Banks Using Security to Increase Customer Trust and Their Bottom Lines
Just two years ago, the topic of information security was anathema to some bank executives. Sure, problems existed. But the general attitude was that it wasn't quite a crisis until a problem hit your own bank. Security was a cost center -- it was a necessary evil that hampered the quick rollout of new initiatives. As a result, many banks would implement just enough of a fix to meet the bare minimum for regulatory compliance.
But that attitude has taken a sharp about-face over the past year. Perhaps it was the slew of high-profile data breaches and stories of lost data tapes and pilfered laptops that caused financial institutions to rethink their approaches to security. Now information security is coming out of the IT shop and into the front lines of the business itself at an industrywide level.
Andrea Klein, chief marketing officer (CMO) with San Francisco-based digital credential provider IdenTrust, confirms that there is a new interest in security issues among banks around the globe. "What I think is new is that companies in Europe are reporting security and fraud in bigger numbers than they previously did," Klein relates. "They seemed to think security was a U.S. problem, but Europe is starting to see that it's their problem, too. This is a big change. They're recognizing that this is a global problem and they're paying more attention to it. It's not one bank's problem."
And it's not just the banks themselves that need to be safeguarded from criminals. Their growing partner networks also need to be secured, stresses Jonathan Gossels, president of security consultancy SystemExperts (Sudbury, Mass.). In light of the heightened attention to consumer data privacy, "The focus on their partners by banks today is well-placed," he comments. "You want to see if the mechanisms your partner is using are as strong as those you use. Also, besides those interactions between the customers and the banks, some of these interactions are between the partner and the customers. So banks have to recognize it's a more-complex world."
In the Online Channel We Trust?
In that more-complex world, it's crucial to maintain client confidence at all times, whether those customers are from your bank or from another institution, says John Watkins, director of online services at Charlotte, N.C.-based Wachovia ($706.4 billion in assets). "Of most concern to me is customer confidence," he remarks.
"Data breaches and any type of security concern in the online space affect customer confidence, whether it's your bank or not," Watkins continues. "This creates a problem for the fastest-growing channel -- it's convenient, scalable and lower-cost. We're concerned that customers will lose confidence if we can't provide them with a good feeling that they are safe online. It's about trust."
The Internet channel is largely responsible for banks' renewed focus on security, according to Karl Landert, CIO of private banking and Europe, Middle East, Africa region, for Credit Suisse (Zurich/New York; US$1.17 trillion in total assets). "The greater interest in security at large is due to the technology integration that connects clients to the Internet," he says. "The security and availability of all our Internet offerings are top of mind for me. The biggest risk isn't the loss itself but the [damage to the] bank's reputation. Some of our competitors had to close down their online banking systems for days because of attacks. If you don't keep security threats at bay, they will force a bank to shut down its systems" -- and, ultimately, damage its reputation with consumers, Landert adds.
"The money is a concern, but even more so is the reputational risk," agrees Patrick Giacomini, managing director with PricewaterhouseCoopers Advisory in New York. "This can be very damaging. It hurts your market capitalization and you lose customers because they think you can't keep them safe. It's about trust. That's why banks are spending a lot of effort in this space."
For these reasons, financial services providers are beginning to realize that security is about much more than preventing unauthorized access to their customers' data and funds. Winning the trust of customers, both in the retail and commercial space, is key to beefing up banks' bottom lines, experts agree. And building security into business strategy is one way to foster this new way of thinking at banks, especially as they fight tooth and nail for every account.
"Banks aren't looking at security from a risk-management perspective but from a business-acceleration perspective," says Mark Geffen, director of marketing, consumer solutions group, RSA Security (Bedford, Mass.). "This is a very big change that helps fund more security initiatives because it's not something you have to do, but something that grows the business."
"Security is moving from being an infrastructure tool where it protects the data to something at the intersection between compliance and security," adds Warren Zafrin, national practice leader in financial services information security, BearingPoint (New York). "Over time, security will be a differentiator for banks. It's about trust. People will trust their information and assets with a financial institution that will protect them. So security really goes beyond preventing data breaches to enhancing relationships."
