Post-COVID Retail Banking: Agile Cryptography And Digital Transformation

This article discusses the need for retail banks to continue moving forward with their digital transformation in the post-COVID age and explains why cryptography (when done right) can be a key enabler of a successful self-disruption process.

At a time when retail banking was already facing the challenges of circling its wagons and shifting its existing business and operating models, the COVID pandemic has proven itself as the ultimate disrupter, with its real damage not truly known as of yet.

Not only is the banking industry facing competition from newcomers, but now it must deal with an uncertain global economy and other sobering economic realities and losses that appeared to be signaling the real possibility of a recession, unlike others dating back to the Great Depression.

While the pandemic setback has been a major bump on the road to streamlining business and operating models as banks move forward with their digital transformation, it is not a sign to ease up.

Now, more than ever, it is more important for Commercial banks to self-disrupt as they adjust to the “new normal.”

Retail banks must continue to enhance their digital strategies, revamp their core processes, and implement the right IT infrastructure to:

Reduce business risk
Make processes digital from the beginning to the end
Maintain compliance
Ensure process security

Urgent Need to Update Compliance Priorities Embracing Fully Remote Working Processes

The COVID-19 pandemic has forced a need for compliance teams to access their projects and determine what processes they need to implement to minimize their organization’s risks while still meeting their commitments to their stakeholders. The bank’s compliance officers need to assess the strength and adaptability of their current operating models and consider how they will likely be impacted by COVID-19.

One extremely critical issue facing commercial banks is the shift to remote working for many bank employees. This introduces a great risk to retail banks that needs to be addressed by compliance teams to ensure that critical data is kept safe.

Adding to the urgency of this situation is that banks are under pressure to make up for lost revenue because of COVID-19 while preserving their high standards concerning anti-money laundering (AML) and market conduct practices.

The European Banking Authority(EBA) advises ensuring “business continuity, adequate ICT capacity, and security risk management.” EBA underlines the need for digital operational resilience. In light of COVID, the updated Guidelines on ICT and security risk management (November 2019) will help focus on priority areas, also concerning compliance.

A second critical issue is that the customers act remotely. This includes, more than ever, the beginning of the contractual relationship, where physical presence is impossible or not desired.

An end-to-end fulfilment of all customer processes requires a cryptographically sound and compliant onboarding process, where the digital identity of a new customer can be created remotely in a fraud-protected way.

All this builds on the European Commission’s integrative set of regulations and standards, including qualified trust services for electronic transactions to enable highly fraud-protected processes which do not require direct human contact.

A Need for Anticipating Impact Downstream

Like most other industries, retail banks are in unchartered waters because of the COVID-19 pandemic. This is not isolated to just one region because, for the first time, all regions around the world are affected. Depending on the industry sector, the impact will vary across industries and require banks to invest in extremely detailed scenario planning.

It will be necessary for banks to revisit their business continuity plans, not just considering current impacts but how far the effects will spread 12 to 18 months from now. This includes payment & liquidity, and credits. These plans now must extend to operating models that ensure banks have adequate controls for processes like AML and Cybersecurity.

The Push for Digitization

Yes, banks worldwide are facing great risks with the upheaval brought on by COVID-19. But they are at a higher risk for their hesitance in shaking up their institutional norms and practices at their core. For the most part, tactical improvement efforts that the banks have made so far have failed to deliver on the needed transformation. Considering the unprecedented challenges brought by the pandemic, the need for digitization is even more urgent.

Risk, treasury, and compliance functions are necessary to help retail banks respond to the present COVID-19 crisis. They are crucial to building strategies to ensure their long-term success forward in the future. Advanced technologies and practices, including AI, and machine learning, will play a critical part in streamlining the process of self-disruption. They can help deliver predictive, real-time insights that allow more efficiency and faster execution.

To make this a reality, it is imperative that the need for cryptography to protect data doesn’t become a bottleneck but rather an enabler for self-disruption; while providing the security and flexibility for business continuity as the foundation for future prosperity.

The Need for Agile Cryptography

Many fundamental aspects of our modern digital world – finance, communications, e-commerce, national security – are built on the bedrock of cryptography.

With the growing threat of cyber attacks, the broadening reach of privacy legislation, such as GDPR, and the increasing ease of employing encryption technology, the trend is towards encrypting all private data, especially data that is particularly sensitive or valuable in some way (e.g. personal or financial data).

The drive to encrypt everything, along with whole new rafts of applications associated with blockchain and IoT, creates an ever-increasing number of keys to manage. A flexible, centralized enterprise key management system should be introduced before the scale of the problem gets away from you; your ability to properly protect cryptographic keys and demonstrate compliance is gone.

Suppose quantum computing becomes a reality before reliable quantum-safe algorithms are available. In that case, there will likely be a resurgence of symmetric key cryptography for key establishment, resulting in the need to manage, protect and securely distribute even more keys, maybe even using Quantum Key Distribution.

Hardware security modules (HSMs) are the best choice for applications that currently demand very high levels of assurance. But it will become increasingly important to find better ways to manage HSMs and decouple cryptography management from the development of applications to increase crypto agility and simplify compliance.

High-assurance cryptography and cloud computing will remain uncomfortable bedfellows for the foreseeable future. Still, whatever solutions you apply to manage keys, use HSMs and increase crypto agility, you’d better be sure they support the inevitable migration of applications to the cloud.

There is an emerging class of solutions, which includes Cryptomathic’s Crypto Service Gateway (CSG), that takes standard HSMs and turns them into service, hosted anywhere and accessible to both cloud and on-premises applications alike.

This has numerous benefits, including efficiency, resilience, and ease of use.

By centralizing cryptographic policy management, simpler APIs can relieve developers' pressure while allowing for expert oversight.

This promises to deliver the holy grail of crypto agility, as cryptographic parameters such as the choice of algorithm and key size can be managed centrally and thus changed quickly without impacting the applications of using them. This appears to be a promising solution to some of the challenges mentioned in this article and is, therefore, likely to become increasingly popular over the coming 5-10 years, whilst Cloud HSMs remain immature.

There is no doubt that the next 10 years will see major developments in digitization and cryptography, and there are doubtless other topics we haven’t even touched on. The next decade will undoubtedly bring forth significant advances in digitalization and cryptography, among other areas we haven't even begun to scratch the surface of. No matter how stable things seem, they will inevitably shift at some point in the future. The only constant is change - are you ready?