ISSUE 04 | February 2014
Industry Focus, a CNME supplement
Smart Banking
How technology is transforming banking and finance
Contents
Changing the face of banking
Seyed Golkar, Director of Business Solutions, GBM, discussed some of the hottest trends in the banking and finance sector, and his company’s unique value proposition.
Cash, Credit, or Mobile?
Mobile payment is on the way, but the overall package has to be right, writes Jaideep Poondir, Senior Vice-President, Financial Services, Cognizant
Why smart users are the key to secure online banking
Online banking is not 100% secure -- nothing is. That is not expected to change in 2014. But a number of security experts, along with an industry official, say it is reasonably safe, if users take reasonable precautions.
interview
Changing the face of banking
Seyed Golkar, Director of Business Solutions, GBM, discussed some of the hottest trends in the banking and finance sector, and his company’s unique value proposition.
How important is this vertical, and what are some of its unique dynamics?
Banking and finance is a very important vertical to GBM. We have been doing business with banks for the last 20 years and continue to do so. Unlike other markets, where customer retention is key, churn is not an issue for the banks in this region. What is important is to provide a quality service to customers and present the product and services in the right way to capture the attention of customers.
What are some of the technology trends shaping the banking and finance sector in 2014?
There are a lot of technologies common between most banks today. A while back, integration was a big challenge for banks. The majority of them have gone through that cycle, where they managed to bring together application silos to achieve a degree of optimisation and efficiency. Now, the important question is, where do you go next? This is where the concept of thought leadership comes into the picture. The customer base is almost static and the challenge for banks is how to get the most out of it. What we need to do is to bring in international best practices and marry that with the local culture and ethics of doing business.
Banks have now started to look at business process optimisation and automation seriously. Of course, technology does provide a degree of automation but is that enough? Certainly not. You have to bring in a degree of business process optimisation and improvement, and that’s what we do. We have consultants who look at the business processes of banks, irrespective of the technology they use, and find ways to eliminate process wastage to increase operational efficiency and process automation.
Another area where we are seeing a lot of traction is around business intelligence and advanced analytics. Banks have vast amounts of data and now they have to make sense of the information they have to gain visibility into customer behaviour. Recently, we have implemented a large data warehousing solution coupled with analytics for a relatively large bank in the region. Through the use of this solution, the bank is now able to produce profitability within weeks, whereas it previously took months.
GBM is also bringing the concept of ‘banking of the future’ to the region. Traditionally, banks have followed the brick-and-mortar business model and what we have today is a virtual branch for retail banking. Christened VBM, this is a video-based, interactive technology, which allows customers to carry out transactions and banking services, assisted by a centrally based teller through a real-time audio/video interaction. We assume this will not only complement a traditional branch but soon might be the most preferred banking channel.
Isn’t compliance and risk management a key focus area for banks?
Yes, absolutely. With the recent market crashes, changes in regulations, and the need to adapt to the ever-changing market dynamics, the focus on operational risk management has increased. The quantity and spread of information throughout the organisation across business lines now mandates the use of an integrated and well-designed solution. In the absence of an integrated approach, banks run the risk of failing to obtain, understand and use effectively the information about external and internal events that enable governance, risk management, and compliance.
Banks pretty much look at everything on the technology menu, be it mobile, online or omni-channel. But they don’t do a good job when educating customers about the products and services, do they?
Yes, they will have to go that extra mile to educate the customers. Sooner than later, banks will have to use mobile technologies to engage with the customers in a context-specific manner to make them aware about the services and products they offer. Right now, the concept of mobility in banking is restricted to making applications available on mobile platforms. But that is not mobility; it is accessibility. Another area where mobile technologies can make a big impact is around image cheque-clearing systems. An image-based, inward cheque-clearing and returns process can help banks streamline and address the growing customer demand and result in significant operational savings.
Globally, a storm combining cloud, mobility and social media is redefining the banking landscape. Do you think these tech trends will have a significant impact on banking and finance organisations in the region?
I believe there is a bit of a lag when it comes to the adoption of technologies such as cloud in the region. But the question is not really whether banks should follow technology trends or not. It’s all about figuring out what a particular technology means to you and how do you effectively utilise it. So you have to look at technology adoption in the context of how to actually utilise it to enhance your customer service and increase profits.
