The data-reliance of digital banking means an AI-driven approach to cyber security and risk management is integral to success, UnionDigital Bank CISO Dominic Grunden tells CSO.
For him and his team, this took on greater significance given the speed at which UnionDigital Bank was created to empower the Philippines’ digital economy. The bank enables the Filipino people, communities, businesses, problem solvers, and regulators to leverage digital banking, fintech, blockchain, and open-finance technologies. It was established in just five months, a timescale unheard of in the banking industry, Grunden says.
From the get-go, Grunden recognised the need to adopt an AI-first security policy to keep pace with both the unprecedented growth of the company and the complexities of the digital banking sphere.
Key to achieving this has been a seamless relationship with the firm’s Chief Data Officer (CDO), Dr. David R. Hardoon. Working together, the two used autonomous technology to instill a “truly holistic” AI-enhanced security and risk management strategy.
How AI-driven cyber security enables UnionDigital’s banking needs
The proliferation of digital financial technology is big in the Philippines, as is a growing demand for and reliance upon cryptocurrencies and other payment methods, Grunden says.
“This presents digital banking with an unprecedented opportunity, but at the same time it heralds a new age of digital crime. I say that because it’s one characterised by a complex interconnectivity and undefined geographies. It’s not like a traditional bricks and mortar bank; we don’t technically have borders.”
The biggest challenge in the digital banking space is that the threat landscape changes quickly, and criminals are constantly evolving, using more electronics, and getting more sophisticated, Grunden adds. “They’re impersonal, they’re complex, they’re interrelated, and they’re leveraging data and advanced techniques that humans cannot keep up with.”
That’s what drives UnionDigital Bank’s AI-first security focus, Grunden says.
“We need to be able to keep up – to be both defensive and offensive at the same time by innovating to protect our customers and their data," Grunden adds.
"AI has given us that mechanism to feel like we are keeping up with the pace of the industry, where we can also understand the behaviours and motivations of individuals, consumers, detect criminal activity quicker, and advance our collective capacity to fight and repel financial crime, because ultimately, that’s what it comes down to in the digital banking space.
"I have a firm belief that digital banking is going to be more than just finance; we’re going to be the custodians of customers’ data. There is going to be a need for faster risk decisions such as real time blockage of payments and detection of fraud, and we’re going to have to detect breaches quicker and respond to breaches faster,” while also meeting higher expectations around consumer experience as digital banking becomes more pervasive.
AI’s potential for data transparency its key security, risk management quality
Data transparency is key to achieving this, and AI’s capability to deliver vast, accurate data pattern analyses is its chief security benefit for UnionDigital Bank, according to Hardoon.
“AI is fundamentally about identifying patterns and/or irregularities in patterns, and through that the ability to offer a hyper-personalised service that can recognise abnormalities," he says.
"To me, the premise of security, governance, compliance, and crime prevention is part and parcel of serving the customer. That’s the goal and embedding anything and everything from a defensive line point of view that necessitates data implants a dynamic understanding of behaviour that helps to better manage risk."
Grunden concurs, adding that this transparency of data also offers diverse viewpoints around threat patterns that can be understood and used to identify potential new risks based on trends within the digital banking perspective, lowering the cost and time to detect and respond.
Hardoon cites an example of when he was asked to use AI-powered data analyses to help predict non-compliance before it occurred.
“Again, this was all about establishing if there was a pattern and asking if we can learn from it. Sometimes the answer is no, but in this case, we were able to predict the likelihood of non-compliance some two or three months ahead of time.”
He admits the term “likelihood” is important here because there is no way to 100 per cent guarantee risk, but if you can say that there’s an 85 per cent chance of non-compliance, it allows you to shift from only being able to react once it occurs to taking preventative measures ahead of time.
“In a way, it lets you create a capability that you want to eventually be proved wrong because it allows you to put every control and measure in place to make something much less likely to happen. That’s a real shift in risk operation – using data and leveraging on AI to find something that might happen, so you can put in place preventative measures to make sure it doesn’t.”
