Setting Out a Vision for Customer Authentication

We all know that "passwords suck", as my colleague Bob Meara stated clearly and succinctly in his recent blog. But what's the alternative – is the answer biometrics or something else?

We do believe that biometrics is part of the answer. However, our vision for authentication – security measures banks take when providing customers access to their services – is broader than that. Mobile devices will play a key role, but for them to be effective tools for authentication, a strong binding between customer identity and the device is essential – unless this step is done correctly, all subsequent authentication efforts are pointless.

We also contend that authentication must be risk- and context-aware. It should take into account what the customer is trying to do, what device they are using, how they are behaving, etc. and assess the risk of fraudulent behaviour. Depending on that assessment, the customer could either gain access or be asked to further authenticate themselves. And while biometrics can and will play an important role, the banks' authentication platforms need to be flexible to support different authentication factors.
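To make the risk- and context-aware flow described above concrete, here is an added example; it is not taken from the Celent report or from any bank's platform. The weights, thresholds, factor names and the `BOUND_DEVICES` registry are assumptions chosen for illustration. It scores a request from its context, discounts the device factor when the device is not bound to the customer, and either grants access or asks for further authentication from a flexible set of factors.

```python
"""Risk- and context-aware authentication decision (added illustration)."""
from dataclasses import dataclass

# Constructed sample data: devices enrolled (bound) to each customer identity.
BOUND_DEVICES = {"cust-1001": {"dev-a1"}}

# Assumed weights and thresholds; a real deployment would tune them on fraud data.
ACTION_RISK = {"view_balance": 5, "payment": 20, "add_payee": 35}
SUPPORTED_FACTORS = ("device", "fingerprint", "face", "otp", "pin")


@dataclass(frozen=True)
class AuthContext:
    customer_id: str
    device_id: str
    action: str                        # what the customer is trying to do
    amount: float = 0.0
    new_location: bool = False
    behaviour_anomaly: float = 0.0     # 0.0 = typical, 1.0 = highly unusual
    factors: frozenset = frozenset()   # factors already verified this session


def device_is_bound(ctx: AuthContext) -> bool:
    """True only if this device was enrolled against this customer identity."""
    return ctx.device_id in BOUND_DEVICES.get(ctx.customer_id, set())


def risk_score(ctx: AuthContext) -> int:
    """Combine action, amount, location, device and behaviour into 0..100."""
    if not 0.0 <= ctx.behaviour_anomaly <= 1.0:
        raise ValueError("behaviour_anomaly must be within [0, 1]")
    score = ACTION_RISK.get(ctx.action, 50)  # unknown actions count as risky
    if ctx.amount > 1000:
        score += 20
    elif ctx.amount > 100:
        score += 10
    if ctx.new_location:
        score += 15
    if not device_is_bound(ctx):
        score += 30
    score += round(ctx.behaviour_anomaly * 30)
    return min(score, 100)


def required_factor_count(score: int) -> int:
    """Higher assessed risk demands more independent factors."""
    if score < 30:
        return 1
    if score < 60:
        return 2
    return 3


def decide(ctx: AuthContext) -> dict:
    """Grant access, or say how many further factors are needed and which qualify."""
    bound = device_is_bound(ctx)
    # Count only supported factors; possession of an unbound device proves
    # nothing about the customer, so it is never counted.
    valid = {f for f in ctx.factors if f in SUPPORTED_FACTORS}
    if not bound:
        valid.discard("device")
    score = risk_score(ctx)
    missing = max(0, required_factor_count(score) - len(valid))
    if missing == 0:
        return {"decision": "allow", "score": score, "missing": 0, "options": []}
    options = [f for f in SUPPORTED_FACTORS
               if f not in valid and (f != "device" or bound)]
    return {"decision": "step_up", "score": score,
            "missing": missing, "options": options}


if __name__ == "__main__":
    samples = (  # constructed requests
        AuthContext("cust-1001", "dev-a1", "view_balance",
                    factors=frozenset({"device"})),
        AuthContext("cust-1001", "dev-a1", "payment", amount=2500,
                    factors=frozenset({"device"})),
        AuthContext("cust-1001", "dev-zz", "view_balance",
                    factors=frozenset({"device"})),
    )
    for ctx in samples:
        print(ctx.action, ctx.device_id, decide(ctx))
```

The third sample shows why binding matters: the same low-risk action from an unenrolled device gets no credit for the device factor and is sent to step-up.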

We outline this vision in more detail in the report published yesterday by Celent, Security, Convenience or Both? Setting Out a Vision for Authentication. In addition, the report discusses:

  • The upcoming PSD2 requirements for strong authentication.
  • The rise of biometrics, including different modalities and device-based vs. server-based implementations.
  • An overview of various standard-setting bodies, such as the FIDO Alliance and the W3C Web Authentication Working Group.

Also, yesterday we launched a new Celent Digital Research Panel survey, this time focused on Authentication and Identity management. The objectives of this survey are to assess amongst the US financial institutions:

  1. Investment drivers for customer authentication and identity management.
  2. Current state and immediate plans around authentication and identity management.
  3. Perspectives on the future for authentication and identity management.

If you already received an email invite, we do hope that you will respond before our deadline of August 8th. If you represent an FI in the US, and would like to take part, but haven't received the invite, please contact us at info@celent.com. We will publish the results in a Celent report, and all respondents will receive a copy of the report, irrespective of whether they are Celent clients or not. We look forward to hearing from you!

EBAday 2016: A Brave New World for Payments

Hosted by the European Banking Association and Finextra, EBAday attracts payments professionals from leading financial institutions and technology providers. This year’s event was held in Milan, Italy, with the theme “A Brave New World for Payments.” Sessions focused on the dilemma facing the payments industry: enhancing existing payment models while preparing for alternative payments and technology.

I had the honor of moderating day two’s strategic roundtable discussing future challenges and opportunities for banks. The panelists were Paolo Cederle, CEO, UniCredit business integrated solutions; Christophe Chazot, group head of innovation, HSBC; and Damian Pettit, RBS head of payment operations.

The panelists felt that there is a disconnect between the limitations of legacy bank infrastructure and the promise of new technologies. With the majority of bank IT budgets spent on maintenance, the challenge is for banks to keep existing systems running while investing in the future. For customers, there is too much complexity, especially in cross-border payments, and customers want an easy experience at minimal cost.

Discussing Faster Payments in the UK, the panelists said the introduction eight years ago has revolutionized payments, completely changing customer behavior and paving the way for new mobile-based services such as Paym, the UK’s mobile payments service offered by seventeen banks and building societies. For countries having implemented immediate payments, real-time is the new norm and with that comes expectation and demand from customers.

With the EU PSD2 payment services provisions looming on the horizon, the discussion turned to the prospect of disintermediation of banks by third-party providers. The panelists were optimistic about the future, and feel that the regulation is helping to steer the banks toward new initiatives and innovation in services, and is a great opportunity to better service customers and push banks up the value chain.

Regarding the question of whether emerging payment models and technology represent an escalating threat, the response was that instant payments bring security challenges. But the panelists overwhelmingly agreed that convenience and speed cannot come at the cost of security; safety and security are absolutely paramount.

The discussion then moved on to the theme of disruption: are payments in a revolutionary or evolutionary phase? The panelists felt it was a bit of both. Revolutionary technologies such as mobile and artificial intelligence are pushing payments along an evolutionary path. And banks have an advantage. The Fintech startups entering the market don't have the direct customer interaction and track record that banks have in safety and security. The banks are running hackathons and are open to working with startups while improving legacy systems and simplifying the customer proposition.

All of the panelists’ banks are members of the R3 blockchain consortium. Blockchain is bringing a new way of working together for banks and technology providers. Each of the panelists is watching the technology closely, and the areas of opportunity cited were the last mile of the payments chain and the trade finance arena.

My take-away from the roundtable was that the global payments industry is transforming. The “brave new world” is one with an imperative to be nimble, keeping your eye on all of the opportunities both for existing payment models as well as alternative technologies. Collaboration is key whether through acquisitions, consortiums, partnerships or open source projects.

Blockchain: Beware the Hype

At Celent, we just published a new research report with the same title as this blog – Blockchain: Beware the Hype. Why such a title? Isn't blockchain the coolest technology out there at the moment?

It is. At Celent, we firmly believe that blockchains and other shared ledger platforms will be a powerful catalyst for change in financial services and other industries for many years to come. There are some very promising use cases, particularly in cross-border payments, corporate banking, and capital markets, and even outside of financial services, in identity management, trade logistics, healthcare, and many other sectors. Even if “blockchain” ends up being a small component of the ultimate solutions, it facilitates new thinking that forces organisations to reimagine how they work, both internally and externally. And that can only be a good thing.

However, we do caution against succumbing to the hype, which is inevitable for any new exciting technologies. Blockchain hype is particularly acute, given the complexities of the underlying technologies. Nobody wants to be left behind when proclaiming the benefits of blockchain, but not everybody truly understands how those benefits can be achieved.

Luckily, the investment going into shared ledger technologies is resulting in a growing number of individuals and organisations lending their collective resources to explore deeply how financial services can benefit from these technologies. Their efforts are directed at exploring practical use cases (e.g. Everledger, Ripple, Shocard), developing new technology and tools (e.g. Ethereum, Intel, Multichain) and building out infrastructure for blockchain initiatives (e.g. IBM, Microsoft), with a number of firms engaged across the board. And the collaborative efforts such as the Hyperledger project or R3 are also bearing fruit – for example, R3 recently announced Corda, a new distributed ledger platform specifically designed for financial services.

We do think that is the way forward: thinking carefully about suitability of technology for the business problem at hand, and deconstructing blockchain technology to its fundamental components only to assemble the most attractive features in a way that makes sense for financial services. That is what will ultimately help us all move beyond the hype.

Celent research clients can access the full report here.

The banking railroad of innovation: Follow the river

I'm a big fan of the old movie classics. The TMC channel was a loyal companion during my graduate school days at the University of Illinois, offering a comforting black and white backdrop to frequent all-day programming sessions, and today I frequently call on TMC to get me through my daily hour-long treadmill sessions.

This weekend TMC offered up Jimmy Stewart as railroad detective Grant McLaine in 1957's Night Passage. In this classic Western, McLaine was fired in disgrace over a railroad robbery carried out by his estranged brother, only to be offered a second chance to prove his loyalty to the railroad by being the courier for a large cash payroll being sent to the workers at the rail head.

Grant's companion during the critical train ride to the rail head was young Joey.  Riding with Grant on a flatbed car as the train twisted and turned through the Rocky Mountains, Joey asked Grant how the railroad builders knew the best route through the harsh terrain.  This question gives Jimmy Stewart the rare opportunity to showcase his singing and accordion-playing skills as he responds by singing a song called "Follow The River".  The song ends with the chorus:

"Follow the river,
Wherever you may be,
Follow the river back to me."

Just as the railroad builders used the river to guide the design and layout of the early railroads, bankers have used technology to guide how banking services are designed and built.  In an interesting bit of historical irony, the first use of machine-based bank processing was being rolled out by the Bank of America just as Night Passage was hitting the movie theaters.

The system was called ERMA (Electronic Recording Method of Accounting), a machine-driven approach to electronically reading checks and processing the bank's accounts.  ERMA was co-developed by Bank of America and the Stanford Research Institute, launched in 1958, and was able to process 50,000 accounts per day.  While ERMA's initial capacity was small by today's standards, in those days, it represented an outlandish number in comparison with 10,000 accounts per month that BOA estimated it could process using existing paper-based manual methods.

ERMA ushered in the era of Big Iron in banking (a term also used to describe railroad locomotives), as improvements in the speed and capacity of what we today call the mainframe computer facilitated the rapid growth of the large banks during the 1960s and 70s.  Mainframe computers running programs powered by Rear Admiral Grace Hopper's newly developed Common Business Oriented Language (COBOL) became the river that banks followed when planning and building new banking systems like Electronic Payments (EFT), Electronic Tellers (ATM), and others to meet emerging customer demands.

Mainframe computers are interesting from an operational processing perspective in that data (specifically customer accounts and daily transaction data) takes a while to load, but once loaded, accounts can be processed at a lightning-fast rate. While ERMA could process only 50,000 accounts in a day, modern mainframes can process millions of accounts in a matter of a few hours. COBOL itself as a programming language was scorned nearly from Day One by the computer science cognoscenti as a crude and unstructured way to build an enterprise system.

In 1975, a respected Dutch computer scientist named Edsger Dijkstra made the famous comment that: "With respect to COBOL you can really do only one of two things: fight the disease or pretend that it does not exist," before concluding, "the use of COBOL cripples the mind; its teaching should therefore be regarded as a criminal offense." Despite the withering criticism from academia, mainframe vendors and banks moved forward on the basis that the systems simply worked.

Throughput is the key to understanding how high-volume banking systems and today's railroad system work.

A case in point is the Canadian National railroad's purchase in 2007 of the Elgin, Joliet & Eastern Line (EJE) to facilitate its rail connection of parts east and west through Chicago. While the distance from Gary, Indiana to Waukegan, Illinois is only 70 miles by car, CN now connects these points using EJE's 198 miles of track. This makes no apparent sense until you consider that CN is now able to route cross-country trains around the busy hub of Chicago, where previously CN endured a variety of operational restrictions and traffic jams arising from the many at-grade crossings through the congested urban core. To CN, routing traffic around Chicago rather than through Chicago resulted in more throughput and fewer train delays, more than compensating for the additional mileage.

And so it has gone for banking processing. The use of oft-criticized COBOL and the unique operating characteristics of mainframe computers were tolerated as there were no other alternatives for banks requiring reliable processing at very high scale. That is, until recently.

Just as the river in Night Passage twisted and turned through the Rockies, the path of technological progress has twisted in an unexpected way to many bankers, as cloud services are now challenging the hegemony of mainframe-based banking systems. While a top-of-the-line mainframe computer can be purchased with more than 100 lightning-fast processors, a bank can "rent" thousands, even tens of thousands, of processors for 10 minutes, 10 days, or 10 years. Using software that is tuned to manage the distributed processing of bank accounts across thousands of virtual machines, banks can now meet and exceed the enormous throughput of their mainframe computers at a fraction of the cost.

The king of mainframe computing, IBM, clearly understands and has responded to the changing role of the mainframe in banking. During the 50th Anniversary celebration of the mainframe in 2014, IBM rolled out its new vision of the mainframe as an uber-sized cloud server, allowing for the hosting of several thousand virtual machines at one time. Last summer, IBM upped the ante with the announcement of IBM LinuxONE Emperor, a z13-based server allowing for up to 8,000 virtual machines to be hosted on a single machine.

While banks have experimented with cloud services to varying degrees, most of the innovation has taken place at the channel services level, with new online and (particularly) mobile banking applications getting a technology refresh through the unique benefits of cloud services. While each bank will need to build its own business case for the gradual porting of COBOL-based account processing systems to modern programming languages that are "cloud-ready", it is clear that cloud-based account processing will allow the level of agility in product development that is increasingly called for as channel and payment systems continue to evolve.

Cloud-backed innovation in back office systems has been slow to develop, with many banks citing security and the fear of regulatory issues as inhibitors to adoption. As the recent two-part Celent report Banking in the Cloud: Between Rogues and Regulators establishes, regulators in fact do not have any objections to banks hosting their banking services in the cloud, provided that banks follow the same standard of care (including encryption, access controls, data masking, etc.) that they apply in their own data center.

In time, I expect that the banking railroad will continue to follow the river of innovation that is now leading us directly into the age of cloud services. The proven yet inflexible COBOL-based systems that have served the industry reliably for 50 years will be replaced with agile and cloud-ready account processing platforms that will over time both reduce costs and drive the service quality improvements that banks will need to compete and survive in the increasingly competitive world of financial services.

Digital banking is ready to take off in Latin America

Digital is the new reality in Latin America. In a recent Celent survey, 100% of the participants recognized that a scenario where all financial products get digitized needs to be addressed sometime in the next 7 years, and 59% of them believe it needs to be addressed immediately. There is also a general consensus that most banks are entering into Digital late, although some are already moving in that direction. The threat of fintechs is also a reality. Over 80 fintechs in Brazil and 60 in Colombia are a good indication that the industry is already being challenged beyond incumbents.

In other geographies, banks have responded to this threat by becoming extremely digital, and neo-banks have also been launched to attract those customers seeking a friendlier and more digital relationship with their financial institution. Atom Bank in the UK, Fidor Bank in Germany, and mBank in Poland are only a few to mention. In Latin America the major milestones in Digital development we had seen were Nubank (Brazil – Market Cap $500M) and Bankaool (Mexico – ~$142M in assets), until March of 2016 when Banco Original (~$1,67Bn in assets) launched in Brazil.

While Nubank is focused entirely on offering a credit card with a customer-friendly, personalized real-time view of expenses and modern contact channels (email, call or chat), Bankaool is mainly focused on a checking account with a debit card, SME loans and investment vehicles.

Banco Original is the 3rd step in this digital-only bank strategy in the region, becoming the 1st universal digital-only bank in Latin America. As part of its strategy to position the bank as different and innovative, they launched this advertising campaign featuring Usain Bolt. As part of a strategic definition in 2013, the bank started a ~$152M investment over the period of 3 years to become a digital bank. They launched in March of this year. The bank has no branches and the interaction is 100% through digital channels and a call center. This move was central to its strategy of becoming a universal bank, moving away from being solely focused on agribusiness.

While most neo-banks and fintechs looking to change the customer experience in financial services have adopted in-house development to support their digital strategy, this is not the case for Banco Original, which relied on a 3rd party Open API solution. Commercially available solutions that can support a digital-only bank mean that as an industry we are ready to take off. There is no reason now why other banks should not follow, and software vendors will do their part pushing their offering into banks of all sizes.

I believe that we are at a tipping point where banks in Latin America will need to re-think their investments and strategies towards digital: the threat is now real.

Two upcoming reports will be covering Digital and a couple of disruptive scenarios in the banking industry in Latin America, so expect to have more information soon if you are a Celent customer. If you would like to become a Celent customer please contact Fabio Sarrico (fsarrico@celent.com).

Top trends in corporate banking webinar

Please join me on Thursday, April 21st at noon EST for an overview of the 2016 edition of our Top Trends in Corporate Banking report, which was published in March.

Corporate banks continue to place an enormous focus on investing in digital channels to meet the ever-increasing demands of clients for enhanced tools while boosting security and fraud prevention. Despite this investment, corporate banking has lagged in terms of adoption of innovative technologies. To improve that performance, corporate banking lines of business are undertaking a broad set of initiatives to overcome the inertia that has left clients behind in terms of innovation. Among the top trends, we will examine the opportunities in trade finance and customer onboarding for improving efficiency and enhancing client satisfaction.  Other top trends include fintech partnerships, distributed ledger technology and open APIs and adapting liquidity management strategies.  I look forward to having you join us on Thursday! 

Click here to register

Congratulations to Celent Model Bank 2016 Winners!

Last week many of us at Celent were in New York attending our Innovation and Insight Day on April 13th. It is Celent's flagship event during which we announce Model Bank and Model Insurer winners and celebrate their achievements. In addition, the program includes keynote speeches from industry leaders and Celent analysts, plenty of opportunities to network with peers, and even to experience some of the latest technologies first hand, courtesy of our sponsors.

The theme of this year's event was "Financial Services Reborn", and the Museum of American Finance on Wall Street provided an inspiring setting to celebrate innovation in financial services. Craig Weber, Celent CEO, kicked off the proceedings drawing insightful parallels between the battle of Alamo and the future of financial services. It must have been the first time in Craig's career that he had to come up on stage to the soundtrack of hip hop music, an extract from the Broadway musical "Hamilton", but it set the tone for the rest of the day – to expect the unexpected and to be open to new ideas.

Both of our guest speakers – Nadeem Shaikh, Co-Founder and CEO of Anthemis Group, and Leanne Kemp, Founder and CEO of Everledger – thrilled the audience and opened everyone's eyes to the opportunities presented by Fintech and Blockchain respectively, while our colleague Will Trout spoke eloquently about consumer-led convergence. A big 'thank you' to all the speakers, as well as the sponsors supporting the event!

The rest of the day was all about celebrating the achievements of Model Bank and Model Insurance award winners. As many of this blog's readers know, the vision for Celent’s Model Bank research, now in its ninth year, is to spotlight effective uses of technology in banking. This year we received a record number of submissions – well over 100 – that came from all over the world; the nominations were spread equally between North America, EMEA and APAC. The award winners come from four continents and nine countries and range from credit unions and microfinance institutions to the world's largest banks.

Celent Model Bank 2016 winners are:

  1. Digital Banking Transformation: Citizens Bank, US; DenizBank, Turkey; Garanti Bank, Turkey; Santander, US
  2. Omnichannel Banking: BECU, US; Beyond Bank, Australia; Standard Chartered Bank, Korea
  3. Digital Payments and Cards: Bank of America Merrill Lynch, US; RBC, Canada
  4. Corporate Payments and Infrastructure Modernization: Bank of China, China; CBW Bank, US
  5. Cash Management and Trade Finance: CIBC, Canada; HBL (Habib Bank), Pakistan
  6. Security, Fraud, and Risk Management: Alfa-Bank, Russia; USAA, US
  7. Legacy Transformation: Sberbank, Russia; Umpqua Bank, US; Vietnam Bank For Social Policies, Vietnam

  Model Bank of the Year: Eastern Bank, US

As always, we published a series of reports with detailed case studies of all winning initiatives. Celent research subscription clients can access the Model Bank of the Year and individual category reports via our website.

This year we also introduced a new award, Model Bank Vendor. We wanted to acknowledge the vendor role in helping multiple clients achieve technology or implementation excellence, one of our judging criteria, and to extend our appreciation to the entire vendor community, which is instrumental in the ongoing success of the Model Bank program. Celent recognized two companies as Model Bank Vendors for 2016:

  • EdgeVerve Systems
  • Nucleus Software

Congratulations to all our award winners! We are grateful to have been exposed to so many extraordinary initiatives and the talented individuals responsible for their success. We look forward to continuing with the Model Bank program next year to identify and award the most impressive banking technology initiatives from around the world, and will begin accepting nominations again in September – stay tuned!

The iPhone, the FBI, and the lessons for bankers

With today’s news comes the interesting development that the FBI has apparently used a “tool” acquired from an unnamed third-party white hat security firm to gain access to the locked iPhone of one of the San Bernardino shooters without requiring Apple’s cooperation.  This issue had been the subject of a recent tug-of-war between Tim Cook and the US Department of Justice.

While FBI Director James Comey has been mum on the details, some in the IT security community have speculated that the new tool employs a so-called “brute force attack” on the iPhone by sequentially guessing the device’s passcode until the device unlocks itself.  While the lock-out feature is user-configurable, an iPhone running the current version of iOS will normally give the user 10 chances to input  the passcode correctly before permanently locking the user out while deleting all user data from the device.

Cloud services to the rescue. The speculation is that the newly acquired FBI tool was able to get around this measure by simply cloning the software from the perpetrator’s iPhone, including the operating system and all of the user data files, hundreds or thousands of times and performing what is effectively a “distributed brute force attack” by repeatedly guessing passcodes from a master checklist across the clones in parallel. When an individual clone becomes locked, that clone is discarded and the tool continues the guessing game with other clones on a reduced list of candidate passcodes until one of the guesses finally works.

The likely reason why the FBI has apparently succeeded is the fact that the perpetrator’s passcode was static, meaning it didn’t change during the course of the many times that the FBI tried one guess after another.  (In this context, it was important that the perpetrator was caught, as otherwise  he would have changed his passcode and/or wiped the data remotely, a capability that Apple provides to all iPhone users.)

What does this have to do with banking security?  As demonstrated by the success of the FBI’s  new white hat tool in breaking Apple’s device security, the simple reality of data protection is that no encryption technique is foolproof, particularly from the threat of a brute force attack.

Given the power of the cloud to solve a large computational problem like guessing a large encryption key using a cloud-based “divide and conquer” approach, bankers need to pay attention to the need to employ strong encryption keys while rotating their keys on a regular basis.

The definition of “regular basis” will depend on the sensitivity of the data to be protected, but one thing is for sure:  the bank that creates an enterprise encryption key once and thinks the bank is protected forever is dangerously vulnerable to a future cyber attack based on a distributed brute force technique such as the one that was quite possibly used by the  FBI’s white-hat vendor.

Given the importance of encryption to maintaining a safe and FFIEC-compliant environment for the safekeeping of NPI, and especially in light of the emergence of  services like Blockchain that are dependent on encryption for success, banks ought to be paying close attention.

The new 4 C’s of commercial lending

Last week, I participated in a Finextra webinar on the topic of “Connected Credit and Compliance for Lending Growth” with panelists from ING, Vertus Partners, Misys and Credits Vision.  As I prepared for the webinar, I thought back to my first exposure to commercial lending when I worked for a large regional bank and I recalled the 4C’s of commercial lending from credit training:  character, capacity, capital and collateral.  All of those original 4C’s are still relevant in today’s environment when evaluating borrowers, but when considering the state of the commercial lending business in 2016, we need to think about an entirely new set of 4C’s:
  • Constraints on capital and liquidity
  • Cost of compliance
  • Changing client expectations
  • Competition from new entrants
On a global basis, banks are being forced to restructure their business models, technology platforms, and organizational processes in order to grow their portfolios, remain profitable, and stay in the good graces of their regulators. All the while, they must meet the evolving demands of clients who can view and manage their personal finances on demand, at their convenience, using the device of their choice. Despite these challenges, the panel remains optimistic that banks can and will evolve to grow this critical line of business.

Where does this optimism come from? Alternative lenders provide both a threat and an opportunity for banks as they make the difficult decisions on whether and how to serve a particular segment of the commercial lending market. Fintech partners offer more modern solutions than the decades-old clunkers that many banks still use, providing for more efficient and accurate decisioning, enhanced visibility and processing within the bank, and, where appropriate, self-service capabilities. Connectivity with clients and partners will increasingly be the hallmark of a successful commercial lender.

For more insights from the panel, please register for the on-demand version of the webinar here: Finextra: Connected Credit and Compliance for Lending Growth.