Cyber threat looms for banks in UK as ring-fencing exposes data

Bloomberg

New rules that were supposed to protect depositors may end up making them vulnerable to fraudsters. Changing the account data of about a million clients at banks including Barclays Plc and HSBC Holdings Plc is a golden opportunity for hackers, the UK’s Financial Conduct Authority has warned banks.
The FCA has briefed lenders about its concerns, as British banks alert customers of the need to move their accounts, said a person with knowledge of the discussions, who asked not to be identified because the matter is private. A spokesman for the regulator declined to comment and pointed to its warnings on treating all bank communication with care.
“In creating a new system that houses personal data, you’re opening up security holes,” said James Tedman, managing director in London at ACA Aponix, a company which provides cyber-security services to hedge funds and investment managers in Europe and the US “The impact of an indiscriminate attack can be substantial.”
Formulated after the financial crisis to protect consumer deposits, the ring-fencing rules require lenders with more than 25 billion pounds ($33 billion) of deposits to separate core services such as checking and savings accounts from riskier investment banking by 2019. The Bank of England said in June that almost a million customers will see changes to their sort codes, a six digit number that helps identify their bank account.
“When you start shifting a huge amount of data, there are always risks attached,” Richard Benham, cyber director at the Corsham Institute and chairman of the National Cyber Management Centre, said in a phone interview. “This is a perfect scenario for a cyber attack.”
HSBC has launched a campaign to encourage clients to “take five and stop to think” if they get a request to hand over personal information, said a spokesperson at the bank. Barclays has been “rigorous” in its communication with customers, a spokesman said, declining to comment on any discussions with regulators. In information sent to clients Lloyds has urged clients to be “extra vigilant,” while a spokeswoman declined to comment further. RBS will need to make “very few” changes to account numbers, it said in an emailed statement.
Banks are “very aware” of the risks, but this doesn’t make them immune, said Tedman. Hackers are usually professionally organized. “We’re not talking about 15-year-olds in their bedroom, we are talking about well-financed and sophisticated criminal groups,” he added.
The number of reported cyber-attacks against FCA regulated companies rose to 89 in 2016 from five in 2014, Nausicaa Delfas, executive director at the UK authority, said in April. However, the problem may be more acute as “in many cases, attacks go unnoticed,” said Tedman. Private sector fraud could cost the UK economy just over 140 billion pounds this year, a report by Crowe Clark Whitehill, Experian and the Centre for Counter Fraud Studies at the University of Portsmouth showed.
Cybercrime isn’t new to banking. A year ago, Tesco Bank, the lending unit of the UK’s biggest grocer, suffered an attack with money taken from about 20,000 consumers accounts.