BofA To Install Secure Messaging System
"War is too important to be left to the generals," goes Clemenceau's famous quote. If he were alive and working at Bank of America today, he might instead say, "Information delivery is too important to be left to the techies."
In deciding how to send confidential information, like monthly statements, securely to corporate clients and consumers, BofA officials have abandoned conventional approaches in favor of guerilla tactics, where businesses and technical staff engage each other in a war of ideas.
Everyone, it seems, has put their two cents in. "The consumer bank, global and investment bank, and asset management group all had a role in defining a common list of requirements," said Wil Koenig, senior vice president, operations and technology at Bank of America.
"We wanted to make sure we identified the 'deltas' between what everybody wanted and what the individual businesses wanted," Koenig added.
As head honchos for the project, Koenig and his team, Messaging and Collaboration Services, were responsible for recruiting the necessary technical skills from within the organization. "Because a lot of the security aspects of messaging are outside our scope, we engaged Information Security and the Internet Services group."
Internet Services, he noted, is responsible for implementing components at the "demilitarized zone" between the bank and the Internet, to "ensure that whatever design was contemplated was appropriate to information security guidelines."
Much of the discussion focused on usability. "We had our own ideas of what it would take to provide a fairly transparent experience," said Koenig. "We wanted to make sure that our thoughts were aligned with those of our business partners."
Also discussed was the level of robustness required.
"We wanted to make sure the new system was able to handle a campaign of monthly statement distributions in the event of a node failure, without any risk of overall degradation of performance," said Koenig.
The business units wanted control over the way they interact with customers, which is no easy task.
"It's one thing to brand the message as coming from BofA, but it's another to allow the customer to see that not only does it come from BofA, but it comes from the investment subsidiary, the mortgage company or any of the other businesses," Koenig said.
The bank has chosen two basic approaches for transmitting secure information: a "pull" model, in which a customer retrieves information at an in-box that resides at a secure Web site, and a "push" model, in which the bank sends confidential and private information to a customer at a destination they specify, e.g., a Hotmail address.
The goal is to provide maximum flexibility to customers. "Along with our large base of customers, we have a large base of opinions about how transactions should be conducted over the Internet," said Koenig. "We conducted a great deal of research on both the pull and push scenarios."
The discussions led to the licensing of a secure messaging and statement delivery system from Sigaba, a San Mateo, Calif., software firm. Under a five-year deal, Sigaba will provide secure e-mail gateways, authentication adaptors and encryption services, secure e-mail plug-ins, and custom-developed secure messaging solutions.
Once the Sigaba system is installed in early 2003, bank employees may communicate internally, and with clients and suppliers, securely and privately from anywhere in the world.
The system provides maximum ease of use and flexibility for clients, allowing them to use any e-mail system, choose the method of secure document receipt, and manage their own secure messaging account information. At the same time it also helps protect clients' private financial data from being disclosed while in transit.
For Bank of America, Sigaba provides a scalable, robust security offering that leverages public key infrastructure (PKI) and helps meet privacy regulations such as the Health Information Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLB).
The product also protects confidentiality, secures infrastructure elements, and supports homeland security initiatives.
Regulatory compliance was a primary reason for choosing Sigaba, according to Koenig.
"We have a lot of guidelines to which we must adhere. GLB dictates how we need to treat confidential and private information," he said.
Secure messaging has benefits beyond regulatory compliance, though.
"It provides an opportunity for customers to establish a more personalized relationship, knowing that they can structure the way they want information delivered," Koenig said.
It also makes customers more likely to adopt online services, which can translate into better customer retention for financial institutions, he noted.
"If we provide the ability to send and receive information in a fashion similar to the way they send regular e-mail, then it's one less hurdle for them to scale and one more opportunity for the bank," Koenig said.