FSTUS14 by GDS International

TRUSTWORTHY TITAN US Bancorp’s Richard Davis on why reputation counts in unsettling times RECIPE FOR SUCCESS Manage the ingredients of risk correctly, and you’ll be left with a veritable feast

www.usfst.com • Q1 2011

HANDLE WITH CARE How to maintain diligence when protecting important financial data

Wiki... leaked RICHARD SCOTT, GUARDIAN LIFE P64 Cover FST.indd 6

The financial services industry faces a host of new ‘hacktivist’ threats. Is it ready?

| JOHN PARKINSON, AXIS CAPITAL P70 | CATE LUZIO, JP MORGAN P74 25/02/2011 13:45

MICROSOFT AD2.indd 2

22/02/2011 11:05

QUEST AD.indd 1

22/02/2011 11:05

QUEST AD.indd 2

22/02/2011 11:05

ATRADIUS DPS1.indd 1

22/02/2011 11:04

ATRADIUS DPS1.indd 2

22/02/2011 11:04

RIM.indd 2

17/11/2010 09:34

RIM.indd 3

17/11/2010 09:34

McAFEE AD.indd 1

15/02/2011 15:09

FROM THE EDITOR 9

An ever-evolving threat As security re-emerges as a corporate priority following the Wikileaks DDoS attacks and other recent events, how are financial institutions responding?

s I’m typing this, the internet in the office has just gone down. Server maintenance? Data packet overload? Faulty network connection? Or something more sinister? In the current climate where online threats abound, it’s easy to feel paranoid. In the past year alone we've had the Stuxnet Worm, the WikiLeaks affair, China originating attacks against Google and others, and the Egyptian internet blackout. And while cyber security never really went away, it’s true to say that given the events of recent months it’s now firmly back on top of the financial industry’s list of priorities. It’s not simply a case of same shit, different day either: the threats financial institutions face today are light years removed from those of even just a few years ago. Botnets, Trojans, viruses and worms are still prevalent, but they’ve now been supplemented by techniques such as spear-phishing and clickjacking. The rise of social networking has also opened companies and individuals to threats from a variety of hackers, spammers and plain old crooks. Indeed, all the corporate soul searching and mandated risk assessments that have sprung up in the wake of such attacks have made one thing painfully clear: some of the most damaging security breaches originate from inside an organization’s own firewall. And it’s not just careless Facebookers who are causing the damage. According to the 2011 Cyber Security Watch Survey conducted by CSO magazine, security breaches caused by once-trusted employees and contractors account for one in five attacks across all industry sectors. Moreover, the consequences of such events can be significant: insider security breaches are more costly than those by outside hackers, according to one-third of the survey’s respondents.

Ed Note.indd 9

So what can banks do to mitigate the threat? In this issue of FST, we take a look at both the threats and the possible solutions. Our cover story examines what the fallout from the WikiLeaks affair means for financial institutions, while elsewhere we look at the steps – both obvious and more complex – banks need to take to ensure security is an integral part of the organizational culture. We also hear from Annelie Schnaar-Campbell, Group Director of Risk Management at Standard Bank, on why banks need to take a new approach to risk in the wake of recent incidents. Financial services are increasingly dependent on interlinked high-frequency transactional systems – exactly the type of globally connected platforms that cyber malcontents like to hit – and as such institutions need to beef up their resilience to potential assaults. It’s a major challenge, because if we don't get better with security, we run the risk of people losing trust in the internet – and by extension, in the financial services industry itself. Following hot on the heels of the reputational damage caused by the financial crisis, that’s a scenario the sector just cannot afford.

“A bank is a safe haven when you don’t have a place to put your money, a place to go when you have a dream you need to accomplish, and a collection of people who independently have a mission greater than funding and collecting deposits because they’re changing the world a little bit” Richard Davis, CEO of US Bancorp (p32)

Ben Thompson Managing Editor

25/02/2011 13:35

NCR MULTI AD.indd 1

15/02/2011 15:09

CONTENTS 11

Under attack

38 32

Subsequent attacks following the WikiLeaks fall out caused a furore in the ďŹ nancial services industry. Lorna Davies asks: Is there anything organizations can do to protect themselves?

Know your enemy Mark Logsdon of Barclays discusses the need for a tough approach when battling against security threats, and explains how his organization is winning the war

In safe hands

Managing Editor Ben Thompson looks at how US Bancorp is plotting a steady course through the recession that has both customers and investors purring

The right ingredients Risk is a standard ingredient in the recipe of any bank, but as Annelie SchnaarCampbell explains, itâ&#x20AC;&#x2122;s how you manage those risks that will leave you with the taste of success or failure

CONTENTS.indd 11

25/02/2011 13:50

STISYSTEM AD.indd 1

15/02/2011 15:10

CONTENTS 13

60 Facing down the security threat In the battle to beat security fraudsters, banks increasingly have to pull rabbits out of hats

64 It’s all in the teamwork Being the CTO of a national organization working with thousands of employees is no mean feat. Richard Scott of Guardian Life Insurance tells FST how he stays on top of the challenge

70 The sandbox system AXIS Capital’s John Parkinson outlines how important the role of innovation is becoming for ﬁnancial institutions

74 The new migration Cate Luzio, Head of International Commercial Cards at JP Morgan, explains why global card programs bring great beneﬁts

82 Agility: the insurer’s insurance policy A new report highlights key drivers to promote growth for insurers in 2011

86 Business as usual Vinod Kachroo of MetLife talks to FST about the importance of leveraging new technologies in order to maintain and improve your organization’s ‘business as usual’ objectives

INDUSTRY INSIGHT

68 Experiencing turbulence Citigroup’s Christine Kincaid fans away the confusion to unveil the true core of cloud computing

58 Venkat Mullur, Tibco 44 Tim Upton, TITUS 44 Anthony Macciola, Kofax

74 In profile

EXECUTIVE INTERVIEW 56 Brian Contos, McAfee 80 Bob Tramontano, NCR

Paypal’s President Scott Thompson

ASK THE EXPERT

50 Allan Carey, Netwitness 72 Barry McCarthy, First Data 84 Doug Cox, GMC Software Technology

DETAILS

70 CONTENTS.indd 13

94 Top tips for today’s leader 96 City guide 99 Books 100 Objects of desire 102 Agenda 104 Photo ﬁnish

25/02/2011 13:51

Find Out More – Contact FST (+1) 212 796 2952

www.fstsummitus.com 5-7 April 2011 The Four Seasons Hotel, Miami

Legal Information The advertising and articles appearing within this publication reﬂect the opinions and attitudes of their respective authors and not necessarily those of the publisher or editors. We are not to be held accountable for unsolicited manuscripts, transparencies or photographs. All material within this magazine is ©2011 FST.

Chairman/Publisher Spencer Green Worldwide Sales Director Oliver Smart Finance Director Jamie Cantillon Design Director James West Managing Editor Ben Thompson Editor Lorna Davies Contributors Ian Clover, Lucy Douglas, Nicholas Pryke, Sharon Stephenson Print Director Andrew Hobson Associate Designers Dan Clayton, Élise Gilbert, Michael Hall, Crystal Mather, Cliff Newman, Catherine Wilson Online Editor Jana Grune Project Director Heather C. Briden Sales Manager Lee Carlson Sales Executives Lauren Mittleberg, Brandon Harp, Rebecca Sachs Production Director Lauren Heal Production Coordinators Renata Okrajni, Aimee Whitehead VP North America Jason Green Operations Director Ben Kelly IT Director Karen Boparoy

The FST Summit is a three-day critical information gathering of the most influential and important executives from across America. The FST Summit is an opportunity to debate, benchmark and learn from other industry leaders.

A Controlled, Professional and Focused Environment

Marketing Director Jake Mazan

Subscription Enquiries +44 117 9214000, www.usfst.com General Enquiries info@gdsinternational.com (Please put the magazine name in the subject line)

Letters to the Editor letters@gdspublishing.com

It is a C-level event reserved for 100 participants that includes expert workshops, facilitated roundtables, peer-to-peer networking, and coordinated technology meetings.

A Proven Format This inspired and professional format has been used by over 100 executives as a rewarding platform for discussion and learning.

CREDITS.indd 14

GDS International GDS Publishing, Queen Square House 18-21 QueenSquare, Bristol, BS1 4NH Tel: +44 117 9214000 E-mail: info@gdsinternational.com

25/02/2011 13:27

SIEMENS AD.indd 1

24/02/2011 10:00

UPFRONT

22 28

FSTUS 14 UPFRONT.indd 16

What does President Obama’s 2011 Budget Proposal reveal about the state of America’s finances?

CUTTING 25/02/2011 14:54

NEWS IN BRIEF 17

G TOO DEEP? FSTUS 14 UPFRONT.indd 17

25/02/2011 14:54

NEWS IN BRIEF 18

Obama must remember his former voice to enable long-term sustainability n the day when many awoke to red roses from loved ones or were manically spending their hard-earned dollars on expensive candy, President Obama had more stringent spending in mind. He proposed his 10-year budget plan on Valentine’s Day, Monday February 14, and spent the next few days defending it. Touting his $3.73 trillion budget, Obama urged the kind of teamwork that was achieved late last year in extending tax cuts for Americans. “I recognize that there are going to be plenty of arguments in the months to come, and everybody’s going to have to give a little bit,” he said in the hour-long news conference. Mr Obama’s budget proposal is seen as an opening bid in the long process of negotiation with House and Senate leaders of both parties as Republicans press for deeper cuts. “I think it is important to make sure that we don’t use a series of symbolic cuts,” the president urged. “It’s going to be about everybody having a serious conversation about where we want to go, and ultimately getting in that boat at the same time so it doesn’t tip over.” Working together seemed to be top of the president’s agenda, or was it? Hours after Obama said he wanted to work with Republicans

FSTUS 14 UPFRONT.indd 18

to reduce the deficit he threatened to veto a Republican bill to reduce spending. It all shows how difficult it’s going to be to find a common ground to reduce the nation’s $14 trillion debt. “Let’s use a scalpel, let’s not use a machete,” said the president, but Republican’s are asking, is this enough? Amid harsh criticism that it does little to rein in the burgeoning US deficit and costly entitlement programs such as Medicare and Medicaid, the President came to the defense of his 2012 budget. The proposal aims to cut $1.1 from the nation’s deficit over the decade. “You cut back on what you can afford to focus on, what you can’t do without. And that’s what we’ve done with this year’s budget,” the president said in his first news conference of the year. “What my budget does is to put forward some tough choices, some significant spending cuts, so that by the middle of this decade, our annual spending will match our annual revenues. We will not be adding more to the national debt,” he said when asked about the GOP criticism. “We’re not going to be running up the credit card anymore.” Obama describes the proposal as a “down payment” on future cuts to the US budget deficit. He said “we can’t sacrifice future” with drastic cuts, a view the Republicans do not agree with. “Presidents are elected to lead and address big challenges,” Republican House budget committee chairman Paul Ryan of Wisconsin told reporters. “The big challenge facing our economy today is that our country

25/02/2011 14:54

NEWS IN BRIEF

tomorrow is facing this debt crisis. He’s making it worse, not better.” This more gentle approach is in contrast to the president’s 2009 comments. Upon taking office, Obama promised that his administration would confront difficult challenges and not “kick the can down the road.” In 2010, under pressure to honor this promise, he created a bipartisan deficit commission to address the unsustainable spending growth in programs such as Social Security, Medicare and Medicaid. “This can’t be one of those Washington gimmicks that lets us pretend we solved a problem,” he said at the time. “I refuse to pass this problem on to another generation of Americans.” In 2011, after the commission reported specific entitlement reforms, Obama is, effectively, kicking the can down the road. The Washington Post gave the opinion that Obama, faced with permanent trillion-dollar deficits, produced a budget that abandoned the reforms of Social Security, Medicare and Medicaid necessary to prevent an eventual fiscal and economic calamity. Deficit commission co-chairman Erskine Bowles concluded that the president’s budget is “nowhere near where they will have to go to resolve our fiscal nightmare.” Senate Budget Committee Chairman Kent Conrad, North Dakota Democrat, added that the budget proposal “puts at risk the economic security of this country” and “cannot be the answer for this country’s fiscal future.” Countries that finance US debt certainly noted that Mr. Obama‘s budget includes no plan for long-term fiscal sustainability. The question is how long they will continue lending to a government that us making smaller cuts rather than confronting budgetary reality. In the absence of entitlement reform, Mr. Obama touted his proposed five-year freeze of non-security discretionary spending – a freeze that he says eventually would reduce this spending to 1950s levels as a share of the economy. Mandatory spending is expected to continue to rise. The proposal includes cuts to low income home energy assistance and community service lock grants as well as cuts in the Environmental Protection Agency’s budget – including reducing funds restore the Great Lakes’ environmental health. Mr. Obama wants to spend more on education, announcing plans to spend more to train math, science and engineering teachers and to expand effective programs. The Energy Department gained a boost to its budget, with a 12 percent increase from 2010 – including increases for clean energy programs. These new priorities see areas long favored by Democrats slashed to make room for increases aimed at boosting the economy. After months of trying to forge a friendlier relationship with the business community, Obama’s new budget plan is a worrying deja-vu for many executives. Oil and gas companies, banks and multinational firms have to face more than $200 billion in higher taxes – an idea that has previosuly inflamed corporate America. With law makers and Republicans clamoring for bold action, Obama’s cautious proposal has ruffled feathers. He has left many big decisions out – how to hold back rising health care costs, how to make Social Security self-sustaining, how to pay for new transportation projects, but would Republicans be happy if harsher cuts were made? The budget will still leave spending at historically high levels because of mushrooming health and retirement programs, but it will reduce the federal deficit over time. Although unlikely, if Congress accept all the president’s proposals and the economy recovered, the federal deficit would fall from 10.9 percent of GDP this year to three percent, Obama’s goal in 2017 – an optomistic thought.

President Barack Obama’s budget proposal for the fi scal year 2012

Media queue up to receive advance copies of President Obama’s fiscal year Budget

Under scrutiny: US Senate Budget Committee staff assistant Sam Armocido unpacks President Obama’s fiscal year 2011 Budget

FSTUS 14 UPFRONT.indd 19

25/02/2011 14:54

INTERNATIONAL NEWS

International News

GUINEA

FRANCE

Guinea’s President Alpha Conde has said the military junta that held power before he was elected has left the country bankrupt. Mr Conde told the BBC the army leaders had spent more money in two years than in the 50 years from independence in 1958. “It was like they were spending money as if there is no tomorrow,” he said. In December, Mr Conde, a veteran opposition leader, was declared the winner of Guinea’s ﬁrst democratic election in 52 years. He took over from the military junta that had seized power in December 2008 on the death of the previous president, Lansana Conte, who had ruled for 24 years.

Goldman Sachs is buying a minority stake in AppSense for $70m and putting managing director Peter Perrone on the British software company’s board. The money will be used to expand AppSense in the US, in a sector expected to boom to as much as $2bn in the coming years. AppSense, based in Warrington, England, specializes in “user virtualization” software, which allows a company’s employees to access documents and programs in any location on any device. The 12-year-old company already has ofﬁces in the US, Germany, Australia and the UK, and is on track for 60 percent revenue growth this year.

French search engine 1plusV is the latest to join a rally of complaints surrounding search engine giant Google. The complaint about Google’s alleged anti-competitive behavior follows similar complaints from price comparison site Foundem and legal search ejushice.fr last year. These complaints triggered the ongoing European Commission probe into Google’s business practices. Google said that it was working with the EC, adding that there was “always room for improvement” .“We have been working closely with the European Commission to explain many different parts of our business,” the ﬁrm said in a statement. 1plusV – the parent company of eJustice. fr – said that between 2008 and 2010 Google prevented vertical search ﬁrms from using it’s online advertising service AdSense.

FSTUS 14 UPFRONT.indd 20

25/02/2011 14:54

LIBYA

CHINA

JAPAN

Tensions rise and fighting continues between opposition and supporters of Colonel Muammar al-Gadaffi in Libya. The leader of 41 years has so far denied reports he’s fled the country. He gave a brief statement saying: “I am in Tripoli and not in Venezuela. Don’t believe those dogs.” Wheat has extended a collapse and corn and soya beans also fell as traders speculated that a jump in energy costs caused by protests across North Africa and the Middle East will curb growth in demand for grains. Riots already ousted leaders in Egypt, the world’s biggest wheat importer, and in Tunisia, and opposition groups have seized control of eastern cities in Libya.

Workers in China injured while making touchscreens for cellphones – including iPhones – have written to Apple chief executive Steve Jobs asking him to do more to help them. Around 137 workers suffered adverse health effects following exposure to a chemical, known as n-hexane. The Taiwanese factory owner, Wintek, has given compensation – but they say it’s not enough. Wintek said that it used the chemical in place of alcohol because it evaporated more quickly, thus speeding up touchscreen production. It has now reverted back to alcohol after workers experienced faintness and tiredness, sweaty hands and feet, numbness in hands and swelling and pain in feet. Some claim they are still suffering ill effects.

Moody’s Investor Services has cut its outlook on Japan’s credit rating to “negative” from “stable” causing concerns about the country’s debt levels. Moody’s currently rates Japan’s government debt at an Aa2 level. In January, Standard & Poor’s – a rival company to Moody’s – downgraded Japan’s credit rating from AA to AA-, also citing debt concerns. The heightened concern that Japan’s economic and ﬁscal policies may not prove strong enough to achieve its deﬁcit reduction target prompted the action.

FSTUS 14 UPFRONT.indd 21

25/02/2011 14:54

BREAKING BOUNDARIES

WHAT DO I KNOW?

Development

Research

Peter Hobbs has widespread experience of advising investors across European, US and Asian markets. As Senior Director of Group Business Development at IPD (Investment Property Databank), he is focused on developing the commercial strategy of the company. This includes responsibility for three main areas of IPD: product development, marketing and overall research. FST asked him to share some of his expertise in heading up a successful company in this challenging time. What would you say are the biggest trends and challenges affecting the research industry right now? Over recent years, real estate has become established as the dominant ‘alternative’ asset, driven by its performance behavior and attractiveness to institutional investors around the world. But it remains an ‘alternative’ and has been deeply impacted by the global fi nancial crisis, so research continues to play a big role in helping the industry to mature. Th is revolves around improved understanding and better risk management throughout the industry. How has IPD tackled these challenges and grown throughout the global fi nancial crisis? The fi nancial crisis has generated significant stress throughout the industry. Th is stress has increased demand for better information and improved risk management, and IPD has responded to these trends by focusing its ac-

FSTUS 14 UPFRONT.indd 22

tivities on those markets (such as US and UK) and industry sectors (such as banks and global real estate managers) with the greatest need for assistance in these areas. What advice would you give to those in the financial services industry wishing to succeed in a harsh economic climate? The experience of IPD through the crisis reaffi rms three important themes that have driven IPD’s growth through its history. First: strong technical development to enable the creation of innovative business tools and applications. Second: a focus on the needs of customers and the ways they vary through the economic cycle, from country to country and by segment. Th ird: the building of a wellco-ordinated and collaborative team straddling global markets, to ensure local innovation whilst preserving a strong global framework and brand. Founded in the UK in 1985, IPD began by compiling data and developing benchmarking services for leading commercial property investors. Building up its propertyby-property information, IPD soon became the UK’s first reliable index of property returns, and the approach started to be deployed in markets outside of the UK. Today, with a staff of over 300, we operate in over 20 countries including US, Canada, Australia, New Zealand and Japan. Earlier this year we were awarded the Queens Award for International Trade, after already having received the award in 2005.

