If a bank does not command the trust of its customers and the wider population, it is nothing. An essential foundation of that trust is a dependable and secure IT system.

'Restoring trust' was the title of the British Bankers’ Association’s annual international banking conference this year, and appropriately so. Banks in the UK, Europe and the US are still struggling to regain public confidence in the wake of the 2008 global financial crisis. They are hindered in their efforts by the sovereign debt crisis and recession in the eurozone, mis-selling scandals, the manipulation of Libor, Iranian sanctions busting, breaching anti-money laundering regulations, rogue trading, internet security breaches and more.

Because of the inter-connectedness of the global financial system, even banks in countries that have not suffered any of these problems are afraid of being tarred with the same brush and so must work hard to maintain the trust of customers, shareholders, governments and wider society.

There are many facets to this trust: trusting a bank to safeguard customers’ funds; to provide a secure and reliable service; to treat customers fairly; to support the economy through targeted and responsible lending, efficient payments processing and other essential financial services; and to be a good 'corporate citizen'.

IT is central to everything a bank does these days. Trust in IT is therefore vital. Banks must be able to demonstrate to customers and shareholders that they can be trusted to look after their money and their investments, and to provide a good service. Capable and dependable IT systems are central to winning and maintaining that trust.

Virtual threats

HSBC suffered a severe 'denial-of-service' cyber attack in October 2012. Its web-based services around the world crashed, leaving millions of customers without access to their accounts for many hours. It could have been disastrous for customer trust. But the bank was quick to acknowledge the problem, apologise to customers, work with the relevant authorities and tell the press what was happening. Customer data was not compromised and the bank was able to restore normal service in a day.

No banking platform is safe from cyber attackers – even US defence agencies can be hacked into – but the best banks will deploy the latest security measures, limit any damage caused by breaches and ensure high levels of business continuity.

Living in a virtual world

Keith Andrzejewski, practice lead for risk, compliance and regulatory response at EMC Consulting, says a bank needs a first-rate IT department to ensure consistent service availability, business continuity when disasters strike or things go wrong, robust security, regulatory compliance, effective risk management, integrity and good corporate governance.

“As customers do more of their banking on mobile devices and over the internet it is important that, in this virtual world, they have confidence in their banks’ IT systems and that there is trust in who they are doing business with at the other end of the device,” says Mr Andrzejewski. “But they must have the right degree of business continuity and IT security. There has to be a balance. A bank’s business continuity capabilities should not be over-engineered, because not everything needs to have 100% availability, or uptime.”

Minimising risk

When working on uptime assurance for financial institutions, Mr Andrzejewski always starts with the legal and regulatory requirements. The aspects of a banking service that regulators regard as the most important must take precedence when planning service availability. “The next step is risk assessment," he says. "That starts with classifying assets, and deciding on the protection and support that ought to be assigned to each. Separating assets into those where some downtime is acceptable and those where it is not is a delicate business, but the key consideration is that they are separate.

“The risks posed by potential equipment failure, and by malicious agents inside and outside your organisation, are relatively easy to quantify. Harder to account for is human carelessness, though it should always be factored into any risk assessment. A huge and costly denial-of-service attack that cost a well-known organisation a great deal of money was only made possible because a technician plugged a USB stick into a server. That organisation’s risk assessment was otherwise solid," says Mr Andrzejewski.

“Uptime in the IT infrastructure, and the risk assessment that goes with it, is merely a part of the wider business risk assessment process. It is still very common to see senior executives in the financial services sector significantly underestimate the risks that their business faces, in IT or elsewhere. It is very common to see short-term business imperatives take precedence over risk control, and that is fundamentally flawed as a long-term strategy. Sometimes those responsible for risk assessment have to tell their bosses things they do not want to hear,” he says.

Effective means of preventing, detecting and mitigating fraud are essential for maintaining customer trust. Banks in advanced countries are good at this; those in emerging markets less so.

“Banking fraud in China is rampant,” says Mr Andrzejewski. “Banks there know how to stop it, but are reluctant to improve counter-measures for fear of making it more difficult for people to open accounts. Many bankers believe that if they require six pieces of information from an applicant for an account, and another bank requires only five, then the applicant will be more likely to choose the second bank – so the first lowers its requirement to five as well.”

Weathering the storm

The destruction wrought by Hurricane Sandy on the US north-east coast in October 2012 caused immense problems for banks and really put their disaster recovery plans – and customer trust – to the test. Most banks coped well. For example, although the storm severely disrupted Citibank’s network, within a few days service was restored to nearly 90% of the bank’s branches and ATMs, including all six branches on Staten Island, one of the worst affected areas.

In a move that showed it understood customers’ problems, the bank offered significant relief to those in the disaster zone. It allowed mortgage customers more time to make repayments, waived late payment charges for 90 days and suspended foreclosure sales. For other customers it provided overdraft protection, wired emergency funds to them and said it would refund fees for the use of ATMs outside its network. To cap it all, the bank donated $1m to the American Red Cross’s relief and recovery efforts.

"Our Hurricane Sandy relief programmes are intended to alleviate some of the financial hardships facing our customers so they can focus on the most pressing issues in front of them,” said Citi CEO Michael Corbat. “Citi is committed to helping our customers recover and rebuild by being sensitive and accommodating their needs.”

Another issue for the bank was the fact that its investment banking operations in New York City were situated at the heart of the hurricane evacuation zone. To minimise disruption to these services, Citi used its back-up locations to ensure continuity of operations until staff were able to return to their lower Manhattan offices.

Eliminating inconvenience

David Gledhill, managing director and head of group technology and operations for DBS, Singapore’s biggest bank by assets, says reliability, resilience, security and performance all play a part in the customer’s mind. “It is one thing to build a back-end internet resilience solution, so if the internet banking goes down there is an immediate alternative, but if the user feels that the performance of that alternative is not up to standard, then it is not a good solution,” he says. “From my risk management point of view it may be alright, but it may not meet the customer’s expectations of reliability and dependability.”

DBS uses a number of tools to constantly monitor the availability of its digital channels. It also monitors what its competitors are doing. Planned downtime for maintenance has been reduced significantly as this was identified as an inconvenience for customers.

“Historically, banks have regarded planned downtime as OK, because the idea was that all you do is inform customers and they should accept it,” says Mr Gledhill. “But informing customers in advance is not good enough these days. The principle we applied is that planned downtime is almost as bad as unplanned downtime, so the aim has been to get planned downtime to as close to zero as possible. In the past few years we have striven to reduce it and have done so by 95%.

“At the back-end this has required a massive amount of re-engineering on the mainframe. We have had to re-architect the mainframe and put in place all sorts of parallel processing. On the internet front-end, we have completely revamped it to provide parallel environments. I can now take down one online banking site to upgrade it and flip to the other. This is all invisible to customers,” says Mr Gledhill.

Technological transformation

Mr Gledhill says this re-engineering is a prime example of IT transformation. In the past three to four years DBS has almost completely transformed much of its IT infrastructure and many of its applications to make banking easy for customers. It has been a long journey, focused on what really delivers value to customers.

“An important driver behind transformation is derisking. You can never get to zero risk in an IT environment, but what you can do is be obsessed about where you see potential risks and then mitigate them. We have an availability strategy that allows us to decide what capacity we need to build to cope with a crisis," says Mr Gledhill. 

"Some of the systems when I first arrived here had a disaster recovery capacity that was less than 100% of the total need. Imagine a scenario where you lose a data centre. Many more customers than usual will log onto their online account to check their balance. So you will need even more capacity in a disaster than in a normal situation," he says.

“But you shouldn't have too much capacity. If a data centre goes down you might have a 200% to 300% surge of customers in the first couple of hours of them hearing the news, then it trails off. So you probably don’t want to build 200% to 300% of emergency capacity. What else can you do that is better than putting up a ‘service not available’ message, which for customers would be the worst possible time for them to see such a message? We have therefore invested in ‘overflow technology’ from third-party vendors, so that in such situations we can gracefully overflow, with a reassuring message saying that due to high traffic they may experience a delay, so could they try again later,” says Mr Gledhill.
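The graceful overflow Mr Gledhill describes, as an added illustration that is not DBS's code and not any vendor's product: an admission gate that admits only as many concurrent sessions as the surviving site can serve and answers everyone else with a reassuring "try again shortly" response instead of a timeout or a "service not available" page. The capacity figures, the surge size and the message wording are constructed assumptions for the simulation.

```python
"""Graceful overflow (load shedding) in front of a capacity-limited banking channel.

Added example, not DBS's system or a vendor's 'overflow technology'. The capacity
of the surviving data centre and the size of the surge are constructed assumptions.
"""
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed wording: tells the customer the bank is up and their money is safe.
BUSY_MESSAGE = ("We are experiencing unusually high traffic. Your accounts are safe; "
                "please try again in a few minutes.")


@dataclass
class Response:
    status: int                        # 200 served, 503 shed
    body: str
    retry_after: Optional[int] = None  # seconds; mirrors the HTTP Retry-After header


class OverflowGate:
    """Admit at most `capacity` concurrent requests; shed the rest with a
    reassuring message rather than letting them queue until they time out."""

    def __init__(self, capacity: int, retry_after_s: int = 30) -> None:
        self.capacity = capacity
        self.retry_after_s = retry_after_s
        self._slots = threading.Semaphore(capacity)
        self._lock = threading.Lock()
        self.served = 0  # counters feed the availability monitoring
        self.shed = 0

    def try_admit(self) -> bool:
        """Non-blocking: a surge must never pile up behind the gate."""
        return self._slots.acquire(blocking=False)

    def release(self) -> None:
        self._slots.release()

    def handle(self, work: Callable[[], str]) -> Response:
        """Run `work` if a slot is free, otherwise shed with a retry hint."""
        if not self.try_admit():
            with self._lock:
                self.shed += 1
            return Response(503, BUSY_MESSAGE, self.retry_after_s)
        try:
            body = work()
            with self._lock:
                self.served += 1
            return Response(200, body)
        finally:
            self.release()


def simulate_surge(capacity: int, surge_factor: float, work_s: float = 0.3) -> tuple:
    """Release capacity * surge_factor balance checks at the same instant (a
    Barrier makes them arrive together) and report (served, shed)."""
    gate = OverflowGate(capacity)
    n = int(capacity * surge_factor)
    start = threading.Barrier(n)

    def balance_check() -> str:
        time.sleep(work_s)  # stands in for the back-end call holding the slot
        return "balance: 1234.56"  # constructed value

    def customer() -> None:
        start.wait()
        gate.handle(balance_check)

    threads = [threading.Thread(target=customer) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return gate.served, gate.shed


if __name__ == "__main__":
    # Constructed scenario: the surviving site serves 100 concurrent sessions and
    # three times that number log in at once when news of the outage spreads.
    served, shed = simulate_surge(capacity=100, surge_factor=3.0)
    print(f"served={served} shed={shed}; each shed customer saw: {BUSY_MESSAGE!r}")
```

The point of the non-blocking admit is the one in the quote: building 200% to 300% of emergency capacity is wasteful, so the gate sizes admission to what actually exists and turns the remainder into a calm, bounded "retry later" rather than an unbounded queue that eventually fails for everyone. The `served` and `shed` counters are what an availability dashboard would watch during the first hours of a data-centre loss.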

Action by the authorities

Although banking fraud is endemic in China, Hong Kong is a different matter. Hong Kong banks are in the process of adopting chip-based technology to strengthen ATM security even more, assisted by the Hong Kong Monetary Authority (HKMA), which has set the technical and security standards banks must implement. All ATMs must comply with the new standards by the end of February 2013 and existing cards must be replaced by new chip cards by 2015.

“Although ATM fraud is not a significant fraud in Hong Kong, it is important for Hong Kong to stay at the forefront of the technology and be in line with international trends,” says Arthur Yuen, HKMA’s deputy chief executive. Anita Fung, chairwoman of the Hong Kong Association of Banks, says that banks set up a taskforce on ATM fraud more than two years ago to work with the HKMA on developing the new security measures.

An indication of how seriously politicians treat IT security is provided by the UK government, which in 2011 launched a cyber security strategy. As part of that initiative it set up a research institute in the science of cyber security in October, funded by the government intelligence agency GCHQ and other official bodies, and hosted by University College London (UCL). Its purpose is to increase the country’s academic ability in all fields of cyber security. Its research will ultimately make it easier for businesses, individuals and governments to protect their computer networks and the data they contain.

Professor Angela Sasse, director of the institute and professor of human-centred technology in the department of computer science at UCL, is looking for businesses, including financial institutions, to get involved with the research the institute will carry out to assess the costs and benefits of security measures for all stakeholders. She believes that banks take cyber security seriously. They are well aware that fraudsters target online banking because that is where the money is. But controls are not always effective, as evidenced by the fact that there have been a number of examples of banks losing customer data and countless more examples every year of customers being defrauded.

“Regulators may require a firm to have a security policy, but do not specify how strong the policy has to be and whether it is working in practice,” says Ms Sasse. “For instance, a bank may require that employees have strong passwords, but if employees re-use the same password on external services or sites, to make it more memorable, it may become compromised. Compliance with regulation often deteriorates into a tick-box exercise and the ‘best-practice’ approach, which should really be called ‘common practice’ as they are only doing what others are doing rather than what is ‘best’.”

Protecting number one

Another problem is that banks tend to focus on protecting themselves more than their customers, who are wide open to phishing and malware attacks. “There have been some efforts to protect them with two-factor authentication devices, such as Barclays’ PINsentry, and anti-phishing software such as Solid, but customers are still vulnerable,” says Ms Sasse.

“This is particularly the case where banks still have bad habits such as phoning up customers to ask for their credentials, when the customer has no way of verifying that the caller is actually from the bank and not an attacker,” she says.

So, there is no denying that bankers, regulators, politicians and academics share the same view – that it is a bank’s fiduciary duty to safeguard customers’ money from loss or fraud, as well as provide a reliable service that works even when disaster strikes. Just as importantly, everyone also agrees that for a bank to fulfil that duty it must have a dependable, secure, high-performance IT infrastructure. Trust in IT is everything.

The Banker is a service from the Financial Times.