

With nearly 2 decades in finance, Leong Kwan Seng shapes bank technology strategy, fosters innovation, and ensures secure digital infrastructure.

He oversees digital bank technology design, ensures reliability, and implements robust security controls, collaborating with stakeholders for effective risk management and regulatory compliance.

D-Ron: Considering the evolving security landscape and technological advancements, what is your perspective on the overall security strategy and preparedness for financial institutions in Malaysia and Southeast Asia as we approach 2024 and 2025?

Leong: Let's just start with what the evolving security landscape, security, and technological advancements are. For cyber security, I think we've seen a lot more ransomware data breaches, which is very worrying because it's more frequent and sophisticated. And, of course, the targets are financial institutions like us or any institutions that hold sensitive data or payment transactions which they can then get money out of.

It all comes via various methods - social engineering (that's the most common), phishing, sharing of passwords, and things like advanced persistent threats. So, this is a bit more technical because these methods are often state-sponsored, or by highly organised criminal groups. And they usually dwell in the system of that institution for a long time.

So, it is these common cybersecurity issues that are keeping most Chief Technology Officers (CTO) and Chief Information Officers (CIO) awake at night.

I think, from a regulatory perspective, what helps is that in Malaysia, for example, Bank Negara has been very proactive in looking at cybersecurity compliance, issuing Risk Management in Technology (RMIT) guidelines, looking at collaboration in terms of financial intelligence, threat intelligence, and other things like that.

What has also been evolving is the whole adoption of the Cloud. As we are now moving towards launching as a digital bank, the bulk of our services would be on a public Cloud, and with Cloud itself comes a different kind of model, which is the shared responsibility model. So that requires a lot of rejigging of how conventional IT operating models, roles, and responsibilities are looked at.

The other part, in terms of technological advancements, includes AI machine learning, the whole hype of ChatGPT, generative AI and Large Language Models has definitely eaten into management meetings and boardrooms. Hence, more focus is put on there. But, at the same time, the business as usual (BAU) still needs to happen.

There are also things like advancements in authentication. So, we've seen a high take-up of electronic Know Your Customer (eKYC) solutions. That’s also something we are working on because as a digital bank, that will be our only channel. There will be no branches, so there is no way for any physical KYC. The mobile banking app itself is now key.

So, everything that runs on the phone needs to be important, you need to have device binding and multi-factor authentication. Last but not least, this whole evolvement then leads to a lot more complexities, hence incident response and planning are very key.

It's unlike the conventional days, where you talk about looking at just a particular one-track scenario or component failure scenario. It’s now more of looking at integration-based scenarios, connectivity scenarios, and how they flow from one process to another, one system to another, and one API to another. So, that itself brings a lot of planning and collaboration in order to get the response recovery right.

So, to answer the question, from an overall security strategy and preparedness point of view, I think it depends also on the maturity of what the cyber security posture is for that institution.

I think what I see generally, especially with the conventional banks, is what they've been able to do with the resources that they have, both in terms of money and staffing. They’ve put in the right focus and preparation, while proactively looking out for what is coming at them.

The likes of us - the digital banks are somewhat insulated for now, especially in Malaysia because of the guard rails that are being brought about by the licensing framework, which allows us to only scale up from a small, gradual perspective before we look at graduation. What that means is our ecosystem is a bit smaller.

So, the way it starts is we look at friends and families, people who are working in the group, and the ecosystem before actually opening up to the public. But even then, we start with limited services like deposits and personal lending for example. So, that itself closes or narrows our universe in terms of protection.

But from a channel perspective, what makes it more difficult is that we are only fully digital. So, we really cannot afford to go down at all. Again, the analogy is with the other banks, if there's really a problem with your online banking, you can go into a branch and still do transactions. In our case, it's virtually impossible.

So, the whole resiliency and redundancy of things including recovery and response is at the very top of our security priority, and that trickles down into our whole business strategy as well.

So again, no specific answer there. But I think we are well prepared in that sense, but security is a cat-and-mouse game, it's never enough. I mean, there are always threat actors out there who are looking at ways to hack. I like this analogy that I encountered with one of the security companies before. We banks are like protecting a balloon. All it takes is for a hacker to poke a needle somewhere and then that's it.

