The high-profile theft of
client data from several private banks has brought the importance
of data security into sharp focus. Alison Ebbage finds banks
walking a tight line between guarding client confidentiality,
meeting transparency regulations and staying cost
efficient.

 

[Box: how banks scored poorly in a web security survey]

Data security is near
the top of the priority list for an industry that prizes
confidentiality above all else. But a perceived conflict has
developed as regulators demand greater disclosure and banks
redouble their privacy and security efforts.

All this is occurring as wealth
businesses need to consolidate systems for greater efficiency. How
then can private banks work to satisfy all three requirements?

The credit squeeze on the Swiss
private banking industry in the past three years has led to a 40%
reduction in margins, says Daniel Bardini, president of SunGard’s
Ambit private banking business unit. Running a streamlined and
efficient business is more important than ever. In addition, tax
authorities are demanding more transparency and requiring offshore
operations and investors to fully declare their activities and
positions.

The US HIRE Act and the extension
of the EU Savings Directive are two current examples. Both of these
long-term trends require consolidation and centralisation of
systems to allow for better audit trails and transparency, as well
as cost savings.

Data theft dangers

Fabrice Bidard, product manager and
global partner manager at software vendor Temenos, says one of the
biggest challenges is marrying the wealth management trend to
consolidate systems with the need to keep data secure.

“To do this, all the data needs to
be both centrally maintained for cost effectiveness, but physically
segregated for security. The issue is that you save money by
holding data centrally – but it then becomes less secure,” he
says.

To hold core client data alongside
other data is highly dangerous. This was demonstrated in March last
year when an ex-employee of HSBC’s Swiss bank stole the details of
an estimated 15,000 client accounts, dating back to 2005 and 2006,
from its Swiss branch.

The bank has gone on to spend close
to $100m on upgrading its security since 2006. Late last month,
HSBC Private Bank (Suisse) was officially reprimanded by the Swiss
Financial Market Supervisory Authority after a year-long
investigation into the theft found deficiencies in HSBC’s internal
organisation and oversight of its IT activities that resulted in a
serious breach of the bank’s licensing requirements.

“It can seem like an impossible
equation,” says Bardini. “Private banks obviously have to be
compliant but data security for an industry founded on privacy does
keep chief executives awake at night.”

Indeed it is only with recent
technological gains that security has become such a big issue.
Historically data was kept physically separate. Up to the
mid-1990s, there was no core data online.

But the business case for introducing
straight-through processing (STP) and process optimisation meant
that core data was then brought into the system and onto
production databases, opening it to potential exposure. Even then,
private banks continued to work on the ‘cell’ principle,
restricting the amount of sensitive information available to any
single individual.

 

Regulation drives security

[Box: three steps to improve data security]

Software providers
say that far from being at odds with each other, compliance and
security go hand in hand and that in many cases, regulation is
there to enforce security.

Amichai Shulman, chief technology
officer at data protection specialist Imperva, says banks have
often taken separate approaches to compliance and security.

“But a lot of the regulation coming
out now, such as PCI-DSS for payment card data security, or even
the 1999 GLBA (Gramm-Leach-Bliley Act also known as the Financial
Services Modernisation Act) in the US, is actually aimed at having
clear audit streams and thus protecting data and customer
privacy.

“If you take the compliance process
seriously, you improve security too,” he says.

Systems such as Imperva’s aim to
provide better web security via a web application firewall that
looks at the interface between a customer and an application,
rather than an HTTP portal. It also offers a database firewall that
protects access to the database and monitors what data is being
extracted and when.

Key to this is the ability for
firms to set their own policies according to their own
criteria.

Anything deviating from that policy (the time or day of access,
or the amount or content of the data pulled, for example) is
automatically flagged. The system also monitors access to file
servers, creates independent audit silos and applies custom-made
security policies.

The end result is that data from
all depositaries can be captured and dealt with for compliance and
monitored for security at the same time. Avaloq, a Swiss-based
technology provider, is another major player in the market and its
systems are being adopted by Coutts and Adams in the UK.

A Coutts spokesperson says the
Avaloq system deals with the privileges the bank gives staff both
in the process they are able to operate as well as the client
information they can see.

“The system is backed up by an
excellent audit trail and, as part of that, we are using smart
cards and soft certificates to grant access and will enhance our
online offering too in terms of security,” says Coutts’
spokesperson.

Segmentation is critical at
Asia-based DBS Bank too.

“We segment data internally so that
a relationship manager can see only their own clients. In the back
office, we look to remove the customer name which removes some of
the risk,” says Sandra Stonham, DBS’s managing director of
technology and operations. “We also have a segregated datacentre
with limited employee access. We even segregate data for testing
purposes so that nothing is identifiable and that nothing can be
pieced together.”
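The three segmentation measures Stonham describes (relationship managers see only their own clients, the back office works without the customer name, and test data is made unidentifiable), as an added example that is not DBS's code; the client rows are constructed.

```python
"""Role-based segmentation of client data along the lines the DBS quote above
describes. Added illustration, not the bank's code; all rows are constructed."""
import random
import secrets

# Constructed client master records: booking relationship manager (rm) plus
# the identifying fields that back office and test environments must not see.
CLIENTS = [
    {"client_id": "C001", "name": "Sample Client One", "account": "CH-0001",
     "rm": "rm_alice", "balance": 1_250_000},
    {"client_id": "C002", "name": "Sample Client Two", "account": "CH-0002",
     "rm": "rm_bob", "balance": 3_400_000},
    {"client_id": "C003", "name": "Sample Client Three", "account": "CH-0003",
     "rm": "rm_alice", "balance": 780_000},
]
IDENTIFYING = ("name", "account")

def view_for_rm(rows, rm_id):
    """Front office: a relationship manager sees only clients booked to them."""
    return [dict(r) for r in rows if r["rm"] == rm_id]

def view_for_back_office(rows):
    """Back office: keeps client_id and account for processing, drops the name."""
    return [{k: v for k, v in r.items() if k != "name"} for r in rows]

def view_for_test(rows):
    """Test environment: identifiers reissued at random, balances reduced to
    bands and row order shuffled, so nothing can be joined back to production."""
    out = []
    for r in rows:
        t = dict(r)
        t["client_id"] = "T" + secrets.token_hex(3)
        for k in IDENTIFYING:
            t[k] = "X-" + secrets.token_hex(3)
        t["balance"] = (r["balance"] // 500_000) * 500_000   # band, not value
        out.append(t)
    random.shuffle(out)
    return out

def leaks_identity(view, production=CLIENTS, fields=IDENTIFYING):
    """True if any of the given identifying values from production survive in the view."""
    secret = {r[k] for r in production for k in fields}
    return any(v in secret for r in view for v in r.values())
```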

 

Multi-channel minefield

Even if internal security can be
managed more or less effectively, the demand for multi-channel
access is another potential security minefield.

Both clients and relationship
managers now demand remote access to systems from laptops, iPads
and smartphones, leaving systems exposed to hackers and cyber
attacks.

Using web application firewalls
helps. But education is also a key factor in that users are
sometimes simply unaware of the risks of leaving devices without
proper password protection.

Two-factor authentication on
devices is now common. The user has to verify their identity in
two steps, for instance with a personal password and a keypad
device. Combining the two factors increases security and makes an
online platform harder to compromise.

The use of network segmentation,
where the bank provides different layers of access so that on
initial entry the user is admitted only to an ‘empty zone’ and has
to provide further verification before getting past the firewall,
is also growing. All data ‘leaving the building’ can also be
encrypted, and devices can be locked or even wiped instantly.

Bidard agrees access to data from
multiple channels is a challenge.

“It is not just the clients but
also the wealth managers who are travelling and want to use iPads
which are harder to protect than laptops. We have a prototype
iPhone app which will encrypt data while it is being transmitted
while leaving enough clear information to ensure that the message
actually gets through.”

One of the biggest issues with
multi-channel access is unintentional hardware loss, rather than
intentional data theft. This occurs when a laptop or a phone is
left somewhere public or otherwise disabled by its user. This can
potentially be even more embarrassing for the bank concerned.

At DBS, Stonham says, the bank runs
education and awareness programmes internally that look to reduce
unintentional loss.

“But it is important to recognise
that there is no magic bullet and that human errors will always
happen,” says Stonham.

 

Delayed response times

Adding layers of security means
longer response times as data is encrypted or decrypted and access
permissions granted.

Segregation also means that
software needs more time to bring segregated core data together for
know-your-customer (KYC), reporting or audit purposes and then
siphon it off again. A longer time frame also means more cost.

“Clients are trying to segregate
data and also implement heavy internal access policies and that
does have a time and cost implication,” says Martin Engdal,
director of product marketing at Advent, a software vendor.

“One private bank which has just
installed our software had a delay of several months over data
security process issues.”

 

Cloud computing to the rescue?

A solution to the clash between
security, transparency and cost efficiency may lie in an area that
has been hotly debated for its security concerns, the Cloud. The
money to be saved by outsourcing non-core functions or processes to
the Cloud could then be used to invest in top quality security
software and processes.

Clearly core data would need to be
retained in-house, but potentially it could be an efficient
solution as long as the link between the core and non-core data is
secure. Bardini says SunGard launched a Cloud-type offering last
year which aims to provide robust security along with an on-demand
functionality for its suite of solutions.

“It is a move in the right
direction and works because we already have the segregation
embedded into our software offering. It is just the way that
clients access it that changes. We have got one major client and
another will shortly follow,” he says.

The dichotomy between data security and compliance is not an
easy one to bridge, but a by-product of current technological
advances such as the Cloud may well be the solution in the form of
new processes and ways of protecting data at, for example, the
point of access rather than the firm’s firewall.