And security is increasingly important to maintaining those relationships. "Data privacy laws are raising awareness among banks and their customers regarding handling of data," states PwC's Giacomini. "So the majority of people expect a bank to be secure."
An Enterprise Approach
Therefore, banks will need to take a more strategic, enterprisewide approach to security. Although experts disagree on the degree to which this is happening in the industry today, all concur that the strategic shift is at least starting to occur.
Referring to the FFIEC Guidance on Authentication in an Internet Banking Environment that went into effect last year, S1 Enterprise (Norcross, Ga.) general manager Neil Underwood says some of his clients are still dragging their feet, but not for the typical reasons. "The movement around security in 2006 was very reactionary by banks based on the vague guidelines from the FFIEC," he contends. "I have customers who still haven't implemented this, but it's because they feel they should approach the issue from the enterprise level, not just the online channel."
This is no easy task, says Amir Orad, CMO and EVP with Actimize (New York), an enterprise fraud and risk solutions provider. "The holy grail is an enterprisewide, cross-channel solution to security," he states. "Today, many banks deploy point solutions. When they try to deploy a cross-channel solution, it becomes complicated because there are so many silos to cover."
Although BearingPoint's Zafrin says he sees some banks moving to an enterprise model, their efforts, he confirms, often are stymied by the fact that they're dealing with multiple systems and silos. However, the pay-offs for taking the enterprise security plunge can be great, he opines. Zafrin asserts that banks can obtain an integrated view of their customer relationships by combining their tactics for both external security (user authentication) and internal security (access control).
Security as a Differentiator
"Security solutions can be the differentiator if you combine internal and external security strategies and view that information as an enterprise asset to look at customers as individuals rather than as accounts -- you want one core identity for your customers," Zafrin states. "You can control the information and determine how to market to these customers. There are also cost savings because you won't need multiple marketing engines per channel."
Barry Kouns, principal with consultancy SQM-Advisors (Saint Mary's, Ga.), says that security will definitely be a differentiator, for a while at least. "In time, security will be a given, a commodity. The problem is, we think it's a commodity now, but it isn't. So there's an opportunity for a bank to really jump on this," Kouns explains. "But their competitive advantage won't last because eventually, all the banks will be doing the same thing."
New York-based Citigroup ($1.88 trillion in assets) definitely views security as a differentiator, according to Gary Greenwald, head of global capabilities and information products, Global Transaction Services, Citi. "We've seen a lot of reactivity from banks to security, especially to things like the FFIEC guidance. We want to use this as an opportunity to step back a little and not just react. In the future, you're likely to see financial institutions do this more as corporates look at how banks differentiate and business becomes more commoditized. Security is an area where an innovator can differentiate," he states. "Of course, a minimum standard of security needs to be met, but I do think it's possible to differentiate on security."
The manner in which to do this, however, isn't so obvious, Greenwald concedes. As such, he adds, "It's a great arena for putting in place innovation and R&D to determine such strategies."
New Business Models, New Security Needs
On the corporate side, Greenwald says the changing business models of how banks and corporates interact are contributing to new needs around security. For example, he explains, online banking for large corporates is moving away from interaction on the Web to straight-through processing (STP) via companies' enterprise technology systems. "They're passing payments files to us from their Oracle or SunGard systems, and we pass them their statements this way," Greenwald says. "There is no Web involved here."
Issues then arise around encryption and decryption when files are placed on file transfer servers, Greenwald notes. Furthermore, "With a Web interface, you have to have an actual user at the client handle the entitlement checks," he explains. "With STP, checking is usually done in advance before the file is sent to us -- the audit trail of the payment is lost." To rectify the audit trail, according to Greenwald, Citigroup is creating a solution for the STP environment that can authenticate the individual who released the file to the bank.
San Francisco-based Wells Fargo's ($482 billion in assets) Steve Ellis, EVP with the wholesale services group, says his bank has always considered corporates' needs when developing online products and services. "The Internet is about customers, not products," he says, emphasizing that this holds true for online security as well. For instance, Wells Fargo designed its CEO Portal, an online interface for its corporate clients, so that it gives commercial customers single-sign-on access to their entire relationship with the bank. "When someone signs on, there's a graduated level of information access based on what the client tells us," Ellis explains. "That is, an actual transaction would require a higher level of authentication than would be required for someone who just wants to look at the information."
