Ask the oracle
Written by Sophie Baker
Ramzi Musallam, information risk management consultant: “While 2011 is a new year, the challenges facing those responsible for financial services technology are ongoing. For many the priority this coming year is keeping pace with the changing business and technology environment and managing to do this with increased focus on cost control, finding more efficiencies and coping with additional user demands and new and evolving technology risks.
“The regulatory environment is no less challenging this year. The main regulators will continue to bare their teeth and challenge regulated firms. The UK Information Commissioner's Office (ICO) has recently issued its first penalties under its new powers to fine organisations up to £500,000 for serious breaches of the Data Protection Act 1998 (DPA). The penalties are a clear reminder to all organisations handling personal and sensitive information about the ICO's new powers. The Financial Services Authority (FSA), while undergoing its own changes, continues to identify and penalise poor practices. Firms fined by the FSA for information security/data security failings in recent years include: HSBC, Zurich Insurance, Nationwide, Merchant Securities Group & Norwich Union, and 2011 will no doubt see other firms joining this list.
“The multiple challenges that senior financial sector technologists currently face require the adoption or implementation of a robust IT governance framework that incorporates recognised standards. Typically this would include ITIL and COBIT, and for information security, ISO27001 or the Information Security Framework (ISF). So the question is: can technologists demonstrate effective governance whilst meeting their strategic and short-term objectives in an era of shrinking budgets?
“The panoply of regulatory requirements and ongoing demands on finance sector firms is a challenge for most Compliance and Risk Management departments, who are not always on top of technology risks and the impact they could have on the ability of a firm to meet its obligations and comply with varying compliance standards in the multi-national markets in which most global FS firms operate. The success in meeting these challenges is in large part a correlation of the relationship these functions have with the technology delivery groups and the governance programmes employed by the technology function.
“The challenge of demonstrating good technology governance is recognised by the Unified Compliance Framework (UCF). The UCF is an initiative to map information technology controls across international regulations, standards, and best practices. It does this by harmonising terms and control requirements against a master list of worldwide legal and regulatory requirements combined with internationally recognised regulations, standards, and guidelines.
“Proliferating demand for mobile and remote application access, additional interoperability with new platforms and 24x7 global availability and processing is unabating and leads to an increased need to consider security and strengthen data protection controls. This is no mean feat considering end user demand to make these systems available and compatible on new and traditionally non-business devices such as iPhones and iPads or other mobile platforms.
“It should be remembered that almost half of financial sector firms have critical applications on platforms that are over ten years old. There is increasing pressure to migrate to new technology that offers greater flexibility, performance or cost savings, which may include cloud and grid computing, virtualisation, outsourced operations or software/infrastructure/platform as a service and web-based front-ends.
“However, new technology also means new risk. The 2010 Ernst & Young (E&Y) global information security survey noted that the rising level of risk had not gone unnoticed by its survey participants; 60 per cent of its respondents perceived an increase in the level of risk they face due to the use of social networking, cloud computing and personal devices in the enterprise. E&Y concurred, "it is in this changing and borderless environment that information security professionals must find a way to manage risks and protect their organisations' most critical information assets".
“It is a truism that IT governance covers so much more than compliance and security. It can provide a suitable framework for managing external vendors, improving IT and operational efficiencies, protecting reputation and brand, facilitating mergers, acquisitions and divestitures, and identifying and evaluating new and emerging technology trends.
“Good governance also means enterprises maintaining effective inventories of assets, applications and data. There is clearly work to be done in this area. PricewaterhouseCoopers’ (PwC) Global State of Information Security Survey found a minority of financial services companies had accurate inventories of locations where data was stored. Also surprising given this finding was the revelation that less than half of all respondents use data leakage prevention (DLP) tools. PwC themselves point out that "using data discovery engines within some of the existing data loss prevention tools can help to identify leakages and build a business case for the board".
“It goes without saying that firms should be taking all feasible steps to avoid security theft. Aside from the risk of receiving a severe financial penalty from the FSA and the related costs of dealing with the security breach and the costs of remediation, there is also the no less significant issue of damage to reputation and brand and the impact that has on ongoing operations.
“These are challenging times for organisations and they need to be nimble in anticipating, evaluating and mitigating new and evolving technology risks. Experience has shown that the implementation of robust and effective controls tends to lag behind the adoption of new technologies and the emergence of new threats. For that reason the need for effective IT governance has never been greater.”