25/02/2011 14:54

The industrialization of hacking

Prior to joining IPD, Dr. Hobbs was Managing Director at Deutsche Bank, working as Global Head of Real Estate Research for RREEF, the real estate division of Deutsche Asset Management. He was responsible for leading the company’s global research coverage. IPD is a global real estate information business with services related to the commercial real estate market, producing research and analysis for some of the world’s leading real estate investors, occupiers, advisors, lenders, analysts and researchers. The company is the world leader in performance analysis for the owners, investors, managers and occupiers of real estate. To guarantee independence IPD do not participate in real estate investment markets and do not offer consultancy advice on investment decisions or other real estate issues. IPD offer: real estate performance analysis; market indices; research and publications; and events and training in most of the real estate markets it operates in. “The way we work is designed to give you clear, timely information and the research and the training you need to understand the world of real estate and performance analysis and making it work for you. In order to meet your evolving needs we are continually refi ning our services and adhere to the highest standards of real estate data collection, validation, processing and reporting.” IPD says.

ust as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today’s cybercrime industry has similarly transformed and automated itself to improve efﬁciency, scalability, and proﬁtability. The industrialization of hacking coincides with a critical shift in focus. Previously, hackers concentrated attacks on breaking perimeter defenses. But today, the goal has changed. The objective is no longer perimeter penetration and defense. To paraphrase a popular political slogan, “it’s the data, stupid.” Today’s hacker is intent on seizing control of data and the applications that move this data. Today’s complex hacking operation now utilizes teamwork, global coordination and sophisticated criminal techniques designed to elude detection. The machine of choice is the botnet – armies of unknowingly enlisted computers controlled by hackers. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results. Today’s consumer must learn to rely on automatic operating system updates and anti-malware software to protect personal data and avoid becoming part of the botnet army. The real burden, however, falls on enterprises, which must protect sensitive data and shield applications from malicious attacks. These organizations can adapt to the evolving threatscape by adjusting security strategies to deal with the growing number of automated and highvolume attacks by: Fighting automated attacks with: • CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart). This technique attempts to distinguish humans from bots by presenting a distorted picture that users must correctly identify before admittance into the application. An example of CAPTCHA:

• Adaptive authentication: This technique mitigates several automated attacks, including password and cross-site request forgery attacks. When dealing with highly sensitive transactions and when automation is suspected, applications must be armed with additional authentication dialogs throughout a user session. These additional authentication steps rely on previously supplied personal information from the user, such as a pet’s name, favorite movie star, or a mother’s maiden name. • Access and click rate controls: This technique monitors and detects the difference between a human browsing the Web versus faster, automated, botnet-controlled Web browsing. Quickly identifying and blocking the source of malicious activity: Knowing the IP address of commonly used attack platforms can quickly reduce attack volume. Strategically enhancing defenses with forensics from recent attacks and introducing reputation based controls: Leveraging unique and identifiable characteristics from third party attacks to better help filter Web traffic. Today’s cyber warriors cannot use yesterday’s technology to fight tomorrow’s cyber war. Attack campaigns are constantly launched not only against high profile applications but against any available target. An application may be attacked for the value of the information it stores or for the purpose of turning it into yet another attack platform. Protecting data using database and application level security solutions is a must for any organization to succeed against a strengthening foe. About Imperva Imperva is the global leader in data security. Our customers include leading enterprises, government organizations and managed service providers who rely on Imperva to prevent sensitive data theft by hackers and insiders. The award-winning Imperva SecureSphere is the only solution that delivers full activity monitoring for databases, Web applications and file systems. To learn more about Imperva’s solution visit http://www.imperva.com.

FSTUS 14 UPFRONT.indd 23

25/02/2011 14:54

Factfact Bank closures in poorer places The number of bank branches in the US fell from 99,950 to 98,517 last year, official figures show, the first drop in 15 years. However, the data shows that while banks closed in poorer areas, they expanded in wealthier ones, despite complaints about regulation.

Mark Madoff suicide

NEWS IN BREIF

M 24

We’re still spending too much pparently nothing can stop the majority of U.S. inhabitants from overspending at the mall. Consumer spending rose 0.7 percent at the end of 2010 – a bigger jump than expected and more than double the 0.3 percent rise in the month before. The problem lies in the fact that the income of the average American only rose 0.4 percent – meaning spending rose nearly twice as fast as income. Top US GDP forecaster Herrmann says the world’s largest economy will expand in 2011 at the fastest pace in six years as American consumers boost spending. John Herrmann, a senior ﬁxed-income strategist at State Street Global Markets LLC, forecasts for gross domestic products. His estimates were the most accurate over the past year according to data compiled by Bloomberg News. He now estimates that all goods and services produced will grow three percent this year, the most since 2005. He said household purchases will also climb three percent after rising 1.8 percent in 2010, as stock-market surge lines the the ﬁrst gain in three years. wallets of the wealthy. It appears well off shopAt the other end of the specpers are driving the increase trum – Wal-Mart Stores Inc., the in consumer spending with world’s largest discount retailer sales up at Tiffany & Co. and has reported that “everyday Coach Inc., helped by demand Americans” are living paycheck for $6000 diamond pendants to paycheck as they await an imand $1200 leather handbags provement on job prospects.

FSTUS 14 UPFRONT.indd 24

ark Madoff, the eldest son of disgraced financer Bernard, was found hanged in his Manhattan apartment in December. This latest casualty is another in the saga that sent Bernard Madoff to prison and swindled thousands of their life savings. The suicide took place on Saturday December 11 – the second anniversary of his fathers arrest for the worst investment fraud in American history. Mark Madoff, 46, was found dead in the living room of his Soho loft. He was hanging from a black dog leash while his 2-year-old son slept nearby. Those closest to Mark Madoff said he was despondent over press coverage of his father’s case, an ongoing criminal investigation of Madoff family members in the multibillion-dollar scheme and his struggle to rebuild his life. The convicted Ponzi-schemer Bernard will not attend the funeral of his son out of consideration for his daughter-in-law and grandchildren, attorney Ira Sorkin said. Bernard, 71, is at the Butner Federal Correction Complex, a medium security prison in eastern North Carolina, where he is serving a 150-year prison sentence. Madoff fooled investors out of their money by masquerading as the head of a legitimate investment firm while using funds from new investors to send payments to his earlier investors, falsely portraying them as proceeds when they were actually stolen money, prosecutors said. Madoff’s criminal activities began a tidal wave of civil actions against Mark Madoff, his mother, siblings and hundreds of other defendants, accused of profiting off the Ponzi scheme by withdrawing more money from Madoff’s fund than they invested, money they presumably thought was investment income.

25/02/2011 14:54

Businesses work their cash

Head to head Apple is still the No. 1 smartphone manufacturer, as it has been for over a year, but there are signs that the iPhone is approaching saturation in the developer community. In a Millenial survey, Android was the No. 1 platform developers plan to support in 2011, with Microsoft’s Window Phone 7 and the iPad tied for second. The iPhone was relegated to fourth place, after the Blackberry. The extraordinary growth of Google’s Android phones can be traced in six months of smartphone advertising data from Millenial Media, the largest independent mobile ad network. Through a series of pie charts, they show Android overtaking Research in Motion’s (RIMM) Blackberry between June and July in ad impressions, gaining rapidly on Apple’s iPhone between July and September and ﬁnally coming even with iOS in October with a 37 percent share apiece. However, Millenial’s November report shows that Android and iOS tied for the second month in a row, at 38 percent each. After six months of gains, there is now something that looks like equilibrium.

NEWS IN BREIF

tandard & Poor’s 500 companies have reduced cash and shortterm investments to $2.4 trillion from a record $2.46 trillion, the first decline since mid-2009. The data compiled by Bloomberg from their most recent quarterly reports also showed that Capital spending increased $22.3 billion, the biggest quarter-to-quarter jump since the end of 2004, to $142.8 billion, the highest level in two years. S&P bellwethers Cisco Systems Inc., General Electric Co. and Coca-Cola Co. have increased budgets for stores and new plants and distribution centers. While some money is being sent abroad, company officials say they are dipping in to the home turf budget as well. A rebound economic demand, President Barack Obama’s efforts this year to court business leaders, and Republican gains in Congress have helped build confidence to invest and start adding jobs, executives and investors said. Cisco Chief Executive Officer, John Chambers said: “What you’re seeing is business and government learning to work together. There are good steps starting to occur, but they are just initial steps,” in an interview with Bloomberg. Cisco is the largest provider of networking equipment. The company had $326 million in capital spending in each of its two most recent quarters, the most since the height of the global financial crisis in October 2008. Last year US companies’ accumulated record cash last year after they slashed pending, shut factories and fired workers in 2008 and 2009 to cope with the worst recession since the 1930s. The lack of investment took its toll on the nations job market, with the unemployment rate averaging at 9.6 percent in 2010. An increase on spending this year may help lower the rate to 9.2 percent, the average estimate of 87 economists in a Bloomberg poll. The US financial system is fitter than it was before the recession and is well placed to provide the funding needed for the economic expansion, Treasury Secretary Timothy F. Geithner has said. “The core of the American financial system is in a much stronger position than it was before the crisis,” Geithner told reporters in Washington. US banks had a net income of $87.5 billion in 2010, the highest since 2007, the Federal Insurance Corp. said. The Standard & Poor’s 500 index has jumped 64 percent since March 2009, and corporate bond spreads have narrowed. “We can say with much more confidence now that the US banking system and the US capital market are much more likely to be in a position to finance the capital needs that come with recovery,” Geithner said.

Factfact Wall Street paid out $20.8 billion in cash bonuses in 2010, the ﬁfth-highest amount on record, though the average payout fell 9 percent from a year earlier as ﬁnancial reform drove banks to offer higher base salaries and defer more compensation. The average cash bonus in 2010 was $128,530, according to a report by New York state comptroller Thomas DiNapoli.

FSTUS 14 UPFRONT.indd 25

25/02/2011 14:55

Google unveils One Pass system

COMPANY INDEX

oogle has launched a new payment system that allows users to subscribe to online content for a 10 percent commission fee. The move comes after rival Apple was criticized for charging 30 percent of the sale price for its payment system. One Pass will work on tablets, smartphones and Google-related websites and will launch initially here in the USA, as well as Canada, the UK, France, Germany, Italy and Spain. The announcement was made on Thursday, February 16 – just one day after Apple announced new rules for publishers selling subscriptions on its iOS platform. Apple says companies must now offer users the option to buy directly through an iTunes account – handing 30 percent of the price to Apple. Previously, vendors were allowed to direct customers to an external website, keeping all the profi ts. Lee Shirani, the company’s director of business product management, wrote on a blog posting: “Publishers can customize how and when they pay for content while experimenting with different models to see what works best for them.” Google’s new approach is being described as a competitive blow aimed directly at Apple’s online subscription business. The search engine giant describes One Pass as: “A payment system that enables publishers to set the terms for access to their digital content. It offers purchase-once, view-anywhere functionality, so users can view the content they buy across all of their devices,” on the official Google blog – where the new service was first introduced. Users will have single password access to content on mobile, tablet or online to access all their content. The intention is that current subscribers won’t have to re-subscribe when accessing content in different ways. One pass will allow customizable methods of charging for content “offering subscriptions, metered access, ‘freemium’ content or even single articles for sale from their website or mobile apps.” Google hopes that the service will help increase the number of publishers currently cautious of creating paid for digital content. Google Checkout integration will mean that payment will be processed and managed via One Pass, so doing away with the need for third party payment systems. Developers opting for One Pass will find they retain 20 percent more revenue than what Apple will keep from in app subscriptions. Apple may face competition investigation over their demands, which may lead them unfairly dominating the market. The Wall Street Journal has said: “Publishers, for example, might claim that Apple dominates the market for consumer tablet computers and that it has allegedly used that commanding position to restrict competition. Apple, in turn, might define the market to include all digital and print media, and counter that any publisher not happy with Apple’s terms is free to still reach its customer through many other print and digital outlets.”

FSTUS 14 UPFRONT.indd 26

COMPANY INDEX Q1 2011 Companies in this issue are indexed to the first page of the article in which each is mentioned. Atradius ................................................................................................................................................ 4 Amazon ............................................................................................................................................... 38 Axis Capital ........................................................................................................................................ 70 Barclays................................................................................................................................................46 Berkshire Consultant Ltd ...............................................................................................................94 Blackberry ............................................................................................................................................. 6 Cap Gemini ......................................................................................................................................... 82 Cisco .....................................................................................................................................................88 Citigroup ............................................................................................................................................68 First Data ...................................................................................................................................... 72, 73 Frost & Sullivan ................................................................................................................................ 60 GMC Software ........................................................................................................................... 84, 85 Guardian Life Insurance .................................................................................................................64 Imperva ........................................................................................................................................ 23, 27 iStrategy ............................................................................................................................................. 92 JP Morgan .......................................................................................................................................... 74 Kofax .................................................................................................................................. 90, 91, OBC MasterCard ........................................................................................................................................ 38 McAfee ..................................................................................................................................... 8, 55, 56 Meettheboss TV...............................................................................................................................101 MetLife ................................................................................................................................................86 Microsoft ...........................................................................................................................................IFC Moody’s Analytics ......................................................................................................................... IBC Nuance ................................................................................................................................................98 NCR ......................................................................................................................................... 10, 80, 81 NetWitness .................................................................................................................................. 50, 51 PayPal ............................................................................................................................................38, 78 PWC ..................................................................................................................................................... 60 Quest Software ...................................................................................................................................2 Radware .............................................................................................................................................. 38 Siemens ............................................................................................................................................... 15 STI Systems ...................................................................................................................................12, 83 Standard Bank ....................................................................................................................................52 Tibco ..............................................................................................................................................58, 59 TITUS ............................................................................................................................................ 44, 45 Unisys ..................................................................................................................................................66 US Bancorp .........................................................................................................................................32 Vendorcom ........................................................................................................................................ 38 Visa ...................................................................................................................................................... 38 Xerox ............................................................................................................................................. 37, 42

Don’t miss… Leveraging new technologies to improve your business (p86) Top tips to be a better leader (p94)

General Motors back on track

eneral Motors has reported its first annual profit since 2004, topping an impressive turnaround for an automaker previously plagues with troubles. The profit has come from a rebound in US sales, strong growth in China – now GM’s largest market – and a much lower cost structure after a 2009 journey through bankruptcy. GM’s bankruptcy was financed by the US and Canadian governments and allowed the company to get rid of mounting debt, four of its weaker brands, excess factories and many other costs. The nation’s largest automaker, GM earned $4.7 billion for the year. This total ends a string of five years of losses during which the debt topped $100 billion. The profit was the biggest at the company since 1999.

25/02/2011 14:55

IMPERVA AD.indd 1

22/02/2011 09:10

Top 10 emerging financial centers 1 Toronto

The city recently unveiled a plan to become “one of the two leading financial clusters in North America and one of the top five to seven global centers.” In regional terms, Toronto is already a player: it’s the third largest North American financial services center after New York and Chicago, based on direct employment, as well as the fastestgrowing. It’s also the hub for Canada’s banks, security firms, insurers and mutual funds.

TOP 10

2 Luxembourg

Luxembourg is growing as a ﬁnancial center because of its Swiss-like secrecy rules. There’s plenty to ﬁnd attractive: it claims to be the second largest investment fund centre in the world after the United States, the premier captive reinsurance market in the European Union and the premier private banking center in the Eurozone. It’s also the second-largest mutual fund market after the US.

Paulo 3 Sao As Brazil emerges as Latin America’s leading economy, investors are increasingly looking to Sao Paulo. Brazil’s bank-

FSTUS 14 UPFRONT.indd 28

ing sector is relatively underdeveloped and security remains a concern in Sao Paulo, but there’s much on the upside: the country has exhibited stability across its banking system through the current crisis, and a high degree of IPO activity means it is strong in non-banking ﬁnancial services too.

4 Zurich As British regulators continue to go after bonuses, bankers are fleeing to Switzerland. Long a financial center known for equity and foreign exchange markets, Zurich does well in international rankings, with traditional strengths in asset management and private banking sectors. However, Switzerland’s competitiveness has been impacted somewhat by the continuing difficulties experienced by major Swiss banks.

5 Shanghai In April 2009, the Chinese government declared it wanted to make Shanghai an international ﬁnancial center by 2020. And when the Chinese government declares something, it usually makes it happen. Adding to the surge is China’s

25/02/2011 14:55

continued economic growth and potential ﬁnancial reforms, like index-tracking ETF funds, foreign companies listing on local exchanges and ﬁnancial and commodity futures.

6 Hong Kong

Hong Kong has long been an Asian financial hub because of its gateway role to China and banking-friendly special administrative status. Hit by the financial crisis, it still had the most IPO proceeds in the world last year, plus strong hedge fund and M&A activity. It has a deeper pool of financial services than Shanghai, with insurance, law, accounting and other professional service firms already well established.

7 Singapore Singapore’s developed and efﬁcient banking sector make it an important player on the global stage. An October 2009 Bloomberg Global Poll found that the tiny country had topped New York as investors’ preferred place for doing business, second only to London. Still, Singapore’s playing catch-up to Hong Kong: the special Chinese region has more hedge fund, IPO and M&A activity.

is reeling from the financial crisis and faces crushing government debt. But Japan’s financial sector is healthy, the country’s banks are sizeable and efficient and similar strengths are seen across non-banking financial services such as IPO and M&A activities and insurance. It’s still an important regional hub.

9 Johannesburg

Unusually, Johannesburg is poised to be the ﬁnancial hub of a whole continent – a region that represents more than 900 million consumers and is one of the world’s fastest growing markets. The South African city has the most developed business infrastructure south of the Sahara, and South Africa generally gets strong marks for its ﬁnancial sophistication.

10 Dubai

Asian ﬁnancial center despite doubts about Japan’s economy, which

FSTUS 14 UPFRONT.indd 29

TOP 10

8 Tokyo Tokyo remains a critical

In 2009 Dubai was forced to take a $10 billion bailout from Abu Dhabi and remains in serious financial trouble. Still, it is the regional headquarters for financial powerhouses like Goldman Sachs, Citi and JPMorgan Chase, and the Dubai International Financial Center offers perks including 100 percent foreign ownership, zero percent tax on income and profit, no restriction on foreign exchange and the freedom to repatriate capital and profits without restrictions.