This allows UnionDigital Bank to enhance its attack and threat prevention capabilities, moving from merely “catching the idiots” that fall into simple traps to implementing a more sophisticated way to stop attackers that are using their own autonomous technology to carry out malicious campaigns.
“Attackers are getting far more sophisticated than we may want to acknowledge,” Hardoon says. “The systems we put in place go beyond that, and we think in terms of better service for customers and more relevant and heightened defence. Ultimately, I think this needs to be an industry-wide approach.”
Grunden reflects on plans to go one step further. “We’re definitely pushing the envelope, and a lot of that comes down to the maturity of the security function, despite the fact that we’re a new bank.”
Excitement and alignment integral to AI security success
Grunden says he and his team are motivated by an excitement about AI’s potential to enhance their cyber security strategy, something that plays a key role in their collaboration with Hardoon’s department.
“We look at what AI solutions David’s team either currently has in place or what can be built to enhance things, because we might be buying a product that’s ‘out of the box’ but not good enough for us. We want to go above and beyond, so we leverage AI to create enhanced capabilities and push the envelope on the products, services, and platforms that we buy.”
Grunden’s team works in close collaboration with Hardoon’s especially in areas where AI plays in and how it can make things better, he notes.
“I’ve never had that same level of excitement and engagement in previous organisations I’ve worked for,” Grunden adds. “It’s also about keeping that excitement for an AI-first policy there so that we can use the technology to make security our own, and my staff fully embrace that.”
Both Grunden and Hardoon believe that true AI-driven cyber security must be holistic, a concept they are passionate about ensuring is in place at UnionDigital Bank. This means operationalising end-to-end application of AI with regards to cyber security and risk management.
AI is still evolving with challenges to consider
This strategy does not come without challenges – or at least important factors that must be considered – Grunden and Hardoon agree.
“One of those is a higher call for talent in relation to AI and cyber security,” Grunden says. “Currently AI technology is still in the early stages, and so the cost of creating a talent pool that is very good with both AI and cyber security is high.”
There’s also the fact that AI can benefit attackers in certain ways if it’s not well understood, implemented, and used, he adds.
“Then there’s the old cliché that more data creates more problems, and while I don’t suffer from this at UnionDigital Bank due to the way our CDO has structured data, it’s generally an issue in that you are required to entrust data to third parties.
"That would be more of a challenge if we were based in Europe with the GDPR to consider, for example. Lastly, if there’s room for human error in how AI is deployed, you can still be vulnerable to mistakes.”
From Hardoon’s perspective, the main point of consideration in applying AI to security and risk management centres around establishing a definition of what “good risk” is.
“Of course, there is always risk, but AI makes the questions a lot more acute – i.e., how much risk is okay? It can tell you up front your risk levels, which is very different from an operational perspective whereby you, in hindsight, detect that you’ve missed something, because x, y or z happened downstream.
"So, if you decide you don’t want to accept the level of risk presented to you, it can impact the businesses operationally moving forward, so there does need to be careful consideration about how to best leverage on the output.”
Ultimately though, the benefits of AI in cyber security far outweigh the negatives or the challenges for UnionDigital Bank, Grunden says.
AI will be more critical to cyber security than many think
Looking forward, Grunden thinks the need for an AI-driven approach to cyber security is only going to increase for the digital banking sector and beyond.
“It’s going to be more critical than many experts think,” he says. “In my opinion, AI will be pulled into some type of security standard in the next five to ten years, whether that be an ISO standard or something else.
"For digital banking specifically, I also believe there’s a very solid chance that it may become illegal or a form of regulatory non-compliance if an organisation is not using AI in their cyber security. I think AI will be a catalyst for determining whether the digital banking industry can keep up with the threat actor community, and I can see a time when we’ll have ‘good AI threat hunting bots’ working against ‘bad bots’ changing on the fly depending on the threat landscape.”
Hardoon concurs. “AI simply needs to be a staple component of cyber security defence. If not, you’re just going to get clobbered – maybe not now, but someday.”