Vendor Accent
De-risk outsourcing of banking operations
Security is critical when outsourcing banking operations,
says Captain Raghu Raman.
The moment you outsource, you expose. The degree of safety in outsourcing is
in inverse proportion to the cost. In recent times, many organisations (including
banks) have been forced to outsource due to the pressures of expansion, competition
and widespread cost-cutting initiatives. It's not unheard of for banking
CTOs and process heads to be asked to implement up to 15 percent cost-cutting
measures every year. But all this comes at a price.
When a choice has to be made between a visible, manifested cost
saving and an invisible, unmanifested security exposure, it's small wonder
that the short-term and immediate strategy most banks adopt is to show an instant
saving by outsourcing.
Yet, year on year, the price that banks are paying to cover
breaches or frauds has been constantly increasing. While it's all right for
a bank to cover its losses (though not all right in the sense that these losses
are ultimately passed on to the customers and the shareholders), it's dangerously
irresponsible of a bank to create any situation in which its customers
are exposed. For instance, if the details of high net worth clients were not
safeguarded, they could well become the target of underworld extortionists.
Similarly, the financial conditions of individuals, such as their net worth,
credit rating, loan defaults etc., are treated as highly classified information
in any modern financial structure. But with outsourcing, all these safeguards
come tumbling down. This is why you now have agencies that can provide you with
the personal and financial details of any individual.
While on the subject, it's rather ironic that the supposed establishments
of faith and trust are not beyond dealing in stolen goods themselves.
For instance, some banks have outsourced their cold-calling and rather aggressive
style of selling home loans and credit cards to third parties that have illegally
obtained access to cellphone numbers. Don't the banks know that these companies
are using contraband intellectual property to cause harassment and financial
losses to thousands of individuals? Also, by employing illegal means, aren't
they condoning the crime? They most certainly are. And yet they find it convenient
to take shelter under the pretext of having outsourced this activity to another
company. At the same time they expect the companies to whom they have outsourced
their basic banking operations to maintain the sanctity of information security.
Now isn't that a paradox?
Outsourcing customer interface
Most bankers will tell you (though not on record) that defaulting volumes are
on the rise. DSAs (direct selling agents) use every trick in the book, some of them
downright unethical, to achieve targets. And it's not just the banks that are the
victims. Customers get shoddy and incomplete paperwork (I have a copy of a loan
document which has been signed by a reputed bank which is blank on the page of
collateral documents, and another copy for the same loan acknowledging that they
are holding those documents). In any other circumstance this would be dealt with
as fraud. But the bank conveniently passes it off as the inefficiency of the DSA!
Data integrity
Banks have to accept that there is a price they are paying for saving costs.
For instance, most banks have several applications that are developed by their
local teams because they are cheaper. These instances of applications are then
tweaked by the branches to suit their particular nuances. Hundreds of hours
of backend data entry are done every day across their branches to get their MIS
reports out. At the end of the day everyone knows that data integrity is, at best,
average. It's a classic case of penny wise and pound idiotic.
Threats bankers must address
- A structurally flawed framework that allows opportunities for fraud to present themselves
Quite common in many banks, including larger ones. Let me give an example. One
of the largest banks in India uses the caller's ability to give details
of any two transactions on a bank account as a verification mechanism in its
tele-banking facility. It has not struck them that a hacker can deposit money
into the victim's account twice and then use those two deposits to get access through
tele-banking. The process needs to be modified to use only outbound transactions
as a verification mechanism, NOT any two. It seems so obvious, doesn't
it? Yet this process was developed by a team that had more than 100 years of
banking experience behind them.
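The flaw above is a knowledge-based check that counts evidence the attacker can manufacture. The following is an added illustration, not the bank's code or anything from the column, showing the flawed rule ("name any two transactions") beside the tightened rule ("name two outbound transactions") over a constructed account history; the record layout and the two verification functions are assumptions made for the example.

```python
"""Knowledge-based caller verification for tele-banking (added illustration).

Compares the flawed rule described in the column (any two transactions count)
with the tightened rule (only outbound transactions count). The account
history below is constructed sample data, not a real account.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    direction: str        # "in" = credit to the account, "out" = debit
    amount: Decimal
    counterparty: str


# Constructed history: two genuine debits the customer made, plus two small
# credits that an outsider could have created simply by paying into the account.
HISTORY = [
    Txn("T1", "out", Decimal("1250.00"), "Electricity board"),
    Txn("T2", "out", Decimal("399.00"), "Bookshop"),
    Txn("T3", "in", Decimal("10.00"), "CASH DEPOSIT"),
    Txn("T4", "in", Decimal("10.00"), "CASH DEPOSIT"),
]


def _matches(claim, txn):
    """A caller's claim is an (amount, counterparty) pair read out over the phone."""
    amount, counterparty = claim
    return txn.amount == amount and txn.counterparty.lower() == counterparty.lower()


def _matched_ids(history, claims, directions):
    """Ids of distinct transactions (restricted to `directions`) that any claim describes."""
    return {
        t.txn_id
        for t in history
        if t.direction in directions
        for c in claims
        if _matches(c, t)
    }


def verify_any_two(history, claims):
    """Flawed rule: pass if the caller can describe any two distinct transactions.
    Credits count, so evidence the caller created themselves is accepted."""
    return len(_matched_ids(history, claims, {"in", "out"})) >= 2


def verify_outbound_only(history, claims):
    """Tightened rule: only debits count. An outsider can cause money to arrive
    in an account but cannot cause the customer to make a payment."""
    return len(_matched_ids(history, claims, {"out"})) >= 2


def run_demo():
    """Evaluate both rules for a genuine customer and for a caller who only
    knows the two deposits they made themselves. Returns the outcomes."""
    genuine = [(Decimal("1250.00"), "Electricity board"), (Decimal("399.00"), "Bookshop")]
    seeded = [(Decimal("10.00"), "CASH DEPOSIT")]
    return {
        "genuine_any_two": verify_any_two(HISTORY, genuine),
        "genuine_outbound": verify_outbound_only(HISTORY, genuine),
        "seeded_any_two": verify_any_two(HISTORY, seeded),
        "seeded_outbound": verify_outbound_only(HISTORY, seeded),
    }


if __name__ == "__main__":
    for name, passed in run_demo().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

The point of the split into `_matched_ids` is that the only difference between the two rules is which set of directions is admissible as evidence; the legitimate customer passes both, while the caller who only knows the deposits they seeded passes the flawed rule and fails the tightened one.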
- An unmonitored environment which will allow those opportunities to be exploited
It's a cliché for most bankers to say that no matter how much you
spend you can never achieve 100 percent security. And like all clichés,
there is some truth in the statement. Unfortunately, this statement also hides
a more important aspect. Securing an environment is of no use until the detection
processes are more mature than the defence mechanisms. While no organisation can
achieve even an 80 percent security level (why speak of 100 percent?), there is
no limit to reducing the lag between breach and detection. It's a well-known
fact in the law enforcement world that the fear of detection is always more
of a deterrent than the challenge of prevention. And it's cheaper. For
example, department stores have tried two approaches to prevent shoplifting.
One is physically tying items down using steel cables etc. (especially used for
high-ticket but easy-to-carry items like laptops, cameras etc.). The other approach has
been to use electronic tagging and CCTV to detect shoplifters. The second method
is about 30 percent cheaper and five times more efficient. The same logic holds
good for banking security. If a bank had 100 dollars to spend on security, we
would recommend spending 30 on prevention and 70 on detection. This may seem
paradoxical until bankers are told that the fear of detection is the greatest
prevention!
- And the belief that bankers can build good security
They can't. Their core competence is in the deployment of assets, not in protecting
them. Again this is startling proof of the fact that while so many aspects
of banking have changed, certain notions remain unchanged. Do people really
put their money in banks to keep currency safe? Is there even any currency now?
When was the last time you deposited notes into your account?
We forget that the core competence of banks is deploying money in a manner to
grow it, not to safeguard it. The concept of a bank has moved a long way from
steel safes to electronic banking. And yet the notions have not. Bankers still
believe that they possess the competence to out-think criminals or frauds whose
core competence is to break into secure systems.
I am reminded of an instance that took place some years ago in Europe. Apparently,
BMW decided to add an unpickable lock as a differentiator of their premier models
of cars. Their team of engineers worked for months to develop a sophisticated
lock whose intricate mechanism ensured that no thief could even insert his pick
into the slot of the lock, much less operate it to turn the levers that opened
the car door. After the much-vaunted security system was deployed, cars were
still being stolen. Here is what the thieves did. They cut a tennis ball in
half, put one half against the lock and hit it hard. The air pressure
created travelled through the mechanism of the lock and hit the cylinder with
enough force to pop up the locking lever and open the door. An expensive, sophisticated
locking mechanism could be opened using half a tennis ball!
Ironically, the BFSI community continues to make the same mistakes that have
been made, and conceptually can be learned from, in several other domains in
the world of crime. And, until the community realises that securing their business
requires a paradigm shift in thinking and competence, they will continue to
save money in security spends and write off much larger losses in
the lines of P&L statements that have innocent sounding names and are spoken
about in hushed tones.
The author is CEO, Mahindra Special Services Group.
He can be reached at raghu@mahindrassg.com