25/02/2011 14:55

Nokia Siemens in talk

okia Siemens Networks Chief Executive Officer Rajeev Suri said the joint venture of Nokia Oyj and Siemens AG is in talks with “a few” private equity firms. If the pair were to add another owner the benefits would include new capital for “strategic flexibility” and “expertise and knowledge” including advice on purchases to round out the company’s portfolio, Suri told reporters in Espoo, Finland on Tuesday, February 22. Investment from private equity firms doesn’t necessarily imply a rejection by the parent companies, Suri said. He didn’t comment on the timetable for talks.

Apple puts sharp focus on camera development

NEWS IN BREIF

pple have released a ﬂurry of imaging related patents showcasing the effort it’s putting in to improve the camera on the iPhone. The development came out on top of the iPhone’s High Dynamic Range feature that Steve Jobs demoed last September. They indicate, as Patently Apple’s Jack Purcher put its, “the importance that Apple is facing on cameras within the context of the greater iOS device revolution.” Purcher highlights three of the patents: One for correcting blurry photos, another for masking skin tones and a third for reducing radically-based chroma noise.

Google’s most searched

pple’s iPad lost by a hair to number one Chatrouletee in Google’s list of the fastest rising search terms for 2010. Twitter was number eight and Facebook number ten. Android did not make the list. In the consumer electronics category, the iPad was number one and the iPhone 4 number two. Android didn’t make this list either, but an Android phone- the HTC Evo 4G- did.

FSTUS 14 UPFRONT.indd 30

25/02/2011 14:55

Gender pay gap rears its ugly head

Jobless claims reduced

FSTUS 14 UPFRONT.indd 31

to a seasonably adjusted 405,000, when polled by MarketWatch. In recent US trading, stocks fell as investors concentrated their attentions on the rising price of oil amid the latest reports of unrest in Libya. Over the past six months weekly claims have fallen gradually from a peak of 503,000 last summer. At current levels, claims appear to be consistent with a modest pace of hiring. The economy’s gained an average of 83,000 jobs a month over the past three months.

Lehman lose out

New York Bankruptcy judge has rejected claims that Barclays Bank cheated Lehman’s creditors out of billions of dollars during the chaos in the week after the investment banks collapse, and that it should be ordered to pay an additional $1.1 billion. The victory means an end to concerns that Barclays would have to renegotiate the deal that transformed it overnight into a Wall Street powerhouse when it brought the Lehman Brothers US broker-dealer business and many of its trading assets out of bankruptcy. The bank should now be able to unlock and revalue some of the disputed assets it bought as part of the deal. Its lawyers and ﬁnance executives are still working to assess the implications of the complex ruling.

NEWS IN BREIF

espite women taking up almost 50 percent of management positions in professional industries throughout the US a mere six percent of Fortune 500 companies have women as their top earners. And it’s not just at the very top of the pay scale that gender divisions exist – throughout every level of the employment tree women are either underpaid or under-recognized, reveals a report by recruitment giants Adecco. The recent Adecco survey, conducted among British, American and German female workers, ﬁnds that a third of those questioned believed they were being underpaid by as much as 25 percent when compared to a male counterpart performing an identical or similar role. The same study also showed that a third of women are hankering after a pay increase of up to four percent this year, which is slightly more than the pay aspirations of men. In contrast, men were shown to be more likely to know what they should be earning, and were more likely to bring the matter to the attention of their bosses should they feel their contributions were being undervalued. “It’s particularly disturbing that female workers have the perception that they are underpaid but are not conﬁdent in understanding what they may be worth in the jobs market,” said Andy Powell of Adecco. “We would actively encourage both male and female workers to understand what the market rate is for their role, taking a realistic view of their skills and experience.”

ver the past month, the number of people applying for jobless beneﬁts has averaged 402,000, marking the lowest level since July 2008, according to Labor Department data. New applications fell by 22,000 between 14th-22nd of February to 391,000 – suggesting that a slow but steady improvement in the US labor market remains on track. Economists has expected ﬁrst-time jobless claims in the week ended February 19 to fall

25/02/2011 14:55

THE BIG INTERVIEW

Big Interview.indd 32

25/02/2011 13:50

IN HANDS SAFE

THE BIG INTERVIEW 33

Trust isn’t necessarily the ﬁrst word that springs to mind when discussing the nation’s banking fraternity, especially given the events of the past few years and public perceptions of bankers as corporate fat cats. But US Bank’s Richard Davis has been plotting a steady course through the recession that has both customers and investors purring. By Ben Thompson

f banking were a popularity contest, Richard Davis would be feeling plenty of love right now. The Chairman, President and CEO of US Bancorp was recently voted No. 2 on TheStreet.com’s list of the 10 bank CEOs that analysts and other industry insiders like the most, which described him as “one of the most strategically focused CEOs” in the business. The Minneapolis-based US Bancorp has certainly weathered the recession better than most under the quietly spoken Davis: it earned $2.3 billion in the first nine months of 2010, up 41 percent from a year before, while Wall Street has been wowed by the fact that Davis has US Bank stock trading around $27 per share – nearly back to pre-recession levels. In 2009, the firm was named the best bank in the US by Euromoney magazine for its performance throughout the downturn, and Davis is generally seen as a safe pair of hands with a useable balance sheet – perfect qualities for these troubled times.

Big Interview.indd 33

25/02/2011 13:50

THE BIG INTERVIEW

Indeed, in an industry that in recent years has been characterized by freewheeling speculation and spectacular falls from grace, the few banks that eschewed such unnecessary risks are now seen as paragons of virtue. Foreclosure activity, subprime lending, making loans with asset-based lending to customers who were counting on property values rising rather than cash flow: the long list of things that US Bank could’ve done but didn’t in the last few years largely explains why America’s fi ft h largest lender has emerged from the fi nancial crisis with its reputation (not to mention its assets) intact. And as the firm’s unassuming yet candid chief executive explains in a recent interview, that focus on sound fi nancials has allowed it to capitalize on the recent recession better than many of its competitors. “We didn’t do a lot of the things a few years ago that we would’ve made a lot of money doing, and therefore we don’t have the consequence today of either trying to replace it and not being able to, or having to pay for it because we made mistakes,” he says. “My point isn’t: ‘look how smart we were’; we were luckier than we were smart, it was the hand we were dealt. But since the recession started, we actually have been spending and investing and acquiring and growing through this whole three-year period. We’ve been able to reset our foundation and reset our trajectory coming out of the recession. Instead of locking down, we said ‘Let’s actually go do something when it seems least likely to do it’. I liken the recession to a headwind. It’s hard to walk into a headwind but if you’re going to fly, you actually look for the headwind because you intend to use it.” It’s a key part of Davis’ strategy for US Bank: turning the company from a walker into a flyer. “We’re not afraid to talk about it or leverage it, because our shareholders deserve it,” he insists. “They were with us three or four years ago when people were asking ‘Why aren’t you growing like everyone else, why aren’t you making all these loans?’ We just said, ‘We don’t know how they’re doing this, we’re just doing it our own old-fashioned way’. So we’ve actually become more aggressive in a period of time when others aren’t. And I think that should serve us quite well.”

AT A GLANCE Minneapolis-based US Bancorp, with $308 billion in assets, is the parent company of US Bank National Association, the ﬁfth-largest commercial bank in the United States. The company operates 3069 banking ofﬁces, 5310 ATMs in 25 states, and provides a comprehensive line of banking, brokerage, insurance, investment, mortgage, trust and payment services products to consumers, businesses and institutions.

A changing landscape Indeed, just because US Bank is retaining a focus on its traditional values – fi nancial security, prudent investment, reasonable returns – it doesn’t mean the organization is not responding to the changing financial landscape. And it will need to: according to Davis, attitudes to credit, risk and personal fi nancial security have been irrevocably altered by the crisis. “We are looking at things that we didn’t look at before, because we’re looking at situations we’ve never seen before,” he stresses. One such trend is the almost unprecedented levels of public saving banks are currently witnessing. “As a bank, we have an insight based on people’s willingness to borrow and willingness to save. And we’re seeing unprecedented savings levels, where people are holding onto money. I think it’s because they are afraid not to have the money in case they need it – it’s a defensive posture. Mohamed ElErian from PIMCO calls it ‘self-insurance’. His perspective

Big Interview.indd 34

25/02/2011 13:50

THE BIG INTERVIEW 35

is that it will force us into a double dip – he’s quite negative about it. The point is that it’s a significant measure – we’ve never seen such levels of cash before.” The amount of people not taking advantage of existing lines of credit is also growing. For example, Davis explains that two years ago just 37 percent of customers didn’t use their credit lines, but that now that figure stands at 42 percent. “People who have access to credit are choosing not to use it; the corollary to that is they are putting more cash on the balance sheet and they’re not stretching it or trying to do anything they haven’t done before. They’re simply hoarding cash.” Such a scenario will not only prove challenging for financial institutions as an increasing number of consumers resist the urge to sign-up for new financial products, but could also provide a threat to the economic recovery itself. Davis likens it to the years following the Great Depression, when an entire generation of consumers was left mentally scarred by the prospect of fi nancial ruin. “I was raised by parents who were Depression-era children: we didn’t use anything that we didn’t need and we saved everything we had,” he explains. “My parents were victims of that moment in time that says ‘I’m just never going to be caught unaware again’. In the same way, for the younger people who went through this current recession, it will forever have an impact on the way they behave, the way they incur debt, the way they spend, the way they save. It will be a permanent change. And generally things are going to be painfully slow.”

Big Interview.indd 35

It’s a problem exacerbated by current attitudes to efficiency amongst the business community, he adds. “Businesses, both small and large, have started to test themselves on just how productive and efficient they can be, how far can they go without adding one more person, one more plant, or one more PC. They realized about a year ago: ‘Wow, we’re still thriving and we’re amazingly more efficient’, and now they’re banking on it and putting it into their new operating models. They’ll save longer, they’ll incur less debt and they’ll be more efficient. We’re seeing that behavior across the board.”

The age of austerity In fact, Davis believes we are entering what he calls an austerity decade. “Around the globe we will reset what we do, how much we spend, how much we use and what we expect,” he says. “And it’s going to slow everything down.” And while he insists the future is not all doom and gloom, suggesting that “probably 85 percent of the world will be largely unaffected by what happens”, he is realistic enough to acknowledge that those “on the edges” will be affected greatly. For one thing, access to fi nancial services for those already struggling will be greatly reduced. “We’re going to make it very, very difficult for people on the marginal fi nancial edges to get banking services; that’s not a threat, it’s an absolute fact,” he warns. “Credit cards and checking accounts will all be less available. So if you’re in the mainstream, you’ll feel a little difference, and the slowing economy will be troublesome, but you aren’t out

Below: At a recent White House meeting, CEOs from some of the nation’s largest banks told President Obama that their companies are vital to the economic recovery – and that they want to work with the government to achieve it. From left: Ed Yingling, President of the American Bankers Association; Robert Kelly, CEO of Bank of New York Mellon; John Stumpf, CEO of Wells Fargo; and Richard Davis, CEO of US Bancorp.

25/02/2011 13:50

THE BIG INTERVIEW

of a job and you’re not without viability. But if you are on the edges, it’s like bobbing your head above the water. If you’re well above the water, you can handle a wave. But if you’re gasping for your last breath and a big wave comes by, you are pretty much gone. So I think it’s going to move the margin line way up, and leave a lot of people unbanked and unemployed. “The new cost of doing business means I can’t afford to have a marginal customer who will either create a fraud loss or a charge-off loss for me if I can’t fi nd a way to create an insurance policy against having a charge for that,” he continues. “So I just won’t. My shareholders didn’t ask me to subsidize anybody and so that will be part of the exaggeration of the divide between the haves and have-nots.” And while that’s bad news for those already on the edge, what it will mean for organizations such as US Bancorp is the emergence of a key strategic opportunity: what Davis calls ‘”fl ight-to-quality”, as more customers look to bank with institutions that offer a safe haven for their hard-earned investments. “Every time there’s a story written about the banks that did well and are going to do well, we keep showing up, locking in our position in the eyes of consumers and businesses as a safer place to either put your money or to get your money,” he explains. Such factors become more important in tough times – much more so than innovative bells and whistles around new product offerings. In fact, Davis believes that in an industry as traditionally conservative as fi nancial services, new product innovation can often be seen as clutter. “Th is industry isn’t that innovative by defi nition: it’s been around hundreds of years, and it hasn’t particularly changed what it does,” he insists. “It’s a gatherer of deposits for safekeeping and a lender of monies to those who look like they could pay it back. We make leverage of 1-to-7 on that deal – end of story. All the other stuff is just making it noisy.” What has changed, however, is the channels themselves. “It’s not just about traditional branches anymore. It’s about branches in grocery stores, in airports or in universities. We have the largest number of non-traditional branches of any bank in America – around 840. We’ll see if that pays off or not. We thought years ago that a branch in the corner next to the mall was no longer as appropriate as having a branch where you work or where you’re going to be all the time. We’ll see.” And the next step beyond the non-traditional branch is mobile banking and the advent of transaction-based activities, including banking on the move – something US bank has been investing heavily in. “Five years ago we would not have been investing but waiting for others to do it first before being a quick follower. So I’ve actually changed the company, taking it into the fi rst group of adopters – not bleeding-edge, but no longer waiting for others. So we’re more involved now in that, but innovation isn’t going to save banking, it’s going to be a defensive act every step of the way. It’s not going to change – I’m not going to get 20 million more customers because I’m the first with something, but I might lose customers if I’m third or fourth.’

Big Interview.indd 36

Investing in people For Davis, then, it’s all about taking calculated risks – which of course, is essentially what fi nancial services is all about. “I come to work every day to make sure that whoever invests in this company gets their return, and a better one than they could anywhere else. That’s what I live for: the shareholder,” he says. However, he is at pains to point out that shareholders can only achieve true value if the company engages other key stakeholders effectively. “We have four constituencies: employees, customers, shareholders and communities,” he explains. “We never were an employee-focused company, but in this recession we decided to invest in that. Now I start everything with the employees to ensure that they are engaged, feel positive about what they do, that quality work comes through and their pride comes through, and the shareholder becomes the beneficiary if we do these other things right.” For instance, five years ago at the height of the boom when US Bank was refusing loans that its competitors were saying ‘yes’ to, Davis says he could understand why employees (who got paid on the basis of whether those loans got sold or not) might have questioned why they worked for the company rather than its rivals; he sees the fact that a lot of them didn’t leave, however, as proof that many of them knew the more stringent provisos in place at US Bank were actually a smarter way to do business. “I think the employees are here because they decided on it intentionally,” he explains. “They want to be part of this company, doing this mission, doing it this way. My value proposition for the employees is no longer ‘it’s not better somewhere else’, it’s ‘this is the place you want to be part of’. So our value proposition has changed: it is not about the shareholders at all costs. It’s employees who will affect customers, which will change the community view, all of which will feed the shareholder.” It is that idea of community – of employees, customers, shareholders and local partners all coming together to make things happen – that really drives Davis’ outlook. As co-chair of the Twin Cities’ United Way effort, he is intensely aware of the difference an active and engaged community can make, as well as the important role banks have to play with those communities. “We have always been a community partner,” he concludes. “That’s what banks are – the place you go to get things done. Of course, as CEOs we’ll always have responsibilities to our shareholders, but if we can get there by being good community stewards – I’ll call it social partners – I think there’s room for that. A bank is a safe haven when you don’t have a place to put your money, a place to go when you have a dream you need to accomplish and you can prove you’ve got the wherewithal to do it, and a collection of people who independently have a mission greater than funding and collecting deposits because they’re changing the world a little bit. And for me that value proposition didn’t change; it just got crystallized by the downturn.” 

“This industry isn’t that innovative by definition: it’s been around hundreds of years, and it hasn’t particularly changed what it does”

This article is based on an interview given for PwC’s 14th Annual Growth Survey. For the full interview, please visit: www.pwc.com/gx/en/ ceo-survey

25/02/2011 13:50

Xerox ads.indd 1

24/02/2011 10:00

CYBER SECURITY

Under

attack Financial services have become resilient in protecting themselves against most security breaches. ‘Hacktivism’ – the new term referring to hackers wishing to make a point rather gain ﬁnancial beneﬁts – has a different agenda in mind. Lorna Davies explores the truth behind the headlines.

Wikileak.indd 38

25/02/2011 13:42

CYBER SECURITY 39

he recent cyber demonstrators who affected websites and card payment services in revenge for cutting off services to the whistle-blowing website created by Julian Assange, WikiLeaks, caused a storm in fi nancial services organizations. The ‘hacktivists’, known as Anonymous, have warned they will continue their campaign for total internet freedom. The group disrupted sites belonging to finance giants MasterCard and Visa by bombarding their websites with millions of bogus visits during a campaign they called ‘Operation: Payback’. The attacks came after the credit card companies and PayPal announced they would no longer process donations to the anti-secrecy organization. While most countries have plowed much more attention and resources into cyber security in recent years, most of the debate has focused on the threat from militant groups such as Al Qaeda or mainstream state-on-state conflict. But attempts to silence WikiLeaks after the leaking of some 250,000 classified State Department cables seems to have produced a popular rebellion amongst hundreds and thousands of tech-savvy activists. Anonymous appeared to be using social networking site Twitter to coordinate attacks on websites belonging to entities it viewed as trying to silence WikiLeaks. Senator Joe Lieberman, Sarah Palin and others who criticized Wikileaks or stopped doing business with the document-sharing project were also hit. The WikiLeaks fall out has gone into a frenzy since the site began releasing diplomatic cables in November that have proved embarrassing for the US government’s diplomatic efforts. At the time of FST going to print seven people accused of being connected with the attacks had already been arrested. Police in the Netherlands arrested two teenagers in early December suspected for participating in the Anonymous

Update On Tuesday, February 15, US Representative Peter King, Chairman of the Committee on Homeland Security, re-introduced legislation that will give the Department of Justice additional tools to prosecute future disclosures by WikiLeaks founder Julian Assange or similar organizations. ‘The SHIELD Act’ (The Securing Human Intelligence and Enforcing Lawful Dissemination Act) HR 705, amends the current law to clarify that it is an act of espionage to publish the protected names of American intelligence sources who collaborate with the US military or intelligence community. King has previously called for the arrest of Assange – calling on Attorney General Eric Holder to prosecute the WikiLeaks founder under the Espionage Act.

Wikileak.indd 39

‘Operation: Payback’ attacks. The pair is awaiting trial for computer crimes. UK police arrested five males suspected of being part of Anonymous in January. These new threats showcase a new wave of cyber activity. While the motivation of attackers has evolved in recent years into typically one of fi nancial gain, ‘hacktivism’ has been treated as a non-financial motivation. However, this latest example shows us that hacktivism is growing and can now be considered a synonym of cyber-retaliation.