What does GBM bring to the table?
Apart from being one of the leading IT solution providers in the Gulf region, GBM has already partnered with some of the well-known global technology providers specific to this vertical. What we do is look at the technologies, their applicability to the local businesses and bring in thought leadership from across the world. Being one of the most credible solutions providers in the region, with a wealth of domain expertise and consulting experience, GBM, along with its business partners, is uniquely positioned to address the needs of the vibrant banking and finance sector in the Middle East.
opinion
Cash, Credit, or Mobile?
Mobile payment is on the way, but the overall package has to be right, writes Jaideep Poondir, Senior Vice-President, Financial Services, Cognizant
As mobile continues to proliferate in the marketplace, mobile payment capability has emerged as an important feature for consumers. Gartner¹ predicts that the mobile payments user-base in the Middle East will grow to 9.5 million by 2017 at a CAGR of 57%, the highest growth rate for any region in the world. In the same period, transaction volume is expected to grow at a whopping 82% CAGR to reach $27.6 billion, again the highest growth rate among all regions.
The rise of mobile payment should come as no surprise considering the explosive growth in the smartphone and tablet markets. Consumers take their mobile phones with them everywhere they go; they have become as essential to everyday life as their wallet and car keys. Research from Cognizant and Monitise² shows that of consumers who use mobile payments, 44 percent of those surveyed do so at least once a week, and IE Market Research³ predicts that global mobile payments will account for $998.5 billion in revenue by 2016.
The biggest challenge facing a seamless transition to mobile payments is creating a widely accepted mobile payment platform. Right now, there is a typical chicken-and-egg dilemma in the market. Many retailers are still uncertain about investing in the new technology without the assurance that consumers will use it. However, they cannot know that until they actually make it available as a payment option. Retailers are waiting for customer demand for these payment options, but the current lack of retail outlets accepting mobile payments is one of the main reasons consumer awareness remains low.
Meanwhile, consumers want mobile payment to be safe and easy to use, and they want guaranteed data privacy. Ideally, they would also like mobile payment platforms to offer smart functions such as reminders, price comparisons, and peer-to-peer transactions. They want the system to be available everywhere, accepted around the world, and in step with the modern mobile lifestyle. One company trying to meet this demand is Starbucks, whose Starbucks Card Mobile Payment app lets customers pay for items and earn rewards by having their mobile phone screens scanned at the counter.
Retailers play an important part in the equation too, since they are the ones who install the system in stores, kiosks, vending machines, and so forth. The smart functions offered by mobile payments will be an incentive for retailers as they add something to the buying experience, but retailers will need reassurance that the solutions are easy to implement and do not involve high transaction fees.
Banks’ Core Business
So who is going to provide this mobile payment solution? There are many possible candidates. At the center are the banks, as mobile payments affect their core business. However, plenty of potential competitors are lining up to enter the market, from wireless carriers, device manufacturers, and e-commerce players to alternative payment services like PayPal, Square or iZettle and software manufacturers. We have already seen technology playing the role of a disruptive force in challenging the traditional business models in the music, media and publishing industries.
Yet despite the competition, banks can still have the best chance of profiting from the mobile payment trend. Mobile payments are a key opportunity for banks, compelling them to focus on monitoring the technology landscape and developing a better understanding of customer needs. Customers have remained loyal to local banks, and many people stay with the same bank all their lives. Aggressive marketing and stylish innovations from competitors could level the playing field. Who says the Millennial Generation may not prefer to pay through a payment service run by Apple, Google, or Amazon? Apple and Google have resources and technology backing and can build or buy such a capability.
Even if traditional banks are still the ones behind the scenes, they may run the risk of being relegated to just holding the money.
Banks need to develop a plan now if they are to turn their advantages—such as security expertise and loyal client base—into profits. According to Cognizant and Monitise’s research, about 63 percent of consumers agree that their bank provides a more secure transaction than non-banks.
In addition to security, partnerships will also be important. Banks tend to handle all their business by themselves, but may need to reconsider this approach, given the many players in the mobile payment cycle. Banks must create a clear strategy to identify potential partners and competitors, and those that will wear both hats. Google Wallet and Isis are two examples of what the market can expect. Partnerships like these demonstrate an effective way for banks to use their strengths to stand out in the mobile payment game, and avoid standing on the sidelines.
