
Agile Cryptography for Turnaround Business Models of Retail Banks


Going forward, it is imperative for existing banks to develop a strategy for sustaining their current operations and expanding in a digitized, cyber-secured full-service model. Those who have the best chance of succeeding with a hybrid/ecosystem strategy are banks that already have a large share in a concentrated market. These organizations should be investing in digital capabilities to maintain their status and to bring relevant services that their customers want and that will help expand their base. This will better their odds against the competition they will face from other banks who invest in an expanded digital business model and new entrants like Neobanks and Fintech.

Opportunity Still Exists for Smaller Banks


Banks that already have a good share in a moderately concentrated market are still at a good size for investing in a digitized full-service banking model. They also have a good chance of building a successful ecosystem by offering options beyond banking if they move for more consolidation. Otherwise, these banks will likely see competition from Neobanks and Fintech, which offer financial services and other options that customers seek but that these banks do not provide.

But what about smaller banks with smaller market shares in fragmented markets? What strategic direction should they be focusing on? These banks lack the scale that would make it sensible to invest in a digitized full-service model or to create an ecosystem. While larger and stronger banks traditionally took the route of consolidation to grow, smaller organizations need to focus on the open bank options. Why? Because this may be their major viable option to secure their relevance (manifested through a critical mass of financial services and the flexibility to follow market trends and to offer consumer-centered services). This means dealing with third parties and brings about the increased need for cryptographic services to protect customers' personal information and financial transactions.

It is interesting to see that stronger banks are also opening up to back-end open banking strategies, although their strategies will vary in some crucial aspects from those of smaller banks.

Embracing Back-End Services to create a financial services platform

In our article on Back-End Services, titled: “Open Banking - Success through Agile Alignment of Security Infrastructure, Strategy and Technology”, we introduced the options of connecting to back-end services:

  • Connecting to ready-made cloud-based services (“brownfield”)
  • Building up their own services in the cloud (“green field”), alone or in cooperation with (ecosystem) partners

This is a point where international players and smaller banks will potentially diverge. The big ones will potentially focus on green field services to build up their own ecosystems of financial services, either alone or with third-party suppliers. They have the bargaining power to shape cloud service providers toward their expectations, policies and terms and conditions. This does not mean that all services will be built from scratch.

But for smaller banks, the options are promising too when they follow the “brownfield” approach, which means connecting to platforms that already include a full-fledged portfolio of “internal” and “external” services. "Internal" means homegrown in the service-providing platform. "External" means coming from a surrounding ecosystem of service providers, which are seamlessly integrated into the platform. Rapidly growing examples of such platform-ecosystem constellations are Microsoft Dynamics and SAP Hana.

The good thing about such platform solutions is that banks do not need to worry about harmonized data models or stringent policies. A major security-related advantage is that banks only face one homogeneous cryptographic structure across the platform. 

How to maintain control of back-end security

To maintain data security and privacy, to remain compliant with banking regulations, and to preserve ownership of their own data (which is a major asset in today’s banking world), banks need to keep control of their data and prevent unencrypted visibility to any third party.

This control is accomplished through a “bring-your-own-key” strategy. Data remains encrypted in transit and at rest. Encryption keys are never accessible to any third party outside the cloud-based and banking-grade HSM.

The bank brings its own cryptographic keys and manages them throughout the whole key life-cycle, centrally, from a banking-grade key management system located in a central data center of the bank.

Cryptomathic’s Key Management System integrates into major banking service platforms (brownfield) as well as into green field infrastructures like MS Azure, Google Cloud or proprietary clouds using IBM z15 mainframes. The key management system enables end-to-end encryption across various hybrid cloud platforms and the local data center. All is managed from one location. Decades of experience assure mature systems. Cryptomathic’s involvement in cloud security architectures since the beginning of CSP infrastructures led to tested and compliant solutions with minimized implementation time. 

How Can Banks Get Started to Turn Around Their Business Models?

Whatever direction a bank chooses to go with, it must know what value proposition it will offer to its target market and what business and operating model is needed to achieve this. When investing in their scale and relevance, banks should consider a three-phase strategy:

  • Reviewing their current position against that of their current and potential future competitors (think along the lines of SWOT analysis). They will need to analyze current trends, including how customer behaviors are changing and the impact that has on their business. They will also need to determine what they need to do to maintain relevance with customers.
  • Evaluating their potential options for business models based on their competitive advantages, what capabilities are needed, and realistic return on investment. This can be done by pressure testing the options against realistic market scenarios.
  • Developing a roadmap, including identifying gaps in their key capabilities, and prioritizing their investments in use cases that are most valuable to their organization.

But how can banks sufficiently blend the required strategic and technical decisions?

Agile strategic-technical decision-making processes as a prerequisite for a successful turnaround

When a bank shapes its turnaround strategy, the decision-making process (namely the O for Opportunities in the SWOT) will include evaluations of service platforms (as well as non-platform services such as the Diebold Nixdorf services). Cryptography needs to be considered at an early stage to make sure that the bank’s decision does not negatively impact its agility in the medium and long term: will the bank’s opening up maintain its freedom of decision, or will it lead to a third-party vendor lock-in with limited room for maneuver in all future decisions?

In the article on back-end services, we introduced the following agile decision-making process, which aligns strategic and technical aspects through an iterative approach:

  1. Identifying and prioritizing commercialization opportunities and use cases
  2. Selecting potential financial services and service partners
  3. Selecting potential (cloud) infrastructures 
  4. Defining operating models and technology requirements
  5. Developing clear paths to implementation

Once the general turnaround strategy and architecture have been decided upon, the decision on orchestrating external services will be a continuous process. The decision-making process will move from the board to the management level. Portfolio management decisions are made continuously, based on demand, market analytics, strategy, trends, etc.

When a service platform like MS Dynamics or SAP Hana is connected, cryptography and policies are not an issue anymore. All is seamless and in place. Once a new service is activated, whether internal or external to that platform, cryptography works automatically, with keys in the cloud-based HSM, and managed from the local data center (key management system).

Major decisions of portfolio management might remain in stages 1 and 2 of the agile decision-making process. Only when a solution cannot be accomplished in the existing hybrid cloud (existing platforms, ecosystems and own data center) will the decision-making process iterate further down, including stages 3 - 5.


Never before have strategy, opportunities and cryptographic architectures been so interwoven for the banking industry. Once a bank has reached a corporate culture of strategic-technical alignment and cooperation, that culture will pave the way for continued growth throughout the decade now beginning.




Build New Capabilities Now (2019), By Thorsten Brackert, Chaojung Chen, Jorge Colado, Laurent Desmangles, Muriel Dupas, Pierre Roussel, Holger Sachse, Sam Stewart, and Monica Wegner. In: Global Retail Banking 2019 The Race for Relevance and Scale, Boston Consulting Group.