Managing Risk For Flexible Banking

By Anil Chakravarthy, VP Worldwide – Enterprise Services, Symantec Corporation

The financial services industry in Asia Pacific is facing a new set of challenges from a consumer revolution. The generation of consumers and business people who have grown up in the internet age are as comfortable in a virtual world as many of us are in the physical world and for these consumers, the current physical and electronic banking offerings are highly limiting. To continue to capitalise on their role as secure and innovative providers of the means of exchange, leading banks must master a new, flexible, collaborative, customer-driven combination of work, play and commerce.
 
Driving flexibility while managing risk
In the coming year, we can expect a period of uncertainty and winning banks will turn this to their advantage. Success will come from the ability to predict and react rapidly to the market and new customer demands. To achieve this, the banks need to adopt flexibility across the entire business as customers demand the ability to conduct commerce anywhere, anytime, and service is measured in seconds. 
 
Technology enables the new world of collaborative, service-oriented banking, but to be effective it must also manage risks from security breaches, system and compliance failures as well as poor system performance. 
 
2008 will be a year of transformation as banks realise that “no change” is no longer an option and they begin to implement IT transformation projects to enable business flexibility, drive productivity gains and minimise IT risks from customer to core. Major initiatives for 2008 will be mobile banking, Banking 2.0, core technology transformation and infrastructure consolidation. 
 
Mobile banking: two billion distribution channels  
The recent announcement of Telstra and NAB’s mobile banking collaboration signifies the arrival of this channel. Key factors leading to this renewed investment include mobile market saturation, mature high speed networks and sophisticated EFTPOS terminals.
 
The killer application for mobile banking is the use of near-field communications technology built into the phone hardware or SIM card. The best business teaming approach seems to be where the telecommunications company provides the network capabilities and enabled handsets, and the bank manages the money, merchants and card associations. Both partners are responsible for managing the risk of the new channel. 
 
The bank wins through more merchant fees and credit card interest, while the telecommunications company wins on usage fees. The customer wins because they no longer have to carry cards, they can access bank accounts for over-the-air top ups and transfers and they can use their phones for PIN and SMS authentication. 
 
To be successful, banks and telcos must ensure the channel is secured at all points in the value chain, from phone to telco to bank to merchant. Banks and service providers need to guard handsets against theft of phone-resident data such as credit card numbers, user data and PINs.  The chip-based data must have adequate encryption and security available to thwart any hardware hackers in the event of a phone theft.
 
When a mobile phone is lost, the owner usually knows immediately and will report it to the telco within minutes, thus limiting the ability of hackers to conduct fraudulent transactions.
 
As phones merge with PDAs and adopt standard operating systems, viruses and trojans become the next security risk: malware on the handset could intercept transaction details before they are transmitted to the bank or the merchant terminal. The best way for banks to mitigate this risk is to ensure telcos install, and automatically update, comprehensive security software on all customer handsets.
 
The real money for cyber criminals is in the theft and sale of millions of financial transaction details, which is why the key targets to date have been major financial institutions. With mobile banking, a major security concern for telcos is the safety of high volumes of financial transactions, including credit card numbers, customer data, PINs and account details. This means telecommunications companies must thoroughly assess and strengthen their data protection policies and processes to the level of banking best practice. They must then automate their security and fraud policy management through the use of integrated compliance management tools across the organisation, to allow for automated enforcement, monitoring and reporting.
 
Banking 2.0: internet banking comes of age
The new Web is all about interacting in every direction. Up until now the bank has benefited from internet banking by moving low value transactions from the branch to the internet, and the customer has benefited by being able to do simple transactions anywhere, anytime.
 
What will allow the banks to fully embrace Web 2.0 will be a combination of sophisticated predictive modelling, products and services built around social networking, and far more capability for the customer to drive and structure complex transactions.  
 
A major focus for Banking 2.0 will be the aspiring young professional. Banking 2.0 should play a major role in virtual commerce, where virtual money earned in virtual world games is traded into real money via virtual services. The annual market for virtual world real money trading is estimated by Symantec at US$2 billion.
 
To succeed, Banking 2.0 must build trust by ensuring appropriate security. The threats are all about loss or theft of data, whether they represent customer identities, account and transaction details or actual money. The threats come in two main forms: external attacks on the customers or the providers by well organised hackers, and internal data loss or theft. 
 
Beating the external threats requires a new approach to security, by linking world class technology solutions at customer endpoints, banks and third party providers in collaborative security partnerships. For example, banks should provide their primary internet banking customers with session and transaction authentication using SMS or other means. 
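The transaction authentication the paragraph calls for only helps if the out-of-band code is bound to the transaction details, not just to the session; otherwise malware on the customer's PC can let the customer authorise a payment it has silently redirected. The following is an added example (not code from the article or from Symantec) of one way to do that: the bank derives a short code from a per-customer secret, a fresh nonce and the payee and amount, sends it out of band (the SMS text is only simulated here), and accepts the transfer only if the entered code matches the details actually submitted. The secret, nonce length, code length and expiry window are assumptions for the example.

```python
"""Transaction-bound one-time code, as an added example.

Assumed design (not taken from the article): the bank derives a short
code from a per-customer secret, a fresh nonce and the transaction details
(payee, amount), sends the code out of band (the SMS text is simulated
here), and releases the payment only if the customer enters the code and
the submitted details still match. Because the code is bound to the
details, a trojan that rewrites the payee or amount after the code was
issued cannot reuse it.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed code length
CODE_TTL_SECONDS = 120   # assumed validity window

# Outstanding challenges keyed by nonce. Server-side state; a dict stands
# in for the database here.
_pending: dict = {}


def _derive_code(secret: bytes, nonce: bytes, payee: str, amount_cents: int) -> str:
    """HMAC-SHA256 over nonce|payee|amount, truncated to CODE_DIGITS digits."""
    msg = b"\x00".join([nonce, payee.encode("utf-8"), str(amount_cents).encode("ascii")])
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Dynamic truncation as in HOTP (RFC 4226) to obtain a decimal code
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def issue_challenge(secret: bytes, payee: str, amount_cents: int, now: float = None):
    """Create a challenge and the out-of-band message the customer receives."""
    now = time.time() if now is None else now
    nonce = secrets.token_bytes(16)
    code = _derive_code(secret, nonce, payee, amount_cents)
    _pending[nonce] = {"payee": payee, "amount_cents": amount_cents, "issued": now}
    # The message repeats the details so the customer can spot a redirected payment.
    sms_text = (f"Code {code} authorises payment of {amount_cents / 100:.2f} "
                f"to {payee}. If these details are wrong, do not enter the code.")
    return nonce, sms_text


def code_from_sms(sms_text: str) -> str:
    """What the customer reads off the simulated SMS (second word)."""
    return sms_text.split()[1]


def verify_transaction(secret: bytes, nonce: bytes, payee: str, amount_cents: int,
                       entered_code: str, now: float = None) -> bool:
    """Accept the transfer only if the code matches the submitted details."""
    now = time.time() if now is None else now
    # Single use: any attempt, right or wrong, consumes the challenge, which
    # also caps online guessing of a 6-digit code at one try per challenge.
    challenge = _pending.pop(nonce, None)
    if challenge is None:
        return False
    if now - challenge["issued"] > CODE_TTL_SECONDS:
        return False
    # Recompute from the details the browser actually submitted: if malware
    # changed the payee after the SMS went out, this no longer matches.
    expected = _derive_code(secret, nonce, payee, amount_cents)
    return hmac.compare_digest(expected, entered_code)


if __name__ == "__main__":
    secret = b"per-customer secret shared with the bank"  # assumption
    nonce, sms = issue_challenge(secret, "ACME Pty Ltd", 125000)
    print(sms)
    code = code_from_sms(sms)
    # Legitimate submission succeeds; a redirected payee with the same code fails.
    print("genuine:", verify_transaction(secret, nonce, "ACME Pty Ltd", 125000, code))
    nonce2, sms2 = issue_challenge(secret, "ACME Pty Ltd", 125000)
    print("tampered:", verify_transaction(secret, nonce2, "MULE ACCOUNT", 125000, code_from_sms(sms2)))
```

The point of the design is in `verify_transaction`: the code is recomputed from the details the server actually received, so a code read off an SMS that named the genuine payee cannot authorise a transfer to a different one, and each challenge is consumed on first use so it can be neither replayed nor brute-forced.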
 
However, given that most external threats originate on the customer’s own computer, banks could also do far more to ensure the customer has strong and up-to-date security protection. 
 
In this new world, the threat of internal data loss is on the rise. The solution for banks is to establish, enforce and report on clear and comprehensive security policies managed by automated compliance systems. As with end customer security compliance, the use of creative fees and revenue sharing arrangements with third party providers can be used to facilitate adoption. 
 
Core technology transformation: long time coming 
Today many banks continue to run on COBOL-based systems although the benefits of changing the core are clear. First, a modern, service-oriented, open-system based transaction processing engine will provide the flexibility to deliver products and services when and where customers want. Second, new open architectures promise considerable operational cost savings.
 
Old COBOL systems retain their integrity through a myriad of security bolt-ons which have been added over the years. New systems are significantly more secure than the old core systems because they use fully integrated security services. 
 
The real risk in transforming the core lies with the migration from the old system, in the form of data corruption or system loss.  The solution to data corruption risk is to ensure the required mapping and reconciliation and comprehensively test the conversion and migration. 
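The mapping and reconciliation the paragraph asks for is concrete enough to show in code. The following is an added example (not from the article) of the checks a migration team would run between a legacy extract and the new system's export: record counts, a control total of balances, and a per-record fingerprint that catches altered fields even when the counts agree. The fixed-width record layout, the sample accounts and the three conversion defects in the new-system rows are all constructed for the example.

```python
"""Migration reconciliation checks, as an added example.

Constructed input: legacy records in a COBOL-style fixed-width layout
(account 10 chars, name 20 chars, balance as 12 digits with two implied
decimals, then a C/D credit/debit flag), and the new system's export as
rows with a decimal string balance. The check compares record counts,
control totals and a per-record fingerprint, and lists missing, extra and
altered accounts. The layout, data and defects are invented for the example.
"""
import hashlib
from decimal import Decimal


def legacy_line(account, name, cents, flag):
    """Build one fixed-width legacy record (used only to construct sample data)."""
    return f"{account:0>10}{name:<20}{cents:012d}{flag}"


# Constructed legacy extract: four customer accounts.
LEGACY_LINES = [
    legacy_line("12345", "SMITH JOHN", 1234550, "C"),
    legacy_line("67890", "NGUYEN THI", 50000, "D"),
    legacy_line("24680", "PATEL ANJALI", 9999999, "C"),
    legacy_line("13579", "LEE WEI", 1, "C"),
]

# Constructed export from the new system, with three typical conversion
# defects: the debit flag on 67890 was dropped, 13579 was never loaded, and
# a test account was left behind. Note the record counts still agree.
NEW_SYSTEM_ROWS = [
    {"account": "0000012345", "name": "SMITH JOHN", "balance": "12345.50"},
    {"account": "0000067890", "name": "NGUYEN THI", "balance": "500.00"},
    {"account": "0000024680", "name": "PATEL ANJALI", "balance": "99999.99"},
    {"account": "0000099999", "name": "TEST ACCOUNT", "balance": "0.00"},
]


def parse_legacy(line):
    """Parse one fixed-width record into the canonical form used for comparison."""
    account = line[0:10]
    name = line[10:30].rstrip()
    amount = Decimal(line[30:42]) / 100  # two implied decimals; Decimal, never float
    if line[42] == "D":
        amount = -amount
    return {"account": account, "name": name, "balance": amount}


def normalise_new(row):
    """Bring a new-system row into the same canonical form."""
    return {"account": row["account"], "name": row["name"].strip(),
            "balance": Decimal(row["balance"])}


def fingerprint(rec):
    """Hash the canonical field values so whole-record comparison is one compare."""
    canonical = f"{rec['account']}|{rec['name']}|{rec['balance']:.2f}"
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def reconcile(source_recs, target_recs):
    """Counts, control totals, and per-account presence and content checks."""
    src = {r["account"]: r for r in source_recs}
    tgt = {r["account"]: r for r in target_recs}
    src_total = sum((r["balance"] for r in src.values()), Decimal("0"))
    tgt_total = sum((r["balance"] for r in tgt.values()), Decimal("0"))
    return {
        "source_count": len(src),
        "target_count": len(tgt),
        "source_total": src_total,
        "target_total": tgt_total,
        "missing": sorted(set(src) - set(tgt)),
        "extra": sorted(set(tgt) - set(src)),
        "mismatched": sorted(a for a in set(src) & set(tgt)
                             if fingerprint(src[a]) != fingerprint(tgt[a])),
    }


def run_reconciliation():
    """Reconcile the constructed legacy extract against the constructed export."""
    return reconcile([parse_legacy(line) for line in LEGACY_LINES],
                     [normalise_new(row) for row in NEW_SYSTEM_ROWS])


if __name__ == "__main__":
    rep = run_reconciliation()
    clean = (rep["source_count"] == rep["target_count"]
             and rep["source_total"] == rep["target_total"]
             and not (rep["missing"] or rep["extra"] or rep["mismatched"]))
    print("reconciled" if clean else "DISCREPANCIES", rep)
```

Two design choices matter here. Balances are handled as `Decimal` throughout, because converting a 12-digit implied-decimal field through a float is itself a classic source of cent-level corruption. And the per-record fingerprint is checked in addition to the totals, since, as the constructed data shows, a dropped debit flag and a stray test account can leave the record counts equal and still corrupt the ledger.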
 
System loss occurs when not enough focus is given to the underlying infrastructure (e.g. disk drives, networks, servers). Moving from a large centralised mainframe environment to a more distributed open system environment requires being able to manage multiple vendor technologies and to ensure the same resiliency in the new environment as existed on the mainframe. In addition, with migration to SOA, backup/recovery and business continuity become fully flexible processes requiring more upfront thought and planning to ensure appropriate levels of availability.
 
Infrastructure consolidation: maximise productivity and reduce complexity
To become flexible, banks can increasingly address overly-complex, inflexible and costly IT environments by consolidating and standardising infrastructure hardware, software and IT processes.
 
The adoption of virtualisation is allowing large IT organisations to consolidate their physical servers. At the same time however, the proliferation of virtual devices has created a management headache, especially as all these new servers are accessing heterogeneous resources such as storage from multiple vendors with multiple administrative systems.
 
While virtualisation is allowing companies to realise large cost savings by enabling hardware consolidation, we have yet to see this reflected in the software that manages the infrastructure resources. Unless banks move to standardise and consolidate the management of their infrastructure, they will increasingly lose track of resources and suffer a corresponding reduction in service levels and potential loss of availability. In addition, the unnecessary complexity is contributing to degrading IT management processes, which will rapidly impact the ability to support a flexible business.
 
Standardising and automating infrastructure management allows for a number of major benefits. IT productivity is greatly increased due to higher utilisation and resource allocation. Vendor proliferation is reduced, leading to much better resource management and reduced risk of failure. Finally, banks will see considerable savings from the simpler and better managed environment. 
 
Security transformation: bringing it all together
The same flexibility that drives new business growth will also enable new security threats, from lost or stolen IP and customer information, hijacked online transactions, or mobile banking compromise. Too often, IT security is viewed as a separate function wrapped around the core business processes.  
 
With the threat landscape becoming increasingly sophisticated, security must become part of the business processes built into all IT interactions, internal and external. Robust security will increasingly become an enabler of business growth. Without a new way of implementing security, customer interactions will increasingly suffer from loss of confidence and trust. 
 
To facilitate flexible banking, security must move from a separately managed set of point solutions such as antivirus and data encryption, to become an integrated part of all processes and systems.
 
It starts with a well developed IT risk policy framework pushed out from the very top of the business and governed by clear processes, standards, and reporting. Formal security policies will in turn drive consistent governance and security processes across the business. 
 
Security transformation will also provide a positive, rapid return on investment, as the cost of security and compliance operations and administration are reduced and as security becomes more effective in blocking internal and external threats. 
 
In the new world of flexible banking, internal and external security threats will begin to merge and security will be transformed into an integrated service protecting customers, providers, and banks. Banks must work hand in hand with telcos to set and enforce security policies, implement best practice security technology to protect the information wherever it is, and automate policy management, governance, and security processes.
 
Copyright 2007 | EnterprisingCIO.com | All rights to the trademarks contained in the LOGOS & TRADEMARKS are reserved by each of the companies involved.