
To catch a data thief

Collaboration between banks, police and customers is crucial in helping financial services firms curtail identity fraudsters

Written by Tom Young

Data security is a key issue for financial services firms - it is central to their reputation as a safe place for customers’ money. Computing recently hosted a two-part roundtable on IT security in financial services firms.

After identifying the key security challenges in the first half of the debate (Are the bank robbers winning? www.computing.co.uk/2201252), our expert panel analysed potential solutions. The panel comprised:

* Richard Hackworth, ex-chief information security officer at HSBC.

* Marcus Alldrick, ex-chief information security officer at Abbey.

* David Luijerink, head of fraud risk management at KPMG.

What do you think are the major security issues and how can they be addressed?

MA: My major issue was data theft: the breadth and depth of it and how the situation seems to be exacerbating, not diminishing, in terms of solutions. We need to look more in depth at preventative and corrective controls, as and when events arise.

RH: It’s important to bear in mind there is a range of IT security issues for financial services management.
Many of these issues are internal, such as staff use of technology and how to get good corporate governance of technology risk, which is a challenge. We also recognise the internet has a high profile for financial services.

I think the main problem is how to authenticate the identity of remote customers when they use internet banking, how to prevent identity theft and how to balance that security process in an attractive way that supports customer service.

Consumer confidence is obviously important and difficult to quantify. How important is it for banks to evaluate consumer confidence?

RH: In all aspects of banking customer confidence is paramount. We know from a number of consumer surveys that many people won’t use internet banking because they distrust the technology and its ability to look after the data they provide the bank.

The technology is pivotal because customers using internet banking only have an experience of using that bank through that technology. The brand is represented through the technology. It’s the sole customer touch point.

If customers are not comfortable with that then there is something seriously wrong, particularly given that many banks are going to be seeking to encourage more of their customers to use internet banking because of service and efficiency benefits to the bank.

DL: If institutions and others in the financial services sector have an issue and can contain it, that is good. But in some of these cases concerns can extend wider.

There is an impact on other banks, customers and regulators - the latter is very important, because they need the relationship with regulators to run smoothly. Therefore, there are many implications - not directly IT-related - that arise from IT security issues.

Should fraud be reported to banks rather than police?

MA: I don’t think it represents a conflict of interests. Because of the reporting procedures and mechanisms in place, banks are better placed to aggregate and correlate the resulting information. Banks have sophisticated fraud departments in place and co-operate very effectively.

But on a personal level, if I suffer a crime my natural response is to report it to the police. But I don’t think this detracts from the fact that the banks are well-placed to handle fraud reporting.

RH: I think the reality is we will have to learn from practical experience. This has not been running for very long and it would be interesting to see what we have learned after 12 to 24 months.

It is worth bearing in mind that the primary relationship for an internet banking customer is with their bank. The bank provides the technology, the advice and the payment service.

From the point of view of the police, the banks can present a richer picture of crime. They can aggregate data and look at several events over a period of time. I agree with Marcus, though, there is this thought that if you have been a victim of crime, you go to the police.

But the relationship between the banks and the police in this field is, in my experience, pretty open and not competitive. Everyone has a common agenda.

Are police doing enough about fraud?

DL: The government has been undertaking work in this area. There is the Fraud Act of 2006 and initiatives to help better understand the types of loss. The UK payments association, Apacs, is pretty effective at working out card losses. But there are other types of losses within financial institutions that are not measured as rigorously, or which are dealt with differently by organisations.

The Fraud Act has tried to define what fraud might actually mean. If you look at the authorities and the volume of incidents happening, there are many thousands of cases of various types of card fraud - the sheer volume creates problems for the police. They have to deal with and register each of these issues, so maybe it is not surprising the first port of call has become the institutions.

As well as the account holder there is the institution: they will be quite keen on making sure it doesn’t happen again. The quicker they can get that information and put in place rectified controls, the better.
If you are looking at card systems and speed of transactions, that is a very short time - and the controls need to be effective: these things happen within minutes or less. The quicker the institution can deal with these issues, the better.

