
Solving The Data Security Dilemma

Lynne Landau, Temenos, Product manager, 10 November 2011


Client confidentiality and data security are central features of wealth management but pressures in the industry create new problems - and opportunities. Temenos, the technology firm, examines the issues.

Client confidentiality and data security are implicit within any banking relationship. From a bank perspective, data security is critical but it is seldom a source of competitive advantage. When data security appears in the spotlight it is often for the wrong reasons. Several high-profile private client data thefts have served as a wake-up call for the industry to elevate data security on the corporate agenda. Is the industry doing enough? Lynne Landau, product manager of Temenos Private Wealth Management, puts the case for collaboration.

Private banks have worked hard to improve levels of data security. A lot has been achieved but more can be done.  Banks must continue to review data security and to implement new measures to keep data safe. But their technology partners can help them achieve more, faster. How? Their unique position at the heart of private banking means that technology partners can drive a best practice approach to ensure that the industry stays one step ahead of hackers and cyber attacks.

Legislation, legislation, legislation…

Recent regulations demand that private banks know more about their clients. The quantity and complexity of legislation is continually increasing – as soon as MiFID was implemented, consultation began on MiFID II. Emerging legislative initiatives, like the Foreign Account Tax Compliance Act (FATCA), also require more client data to be stored.

Banks are aware of the swelling costs of legislative compliance, and data security is a by-product of this. Increasing costs are especially unwelcome at this time of compressed margins. Can banks guard client confidentiality, meet regulatory requirements and remain cost efficient? Probably, but success may require a fresh approach.

All eggs in one basket?

Private banks often hold client data in a single location for good reasons. Quite apart from legislative requirements, such as KYC [know your customer], a central database promotes data integrity, straight-through-processing and economies of scale. There are client benefits too – a holistic view ensures that client servicing addresses specific needs and that individual investment objectives are monitored. Private banks generally need fast access to accurate information and this is easier with all data in a single repository.  However, it may also be more vulnerable to wholesale theft. 

The multi-channel banking environment also increases the number of opportunities for data thieves.  Many private banks offer web-based contracts, which may not be secure and can be susceptible to eavesdropping. Furthermore, bank staff, third-party advisors and administrators require access to data over multiple geographies, which raises both legal and security concerns.

Data security – a journey not a destination

Security has always been integral to systems development and IT. However, information security is a challenge facing all private banking functions, especially operations, compliance and risk. And client information often has to be maintained by several functions in multiple locations, which increases vulnerability. 

All banks have implemented information security measures and great progress has been made; however, success requires ongoing commitment. Data security requires banks to remain one step ahead of those who wish to exploit security weaknesses, so it is more of a journey than a destination. But there is the added complication of not knowing where the criminals are. An insider recently disclosed details of 2,000 private banking client accounts to WikiLeaks, proving that it is impossible to provide for every eventuality. Banks require a pragmatic approach that reduces the likelihood of a major breach of security and limits the damage that can result from a single act. So what should they do?

Essential components of an information strategy

Physical access. Perhaps the most obvious way to improve security is to control access to premises. Most banks operate centralised systems of passes, which work in conjunction with IT networks. As well as controlling access, passes can be used to restrict access to physical areas and to distinguish between employees, contractors or visitors.

User authentication. Most banking systems include two-factor authentication, comprising something a user knows (a password) and something a user has (a token or digital certificate). Many modern banking systems also include biometrics to increase authentication assurance. The important thing is for two independent factors to be used: something the user knows and something the user has.

In the case of online transactions, these elements may be augmented with digital signatures. Such non-repudiation measures prove that a certain user has performed a specific transaction.

Data encryption. As banks operate over multiple geographies, data encryption has become an essential tool to ensure that data cannot be illegally monitored or modified in transit, or directly within a database by malicious bank insiders. It is also an important component of client communications, which are increasingly electronic and remote.

Internal security. This can bridge the gap between data security and compliance by giving users contextual access, that is, granting access to specified data. Bank users must be restricted to view only the data they require.

Contextual access also enables a bank to benefit from a single core banking system by storing certain information anonymously. Many private banks operate a single processing hub solution for multiple countries. While data is stored centrally, it is encrypted, and business rules are applied to ensure that each country or branch can access only its own information. All parties benefit from centralised systems and processes; data security is increased and certain operations and functions can be shared.

A collaborative approach to a common problem

All private banks face similar threats and challenges within data security. They can achieve a lot more in less time through collaboration. Technology partners can help in several ways: by raising awareness of the current threats and developing solutions that give users access to their data without compromising security or system performance. They can also establish an industry best practice approach and maintain momentum. 

Data security is a ubiquitous feature of banking in the digital age. Private banks cannot delegate data security to a specialist provider as it pervades all aspects of banking. But security can be improved through collaboration at the industry level and it must be reviewed continually.

 