Mark Gunning, global banking director, Temenos: “We see a move by tier 1 banks into taking packages – I would argue that banks need to consolidate their systems. We also see the day to day processing of banking transactions by core banking systems as being a commodity. Banks are looking for flexibility and longer term architecture. Banks want ways to offer better customer service and be more efficient; we have to prove that systems will make them more efficient. An advanced approach to multicountry banks is another trend we see – banks are saying they want one integrated structure globally. There is a spending trend, in that we definitely see a rebound in the market, but I would say more consideration of the selection processes is evident: they tend to be a little bigger, involve more people from the bank, bigger selection processes that are seen to be more strategic for the bank.
“We see more of a blurring of the borderlines between banks, for example in retail and private wealth – we offer all of that in one system. They want one system, are all rationalising across business lines, and a product that can do that is more appealing. We have a unique approach to the channels as our system is front to back. The challenge lots of banks have is getting seamless channel integration. This is a major trend and our approach is to have all the channels in a single system that does everything cross-channel, front to back. The trend is wanting to have a seamless experience for the client and customer across the bank from front to back.”
Laurence Leyden, director of Core Banking EMEA, SAP: “Whilst some of the more familiar post-crisis themes such as cost reduction, increased efficiency, and the rebuilding of the balance sheet will still drive behaviour in 2011, this year there will be a greater need to start focusing on investment cycles to improve risk management, compliance and retaining talent. In addition, the FS industry will call for sharper analytical insight, developments in mobile capabilities, and a more strategic approach to creating value for its customers to ensure retention and rebuild their trust in the industry. In order to meet these challenges, FS organisations will need to look at their infrastructures to decide on whether they continue to deliver the required level of flexibility and value to the business or need overhauling.
“With a raft of new regulation coming into play in 2011 and with numerous 2012 deadlines looming, there will be fresh challenges ahead with regard to compliance – particularly for those who have not planned sufficiently in advance. It is therefore likely that risk and regulatory expertise will be in high demand this year. As 2011 gets underway many will also begin to realise the need to step up the pace in the areas of risk management and stakeholder reporting in order to achieve compliance. This is driving the need for technology in the areas of Governance, Risk and Compliance (GRC) and Reporting technology, to comply in a way that brings opportunity for more efficient and improved processes and long term cost savings.
“The banking industry will see continued investment in core platform replacement, enhanced analytics platforms including in-memory reporting, and improved mobile capabilities. The effect of this will be more efficient operations, increased insight from both a bank and customer perspective and a broader customer experience across all aspects of mobile devices.”
Ian Goldsmith, Solutions Architect & Subject Matter Expert - Financial Services, Axway: “2011 looks set to be a year of technological transition for financial services businesses – with the likes of SWIFT7, facilitating increasing micropayments and streamlining the finance supply chain being big enough challenges in their own rights.
“However, another interesting issue that looks set to take the financial industry by storm is the move towards eBAM (Electronic Bank Account Management). This is the proposed electronic automation of the full end-to-end process of corporate bank account management – from account opening, maintenance through to account closure. Currently this is a very paper intensive process, which leaves it open to inefficiency and human error. The opportunity to streamline this process with electronic efficiency has been backed by significant market demand, so we certainly expect to see greater adoption of eBAM this year. The journey won’t be easy, but with our market leading experience in secure data transfer solutions, we hope to be integral to the transition.”
Andy Brown, ACI Worldwide: “The financial sector will need to deal with increasing consumer demand for more ways to pay electronically. With a large proportion of the world population unbanked, the potential for growth as the economy recovers will spiral – especially as banks consider expanding beyond their borders to take advantage of global markets. To best respond to this growth, banks need a payments infrastructure that can handle real-time transactions and new payments channels such as mobile. In fact, mobile banking and payments will move to the mainstream in some countries and further channels for payment processing will emerge. With this growth taking place, there will be a new requirement for the financial sector to get a better view of their liquidity – especially with increased legislation. Financial crime will also continue to be a challenge. As fraudsters’ existing sources of funding become blocked thanks to proactive action by the banks, criminals will become more devious in finding new chinks in the armour of fraud protection.”
