Key Management: New Digital Models for Banks and New Security Models, Too

by Ulrich Scholten (guest) & Stefan Hansen on 04. February 2021

In rethinking their strategies, traditional banks have eight digital business model options to consider in order to remain competitive against untraditional newcomers to the industry.

Several of these options are ones that their new competitors already implement:

1. Digitized Full-Service Banks

With the digitized full-service bank model, vertically-integrated banks maintain an offering of proprietary products through their own top-notch digital channels and branch network. This might seem like an evolution of their existing business model. However, this model does require a digital transformation along with simplifying their products and end-to-end operations.

2. Open Banks

In this model the traditional bank creates and distributes their own products to their customers. However, they also work in partnership with third-party product and service partners. Because it is a highly digitized model, there is a need for seamlessly connecting with these partners.

3. Ecosystems

With an ecosystem digital model, a full-service bank becomes the platform not only for its own product and service offerings, but also for those offered by an extensive network of partners, including partners outside the banking and finance industry. As in the open bank model, seamless connection is required between the bank and all partners, which includes the ability to capture and share data from various sources to provide value to customers.

4. Product Engines

With this digital model, the bank acts as the manufacturer of products that are mainly distributed through third-party channels. The bank accepts the risk that they could lose relevance with their customer interface as investments in the product platform are prioritized. But the reward of their investment is becoming a partner of choice for the customer interface. This model has a highly competitive delivery cost.

5. Direct Banks

The direct bank digital business model is one that new entrants to the banking industry are using. This model offers the features that a full-service bank would, but without a network of branches. Its focus is securing deposits.

6. Neobanks

The neobank digital model is designed for mobile on a new tech stack. It keeps a narrower focus for its own products, but it imports products and services from its third-party partners. It can be used as a digital growth option by traditional banks.

7. Specialist Providers

The specialist provider digital business model focuses on providing a narrow range of products. Often this is one specific product or solution, such as mortgages. Again, this could be an area for new digital growth for an existing bank.

8. Marketplaces

A marketplace digital banking business model provides a choice of products offered by competitors, including non-banking offerings. This type of model has a first-class user interface and capabilities. It can be used to expand a current bank’s offerings to its customers.

Direct Impact on the Security Architecture

All 8 digital models imply, in slightly different shapes, a rapid evolution along the following axes:

  • Increased level of digitization of banking processes 
  • Opening up of the banking APIs to external players (supply side and / or distribution side)
  • Stretching of the critical banking IT across the Hybrid Cloud
  • More dynamic product offering with faster innovation cycles and shorter life-cycles of a specific offering

Technically, the bank will be orchestrating composite services across a digital value chain including

  • On premise (potentially decentralized) data centers with local security infrastructure (e.g., mainframes, HSMs)
  • Cloud deployments of own (often containerized) applications (e.g., on the MS Azure Platform, Amazon AWS or the Google Cloud)
  • Inclusion of third party services like MS Dynamics or the SAP Banking Services 9.0 on the supply side
  • Inclusion of third party services on the distribution side such as retail banking applications

Normally we do not find any of the above 8 archetypes in a pure form, but rather a blend of several of them. Consequently, each security architecture needs to be adapted to each specific case.

To be able to respond to the particular model’s specific requirements, the bank needs to interweave various service modules into a composite solution.

Technical aspects like service availability, latency, or cyber resilience need to be considered on a case by case basis, but privacy is always of utmost importance.

Given that the bank is the keeper of the grail of customer privacy and its financial assets, private data must never be exposed to third parties (unless it has the end-user’s explicit consent).

Simply put, whatever model the bank implements, it needs to be the owner of the cryptographic keys throughout the complete key life cycle. Being the owner means that no third party ever has access to unencrypted data or to the key itself. This ensures data privacy, and it also preserves business dynamics.

Dynamic value nets can only be maintained when a bank is not locked in to a specific supplier. Cryptographic lock-in is introduced into the bank’s infrastructure at the very moment key ownership is given to a third party (cloud service provider or SaaS provider).

The necessary step is a banking-grade and auditable bring-your-own-key strategy (BYOK) which is able to support all the various flavors of the digital.
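
The key-ownership property described above can be illustrated with client-side envelope encryption. The following is an added example, not code from the original article or from any vendor; the function names and the sample record are hypothetical, and the in-memory KEK is a stand-in for a key that would be held in the bank's own HSM.

```ruby
require 'openssl'

# Record is all a third party stores: a wrapped data key (DEK) and ciphertext.
Record = Struct.new(:wrapped_dek, :ciphertext)

NONCE_LEN = 12
TAG_LEN = 16

# AES-256-GCM encrypt; returns nonce || tag || ciphertext.
def seal(key, msg)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  nonce = c.random_iv
  body = c.update(msg) + c.final
  nonce + c.auth_tag + body
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or a modified box.
def unseal(key, box)
  raise ArgumentError, 'box too short' if box.bytesize <= NONCE_LEN + TAG_LEN
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = box.byteslice(0, NONCE_LEN)
  d.auth_tag = box.byteslice(NONCE_LEN, TAG_LEN)
  d.update(box.byteslice(NONCE_LEN + TAG_LEN, box.bytesize)) + d.final
end

# Runs inside the bank: fresh DEK per record, wrapped under the bank-held KEK.
def protect(kek, plaintext)
  dek = OpenSSL::Random.random_bytes(32)
  Record.new(seal(kek, dek), seal(dek, plaintext))
end

# Only the KEK holder can do this; the KEK never accompanies the record.
def recover(kek, record)
  unseal(unseal(kek, record.wrapped_dek), record.ciphertext)
end

# KEK rotation done by the bank alone: the bulk ciphertext is not re-encrypted.
def rewrap(old_kek, new_kek, record)
  Record.new(seal(new_kek, unseal(old_kek, record.wrapped_dek)), record.ciphertext)
end

if __FILE__ == $PROGRAM_NAME
  kek = OpenSSL::Random.random_bytes(32) # assumption: stand-in for an HSM-resident key
  rec = protect(kek, 'constructed sample: account 0000, balance 100.00')
  puts recover(kek, rec)
end
```

Because the provider only ever holds the Record, moving to another supplier means copying opaque bytes, and rotating the KEK changes only the small wrapped DEK.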

