BOOSTING TRUST - Beyond the Basics
Banking Frontiers organized a conference on cybersecurity and risk management strategies in Mumbai in association with Expleo Solutions Limited. Highlights of the discussions at the conference:
Everyone should be delighted that financial organizations are successfully adopting multiple facets of digitization to augment offerings, improve CX, reduce operating cost and enhance operational efficiency. Open APIs have greatly empowered collaborations and experiences for organizations by simplifying complexities. This happiness comes with an equally big fear: with every new technology and innovation, cybercrime is escalating, resulting in losses, penalties and loss of trust and reputation. To identify how business and management strategies can arrest the rising threats and ensure smooth continuity, Banking Frontiers organized an insightful session of senior business and technology leaders from the BFSI sector to discuss cybersecurity risks in the current business scenario and strategies to combat them.
Anup Purohit, Sr. President & CIO, Yes Bank: Security is the mindset. 20% of our applications are developed by our in-house team. Our development team is a mix of employee and partner staff. 10% of our applications follow an agile methodology, while the applications which we purchase from technology vendors are still not getting into an agile methodology. The applications which are developed in-house are driving the developers. These have almost zero application security vulnerabilities. Applications which come from tier-1 vendors have failed to comply with the top 10 IOS guidelines.
Technology companies need to create a mindset before developing products and customization as per banks’ requirements at the lowest common denominator. For example, when Yes Bank did its core banking migration, I ensured my CISO and IT team were sitting with the developer’s team in their office. We visited that office daily during the development lifecycle and created a mindset among the developer staff. All my applications which are coming from the vendors have a huge number of security vulnerabilities. We have a team of 40 people to check these vulnerabilities. After that our CISO checks them, before they go to final production.
We are in no way close to open banking in India. In European countries all the banks have come together, and they have decided on a standardized format in which APIs are developed. So, unless there is a standard format made by a governing body for APIs, API banking will not be a reality. We will continue doing open banking in an individualized manner. There is scope for open banking; not all APIs need to be standardized, banks have the right to do innovations in APIs and they can build their own innovations.
No one in the organization can say no to security, including the board members. Security infrastructure should not have any budget constraints. It is up to the CISO and the CIO of banks to have the right kind of security tools and framework.
Sharatee Ghosh, EVP-Service & Quality, Kotak Mahindra Bank: The risk versus convenience issue is always a problem in banking. Product managers and marketers want the best possible UI and UX in their products. None of the global organizations which are into fintech have strong regulatory guidelines. We are all living in a viral world. For example, there was a problem in the mobile banking service of a bank, which went viral on Twitter and WhatsApp.
We do not want to compromise on risk, and we need to focus on educating our customers. Aadhaar has brought standardization in banking and banks are innovating. Banks need to make their customers scalable - for example, if one of our customers wants to open an 811 account when he or she has come back from a night shift, then it should be extremely scalable.
In the last 3-4 years, we have realised that our product managers were thinking like risk managers and that stifles innovation. We are focusing on product managers to do blue sky thinking, then come back and challenge the rest of the organization. We must constantly challenge our developers and that’s the way to go ahead.
Shivangi Kamath, Head - Process Excellence Group, TATA AIG General Insurance: Insurance is a service industry and we focus on what a customer wants. Before the launch of any product, it goes through an ideation phase. If the product meets the needs of the customer then we check the value chain, service or product. Each value chain has its own processes and risks. We have focused on risk management at equal intervals from ideation, planning and delivery to the end results.
When it comes to innovation or a new kind of service, data plays a very important role because most of our services and products are online. The world is moving away from information technology. IT staff are performing risk management functions to protect information. We are focusing on how intuitive insurance can be brought to India. Insurance companies should be focusing on giving money to the customer before they need it.
The customer expects a human touch and not the technology part to get their funds back. We focus more on the customer experience than on product or service launch initiatives. We also perform vulnerability and penetration tests to see whether there are any kind of risks, and if there are, how we can mitigate those risks. Quality professionals are always perceived as auditors more than quality experts. We need to do planning about mitigating risks. The intuitive insurance journey has started, and it is in the developing phase. We have been ideating about it, and we will implement it in the coming years.
Balaji Viswanathan, Managing Director & CEO, Expleo Solutions: Technology service providers need to understand how the services impact the banks before developing a product related to them. When you are developing your internal product you probably need whole planning and testing for it. But there is also a bigger vulnerability in the current open banking scenario - interfaces and networking.
