Thursday, August 23, 2007

Reuters at Sibos

In the run-up to SWIFT's annual customer conference, Sibos, it is not unusual for us hacks to receive invitations from banks and financial software vendors to attend press briefings with their key executives.

So when I received in my email inbox an invitation from Reuters to participate in "a limited number of face-to-face consultations, examining key business challenges faced by our customers," my curiosity was aroused.

The invitation mentioned that Reuters is bringing a team of "top-level experts" and showcasing a "new, no-compromise approach" to business automation for capital markets, to which it has assigned the rather intriguing name of "The Power of &."

It appears that "The Power of &" has something to do with "simplifying" front-to-back office trade and risk processes with more seamless integration of "standardised high quality data."

My interest was certainly twigged until I saw the name on the Reuters invitation, which said, 'Dear Antonio'. At first I thought it was a mis-type (Anita, Antonio) but when I clicked on the RSVP button and the details of an Antonio at a bank in Brazil came up, I realised it was a customer invitation I had mistakenly received. No doubt the press invite for a limited face-to-face with Reuters is in the post.

Where is

Having lambasted 'bricks and mortar' banks for their "second-rate" online customer service based on research findings from Transversal, it appears some online-only banks are finding it difficult to keep their sites fully operational.

Tried logging onto Egg recently? Martin Stern, head of the authority on Internet and mobile performance, Keynote UK, issued an edict saying that, seemed to have disappeared from existence with customers unable to find the website anywhere.

So I decided to type Egg's domain name into a web browser, which resulted in a message from Firefox that it cannot find the web server at Egg. Having said that I logged onto again this afternoon and voila, the web site appeared., formerly owned by the Prudential, was one of the first wholly online banking sites to launch at the height of the Internet Gold Rush. Citi bought Egg from Prudential for more than $1 billion earlier this year. Citi has a wealth of online experience with its CitiDirect Online platform, but in this era of 24-hour round-the-clock online banking, any site down time can cause consternation amongst customers.

Stern had this to say about the need for online-only banks to ensure round-the-clock availability:

"It is imperative that a company whose total business model is based on online presence manages to maintain consistent website performance. Online-only banks need to ensure their infrastructure performs above-and-beyond their multi-channel competitors and, given the much-lower operating costs of a branch-free model, their margins should be able to fund the building of a world-class online infrastructure."

Wednesday, August 22, 2007

Banks 'second rate' at online service

Banks bang on a lot about customer service but with multiple channels to support for communicating with their customers, it appears banks may be neglecting the most powerful channel of all, the internet.

Multi-channel customer service research from eService provider Transversal suggests that while response times at customer call centres have improved dramatically, with 60% of calls answered within three minutes and the shortest wait times being just a few seconds, the banks still have not got their heads around customer service on the internet.

According to Transversal's findings, 30% of bank websites struggled to answer more than two out of 10 product and service questions - only one bank scored top marks. Approximately a third of banks still do not offer the facility to email questions, and of those that did, the average response time was 30 hours - and it gets worse, only three out of 10 banks managed to answer email questions satisfactorily.

Given that banks have invested heavily in a web shopfront window, there appears to be no good reason for the lack of responsiveness to web enquiries other than the fact that banks don't quite get it.

Some banks still appear to be stuck in the mindset that putting information on the internet means you do not have to provide the same or similar levels of customer service that you would provide if someone walked into a branch.

Although 80% of banks surveyed had a Frequently Asked Questions (FAQ) section (up from 50% in 2006), Transversal's findings indicate that many of these were "extremely large" and difficult to navigate to find tailored information. The irony is that despite all the increases in bandwidth and the speed of the internet, customers still found it easier to get a response via the phone than online.

Pushing its own barrow, Transversal said only 30% of banks had implemented natural language eService solutions that use neural network technology to analyse email questions in order to find the best response.

But it is not just about the software becoming more intelligent in order for web sites to more satisfactorily respond to customers' emailed questions. Banks need to fully embrace the interactive capabilities of the Internet to encourage more meaningful and fruitful interactions with their customers. Do I hear shrieks of Web 2.0 in the background - quite frankly, shouldn't basic levels of online customer service have been part of Web 1.0?

Wednesday, August 15, 2007

Politicians up the ante about online fraud

UK politicians it seems are getting all hot and bothered about online fraud, particularly in the banking sector, with the release this week of a UK parliamentary report entitled, "Personal Internet Security", which describes the internet as a “playground for criminals”.

No new revelations there, then. The internet has been used by criminals pretty much since its inception, so why are the politicians suddenly getting hot under the collar about it? Well, it seems that the report's authors, the House of Lords Science and Technology Committee, have gone and given themselves a major dose of the 'spooks' by compiling damning statistics and evidence that suggest online fraud is an epidemic.

Not only is online fraud being perpetrated by organized crime gangs (nothing new there either) instead of the teenage-hacker-in-his-bedroom with nothing better to do, the report states, but they have also succeeded in remaining largely "invisible".

