Sibos 2024: Data lakes and deepfakes
The fundamental premise of the zero trust paradigm is that there is danger in the network at all times and all places, so to speak.
Not everything, everywhere all at once, but something, somewhere at any one time. Which isn’t as bad, but it isn’t exactly reassuring.
Frankly, when it comes to KYC, AML and People on the Internet, it is safe to assume that you are dealing with a bad actor as a default position. Or at least a sloppy and careless actor.
I am not here to preach paranoia, but the totality of human history has taught us that people will lie the most when they think they can get away with it: people will seek loopholes, weakest links and crumbling parts of your otherwise impenetrable fortifications.
Or should I say in your once impenetrable fortifications?
I went to an infosec briefing about 15 years ago in the iconic Lloyd’s of London building.
If I tell you now that I only went because I wanted to see the building, will you think less of me?
It was one of the best events I have ever been to, by the way. I learned so much. I remember going back to the office full of ideas and information that was immediately useful.
But I also remember a room full of people sitting in mesmerised silence as a very senior government security expert described to us the endless struggle between embracing innovation, speed and connectivity and protecting all we hold dear. Our hard-earned cash, our identity, our security at a state level.
We want the benefits of digitisation. And we want security.
If the safest thing to do is keep no records at all, the second safest is to keep paper records (OK, fire hazards aside) and the third safest thing is a standalone computer with airlocks galore. You catch my drift. If the safest thing is keeping things locked down and the fastest and most user-friendly thing is connecting things in real time, we all agree something’s gotta give and the two sides should meet in the middle.
Is that the exact middle, though? Because what feels like the middle is directly linked to what has gone wrong recently. Or not.
If nothing has gone terribly wrong for a while, you would probably become frustrated with the security folks. You chafe at the perceived archaic nature of the protection, the helplessness implied in the reaction of not doing something at all in order to not get hurt in the process. The longer things have been OK for, the more tempted you will be to slide towards the connectivity that compromises security.
“Not at all,” I hear you say. “Our tools and infosec folks are brilliant.” Of course they are. But even they would tell you everything is a trade-off of risks. And they are good at minimising the risks and managing those trade-offs in line with the company’s risk appetite.
Why am I telling you all that?
Because if you are a banker, a bunch of your critical infrastructure is older than me. You have data lakes the size of the Caspian Sea (fun fact: it’s the biggest lake in the world). You have mainframes and on-prem systems and your reconciliations are done on a spreadsheet.
OK.
Not a spreadsheet.
Many spreadsheets.
And you have 20 years’ worth of digital capabilities, greenfield and brownfield initiatives, API wrappers and a whole host of go-forward plans.
You have a complicated estate.
But the bad guys don’t.
Reports are beginning to appear about deepfakes that are less lurid than the deepfake porn we hear of in the news but which are no less disturbing. Animated photographs from stolen or usurped ID documents that manage to pass liveness checks and KYC checks to open accounts and authorise transactions fraudulently.
Banks are looking at their defences and the temptation to go back to in-person, in-branch is strong. And I, for one, can see why. It won’t happen. But people have thought about it.
Security teams are thinking about what protection you can put in place so company transactions are not authorised fraudulently, which is especially difficult if, with deepfakes, your boss can come on a Zoom call and authorise a course of action despite it not being your boss at all.
It’s a brave new world out there, and the bad guys have all the tools, all the ill intent and none of the legacy to hold them back.
There is danger in the network at all times.
Sometimes the danger has a face and the person or persons behind the name have the best of modern technology at their disposal.
And so do you. But you are also carrying several decades’ worth of technology antiquities, operational complexity and a million reasons why things are the way they are. But in a world of rapidly changing dangers, the reasons why you still have capabilities that make you vulnerable matter less than the vulnerability.
In a world where the danger is real time, our responses need to be too.
You know what I am going to say now. Of course you do, because you’ve read my stuff before.
This is only going to get harder.
Since we have opted to engage with new technology, we are not retrenching, we are not killing progress in the name of security. In order to improve our chances and the mental health of our beleaguered CISO and their team, we need to do three things. We’ve been needing to do these three things for a while. I’ve been saying it for years. No matter. There’s still time. Just less of it with each passing day.
And those things are:
1) If we are going to play in the real-time world, we need to have a real-time view of our entire estate.
Your systems need to be interoperable across the estate. And that means all of it. Yes, even Dave’s spreadsheet. And your mainframes. Yes, that too.
But also, your systems need to be interoperable across your geographies, because your vulnerabilities cross borders.
2) This means that regulation needs to be aligned in the detail, not just the direction across geographies.
A banker reading this will be thinking ‘not much I can do about that’, but actually there is. The conversation with the regulators is active and specific. Lean in. We need to align on standards for everything from API messaging to reporting protocols because every time a geography has a nice little quirk of its own in the implementation of a regulatory trend, a global bank has additive pressures on budget, timelines and operational complexity. We can avoid that. We must avoid that.
3) Switch the antiques off. It’s time. You can do this.
There is danger in the network at all times. That’s a given. That will never go away.
But the danger coming from your own sloppy housekeeping, our own lack of communication and harmonisation, our own unwillingness to clean up house… that danger can be eliminated. That part is in our control. And where we have control, we should exercise it. Before someone else spots the weakness and plays right into the gap we knew existed and yet didn’t do what we knew was needed when we still had time.
#LedaWrites
Leda Glyptis is FinTech Futures’ resident thought provocateur – she leads, writes on, lives and breathes transformation and digital disruption.
She is a recovering banker, lapsed academic and long-term resident of the banking ecosystem.
Leda is also a published author – her first book, Bankers Like Us: Dispatches from an Industry in Transition, is available to order.
All opinions are her own. You can’t have them – but you are welcome to debate and comment!