So the perimeter is really a large one and we have to ensure that it's properly done.

D-Ron: And sometimes, it may not even be someone like a hacker, it could just be things like an outsourced data centre that goes down?

Leong: Yeah, exactly. So I mentioned one word about resiliency. I think that it can be broken down into two parts.

So, your question is on resiliency from a technological standpoint. So that includes the components, the failover, bringing things up, making sure things are active or running, that's from a technology standpoint.

And then, there’s resiliency from a cyber security standpoint. So, this is where protecting from hackers, being proactive, doing threat intelligence, and plotting whatever is needed all comes in to prevent disruption of the business.

So, two different angles there.

D-Ron: What technological advancements do you see as crucial in enhancing the security of both physical and digital banking platforms in the coming years?

Leong: So for me, I probably won't be touching on the physical portion of things for the very fact that we are not even looking at it. It's a good thing not to be a part of my problem, haha! But there are things that are going to be interrelated anyway.

So, I think in terms of enhancing our digital banking platforms, it really is important that we protect sensitive or confidential information. Ultimately, it is most important to maintain trust. I think in banking, whether digital or physical, it is trust that’s first and foremost because as soon as we lose trust, a bank run will happen. So, that's really the objective.

What I see as something immediate that we are already looking at, also as part of our launch, are things like authentication. So the whole biometric authentication is key for those who are with the iPhones and it’s all still Face ID. Unfortunately, Touch ID is not in yet. For the rest, it's fingerprints, Touch ID, some even go into iris scanning, but these methods are tied to a biometric because it's only to a person and then, you have further device binding. It definitely helps in terms of enhancing security.

These will be used in combination with what we call multi-factor authentication. So, in the earlier days, there was a lot of SMS being used, but in Malaysia, that’s now being slowly removed. In fact, banks are not allowed to use SMS OTP as a means of multi-factor authentication. It needs to be an app-based or third-party-based authentication solution.

But multi-factor definitely helps because as we all know, for a password, regardless of its complexity or length, the weakest link is us writing it down or sharing, and then it doesn't matter altogether. But multi-factor provides that additional protection. Of course, two-factor authentication is the most common type but many times, for high-risk transactions, we can go into even three or four-factor authentication.

Of course, that then increases the friction. The areas that we, as a digital bank, find most interesting is the whole area of AI machine learning and what comes with it - behavioural analytics. So, the data that we gather, the data that we can get from our ecosystem partners, like our shareholders for example (which are fintechs or corporate companies - we have the Sea group and the YTL group backing us up); this ecosystem data will then be able to fit into Artificial Intelligence-Machine Learning (AI-ML) models which can then help in various areas such as credit score.

So, this is one area that is even new to regulators because all this while, we have only been looking at credit assessment through income verification and historical data. But these alternative models will look at your behaviour in terms of payments of your bills, your shopping behaviours, and how you actually complete those purchases.

So, there are a lot of data points that we can look at from the AI-ML perspective that can be replacements or at least, complements to the other credit score methods. So, that's where we will also be working closely with the regulators to see how we can provide more data from a result perspective, to complement the other modes.

This is an interesting area because it's something that no one has been able to solve 100% because of what we only have as our ecosystem data. So, we need to expand that to improve the learning for sure.

D-Ron: And I guess with more time, as the data sets increase, it will be definitely better as well.

Leong: Yeah, exactly, but what remains is the risk of the models themselves. So, we only learn from the data sets that we have, and that may already create some bias which is not good in the long run, especially if we want to expand our business. And the other is the accuracy of what comes up from the model itself.

So far, there are no models that are 100%. Even scoring above 90% is already a good score. But if you think about it, even if you get one decision out of 10 wrong, that's still going to have a huge impact.

The last one, I think, is more of the Internet of Things (IoT) endpoint. So again, you're talking about devices here, every device now is like a mini-computer. That itself is a danger and an opportunity at the same time for us. Because everything that's connected to the internet means that we can get data in and we can get data out. So, it's a double-edged sword. But these are the considerations that we are looking at.