The report reels off a damning array of statistics including VeriSign's predictions that the level of “bad traffic” (Denial of Service attacks, email spam, phishing) was peaking at 170 times the basic level of Internet traffic; by 2010 it is predicted to be 500 times the basic level.

The report highlighted the vulnerability of online banking to fraudulent activity, citing figures published by the UK bank payments association, APACS, which recorded more than 1,500 “unique” phishing attacks directed at UK banks in September 2006, up from just 18 in January 2005. US banks are the most targeted by phishing, with their losses totalling approximately $2 billion.

The UK parliamentary report recommends the establishment of a framework for collecting and classifying data on e-crime, and “more rigorous and co-ordinated analysis” of the incidence and costs of such crime. It also talked about deployment of security software at ISP level (not that old chestnut), the need for a dedicated regulator for the online world (Hmmm!) and for Government to increase banks' fraud liability.

It did not take long for the security software industry to leap on the parliamentary bandwagon, coming out and touting the latest and greatest authentication technologies including two-factor authentication (which uses two different methods for authenticating someone's identity), and the most amazing suggestion I have heard so far, a "pattern-based" approach based on people's ability to remember patterns to offer a more secure, yet more simple (surely not?) means of authentication, other than the much maligned Chip and PIN.

No one is disputing the need for stronger, more robust means of authenticating someone's identity. However, some of the newer technologies being touted are expensive to deploy and complex to implement. Furthermore, a lot of these technologies only provide authentication up to a point. PIN and password, for example, may authenticate a user to an online site or banking application, but it does not provide an iron-clad guarantee that the person is who they say they are.

What is even more alarming is that multinational corporations sending high-volume payments via their banking partners have desk drawers full of security tokens and fobs which only provide authentication at the corporate level, but do not identify the individual sending a payment and whether they are authorized to do so.

It seems the banks have been caught napping and have been too busy trying to push their proprietary identity management and information security technologies on customers in an effort to lock them in.

Well, no one wants to be locked in; they want to be able to bank online or send payments electronically without the risk of someone intervening in that transaction and altering payment details for fraudulent purposes.

What is even more surprising is that banks have been sitting on a solution for the last eight years. It is called IdenTrust, which uses PKI-encrypted digital certificates to verify someone is who they say they are.

The advantage of IdenTrust is that the banks behind it have already invested $170 million in ensuring IdenTrust digital certificates are binding in more than 175 countries and interoperable cross-border between banks.

So with a solution to stronger means of authentication staring them in the face and the chance to deliver a single identity management solution instead of a multitude of different ones, why on earth does the industry continue to perpetuate their own proprietary versions of digital certificates and other security technologies that do not actually vouch for someone's identity?

Mind you, if we have entrusted banks with our money, can we entrust them with our identities? The argument in banks' favour is that they already hold a lot of the information necessary to authenticate that someone is who they say they are, although admittedly some of this documentation may be fraudulent.

The security software services industry also has to ask itself does it want to continue to perpetuate solutions that sound like a prop from a James Bond film but are difficult and expensive to implement for widespread use.

Thursday, August 09, 2007

MiFID highlights lack of good practice in outsourcing

Some time back I remember hearing PJ DiGiammarino of the JWG-IT Working Group mention that outsourcing contracts were likely to be impacted by the Markets in Financial Instruments Directive (MiFID).

Then we never heard another whisper about it in a lot of the high level debates about MiFID which tended to focus on best execution, pre- and post-trade reporting and client classification. All worthy subjects, but it appears now that outsourcing and MiFID are finally in the spotlight with a survey by law firm, Field Fisher Waterhouse, revealing that most financial services organisations’ outsourcing agreements still fail to comply with MiFID.

How can that be so? Well Field Fisher Waterhouse says that the main points of failure are that 40% of firms do not have an up-to-date exit management plan in place with their service provider; 36% do not have their regulatory team review its contracts; 33% do not have a service level agreement in place with every service provider; 32% do not regularly test service provider’s disaster recovery; if an outsourcing provider fails to meet regulatory standards, 31% do not have the right to terminate the agreement; and more than 30% of outsourcing agreements do not require the provider to regularly test back up facilities.

These are some pretty glaring oversights, when you consider that irrespective of MiFID and with the buy-side outsourcing more than just non-core back office processes to providers, they do not even bother to question or test whether that provider is able to keep the show on the road if and when a disaster strikes.

Field Fisher Waterhouse technology partner Simon Briskman had this to say to firms nervously scratching their heads wondering how to put this right before the 1 November MiFID deadline:

“In order to achieve the deadline, firms need to engage their suppliers in negotiations now. Many companies have assumed that the outsourcing rules under MiFID are no more than an extension of the current rules and reflect good practice. To some extent this is true and our survey suggests that good practice is often not met in financial services outsourcing.”

Wednesday, August 08, 2007

IdenTrust adoption at inflection point

A couple of years ago in financial-i magazine we did an article aptly titled, 'Whatever Happened To', which alluded to the spate of bank-led initiatives, Identrus (now IdenTrust), Bolero, SWIFT's ePaymentsPlus,, that emerged at the height of the boom only to find that user adoption was not forthcoming.

