As ASEAN’s financial systems become more tightly linked through cross-border payment schemes, shared digital platforms and common third-party providers, cyber risks are increasingly moving beyond the perimeter of individual institutions. Regulators across the region are raising expectations for operational resilience and cyber readiness, underscoring the need for coordinated, sector-wide defences as digital adoption deepens. The acceleration of real-time cross-border payments, expanding digital identity schemes and more sophisticated fraud patterns amplify systemic exposure.

For UOB—which operates across some of the region’s most interconnected markets—the challenge is sustaining security at scale while preparing for the technologies that will redefine long-term data protection. Speaking at the Singapore FinTech Festival 2025, Tobias Gondrom, group chief information security officer at UOB and former chair of the Association of Banks in Singapore (ABS) Standing Committee on Cybersecurity, outlined how the bank is strengthening its defences, coordinating sector responses and preparing for quantum-resilient architectures.

Attacker behaviour is shifting to the weakest link

Gondrom observed that adversaries are increasingly exploiting the broader financial ecosystem—including customers, merchants, telco partners and open platforms—rather than directly attacking hardened banks. “In recent times, what we see is that the attacker is more looking at third parties and ecosystem partners… it is easier to go after maybe a customer to trick, or a merchant, or any open platform that they can then use again to get something out of the customer’s money.”

Social engineering remains the most effective attack vector, driven by AI-generated phishing emails, impersonations and deepfakes. “Five years ago you could recognise phishing because of poor English.
Today, not really anymore, because all they need to do is open up an AI [tool], and it will be in very pleasant English coming out.” Criminals typically choose the “easiest path”, he noted, and deceiving customers remains highly effective.

The shift highlights an uncomfortable reality: cybersecurity risks now arise as much from ecosystem dependencies and user behaviour as from any weakness within a bank’s own perimeter.

AI introduces new risks—but also new detection capabilities

AI’s dual-use nature is increasingly visible on both sides of the cyber battlefield. “For us, AI is an opportunity as well as a threat,” Gondrom said. On the threat side, criminals can now use AI to craft highly convincing phishing content and impersonation attempts, elevating both their credibility and scale.

On the defensive side, UOB deploys AI to proactively detect anomalies that traditional policy-violation models might miss. “We not only see, ‘oh, this is a violation,’ this might even be just an abnormal behaviour pattern. We can correlate very large numbers of data points, and spot things that otherwise would look perfectly innocent on its own.” This enables faster identification of suspicious activity at scale — critical as digital transaction volumes rise and fraudsters automate their techniques.

Embedding security across a diverse regional organisation

UOB’s footprint spans multiple markets and business lines, making cultural consistency a core pillar of resilience. “Our common motto is security is everyone’s responsibility. That goes to the application developer, the branch officer, the relationship manager, designers for new products and solutions,” Gondrom said.

He credits UOB’s shared values — honourable, enterprising, united and committed — with driving consistent security practices across the bank’s operations.
Because UOB is a major participant in regional settlement systems and real-time payment schemes, this cultural alignment strengthens not only internal defences but also the stability of shared infrastructures.

A consistent regional baseline anchored in Singapore’s standards

Gondrom emphasised the role of Singapore’s regulatory expectations in establishing a high group-wide security bar. “Singapore has very strong requirements for cybersecurity; our policy is global. While we develop it here based on Singapore first, it is rolled out globally and enforced globally to the same policy, the same standard, the same baselines.”

This approach is particularly relevant in ASEAN, where cyber-regulation maturity varies. Singapore’s Technology Risk Management (TRM) regime, issued by the Monetary Authority of Singapore, is widely regarded as one of the most advanced globally. Across ASEAN markets, regulatory maturity varies, with markets such as Malaysia and Thailand boasting stronger frameworks. By applying a Singapore-anchored baseline across all markets, UOB reduces fragmentation, improves interoperability and raises the overall resilience of its cross-border operations. Local requirements are added only when necessary. “We would only add to it; we wouldn’t detract from it,” Gondrom said. The uniform baseline helps ensure consistent governance and strengthens sector-wide readiness as digital systems converge.

