This article discusses the need for retail banks to continue moving forward with their digital transformation in the age of COVID-19 and explains why cryptography (when done right) can be a key enabler of a successful self-disruption process.
At a time when retail banking was already facing the challenges of circling its wagons and shifting its existing business and operating models, the COVID-19 pandemic has proven itself as the ultimate disrupter with its true damage not truly known as of yet.
Not only is this industry facing competition from newcomers to the banking sector, but now it must deal with an uncertain global economy and other sobering economic realities and losses that appeared to be signaling the real possibility of a recession unlike others dating back to the Great Depression.
While the pandemic setback has been a major bump on the road to streamlining business and operating models as banks move forward with their digital transformation, it is not a sign to ease up.
Now, more than ever, it is more important for retail banks to self-disrupt as they adjust to the “new normal.”
Retail banks must create a solid digital strategy, revamp their core processes, and implement the right IT infrastructure to:
- Reduce business risk
- Make processes digital from the beginning to the end
- Maintain compliance
- Ensure process security
Urgent Need to Update Compliance Priorities Embracing Fully Remote Working Processes
The COVID-19 pandemic has forced a need for compliance teams to access their projects and determine what processes they need to implement to minimize their organization’s risks while still meeting their commitments to their stakeholders. The bank’s compliance officers need to assess the strength and adaptability of their current operating models and consider how they are likely to be impacted by COVID-19.
One extremely critical issue facing retail banks is the shift to remote working for many bank employees. This introduces a great risk to retail banks that needs to be addressed by compliance teams to ensure that critical data is kept safe.
Adding to the urgency of this situation is that banks are under pressure to make up for lost revenue because of COVID-19 while preserving their high standards with respect to anti-money laundering (AML) and market conduct practices.
The European Banking Authority (EBA) advises to ensure “business continuity, adequate ICT capacity and security risk management.” EBA underlines the need for digital operational resilience. In the light of COVID-19, the updated Guidelines on ICT and security risk management (November 2019) will help focusing on priority areas, also with respect to compliance.
A second critical issue is that the customers act remotely. This includes, more than ever, the beginning of the contractual relationship, where physical presence is not possible or not desired.
A full end-to-end digitization of all customer processes requires a cryptographically sound and compliant on-boarding process, where the digital identity of a new customer can be created remotely in a fraud-protected way.
All this builds on the European Commission’s integrative set of regulations and standards including qualified trust services for electronic transactions to enable highly fraud-protected processes which do not require direct human contact.
A Need for Anticipating Impact Downstream
Like most other industries, retail banks are in unchartered waters because of the COVID-19 pandemic. This is not isolated to just one region because for the first time, all regions around the world are affected. The impact will vary across industries and will require banks to invest in extremely detailed scenario planning depending on the industry sector.
It will be necessary for banks to revisit their business continuity plans, not just considering current impacts, but how far the effects will spread 12 to 18 months from now. This includes payment & liquidity and credits. These plans now must extend to operating models that ensure banks have adequate controls for processes like Cybersecurity and AML.
The Push for Digitization
Yes, banks around the globe are facing great risks with the upheaval brought on by COVID-19. But they are at a higher risk for their hesitance in shaking up their institutional norms and practices at their core. For the most part, tactical improvement efforts that the banks have made so far have failed to deliver on the needed transformation. Considering the unprecedented challenges brought by the pandemic, the need for digitization is even more urgent.
Risk, treasury, and compliance functions are necessary to help retail banks respond to the present COVID-19 crisis. They are crucial to building strategies to ensure their long-term success going forward. Advanced technologies and practices including AI, and machine learning will play a critical part in streamlining the process of self-disruption. They can help deliver predictive, real-time insights that will allow for more efficiency and faster execution.
To make this a reality, it is imperative that the need for cryptography, to protect data, doesn’t become a bottleneck, but rather an enabler for self-disruption; while providing the security and flexibility for business continuity as the foundation for future prosperity.
The Need for Agile Cryptography
Many fundamental aspects of our modern digital world – finance, communications, e-commerce, national security – are built on the bedrock of cryptography.
With the growing threat of cyber attack, the broadening reach of privacy legislation, such as GDPR, and the increasing ease of employing encryption technology, the trend is towards encrypting all private data, especially data that is particularly sensitive or valuable in some way (e.g. personal or financial data).
The drive to encrypt everything, along with whole new rafts of applications associated with blockchain and IoT, creates an ever-increasing number of keys to manage. A flexible, centralized, enterprise key management system should be introduced before the scale of the problem gets away from you and your ability to protect cryptographic keys properly and demonstrate compliance are gone.
If quantum computing becomes a reality before reliable quantum-safe algorithms are available, then there will likely be a resurgence of symmetric key cryptography for key establishment, resulting in the need to manage, protect and securely distribute even more keys, maybe even using Quantum Key Distribution.
For applications that demand very high levels of assurance, hardware security modules (HSMs) are the best choice today and probably will be for many years to come. But it will become increasingly important to find better ways to manage HSMs and to decouple management of cryptography from the development of applications in order to increase crypto agility and simplify compliance.
High-assurance cryptography and cloud computing will remain uncomfortable bedfellows for the foreseeable future, but whatever solutions you apply to managing keys, using HSMs and increasing crypto agility, you’d better be sure they support the inevitable migration of applications to the cloud.
There is an emerging class of solution, which includes Cryptomathic’s Crypto Service Gateway (CSG), that takes standard HSMs and turns them into a service, hosted anywhere, and accessible to both cloud and on-premises applications alike.
This has numerous benefits, including efficiency, resilience and ease-of-use.
Simpler APIs reduce the burden on developers whilst putting control over cryptographic policy in the hands of a single, specialist team.
This promises to deliver the holy grail of crypto agility, as cryptographic parameters such as the choice of algorithm and key size can be managed centrally and thus changed quickly without impacting the applications that make use of them. This appears to be a promising solution to some of the challenges mentioned elsewhere in this article and is therefore likely to become increasingly popular over the coming 5-10 years, whilst Cloud HSMs remain immature.
There is no doubt that the next 10 years are going to see major developments in digitization and cryptography, and there are doubtless other topics we haven’t even touched on. The only constant is change - are you ready?
References and Further Reading
- Global Risk 2020: It’S Time for Banks to Self-Disrupt (2020), By Gerold Grasshoff, Matteo Coppola, Thomas Pfuhler, Stefan Bochtler, Norbert Gittfried, Pascal Vogt, and Carsten Wiegand at Boston Consulting Group
- Read more articles about secure banking-grade key management of MS-Dynamics (cloud or on premise) together with other cloud or datacenter applications (2019 - today), by Stefan Hansen, Ulrich Scholten and more
- How Value Creation Is Reshaping the Payments Industry (2017) by McKinsey Company
- McKinsey on Payments (January 2020), by McKinsey Company, Volume 12, Issue 30
- Composite Solutions for Consumer-Driven Supply Chains (2010), by Simone Scholten, Ulrich Scholten and Robin Fischer. In: Bogaschewsky R., Eßig M., Lasch R., Stölzle W. (eds) Supply Management Research. Gabler
- Banking-as-a-Service - what you need to know (2016), by Ulrich Scholten