Some of these solutions, particularly and ePaymentsPlus have since gone to the technological graveyard in the sky, and even those that have survived have had to re-invent themselves to establish a more compelling business case for user adoption.

One of those companies of course is IdenTrust, which with a new name, a new focus and a new CEO, Karen Wendel, formerly of Gemini Consulting, has gone from being a bank-centric organisation to one that is now focused on helping banks deliver more robust identity management solutions to their corporate customers.

Formed in 1999 by leading global cash management banks such as Citi, Bank of America and Deutsche, IdenTrust (then known as Identrus) positioned banks as trusted third parties in B2B e-commerce by establishing policies, rules and guidelines for banks to issue PKI-encrypted digital certificates for authenticating an individual's identity.

IdenTrust's founding banks invested $170 million in developing policies, a legal framework, trusted operations and technology (P.L.O.T.) to create a comprehensive environment for issuing trusted identities based on customer agreements which are enforceable in more than 175 countries.

IdenTrust is the only bank-developed identity authentication platform and unlike other digital ID solutions, it emphasizes the interoperability of its digital certificates and their ability to function cross-border. However, since its formation in 1999 it has suffered from an image problem. Wendel says at the time of its inception, PKI was largely driven by 'techies' more focused on encryption than business applications of PKI.

Early implementations of PKI were also costly and cumbersome to implement, and by the onset of the millennium it had been superseded by cheaper means of authentication such as PIN and password. But as the incidence of identity fraud has increased in recent years, with attacks becoming more sophisticated, Wendel says PKI and IdenTrust are back in favour.

According to Wendel, IdenTrust's digital certificate volume is doubling every year and instead of having to spend $7 million to $10 million just to get started, banks can deploy PKI digital certificates for less than $500,000.

But the real inflection point when it comes to adoption of IdenTrust's identity credentials has to be pressure from major multinationals such as Shell and Merck, weighed down with hundreds of different security tokens and signature cards for logging onto proprietary banking applications.

These companies are asking banks to implement a single ID management solution that is interoperable across multiple banks. As part of a multi-year overhaul of its treasury management operations, Merck is implementing an innovative identity management solution using IdenTrust digital ID credentials and the concept of an "e-vault," to provide an extra layer of security.

Wendel says Shell will also be one of the first corporates to implement a bank account mandate application which has IdenTrust credentials embedded in it. The challenge now for IdenTrust is to encourage banks and software vendors to develop more applications with its digital credentials embedded in them and to get banks to abandon their proprietary PKI technologies.

As more and more corporates communicate with their banking providers via SWIFT, IdenTrust believes it is also well positioned to provide authentication at the individual level for bulk payment transfers via the SWIFT network. Currently SWIFT’s PKI security protocol only provides authentication at the corporate level, so the bank knows, for example, that Company A is sending a payment file, but not the individual within that company that has authorized the payment.

Wednesday, August 01, 2007

SmartStream expands its global footprint

With a number of financial software vendors being bought by private equity outfits, the expectation more or less is that once they are pumped full of venture capital, they will embark on an acquisitions spree.

SunGard has certainly been busy acquiring companies following its acquisition by a consortium of private equity investors led by Silver Lake Partners. Others, however, prefer the more organic approach rather than having to integrate multiple acquisitions.

Following TA Associates' acquisition of 3i's majority stake in UK financial software vendor, SmartStream, acquisitions are not high on newly-appointed CEO Ken Archer's agenda at the moment.

Having been convinced to give up his job as president of European business development for Computer Sciences Corporation, a $4 billion operation, to go and run a smaller UK software outfit, Archer's strategy for the leading reconciliations and STP vendor so far has been to ramp up staffing and to expand the company's global footprint.

Over lunch at the Royal Exchange in London yesterday, Archer said SmartStream would expand its Asian and emerging market presence by establishing a presence in Beijing, China, where it recently signed a major deal with one of the top four banks. It is also increasing its sales strength in Singapore to address the Northern Asian market and there is also potentially going to be an office in Miami to expand sales in South America. SmartStream has also completed a feasibility study for setting up an office in Dubai.

Not many CEOs of financial software companies can boast that they don't really need more customers, but with more than 1000 customers, including 75 of the world's top 100 banks, Archer says it is not so much about acquiring more customers, but about being able to sell more to its existing customer base, and eliminating some of the barriers to straight-through processing via its STP Control Architecture.

Approximately 70% of SmartStream's customers use its Corona platform to address reconciliations challenges. TLM Corona offers the reconciliations functionality of Corona coupled with its thin client web portal, WebConnect. SmartStream boasts that its solutions are able to scale much more efficiently than its competitors, with the ability to process millions of reconciliations an hour in real time.

SmartStream subscribes to the belief that reconciliations are "instrument agnostic" so its solutions tend to span multiple asset classes (cash, securities, FX, derivatives). Utility computing is also an area of increasing focus for the UK software vendor in terms of providing a cost-effective, increasingly scalable solution for the processing-intensive nature of reconciliations.