Most banks have implemented multifactor authentication mechanisms which add a layer of protection to the sign-in process and funds transfer functions of their online banking solutions. When accessing accounts or apps, users provide additional identity verification, such as scanning a fingerprint or entering a code received via phone or email. This ensures to a large extent, that a bank is dealing with the actual person. These are further augmented by Know Your Customer (KYC) checks for confirmation of the customer’s personal details. On mobile apps, there are several background tools that are used to confirm every transaction for the protection of the customer without sacrificing convenience. Another critical thing that remain key is user awareness through various channels. As the saying goes in the security fraternity, your security programme is as solid as your weakest link and usually, the weakest link is the human element in the chain.
A bank can develop massive security controls but if the human element within the chain is not diligent enough, the entire security architecture and technological investments would be close to being useless. Consequently, banks put a lot of effort into creating awareness and educating customers. There are some information a bank will never ask customers to divulge. Information such as username, password and bank account details are the preserve of customers and when they are made aware of these things and other risks, they become vigilant and diligent. This diligence then complements the security provided by the bank, making it whole.
Another significant element in providing security for bank customers beyond awareness creation is collaboration with regulatory and security authorities. Fortunately, in late 2020 the Parliament of Ghana passed the Cyber Security Act 2020, which spells out what we must do as a country to be able to secure our cyber space. Banks, as key stakeholders, made critical inputs into the Act to ensure that it covers all dimensions of cyber security concerns in today’s world. But even before the Cyber Security Act 2020, the Bank of Ghana, which is the regulatory body for all banks and financial institutions in Ghana had in place a cyber and information security directive (issued in 2018) that enjoins all banks to adhere to.
Apart from local laws and regulations, there are international banking standards that banks adhere to. There is the Payment Card Industry Data Security Standard (PCIDSS), an information security standard that handles branded credit cards from the major card schemes that banks must also adhere to. Being PCIDSS compliant means you have security standards in place for all your payment cards. Additionally, the International Standard Organization’s (ISO)’s ISO 27001 provides requirements for an Information Security Management System (ISMS) that banks must pass to be deemed secure. Stanbic Bank for example, has both PCIDSS and ISO 27001 certifications, affirming the bank’s commitment to protect its customer’s information.
As a bank, we collaborate with key institutions such as the Bank of Ghana (BoG), the National Cyber Security Centre and the Cybercrime Unit of the Criminal Investigations Department (CID) of the Ghana Police Service to ensure we have adequate threat intelligence and collaborations. We have an internal strategy we call ‘PPDR’ – predict, prevent, detect and respond to the threat of cybercrime. All these measures and interventions are put in place, so we provide our customers the best banking service while ensuring that they remain secure.
By Albert Yirenchi Danquah
The writer is the Chief Information Security Officer at Stanbic Bank]]>