Cyberthreat looms for UK banks as ring-fencing exposes data

[LONDON] New rules that were supposed to protect depositors may end up making them vulnerable to fraudsters. Changing the account data of about a million clients at banks including Barclays plc and HSBC Holdings plc is a golden opportunity for hackers, the UK's Financial Conduct Authority (FCA) has warned banks.

The FCA has briefed lenders about its concerns, as British banks alert customers of the need to move their accounts, said a person with knowledge of the discussions, who asked not to be identified because the matter is private. A spokesman for the regulator declined to comment and pointed to its warnings on treating all bank communication with care.

"In creating a new system that houses personal data, you're opening up security holes," said James Tedman, managing director in London at ACA Aponix, a company which provides cybersecurity services to hedge funds and investment managers in Europe and the US. 

"The impact of an indiscriminate attack can be substantial."

Formulated after the financial crisis to protect consumer deposits, the ring-fencing rules require lenders with more than £25 billion (S$44.6 billion) of deposits to separate core services such as checking and savings accounts from riskier investment banking by 2019. The Bank of England said in June that almost a million customers will see changes to their sort codes, a six-digit number that helps identify their bank account.

"When you start shifting a huge amount of data, there are always risks attached," said Richard Benham, cyber director at the Corsham Institute and chairman of the National Cyber Management Centre.

"This is a perfect scenario for a cyberattack."

HSBC has launched a campaign to encourage clients to "take five and stop to think" if they get a request to hand over personal information, said a spokesperson at the bank.

Barclays has been "rigorous" in its communication with customers, a spokesman said, declining to comment on any discussions with regulators. In information sent to clients Lloyds has urged clients to be "extra vigilant", while a spokeswoman declined to comment further.

RBS will need to make "very few" changes to account numbers, it said in an emailed statement.

Banks are "very aware" of the risks, but this doesn't make them immune, said Mr Tedman. Hackers are usually professionally organised. "We're not talking about 15-year-olds in their bedroom, we are talking about well-financed and sophisticated criminal groups," he added.

The number of reported cyberattacks against FCA regulated companies rose to 89 in 2016 from five in 2014, Nausicaa Delfas, executive director at the UK authority, said in April. However, the problem may be more acute as "in many cases, attacks go unnoticed", said Mr Tedman. Private sector fraud could cost the UK economy just over £140 billion this year, a report by Crowe Clark Whitehill, Experian and the Centre for Counter Fraud Studies at the University of Portsmouth showed.

Cybercrime isn't new to banking. A year ago, Tesco Bank, the lending unit of the UK's biggest grocer, suffered an attack with money taken from about 20,000 consumers accounts. In February 2016, hackers exploited weaknesses in how banks connect to the Swift system to steal US$81 million from Bangladesh's central bank.

Encrypting data and having staff fully trained is crucial to ensure a smooth implementation of the new rules as a single mistake could provide an opportunity for criminals. 

"One of the biggest area of weakness would be if one member of the team sends something incorrectly,"said Mr Benham.

The scale of the challenge of implementing ring-fencing is indicated by the cost of the rules. HSBC estimates expenses of as much as £2 billion while Barclays has said that "structural reform costs" will be up to £500 million in 2017 and 2018. Lloyds has predicted £500 million of costs.

"This is an ever-evolving threat," said Mr Tedman. "In many cases, you have to secure yourself against the unknown."

BLOOMBERG