So, the security of these things from an authentication point of view, multi-factor and AI-machine learning will help. Of course, from an institution’s perspective (that’s running on public clouds), that's going to be important.

D-Ron: In your experience, what are potential key challenges that banks face when implementing and integrating various security systems like access control, video surveillance, uninterruptible power, and data protection?

Leong: Yeah, definitely, and it is all of the above that you mentioned. But maybe I’d just like to highlight a few key points.

Complexity and compatibility are definitely the main issues. Because the more services that you bring in, the more systems you want to communicate to each other, the harder it is to manage, and the harder it is to resolve if there’s an issue. And we also know how it works in terms of the system integration world. When there's a problem, the finger-pointing starts to happen, right? Haha!

And what does not help is proprietary-like systems. So I'm a fan of open source and hopefully, one day we'll even have open banking in Malaysia and Singapore. Because all these open Application Programming Interfaces (APIs) will be the ones that allow for the reduction of complexity and compatibility.

Although that itself brings a risk: as we know, for open source, there are versions that are not supported. So, we have to make sure that these enterprise versions are supported, but with an ‘open enough’ technicality for us to integrate and connect.

So those are the key points that I think are going to be big game changers if we are able to solve them.

For other key challenges, I think the one that I can relate to is vendor lock-in, especially platforms and even the Cloud that we are in. We are quite reliant on these vendors or service providers to provide a particular technology or service. It's all well and good if they are growing and spending and ensuring that they upkeep cyber security and features at the same time. But as we know, not everyone is in the black all the time.

There are days where, sometimes within their own constraints, they may not be expanding or growing as we are. And if we are locked in with them without much of an alternative, then we are also going to be very much tied down with all their problems.

Interoperability. I think, in a way, I've touched on the point that if we actually pivot more towards open API systems, it will reduce the interoperability issues and at the same time, reduce complexity. So that's almost like a two-in-one thing that we can solve in open banking.

But all in all, we should look at the different challenges on a case-by-case basis. I think it is not a one-size-fits-all solution as well. I think that conducting the right risk assessment is crucial, which then looks at selecting the right providers and ensuring that everything is tested, and updated (of course, that includes our own resources).

Employee training and readiness are key too. I think that will solve quite a lot of issues in terms of implementing all these systems.

D-Ron: Access control systems, and other systems as well (like the other things we mentioned above - video surveillance, uninterruptible power, data protection, all of these) are crucial for sensitive areas in the banks and sensitive portions of the banks.

In your experience, what do you look for in such systems or vendors before deciding on one?

Leong: So, maybe I can share broadly what's the scorecard that we look at in terms of third-party vendor selection.

We look at areas of track record, business requirements, and compatibility. So, in terms of how the solutions can fully meet our business requirements and technical requirements. So, it’s more of what are the technical capabilities that can or cannot be done by the vendor.

Pricing. Cost definitely plays a big factor, especially for a digital bank in Malaysia, which needs to graduate within the five years of the licence framework.

And the last part is actually more of the etcetera, which is the added value that this solutions provider can actually bring to the table. But of course, added value is nice to have. So, in terms of the weightage, it is usually the lowest. We also look at track records, business requirements, technical requirements, and cost with a higher weightage.

So it also depends, in terms of, what exactly we want in the different areas. If it is with regards to security, I think the main thing that I would be looking at first is can they comply with regulatory requirements? Bank Negara’s RMIT is a very good start. If there's some mapping done, they can already show us that “Look! All this compliance has already been mapped and justified.” That takes away half of the pain because we then get assurance that it's something that the vendor can really do.

But that aside, it’s the normal thing again that we look at - “Can the solution be scalable? Can we ramp up or ramp down when it's required?” Because, just like most things on the Cloud now, there are always peak demands that we need to resolve, especially in terms of transactions and banking, including self-customisation, and how easy it is to do things on our own without dependence on the vendor.

So, low-code/no-code solutions would definitely be of a higher priority. And then, it goes down to the functionalities themselves, and this is usually covered under the technical requirements, in terms of how we actually look at the integration capabilities, friendly interfaces, audit trails, and how the architecture of the system itself provides resiliency like what I have mentioned earlier on.

D-Ron: What about things like “future-proofing”? Do you feel like that is something important?

