The banking and finance sector has seen a flood of tech-driven neobanks and fintechs hit the market in recent years, and if the level of interest these players have generated is anything to go by, Australians have a real appetite for change.
In fact, according to a 2019 Mozo survey, one in four Aussies have switched or are considering switching to a neobank.
However, one of the biggest hurdles these digital players face is convincing consumers that the move to a digital-only platform won’t compromise safety and security. Hardly a surprise when money is on the line.
So, to delve into the issue and learn more about how one of Australia’s leading neobanks is approaching all things security, we sat down with Jean-Baptiste Bres, chief information security officer at Xinja.
More than just money
Cost, features, ease of use - these are all factors considered important by Australians when it comes to their banking experience. But as 42% of respondents in our 2019 neobank survey showed, the number one priority is security.
So why is security important, and just what are banks protecting?
As Bres explains, for a bank, and especially a new bank, proving itself on the issue of security is vitally important, particularly in building trust with customers.
“Information security is key for people trusting their bank. You know, if the bank isn't secure, nobody is going to trust it.”
Security is no longer just an issue of keeping people’s money safe, though. It’s also about all the other types of information banks store.
Aside from personal information like your name, ID, date of birth and address, think about all of the purchases you make and the level of detail your bank is now able to provide you about them.
We’re talking about the merchant you made the purchase with, the exact location and time of purchase and (in the case of mobile wallets) even the device you used to pay. That’s all data about you, and data which needs to be kept safe.
“In terms of what we do and what we’re trying to protect I think most people would say that cyber security is all about protecting people, their files, their phones, their money and their accounts,” says Bres.
“That's all true, but the key thing that cyber security in banking now focuses on is data - protecting our customers' data and the company data.”
Xinja in a changing landscape
For neobanks like Xinja whose operations are entirely digital, there’s no physical security solution to keeping money and data safe - at least, not one that resembles a big, walk-in safe.
Instead, like many other parts of our lives, everything is moving to the cloud.
While cyber security is an area of continuous evolution, Bres says this has been the biggest shift among financial institutions in recent years, and one that Xinja are at the forefront of in Australia, having been cloud-based since their inception.
It’s a shift which has pros and cons though.
“I come from some more old-fashioned European financial institutions,” says Bres.
“So if you were in charge of security at one of those you would probably have the same aspirations as we do at Xinja, but you would still spend 95% of your time dealing with all the old stuff in the data centre that you have to protect the old-fashioned way. It's much more difficult.”
“We’ve been cloud-based from day one at Xinja though, and that has major benefits including costing less, being easier to manage, easier to implement, but it also creates a lot more risk.”
What is that risk? Well, the way Bres describes it is in terms of shifting perimeters.
Previously, security was all about putting bars around whatever you wanted to keep secure, so people who were deemed good were let inside of those bars, while those who weren’t were kept on the outside.
“That concept doesn’t exist anymore - everything is outside now. We have a very different approach which we call zero trust, where instead of protecting a perimeter, we view the perimeter as not existing.”
“The approach towards zero trust means that whatever you do, wherever you are, you have to demonstrate that you're authorized and you can do what you're supposed to do.”
Striking a balance
As you might expect from a new, digital bank, Xinja has attracted a seriously engaged user base - perhaps more so than the average bank.
This is a community Xinja has fostered from the get-go though, and according to Bres, security is a topic which gets brought up regularly.
“It's quite interesting reading messages on our forum, because there really doesn’t seem to be much middle ground.”
“You see people who are very interested in banking capabilities and not necessarily into security. On the other hand, we have some very hardcore security people who don’t think the security we have today is strong enough - that we need to go one step further.”
“It's a hard balance. But you will never find a way to make everybody pleased, so it’s about trying to find a middle ground and giving more flexibility.”
While striking the balance between the wants of two disparate groups is a challenge, Bres sees transparency as part of the solution. Users may not always get exactly what they’re looking for, but they’re looped in on the process.
It wouldn’t be unfair to say that banks have often kept customers in the dark in the past on many issues, but is transparency something that can be extended to security? In the minds of Bres and the Xinja team, it’s certainly seen as possible.
“We're trying to work on the way we communicate with our community to make them understand how we do things, why we do things, and to be more transparent.”
“If you look at most financial institutions, their approach is we're secure, but we can’t tell you anything because if you know how it works, you can exploit it.”
“We don't really believe in that. Over time we want to be able to give more information as to where we are and what we're doing so people can actually have their own opinion on our security.”
“They can say yeah, I believe you're secure enough, I see how you're doing things and I want to be part of that journey and become a customer because I can trust you.”