Botnet attacks Last year WikiLeaks came under intense pressure to stop publishing secret United States diplomatic cables. Corporations either stopped working with or froze donations to the website, bowing to government pressure. This then caused the botnet attacks. Botnets are usually created by criminals who use viruses and other methods to sneak malware onto computers that then allows them to commandeer the machines for distributed denial-of-service (DOS) attacks without the computer owners knowing it. But within the Anonymous attack botnets took on a different role. “It’s usually somebody that’s created the soft ware who can download it onto lots of host machines around the world, and normally that happens through scam e-mail attacks and people open the link and they don’t realize that a piece of soft ware is being downloaded onto their machine,” Paul Rogers, the Chairman of Vendorcom, a membership organization that represents key stakeholders in the cards and payments industry, explains. “But in this particular case the malicious soft ware is knowingly downloaded by members of the public who want to make a protest, want to make a point, particularly to the larger card brands that are taking down the service to WikiLeaks. There are usually a whole variety of malicious soft ware tools that attack computers in different ways. But this is a very concentrated attack, focusing on card schemes and PayPal.” Th is is what makes these attacks more interesting and, perhaps, more daunting – because in the past, dot-net-style attacks have usually happened where computers are taken over and the owner is innocent, unknowingly downloading the virus. This is a situation where many of the perpetrators have purposely downloaded the malicious soft ware onto their computer, to participate in hacktivism. The hacktivist activity poses several threats to the card payments industry. The first being denial of service – as opposed to the financially motivated attacks the industry is used to. “This is the first time that we see that the attacks were not targeting any fi nancial target,” agrees Ron Meyran, Director of security products marketing at Radware. “So I think that the threat today is that cyberspace is becoming like a playground where activists are the gangsters. They don’t like something, and then they misbehave or take the law into their hands.” These attacks have certainly fi lled column inches and made headlines, revealing the importance of the card payment system to our everyday lives. Rogers says that the impact to the infrastructure of the industry in terms of processing transactions has been slight. “It can only register in

25/02/2011 13:43

CYBER SECURITY

“These attacks have certainly filled column inches and made headlines, revealing the importance of the card payment system to our everyday lives”

terms of annoyance and minor inconvenience. That’s not to dismiss the effect that any delay might have cardholders who expect instant access and speedy payment processing. Any impact of this type, however minor, is something that everyone involved in providing a safe and reliable card payment processing service strives every day to eliminate.” But how did the hackivists go about attacking card payment giants such as Mastercard? The attacks created a huge amount of data and traffic on the victims website. “In the case of the card schemes, this would’ve been different sorts of inquiries, it could be very simple things, but it’s just a lot of communication hitting those servers,” Rogers explains.

Riot ready Rather than bringing the industry to its knees, however, Rogers argues the attacks proved the ready-for-anything attitude of card payment industry. “The cards and payments industry is well used to these sort of attacks. These are not new. They’re not common, but they are to be expected, but obviously they’re not perpetrated by the type of people we’re seeing these attacks being perpetrated by; they normally originate from fraudsters that are intent on credit card fraud.” The media was, however, full of headlines like,

Wikileak.indd 40

‘Mastercard down – WikiLeaks responsible’, so something must have happened that was substantially noticeable for consumers. The attacks hit the card scheme servers hard due to the sheer level of traffic to the sites – in particular in relation to e-commerce transactions. The servers ran slower than usual, meaning many cardholders thought the services were unavailable. “From having spoken to banks and payment processors and to one of the card schemes, I can

Julian Assange – simultaneously one of the most hated and revered people in the world – was arrested in London in December on a Swedish accusation of sexual assault. The US government has indicated that Assange could be in legal jeopardy for disclosing classiﬁed information because he’s “not a journalist”. The federal government may seek his extradition to the United States, which has reportedly already been the topic of discussions between US and Swedish ofﬁcials.

25/02/2011 13:43

Xerox ads.indd 2

24/02/2011 10:00

CYBER SECURITY

say that there was at no time a situation where cardholders were unable to process safe and secure transactions,” Rogers assures. The nature of the attacks is such that standard network security tools like firewall and intrusion prevention systems are unable to prevent intrusion. “Companies affected, such as Amazon, MasterCard, Visa and the Swiss Bank, must have the best firewalls and intrusion prevention systems in place, but yet they’ve been down for hours and more than once,” Meyran explains. What advice for organizations hoping to prevent themselves from this new kind of attack would Radware recommend? “To successfully mitigate against these attacks requires multiple network security tools and technologies including signature detection technology (IPS); hardware accelerated DoS protection to mitigate network flood attacks; and network behavioural analysis (NBA) with real-time signature to mitigate application misuse attacks, all part of Radware’s DefensePro patented technology. Human experts that gather intelligence are also key,” he says. “This combination is what provides the appropriate and effective ammunition to win the battle against new and emerging network attacks, including the destructive DDoS

attacks ignited by WikiLeak fans, and what has enabled Radware’s customer to prevail against them.” Tech-savvy WikiLeak supporters also set up ‘mirror sites’ for WikiLeaks in response to various domain name services and data visualization companies refusing to support the site. From all the new sites continually being set up and taken down again the question remained as to the identity of many of Anonymous. The attackers could be traced, but as the attack was very distributed there were tens of thousands of sources to be plowed through to search the users at fault. The sources were also widespread globally – not just in the US – but also the UK, Russia, China and Japan – again complicating the web of sources for prosecutors to trawl through. Then there is the question of an actual crime – no information was stolen, no ransom was requested and no user account breached. The attacks were a protest, people wanting to make a point, but the outcome for the card payment industry could have resulted in some fi nancial loss or – perhaps more importantly – the trust of consumers for their security. Alongside possible financial losses from sites being taken down, the potential reputational damage to fi rms

“The nature of the attacks is such that standard network security tools like firewall and intrusion prevention systems are unable to prevent intrusion”

News New evidence leaked online by the Anonymous collective seems to indicate that well-connected private security firms were targeting journalists sympathetic to WikiLeaks. The news comes as corporations, governments and web collectives such as WikiLeaks and Anonymous engage in continued online combat. Emails hacked from corporate security firm HBGary Federal that targeted Anonymous imply that they and others were pitching hit pieces on journalist Glenn Greenwald of Salon.com and monitoring James Ball of The Guardian and Jennifer Lee of the New York Times, along with other journalists. HBGary Federal’s computer systems were hacked by Anonymous after the fi rm publicly announced they were close to unmasking the identities of high-ranking members. Shortly after the announcement, Anonymous members posted a cache of 60,000 emails belonging to HBGray Federal CEO executive Aaron Barr on the popular The Pirate Bay website as well as others. Source: Fastcompany.com

WIKILEAKS UNDER ATTACK: TIMELINE SUNDAY, NOVEMBER 28 2010

FRIDAY, DECEMBER 3 2010

DDoS attack hits WikiLeaks as ﬁrst set of US diplomatic cables is published.

WikiLeaks.org stops working after everyDNS. com ends support. WikiLeaks shifts to Swedish domain.

WEDNESDAY, DECEMBER 1 2010

SATURDAY, DECEMBER 4 2010

Tableau Software removes public views of graphics built using information about diplomatic cables – the ﬁrst company to distance itself from WikiLeaks.

PayPal permanently restricts account used by WikiLeaks.

Lieberman calls for WikiLeaks to be taken ofﬂine. Amazon removes WikiLeak’s content from its EC2 cloud service.

Wikileak.indd 42

25/02/2011 13:43

CYBER SECURITY 43

is massive. MasterCard has been mocked widely across the net as users re-worded its distinct advertising slogans: “Freedom of speech: priceless. For everything else there’s MasterCard.” This behavior highlights the importance of the prevention of attacks such as this. The education and training of staff plays a vital role. Staff today must be aware of this new kind of threat – meaning human resources and technology play hand-in-hand. “You need both a human factor and technology for behavioral analysis of incoming traffic sources,” says Meyran. “In many companies they concentrate on technology but they don’t invest in the human factor, so they fi nd out that even though you have the tools, you don’t have the people behind them to operate them effectively. The traffic should be suspected, and then it will be prevented.”

The FBI has executed more than 40 search warrents in the US in its Anonymous investigation

Mobile threat While most denial of service attacks use botnets to hijack other computers to overload websites, Meyran suggests these attacks were different as attackers were using their own computers, downloading soft ware from Anonymous. With mobile banking becoming increasingly common, will users be more at risk from attacks? Meyran thinks so. The banking industry is one of the prime targets of cyber attacks and although technology has just caught up with installing firewalls and other protective agents onto computers, there is not the same protection for iPhones and Android devices. “The danger falls on mobile banking simply for the reason that new devices are introduced with lower security,” says Meyran. “People are less aware of the risks of low security mobile devices – so I don’t think it’s going to slow down the trend [of mobile banking].” The attacks have sparked a trend that is growing rapidly – attacks on business applications that are not necessarily out to shut down organizations but to misuse them. “So if there’s a gaming site or a gambling site, there will be fake users which will start playing in gaming codes, or if its an online business they will become new users, adding unwanted traffic to the site,” Meyran explains. “Every work-

Paul Rogers is the Chairman of Vendorcom, a membership organization that represents key stakeholders in the cards and payments industry in Europe. Its primary aim is to promote innovation, create a platform for thought leadership, provide a forum for knowledge sharing and issues resolution for its members and encourage capability development across the cards and payments industry. Ron Meyran is the Director of security products marketing at Radware. He leads the strategic plan of Radware’s IPS solutions for the enterprise, eCommerce and carrier markets. He has also been published in IT and security industry magazines and represents Radware at various industry events and trainings. Prior to joining Radware as Product Manager in 2003, Meyran worked at BrightCom Technologies, where he served as Product Manager for the company’s Bluetooth product line based on a fabricated chipset and software.

place would like to believe that the users accessing their websites are real users, but machines can be controlled by the competition. We [Radware] are developing the technology that would let businesses identify whether the sources or the users that are generating transactions are real or fake.” New awareness, technology and education will aid a successful protection for the card payment industry. The website attacks launched by supporters of WikiLeaks show 21st-century cyber warfare evolving into a more amateur and anarchic affair than many predicted. Cyber security has taken on a new meaning and must evolve to counter a phenomenon that is set to become an actual method of hostile engagement.

TUESDAY, DECEMBER 7 2010 Visa withdraws ability to make donations or payments to WikiLeaks.

MONDAY, DECEMBER 6 2010

TUESDAY, DECEMBER 21 2010

Mastercard withdraws ability to make donations to WikiLeaks.

Apple removes an unofﬁcial WikiLeaks app from sale in the iTunes App Store just three days after it went live.

Postﬁnance shuts down one of Assange’s bank accounts.

Wikileak.indd 43

SATURDAY. JANUARY 8 2011 It emerges that the US justice system has obtained a court subpoena demanding that Twitter hand over all details of the accounts and private messages of ﬁve WikiLeaks supporters and members – including Assange as well as Bradley Manning (the alleged army leaker) and Icelandic MP Brigitta Jonsdottir.

25/02/2011 13:43

INDUSTRY INSIGHT

Don’t be the next WikiLeak: preventing document leaks starts with your users Tim Upton explains how recent security breaches highlight the need for ﬁnancial services to step up their data loss prevention, and it starts with their own employees.

ast December, both MasterCard and Visa’s websites were sabotaged by supporters of WikiLeaks after the companies opted to no longer offer card processing services for those donating to the controversial organization. These high profi le attacks, along with the WikiLeaks phenomenon overall, serve to illustrate how very vulnerable fi nancial services organizations actually are. While these attacks were denial of service attacks that shut down both company’s websites, the single biggest vulnerability within a fi nancial services organization is not outside hackers, but their own employees. The damage to the organization, both fi nancially and to its reputation, when a public leak occurs is just too great to ignore.

Understanding data loss prevention Currently, most fi nancial services organizations have technologies in place to prevent malicious, intentional attacks such as the ones faced by Visa and MasterCard, but these attacks account for less than one percent of data breaches. The single greatest risk of data loss is from the authorized user, who mistakenly sends a document or email to the wrong person. Usually is it a harmless mistake, but it can have serious repercussions including loss of money and customers, public embarrassment, fi nes, lawsuits and more. The stark reality is that Data Loss Prevention (DLP) is a major concern for fi nancial services institutions. The 2010 Financial Services Global Security Th reat survey conducted by Deloitte found that DLP is the second highest priority after preventing external attacks, and that data loss prevention technologies will be one of the most piloted technologies in 2011. From a technology point of view, many fi nancial services companies have deployed large scale DLP solutions in an effort to address this issue. Traditional DLP solutions, while largely effective at the server level, fail to address a critical piece of the DLP puzzle – the user. User driven security solutions which actively engage and educate employees on how to manage data is needed to create a complete approach to preventing data loss. Furthermore, information has to be shared quickly and effectively, or business suffers. Financial services companies need to be able to send emails, documents and customer information to their various stakeholders without worrying about the information getting into the wrong hands. The business should not be delayed because a DLP solution has quarantined or prevented communications.

Titus.indd 44

Building a secure information sharing environment Data leakage prevention efforts should be focused on building an end-to-end approach to handling sensitive documents and emails – an approach that includes users. Users are the key to stemming the tide of data leakage. While traditional DLP technology is an integral part of secure information sharing, the value of these systems should be extended through the addition of classification and labelling technology at the user level. Th is technology should be intuitive and easy to use so it speeds up the process of sharing information. DLP solutions alone are simply not sufficient in the current regulatory and security environment. Systems need to be able to accurately identify risks and violations without disrupting productivity. Additionally, this approach provides security officers with greater visibility into whether or not leaks are happening, and provides them with the ability to address issues before then can turn into a public disaster. Often, employee education concerning security policies and how to handle data has been done via procedural manuals, employee orientation or emails from the IT team. Security policy on the whole has always been a challenge for fi nancial institutions as busy employees simply may not be thinking about security on a day-today basis. User driven security solutions actively engage users in the organization’s fight against data leakage. Information workers or content owners within the fi nancial services industry deal with sensitive information every day and are best equipped to determine the level of sensitivity of the information being handled. Engaging users in the process enables the organization to actively and consistently educate them about the organization’s policies, while protecting the organization against inadvertent policy violations.

Summary In the current regulatory and security climate, financial institutions need to step up their efforts around document leakage or risk the costs of recovering from such an incident. Extending current investments in data leakage prevention, though the addition of user driven security technology as well as classification and labelling solutions, deliver a proven and practical way to create a secure information architecture, while increasing end user awareness and engagement in preventing leaks. 

Tim Upton is Founder, President and CEO of TITUS, a company that provides security and compliance solutions for email and documents to large enterprises, military and government around the world. He has an extensive background in security and information protection best practices, and provides the overall vision for TITUS products and services.

25/02/2011 13:53

TITUS AD.indd 1

15/02/2011 15:10

INFORMATION SECURITY

KNOW YOUR

ENEMY

Mark Logsdon.indd 46

25/02/2011 13:36

INFORMATION SECURITY 47

Barclays’ Mark Logsdon is on the frontline in the bank’s fight against internal and external threats to its allimportant data. It’s a war Barclays is winning, but Logsdon says he won’t allow complacency to catch the bank off guard – ”not even for a millisecond”.

Any information loss at a bank can escalate into a serious incident and a loss of customer conﬁdence. Does the myriad of threats to data make you slightly paranoid or keep you awake at night? Mark Logsdon. I’m always a reasonable sleeper so the threats don’t keep me awake. However, we need to be on our toes collectively and understand the risks that are out there and ensure we’ve got sufficient controls to manage the risks accordingly. We’ve got a great team that help us do that and this helps me sleep a little easier, although one is never complacent, not even for a millisecond. We continue to monitor the threats so that we hopefully don’t get caught out. There is a whole [response] team here who are able to instantly respond to an incident. They are constantly monitoring systems and events as we speak and use some sophisticated programmes around fraud detection and prevention. As the bank’s Head of Information Risk Management, what are the main challenges you face at Barclays when tackling the issue of information security? ML. Dear old Willie Sutton (American bank robber and gangster during the Great Depression) was once asked why he robbed all the banks that he did and his response was ‘Because that’s where all the money is, stupid’. I think that’s still the case today. We are naturally a target because we’ve got money that people are going to seek to steal. That said, we’ve still got a lot of people’s personal data and it’s important to us that having been entrusted with that data by our clients, that we protect it in a manner entirely appropriate to make sure that it’s not lost. The traditional electronic scams like phishing and now social engineering have been around for a while just the same as con men, fraudsters and tricksters have been. What I call old fashioned crime is still committed today but people are more tempted to do it electronically. And there is still the problem of disgruntled insiders although instances of that are rare. One important things is to ensure that we do have secure technologies and that we have great processes around them because if there’s a weakness in the process it can circumvent all that great technology and the controls. We also spend an awful lot of time making sure that people are aware of the risks that we potentially face, and that they know how to respond and deal with them, should they either suspect or spot something. So we have a huge awareness campaign in place that helps them to understand the risks and what they should do accordingly. When you mention threats to people’s personal bank information, people may think of external attacks from ‘hackers’ but data loss is more likely to come from within. How do you protect against these risks? ML. The particular risk of data loss has always been with us; it’s not a new risk. If one thinks about it, letters have always gone missing in the post. The file in your filing cabinet – we’ve always lost them. And there has always been the risk of the fax machine where someone inadvertently punches in a wrong digit and the document gets sent to the wrong number. So there has always been that case for a genuine mistake or a momentary lapse of concentration and I don’t think it is any different today. The difference now is that there is more chance to lose data quicker; one can keep an awful lot information on a memory stick as opposed to in a fi le.

Mark Logsdon.indd 47

25/02/2011 13:36

INFORMATION SECURITY

How do you combat it? ML. We have some good technologies that help us to control things and make sure that in cases where colleagues have got access to some sensitive data they can’t just simply plug a USB stick in and download it all from their laptop or desktop. It comes back to awareness of the issues. Mistakes will always happen and there always will be that momentary lapse of concentration. We all have them. We didn’t mean to send an email, but, unfortunately, we did. With those colleagues around particular sensitive areas of the bank, those with privileged access, there are further controls to ensure what they’re doing is appropriate, that monitoring tools are there and that they’re backed up with good HR-type policies. It’s about good technologies, good processes and good people management. I don’t think there’s anything new in that. I think that the danger is that there’s just a focus on one of those things, technology. And the other risk is that people don’t join the three things up, and they happen a little bit in isolation and are not joined up to manage the risk appropriately. Our job here is to ensure that with information risk management we look at all kinds of information in whatever form it resides, be it in people, hard copy or electronic and that we try and join all these things up. And there is no patch for stupidity, as the saying goes within IT security circles. ML. That is an old quote from [ex-hacker] Kevin Mitnick. I think there is merit in it but I prefer to call it a momentary lapse in concentration. At Barclays we employ bright, committed people who, given the right information at the right time, will make the right decisions. Our job is to give them that information so when they do happen to have that momentary lapse of concentration, which hopefully is very rare, at least they know what to do next to try and minimize what happens next. The public sector has seen its fair share of spectacular data losses. How do you get staff to appreciate the value of data and educate them on correct procedures? ML. Let’s be clear, I’m not saying this has happened in Barclays but people with good intentions send documents from A to B but with no thought about what happens if they go missing in the post. They are not aware that they might need to encrypt the documents. The reason they did not follow the correct process might be because it was so cumbersome and so inhibitive that it prohibited the business from doing what it was seeking to do. In my view, there has got be a balance of pragmatism against the need for control. In some cases, the need for control wins but users will fi nd a way around it if they can. As I said, a lot of the time it comes down to genuine mistakes. For instance, how many times do we see the phone left outside somebody’s household address? It contains people’s names and addresses, right? It comes down to user education; they often don’t know they are supposed to put these things on an encrypted disk, use a double envelope of whatever it might be. They don’t understand what is expected of them in this day and age

Mark Logsdon.indd 48

and make an honest mistake. While the technology and processes might be right, do the people understand what is expected of them?

