January 30, 2005

The nation's third-largest bank, Bank of America, has grown largely through mergers and acquisitions. Among the many integration challenges faced by the Charlotte-based bank, standardizing employee authentication procedures has been a critical issue.

Each of the acquisitions made by Bank of America ($1.9 trillion in assets) had its own security protocols. Even some of the bank's legacy systems had unique authentication procedures, note Noelle Upah, change management executive, and Andy Fiol, senior change manager, at BofA.

As a result, by the middle of 2003, 80 percent of the bank's 180,000 employees needed six or more IDs (PINs and/or passwords) to access applications simply to do their daily jobs, Fiol says. About 28 percent had 12 or more IDs. "That was too much for anyone to remember, so it led to poor security procedures, like people taping their passwords to their terminals," Upah says. Others simply tied up the help desk with calls about forgotten IDs: 30 percent of employee calls to the help desk were for ID information.

But limiting the number of employee IDs was a difficult proposition. "We were challenged by the fact that we had to work with a bunch of different" applications and vendors, Upah explains. BofA first examined vendor solutions in 2000, when it purchased Netegrity's (Waltham, Mass.) SiteMinder software. Isolated applications were deployed with the solution in 2001 and 2002, but the bank did not embark on an enterprisewide effort until August 2003.

The first step was to establish security standards that would be acceptable for all applications. To do that, bank officials decided to limit the project, which was branded "Simplified Sign-On" (SSO), to employee-facing Web-based applications, including benefits information, travel accounts and call center tracking systems. However, the new security protocols would not extend to company mainframe information, customer account details, customer loan programs and other data that require stricter security measures.

Already running the SiteMinder application, which is hosted in-house, BofA chose Netegrity's software as the platform for its SSO initiative. (Netegrity was acquired by Computer Associates in November 2004.) Bank staff handled all integration and training. To support the initiative, BofA has deployed more than 30 Sun servers in data centers across the country.

By the end of 2004, virtually all of BofA's employees were using the solution to access Web-based applications. The software acts as middleware for all of the bank's Web-based employee applications and allows employees to use a single set of credentials to sign on to those applications. The solution, however, is not a true "single sign-on" application, which would allow employees to sign on once at the beginning of the day and stay authenticated. With SiteMinder, applications lock out a user after an hour of idle time, requiring a fresh sign-on. In addition, BofA's employees still must remember IDs for applications that are not linked to the SSO program.

Still, SiteMinder has been a huge success, Fiol says. Currently, the bank has more than 180 applications linked to the solution. The percentage of employees with six or more IDs has dropped to 37 percent. Additionally, ID-related calls have fallen to just 8 percent of employee calls to the help desk. According to Bank of America, it realized more than $2 million in direct and indirect savings by the end of 2004 as a result of the implementation.

---

Snapshot

Institution: Bank of America (Charlotte, N.C.)

Assets: $1.9 trillion.

Business Challenge: Reduce the number of employee passwords and cut ID-related calls to the help desk.

Solution: SiteMinder from Waltham, Mass.-based Netegrity (a division of Computer Associates; Islandia, N.Y.).