The cost of keeping a secret

Many MENA banks now spend heavily on cutting-edge technology to keep their clients’ finances secure and protected from cyber fraud. PAUL MELLY looks at the sophistication behind their systems

Few industries can have felt the positive impact of automation and online technology to such an extent as banking. What seemed implausible not so long ago is now routine, with massive benefits for efficiency, cost-saving, speed and the simplification of procedures that only a decade ago were generally laborious and bureaucratic.

But for all the advantages that it brings, the advent of electronic online financial service has been accompanied by a major threat: it has opened up new avenues for fraud and theft.

And this is paradox is particularly applicable for transaction functions such as cash management, trade finance and bulk payments.

Automation and the use of internet services hugely reduces the workload entailed in providing these services.

It becomes easier and cheaper for banks to process the many different transactions required, and to do so quickly and with a degree of reliability that traditional manual paper procedures could not provide. Payments through letters of credit, for example, were notoriously hampered by minor clerical errors that could lead to serious delays as documents were corrected and submitted afresh.

Electronic systems reduce the scope for mistakes and enable banks to handle larger flows of business effectively.

But the sheer volumes of activity entailed in transaction banking mean that the potential damage caused by any criminal activity would be all the more serious.

So security is at a premium – an absolutely fundamental requirement for banks operating in this area, and all the more important as some financial messaging tasks and payment processing are outsourced to independent technical service providers.

Cyber fraud and identity theft attacks are increasingly sophisticated and frequent. Of course, it is possible to devise hugely complex and rigorous procedures to guard against these dangers.

However, the real test is to establish security systems that are effective but are not so onerous that they deter customers and undermine their business efficiency.

Turning cost into opportunity

Companies and banks are exploring ways to make their communications more secure, for example, through advanced systems for confirming the identity of users and tracing the path of transactions and who has authorised them at each stage.

Potentially, of course, this is a huge additional expense, imposed on banks and, indirectly, their clients – just when it seemed that the application of online systems was allowing them to bring costs down.

But Nigel Hayward, chief technology officer for JP Morgan treasury services – speaking at the recent Sibos 2013 in Dubai – put the case for looking at this in a positive way: if investment in cyber security enables a bank to remain operational and actually increase the volume of business that it handles, then it can be seen as not only a cost centre but also an enabling factor.

Hayward said that his bank would spend a further $250m on cyber security over the coming years.

But, of course, not all banks have such resources at their disposal, and, even in relative terms, many seem cautious about pouring a significant share of their investment budget into cyber-security.

A poll of audience members at the session addressed by Hayward found that 27 per cent expected to increase their expenditure on cyber security by at least 10 per cent in 2014, with a further 32 per cent expecting to step up spending by smaller amounts.

But this means that more than 40 per cent of those surveyed did not foresee an increase of even  one per cent in their cyber security outlays next year.

That suggests that even among bankers with a particular interest in electronic security issues, a substantial number do not yet accept the case for sustaining additional investment in this area.

This is particularly striking because the threat is posed not only by external criminals outside the banks, or anti-capitalism hacker activists. Many bankers also expressed concern about the risk of internal fraud by their own staff or contractors.

Such concerns underpin the case for dual verification controls, which help to protect the risk of fraud being committed by a rogue employee or contractor.

Transaction banking concerns

All this is good reason to worry about the security of a transaction banking sector that is already highly automated and set to become even more reliant on electronic processes and online links.

However, there are also some grounds for reassurance. Specialist technology providers have developed systems that can enable banks to maintain a high degree of control, with levels of security reinforced as the scale of a transaction and the potential risk attached increase.

For example, one technology provider describes how rigorous authentication systems can be incorporated as a prerequisite for any major money transfers by a corporate customer to go ahead.

For some banks, one of the practical requirements they set for technology providers is that ability to offer a range of authentication systems and devices to meet the needs of both business and retail customers, but which are compatible with the same back-office software.

This enables the bank to maintain internal systems that are efficient and comprehensive, but to offer customers the differing levels of security appropriate to their needs.

Furthermore, this can also be a positive asset for the bank’s sales pitch to potential customers. Oman Arab Bank, for example, sees its ability to offer these varied security solutions as a key part of its appeal to clients, whether in government, business or the personal banking market. And Saudi Arabia’s Al Rajhi group is happy to explain how it uses modern encryption methods to protect information about its customers’ finances.

But in meeting the needs of corporate customers a further security consideration also comes into play: within a company, employees and managers have varying rights to information and differing levels of authority to make payments, transfers or carry out other key functions.

Some staff carrying out specific technical roles may only need access to information directly related to their work. Whereas team leaders, senior technological personnel or senior executives and managers will need access to a much wider and more substantial amount of data.

The National Bank of Kuwait exemplifies the way in which major Middle Eastern banks have developed their technology to cater for these situations.

It offers an online banking interface that takes account of the differing levels of authority within business client companies.

The system has been specifically designed to offer varying levels of information and authority, customised to the needs of the customer.

This means that arrangements can be made for multiple user staff at a client business to have access to the system – but with the extent of what they can learn or what they can authorise tailored to their specific roles.