services cyber security summit - fintech ireland · services cyber security summit wednesday 13th...

© Fintech Ireland www.fintechireland.com / [email protected] / ph +353 1 639 2971. 3rd Annual Financial Services Cyber Security Summit, Wednesday 13th July 2016. Peter Oakes, Fintech Ireland / Fintech UK


3rd Annual Financial Services Cyber Security Summit

Wednesday 13th July 2016

Peter Oakes, Fintech Ireland / Fintech UK


Peter Oakes

Executive and non-executive director and advisory committee member to regulated and unregulated companies, including Fintech, RegTech, MiFID and Funds. Panel Member, Fintech20 Ireland

Solicitor admitted in Ireland, the United Kingdom and Australia

Founder of Fintech Ireland & Fintech UK (RegTech Ireland & Regtech UK). These groups support ‘fintech’ & ‘regtech’ initiatives in Ireland & the UK

2014-2016: Board Director & Chief Risk Officer for Bank of America Merchant Services Europe (based in London)

2010-2013: Central Bank’s first Director of Enforcement and AML/CTF Supervision in October 2010. Member of the Senior Leadership, Operations, Policy & Supervisory Risk Committees

Over the past 25 years Peter has worked as a regulator (Ireland, UK & Australia) and in the investment management, payments, funds & fintech industries (UK & Ireland) in Board, C-Suite, Legal and Compliance/Risk roles. He has also advised Central Banks, Regulators and their senior management on a wide range of supervisory and enforcement issues


FinTech & RegTech – cybersecurity

Case Study II

How will Fintech & RegTech drive cyber security? Future scenarios and possible solutions

Peter Oakes, Founder and Fintech Member, Fintech Ireland


Unbundling Banks


Source: © CB Insights


Fintech Attacking Banks’ Value Chain

Source: © CB Insights


Ireland’s Fintech Ecosystem

Source: © Dave Anderson / https://www.linkedin.com/in/daveandersonireland

A Global RegTech Map

www.letstalkpayments.com

© Letstalkpayments.com


SIM Swap – What is it?

SIM Swap is a basic functionality made available by Mobile Operators

You have probably done it

Allows customers to
◦ move their mobile number from one network to another
◦ change SIM card formats when changing make / model of their phone
◦ recover their phone number if it is lost or stolen.


SIM Swap Explained

How a SIM Swap Attack Occurs

What is a SIM Swap Attack? - 1/2

© moQom.com


What is a SIM Swap Attack? - 2/2

A SIM Swap attack occurs when a fraudster tricks the Mobile Operator into believing they are the legitimate owner of the mobile number, for example through social engineering

Fraudster simply convinces a shop worker to provide them a new SIM card with the target’s telephone number on it

All the fraudster needs is a believable story regarding the fate of the lost, stolen or broken handset, a stolen/fake utility bill for the address of the target, and the target’s mobile phone number

By doing so, the Mobile Operator unknowingly transfers the victim’s mobile number onto a SIM card in the fraudster’s possession, which when placed in a new handset, allows the fraudster to gain access to the victim’s banking services


SIM Swap Fraud

United Kingdom

Ireland

Australia

South Africa

Abu Dhabi


United Kingdom


Ireland


http://www.irishtimes.com/business/technology/are-banks-answering-the-call-on-mobile-phone-security-1.2704035


Recent report on SIM Swap fraud

www.moqom.com

What is a SIM Swap Attack?

Terms of Reference

Methodology

Key Findings

Consumer Exposure

Broader Implications


Australia


Cyber Security – Regulatory Expectations

Irish and UK cyber security governance initiatives
◦ there are other regulators that are focussing on this area, e.g. EBA, IOSCO, ASIC, SEC and pretty much every EU regulator

The role of the Board

The accountability of the Non-Executive Director (NED)

The relationship between the CRO / CISO, the Board and the NED


Data Security & Cyber Security - Financial Crime

FCA refers regulated firms to examples of good and poor practice in data security at Chapter 5 in Part 1 and Chapters 6 and 10 in Part 2 of our Financial Crime: A Guide for Firms

“Outsourcing to a 3rd party does not mean you have outsourced your obligations to look after customer data. [Must] carry out due diligence on 3rd party suppliers before hiring them, try to establish what their vetting procedures are, and ensure that they respect your firm’s security arrangements”

If you are a senior manager or board director of an FCA regulated entity, take note


Is it really a matter for the Board? YES!

“It is the responsibility of the board to ensure that a firm is properly governed”

See Central Bank letter on operational risk & cybersecurity dated 22 September 2015


Will this keep the CRO/CISO awake at night?

CISO/CRO


Thank you

Contact Peter Oakes to discuss non-executive director & consulting services for regulated financial entities, fintech & other innovative companies

https://ie.linkedin.com/in/peteroakes

[email protected]

+353 87 2731434 / +44 75 635 26834