There are so many third parties that you interact with, and each of them is required to have the same kind of security, mindset and thought process when they are deploying it, because that could be your weakest link when you actually start deploying it in your product. We focus on how to build your fortress correctly, and the kind of security that you need to have. The developer needs to have the right kind of mindset. If everybody in the ecosystem takes the same level of responsibility and accountability, it would address many of the challenges in the ecosystem.
Security is expected to be inbuilt, and the customer is not giving you a brownie point just because your application is secure; that is fundamentally what the customer expects from banks and the banks expect from technology and product providers. Hence, security needs to be a key element of any design process. It’s a question of what you know, what you need for the end customer and how you build it to make sure that it is secure and at least meets the basic expectations of the customers.
You cannot compartmentalize your quality function; it must start from the beginning - right from the planning stage.
Everything is in agile mode, and agile is not associated with technology but with project execution. So, you start designing it from the beginning and make sure that everybody in the ecosystem, including the product team and developer team, works seamlessly. Companies need to go beyond security to deliver it.
Sachin Vijayvargia, CTO, India Post Payments Bank: We have both the mobile banking app and the agent app. It is called the ‘Dakiya’ app. Dakiya is actually the person who mainly delivers mail, and today he is the same person who provides doorstep banking services to the customers of India Post Payments Bank. We are the only bank in India to which NPCI has given an exceptional approval for an agent-driven UPI. No other bank or financial institution in India has UPI services outside the PSP app. Instead of a debit card and PIN, we have used the biometric authentication of the customer for our app.
Security is a building process. It should not start in the development team. Ideally, it should start from the product. Whenever the requirements are being sketched, the security details should be shared with the IT team and then with the vendors. We implemented API technology two months ago in our bank. We realize that the hardships we had to face by writing abstract layers on top of already developed products are creating a customized way of solving a given problem.
We are trying federated authentication protocols so that they do not look into our 1.5 crore database. We can innovate in terms of APIs to provide a particular experience to the customer and to integrate with fintech players.
Biswabrata Chakravorty, CIO, IndusInd Bank: At an enterprise level, there must be a security architecture, and companies must look at all the layers of security - from the physical layer to the web. Detect, respond and remediate are the 3 factors that companies need to focus on. We have also seen that developers do not pay attention to the educational aspect.
India’s open banking concept is different from those developed by other countries. European banks have tie-ups with fintechs for open banking. IndiaStack is a pioneer in providing access to biometric-based authentication. We use open banking in preventing frauds, in customer identification and in identity management. We have done partnerships with third parties and merchant aggregators. For example, we have a tie-up with a broking entity, which allows our customer to trade on that entity’s platform, but IndusInd Bank is not visible to them. So, it is an example of open banking for a stock company in our ecosystem.
Microfinance company Bharat Finance has recently merged with us and uses open banking in the microfinance segment to open accounts instantaneously. Our ‘Sangam Manager’ meets a group of customers in the field. The Sangam Manager is empowered to open accounts on the spot.
Today, the API banking model is context-specific, but if you look at India’s economy at large, the next wave will come from PDP and account aggregator models. There are 3-4 banks working on it. Once it gets mainstream, then customer approval can be done on the fly and information will get analysed on the fly. Information will become an asset for product development, and the products will be delivered to the customer on the fly. So, it will be truly open banking. It is a dream journey and a vision for us.
The cost of compliance and remediation is typically very high and the cost of prevention is sometimes lower. We don’t want a scenario in which something happens in the public media which results in brand erosion. Most of the vulnerabilities happen because of the people inside the ecosystem - in-house developers, staff and managers - as most of the time they commit these kinds of mistakes unknowingly, and these become issues after some time.
Balaji Viswanathan: A cybersecurity event happens every 32 seconds around the world and India stands second in the number of security attacks. We are trying to incorporate the best practices followed across the globe in cybersecurity solutions, and we have worked with over 60 banks and financial institutions in addressing these challenges.
In the last 5 years, 30-35 CEOs and probably double the number of CIOs left their organisations due to security incidents and the resultant financial and reputational losses. For example, CEOs of Yahoo, Uber and Sony have lost their jobs due to the cybersecurity issues in their companies. Security is not the direct responsibility of the CEOs, but they face the impact of it.
According to a recent study, almost 60% of cyberattacks are not for money. So, it is mostly related to reputation, and the question is how you would deal with such attacks.
We have an assessment toolkit and implementation checklist, and we are trying to ensure security through vulnerability assessment. We are confident these will help financial institutions maintain their reputation.