(Bloomberg) -- New rules that were supposed to protect depositors may end up making them vulnerable to fraudsters. Changing the account data of about a million clients at banks including Barclays Plc and HSBC Holdings Plc is a golden opportunity for hackers, the U.K.’s Financial Conduct Authority has warned banks.
The FCA has briefed lenders about its concerns, as British banks alert customers of the need to move their accounts, said a person with knowledge of the discussions, who asked not to be identified because the matter is private. A spokesman for the regulator declined to comment and pointed to its warnings on treating all bank communication with care.
“In creating a new system that houses personal data, you’re opening up security holes,” said James Tedman, managing director in London at ACA Aponix, a company which provides cyber-security services to hedge funds and investment managers in Europe and the U.S. “The impact of an indiscriminate attack can be substantial.”
Formulated after the financial crisis to protect consumer deposits, the ring-fencing rules require lenders with more than 25 billion pounds ($33 billion) of deposits to separate core services such as checking and savings accounts from riskier investment banking by 2019. The Bank of England said in June that almost a million customers will see changes to their sort codes, a six-digit number that helps identify their bank account.
“When you start shifting a huge amount of data, there are always risks attached,” Richard Benham, cyber director at the Corsham Institute and chairman of the National Cyber Management Centre, said in a phone interview. “This is a perfect scenario for a cyber attack.”
HSBC has launched a campaign to encourage clients to “take five and stop to think” if they get a request to hand over personal information, said a spokesperson at the bank. Barclays has been “rigorous” in its communication with customers, a spokesman said, declining to comment on any discussions with regulators. In information sent to clients, Lloyds has urged them to be “extra vigilant,” while a spokeswoman declined to comment further. RBS will need to make “very few” changes to account numbers, it said in an emailed statement.
Banks are “very aware” of the risks, but this doesn’t make them immune, said Tedman. Hackers are usually professionally organized. “We’re not talking about 15-year-olds in their bedroom, we are talking about well-financed and sophisticated criminal groups,” he added.
The number of reported cyber-attacks against FCA-regulated companies rose to 89 in 2016 from five in 2014, Nausicaa Delfas, executive director at the U.K. authority, said in April. However, the problem may be more acute as “in many cases, attacks go unnoticed,” said Tedman. Private sector fraud could cost the U.K. economy just over 140 billion pounds this year, a report by Crowe Clark Whitehill, Experian and the Centre for Counter Fraud Studies at the University of Portsmouth showed.
Cybercrime isn’t new to banking. A year ago, Tesco Bank, the lending unit of the U.K.’s biggest grocer, suffered an attack with money taken from about 20,000 consumers’ accounts. In February 2016, hackers exploited weaknesses in how banks connect to the Swift system to steal $81 million from Bangladesh’s central bank.
Encrypting data and having staff fully trained is crucial to ensure a smooth implementation of the new rules, as a single mistake could provide an opportunity for criminals. “One of the biggest areas of weakness would be if one member of the team sends something incorrectly,” said Benham.
The scale of the challenge of implementing ring-fencing is indicated by the cost of the rules. HSBC estimates expenses of as much as 2 billion pounds while Barclays has said that “structural reform costs” will be up to 500 million pounds in 2017 and 2018. Lloyds has predicted 500 million pounds of costs.
“This is an ever-evolving threat,” said Tedman. “In many cases, you have to secure yourself against the unknown.”
--With assistance from Stephen Morris