
Key Management: New Digital and Security Models for Banks

In rethinking their strategies, traditional banks have eight digital business model options to consider in order to remain competitive against untraditional newcomers to the industry.

Several of these options are ones that their new competitors already implement:

1. Digitized Full-Service Banks

With the digitized full-service bank model, vertically-integrated banks maintain an offering of proprietary products through their own top-notch digital channels and branch network. This might seem like an evolution of their existing business model. However, this strategy involves a digital transformation and the simplification of their products and end-to-end processes.

2. Open Banks

In this model, the traditional bank creates and distributes its own products to its customers. However, it also works in partnership with third-party product and service partners. Because the model is highly digitized, it requires seamless connections with these partners.

3. Ecosystems

With an ecosystem digital model, a full-service bank becomes the platform for not only its product and service offerings but also those offered by an extensive network of partnerships. This also includes collaborations outside of the banking and finance industry. Like the open bank model, a seamless connection is required between the bank and all partners, which also includes the ability to capture and share data from various sources to provide value to customers.

4. Product Engines

With this digital model, the bank is the manufacturer of products mainly distributed through third-party channels. The bank accepts the risk that they could lose relevance with their customer interface as investments in the product platform are prioritized. But the reward of their investment is becoming a partner of choice for the customer interface. This model has a highly competitive delivery cost.

5. Direct Banks

New entrants to the banking industry are using the direct bank digital business model. This model offers the features that a full-service bank would; however, it does this without a network of branches. Its focus is securing deposits.

6. Neobanks

The neobank digital model is designed for mobile on a new tech stack. It has a narrow focus for its own products. However, it imports products and services from its third-party partners. Traditional banks can use it as a digital growth option.

7. Specialist Providers

The specialist provider's digital business model focuses on providing a narrow range of products. Typically, this is a single product or service, such as mortgages. Again, this could be an area for new digital growth for an existing bank.

8. Marketplaces

A marketplace digital banking business model provides a choice of products offered by competitors, including non-banking offerings. This type of model has a first-class user interface and capabilities. It can be used to expand a current bank’s offerings to its customers.


Direct Impact on the Security Architecture

All 8 digital models imply, in slightly different shapes, a rapid evolution along the following axes:

  • Increased level of digitization of banking processes 
  • Opening up the banking APIs to external players (supply side and/or distribution side)
  • Stretching of the critical banking IT across the Hybrid Cloud
  • More dynamic product offerings with faster innovation cycles and shorter life cycles of a specific offering

Technically, the bank will be orchestrating composite services across a digital value chain, including

  • On-premise (potentially decentralized) data centers with local security infrastructure (e.g., mainframes, HSMs)
  • Cloud deployments of own (often containerized) applications (e.g., on the MS Azure Platform, Amazon AWS, or the Google Cloud)
  • Inclusion of third-party services like MS Dynamics or the SAP Banking Services 9.0 on the supply side
  • Inclusion of third-party services on the distribution side, such as retail banking applications

Normally we do not find any of the above 8 archetypes in a pure form, but rather a blend of several of them. Consequently, each security architecture needs to be adapted to each specific case.

To be able to respond to the model's individual requirements, the bank must combine multiple service modules into a composite solution.

Technical factors such as service availability, latency, or cyber resilience must be evaluated on a case-by-case basis, but privacy is always of utmost importance.

Given that the bank is the keeper of the grail of customer privacy and financial assets, private data must never be exposed to third parties (unless the end user has given explicit consent).

Simply put, whatever model the bank implements, it needs to be the owner of the cryptographic keys throughout the complete key life cycle. Being the owner ensures that no third party ever has access to unencrypted data or the key itself. This ensures not only data privacy but also business dynamics, as dynamic value nets can only be maintained when a bank is not locked in to a specific supplier.

Cryptographic lock-in is introduced to the bank’s infrastructure when key ownership is given to a third party (cloud service provider or SaaS provider).

The necessary step is a banking-grade and auditable bring-your-own-key (BYOK) strategy, which is able to support all the various flavors of the digital.

