NewB implements security for digital banking in weeks – here's how you can do the same
NewB is Belgium’s first new bank in 40 years. A digital-only bank, it serves members exclusively through its online banking portal and mobile app. NewB stands for ethical and sustainable banking. As a co-op, every member is a partial owner, so they each have a voice in how the bank is managed regardless of the size of their investment in the bank.
This is the story of the months leading up to the launch of NewB’s digital banking services to the market. NewB was up against a tight deadline to implement digital security. It was critical that the bank put the right cybersecurity in place to protect members and meet security compliance requirements. After all, members would be using NewB’s digital apps for their everyday banking – entrusting their savings to NewB, applying for personal loans, and using NewB to pay bills and transfer funds.
To achieve their digital security goals, NewB's journey consisted of answering core questions like: What is the right authentication technology to protect our members and transactions? And which security vendor do we partner with to address these security issues, scams, and vulnerabilities?
The Challenge: How to Quickly Implement PSD2-compliant Security for Digital Banking
For starters, regulatory compliance with PSD2 was a must. PSD2 ensures that advanced authentication concepts, such as dynamic linking, become standard security tools in financial services. Some of the most important PSD2 requirements for Strong Customer Authentication (SCA) include:
- Two-factor authentication (2FA): To make sure that only the legitimate account owner(s) can access bank accounts and online services, 2FA or multi-factor authentication (MFA) is the first line of defense.
- Dynamic linking: Also known as transaction authorization, this aims to protect consumers against social engineering and other attacks where cybercriminals intercept legitimate payments and funds transfers, in order to redirect the money to the thief’s bank account.
- Independence of authentication elements: When the bank’s mobile app is used to authenticate a customer or transaction, financial providers must use secure execution environments for their mobile apps. One of the best ways to do this is application shielding technology.
NewB didn’t have the luxury of a long timeline to prepare and implement technology solutions for compliance with these requirements. When they obtained a banking license in January 2020, they needed to move fast to implement security.
“In Belgium, according to the law, when you get a banking license you have one year to start your banking activities. That meant we had to be live with our banking activities by the end of January 2021,” explains Adrien Liénard, Project Manager, NewB.
It was critical that everything happen on time. There could not be any delays that would impact the ability to launch the new bank. They needed to select a security vendor and go live by early November 2020, because that’s when they would be connected to the payments system in Europe.
Starting in January 2020, the race was on to find the right technology – from a provider with a proven track record deploying to banking institutions.
Identifying a Solution: What is the Best Technology to Achieve Our Goals?
In addition to finding the right technologies to achieve compliance with PSD2’s SCA requirements, NewB had to implement within four months. This timeline requires cloud-based solutions. Cloud-based solutions are quick to deploy, easily managed, and can support many authentication methods. And if NewB could find a solution based on a single REST API, they knew they would have a simple setup and be able to go live faster.
The first solution NewB implemented is OneSpan Cloud Authentication. For NewB, one of the major advantages was that it can be deployed in weeks without the need to purchase, provision, and deploy IT infrastructure. This is significant compared to on-premise deployments that can take up to a year depending on resources, budget, and other factors. Second, OneSpan Cloud Authentication is designed to meet PSD2’s SCA requirements out of the box, including multi-factor authentication, dynamic linking, mobile security, and biometric technology such as Touch ID on an Apple iPhone or fingerprint scanner on Android.
OneSpan Cloud Authentication offers many security options for digital banking. OneSpan’s Cronto and Mobile Security Suite technologies were the solutions that checked off every requirement, explains Adrien Liénard. This gave NewB the security to protect account holders from fraud attacks, with the modern banking experience members expect from a digital bank.
1. Cronto technology
When designing their authentication customer experience, NewB selected two authentication methods: the Cronto® transaction authorization solution for mobile and its hardware equivalent, the Digipass® 772 authenticator.
For a digital bank, the user experience on the mobile phone has to be exceptional. Yet from a user experience perspective, one of the most challenging security compliance requirements is dynamic linking. The question is, how to implement dynamic linking in a way that is both compliant and easy for the bank's customers to use?
One of the most widely accepted ways to do this is with a color QR-like code known as Cronto.
When the bank sends a financial transaction or payment data to the customer to verify and authorize, that data is encrypted inside the Cronto code. The customer decrypts the data by scanning the cryptogram with their smartphone or hardware device. In the event that Trojan malware is present on the person's computer, it will not be able to alter the data inside the visual code. This approach allows financial institutions to comply with PSD2's dynamic linking requirements.
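The property that dynamic linking relies on, shown as an added Python example that is not from the original article and is not OneSpan's Cronto protocol: an HMAC-based sketch in which the authorization code is computed over the amount, the payee, and a one-time challenge, so a code approved for one payee does not authorize a payment to another. The key handling, field layout, 8-digit code length, and the IBANs are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

def canonical(amount, currency, payee_iban, challenge):
    """Serialise a payment identically on the bank side and the device side."""
    fields = [
        f"{Decimal(amount):.2f}".encode(),
        currency.upper().encode(),
        payee_iban.replace(" ", "").upper().encode(),
        challenge,
    ]
    # Length-prefix each field so one value cannot bleed into its neighbour.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def auth_code(device_key, amount, currency, payee_iban, challenge, digits=8):
    """Code derived from the payment details shown to the member (assumed scheme)."""
    msg = canonical(amount, currency, payee_iban, challenge)
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class Bank:
    def __init__(self, device_key):
        self.device_key = device_key
        self.pending = {}  # challenge -> payment the bank is about to execute

    def start(self, amount, currency, payee_iban):
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = (amount, currency, payee_iban)
        return challenge

    def authorize(self, challenge, code):
        payment = self.pending.pop(challenge, None)  # each challenge is single use
        if payment is None:
            return False
        expected = auth_code(self.device_key, *payment, challenge)
        return hmac.compare_digest(expected, code)

def demo():
    key = secrets.token_bytes(32)  # constructed per-device secret
    bank = Bank(key)
    c1 = bank.start("250.00", "EUR", "BE00 0000 0000 0001")  # constructed IBANs
    good = auth_code(key, "250", "eur", "be00000000000001", c1)
    c2 = bank.start("250.00", "EUR", "BE00 0000 0000 0002")  # payee altered in transit
    stale = auth_code(key, "250.00", "EUR", "BE00 0000 0000 0001", c2)
    # Results: genuine approval, code for a different payee, replay of a used challenge.
    return bank.authorize(c1, good), bank.authorize(c2, stale), bank.authorize(c1, good)
```

`demo()` returns the outcome of three checks in order: the genuine approval, a code computed for a different payee than the one the bank is about to pay, and a replay of an already-used challenge.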
Cronto functionality is available in both software and hardware. This gives members options in how they prefer to authenticate, while maintaining the same user experience and security across the entire customer base. As Adrien Liénard explains, “The main reason why we chose Cronto was because of user friendliness and having the same user experience for everyone. The deciding factors were cost, user friendliness, and the fact that it would allow us to launch the bank before our debit cards were available.”
2. Mobile Security Suite
The second component of NewB’s solution was the OneSpan Mobile Security Suite (MSS), which enables mobile developers to integrate additional security features natively within their mobile banking apps. Of these mobile security features, NewB uses the mobile application shielding capability to protect its mobile banking app.
Mobile app shielding is a low-code technology that safeguards against mobile banking cybersecurity threats such as Trojans, reverse-engineering techniques, runtime threats, and other methods that attackers use to steal banking credentials, sensitive data, or personal data and hijack banking transactions. It also creates a secure execution environment, allowing mobile apps to operate safely even on untrusted mobile devices such as those that have been jailbroken.
This technology specifically addressed PSD2 compliance. PSD2 requires that bank mobile apps used as a part of their authentication flows must mitigate the risk of an attacker reverse-engineering the app to uncover and potentially reproduce the token secret used to generate an authentication code. OneSpan’s mobile app shielding protects NewB’s banking application against cloning. And as an added benefit of app shielding, the app is also protected against repackaging cyberattacks.
Vendor Selection: Which Security Provider Should We Buy From?
After an evaluation of leading security vendors, NewB selected OneSpan. “A partner’s expertise and reputation is just as important as the capabilities of the solution itself,” says Adrien Liénard of NewB. “The authorities are going to scrutinize new banks, it’s part of being new to the market. We know they are looking at NewB and it reassures them to see us working with trusted partners. OneSpan works with most of the banks in Belgium and that gave us credibility in the eyes of the National Bank.”
“OneSpan’s reputation in the market, security expertise, and experience with PSD2 have made a real difference for us. For example, recently we had to send a PSD2 report to the National Bank. We asked OneSpan for help and in 24 hours we had the answers. That was a value-add for us, to know OneSpan has our back.”
NewB also selected MAINSYS as the integration partner for this project. MAINSYS provides NewB’s core banking system and is a Belgian IT services and software company specialized in digital platforms for the financial sector.
“The time constraints were tight, so we prioritized the implementation of OneSpan’s Cronto technology and Digipass authenticators for online banking. Once that was completed, we began phase two, which was the mobile development,” explains Mathieu Latour, Project Manager at MAINSYS.
“It was very important to NewB that members without a cell phone could securely authenticate just as easily as those with a mobile. OneSpan solves this by offering their solution in both a software and hardware format, which provides the same user experience and authentication flows to all users. That made the difference — and helped shorten the implementation timeline.”
Final Thoughts
As every industry seeks to implement modern processes and IT environments, cloud authentication presents an opportunity for the banking industry to gain efficiencies very quickly. Cloud authentication provides financial institutions a solution that is easy to deploy, economical, and comes with all the typical benefits of a cloud deployment. At a time when digital channel fraud is surging and the customer experience is paramount, the cloud needs serious consideration. Cloud authentication can help protect your digital channels from hackers, phishing, data breaches, ransomware, identity theft, account takeover, and other cybercrime.
According to David Vergara, Sr. Director of Security Product Marketing at OneSpan, "It's really the speed, flexibility, and simplicity that cloud enables in providing a mechanism to add new technologies to address fraud and other security risks. And the fact is, cloud platforms are exceptionally well suited to integrate authentication and security technologies, and make these cybersecurity measures available very quickly to banks and fintechs."