Voted best Crypto Exchange UK by Forbes Advisor July 2024, Uphold is a multi-asset digital money platform offering financial services globally.
Built on a core of proprietary technologies and e-money apps, Uphold embraces a future where people and businesses around the world have access to safe, transparent, fair, and affordable financial services.
Celebrating 10 years in business in 2024, Uphold is considered the first in its sphere to truly offer a patented Anything-to-Anything trading experience, allowing customers to trade directly between asset classes.
“Our core mission as a web3 financial platform is to provide infrastructure for anybody building on the blockchain,” explained Chris Adjei-Ampofo, Chief Information Officer (CIO) of Uphold, “This includes licensing, the control framework, and access to a wide range of digital assets”.
With over 20 years of experience in the financial sector, including the development and sale of his own software company, Knowledgewire, Chris is at the forefront of fintech.
Since joining the firm, Chris has played a pivotal role in the cultural change of information security and data privacy at Uphold.
“Implementing security and fraud controls is only part of the toolset needed to company cyber risks. People are always the weakest link and changing the company culture in which everyone embraces our information security obligations without it being burdensome is worth its weight in gold,” he highlighted.
Chris spoke with Business Enquirer about the challenges faced by CIOs in the fintech sector, and where financial institutions should be investing their focus in the ever expanding realm of emerging technologies.
Preparation is Key
Over the last 10 years, the fintech sector has evolved from a niche industry trend into a transformative force in the global financial landscape with just under 30,000 fintech businesses across the globe – and growing.
But what does this evolving sector look like in the coming ten years?
“CIOs in this industry face several significant challenges over the next decade,” shared Chris, “these challenges can be broadly categorised into four areas: technological advancements; regulatory compliance; cybersecurity; and talent management”.
The rapid pace of innovation with advancements in technologies like blockchain, artificial intelligence (AI), machine learning (ML), and quantum computing all pose a risk to businesses if they are not prepared to implement these quickly and correctly.
“Many financial institutions still rely on legacy systems. Integrating new technologies with these outdated systems without disrupting services is a complex task,” said Chris. “CIOs must ensure their organisations stay ahead by continually adopting and integrating these technologies.”
Meanwhile, the regulatory landscape for fintech is continuously changing, and it is the CIO’s responsibility to ensure that their systems and processes comply with new and existing regulations such as data privacy laws (for example GDPR and CCPA) and financial regulations (such as the EU’s Digital Operational Resilience Act (DORA), the FCA and PRA Operational Resilience policy, PSD2, and MiFID II).
While businesses can control regulatory compliance in-house, CIOs must also pay particular attention to protection against increased cyber threats, with cyber criminals taking advantage of evolving technology.
“As fintech becomes more prevalent, the sector becomes a more attractive target for cybercriminals. CIOs must invest in advanced cybersecurity measures to protect sensitive financial data and maintain customer trust,” added Chris.
“Preparation is key,” says Chris, with some businesses being too reactive, allowing leaky holes in the proverbial bucket.
“Preventing data breaches and financial fraud is critical. This requires robust security protocols, continuous monitoring, and rapid response capabilities,” he said, “it’s also key that businesses ensure the privacy of customer data in compliance with stringent regulations. This requires sophisticated data management and security strategies but is crucial to building customer confidence”.
Finally, in a sector that is introducing ever-evolving technology, Chris highlighted the high demand for skilled professionals in areas such as AI, cybersecurity, and blockchain, for which many businesses are having to back-fill.
“CIOs need to take steps to attract, retain, and continuously up-skill their workforce to keep pace with technological advancements,” Chris said, “Additionally, implementing new technologies often requires significant cultural and organisational change. CIOs must foster an innovation-friendly culture and manage resistance to change within their organisations”.
Along with this culture shift, the desire from employees for hybrid working, accelerated by the COVID-19 pandemic, presents challenges in maintaining productivity, collaboration, and cybersecurity.
How to Secure Trust
One of the biggest challenges faced by businesses in the fintech sphere is securing customer trust.
Guided by Chris, Uphold has implemented its Zero Trust security model across the organisation to enhance overall security and minimise internal and external threats.
Within this model, Uphold’s governance controls ensure access to information is granted on a need-to-know basis after infosec approval, and segregation of duties means access to critical assets and customer data is only available for the purposes of a role and for a time-limited period.
“We use a zero trust browser isolation with security policies for third party contractors, and only company issued devices are permitted to access our infrastructure,” explained Chris.
Additionally, Uphold implements regular audits, continuously monitors for suspicious activity, and runs annual security penetration tests to validate its external preventative controls. This aims to protect the platform’s infrastructure and software from security vulnerabilities and hackers.
To further build customer trust, the multi-asset digital money platform is always 100%+ reserved, and is the only financial platform to publish its assets and liabilities in real-time.
“At least 90% of our customer assets are stored in cold storage protected from external threats,” shared Chris.
Finally, Uphold is SOC 2 Type 2, ISO 27001, and PCI DSS Level 1 compliant, certifying the robustness of its security, fraud, and payment controls.
“Ultimately, our customers want to feel confident that their money is safe – we strive to continually validate that confidence,” he said.
A Problem Shared
Supporting Uphold’s sustainable growth and ongoing evolution, industry partnerships have played a pivotal role in shaping the platform’s approach to cybersecurity and digital transformation.
Chris emphasised the importance of collaborating with specific providers in areas such as Know Your Customer (KYC), threat and vulnerability detection, financial crime prevention, regulatory compliance, fraud management, and the future-proofing of cryptographic measures to protect critical assets and payment processes.
Uphold’s ecosystem includes several key partners essential for safeguarding its assets and customers. Among these, Veriff, Intigriti, Unit21, and SymmetriQ stand out.
“First and foremost, Veriff, a leading KYC provider, ensures that Uphold complies with regulatory anti-money laundering (AML) requirements and actively prevents fraud,” shared Chris. Veriff’s robust verification processes authenticate user identities, minimising the risk of identity theft and fraud while streamlining customer onboarding. This KYC provider has been instrumental in Uphold’s efforts to combat prevalent customer fraud, particularly Account Takeover (ATO) and Pig Butchering schemes.
The latter involves sophisticated social engineering tactics to manipulate victims into trusting the fraudster before ultimately defrauding them. By integrating Veriff’s biometric authentication and fraud risk scoring with Uphold’s fraud detection tools, the platform has effectively implemented preventative measures to protect its customers, achieving a remarkable 80% reduction in total fraud within a year.
“Not only is Veriff efficient and secure, but it also enhances the user experience while maintaining essential security standards, which is crucial for showcasing the value our platform offers to customers,” Chris added.
Unit21 plays a critical role in Uphold’s global compliance team, streamlining operations related to financial crime, regulatory compliance, and fraud detection. As a no-code, AI-driven platform, Unit21 empowers the team to create and test custom rules, risk models, and workflows with ease.
Utilising AI, Unit21 prioritises alerts and surfaces pertinent information for investigations, thereby increasing efficiency and programme health. Its rules engine, risk rating, and case management features enable Uphold to effectively prevent, detect, investigate, and report suspicious activities and fraudulent transactions.
Additionally, Uphold’s partnership with Intigriti, a trusted leader in crowdsourced security, is vital for continuously detecting and mitigating evolving threats and vulnerabilities in the industry.
While many companies still rely on annual penetration tests to identify security weaknesses, Chris points out that such time-limited assessments can offer a false sense of security. Given the rapid emergence of new threats and vulnerabilities, it is essential to engage a broad community of ethical hackers and researchers dedicated to continuously identifying potential risks within Uphold’s ecosystem.
“By collaborating with Intigriti’s global community of security researchers, we leverage their expertise to enhance our platform’s security posture, reinforcing our commitment to safeguarding our customers’ assets and maintaining their trust,” said Chris.
Lastly, advancements in quantum computing and AI present both benefits and risks. The computational power of quantum computers far exceeds that of classical computers, posing a direct threat to current encryption methods like RSA and ECC, which are foundational to digital security.
These algorithms could be easily compromised by quantum technology, undermining the integrity and trustworthiness of blockchain systems. To address this challenge, Uphold has partnered with SymmetriQ, a specialist crypto cybersecurity firm co-founded by Dr. Barry Childe, a leading expert in quantum-resilient networks.
This partnership enables Uphold to assess the threats posed by quantum computers and to evaluate the feasibility and costs of implementing quantum-resistant algorithms, quantum key distribution (QKD), and post-quantum blockchain solutions. Together, they have devised a strategic plan for integrating quantum encryption into Uphold’s existing security infrastructure, thereby safeguarding critical assets against quantum computing threats.
While Uphold recognises the immense value of its partnerships, it is equally committed to optimising its clients’ platforms. Recently, Uphold launched its latest innovation, Topper—a user-friendly fiat on-ramp that boasts high approval rates and serves as a simple-to-implement Web3 payment tool.
“Topper empowers crypto projects to seamlessly process a broader spectrum of customer payments,” explained Chris. “Furthermore, it supports a wider range of digital assets than our competitors, providing end consumers with more choices.”
Plan of Attack
As mentioned by Chris in his comment on challenges to CIOs, preparation is key. From his perspective there are several emerging technologies which he feels will significantly impact the fintech space in the coming years.
Chris believes AI and machine learning will continue to have a purpose as their analytic credentials develop.
“As this technology evolves it will be able to analyse vastly more amounts of data to predict customer behaviour, credit risk, market trends, and enable more informed decision-making by fintechs,” Chris explained.
In addition, Chris foresees a positive impact from AI’s ability to automate repetitive and mundane tasks such as data entry, account reconciliation, and compliance checks, freeing up human resources for more strategic activities.
Meanwhile, Chris believes that quantum computing will support enhanced data processing, which will significantly improve data analysis, risk management, and optimisation processes for fintechs and beyond.
“Quantum computing poses both a threat and an opportunity for cyber security. It could break traditional encryption methods but also enable the development of more secure cryptographic techniques,” Chris highlighted.
As with all enhancing technology, Chris highlighted the current key areas where quantum computing poses a threat.
“‘Harvest Now, Decrypt Later’ indicates that adversaries can intercept and store encrypted data now, with the intention of decrypting it once quantum computers become powerful enough,” explained Chris.
The implication is that sensitive data, including personal information, financial records, and intellectual property, could be exposed in the future, leading to severe breaches and loss of confidentiality.
Secondly, quantum computers have the potential to break the cryptographic algorithms used by the blockchain for security. “This could undermine the integrity and trustworthiness of blockchain systems,” said Chris.
Ultimately, compromised blockchains could lead to financial fraud, loss of digital assets, and erosion of trust in decentralised systems.
“The threat of quantum computing to traditional encryption technologies and blockchain security is imminent and requires immediate action,” added Chris. “By exploring quantum-resistant encryption algorithms, quantum key distribution, and post-quantum cryptographic solutions for blockchain, and engaging with expert solution providers, we can develop a robust security strategy to protect our organisation against future quantum threats”.
When Will Quantum Computers Become A Threat?
The timeline for quantum computers becoming a threat depends on several factors, including the development of large-scale, fault-tolerant quantum computers and advancements in error-correction techniques. While quantum computers today are still in their early stages, experts predict that breaking RSA could happen within the next 10 to 30 years, depending on progress in quantum computing technology. The research and advisory firm Gartner makes the strategic planning assumption that by 2029 advances in quantum computing will make conventional asymmetric cryptography unsafe to use.
How to prepare and defend against the attack
The National Institute of Standards and Technology (NIST) offers several key recommendations for preparing for the risks of quantum computing.
1. Identify and Document Vulnerable Cryptographic Systems
Organisations are advised to begin by assessing their current cryptographic infrastructure to identify systems that rely on algorithms susceptible to quantum attacks, such as RSA and Elliptic Curve Cryptography (ECC).
2. Develop a Transition Strategy
NIST recommends that organisations establish a clear plan for migrating to quantum-safe cryptographic systems, often known as Post-Quantum Cryptography (PQC). This strategy should:
• Prioritise the most critical and vulnerable systems.
• Define timelines and milestones for adopting quantum-safe algorithms.
Strategic Planning Assumptions
Gartner makes the following strategic planning assumptions:
- By 2029, advances in quantum computing will make conventional asymmetric cryptography unsafe to use.
- By 2026, advances in quantum and cloud computing will require classic symmetric algorithms to support larger key sizes.
- By 2025, post-quantum encryption algorithms will see more use for their secondary properties, like privacy-enhanced computation, than they will as replacements for existing cryptography.
3. Test and Implement Cryptographically Agile Solutions
Organisations are encouraged to test quantum-resistant algorithms and adopt “cryptographically agile” systems. This agility allows organisations to switch between different encryption methods as technology evolves, easing the transition to PQC.
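The first two steps above, identifying vulnerable cryptography and prioritising its migration, can be expressed as a small inventory check. This is an added example, not Uphold's, SymmetriQ's or NIST's tooling: the asset names, year estimates and the 256-bit symmetric threshold are constructed assumptions, and the ordering uses Mosca's inequality (secrecy lifetime plus migration time compared with the time until a capable quantum computer), which the article does not mention.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "ED25519", "X25519"}
# Symmetric ciphers: Grover's algorithm roughly halves effective key strength.
SYMMETRIC = {"AES", "CHACHA20"}
MIN_SYMMETRIC_BITS = 256  # assumed policy threshold, not a value from the article

@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    secrecy_years: int    # how long the protected data must stay confidential
    migration_years: int  # estimated effort to move this system to PQC

def classify(asset):
    """Step 1: decide what the algorithm in use implies for this asset."""
    alg = asset.algorithm.upper()
    if alg in SHOR_BROKEN:
        return "replace-with-pqc"
    if alg in SYMMETRIC:
        return "ok" if asset.key_bits >= MIN_SYMMETRIC_BITS else "enlarge-key"
    return "manual-review"  # unknown or legacy algorithm

def exposure_years(asset, years_until_quantum):
    """Mosca's inequality: positive when secrecy + migration outlasts the horizon,
    i.e. data harvested today would still be sensitive once it can be decrypted."""
    return asset.secrecy_years + asset.migration_years - years_until_quantum

def migration_plan(inventory, years_until_quantum):
    """Step 2: order the assets that need work, most exposed first."""
    rows = [(a.name, classify(a), exposure_years(a, years_until_quantum))
            for a in inventory if classify(a) != "ok"]
    return sorted(rows, key=lambda r: (-r[2], r[0]))

# Constructed sample inventory (hypothetical systems and estimates).
INVENTORY = [
    Asset("customer-tls-endpoint", "ECDH", 256, 10, 2),
    Asset("wallet-signing-key", "ECDSA", 256, 1, 3),
    Asset("backup-archive", "AES", 128, 15, 1),
    Asset("database-at-rest", "AES", 256, 15, 1),
    Asset("internal-vpn", "RSA", 2048, 5, 2),
    Asset("legacy-batch-transfer", "3DES", 112, 7, 1),
]

if __name__ == "__main__":
    # 5 = planning from 2024 against the 2029 assumption quoted in the article.
    for name, action, exposure in migration_plan(INVENTORY, 5):
        print(f"{exposure:+3d}y  {action:17s} {name}")
```

Assets with a positive exposure are the "Harvest Now, Decrypt Later" candidates: traffic or archives captured today would still need to be secret after the assumed horizon.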
By partnering with SymmetriQ and following the NIST recommendations, Uphold has developed mitigation strategies, including the implementation of quantum-resistant cryptography technology within its infrastructure, to secure its critical assets against the threat of quantum computing and stay ahead in the rapidly evolving field of cybersecurity.