Globally, digital risks are rising, posing unprecedented threats to financial institutions. Latin America’s banks are implementing increasingly sophisticated defence mechanisms, but still there is much to be done, as Katie Llanos-Small reports.


Over just four days in May, the WannaCry ransomware spread across the globe and infected hundreds of thousands of computers, encrypting files and leading to demands for payment to release the data. Brazilian government departments were not immune, and nor was the country’s biggest privately owned lender, Itaú Unibanco.

Even after a solution was found to halt the spread of the main form of the ransomware (a ‘kill-switch’), the virus had mutated and continued spreading. It was discovered that during execution the malware searched for an internet address and, when unable to find it, continued the attack. By registering that domain, the attack stopped. Variations of the virus did not have that feature.

“We detected more than 150 varieties of this ransomware where parts thereof no longer carried this kill-switch,” says Nelson Novaes Neto, Itaú chief information security officer.

The bank’s security and technology teams swung into action, setting up a war room to respond to the fast-evolving threat.  “Rapid detection makes all the difference,” says Mr Novaes.

Counting the cost

The high-profile and damaging nature of the WannaCry attack was a reminder of the inherent, and growing, risks of daily online activities. For banks, which depend on clients’ confidence, cybersecurity is paramount.

And while many of the risks and solutions are global, Latin America is particularly poorly protected against cybercrime. The Inter-American Development Bank (IDB) warned in 2016 that a lack of coordinated planning left the region “vulnerable to potentially devastating” attacks.

“If you look at the economic importance of cyber criminal activity, it is really concerning,” says Miguel Porrúa, lead author of the IDB’s 2016 report. “It’s a huge part of the economy. The banks have studied the cost of cyber attacks in the region, and in 2016 it was $1bn just in Latin America in the banking sector. That’s a lot of money.”

Latin America has made some advances in cybersecurity over the past year, says Mr Porrúa. Particularly encouraging is that the region’s banks are increasing the resources they dedicate to fighting online crime. Investment in cybersecurity at Latin American banks is estimated to account for 10% of IT budgets, says Mr Porrúa. At the same time, the region’s banks are thinking more strategically about how to get ahead of the risks.

Enhanced security

Mexican lender Banorte launched a two-year digital security-focused programme dubbed Task Force 20-20 in 2016. The bank has identified six main areas of risks that it hopes to tackle with the programme: theft of client or bank data, fraud in client or employee systems, losing critical information or losing system access.

At a group level, Santander updated its business continuity plans in 2016 to cover cyber risks, and overhauled its IT contingency plans. The bank, which operates retail lenders across Latin America, upgraded its protection against denial-of-service attacks and refreshed its internal cybersecurity model to be in line with global standards.

Itaú is another that has dedicated significant resources to cybersecurity. Today, its information security department is split into two groups: the RedTeam focuses on continuous testing of IT systems, while the BlueTeam watches for changes in behavioural patterns in systems usage.

“Agility in detecting possible threats and a rapid response to them is what will guarantee the success of cybersecurity initiatives,” says Mr Novaes.

Old enemy, new tools

But with digital risks originating from a wide range of sources, there is always more that could be done to keep customer data and assets safe. Payment processors across Latin America, for example, say that with a little more help from banks, they could cut incidences of fraud in online payments.

US residents who shop online are often asked for an extra piece of data, typically their postal code, in addition to their card details when they make purchase. It is easy to remember and offers another simple layer of verification for web purchases. Payment processors complain that similar simple checks are unavailable to them in Latin America.

“The mindset at Peruvian banks has been to keep their data locked up,” says Amparo Nalvarte, chief executive and co-founder of Culqi, a Peruvian digital payments company. Partly, that stems from strict local data protection laws, but Ms Nalvarte argues that the caution is overplayed. “It is one thing to have data for marketing purposes, and another thing to use it for a better anti-fraud system,” she says.

Banks, which stash huge amounts of customer data, should open application programming interfaces (API) to allow companies such as Culqi to verify addresses or similar data to combat online fraud, according to Ms Nalvarte. She is hopeful that the relationship with banks might change.“We’re going through a sort of transformation at the moment,” she says. “The banks have at least realised that opening their APIs is important. They haven’t done it yet. But we see that every time we talk to them about APIs they pay a little more attention.”

Information gathering

In the absence of such access, Culqi is one of a swathe of financial institutions across Latin America turning to artificial intelligence and machine learning tools for cybersecurity.

“We pull information from proxies, device fingerprints, browers and data about when the account was created, and so on,” says Ms Nalvarte. “There’s a series of electronic data that the client shares at the moment of making their purchase.”

For Culqi, checking that data against normal behavioural patterns is a more efficient form of protection against digital payments fraud than advanced authentication measures – extra passwords, or biometric validation – which ultimately deter customers from completing a transaction.

This a trend sweeping the financial services industry in Latin America, as institutions put machine learning systems to use to study behavioural patterns and flag up anomalies in user activity.

“The types of solutions are becoming more sophisticated ones that focus on prevention rather than detection,” says Mr Porrúa. “[Banks are] using intelligence tools to anticipate which types of attack you are going to get, and from where.”

To-do list

Despite the increasing sophistication of some banks’ defence mechanisms, more needs to be done given the rapid changes in information security risks and the rising portion of economic activity exposed, says the IDB’s Mr Porrúa. One frontier often left undefended is customers’ responsibility for their own digital security.

“I notice less effort on the side of clients,” says Mr Porrúa. “In creating awareness and educating the customers, the users of online banking, I don’t see as many initiatives in the region, and probably that’s something the banks have to invest in and take more seriously.”

The IDB wants governments across Latin America to step up their efforts on cybersecurity across the economy, implementing national and regional strategies to stay ahead of the hackers and to defend sensitive data. That would involve encouraging employees to train in information security, raising awareness among citizens about the importance of data privacy, and more.

“There’s a need to somehow push the banks to follow certain cybersecurity procedures,” says Mr Porrúa. “If you leave it at the will of the CEO of the bank, some may do it and some may not. You probably need some regulation about what standards every bank should follow in cybersecurity and probably some supervising mechanisms.”

Order The Banker July edition

FREE trial access to Top 1000 World Banks

Join our community

​Interview with Santander's executive chairman Ana Patricia Botín - Part 3

The Banker's editor Brian Caplen talks to Ana Botín about buying Popular and Santander's new acquisition style.

The Banker on Twitter

By continuing to use this site you consent to the use of cookies on your device as described in our cookie policy unless you have disabled them. You can change your cookie settings at any time but parts of our site will not function correctly without them.