Leong: So, it's definitely a factor but I don't quite like to use the word future-proofing. This is for the very fact that you can't future-proof because you don't know the future. But I get where you're coming from - the whole upgradability, keeping up with standards, and then being able to tap into leading technology. That's definitely key.

So, I also see that in two parts. One is that from a technical capability, the vendor solution should be able to keep up with the new technologies without us pushing them. For example, if it's a new type of API or database that is commonly used, it should already be taken up by the vendor without us actually asking for it. So, that's a proactive one.

The other way through which I’m looking at upgradability is that there's a need for them to also keep up with the latest patch versions, and OS versions, in terms of making sure that things are again resilient and secure.

So, definitely, a big portion of it will be covered under technical requirements.

D-Ron: As we look toward the future, what trends in AI and machine learning do you think will have the most significant impact on banking security and how can banks prepare for these changes?

Leong: Yeah, there are still various areas that I've not touched on yet. I think I talked a little earlier in terms of how AI is evolving and how we can actually tap it in terms of credit scores and assessments, but that is from the business side.

From an operational side, there are things like fraud detection because the whole machine learning will definitely make us more competitive in catching possible fraud, or flagging out fraud rather than a human manual intervention.

From a predictive analysis perspective, it can help in looking at potential threats, or just by looking at historical data, come up with emerging trends and behaviour. So it will help to come up with something that's predictive and is able to flag something out like, “Hey, this is possibly coming.” Or “We are possibly being attacked” without even knowing about it. But the AI-ML model can flag it out.

From a compliance monitoring perspective, as a bank, we are inundated with all sorts of policy documents, standards, guidelines, and requirements. The AI-ML tool can pull things together to allow for more automated monitoring and analysing from a data perspective that we have, before going to the proper compliance team for further updates. So, that saves a lot of time rather than everyone manually updating an Excel template or PowerPoint to fill up.

From an internal perspective, I think what would help is something that's probably already more common now - the whole natural language processing for chatbots and virtual assistance. Some banks have already done it. However, it was not as successful as I think everyone thought it would be because there are always human elements that would complement such assistance.

So, I think, it's more of a hybrid mode that will help right now. If we were to launch a product that is all just going to be manned by chatbots, I don't think that's going to succeed right away as well. So, it's something that definitely needs to be looked at.

From an authentication side, I think I shared it earlier. Even from a biometric, or behavioural standpoint, the models will actually help us improve in making it more accurate and secure. So, this will then elevate into the trust that we build with the customers.

So, these are the main areas that the AI-ML plans can help us cover.

I am fortunate enough, being in the digital banking sector, that I no longer need to look at legacy system issues, haha! So, that’s something most of my peers are envious of. But the fact is that being digital also means we are really trying to be disruptors, trying to look at what we can use from an AI-ML perspective, still within the context of regulatory compliance, while finding ways to push the envelope.

D-Ron: Thank you once again for this session.

Leong: I think it's a good and relevant one because all those questions that you’ve included as part of the survey are things being discussed in the market.

So, I actually look forward to seeing what's the outcome of all these interviews. Perhaps, I can learn something from it too!

ABOUT LEONG KWAN SENG

Leong’s solid foundations in the Information Technology (IT) sector were laid while he studied at the Universiti Teknologi Petronas where he graduated with Honours in Information Technology with a minor in Finance. He later progressed to the University of Oxford where he obtained a Master of Science in Computer Science in 2009.

Leong has seasoned experience in the intersection of the Finance and IT sectors, having occupied various positions in Bank Negara Malaysia for over 17 years, which were critical to the bank’s stability in information security. Subsequently, he served as the Chief Operating Officer of the Consumer Credit Oversight Board (CCOB) Task Force, overseeing its digital operations, technology setup, finance, strategy, communications, and overall day-to-day administration of the Task Force.

As the Chief Technology Officer, Leong currently draws on his broad range of competencies in shaping the technology strategy of the YTL-SEA Digital Bank Project, while implementing robust security controls to safeguard its overall digital infrastructure.

Leong has been described as a fantastic team player, who is equally a great person to relate with. Check out his LinkedIn page to learn more about him!