Bitcoin and the cryptocurrency revolution has seeded the market with blockchain usage in various arena.
For financial service institutions (FSIs), blockchain has spawned the concept and implementation of “decentralized finance” or DeFi, where financial products are available on a public and decentralized blockchain network. However, much like cryptocurrency, and blockchain-based offerings in general, this development presents some critical fraud concerns, especially for the more traditional FSIs analyzing opportunities in this space.
Still in the early stages, DeFi schemes would allow financial customers to sign up for services and accounts without going through traditional providers like banks or investment firms, typically without being authenticated by a Social Security number, a driver’s license or a passport. In the DeFi world, there are no “central” financial intermediaries, but instead smart contracts built on blockchains like Ethereum.
Kenneth Mendelson, senior managing director for Guidepost Solutions, a global security, investigations and compliance consultancy, pointed out that, in fact, “blockchain technology was originally touted as a method to disintermediate traditional financial institutions from the transaction process. However, the institutional stability and accountability regulated financial institutions offer are appealing characteristics that legitimate businesses actually value.”
But this type of financial transaction arrangement typically presents more risk than most traditional U.S. FSI customers are used to in dealing with highly regulated banks and investment firms.
“Considering that numerous cryptocurrency fortunes have been lost by people and organizations that have simply lost a private key, those who amass large amounts of crypto will appreciate the security of a more robust custody service than they can provide for themselves," Mendelson added.
“Just as people moved from keeping their valuables in their mattresses to storing them in bank vaults, holders of large amounts of crypto will look to regulated financial institutions, with established cybersecurity programs and offline solutions, to store and manage their fortunes.”
But herein lies the rub: How can more traditional, and compliance-bound banks, investment firms, insurance companies and other FSIs support their customers in this movement toward decentralized finance, while mitigating potential risk?
Jonathan Tanner, senior security researcher at Barracuda, which handles security, networking and storage for many FSIs, said that one of the “most significant concerns [in DeFi security] comes from knowing how many touchpoints that data actually has, in addition to also determining who is responsible when an incident occurs.”
“Sharing data with third-parties is not necessarily a simple process because many have their own third-parties,” Tanner said. “More specifically, it is not uncommon for the original data to reach sixth-parties or more along the way.” Because of this, Tanner added that it is essential to understand the full reach of the data that is being shared, as well as the security measures at each step along the way, becomes very complex, making it near impossible in some cases.
Given the increased reliance on decentralized systems online, and blockchain-based options within financial services (even outside of cryptocurrency), many industry experts see DeFi as a natural evolution for the U.S. financial industry and its customers. But these decentralized exchanges, lending systems and other financial offerings, that essentially remove the conventional bank or investment firm from the equation, present a clear fraud risk concern, especially when they are avoiding the usual regulatory checks and balances.
Tanner suggested the need for a "chain of trust," “where you just have to trust that each entity along the way is following an appropriate level of security during the risk assessment process, which is definitely is an area of concern.”
This complexity especially comes into play when an incident occurs and teams then have to determine, remediate and assign responsibility appropriately, Tanner said.