Above: Mark Logsdon, Barclays’ Head of Information Risk Management

”We employ bright committed people who, given the right information at the right time, will make the right decisions”

How do you deal with staff mobility and work being carried out on laptops, smartphones and now tablets, 24/7 globally? ML. Staff mobility presents us with magnificent opportunities for ways of working. Sure, sometimes there are challenges around the way we do things, but we have to manage those challenges in a pragmatic way which enables a business to meet and realize some of the opportunities mobility allows. It is about a risk-based approach because for some people in some jobs it may not be appropriate for them to have remote access in an internet café. For other people in other parts of the business, it may be because the information they’ve got access to isn’t particularly sensitive at all. So we need to manage it appropriately but not in a way that stops the business from realizing the opportunities. We have a big push at the moment exploring the use of iPads but we need to manage it in an appropriate way because it may be right for some staff to use them and others to stick with a desktop. It needs to be managed accordingly without saying to people, ‘You can’t have that or you can’t have that’. It’s about risk managing the process. Data losses can also occur when operations are outsourced. How do you approach this to ensure information doesn’t fall into the wrong hands? ML. Th is is a third-party risk and we share this concern. More recently, we have offered some awareness material, free of charge, to third parties looking aft er our data so they are aware of what we expect of them. Th is isn’t aimed at the

25/02/2011 13:36

INFORMATION SECURITY 49

large companies but more towards the SMEs who haven’t necessarily got the resources to spend on that sort of stuff. It’s also targeted at the people on the ground handling our data. We mandate that high and medium-risk suppliers are properly trained and it has proven to be hugely successful. The myriad of consultants and contractors that are constantly working with us and provide an invaluable service have an account on the network just like I have too. So you need to understand what sorts of third parties you are talking about because the risk profi le might be different and the controls you put around them as a consequence might change as well. With regard to what information they have access to, we have a segregation tool that allows us to make that call. We put the suppliers into high, medium and low risk categories and the controls we put into place around this reflect the risk potential they pose to us. Of course, we back this up with a performance review to ensure they are doing the right things. We’ll go back at a later stage and say, ‘You said you’re doing X, but can you prove it to us?’ What key trends do you foresee in information risk management over the next few years? Where will the threats come from? ML. The traditional threats will stay the same – fraudsters, organized criminals and insiders – and these threats will remain constant. Another is around consumerization and the plethora of devices people are wanting to bring into the organizaton and use, which creates some interesting challenges. The one that interests me, going forward, is around identity and people accessing networks. If you think about it, we all have multiple identities. I just wonder how this can be sustained so we might have to look at that.

Mark Logsdon.indd 49

Seeking security The web has become a playground for hackers and malcontents eager to phish, defraud and steal wherever and whenever they can. Policing this landscape is a logistical nightmare, and battle lines are being drawn and redrawn many thousands of times a day – which perhaps hints at why many millions of us are a little uncomfortable with the idea of storing our sensitive data in third-party environments. “The security space is a tough problem, and it’s going to be a tough problem for quite some time,” believes Crawford del Prete, Chief Research Ofﬁcer at IDC. “You have many complex forces coming together, and the threats are changing dramatically because they involve people and the way people approach attacks – and people can be very clever. As a result, online security will continue to evolve for quite some time; it will not commoditize anytime soon, which is why it represents an attractive area for companies to invest in.” The mobile nature of most next-gen devices has opened up the security perimeter of the internet to previously unheralded outposts, an evolution that has made it even harder to secure. Businesses reliant on the convenience of these devices are becoming more exposed to the dangers lurking out there. “We now have mobile devices that are truly becoming handheld computers,” says del Prete. “If you look at Nokia’s N900 Smartphone, it is a 32 gigabyte device. It wasn’t so long ago that 32 gigabytes was on your desktop or laptop. The company has also just announced their new operating system, with native USB support, so you will soon be able to plug a USB drive into a Nokia phone and it will recognize it as another disk drive, further increasing portability. So securing this data at the very edges is going to be an immense challenge.” Current security methods range from the incredibly ingenious to the incredibly crude. “I know of security guys who literally squirt epoxy resin into their USB ports so that they become unusable,” says del Prete. “But we now have to become much smarter. We have to develop software tools that allow CIOs and their staff to effectively know what is being put out to ports, and the ability to remotely turn ports on and off. This is going to happen on mobile phones as well, where things like remote kills become increasingly prevalent and important. The next big hurdle is going to be securing the data that is on these truly mobile computers that are in people’s pockets. There are tools to do this, but they are not nearly sophisticated or widely deployed enough.”

25/02/2011 13:36

NETWITNESS AD.indd 1

15/02/2011 15:10

ASK THE EXPERT 51

Visibly transform security Allan Carey explains how enterprises are becoming more agile to defend against a dynamic threat landscape.

yber security has maintained a heightened level of attention in the media. Wikileaks and its aftermath, Stuxnet, Aurora, and other attacks against corporate and government entities have clearly demonstrated an increasing level of sophistication by adversaries. Modern network-based emerging threats initiated by state-sponsored actors and organized criminal communities are utilizing a combination of cyber and social obfuscation techniques to completely evade current security prevention techniques. Facing this level of sophistication, enterprises can no longer afford to wait months, weeks, or even days before new threat vectors are identified and made public. According to the Growing Risk of Advanced Threats study by the Ponemon Institute, 80 percent of respondents said it takes a day or longer to detect an advanced threat and 46 percent said it takes 30 days or longer. If an information security strategy involves waiting until security vendors release signature updates or soft ware vendors release patches to close the gap on exposed vulnerabilities, the enterprise is already compromised. Todayâ&#x20AC;&#x2122;s enterprises employ a variety of preventative security tools that have been perimeter-based, primarily at Layers 3 and 4, and require signatures or a foreknowledge of an attack before action could be taken. These network defenses do not provide adequate visibility into the current threat landscape or allow a security team to be nimble in their response. Combating advanced threats requires a new strategy with more focus on detection than prevention. For detection of advanced problems, such as zero-day malware, command and control traffic and sensitive data exfi ltration, enterprises need complete visibility into what is happening across the network at all times. This can only be achieved through a network security monitoring capability that accurately analyzes all network traffic, fuses threat intelligence from the global security community, and gathers data generated by applications, networks, users, and security systems in real-time. Th is capability includes the requirement for visibility into threats and encrypted malicious traffic hiding in approved traffic types, and using approved ports and services. Many seasoned security experts have used network data for forensics purposes for years. Historically, most network forensics work has been associated with small-scale, postfacto analysis in support of incident investigations, or in less frequent situations, as part of an organized cyber threat intelligence team. As a result, automated threat intelligence and real-time network forensics have grown to be critical

Netwitness.indd 51

components of defense in depth and continuous network security monitoring strategies. During the last few years, top security teams across critical infrastructure organizations such as communications, fi nancial services and government have adopted real-time network security monitoring as an absolute requirement for day-to-day security operations. Network security monitoring is not the same as log management or security information and event management (SIEM), which are valuable to the extent that data sources have useful information and are properly integrated, but they lack event context. With network security monitoring, the security team is working with full packet data which contains the richest network data with traffic reconstruction and provides context to all data sources. Forward-thinking organizations have benefited from integrating their SIEM with a network security monitoring capability to create precise real-time analytics and actionable intelligence that drive more effective and efficient remediation efforts and support the organizationâ&#x20AC;&#x2122;s security objectives. A successful strategy against cyber threats begins with the recognition that your organization will be compromised. The challenge is to develop a comprehensive network security monitoring program that incorporates the best aspects of existing investments with exciting innovative approaches to network visibility and data analysis to achieve real-time, precise advanced threat detection and incident response. Real-time network security monitoring provides a new and powerful capability for security teams to obtain the level of visibility and agility necessary to confront complex IT security issues. Security teams can be empowered to dramatically improve existing incident management, investigations, and overall security operations, and achieve a powerful advantage toward mitigating significant risks to the organization. ď Ž

Allan Carey is currently a Director at NetWitness. He has previously advised Fortune 1000 organizations on information security strategies through in-depth market analysis and industry intelligence.

25/02/2011 13:52

RISK

n the world of banking, risk is king. Get it right and watch as your profits soar and clients stick to you like glue; get it wrong and watch as the proverbial dealer swipes your chips off the table and moves swift ly on. There are those who thrive on risk, and those who rely on it – but regardless of perspective, all know the golden rule: there is never a guarantee. And while that rule is as poignant now as it was last decade, the brains working with risk have learnt how to manage it exponentially better. Algorithms, IT architecture and a more confident grasp of risk traits have all pushed the envelope of risk management – and for some countries, it has quite literally evolved their markets. Nowhere is this more prevalent than South Africa, a nation tarred by the international press in years gone by with the brushes of racism, violence, crime and political instability. But things are on the up once more, and for Annelie Schnaar-Campbell, Director of Group Risk Management at Standard Bank, that equates to more challenges and the chance to implement further risk management programmes on a global scale from the bank’s Johannesburg-based headquarters, benefitting not only the company, but its clients and security frameworks too. “To me, one of the key reasons we have big programs for risk management is because we are a global bank, we have lots of operations to geographically disperse across the globe,” begins Schnaar-Campbell. “So what these big programs

SchnaarCampbell_V2.indd 52

enable us to do is to set a minimum of standards and frameworks in place, which further enables us to ensure a consistent approach to risk management. One of the benefits of using this type of program is that we then have the ability to build up a pool of resources, which we can allocate to these big projects. In doing so, we can develop the components that we need for effective risk management quicker than if we had to conduct separate, smaller projects instead.” Essentially, as Schnaar-Campbell puts it, employing bigger projects opens up the doors to think more strategically. By combining smaller projects, which take up more time and tend to be disparate in nature, she believes you can look at the overall approach and outcome, in turn helping to prioritize resources appropriately and to build something that would make more of an impact in the long-term. Indeed, one of the key priorities for Schnaar-Campbell right now is interpreting the requirements and proposals that have been defi ned by the banking committee.

Overcoming hurdles “We analyze all of them as they become available and make sure that we know potential changes would need to be made to our risk management framework. We’re also focused on making sure we have an integrated view of risk – both in terms of the legal entities within our

25/02/2011 13:57

RISK 53

Risk is a standard ingredient in the recipe of any bank, but as Annelie Schnaar-Campbell explains, it’s how you manage those risks that will leave you tasting success or failure.

group as well as having a view of our consolidated risks across different risk types. So, we’re looking at ways in which we can pull data from various sources and bring it together, analyze it and be able to provide the results in the format of a dashboard to the correct management or board committees.” And, as per usual, standing in the shadows of the top priorities are the biggest challenges facing risk and compliance – with new regulations taking the gold in both contexts. But Schnaar-Campbell also cites having operations in more than one company and the need to stay abreast of all relevant requirements as other factors that need consideration. “Also, if you look at more specific risks, the level of sophisticated crime – in the context of syndicates that have created very well organized threats towards banks – is also a problem. And it’s not just about syndicates from South Africa, but also from cross-border threats. We’ve also

SchnaarCampbell_V2.indd 53

seen that fraud is moving from credit cards to debit cards, so I think whenever the bank closes gaps in being able to identify and frustrate fraud, then people move to a different area and continue their business. In terms of physical crime, we’ve also seen what we call associated robbery, where people are approached by criminals close to the location of the bank or near ATMs.” Another obvious area for criminal exploitation is e-crime. With many presuming that because it’s online, companies can implement tools and technologies to up security measures and manage risks, the reality is that it affords the criminal element the same leverage. Schnaar-Campbell cites developing the right security technologies at the right time and executing them with precision as one of two ways to protect customers from e-crime and continue to make secure online transactions; the other being education. “Many times it’s ensuring the customers are also aware of the situation, so that means helping them to become more aware of the potential risks and being more cautious about what they do. For example, it doesn’t matter if you’ve got a fantastic system – it’s more about taking the technology as far as you possibly can to protect the information of the customer while still ensuring that the customer is up to date about what they should be looking out for.” But in the current business climate, getting the balance right between potential risk and compliance programs and their fi nancial implications is pivotal to maintaining success across the board: efficiency is key. “The key thing is to understand exactly where the biggest benefits are and that you’re focused on those,” explains Schnaar-Campbell. “To me, everything we do from a compliance point of view has to be looked at to assess how it strategically fits in with the overall risk management objectives that we have, and ensure that the programs achieve the outcomes to benefit the business or risk management in question. Essentially, when you implement something, implement it well – but from the start, make sure that you get the optimal benefit from doing that.”

Avoid the risk? The other side of the coin is compliance – a hot topic in the general arena of business since the global fi nancial downturn – with many wondering whether compliance can ever completely eliminate risk. But as Schnaar-Campbell explains, the answer isn’t as clear-cut as that, with it being extremely unlikely that risk could ever be completely eliminated. Furthermore, banks are in the business of managing risk and

25/02/2011 13:57

RISK

using it to leverage opportunities – so it wouldn’t be in their best interests to eliminate it even if it was a possibility. “I think it’s more up to the board, as well as senior management, to ensure that there’s actually a risk culture in the bank. In addition, ethics training is absolutely key – and that should never be about compliance. It should be about the best risk management that a bank can produce. For me, it’s more about risk management than trying to eliminate risk, and banks are in the best possible position to do that – something compliance alone could never achieve. “We need to be able to have a forwardlooking view of what the potential risks that we have to face are; that we can measure it in a way that makes sense to us; we can price it and we can then use it to our competitive advantage. So we really need to be able to track areas where there may be potential risks arising so we can measure and manage it. That’s more important than trying to avoid it.” Of course, the idea of banks preferring to manage risk as opposed to attempting to avoid it is far from being groundbreaking news, but with risk becoming far more diverse and quicker to prevail in the current climate, perhaps the wish of companies like Standard Bank has come a little too true. But for Schnaar-Campbell, more risk translates into more opportunity. So where does she see priorities moving over the next 18 months? “Well, it’s looking at the integration, consolidation and aggregation of risk information across geographically split areas, as well as across risk from a systems point of view, tracking the new BCBS proposed changes to the regulations. What we’re also focusing on is looking at data rationalization and making sure that we have the data available for management decisions at the right time, so making our systems more efficient in order to get the information available as fast as possible. That’s from a systems point of view. “From a governance point of view, if I can call it that, we’re interested in streamlining the decision-making process, and for that we need to have the information available in a format that can be understood and analyzed very quickly in order to be incorporated into the decision-making process. Delving into more specific areas, we’re also dealing with ongoing methodologies. We started conducting stress testing by building specific pockets of stress tests, for example in market risk, which has already been a requirement for a couple of years. As we’ve become more and more sophisticated in our stress testing, we’ve also seen a very good group level entity stress test with results, which we can then measure back against risk.”

SchnaarCampbell_RISK.indd 54

For Schnaar-Campbell, the remaining focus centers around coming up with the appropriate stress correlations between risk types: how to aggregate the different risk stress results in the best possible way – from the macro-economic to a complete stress event – enables a better perspective of the complete picture. Indeed, as SchnaarCampbell asserts, they already have a total picture available, leaving them enough maneuverability to work with the next level of stress tests. “Our other focus is in the bank,” continues Schnaar-Campbell. “At the moment, we’re busy implementing the AMA approach for operational risks, so we started with a formal program in January last year – and it’s now one of the biggest programs we have running. Obviously, that takes plenty of resources and a

lot of focus, but again, it comes down to making sure that we get the right benefits and the optimal value out of that. “For me, the key is whenever you do something, make sure it fits in with your risk management vision and framework, and don’t do things in isolation,” concludes Schnaar-Campbell. “But I also believe that these are the key risks that international active banking groups with banks in different locations have to face at the moment. Make sure that you’re able to get your data quickly and are able to analyze it and provide it in a way that people can make those key decisions as fast as possible. That’s what you want to achieve in the end, so make sure that every component you’ve bought is aligned to that overall vision or framework that you have.”

The ﬁght against e-crime

s Schnaar-Campbell affirms, you can have the best technology in the world, but without educating your customers on the risks of e-crime – and how to overcome them – criminal activity will continue to prevail at a blistering pace. With that in mind, back in May of this year Standard Bank became the first South African bank to provide its customers with free anti-phishing software that also protects against online fraud by malware, by offering protection against divulging sensitive financial details to unscrupulous third parties when banking online. Itumeleng Monale, Standard Bank Director of Self Service Banking, said: “Phishing globally costs customers and the financial industry billions of dollars annually. While financial institutions like Standard Bank have spent a great deal of time on consumer education and internal mechanisms to secure our systems, customers still find themselves out of pocket when defrauded by unscrupulous fraudsters over the internet when responding to phishing emails. “Standard Bank believes that with the introduction of the free Rapport secure browsing software, it has provided our customers with an effective mechanism that will help prevent them from divulging sensitive and personal financial information to third parties over the internet.” And, with over 500,000 phishing sites identified across the web in 2009 – with an average of 294 financial institutions targeted globally – Standard Bank is certainly putting the best foot forward for its customers. Unlike conventional security software, which blocks known attacks but can’t keep up with the sophistication and speed of new ones, Standard Bank’s online banking software can detect new threats where conventional applications like anti-virus software often fail to detect a phishing threat. On top of that, the software also has the capacity to inform the bank of potential bogus sites so that the bank’s security division can take proactive action to prevent further acts of fraud. “Very often customers have little recourse in claiming back funds from banks if they have compromised their personal financial details over the internet. Standard Bank believes that the introduction of our new security software will greatly reduce customer exposure to online threats like phishing,” concluded Monale.