In addition to good partnerships, a strong mobile payment strategy needs to invest cleverly and innovatively in technology. The key is for banks to create an interface between their legacy systems and mobile operations. Getting there will require investments in data management, security, and application development, to name a few. They will need to use a backbone that enables standardized processing while working with various payment platforms. Privacy and data security also need to be a top priority. This will entail investments in dependable security platforms and complex authentication protocols.
Turning Customer Data Into Real Knowledge
Partnerships and technology investments are just the start. Banks will only succeed if they manage to offer increased added value to their biggest asset—their reputation for safety and reliability. In addition to offering services that are safe, easy, and convenient to use, they will have to provide smart extras like real-time transaction overviews.
Analytics and big data technology will play a major role here, because banks can use them to turn customer data into real knowledge about customer needs. That will make it easier for them to design innovative products and services that are adapted for specific customer groups—and supplied straight to these customers’ mobile devices whilst a transaction is taking place. However, it is important to remember that customers are sensitive about how their data is used. Banks must demonstrate that their analytics-based offers are intended to give customers what they want.
Retail banks should leverage the opportunity to deepen consumer engagement, supported by specific insights tied to loyalty and incentive programs. Performed effectively, this allows for more precise targeting of additional products and services. This precise targeting keeps consumers from feeling like their data is just being used to sell them more without thought.
Last but not least, mobile payments open up new ways for banks to improve customer loyalty. Before that can happen, customers need to familiarize themselves with the benefits of mobile payment. Targeted campaigns are a good approach. To convince their younger customers, banks will need to put more campaigns where those customers go, such as social media sites. If banks start moving in these areas, they should be able to keep up with the mobile payment leaders. However, they must move quickly, as the race has already begun.
analysis
Why smart users are the key to secure online banking
Online banking is not 100% secure -- nothing is. That is not expected to change in 2014. But a number of security experts, along with an industry official, say it is reasonably safe, if users take reasonable precautions.
That can be a big if, of course. Convenience still trumps security for most people, even when it comes to protecting their own money. And while some risks come from vulnerabilities in banking apps, some come from problems outside the control of banks, including the carelessness or cluelessness of users themselves.
Joram Borenstein, vice president at NICE Actimize, said while mobile banking apps tend to have, “more lightweight authentication procedures,” other risks come from factors outside a bank’s control, such as, “communicating via an unknown Wi-Fi signal or running on a device with a rogue application on it.” Even those who shun mobile and only bank online from their desktop, “run the high risk of being conducted via an unpatched browser or infected PC,” he said.
A security official at one of the nation’s largest banks, who declined to be identified, said banking from desktops and laptops is riskier than mobile, not because of the quality of the apps, but because of social engineering and phishing attacks. If users can avoid those risks, he said, online banking is, “convenient, efficient, effective and pretty secure.”
Whatever the risks, millions of people are doing it, with millions more expected in the coming years. The use of mobile banking apps is still not at the level of desktop Internet banking, but that is changing. According to a survey conducted last year by Princeton Survey Research Associates International and published last August by the Pew Internet & American Life Project, 51% of U.S. adults (61% of Internet users) bank from a desktop or laptop, while 35% of mobile phone users did so. However, the increase in desktop banking from 2010 to mid-2013 was only 5% (46% to 51%), while mobile banking nearly doubled, from 18% to 35%. That number is expected to grow to nearly 50% in the next two years.
That is obviously an expanding attack surface that cyber criminals cannot help but notice. But there is considerable disagreement over how great the danger is and who is responsible for it.
A blog post by Ariel Sanchez, a researcher at security assessment company IOActive, suggested that the danger is great, largely due to the failure of app developers to take security seriously. He said he found significant vulnerabilities in dozens of iOS banking apps. Sanchez ran a series of tests on 40 mobile iOS apps from 60 leading banks throughout the world, and reported that 40-90% of them lacked various features that would guard against Man-in-the-Middle (MitM) attacks, credential theft, session hijacking and memory corruption. More specifically, he reported that 70% of the apps had no support for two-factor authentication and 40% of them accepted any SSL certificate for secure HTTP traffic.
