Finland, like its Scandinavian peers, is among the world’s most cashless economies. But according to the central banker, now is not a good time to give up on cash.
Households in Finland should make sure they have some cash on hand, just in case the country’s payments system were to go down, warns Päivi Heikkinen, the Head of the Payment Systems Department and Chief Cashier at the Bank of Finland. In an interview with the national broadcaster MTV3 on Tuesday, Heikkinen said (machine translated) her intention was not to ”fabricate catastrophic scenarios.” That was before saying that in the worst case scenario, the payments system could go down for a period of weeks.
“I don’t want to paint devils on the wall,” she said, “but now we are talking about more serious disruption than what has been brought up in the past.”
Since applying to join NATO in July this year, Finland has allegedly been the target of a number of cyber attacks, including a Denial-of-Service (DoS) attack that targeted the Finnish Parliament on August 9, 2022, temporarily disabling the organization’s website. Since then, the State has begun awarding grants of up to €100,000 to companies, large and small to help them bolster their cyber security.
Although Finland has not yet joined NATO, its foreign minister Pekka Haavisto recently said it would still receive help from its NATO partners in the event of direct threat, even before full membership. Now, a senior official of that country’s central bank is warning of a possible cyber attack against the payments system that could disrupt the system for over a week, and is urging people to have some cash savings at home just in case.
Not a Good Time to Give Up Cash
The irony is that Finland, like its Scandinavian peers, is among the world’s most cashless economies. According to the Bank of Finland, it is on track to become completely cashless by 2030. A survey conducted last year by the central bank found that only 7% of people use cash when making purchases. Ninety percent of the survey’s respondents said they pay for their groceries with a card or mobile payment app.
However, Heikkinen says that now is not a good time to give up cash completely, given the rising risk of attacks against Finnish infrastructure, including its payments system:
“More payment methods bring resilience. If a single payment method sometimes does not work, then we have other payment methods at our disposal. Cash still plays a very important role here.”
One of the oft-overlooked drawbacks of increasingly cashless economies is their inherent fragility. Readers may recall from an article I wrote in June that a widely used payment card terminal in Germany, the H5000, suffered a software glitch, forcing many retailers in the country to display “CASH ONLY” signs on their windows. As I noted in the article, Germans, like their Austrian cousins, have a lingering soft spot for physical lucre. Whereas cash accounts for only about 12% of all payment transactions in Finland, in Germany it accounts for more than 60%. This meant that when the payment outage hit, German consumers and retailers had a fail-safe option to fall back upon.
This is one of the beauties of cash: it is resilient. It won’t fail in a power cut or seize up during a cyber attack (although, of course, ATMs might). That was the lesson offered by Puerto Rico’s harrowing brush with Hurricane Maria in 2017. After the category-four hurricane took out the island’s power grid for weeks on end, the island essentially became a de facto cash-only economy, dependent on airlifts of undisclosed cargoes of cash from the Federal Reserve.
Any society that runs purely on digital platforms operated by large financial institutions “is going to have major resiliency problems,” notes Brett Scott, author of Cloudmoney: Cash, Cards, Crypto and the War for our Wallets.
That inherent systemic fragility is one of the reasons why the Bank of Finland has recommended that the use of cash payments be guaranteed by law. In March, the bank initiated a proposal for legislation to ensure a minimal level of cash-paid services.
It also seems that many Finns are already taking the risk of disruption to the country’s digital payments system seriously. According to a study commissioned by Nosto ATMs in April, more than a third of people had already withdrawn or were planning to withdraw extra cash due to the proxy war in Ukraine between neighboring Russia and NATO. That was before Finland applied for NATO membership.
Meanwhile, Down Under…
Finland was not the only US-NATO aligned country to warn this week of the heightened risk of disruptive cyber attacks against financial institutions. In Australia Wayne Byres, the outgoing chairman of the Prudential Regulation Authority, said a cyber attack on one of the nation’s financial institutions is all but guaranteed:
Financial institutions, at least in a broader context, are quite advanced [in cybersecurity], but what we also know is that, at some point, some sort of event will happen. It doesn’t matter what sort of defences you put in place…
Unlike many risks that financial institutions deal with, you’ve got an active adversary that is constantly trying to defeat your improved defences… It’s high on the priority of all boards of all executive teams; there’s a huge amount being put into investment in improving defences, improving detection capabilities, and improving response capacity.
Bryes was giving testimony on Tuesday to a parliamentary inquiry convened to investigate a recent cyber attack against Optus, Australia’s second largest telecommunications provider. Said attack took place on Sept. 22 and resulted in a breach of the personal data of 10 million current and former Optus customers. That data included customers’ names, dates of birth, phone numbers and email addresses, while a smaller subset of customers had their street addresses, driving licence details, medicare and passport numbers leaked. Some of those customers are now falling prey to scammers.
