Basil Jarrett | Can tap. But can we trust?

Growing up in the ‘80s and ‘90s, one of the first survival lessons you learned while traversing the bus system was to keep your wallet in your front pocket. Not the back where it was more stylish. The front. Close enough to your hand that, if some light-fingered swindler in a crowded patty pan decided your lunch money belonged to him, he would at least have to fight you for it.

That was banking security, Jamaican style. Physical. Personal. Suspicious. You counted your cash twice, watched who stood close by and, when you finally graduated from cash to card, the paranoia simply got a little more sophisticated. Cashiers would look away almost apologetically while you entered your PIN, because all of us had been trained the same way: nobody must see that number.

CAN TAP?

Fast-forward to today and look how quickly we have moved from security to convenience. These days, you don’t even need a PIN for many transactions. “Can tap?” is the most common question you get from cashiers these days, as you simply tap the card on the machine and keep it moving. No signature, no PIN, no awkward little moment of security verification. Tap, beep, approved, done.

And that is why the Bank of Jamaica’s (BOJ’s) recent move to widen oversight of digital payment providers and money transfer operators matters far more than the average person may realise. According to a recent Jamaica Observer report, the BOJ is moving to strengthen supervision over a payments ecosystem that now stretches well beyond traditional banks, covering digital payment providers, settlement entities, remittance operators and cambios, as more Jamaicans move their money electronically. The reality is that, as more money now moves through more digital channels, the central bank is trying to make sure the regulatory net keeps up. That is the sensible part.

The not-so-sensible part is that while this is happening, we remain eager to rush into the digital domain with the kind of enthusiasm that usually comes back to bite us in the back pocket.

SPEED THRILLS

Jamaica loves convenience. We love speed. We love anything that lets us skip the line, beat traffic and avoid paperwork. But convenience has a nasty habit of lowering our guard, one casually tapped ATM card at a time, even as cybercriminals remind us daily that they are always lurking.

The BOJ’s own 2024 Financial Stability Report says occurrences of internet banking fraud increased by 890.6 per cent between 2020 and 2023, with losses of $330.6 million over that period. The same Jamaica Observer article notes a nearly ninefold increase in Internet-banking fraud incidents between 2019 and 2023. And Jamaica is not facing this alone. Globally, IBM’s 2024 Cost of a Data Breach report found that the average cost of a breach reached US$4.88 million, while, for the financial industry, it was even higher at US$6.08 million. Large breaches involving 50 million records or more averaged a staggering US$375 million in healthcare and finance, and financial firms still took an average of 168 days to identify and 51 days to contain a breach. That means attackers can be inside the gates for nearly six months before the bank even fully understands what is happening.

If that doesn’t make you sit up straighter, Verizon’s 2025 Data Breach Investigations Report probably should. It analysed 22,052 security incidents and 12,195 confirmed breaches, the highest number it has ever studied in a single year. Ransomware was present in 44 per cent of all breaches reviewed, up from 32 per cent, while the exploitation of vulnerabilities as an initial access route rose to 20 per cent.

And, speaking of vulnerabilities, human error was still at fault for around 60 per cent of breaches. In other words, the machine is dangerous, but the human being clicking nonsense remains the weak link.

TECHNOLOGY AS THE SAVIOUR

This is the part where the digital evangelists tell you not to worry because technology is also the answer. And, to be fair, some of that is true. Better fraud detection, better analytics, better identity management, better incident response all matter. Even IBM notes that firms using AI and automation well can reduce breach costs significantly.

That is why BOJ’s proposed widening of the security perimeter is a good sign. The central bank is effectively saying that, if digital payments are moving beyond banks, then oversight must move beyond banks too. The systems that clear and settle transactions, move remittances and enable electronic transfers must now become very much part and parcel of the country’s core financial infrastructure.

But, let’s not fool ourselves. Oversight on paper is not the same as security in practice and, alas, the safest system is quite often not the smoothest one. The future of banking therefore will not be secured by legislation alone. It will depend on whether banks, remittance companies, regulators and the public are willing to accept more inconvenience in exchange for more protection. That may mean tighter authentication, more scrutiny in suspicious cases, tougher third-party vendor processes, and the removal of the infernal “can tap?” from our purchasing vocabulary.

Yes. Of course we need to modernise. We cannot stay trapped in a cash-only past, clutching our wallets in our front pockets and pretending that the future of money isn’t digital. But we also cannot race headlong into a future where speed and convenience are the be-all and end-all. Banking was built on trust. And, in the digital age, that trust will live or die on the security hill.

Get that balance wrong and we will soon be begging for a return to the halcyon days when your front pocket was the only security you needed.

Major Basil Jarrett is the director of communications at the Major Organised Crime and Anti-Corruption Agency (MOCA) and crisis communications consultant. Follow him on Twitter, Instagram, Threads @IamBasilJarrett and linkedin.com/in/basiljarrett. Send feedback to columns@gleanerjm.com.