take security and privacy seriously,” he adds. 

However, while much of the responsibility falls into the hands of the VB developer to create a safe-to-use service, Lau recognizes that the user still needs to be diligent. Through building truly strong passwords, monitoring screen lockout times, and using multi-factor authentication when available, the user plays their part in ensuring a secure virtual banking experience. Cybersecurity, like many things, is a shared responsibility. 

What’s next for virtual banking?

Virtual banking is still in its early stages. It’s perfectly reasonable for the average consumer to not trust VBs, especially when cybersecurity concerns continue to affect even the largest, most experienced social media companies. 

VBs should continue to demonstrate their security competence while at the same time innovating to develop unique machine learning banking solutions. Trust in these young services will not–and should not–come overnight. However, given that these companies continue disrupting the traditional banking world and addressing cybersecurity concerns, there’s little doubt that VB’s will stand poised to take over the fintech world as we know it. 

Header image by Morning Brew on Unsplash

SHARE THIS STORY