Nick Senechal, strategic business development manager, VocaLink: “May 2010 saw the second anniversary of the UK’s Faster Payment Service, which enables payments between accounts in near real-time. The year was an important milestone; 13 banks have now committed to the service, half of all regular standing orders have migrated and over ten million one-off payments are made using the service every month. With the service having been progressively adopted as a new payments standard in the UK over the last two years, 2011 will see banks looking to enable Faster Payments through mobile phones. Outside the UK, a number of countries have seen Mobile Payments as the driver for implementing a Faster or ‘Immediate’ Payments infrastructure. This is driven by increasing demand for mobile person-to-person payments. This was one of the findings of The Voice of the Consumer research conducted by VocaLink in the autumn of 2010. The same research found that a third of respondents would be happy to pay a fee per transaction for the convenience of mobile immediate payments. It’s still early days for mainstream awareness of Immediate Payments, but with consumer demand already there, change is afoot in 2011.”
Tony Virdi, VP, Head of Banking & Financial Services, UK & Ireland, Cognizant: "We are already seeing a key trend emerge this year: mobile payments. Mobile phones were developed primarily in the late 1990s for voice communications. Due to sophisticated development and eager consumer adoption, these have been transformed into devices more versatile than Swiss army knives. With the advance of broadband technology the mobile is the new desktop but able to deliver a more flexible user experience. From music players to cameras, digital diaries to mini computers, it was only a matter of time before they turned into our wallets. There are huge opportunities for banks and financial institutions to leverage this technology which is beginning to take place.
A mobile payment is any form of financial payment for a transaction made using a mobile phone. Many organisations are now offering this service. Mobile payment technology also includes mWallets (hardware and software-based ID solutions with encrypted card and cardholder related information), mobile coupons (consumer preference or location-based) and mobile e-receipts.
However, there are challenges. User experience needs to be improved on devices which are limited in form factor and processing power, and applications need to be supported across multiple devices, often requiring certification on multiple platforms. We’re working with many banks to put their applications on the mobile to help enhance their customer experience. We are also working closely with mobile test vendors who provide a virtual device environment using browsers. This process allows us to test both mobile browser and thick client applications.
Other challenges include integration with back-end systems and fraud prevention, which is still a major obstacle to consumer adoption. There are security mechanisms which ensure only a registered user and device can be enabled, as well as remotely deactivating and disabling mobile payment transactions from stolen or lost devices. Regulatory compliance, which often varies regionally, is another barrier.
Despite these challenges, financial institutions will take mobile payments seriously in 2011. As adoption of mobile phones overtakes PC purchases, it’s time to recognise the benefits available. It is a point of entry for banks to get closer to rural and unbanked consumers in developing markets, and it provides a direct connection with the consumer as mobile provides a new catalyst for disintermediation in the payments value chain. And, there is great potential. Research from Citibank in March 2010 into a contactless payments trial showed that consumers in Bangalore were likely to conduct six times more transactions when contactless payment methods were adopted."
David G.W. Birch, director, Consult Hyperion: "It’s generally a good game trying to guess which new technologies will grab our attention in 2011, but to be honest we all know that by far the most important technology for the financial services sector is mobile, and therefore it’s developments in the mobile sector that will shape strategy.
There are five billion mobile phone subscriptions active in the world today. In some countries, mobile penetration is approaching 300% as consumers lap up smartphones, dongles, 3G Kindles, iPads and the first “4G” devices. Too much of the sector’s response to date has been to shift web services to the mobile internet without really exploiting the capabilities of the mobile channel: my bank’s mobile service is just a small window to their web service and it doesn’t use any of the location, security, facilities and convenience associated with my mobile phone. There’s plenty of room for improvement here, but they will need a better integration between the channel and the service.
It will be difficult for financial services organisations to adjust to a new business model whereby their transactions are mediated by a third party (in this case mobile operators), but they are going to have to. Historically, it’s fair to say that the relationship between banks and mobile operators has been poor and that their co-operation has been less than fruitful. Personally, I think they should re-align so that the operators provide well-defined “smart pipe” services (such as digital identity) to the banks and others so that they can build value-added services on them.
If you’ll tolerate a more technical prediction for the year: the battle for the “secure element” will be fascinating. The mobile operators want to keep control, naturally, and want applications that need security to be managed in the UICC (the smart card chip inside the phone - the one that currently has only one application on it, the SIM) but transit operators and payment companies are already experimenting with secure elements in stickers, SD cards, UICC overlays and handsets as well as the first integrated NFC services. This is going to be fun."
Benj Hosack, director, Foregenix: “Information security management is an ongoing challenge for businesses. During the next 12 months, bad decisions will continue to make good stories. IT will continue to be secured based on untested assumptions, which will result in more headline-hitting data compromises. Understanding where unprotected data resides, the existing data controls and the IT environment will improve security and reduce risk for organisations. Mobile phone/portable device malware. Lots of us seem to have received a new smartphone or ebook reader for Christmas. These personal devices will naturally enter the workplace, causing many challenges for IT staff to secure and control. Third party co-operation. 'Hacktivism' or politically motivated attacks are on the increase, as seen in the recent action by Wikileaks supporters against MasterCard and Visa. This puts organisations at risk of being the target of a 'social cause attack'. Now, more than ever, constant vigilance, education, well-managed controls and a clear strategy are needed to combat security risks.”
