The high-profile theft of client data from several private banks has brought the importance of data security into sharp focus. Alison Ebbage finds banks walking a tight line between guarding client confidentiality, meeting transparency regulations and staying cost efficient.
Data security is near the top of the priority list for an industry that prizes confidentiality above all else. But a perceived conflict has developed as regulators demand greater disclosure and banks redouble their privacy and security efforts.
All this is occurring as wealth businesses need to consolidate systems for greater efficiency. How then can private banks work to satisfy all three requirements?
The credit squeeze on the Swiss private banking industry in the past three years has led to a 40% reduction in margins, says Daniel Bardini, president of SunGard’s Ambit private banking business unit. Running a streamlined and efficient business is more important than ever. In addition, tax authorities are demanding more transparency and requiring offshore operations and investors to fully declare their activities and positions.
The US HIRE Act and the extension of the EU Savings Directive are two current examples. Both of these long-term trends require consolidation and centralisation of systems to allow for better audit trails and transparency, as well as cost savings.
Data theft dangers
Fabrice Bidard, product manager and global partner manager at software vendor Temenos, says one of the biggest challenges is marrying the wealth management trend to consolidate systems with the need to keep data secure.
“To do this, all the data needs to be both centrally maintained for cost effectiveness and physically segregated for security. The issue is that you save money by holding data centrally – but it then becomes less secure,” he says.
To hold core client data alongside other data is highly dangerous. This was demonstrated in March last year when an ex-employee of HSBC’s Swiss bank stole the details of an estimated 15,000 client accounts, dating back to 2005 and 2006, from its Swiss branch.
The bank has gone on to spend close to $100m on upgrading its security since 2006. Late last month, HSBC Private Bank (Suisse) was officially reprimanded by the Swiss Financial Market Supervisory Authority after a year-long investigation into the theft found deficiencies in HSBC’s internal organisation and oversight of its IT activities that resulted in a serious breach of the bank’s licensing requirements.
“It can seem like an impossible equation,” says Bardini. “Private banks obviously have to be compliant but data security for an industry founded on privacy does keep chief executives awake at night.”
Indeed, it is only with recent technological gains that security has become such a big issue. Historically, data was kept physically separate. Up to the mid-1990s, there was no core data online.
But the business case for introducing straight-through processing (STP) and process optimisation meant that core data was then brought into the system and onto production databases, creating the potential for exposure. Even then, private banks continued to work to the ‘cell’ principle, restricting the amount of sensitive information available to any single individual.
Regulation drives security
Software providers say that far from being at odds with each other, compliance and security go hand in hand and that in many cases, regulation is there to enforce security.
Amichai Shulman, chief technology officer at data protection specialist Imperva, says banks have often taken a separate approach to compliance and security.
“But a lot of the regulation coming out now, such as PCI-DSS for payment card data security, or even the 1999 GLBA (Gramm-Leach-Bliley Act also known as the Financial Services Modernisation Act) in the US, is actually aimed at having clear audit streams and thus protecting data and customer privacy.
“If you take the compliance process seriously, you improve security too,” he says.
Systems such as Imperva’s aim to provide better web security via a web application firewall that looks at the interface between a customer and an application, rather than an HTTP portal. It also offers a database firewall that protects access to the database and monitors what data is being extracted and when.
Key to this is the ability for firms to set their own policies according to their own criteria.
Anything deviating from that policy (the time or day of access, or the amount or content of the data extracted, for example) is automatically flagged. The system also monitors access to file servers, creates independent audit silos and applies custom-made security policies.
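As an added illustration (not Imperva's product, nor material from the article), the following runs a constructed database audit trail through the kind of policy described above: allowed hours per role, a ceiling on rows returned, and columns a role must never read. The log format, role names, hours and thresholds are all assumptions made for the example.

```python
from datetime import datetime

# Constructed policy (not any vendor's or bank's): allowed clock hours per role
# (inclusive), the most rows one query may return, and columns a role must never read.
POLICY = {
    "rm":         {"hours": (7, 19), "max_rows": 200,  "forbidden": set()},
    "backoffice": {"hours": (8, 18), "max_rows": 5000, "forbidden": {"client_name"}},
}

def parse_event(line):
    """Parse a constructed audit line: '<iso ts> <user> <role> <table> <rows> <col,col,...>'."""
    ts, user, role, table, rows, cols = line.split(" ", 5)
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "table": table, "rows": int(rows), "columns": set(cols.split(","))}

def check_event(event, policy=POLICY):
    """Return the policy violations for one event; an empty list means compliant."""
    rule = policy.get(event["role"])
    if rule is None:                       # no policy for this role: always flag
        return ["unknown role"]
    reasons = []
    start, end = rule["hours"]
    hour = event["ts"].hour
    if not start <= hour <= end:           # query outside the role's working hours
        reasons.append(f"access at {hour:02d}:00 outside {start:02d}-{end:02d}")
    if event["rows"] > rule["max_rows"]:   # bulk extraction far beyond normal use
        reasons.append(f"{event['rows']} rows exceeds limit {rule['max_rows']}")
    leaked = event["columns"] & rule["forbidden"]
    if leaked:                             # content this role should never see
        reasons.append(f"forbidden columns {sorted(leaked)}")
    return reasons

def flag_events(lines, policy=POLICY):
    """Run an audit trail through the policy; return {user: [reasons]} for offenders."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        reasons = check_event(event, policy)
        if reasons:
            hits.setdefault(event["user"], []).extend(reasons)
    return hits

# Constructed sample audit trail: a normal RM lookup, a late-night bulk pull
# that includes client names, and a back-office query reading the name column.
SAMPLE_LOG = [
    "2011-03-14T10:15:00 rm_alice rm accounts 12 account_id,balance",
    "2011-03-14T23:40:00 rm_bob rm accounts 15000 account_id,client_name,balance",
    "2011-03-14T11:05:00 bo_carol backoffice accounts 300 account_id,client_name",
]
```

Calling `flag_events(SAMPLE_LOG)` flags rm_bob twice (after-hours access and an oversized result) and bo_carol once (the forbidden column), while rm_alice passes.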
The end result is that data from all depositaries can be captured and dealt with for compliance and monitored for security at the same time. Avaloq, a Swiss-based technology provider, is another major player in the market and its systems are being adopted by Coutts and Adams in the UK.
A Coutts spokesperson says the Avaloq system deals with the privileges the bank gives staff both in the process they are able to operate as well as the client information they can see.
“The system is backed up by an excellent audit trail and, as part of that, we are using smart cards and soft certificates to grant access and will enhance our online offering too in terms of security,” says Coutts’ spokesperson.
Segmentation is critical at Asia-based DBS Bank too.
“We segment data internally so that a relationship manager can see only their own clients. In the back office, we look to remove the customer name which removes some of the risk,” says Sandra Stonham, DBS’s managing director of technology and operations. “We also have a segregated datacentre with limited employee access. We even segregate data for testing purposes so that nothing is identifiable and that nothing can be pieced together.”
Even if internal security can be managed more or less effectively, the demand for multi-channel access is another potential security minefield.
Both clients and relationship managers now demand remote access to systems from laptops, iPads and smartphones, leaving systems vulnerable to hackers and cyber attacks.
Using web application firewalls helps. But education is also a key factor in that users are sometimes simply unaware of the risks of leaving devices without proper password protection.
Using two-factor authentication on devices is now common. This is essentially where a user has to verify their identity in two steps, for instance using a personal password and a keypad device. The combination of the two makes an online platform more secure than a password alone.
The use of network segmentation, where the bank provides different layers of access so that on initial entry the user is admitted to an ‘empty zone’ and has to provide further verification before getting past the firewall, is also growing. All data ‘leaving the building’ can also be encrypted, and devices can be locked or even wiped instantly.
Bidard agrees access to data from multiple channels is a challenge.
“It is not just the clients but also the wealth managers who are travelling and want to use iPads which are harder to protect than laptops. We have a prototype iPhone app which will encrypt data while it is being transmitted while leaving enough clear information to ensure that the message actually gets through.”
One of the biggest issues with multi-channel access is unintentional hardware loss, rather than intentional data theft. This occurs when a laptop or a phone is left somewhere public or otherwise goes missing. This can potentially be even more embarrassing for the bank concerned.
At DBS, Stonham says, the bank runs education and awareness programmes internally that look to reduce unintentional loss.
“But it is important to recognise that there is no magic bullet and that human errors will always happen,” says Stonham.
Delayed response times
Adding layers of security means longer response times as data is encrypted or decrypted and access permissions granted.
Segregation also means that software needs more time to bring segregated core data together for know-your-customer (KYC), reporting or audit purposes and then siphon it off again. A longer time frame also means more cost.
“Clients are trying to segregate data and also implement heavy internal access policies and that does have a time and cost implication,” says Martin Endgall, director of product marketing at Advent, a software vendor.
“One private bank which has just installed our software had a delay of several months over data security process issues.”
Cloud computing to the rescue?
A solution to the clash between security, transparency and cost efficiency may lie in an area that has been hotly debated for its security concerns, the Cloud. The money to be saved by outsourcing non-core functions or processes to the Cloud could then be used to invest in top quality security software and processes.
Clearly core data would need to be retained in-house, but potentially it could be an efficient solution as long as the link between the core and non-core data is secure. Bardini says SunGard launched a Cloud-type offering last year which aims to provide robust security along with an on-demand functionality for its suite of solutions.
“It is a move in the right direction and works because we already have the segregation embedded into our software offering. It is just the way that clients access it that changes. We have got one major client and another will shortly follow,” he says.
The dichotomy between data security and compliance is not an easy one to bridge, but a by-product of current technological advances such as the Cloud may well be the solution in the form of new processes and ways of protecting data at, for example, the point of access rather than the firm’s firewall.