The hacking of Tesco Bank may be a negative for the company's reputation and stock price. But the fallout will be felt across the wider fintech industry.
You might not think of Tesco, the U.K.'s largest grocer, as a start-up. Its banking arm has more than seven million customer accounts and generates about 17 percent of the company's operating profit.
But Tesco has only offered checking accounts since 2014 and then mostly through its website or mobile app. In that sense, the bank is a newcomer, trading on technology.
News that 20,000 customers had money fraudulently taken from their accounts sent the stock down as much as 3.3 percent on Monday.
Whether the stock falls further will depend greatly on how Tesco handles the fallout. If botched, the damage could be costly: TalkTalk, a British provider of phone and broadband services, lost about 100,000 customers after an attack in 2015.
Tesco still has to resume normal service for its clients -- and respond to suggestions a lack of weekend staffing slowed the bank's response to the hack.
At stake is the bank's continued relationship with many of its clients. Cyber attacks can prompt the most tech savvy customers to walk way: about 29 percent of U.S. millennials will close all accounts with a bank after a fraud incident, according to an October-November 2015 survey by credit scoring agency FICO.
But the financial damage could spread far beyond Tesco. It's easy to imagine how the rising financial cost of cybercrime could damage the big selling point for fintech firms and challenger banks: being able to acquire customers and operate at a lower cost than established rivals.
British banks spent 700 million pounds a year on cybercrime, according to a 2014 estimates from the British Bankers' Association. Firms are likely to have to spend more in future. More stringent EU rules on data protection will come into force in 2018. And regulators are taking a tougher line on how much banks should set aside in capital against operational risk, something which includes fraud and cybercrime. Add that to the regulatory bill for just being a bank and you can see why fintech start-ups might not look so nimble in future.
Sure, being small might have its advantages. Big banks are systemic, complex creatures with multiple points of vulnerability: look at the recent attacks on JPMorgan and SWIFT, the global messaging network that handles payments for lenders.
But even tech-savvy start-ups have proven vulnerable to savvier foes. In 2014, payments app Clinkle was hacked before it even launched. Earlier this year, utopian digital-currency investment project DAO was hacked and about $60 million stolen.
Protecting against cybercrime is about more than just spending of money on the right technology -- and it's also about having the right plan in place when a successful attack does get through.
With over 40 challenger banks slugging it out for market share in the U.K., Tesco offers a timely reminder of the biggest threat facing the industry.
This column does not necessarily reflect the opinion of Bloomberg LP and its owners.
To contact the author of this story:
Lionel Laurent in London at firstname.lastname@example.org
To contact the editor responsible for this story:
Edward Evans at email@example.com