Are links between the police and the banks still strong after the National Hi-Tech Crime Unit (NHTCU) became part of Soca?

MA: I think the banks are flowing the information to the police. It is in their best interests to do so. There is a common enemy here and the police are playing a major part in law enforcement and catching the criminals. The banks can’t do that on their own.

With the change from the NHTCU into Soca, the Serious Organised Crime Agency, at an operational level some financial institutions have suffered because they relied on the NHTCU to assist them with things such as phishing attacks.

But just as the banks direct their efforts to where the major risks and big losses are, the government has done the same with Soca. It is going for the organised criminal gangs.

This is not on a localised level but on a global basis, so it needs strong communication with and co-operation from other countries. Strategically, it seems to be the right approach, but operationally I think some institutions have suffered.

What will financial services firms be concerned with in five years’ time?

RH: At a certain level the issues we have today are not going to be that different. The one-line descriptions will not change that much: problems with vendor software, problems with customer authentication, challenges from regulators.

But I think there will be some changes. There will be more people on the internet: it is quite sobering to look at the level of commercial business currently carried out on the net.

We have the impression that it is a high proportion of business. In fact, some of the reliable figures I see suggest it is actually quite small. In the US, there is only about three per cent of retail business, by value, carried out over the internet.

That is really quite low - what will the internet look like when we get to 10 per cent or 15 per cent?
The general growth of the use of technology will add more challenges. And underlying this will be further challenges: our customer base will become more aware of and familiar with security issues. It is happening now.

Our more articulate customers are challenging the way we design and operate our systems. Possibly banks today would see this more from corporate customers than from those in retail. But our retail customers are becoming increasingly knowledgeable. Banks are going to have to step up to the plate on this and demonstrate that they are doing more and justify it more strongly.

I think we will see a change in the regulatory environment - regulators have become more interested in managing technology risk.

What I hope we see is a higher level of international co-operation between regulators on some of these issues.

We will also see more competition between financial services companies and other online retail organisations. Technology will assume more of the mantle of the organisation in the marketplace. It will be seen less as an add-on and more as a core vehicle.

DL: Having a more integrated approach as we are going forward is very important. We have had the issues about financial crime which has developed in most institutions now - just about all of them have processes around card, money laundering and intelligence gathering.

I think counteracting fraud will get more sophisticated and there will be greater links with the business units. That is absolutely key because they are the people who see the types of transactions and activities and the problems they face.

There also needs to be a more robust approach when looking at risk and being able to challenge processes, rather than just waiting to see what happens. None of the institutions actually say they wait, but if you look at them, sometimes they have not gone through that thought process of actually challenging it.
The customer is part of the control mechanism.

If you start giving two-factor authentication and those kinds of technologies, such as password security online, you are relying on customers performing their role properly and, more importantly, that if something happens they will bring it up with the institution.

So customers are part of the control framework to some extent. It needs to be understood how robust they are and what are the fallback positions. I think to sum up: what is needed is a more joined-up approach about how we look at risk in the organisation and our products.

Is security reactive?

MA: I don’t accept that security is a reactive process. I think it can be proactive and should be proactive. It is all about cost-effective risk management. It is very difficult to stay one step ahead of the criminals because they are always going to find a way to exploit weaknesses and if they can’t get past your defences they will go to someone else.

You have to constantly monitor what is happening on the technological, organisational, cultural, socio-economic and geopolitical fronts - all these aspects come into play when determining your risk profile. You then have to determine what controls are still relevant, which ones will be effective moving forward and which ones need tinkering with and replacing.

DL: It is very hard to kill off the appetite of a fraudster. If you have effective security in one area they migrate elsewhere and look for softer targets.

If we look at further extinguishing a risk, we have to look at where it is likely to crop up again and in what format.

The internet now means that fraud has become international: you no longer have to be in London to commit a fraud in London.

Watch the video of our IT security roundtable at www.computing.co.uk/tv