Collaboration in Singapore as a model for regional cooperation

Cybersecurity remains an area where collaboration does not conflict with competition. Singapore’s scale and longstanding trust networks enable fast, open exchanges of threat intelligence and fraud patterns. “Threat intelligence sharing is very strong in Singapore.
On a very regular basis, the banks come together and exchange about the latest mode of operation of criminals in cases of fraud and scams.” Gondrom noted that response times are exceptionally fast: in the event of a breach, he and other banks’ CISOs are often in contact within hours—and sometimes minutes.

Other ASEAN markets also share intelligence, though collaboration models differ across jurisdictions. As cyber incidents increasingly spill into adjacent sectors — including merchants, telcos, utilities and fintechs — Gondrom sees growing need for broader ecosystem alignment. With financial systems deeply digitalised, resilience now depends as much on non-banks as on banks themselves.

Evolving interfaces and the persistent human factor

Before turning to cryptographic risks, Gondrom highlighted how rapidly evolving digital interfaces — mobile devices, wearables, biometric gestures — are reshaping user behaviour. “One of the biggest challenges… is that people take some time to understand what risks come with it.” Generational differences and uneven digital literacy complicate fraud prevention for both consumers and businesses adopting new digital services. These behavioural gaps, he stressed, will remain a persistent challenge even as technical safeguards improve.

Preparing for quantum-safe cryptography

Beyond immediate operational threats, UOB is preparing for structural shifts that could undermine the foundations of digital security. “We have identified quantum-safe systems as one of our emerging risks a few years ago already. What this is about is that quantum computing may develop new capabilities that may make the current cryptographic algorithms less secure,” Gondrom said.

Gondrom pointed to earlier industry-wide shifts—such as moving from MD5 to SHA-256 and from DES to AES—as reminders that cryptographic transitions are not new.
The challenge today, he noted, is that many organisations have not had to make such changes at scale for more than a decade, creating operational and institutional memory gaps.

UOB monitors developments at NIST and the Internet Engineering Task Force (IETF) closely. “NIST has approved these newest algorithms. IETF is currently working on amendments to their transport layer security protocols, which should be approved sometime in the first quarter of next year,” Gondrom explained, adding that the bank’s approach focuses on engineering for agility and adapting its transition plans as standards mature.

Closer to home, MAS issued an advisory in February 2024 that highlighted the cybersecurity risks associated with quantum technologies and encouraged financial institutions to begin preparing accordingly.

For banks, post-quantum cryptography (PQC) affects every cryptographic layer — from browser encryption and API traffic to interbank messaging, long-dated data archives and identity systems — making early readiness essential.

QKD for data-centre links, PQC for customer touchpoints

UOB’s participation in MAS’ quantum-safe collaboration also clarified where quantum key distribution (QKD) is relevant. “This particular technology is quite suitable for data-centre-to-data-centre communication; it is something that would be part of the communication channel, provided by a telecommunication organisation.”

Its limits, however, are pronounced. “One of the core risks is in fact the bank-to-customer communication. And we cannot deploy QKD between us and every single customer.” As a result: “The main strength for the bank is to develop post-quantum cryptography, PQC. And then QKD is a solution for the specific use case of data-centre-to-data-centre communication.”

SFF as a regional platform for shared security priorities

Gondrom sees the Singapore FinTech Festival as an important convergence point for regional stakeholders. “It’s great to see the enthusiasm, all this innovation coming together.
It is also quite encouraging to see that quite a few speak about security in some form.” As digitalisation accelerates, he said, security must remain central to preserving trust: “We want to make sure your digital transactions are safe so that we can all benefit from this digitalisation together.”

UOB’s approach—anchored in Singapore’s regulatory expectations, coordinated cross-sector response and early planning for quantum-safe security—offers a pragmatic model for cyber resilience in an increasingly interconnected ASEAN landscape. The bank’s focus on culture, interoperability and future-proofing highlights how institutions must evolve alongside shifting technologies and threat patterns, without assuming resilience is static.