An Enterprise Approach
Therefore, banks will need to take a more strategic, enterprisewide approach to security. Although experts disagree on the degree to which this is happening in the industry today, all concur that the strategic shift is at least starting to occur.
Referring to the FFIEC Guidance on Authentication in an Internet Banking Environment that went into effect last year, S1 Enterprise (Norcross, Ga.) general manager Neil Underwood says some of his clients are still dragging their feet, but not for the typical reasons. "The movement around security in 2006 was very reactionary by banks based on the vague guidelines from the FFIEC," he contends. "I have customers who still haven't implemented this, but it's because they feel they should approach the issue from the enterprise level, not just the online channel."
This is no easy task, says Amir Orad, CMO and EVP with Actimize (New York), an enterprise fraud and risk solutions provider. "The holy grail is an enterprisewide, cross-channel solution to security," he states. "Today, many banks deploy point solutions. When they try to deploy a cross-channel solution, it becomes complicated because there are so many silos to cover."
Although BearingPoint's Zafrin says he sees some banks moving to an enterprise model, their efforts, he confirms, often are stymied by the fact that they're dealing with multiple systems and silos. However, the pay-offs for taking the enterprise security plunge can be great, he opines. Zafrin asserts that banks can obtain an integrated view of their customer relationships by combining their tactics for both external security (user authentication) and internal security (access control).
Security as a Differentiator
"Security solutions can be the differentiator if you combine internal and external security strategies and view that information as an enterprise asset to look at customers as individuals rather than as accounts -- you want one core identity for your customers," Zafrin states. "You can control the information and determine how to market to these customers. There are also cost savings because you won't need multiple marketing engines per channel."
Barry Kouns, principal with consultancy SQM-Advisors (Saint Mary's, Ga.), says that security will definitely be a differentiator, for a while at least. "In time, security will be a given, a commodity. The problem is, we think it's a commodity now, but it isn't. So there's an opportunity for a bank to really jump on this," Kouns explains. "But their competitive advantage won't last because eventually, all the banks will be doing the same thing."
New York-based Citigroup ($1.88 trillion in assets) definitely views security as a differentiator, according to Gary Greenwald, head of global capabilities and information products, Global Transaction Services, Citi. "We've seen a lot of reactivity from banks to security, especially to things like the FFIEC guidance. We want to use this as an opportunity to step back a little and not just react. In the future, you're likely to see financial institutions do this more as corporates look at how banks differentiate and business becomes more commoditized. Security is an area where an innovator can differentiate," he states. "Of course, a minimum standard of security needs to be met, but I do think it's possible to differentiate on security."
The manner in which to do this, however, isn't so obvious, Greenwald concedes. As such, he adds, "It's a great arena for putting in place innovation and R&D to determine such strategies."
New Business Models, New Security Needs
On the corporate side, Greenwald says the changing business models of how banks and corporates interact are contributing to new needs around security. For example, he explains, online banking for large corporates is moving away from interaction on the Web to straight-through processing (STP) via companies' enterprise technology systems. "They're passing payments files to us from their Oracle or SunGard systems, and we pass them their statements this way," Greenwald says. "There is no Web involved here."
Issues then arise around encryption and decryption when files are placed on file transfer servers, Greenwald notes. Furthermore, "With a Web interface, you have to have an actual user at the client handle the entitlement checks," he explains. "With STP, checking is usually done in advance before the file is sent to us -- the audit trail of the payment is lost." To rectify the audit trail, according to Greenwald, Citigroup is creating a solution for the STP environment that can authenticate the individual who released the file to the bank.
San Francisco-based Wells Fargo's ($482 billion in assets) Steve Ellis, EVP with the wholesale services group, says his bank has always considered corporates' needs when developing online products and services. "The Internet is about customers, not products," he says, emphasizing that this holds true for online security as well. For instance, Wells Fargo designed its CEO Portal, an online interface for its corporate clients, so that it gives commercial customers single-sign-on access to their entire relationship with the bank. "When someone signs on, there's a graduated level of information access based on what the client tells us," Ellis explains. "That is, an actual transaction would require a higher level of authentication than would be required for someone who just wants to look at the information."