25/02/2011 13:46

McAFEE AD.indd 1

15/02/2011 15:09

EXECUTIVE INTERVIEW

The consumerization of IT within the financial services industry: ready or not here it is Brian Contos explains why it is imperative for financial institutions to embrace IT consumerization into their overall strategic objectives. What is the consumerization of IT? Brian Contos. The division between end-user devices being supplied by corporate IT and consumer electronics that employees feel they need to conduct business, has blurred. Users are fi nding that the laptops, tablets and smartphones they purchase for personal use are generally more powerful, capable and all around ‘sexier’ than what is supplied by their employers. From techies to business executives, this has resulted in explosive growth in the use of personal technology for business. The needs of today’s users have evolved past traditional computers and PDAs. Users require more versatile devices such as those offered by application-ready tablets and smartphones, as well as the cloud-based services those devices are designed with in mind. These devices and the services they use overlap personal and business use. Th e solutions are viral; once a few people fi nd that a certain device and or application makes their life better, or improves business productivity, adoption explodes. What are the business benefits? BC. There are several business advantages to the consumerization of IT such as enhanced productivity, lower organizational procurement costs brought upon by BYOC or bring your own computer, and less demand on IT for endpoint support. These advantages can be realized across three areas commonly associated with the consumerization of IT: mobile devices, laptops and desktops, and virtual desktops. Many fi nancial services organizations have developed custom applications that are optimized for mobile devices, giving employees a competitive edge: fi rst to get back to a client with an answer, first to update the database, fi rst to solve the problem. From collaboration tools like email and calendaring to line of business applications such as CRM and enterprise databases, designing solutions that give employees access regardless of their device or location makes business sense. In addition to custom applications for employees, many public applications also yield value. Many in the sales force live and die by contacts in the cloud such as those offered by LinkedIn. Human resources likely uses Facebook as part of the recruiting process, and marketing no doubt leverages services such as YouTube and SlideShare. With the next generation of customers viewing traditional websites and email like cave paintings and hand written letters, mobile applications are also becoming

McAfee.indd 56

25/02/2011 13:52

EXECUTIVE INTERVIEW 57

customer facing. It was once big news to have customer self-service portals; those are now evolving into sites optimized for mobile devices to check account statuses, receive updates, transfer funds, trade stocks and more. While this mobilization of applications and corporate data has a positive impact on productivity and IT resource utilization, it’s not without is challenges. A very common, important question is: “How can we protect our assets and sensitive data when personal devices are connecting?” What are the security risks intrinsic to the ﬁnancial services industry? BC. The fi nancial services industry encompasses a wide range of businesses from commercial and private banking to stock brokerages and hedge fund management. Because the nature of the business is complex, highly sensitive and personal, fi nancial institutions are heavily regulated with national and international mandates, industry regulations, state disclosure requirements and internal governance. In support of new business initiatives, fi nancial services organizations have been leveraging security controls to protect sensitive information and achieve compliance for years. The last few years, however, have introduced new challenges. From the mortgage collapse to diminishing customer loyalty, fi nancial services organizations are searching for ways to address these issues by achieving greater profitability and better serving their customers. The consumerization of IT is one logical solution, but this embrace is not without risks. The ‘consumerization of IT’ challenge isn’t enabling email delivery to mobile phones. The challenges are rooted in two key areas: protecting how data is being manipulated and controlling network access across mobile devices, laptops and desktops, and virtual desktops. Tasks that have been rudimentary for traditional corporate-owned, end-user devices such as provisioning and revocation, are now opaque because it’s not always clear who owns the device, and further who owns the data on that device. How can risk be mitigated? BC. There are three areas across the consumerization of IT that need to be looked at in order to address the primary issues: mobile devices, laptops and desktops, and virtual desktops. Mobile devices require scalable solutions that help IT secure and manage the entire device and the data. IT needs a centralized way to enable easy, self-service provisioning to included access mechanisms like VPN and Wi-Fi, set and enforce policies independent of the ever-growing end-point types, and do so in a way that is persistent and can’t be undone by users through careless or intentional acts. There also has to be accountability for the employee device. During the initial authentication process when accessing the corporate network each device needs a unique ID that is associated with a particular user, and as such, that user’s groups, roles and permissions. With these dots connected, determining network

McAfee.indd 57

access, and access to enterprise and line of business applications, risk can be mitigated. From a compliance perspective, consider the Sarbanes-Oxley requirements around tracking changes to fi nancials. Regardless of an employee accessing fi nancials and making changes from a traditional desktop or smartphone, the actions are associated with an individual per the mandate. Other capabilities should allow IT to perform full or partial data wipes. Partial wipes are critical for employeeowned devices where only corporate data should be removed, thus preserveing photos, music, applications and other noncorporate resources. Remotely tracking the phone’s location, locking it, and performing backups and restoration are also important mobile device security capabilities. Laptops and desktops can be controlled by leveraging network access control (or NAC) with multiple zones based on access criteria. For example, a visitor with an unmanaged device may get internet access via an un-trusted guest network but no internal access. Old anti-virus.DATs or an un-patched OS may get a device on the trusted network, but deny access to sensitive business assets. Only when full system interrogation evaluated against policies is preformed, is full, trusted access provided – and even then, only within the limits of the user’s identity and role. Thus regardless of managed or un-managed laptops or desktops, or end-point types, access can be controlled. Virtual desktops are a common mechanism for mitigating risks surrounding the consumerization of IT. A virtual image can be installed atop a smartphone, tablet, laptop, etc. A user leveraging a virtual image can interact with the corporate network and sensitive data based on policies and permissions that might limit the ability to download data, take screen captures, access certain applications, etc. While a powerful control, the virtualization promise of any device anywhere has historically been limited by traditional security controls. For example, installing anti-virus on every virtual image is a network, system, and virtual image density drain. Virtual images should be used in conjunction with specialized security solutions designed to optimize virtual environments. Some examples of this optimization are offloading anti-virus from individual virtual images to a dedicated image, intelligently caching so for example when HR sends a PDF to 1000 employees, it is scanned only once for malware, and the result is distributed to the other images, and standardizing end-point security by moving anti-virus solutions off the end-point and into the data center. The consumerization of IT should be embraced. Saying ‘no’ won’t scale, and could lead to missed business opportunities. By focusing on mobile devices, laptops and desktops, and virtual desktops it is possible to mount an effective risk mitigation strategy built atop mobile device management, NAC and security for virtual images that also yields operational efficiencies. Users need easy and secure solutions. IT needs centralized, scalable and integrated solutions that address security and compliance across networks, end-points and content security controls. 

Brian Contos, CISSP, is director of global security strategy at McAfee. He is a recognized security expert with more than 15 years of security engineering and management expertise. He is a published author, Ponemon Institute Fellow, and graduate of the University of Arizona.

25/02/2011 13:52

INDUSTRY INSIGHT

Spanning the analytics spectrum Venkat Mullur explains how ﬁnancial services ﬁrms continue to evolve from reports to selfservice analytics.

he transformation of data into information should be seen as a continuum, from static reporting (which still has its place in most businesses), dashboards (mainstay in managing repeatable operations), to more sophisticated self-service analytics tools that answer forward-looking questions. Timely and accurate data has always been critical to financial operations such as trading, lending, hedging and disclosure. Over time, the types of questions business users have come to ask of data have changed, and business software has evolved accordingly. Timely insights are now critical to a sustainable competitive advantage. The first generation of data queries sought to gain an accurate picture of the business, mostly from a historical perspective – “which region performed best in Q4?”, or “what was the revenue from credit cards, for each month in the preceding 12 months?” Accurate source systems and robust databases capable of returning results fast was the need of the hour. The soft ware industry responded and we saw a boom, from about 1980 to 1998, in enterprise databases and reporting systems. The next generation of data queries involved more sophisticated questions that sought to glean second-order insights from data. Financial institutions, faced with increasing competition caused by deregulation, were seeking new ways to be profitable independent of business cycles. Business users were forced to look at performance metrics both temporally and across other classifications. So questions often took the form of “what are my top three products, both across a line of business and across geographies?”, “what was the daily 200-day moving average for treasury yields over the past two years, and on what days did yields fall five percent below and rise five percent above that average?” As a result, the boom in reporting soft ware soon gave way to business intelligence software, or BI, characterized by dashboards, pivot tables and multidimensional data cubes. But despite the massive investment in business intelligence soft ware since 1997, financial services firms have continued to rely on after-mart approaches to extracting more insights out of data. The most famous of these approaches involves the pervasive use of spreadsheets to conduct ad-hoc analysis, perform statistical transformations and study the effect of core assumptions – involving such metrics as interest rates, inflation rate or correlations – on entire portfolios of assets. While this is not the article to discuss the pros and cons of using spreadsheets, it is fair to say that it takes significant skill and persistence to extract critical third-order insights buried in spreadsheet data.

Tibco.indd 58

Optimal decision-making hinges on a thorough understanding of underlying causes behind observed metrics, understanding relationships between performance measures and cost drivers, visualizing risk drivers and their effect on measures, and gaining sufficient confidence to assign causality. Such questions have applications in risk management, profitability analysis, and most importantly, in shaping future investments and new growth strategies. Examples are “what would demand be for our products in the coming quarters or years?”; “will our insurance premiums be sufficient to pay out claims over a period of five years?”; “who is most likely to respond to credit card offers?” While high-end statistical and optimization soft ware do exist to answer such questions, the specialized skills needed are often beyond the average business user. This situation is untenable because the chasm between those that provide the answers (modelers) and those that act on the answers often results in sub-optimal, or even wrong, decisions. As an example, absent knowledge of stochastic distributions, it is hard to intuit that VaR at 99.99 percent confidence level can be five times the VaR at a 95 percent confidence level! Understanding this is crucial to an accurate estimation of economic capital at a bank! Analytics tools that interpret complex quantitative measures and present the ramifications to end-users in an easy to interpret format represent the next generation of business intelligence tools. The separation between reports, dashboards, and analysis is fast blurring, and we are now witnessing the first generation of tools that span the analytics spectrum and still appeal to the broadest range of business users. 

Venkat Mullur is an experienced business consultant and leader in the business analytics space. He has been a consultant and advisor to global banks, and specializes in risk and compliance issues. Mullur holds an MBA (ﬁnance) from Northwestern University’s Kellogg School of Management (USA), is an accredited risk manager, and has held the FRM designation since 2002.

25/02/2011 13:52

TIBCO AD.indd 1

22/02/2011 09:14

SECURITY

Facing down the

security attack In the battle with security fraudsters, banks increasingly have to pull rabbits out of hats.

By Sharon Stephenson

FINANCIAL SERVICES.indd 60

25/02/2011 13:44

SECURITY 61

s urban myths go, this one is a beauty: some time ago, a large African nation introduced a biometric element to the delivery of its welfare payments. Beneficiaries, so the story goes, were required to be fi ngerprinted and swipe their right index fi nger on an ATM machine every time they claimed their weekly payments. Human nature being what it is, some unscrupulous individuals decided a good way to defraud the system would be to murder people, cut off their right index fi ngers and use these to claim additional payments. Fact or fiction, this grisly story is a salutary tale of the lengths some people will go to subvert the system. And of the need for financial institutions to stay several steps ahead the criminal fraternity when it comes to data security and fraud issues. It’s no secret that fi nancial institutions are great movers and repositories of sensitive and valuable data, which makes them an attractive target for criminals. According to soft ware company Symantec, fi nancial institutions are among the most frequently targeted industries and the severity of fraud is often greater as they are more likely to be a target for profit versus nuisance. Globally, there’s little doubt that fi nancial institutions are struggling to keep pace with the increasing frequency and severity of information security risks and online fraud. Indeed, security and fraud management is one of the top 10 strategic IT priorities identified worldwide by research company Financial Insights, while recent studies indicate that security-enhancement technologies, data warehousing and content/document management technologies are among the top investment priorities for European banks. It’s a sentiment shared by Allen Chilver, Senior Consultant - Advisory at PricewaterhouseCoopers (PwC) who says European fi nancial institutions’ data security faces attack on four fronts. “There’s the loss of data from staff or customers that creates a data protection breach, as well as the loss of customer identification credentials that facilitate unauthorized payments from customer accounts such as card and other channels including the internet and telephone banking,” says Allen. “Two additional threats are the loss of data that exposes a bank’s trading positions, which allows competitors to trade against them knowing what their trading positions are, and the loss of the bank’s own confidential data which may compromise its strategic plans.” The key issues that result from such data loss are often “depressingly mundane” rather than high tech, says Chilver, and include data leakage through insecure systems, often not the bank’s own, as well as data leakage because of dishonest staff, particularly in UK and overseas-based call centers where low-paid staff and high turnover can be an unfortunate combination. “We know that criminal gangs will actively place people working for them in call centers with the deliberate

FINANCIAL SERVICES.indd 61

intent of retrieving confidential data. It’s becoming more prevalent and has put the focus onto staff recruitment screening techniques to target those issues.” Significant amounts of data can also be lost through an institution’s lax processes, such as inadequate waste disposal, transporting or careless handling of information. Of these, probably the most significant criminally fraudulent practices in terms of visible mitigation are card and internet fraud, otherwise known as ‘phishing’. Matia Grossi, Research Manager for Physical Security at Frost & Sullivan, says phishing involves trying to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication exchange. “Communications pretending to be from popular social websites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public,” says Grossi. “Phishing is typically carried out by email and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.” Or via the telephone where the caller asks for someone’s bank details and/or to verify personal identification numbers (PINs). “Despite banks continually telling customers never to give their details over the phone, they still do. One European bank recently conducted a fake trial where it rang customers and asked them for their PIN and something like 20 out of 100 people gave their details straight away.” Surprisingly, there is little difference between European nations when it comes to banking fraud. “Take the credit card area, for example, which is a global issue,” says Chilver. “Any bank anywhere could potentially fi nd itself in a position where its card data was being compromised because the point of compromise isn’t necessarily linked to the bank nor to the country in which the bank operates. In many cases, internet banking fraud is perpetrated overseas perhaps in Eastern Europe or in South East Asia.” One of the major strides made by banks in the past few years in the fight-back against payment fraud has been the introduction of chip and PIN technology. Chilver estimates this has reduced the incidence of such fraud from around 18 basis points of turnover in 2001 to 12 basis points in 2008. “Basically we’re talking about combating the physical counterfeiting of cards. It’s possible to skim, or illicitly take a copy of the magnetic stripe data on a card and transfer that onto a counterfeit card that can then be used at the point of sale. If you could also compromise the customer’s PIN, you could then use the card in an ATM. What chip and PIN technology has done is to introduce a much more sophisticated way for the card to prove that it’s genuine – ie data authentication.” There are two types of data authentication, Static Data Authentication (SDA) and Dynamic Data Authentication (DDA). The former uses chip data in the form of a digital

25/02/2011 13:44

SECURITY

signature that allows the point of sale terminal or ATM to validate it using a technology called Public P Cryptography. With SDA, the signature is pre-calculated by the bank and written to the chip, so it is always the same and the counterfeiter can record it from a genuine card and play it back from a counterfeit card. The second, DDA, actually calculates a different digital signature each time, which makes it a much more powerful authentication mechanism. It is able to defeat any type of skimming attack because it can’t be predicted by the counterfeiter. Initially, most European-issued credit cards featured the static authentication method, mainly because of the time taken to personalise each card (it’s around eight times slower to produce a DDA card than an SDA card) and the cost of chips, which require an additional component to calculate the signature. However, the costs are coming down and Chilver says vendors such as Visa and MasterCard have already mandated their members to use DDA for all offl ine-capable cards issued after 01 January 2011. “It’s important, though, to recognise that chip and PIN isn’t a silver bullet. What it has done is to eliminate specific types of threat, but then the threat has simply shifted elsewhere, namely to card-not-present fraud which has expanded significantly since chip and PIN was implemented in the UK.” Likewise, in countries that don’t use this technology, namely the US, card skimming remains a very real threat. “The US doesn’t have chip and PIN technology and may not adopt it because of the sheer complexity of getting thousands of merchants, third-party processors and other stakeholders who don’t come under a single regulatory umbrella and who may not have any kind of fi nancial incentive to adopt this technology.” When it comes to delivering sensitive security information such as PINs and other credentials, mail is still the preferred channel for most fi nancial institutions. Th is, of course, leaves such information vulnerable to mail inter-

to achieve a relationship with the customer and communicate with them. The issue is how to achieve that other than through some kind of physical means of transfer.” Step on up, biometrics. Many banks have either dabbled in, or are enthusiastic users of, biometrics as a form of online security and although they’ve been around for some time, the big hitters remain fingerprint and voice recognition because of their ability to identify customers without requiring those customers to do too much. “Of course, there is the initialization or registration process that requires a physical interaction between the customer and the bank. But once that is completed, having your voice or fi ngerprints on your credit card can support a virtual relationship that may extend long into the future.” Ditto voice authentication technology where customers can speak to an ATM, to a phone or to a teller without the need for verification of signatures. It is designed so that at any point, the relationship between the bank and its customers should be easier and less time consuming. However, both Chilver and Grossi say full implementation of voice authentication is still some way off . “There’s an awful lot of downstream technological changes that have to happened in order to translate this into reality,” says Grossi. “For example, you need technology in every branch as well as a considerable amount of back-end infrastructure to be able to record voices, turn them into a digital pattern and compare them to a voice on a database.” And then there’s the issue of speech/voice interpretation. Says Chilver: “You have to get this right before you use voice authentication. So I’d want to know that the bank understands and clearly interprets what I’m saying to them before I use voice authentication. This creates huge security issues for banks because they need to be very, very sure that they reliably authenticate genuine customers before a transaction takes place.” Likewise, when customers use internet capabilities to phone their banks (Voice Over Internet Protocols or VOIP),

“One European bank recently conducted a fake trial where it rang customers and asked them for their PIN and something like 20 out of 100 people gave their details straight away” cept. “Banks will normally use tamper evident documentation, but even then they are well aware of the threat of mail interception particularly with certain destinations such as shared accommodation which history tells us are particularly vulnerable to mail intercept.” Banking is, however, increasingly challenging mail as banks’ preferred channel to communicate statements, payments and servicing information to customers where, says Chilver, the security issue is serious enough for larger banks to deploy security units devoted full time to counter the threat. “The basic need is for some kind of trusted way

FINANCIAL SERVICES.indd 62

it means that the call is not being routed through the traditional telephone exchange but through the Internet. “VOIP uses open internet protocols and was never designed with security in mind, so it presents all sorts of challenges for both banks and customers. All manner of interception and call spoofing techniques that are now happening over the internet which have serious consequences for how to manage these risks.” Another new generation technology aimed at making life easier for the customer and bank and harder for the fraudster is contact-less ATMs which can, for example,

25/02/2011 13:44

SECURITY 63

be accessed via cell phones. These could do away with the need for the customer to collect something physical from the bank because they’ll have their own cell phone through which they can virtually deploy the necessary information and credentials to the customer. “Instead of inserting a card and tapping out a PIN you do the actual authentication using your cell phone while you’re waiting in the queue waiting to withdraw cash. Then when you get to the front of the queue, instead of inserting a card all you do is tap your cell phone on the contact-less pad on the ATM and it dispenses your cash.” Of course the drawback is the cost of technology for each ATM, which runs to around $1700. But Chilver predicts that as the price per unit drops, touch-screen ATMs could go the way of Tyrannosaurus Rex. Contact-less cards are also the next big thing, and they are already being deployed by Barclays Bank in the UK.