Australia’s banks have been plagued by a slew of IT outages over the past few years. In fact, on Wednesday, just a day after Bryes’ warning, Australia’s Osko payments system suffered an internal system engineering issue. Developed by a consortium of 13 financial institutions, including the Reserve Bank of Australia, Osko provides for almost-instant, around-the-clock settlement of transactions between banks. But when the system went down on Wednesday evening, the result was a four-hour industry-wide bank payment transfer outage that left customers in the lurch.
Brad Kelly, the managing director of consultancy firm Payment Services described the outage as a “whopper”, adding it should give the industry pause about the push towards the NPP and away from traditional services like direct debit or Bpay:
“Unfortunately, NPP falls over, you can see what happens – there’s no fallback. So that’s what we’re dealing with today.”
Rising Threat
In its latest Financial Stability Review, published last week, the Reserve Bank of Australia noted that the recent Optus data breach had demonstrated the threat cyber crime poses to Australian businesses and their customers. In its previous review, in April, the central bank cautioned that a large-scale cyber attack “would not only create problems for the institution concerned but could also undermine confidence in the broader financial system.”
Banks and government agencies in the US have also been escalating their warnings about the threat posed by cyber attacks. In December 2021, a month after the attack on Banco de Venezuela, the JP Morgan International Council, which is chaired by Tony Blair and whose members include JPM CEO Jamie Dimon, Condoleezza Rice and Henry Kissinger, urged for closer collaboration between the government and businesses, increased intelligence sharing and stiffer cybersecurity legislation.
“Cyber is the most dangerous weapon in the world – politically, economically and militarily,” Bob Gates, the former US Defense Secretary and CIA Director, said in the report. Gates is currently vice chairman of the JPM’s International Council, which certainly has an eclectic mix of alleged war criminals sitting on it.
On February 9, just two weeks before Russia’s invasion of Ukraine, European and U.S. regulators told banks to prepare for the threat of a cyber attack from Russia. There were also fears that Russia would retaliate against its banks’ expulsion from Swift by launching cyber attacks against the Belgium-based global payments system. Neither of these have happened. In fact, as the FT reported in late September, most of the dire warnings about Russian-sponsored cyber attacks have not materialized.
In fact, most of the lenders hit hardest by cyber attacks to date have been in emerging markets such as Pakistan, Ecuador and Venezuela. Interestingly, Venezuela’s government laid the blame for the one-week IT outage suffered by Banco de Venezuela, the country’s largest bank, in September last year on the US government, which Venezuela’s vice president Delcy Rodríguez accused of launching an “intense and aggressive” cyber attack against the bank’s IT system.
On April 1 (yes, April Fool’s Day), the European Banking Authority warned of the risk of fake news triggering a run on European banks. The warning bore an eerie resemblance to a scenario featured in a 10-country simulation of a major cyberattack organized by the Israeli government in December 2021. As Reuters reported at the time, the simulated cyber attack, dubbed “Collective Strength”, took place over 10 days, “with sensitive data emerging on the Dark Web along with fake news reports that ultimately caused chaos in global markets and a run on banks”:
The simulation featured several types of attacks that impacted global foreign exchange and bond markets, liquidity, integrity of data and transactions between importers and exporters.
“These events are creating havoc in the financial markets,” said a narrator of a film shown to the participants as part of the simulation and seen by Reuters.
Participants in the Collective Strength simulation included treasury officials from Israel, the US, the UK, Austria, Switzerland, Germany, Italy, the Netherlands, the United Arab Emirates and Thailand, as well as representatives of the IMF, the World Bank and the Bank of International Settlements, the central bank of central banks. The participants discussed a range of responses to the simulated crisis, including a coordinated bank holiday, debt repayment grace periods, SWAP/REPO agreements and coordinated delinking from major currencies.
Now, two senior banking officials have issued fresh warnings about the risk of disruption to the financial system caused by a cyber attack. One of them even urged citizens to take out cash for emergency purchases just in case the electronic payments system goes down. That, of course, does not mean it will happen. As previously noted, none of the dire warnings of a cyber attack disrupting the financial system have thankfully come to pass.
But given the provenance of the latest warning — i.e., the director of the Payment Systems Department and Chief Cashier at the Bank of Finland — and the increasing incidence of large-scale coordinated acts of sabotage on key infrastructure in Europe, including quite possibly false flag attacks, it is probably worth at least taking notice.