According to Ellis, information is the key to creating an overall business strategy in which security plays a starring role. And the very nature and importance of that data has evolved along with the rest of the industry. "Laptop theft today takes on an entirely different meaning than it did in the 90s," he comments. "Today, there is data on laptops that can potentially endanger a company. Now we have to take steps like encrypting the data and establishing policies around internal business practices regarding data handling. Information used to be in one place. Now we're in a distributed information world."
Wachovia's Watkins says the bank's SecurityPlus program offers both customers and employees resources to help keep data safe. It is an umbrella strategy for the online space that combines communication with internal and external users along with technology to give the bank a better handle on security, he asserts. As part of the program, Wachovia provides a customer center that accumulates information regarding desktop security, the bank's online security guarantee for losses, information on how the bank handles incidents, and other details, along with an employee resource center to help educate Wachovia team members in security matters.
Of course, there is the underlying technology layer that allows the bank to expand its product offerings in a secure manner as well, Watkins adds. "If you close the door to fraud in one area, it will jump to another," he observes. "SecurityPlus helped us develop flexibility and scalability into our architecture so we can adapt. Our technology strategy not only targets security but also gives us the ability to support future functionality for customers to make the bank more convenient and attractive to them."
A Culture of Security
Even small financial institutions understand the connection between security and customer loyalty. "If you show customers that you care about their security, you can really build loyalty," states Brent Rickels, SVP of operations and CIO with Waco, Texas-based First National Bank of Bosque County ($90 million in assets). "We send suspicious transaction alerts to our customers and they are really appreciative of this service. So we're using security to enhance the customer experience. It's a way to make an impression on people. But it's a lot of hard work. You have to create it in the culture."
Again, that relates back to thinking about security from an enterprise perspective. "There has to be an enterprise approach to security," says Art Tyszka, director of product management, mortgage, with information solutions provider Wolters Kluwer (Minneapolis). "It shouldn't just be the burden of the IT department. You need a holistic approach to security. You want to show customers that you're investing in ways to keep their money safe. So you're not just increasing security but the customer experience."
Of course, the IT people at the bank aren't usually the ones to interact with customers. That is why financial institutions need to bring people to the security table who they would not have typically included in the past, such as marketing, customer service, legal and risk personnel.
"Security has to tie together all the lines of business," says Credit Suisse's Landert. "We created a single IT organization, and this helps us tackle all IT risk issues centrally. We look at how we approach security and set guidelines globally. This group draws from expertise throughout the bank. You need to build this into the organization's culture and enforce the process throughout. For example, sometimes security has to be valued more than convenience. That's where marketing would come in. We always include marketing when we implement new security procedures because of the impact on our clients."
But touting security to the public requires a certain subtlety, experts agree. "It's a double-edged sword because as soon as you reveal you have a particular safeguard, you'll draw a lot of flies," states PwC's Giacomini. "The conundrum is doing so without attracting fraudsters. Part of this is in how you word it. It will go into your pitch book but you will need some way to communicate this message effectively. You don't just want to broadcast it."
Frederick Felman, CMO with fraud prevention and brand protection vendor MarkMonitor (San Francisco), contends that some of his biggest advocates are in banks' marketing departments. "Security can't happen in a silo," he says. "The marketing folks are aware of how integral security is in converting people to online banking. It's around brand strength, reputation and trust. Banks drive more profitability by driving more interaction online or to ATMs. If customer confidence is disrupted, the effectiveness of this conversion goes down."
"Financial losses are negligible," adds RSA's Geffen. "It's the users who abandon the online channel that's significant. If people do more in the branch, this will hit banks' bottom lines. Banks' operational costs and business models rely on people going online."
Security ultimately leads to cost savings in more ways than one, notes SQM's Kouns. "Putting measures in place to increase the trust factor will help offset operating costs," he remarks. "But if people see their bank's name in the paper too much, they'll switch. The time is coming when losses will be measured in customer leakage rather than dollars. It takes a lot to earn trust, but only seconds to lose it."