Adam Shearn, Head of Enterprise Presales, Nuance Communications: "Voice authentication technology is developing rapidly. It is now one of the most advanced methods of identity verification and payment authorisation a financial organisation can implement to reduce the risk of fraud and make significant cost and efficiency savings. Expect 2011 to be the year that voice authentication becomes pervasive. Voice authentication uses voice biometric technology to prove a customer is who they say they are based on the unique characteristics of their voice. Only if a caller’s voice matches their stored voice print will they gain access to the system, making it an extremely effective security measure. It also means that contacting retail banks is more convenient for customers as banks can be accessed any time, anywhere, without callers having to reveal sensitive information in public places.
Fraud has always been a problem for the financial services industry. Card not present fraud, including phone, online banking and mail orders, accounted for losses of £118.2 million in the UK in January to June 2010. Banks are understandably focusing their attention on securing their online presence. However, what many are yet to realise is that the phone remains one of the least protected channels against fraudulent activity. If this continues criminals will inevitably divert their attention to the phone channel.
Financial organisations not only stand to make savings through a reduction in fraud, but according to a report by the Centre for Economics and Business Research automated caller authentication can also generate efficiency savings of £472 million per year. The technology can reduce call centre agents’ time by 40% and increase accurate identification from 70% to 90% or higher.
Not only is voice authentication user friendly, it offers an effective and convenient solution to security issues, while helping financial organisations save money. Against this backdrop voice authentication is moving ever-closer to fulfilling its potential in 2011."
Colin Rowland, VP EMEA, Operations, OpTier: “The conversations we're having with customers lead us to believe that we will see banks go beyond embracing just the private cloud, to make serious inroads into public usage. They are already adopting private cloud models and they will start to optimise those with clearer visibility to stakeholders, more rigorous SLAs and with smarter chargeback models. But they will not stop there. They will consider public cloud as a serious option because it offers more flexibility. Internal private clouds don't really offer them the ‘time to resource’ they really need. It's also a price issue – to support the same level of activity in the private cloud, banks would have to dig extremely deep in their pockets, as use of public cloud resource does not require the upfront capital expenditures needed to build on-premise infrastructure. Savvy banks will recognise that it often makes much more sense to implement a hybrid model – a blend of the public and private cloud. Being security conscious they will first move less sensitive apps, dev, testing and so on, but will eventually need to also move production workloads – with the right security in place.”
Julian Box, CTO, Virtustream: “There is already recognition that from a technology perspective most people accept that migration to cloud is possible. Most people are concerned about how secure cloud is, how data is isolated from other clients, risk mitigation, and on-boarding and off-boarding perspectives. The security aspect will be big – people want to move into the cloud but are cautious unless that issue is covered. The strength of service provider will be as important as the technology they have. We feel that progressive and thought-based companies that put IT at the forefront will look at the cloud far more strategically. There will be two camps – tactical and strategic. For me, if you are going to look at cloud then you have to have a strategy about it. Strategic-based services will be important this year. There are probably a dozen or so committees out there, and there isn't one voice yet, and a recognised set of standards. People should be looking at best practice and having as much information as possible to get through processes. I think the issue is there are perhaps too many of them. There needs to be consolidation in that space.”
Alex Brown, partner, Simmons & Simmons: “In 2010 we continued to see a suppression of discretionary IT spend in the sector; but there are signs that spend on IT projects has started to increase and this looks set to increase further in 2011. In part this appears to be due to pent-up demand as shelved projects have to be implemented, but external factors play their part as well. The principal external factor driving a large proportion of IT spend today and for the future is the regulatory burden that financial institutions now face. 2010 saw the FSA nearly trebling the level of fines issued (up to £89 million from £35 million) and the increased regulation and governance is set to drive projects dealing with data storage and management going forward.
“Data security has continued to be a significant issue for financial institutions and in 2010 we saw Zurich being fined £2.3 million by the FSA for a lack of appropriate systems and controls relating to data security in connection with transfer of data to an offshore, outsourced data storage centre. In the future the rise of ‘hacktivism’ will pose further threats to institutions' data security.”