FINANCIAL SERVICES.indd 63

Any debit card you now get from Barclays has contact-less capability so that the user doesn’t physically have to insert it into a device in order to make a payment. They just have to tap a reader with the card and key in the pin. One security-based technology still in the nascent stage of development that has experts excited is DNA biometrics. According to Grossi, this has huge potential for large-scale applications in the next 15-20 years. “The integration of iris and retina recognition biometric systems and 2D and 3D face recognition systems are anticipated to gain widespread adoption in the next seven to 10 years with their low error rates. Multimodal biometrics such as fingerprint, face and iris are expected to become the standard biometric for high-end applications in government, border control and airport security by 2020. And the banking sector probably won’t be too much further behind…”

25/02/2011 13:44

TECHNOLOGY FOCUS

IT’S ALL IN THE

TEAMWORK

Being the CTO of a national organization with thousands of employees and a constantly evolving technology base is no mean feat. Richard Scott of Guardian Life Insurance explains how he stays on top of the challenge.

n case you didn’t get the memo, the world of IT is in the midst of a transformation. Again. A constantly evolving sphere of clouds, virtualized data-centers and revolutionary devices, today’s technology landscape is rife with challenges for the IT executive, and while the likes of Google, Microsoft and other major players in the tech sector are paving the way for the future of the industry, keeping abreast of that innovation and integration in a business that uses technology but does not produce it is no mean feat. So how can corporations worth billions of dollars, and with a staff base in the thousands, manage the constantly evolving technology across the whole organization? “That’s a huge challenge,” says Richard Scott, CTO at Guardian Life Insurance Company of America. For Guardian, an insurance fi rm with around 5400 members of staff, technology is a key enabler of the business strategy. “We’re not unlike a lot of companies where we have individual lines of business that all have their own driving forces,” says Scott, adding that the key to implementing innovation and development is socialization: ensuring that there is a constant conversation between the various departments of the organization to develop the best strategy for the whole business. “We’ve got to be out there,” he says. “We’ve got to be talking to the lines of the business – the tier business people, the application side – and then look for the greater good. That’s not always possible. You can’t always have a solution that meets everybody’s needs, but to the extent that we can, that’s what we focus on.” Still, in order for innovative new technologies to be implemented throughout the business, they have to be present in the fi rst place. “For us it’s about unleashing the creative power of our organization and enabling people to innovate,” explains Scott. “We encourage people to go out

Guardian Life.indd 64

to different vendors to look at the trends in the industry. We will support them in internal trials, but we also have a strong governance process that requires any new technology to go through a series of vetting steps before it can be made live or get into an area where it might impact our compliance or regulatory reporting requirements. It’s really just allowing people to do it rather than trying to confi ne innovation to a group of three or four people in the R&D team. That doesn’t work very well.” The pendulum can swing both ways though, and while Scott actively encourages an innovative culture, there comes a point where the best interests of the business take precedence. Scott explains that only once an idea has reached maturity can it be considered for implementation across the organization. It is at that stage, he explains, that the collaborative internal culture kicks in. “That’s when we bring in different departments to look at this as a group,” he explains. “We have representatives from all different areas that come together and say, “Is this a technology that can benefit Guardian as a whole?” Th is seems to be a recurring concern for Scott in his capacity as CTO. Taking what he describes himself as a “horizontal view of all of IT”, he is fi rm to ensure that new technologies are beneficial to the greater interests of the whole fi rm, and he highlights that Guardian operates a governance process to ensure the right technologies are emerging into the business. “It’s not one person saying, ‘You can’t do that’, and putting the hammer down,” he explains. “We have a representative group from business, from technology, security, infrastructure, all these different areas asking, ‘Is that really in the best interests of the company as a whole?’” And in the two years since this process has been operating, Scott explains that Guardian is reaping the rewards. “Just knowing that the process is in place has caused people to rethink trying to introduce anything and everything to the business, just for the sake of it. Ideas are very well-vetted before they get to that level, and they tend to go straight through because they are well-defi ned, well thought through and clearly address a business need.”

Clouds ahead With regard to the technologies that are currently revolutionizing the business world, Scott speaks candidly. “I personally don’t like the term ‘the cloud’,” he reveals. “It means too many things to different people. I like to look at

25/02/2011 13:51

TECHNOLOGY FOCUS 65

the cloud as a utility. We look at where the cloud is taking us, and it’s becoming a commodity; so if I need to run a business process, I’ll simply reach out and run it on the cheapest commodity-based compute, platform I can fi nd out there, or if I need storage for the business, I’m going to fi nd the least expensive storage option available to me.” Like his approach to innovation, Scott sees little to be gained from just adopting a new cloud-based system for the sake of doing so. “I envisage that within the next 12-18 months we’ll probably dip our toe into the world of development,” he says, underlining his fi rm’s caution when it comes to taking on a new technology infrastructure that might compromise sensitive company information. “I couldn’t take, for instance, some of the customer data we deal with and put that in the cloud today,” he says. “It’s just not mature enough.” He also highlights the concern many technology executives share: will external soft ware providers have the fi rm’s best interests at heart? “If we pick a vendor to host

“We have representatives from all different areas that come together and say, “Is this a technology that can benefit Guardian as a whole?” our stuff, are they going to have the right maturity, the right service levels, the ability to pay the same amount of attention as we do to our own environments today?” asks Scott. “Are we going to get the same or better or a guaranteed level of service?” Still, Scott is optimistic that these are just kinks that will work themselves out with time. “As the technology evolves and security techniques become tried and tested and the comfort level raises, these concerns will go away. I don’t think that there’s anything that will stop this, but it is a concern today.” He remains realistic that a move to the cloud is an ultimate inevitability for businesses’ IT infrastructure, and explains that despite his reservations, his department is looking towards it as the next generation of technology platform. “We’ll try to get some of our IT folks to begin to make provisions for environments in one or two cloud providers so we can begin to free up our own infrastructure for production use, and have this more dynamic infrastructure in the cloud for development. It’ll probably go from development to test to user acceptance testing and one day to production. “I still can’t forecast when that production date is. There’s some neat technologies that are being introduced today that will allow us to do some of this work internally before we push it out, and then seamlessly move the workload into the cloud without a lot of modifications. Our focus is going to be on investing in and preparing ourselves for that eventual date. It’s going to happen. We need to do what we can to prepare ourselves to make that transition as seamless and painless as possible.” 

Guardian Life.indd 65

REAPING THE BENEFITS According to a report published by the Center for Economics and Business Research, cloud computing will allow financial services business to break free from the shackles of old legacy IT, generating some $250bn and creating a staggering 207,000 jobs. Cloud computing is transforming the way companies consume and pay for IT. Under the cloud model, IT applications and services are provided by a third-party over the internet, and by buying up server space and computer applications as a service via the web, banking tech teams can bypass old systems. Alan Goldstein, CIO for BNY Mellon Asset Management, believes cloud computing allows banks to provide IT resources quickly, increasing their business agility. “From an institutional standpoint, the benefits of cloud computing are concrete. You’re able to more rapidly deploy infrastructure and applications and to scale-up horizontally.” That means you cut the time it takes to get a product to market, he adds. The advance of cloud computing also means businesses no longer have to buy or develop costly proprietary IT systems and applications, and can consume tech services on a pay-as-you-go basis. Although slower to adopt the technology than some other sectors, the financial services industry is beginning to embrace the phenomenon and is set to reap major benefits in terms of saved costs, increased productivity and job-creation. CEBR’s Cloud Dividend report predicts that 60-80 percent of all businesses in the banking, financial and business services sector will have adopted some form of cloud computing by 2015. But not everyone is convinced. According to one head of equities trading technology at a major broker, cloud computing is not yet robust enough to apply to all areas of the financial services environment, and many banks will continue to deploy and run their services in-house, particularly in the IT-intensive trading space. Michael Fahy, Global Head of IT Infrastructure at investment bank Nomura, adds that the cloud-computing pay-as-you-go commercial model also needs time to mature. “The commercial model is not yet sufficiently developed to operate on the scale we want to operate on, and there are still questions around data security.”

25/02/2011 13:51

UNISYS AD.indd 1

24/02/2011 10:00

UNISYS AD.indd 2

24/02/2011 10:00

CLOUD COMPUTING

As cloud computing continues its sometimes-confusing march towards industry ubiquity, Nick Pryke helps identity its silver lining.

EXPERIENCING

TURBULENCE ChristoneKistanic.indd 68

n the overlapping worlds of commerce, where definition is currency and understanding unveils the path of profit, there remains a no man’s land filled with confusion and frustration – partly because it’s not land at all. It’s a cloud. And just like those white balls of weathered noise that float on by above our heads, the world of cloud computing continues to rain down conflicting standards, differing technologies and a plethora of methodologies that serve to obstruct our ability to fully decipher it. So whilst we can grasp it’s principles, understanding exactly how it can add to the industry while remaining business specific is not such an easy task – and becomes all the more difficult when put into the context of financial services. Of course, we all know the underlying idea of the cloud as we made it, but its implementation has caused countless heads to be scratched and meetings to be called in a bid to work it out. However, for all those head-scratchers, there remain a few who know what needs to be done and the best way to go about doing it. Better placed than most, Christine Kincaid, SVP of Global Security Strategy at Citigroup, understands the need for companies and industry to not only grasp the principles of cloud computing, but run with them until they’ve harnessed their own specialized interpretation of the next generation of network computing. “We have a lot of the same challenges that plenty of other companies are seeing,” begins a confident Kincaid. “Although some of the things Citigroup faces are probably not as common just because of the size and complexity of the company – so when we look at sheer infrastructure and global reach, the only other entities close to our environment are other banks, but even then Bank of America isn’t as big. Chase is probably approaching the complexity because of the way they have other subsidiaries in other countries, but it’s still hard to compare.” Indeed, one of the areas many companies struggle with cloud computing is trying to compare what another company has done, or intends to do, with their cloud and attempting to tailor it to your needs: like trying to fit a square block into

25/02/2011 13:40

CLOUD COMPUTING 69

“It’s a natural evolution of technology and computing. We need to stop being naysayers from a compliance, risk and complexity point of view and allow things to enter our business”

ChristoneKistanic.indd 69

a round hole, it’s just not going to work. So, whilst we refer to it as cloud computing, Kincaid prefers to call it “a really fancy way of saying ‘we’re going to do what we were doing 20 years ago’. “I have yet to hear clear statements of what is planned or available to be technologically delivered. It’s easy to point to Software as a Service (SaaS) as it makes logical sense to market it. But if you’re looking to leverage and include the potential for virtualized hosting, which is what some of the physical center hosting companies do today – like Rackspace for example – then you’re going to want to have that technology, but you’re not going to want to hire, build a space for, maintain and ultimately create all that additional overhead. You can talk about cloud until you’re blue in the face, but a hosted environment isn’t really cloud. Hosting companies have been offering SaaS for a while; it’s a thin client application delivery that really started 20 years ago with Star Panels and the fact that hard drives didn’t exist. We’re literally watching technology evolve full circle.” In highlighting this evolutionary circle, Kincaid manages to encapsulate part of the problem when it comes to cloud computing confusion. The first time round it didn’t work as technology became feature rich, slowing down the inherent processes needed. Or as Kincaid puts it, “it was like trying to suck a tsunami through a straw”, which is exactly why we saw the evolution towards desktop computing and process power. “Technology to a business can seem like an obstacle; security and compliance governance can seem like that but in reality you do it every day,” continues Kincaid. “Every time you pick up your foot and walk across a room you’re doing all kinds of mathematical equations and physics in your brain that you never think about. If you practice it enough you’ll stop thinking about it and just do it. It’s a natural evolution of technology and computing. We need to stop being naysayers from a compliance, risk and complexity point of view and allow things to enter our business. You have to know that what you are delivering as a core technology or core services are built correctly and with flexibility. It has to be adaptive so that it can be used and tested on multiple devices.” Indeed, one of the biggest failings of technology initiatives is the failure to test them in ‘reality’. Sure, developers and system administrators can test every hour of every day, but ultimately they’re not the end users. “There’s a reason why toymakers build prototypes,” explains Kincaid. “Rapid prototyping in product development is always a smart move as sometimes you have to be able to see it and hold it. When we’re talking about technology it’s very complicated; people’s eyes start to glaze over. You have to understand the language that your company speaks as it delivers to its target market and amongst its peers. You forget that you’re technology. You are the business.” In a world where business is crying out for simplicity, Kincaid believes that simplification can be engineered through technology and at points – such as the ideal of a standardized and comprehensive cloud – make life easier. But first, an understanding also has to be met that sympathizes with the fact that vendors are going to want to sell. “Arm your

business to see you as a resource so that they [the vendor] will trust you to make sure you’re not sold snake oil. “A lot of technology organizations are still ‘us versus them’, and they get mad at the vendors for talking to the business. Just because you outsource aspects of your technology organization to third parties who are experts at what they deliver, doesn’t mean that you can do IT without IT”. Fundamentally for any industry looking to expand into the cloud, it comes down to trusting that it will ultimately allow any given industry to become more technologically agile. As Kincaid analogizes it, instead of every company building their own car and manufacturing their own parts, vendors act as a mechanic – sourcing and acquiring the necessary parts you want on your car and then adjusting it accordingly. “Cloud should become the ubiquitous ability to pick and choose,” she affirms. “It’s the free enterprise approach that we’re supposed to get with deregulation of the phone and electrical industries. It takes time and starts as it evolves and learns from its own mistakes and its own processes of adoption. I won’t be a pleasant or smooth transition but I do believe that we’re seeing the next evolution in major technology strategy – not just from how we build it and what we do with it but how we use it and how we think about it.” “Stick your toe in the water. Stick your feet in the water. Do it on a small scale and see if it fits. The first business area or focus area that comes to you and says, ‘Hey, I can do this,’ don’t just automatically kneejerk and say no or that you want to do it internally and build it yourself. Why do we continue to build our own clouds? Why do we continue to rebuild the same thing over and over again? It’s not rocket science. A UNIX server’s a UNIX server. Why do we use UNIX? Well, because it’s an operating system on certain types of hardware. It does certain things better than anyone else. “Microsoft does certain things better than anyone else, as do IBM. They’re there for a reason. There is a selection of ten or less of those companies for a reason. I understand that the cloud has to go through that process too, but right now everybody wants to label whatever they’re doing as being cloud. I’m waiting to see what’s left over.” It’s a savvy move from Kincaid, as she sticks to her projection that in a few years from now, some of the big companies we’re witnessing at the moment could very well decide to walk away from the situation when they realize that the cloud isn’t their core function. And with such a large uptake of major technology in the past three years through vendor acquisitions, Kincaid is also quick to assert that it makes her nervous. It wasn’t until our final words passed that the true nature of the cloud as it floats now was appreciated. Surprised that Kincaid didn’t use as many acronyms as her peers – a somewhat trivial observation – she quickly replied: “I joke at the office, saying ‘Okay guys, I didn’t bring my cereal decoder ring with me. So you’ve got to tell me what that acronym meant’.” Ultimately, in an arena that wants to function effortlessly in the cloud, it’s got to first decipher exactly what everything means. Then, and only then, can we start to put down our cereal decoders and look at the tasks ahead.

25/02/2011 13:40

IT INNOVATION

The sandbox system As comprehensive IT continues to combine with progressive technology to move towards the cloud, AXIS Capital’s John Parkinson outlines how important the role of innovation is becoming – and outlines why the sandbox isn’t just for kids anymore.

ifteen years ago, if you had any workable knowledge of IT systems and business computing, it was more than likely that you’d pour it straight into the now legendary back-end MS-DOS. Th at’s right, that vacant black-screen parading endless lines of blinking, emerald-green code that remained about as effi cient as toasting your bread with a lighter. Th ing is, back in those days, MS-DOS was all we had. Fast-forward to today, and you’d be lucky if a handful of the millennial crowd could even explain the largely defunct program of yesteryear. Yes, today’s technology is fi lled with usability fi rst, understanding a serious second – which works well for consumer technology; but in the

AXIS Capital.indd 70

world of business IT and security systems, grasping that understanding is equally as important as maintaining a system’s usability. One without the other, and you’ve got some serious kinks in your cables. Straightening out those kinks while ensuring the cables are as efficient as possible is John Parkinson, SVP for AXIS Capital’s Global Program Office. With AXIS sitting between both IT and business levels, Parkinson’s role encompasses every project or program that aff ects either of those runs through the management group that he leads. The biggest problem he faces at the moment? Getting the founders of AXIS – “smart people who know exactly what they’re doing in their business context” – to

25/02/2011 13:50

IT INNOVATION 71

value technology more than they currently do. As Parkinson explains, as pivotal and knowledgeable as they are, they have no “visceral connection to what technology makes possible”. “The challenge they face today is that that doesn’t scale very well, so they can’t work 24 hours a day. The fi rst time that they can’t peer review a risk because there’s no time, they have to start trusting technology to do some of the work”. The question that needs answering by Parkinson is how to educate his superiors to that they become better decision makers about what technology can do to help them do their jobs. Unfortunately, the solution isn’t as clear-cut as the problem. “We’re still craft ing an answer to that,” admits Parkinson, “but it’s a combination of implanting technologysavvy, business-focused people into the operating side of the business, so there are voices they trust that they interact with every day. It’s in part listening to how they talk about what they want to do, what they want from a business perspective, what they want to achieve and then translate that into longer-term architectural and platform decisions that IT can make behind the scenes – building the right plumbing, wiring and platforms so that when they come to us in three months, six months or a year, we will already have most of what it will take to satisfy what they need.” What Parkinson alludes to is a change from IT and operations that have been rather reactive in the past, towards listening to more about the longer-term implications of what the business wants to do. In doing so, it is hoped that Parkinson and his team can become better custodians of the capital that’s entrusted to them to build the technology behind the proverbial scenes. The hard part? Well, according to Parkinson – and a sentiment that is obvious to anyone in his shoes across the industry – it continues to come back to annual budgets. But with AXIS functioning specifically on a three-year plan now, as opposed to the traditional one-year plan, looking at results every quarter within that time period, it allows for a slightly longer planning horizon. “The questions that come back to IT and operations about that approach allude to educational opportunities,” continues Parkinson. “Everyone is coming and saying ‘Why are we doing it this way?’ And we have the chance to sit down and say, ‘Well we have to make decisions now that we can’t change easily for three to four years, so we want you to tell us where you think you’re going to be in that time period so we arrive at the same place.’” In order for this to not only be successful but also as efficient as possible, Parkinson chopped the budget into a number of different pieces and included a 20 percent portion to ensure space for unallocated capacity into the plan. “If you go back and look at the past five years, every year we’ve done about 20 percent of something that we weren’t told we were going to be doing at the beginning of the year,” explains Parkinson. “So history says that we need that 20 percent.” But for all the IT systems, allocated budgets and business motivations floating around at AXIS – and there are

AXIS Capital.indd 71

a lot – none of it means anything if it isn’t supported by the strongest possible network of innovation. Naturally for a man the likes of Parkinson, this gave him the motivation to truly think outside the box – the “sandbox” to be exact. “Over 10 years ago when I used to work for Ernst & Young, I ran corporate innovation for a couple of years. I looked at all the literature at the time and decided it was all fantasy. Most people had this consulting model of innovation, where you build something off to one side and you fed it money and pizza until it turned out great ideas. The problem was that never worked.” Instead, what Parkinson came up with was a grass roots innovation program. Essentially, it involved mining about 5000 ideas from employees across the board – from junior executives through to top management – and then throwing them into a system of group voting. Once the ‘winning’ ideas were extracted, it was time to take them to Parkinson’s business “sandbox” to fi nd out precisely what each idea would need to function on a business level. “We built it deliberately crude with manual tools and processes, a little bit of technology that would get the ball rolling, and then just saying to someone ‘Okay, go and run a business in the sandbox for 180 days, and if at the end of it you can show us that you’ve found some customers and the product worked, it was legal and the cost to deliver was less than the cost of all the rest of it’, then we’d put some more money in and we’d launch them as a business. In two years we took $400 million of costs out and built $1 billion in new revenue,” explains Parkinson. “Out of about 5000 ideas that went through the fi lter, we ended up with about 20 that were worth trying out. Roughly 50 percent of the ideas were health and hygiene – better coffee, helping with better parking, the elevators don’t work – that kind of thing. We fi xed them easily as they mean a lot and don’t cost much to do and you get a lot of credibility for it. We ended up with about 250 ideas that were about new business, so we went through and conducted adjacent analysis. After that, we carved off about 100 ideas that weren’t bad ideas, but they were never going to be anything we were going to do, so we sold them to business incubators instead. “Finally, we looked at the rest and ranked them and said, ‘Okay, so if this idea is going to cost $1 million to deploy and it’s going to make us one dollar more, then you know it’s profitable. But then if we had one that cost a dollar but was going to make us $1 million, then obvious that would take priority”. What Parkinson ended up with was a blueprint for working viable innovation into not only technology, the annual budget and the psyche of his superiors – his initial intention – but towards understanding the importance of IT and secure systems within the context of progressive business. And what does he think of the current situation when it comes to the cloud, perhaps the biggest non-entity being preached crossindustry at the moment? “Lots of vapor”. And from a man who accrued $1 billion in new revenues in two years, his words speak as loud as his actions. 