According to Ellis, information is the key to creating an overall business strategy in which security plays a starring role. And the very nature and importance of that data has evolved along with the rest of the industry. "Laptop theft today takes on an entirely different meaning than it did in the 90s," he comments. "Today, there is data on laptops that can potentially endanger a company. Now we have to take steps like encrypting the data and establishing policies around internal business practices regarding data handling. Information used to be in one place. Now we're in a distributed information world."
Wachovia's Watkins says the bank's SecurityPlus program offers both customers and employees resources to help keep data safe. It is an umbrella strategy for the online space that combines communication with internal and external users along with technology to give the bank a better handle on security, he asserts. As part of the program, Wachovia provides a customer center that accumulates information regarding desktop security, the bank's online security guarantee for losses, information on how the bank handles incidents, and other details, along with an employee resource center to help educate Wachovia team members in security matters.
Of course, there is the underlying technology layer that allows the bank to expand its product offerings in a secure manner as well, Watkins adds. "If you close the door to fraud in one area, it will jump to another," he observes. "SecurityPlus helped us develop flexibility and scalability into our architecture so we can adapt. Our technology strategy not only targets security but also gives us the ability to support future functionality for customers to make the bank more convenient and attractive to them."
A Culture of Security
Even small financial institutions understand the connection between security and customer loyalty. "If you show customers that you care about their security, you can really build loyalty," states Brent Rickels, SVP of operations and CIO with Waco, Texas-based First National Bank of Bosque County ($90 million in assets). "We send suspicious transaction alerts to our customers and they are really appreciative of this service. So we're using security to enhance the customer experience. It's a way to make an impression on people. But it's a lot of hard work. You have to create it in the culture."
Again, that relates back to thinking about security from an enterprise perspective. "There has to be an enterprise approach to security," says Art Tyszka, director of product management, mortgage, with information solutions provider Wolters Kluwer (Minneapolis). "It shouldn't just be the burden of the IT department. You need a holistic approach to security. You want to show customers that you're investing in ways to keep their money safe. So you're not just increasing security but the customer experience."
Of course, the IT people at the bank aren't usually the ones to interact with customers. That is why financial institutions need to bring people to the security table who they would not have typically included in the past, such as marketing, customer service, legal and risk personnel.
"Security has to tie together all the lines of business," says Credit Suisse's Landert. "We created a single IT organization, and this helps us tackle all IT risk issues centrally. We look at how we approach security and set guidelines globally. This group draws from expertise throughout the bank. You need to build this into the organization's culture and enforce the process throughout. For example, sometimes security has to be valued more than convenience. That's where marketing would come in. We always include marketing when we implement new security procedures because of the impact on our clients."
But touting security to the public requires a certain subtlety, experts agree. "It's a double-edged sword because as soon as you reveal you have a particular safeguard, you'll draw a lot of flies," states PwC's Giacomini. "The conundrum is doing so without attracting fraudsters. Part of this is in how you word it. It will go into your pitch book but you will need some way to communicate this message effectively. You don't just want to broadcast it."
Frederick Felman, CMO with fraud prevention and brand protection vendor MarkMonitor (San Francisco), contends that some of his biggest advocates are in banks' marketing departments. "Security can't happen in a silo," he says. "The marketing folks are aware of how integral security is in converting people to online banking. It's around brand strength, reputation and trust. Banks drive more profitability by driving more interaction online or to ATMs. If customer confidence is disrupted, the effectiveness of this conversion goes down."
"Financial losses are negligible," adds RSA's Geffen. "It's the users who abandon the online channel that's significant. If people do more in the branch, this will hit banks' bottom lines. Banks' operational costs and business models rely on people going online."
Security ultimately leads to cost savings in more ways than one, notes SQM's Kouns. "Putting measures in place to increase the trust factor will help offset operating costs," he remarks. "But if people see their bank's name in the paper too much, they'll switch. The time is coming when losses will be measured in customer leakage rather than dollars. It takes a lot to earn trust, but only seconds to lose it."