This, according to Michael Whitcomb, president and CEO of Loricca, should be no big surprise. “Security for both (desktop and mobile) is relatively poor,” he said. Borenstein agreed, noting that, “most app developers do not focus on security when developing their app. Security requirements are typically only included to appease the App Store or Google Play guidelines.” In addition, “many of these flaws are not surprising due to the fact that the app world is racing to increase adoption -- sometimes at the risk of everything else,” he said.
But that doesn’t mean he thinks online banking is too risky. Borenstein cheerfully admits that he regularly does it. “Of course!” he said. “I take the necessary precautions that are offered to me by my financial institution and when new, secure mechanisms come out. I am an early adopter.”
And that, said Gary McGraw, CTO of Cigital, is more significant than flaws in mobile apps. “Those flaws (in the apps) are real,” he said, “but the real question is, ‘does it matter?’ Those looking at the app are only looking at a part of the entire ecosystem, and you have to look at the whole thing. The bank will allow various stuff to happen or not, depending on the condition of the device attaching to it, which takes into account the operating system and whether it’s rooted.” McGraw points out that banks are liable for losses to individual depositors (not businesses) due to fraud, “and they’re not freaking out over this (Sanchez’s findings). If mobile and online banking were really such a disaster, the banks wouldn’t be doing it. They’re smart about money, you know.”
Blake Turrentine, CSO for the online social networking dating site Zoosk, and a penetration tester for Kaiser, was even more dismissive of Sanchez’s findings. “I would say that it’s a biased, script-kiddie assessment, in which he glosses over or ignores security features already provided by the operating system,” he said. “Furthermore, I seriously doubt if he could write his own jailbreak by himself to get the phone to such a compromised state as a jailbroken phone.”
The bank security official who read Sanchez’s post also said the flaws, while real, were relatively trivial -- referring to them as “table stakes.” “Something like this, while it makes headlines, doesn’t tell you what’s going on behind the scenes,” he said, where most banks’ systems can tell if a device has connected before from a specific customer. It also flags large transactions and can usually tell by the velocity of clicks if it is a human user or malware.
But Jamie Blasco, director of AlienVault Labs, countered that the risks are not simply confined to communication with a bank. Vulnerabilities with secure transfer protocols and SSL certificate checks, “expose the user of the application to a man-in-the-middle attack,” he said. “If you are using an insecure connection such as an open Wi-Fi or a network that the attacker controls, a malicious actor can actually set up an attack to sniff your credentials and all the traffic that is being sent to the bank’s servers.” Beyond that, “malicious actors can steal sensitive information stored on the device via other apps,” he said.
Whatever the app risks, experts say they could probably be fixed quickly. “I believe it’s a two-week review process by Apple before a new binary is accepted to the store,” Turrentine said. “With Android, you can post same day. With an agile software development, the fixes could be remediated in one Sprint.”
Whitcomb is a bit less optimistic. While he agreed the fixes should be easy for “a competent development team,” the fact that the problems exist in a production banking app, “means the teams producing them don’t understand secure coding practices and they don’t have the management infrastructure in place to ensure the security of their environment,” he said.
But Turrentine said he believes online banking security continues to be more secure, through improvements like, “third-party libraries supporting jailbreak detection for example, making it easier for coding for less technical developers dealing with native code versus HTML5.”
And there is general agreement that online banking security depends in significant measure on the user. Those who use public Wi-Fi to do it, for example, are asking for trouble. Also, one of the biggest risks for mobile users starts with physical security -- the loss or theft of their phone. “I know of several people who have had their phone stolen from their hands while talking on it,” Turrentine said.
In general, additional advice to users is to beware of social engineering attacks and phishing email; keep banking software updated; only use your bank’s app; lock your device with a PIN code; and don’t store banking information on your device.
Turrentine has some advice for app developers as well, starting with some homework on the Open Web Application Security Project (OWASP). “Refer to owasp.org for some initial insight,” he said. “Review whitepapers, presentations, videos on mobile app security from conferences posted to the web. Take some security classes that focus on secure mobile development. Read some security books on mobile apps, review third-party solutions to help increase the security posture of your app.”