“If you go back and look at the past five years, every year we’ve done about 20 percent of thing that we weren’t told we were going to be doing at the beginning of the year”

25/02/2011 13:50

ASK THE EXPERT

The vanishing checkout lane: will today’s point of sale satisfy tomorrow’s retail customers? The retail point of sale is fundamentally changing. It is moving from traditional checkout lines to wherever the customer may be: shopping on the internet, walking a store’s aisles, traveling, or lounging on the beach. Are you prepared for what this means to capturing and retaining customers? Asks Barry McCarthy

ot so many years ago, returning a rental car was often an exercise in anxiety and frustration. Typically, you would be racing to the airport to catch your fl ight. You’d drop off the car, gather up your possessions and drag them to the rentalreturn counter with paperwork in hand. If you forgot to write your mileage or fuel on the paperwork, you would dash back to the car, write down that information and then sprint back to the car-return counter. While completing the paperwork and processing your credit card, the counter attendant might try to engage you in idle chitchat. Meanwhile you were rapidly losing patience.

Those were the days Now, of course, returning a car is much simpler. You pull into the lot. An attendant walks over to you, scans a bar code on the car and checks the mileage. The attendant asks if you want to keep the charge on your card. He hands you the receipt, and you’re done, almost before you’ve fi nished taking your luggage out of the trunk. Th is new process seems so natural that it’s easy to forget those not-so-good old days. Today’s travelers have quickly grown to expect this level of service and even take it for granted. From the car rental company’s point of view, changing the way it checked in a rental return and completed a sale was inspired by one simple idea: rather than bringing the customer to the point of sale (POS), let’s take the POS to

FirstData.indd 72

the customer. New wireless technology made this possible and the results were dramatic. But that’s not the end of this story. It is, in fact, the beginning of a much bigger story, one that is unfolding right now and will have a profound impact on the way many kinds of retailers transact sales and interact with their customers.

ment methods, according to selfserviceworld. com. Today there are about 7 million checkout lanes in US retail establishments that are capable of doing electronic checkout and processing cashless transactions. As consumers, we take these changes for granted, while retailers benefit from more efficient and secure transactions.

“A Nilson Report found that debit and credit card transactions now account for more than half of all transactions, compared to 29 percent a decade ago.”

What can a retailer do now?

What do customers really want? Several years ago, market research firm Yankelovich reported that half of all consumers polled, at all income levels, say lack of time is a bigger problem for them than lack of money. Anything a retailer can do to save shoppers time and make the shopping experience more convenient would pay dividends in increased loyalty, greater frequency of visits and fewer lost sales. Changing POS technology has also changed people’s attitudes about how they pay for things. A Nilson Report found that debit and credit card transactions now account for more than half of all transactions, compared to 29 percent a decade ago. And 90 percent of retail consumers surveyed say they prefer or don’t mind using cashless pay-

Here are some practical suggestions for staying ahead of the curve. Explore ways new POS technologies can make the shopping experience faster and more pleasant for your customers. Consider if there are ways to use new POS technologies to actually expand the reach of your business. Even if you’re just replacing end-of-life POS terminals or buying equipment for new stores, consider incorporating a ‘mobile POS’ mentality into near-term purchase decisions. Recognize that your system has to be open and capable of accepting contactless transactions and transactions from wireless devices. Get the help of payment processing experts, such as First Data, in exploring opportunities and developing a strategic POS plan. Traditional retail points of sale are changing rapidly. To remain competitive, merchants must think strategically about this key customer touch point. Barry McCarthy leads two key equity alliances in First Data’s Government and Education business and oversees the RAS business in the Asia Pacific region. Previously, McCarthy led the Mobile Commerce Solutions business and Point-of-Sale businesses, working closely with a variety of industry partners including large wireless carriers, young start-ups, technology providers and terminal manufactures.

25/02/2011 13:44

FIRSTDATA AD.indd 1

15/02/2011 15:09

PAYMENT CARDS

Cate Luzio, Head of International Commercial Cards at JP Morgan, explains why global card programs bring great beneďŹ ts.

any multinational corporations and regional fi rms are now migrating to regional or global travel and entertainment (T&E) card programs. Th is new movement, which has been gathering speed for several years, is achieving real momentum as the credit crisis increases economic pressure on businesses. Energy providers, banks and airlines were early adopters of global card programs. Now globalization has pushed all industries to achieve economies of scale via

strategic sourcing and consolidating/centralizing processes throughout the entire procure-to-pay cycle. As companies focus more on optimizing global cash management, every aspect of this activity is being centralized and handled on a regional, if not global, level. Because they offer attractive economies of scale and can significantly leverage travel spend, T&E card programs have typically been included in these initiatives. As fi rms have globalized over the past decade, the capability of card technology platforms has developed from rudimentary to state-of-the-art. Firms have been able to

new m e Th ation igr

JP Morgan.indd 74

25/02/2011 13:41

PAYMENT CARDS 75

enhance their control of T&E as better technology becomes more widely available to track expenses and leverage spend. Controlling expense now requires data that is more accurate and complete – for example, detailed point-of-sale information that is more comprehensive than the simple clearing and settling of a transaction. The better the data, the easier it is to ensure travel policy compliance, automate employee expense reporting and negotiate preferred rates with suppliers. The management features of a good T&E program – automated expense management and reconciliation, local cardholder service, globally consolidated data and centralized supplier negotiations – can save firms significant amounts of money. The technology now available makes these capabilities more accessible to more companies than ever before.

Expanding beyond borders Most firms defi ne their card program’s objectives and quantify the benefits of consolidation at the onset, thereby ensuring they have clear benchmarks to measure success. When seeking to expand a card program globally, firms should develop a well-articulated business case for senior management that details the following: direct cost savings to the company associated with the implementation of a regional or global T&E card program; process efficiencies of the program for company travelers, treasury, fi nance and procurement; and potential for realizing fi nancial rebates. To support this case, a simple questionnaire can be developed to gather information on the company’s local payment practices and enable data comparisons across countries and regions. Companies embarking on a card program should take a number of steps to ensure their program is a success. First, identify any existing card programs and statistics, then establish potential metrics for the new program and identify strategic suppliers. Next, determine whether there are any existing program barriers. Finally, profi le fi nancial systems, including enterprise resource planning (ERP), general ledger systems and expense management systems; document current payment procedures; and identify and publicize a company-wide T&E policy that properly accounts for regional and cultural differences around the world. Th is policy should ensure that all legitimate T&E is mandated on the card, maximizing volume and consequently maximizing rebates.

A global challenge: card acceptance Card acceptance across borders presents a high hurdle. For companies still without a global T&E card program, the ability to use a broader acceptance platform may be a powerful incentive. But these firms must look carefully at whether the card they are considering is accepted in the places their employees are likely to do business. Th e level of card acceptance will impact cash usage and reporting for the company. If their card is not accepted, employees must use their personal card or cash to pay for T&E expenses.

JP Morgan.indd 75

Why implement a global corporate card program? • Improved control of spend • Better employee compliance • Enhanced employee satisfaction • Increased purchasing power from leveraging spend • Reduced administration costs • Reduced funding costs • Better reporting and data delivery to identify misuse as well as to negotiate better rates with vendors

Non-acceptance creates more difficulty for companies than employee inconvenience. The transaction becomes paper-based, generating no management information reports. If salient details such as merchant category information are not captured, everything about the paper transaction is lost to automated reporting. In addition to missing any rebate opportunity on this transaction, the company also opens the door to employee misuse through handling a paper invoice. Visa and MasterCard have impressive technology in place for merchant acceptance, particularly in ‘emerging’ regions like Eastern Europe. As these regions join the global business economy, they become increasingly important in terms of managing T&E spend. Global companies are therefore looking for card solutions that will operate in less-developed economies. US companies once preferred to locate in Western Europe, but this has changed in recent years, with many firms now situating shared service centers in Eastern Europe, where the costs for well-educated labor are lower. As less-developed economies increasingly come online, your fi rm should consider the possibility of conducting business in these countries over the next few years, and look at what kind of platform will be necessary to support T&E there.

“Most firms define their card program’s objectives and quantify the benefits of consolidation at the onset, thereby ensuring they have clear benchmarks to measure success”

Pre-RFP review of key program issues Whether they opt for a regional or a global approach, expanding firms must plan and execute a country-by-country rollout. Major concerns in selecting a provider include card acceptance, cost management, secure reporting and integration, consistency of service and fraud protection. While considering all this, companies must also bear in mind that the firm’s CEO and indeed all its employees will be carrying the card that is selected. Any issues that employees, at whatever level, may encounter in using their card – such as non-acceptance – will reduce adherence to the firm’s travel policy. It’s critically important, therefore, to ensure that any potential snags in the program are identified and addressed in advance. It is important to conduct a thorough review in advance of the company’s RFP process. This review should include a wide array of factors and should carefully detail

25/02/2011 13:41

PAYMENT CARDS

the scope of the new program before the fi rm reaches out to potential providers. Firms should fi rst look carefully at the following key factors in this review: the countries the fi rm is expanding into; the currencies they wish to deal in; the volume of transactions they expect; and the particular level of card program expectations within the company. Some additional organizational questions to consider include: How much additional effort will be required of the company to set up card programs in different countries? What is the projected cash flow impact of setting resources against this project? Is the company accustomed to making centralized buying decisions? Can the firm’s corporate office mandate travel policy to all of its regions/employees? The firm will need to ensure that adequate credit lines are in place in each country. Th is frequently requires managing many contracts, very often an expensive and timeconsuming process. Your fi rm should be sure to select a provider that can manage and provide oversight of existing contracts. Having the right people with the right responsibilities in place is particularly key to success in this regard. Firms should consider the level of protection they will require from unauthorized charges, including protection from employee misuse. For example, will they need a reporting package that can identify out-of-pattern spending? Other security and protection concerns include pre-set spending restrictions as well as regulatory compliance, disaster recovery, data protection and privacy issues.

Global implementation concerns Implementation challenges in different countries include obtaining buy-in, securing lending, coping with regulations and managing contracts. Accordingly, the speed and ease of implementation are major concerns for most firms, especially for large companies with complex structures.

JP Morgan.indd 76

FX fees can stamp out additional proﬁts

Implementation is an extremely detailed process. For example, when a fi rm is contemplating implementation of a card program in 20-30 countries, their project management concerns must necessarily drill down to a significant level of detail. One example of such detail is how each employee will receive their card, as well as how they will access the necessary training to use the new system. A global implementation approach streamlines and simplifies this process. Experienced providers ensure successful cross-border implementations by making one global relationship manager responsible for the project. Implementation personnel should have a direct line of reporting to this individual. It is essential to build clear accountability, personal responsibility and pre-determined escalation routes into the implementation plan in order to ensure that the rollout is completed to the fi rm’s satisfaction. A detailed, phased implementation project plan – both at the local level and by region or country – should be utilized in order to guide and track the entire project. This plan should include project milestones and dependent steps.

What to look for in a global card provider: • Up-to-date products leveraging the newest technology • A pipeline of newer products already proven • Experience in both prepaid and corporate card issuance • Ability to consolidate management information and deliver across the globe • Features and functionality such as online statements, 24/7 cardholder support and superior web-based management tools • A dedicated global relationship manager • Coverage in all key economies globally

25/02/2011 13:41

PAYMENT CARDS 77

Once the rollout is completed, the provider’s consultative implementation support should be ongoing. Firms should periodically evaluate the program after the implementation is completed. Initially, this should occur on a bimonthly or monthly basis, eventually shift ing to quarterly or semiannually as the program matures. Monitoring of this kind can facilitate adding capabilities, modifying liability arrangements or adding more advanced controls if necessary.

Pay attention to data management, reporting and integration

“A key dynamic in selecting any T&E card provider is the company’s desire to leverage rebates”

From the ability to integrate data into their fi nancial systems to the ease of use of their web-based reporting interface, there are multiple reporting-related issues that any company must consider in selecting a T&E card provider/program. A major concern is the sophistication of reporting functionality. For example, will reporting be conducted locally, regionally or centrally? How will the card program support any unique tax-reporting requirements? Does the company require the charges to be billed in local currencies? Will each operating unit pay the bills for its cardholders, or will bills be paid centrally? Are reporting and settlement integrated? Data mining capabilities are increasingly important, particularly as they help companies drive down the cost of airlines and hotels. In some cases, providers can deliver hotel and airline spend reports down to a very detailed level. When planning to use reporting capabilities, fi rms should consider their objectives. How useful are these capabilities in helping the fi rm consolidate their spend, obtain a snapshot of their current spend or aggregate data across business lines?

Financial offer A key dynamic in selecting any T&E card provider is the company’s desire to leverage rebates. When assessing any fi nancial offer of this kind, factors for careful consideration include the rebate size (including reductions based on spending factors), any fees (e.g. annual fees, cash access fees, late fees, etc.) and flexibility on payment options. The differences of a few basis points in foreign exchange fees can turn out to be quite significant over a large volume of spend. For instance, if a client’s card program is $100 million annual spend and 20 percent is overseas spend, then a 0.10 percent FX fee differential between issuers would cost the client an additional $20,000 per year in fees. A 0.30 percent differential in FX fees would cost the client an additional $60,000 per annum in fees. Finally, it’s important to note that liabilities and payment terms differ as do local laws and practices in various countries. To avoid potential difficulties, be sure your provider has experienced people on the ground in the region your fi rm is considering. Cate Luzio is responsible for JP Morgan’s International Commercial Card business. JP Morgan’s provides commercial card solutions in more than 95 countries and 28 currencies and continues to expand.

JP Morgan.indd 77

Overseas overview Complex laws and regulations govern cards GERMANY • Complex data protection laws • All air travel generally booked to central travel accounts • Strict labor laws require any new program to be reviewed by a ﬁrm’s Workers Council • Checks rarely used • B2B electronic payments more prevalent than card use

FRANCE • Very stringent data protection and privacy laws • P-card enhanced data only available from domestic French issuers • Level 2 and 3 data looks different in France than in other countries • Direct debit is most common payment method

EASTERN EUROPE • Relative to the US, UK and Western Europe, the commercial card market is immature and principally consists of just the small and medium-sized business segment • Business card usage is on the increase but accounts for a very low percentage of market share • P-Card is known only on a conceptual basis in this region and there is no true P-Card functionality or enhanced data available

25/02/2011 13:41

PAYMENTS

The importance of getting it right PayPal Inc.’s Scott Thompson discusses the challenge of moving money electronically around the world – and why it’s important to stay humble.

hat keeps us awake at night? For most of us, it’s the usual money worries: how to pay the mortgage and put food on the table. When Scott Thompson, President of global online payments giant PayPal Inc., tosses and turns at night, it’s a sure bet he’s worrying about the technology that allows millions of us to pay for goods and services electronically. “When you’re running a technology-based organization like PayPal, you constantly worry that the system is working as it’s supposed to. Are we, for example, delivering the experiences that the product should deliver?” Because while the business of moving money around electronically may look easy, it’s actually a complex technological beast. “Payments are a very complicated business. As a consumer you probably look at this and say, ‘Wow, this is easy, it works all the time, it works as I expect it to work’. But when you’re down inside the belly of the beast and trying to understand how you build products, how you move transactions around, how you clear and settle things around the world, it’s very, very complicated.” Insomnia aside, Thompson has ample reason to be happy. He helms a company with 81 million active accounts that straddle 190 markets and 24 currencies globally. And uses leading-edge technology to do so. Yet

Paypal.indd 78

while he’ll admit to being PayPal’s biggest cheerleader, humility is still his default setting. “We have terrific momentum in the business of PayPal and we have it all over the world. Don’t get me wrong, I’m very proud of the success we’ve had up to this point in time, but it’s still very, very early in the alternative payments and online payments space. People look at us and say, ‘Wow, they are a big company’ but we’re actually a very small company in comparison to the people we compete against and certainly in comparison to the opportunity. But it’s very important to be humble because we service customers all day long and the minute we lose that humility and we don’t treat customers the way they’re expecting, then we lose the franchise that we have and we’ve lost the opportunity.” Thompson, who oversees all aspects of global payment systems, including the product roadmap, architecture, information management and operations, says because his business deals with people’s money, they have to get it right every time. “It’s a very intimate relationship we have with people and their money, and customers have a zero defect expectation. It’s got to work every time just as you expect it to. So anybody who has that relationship and breaks that trust, well you don’t have a relationship with those people over the long term.”

Paypal Inc has 81 million accounts that straddle 190 markets and 24 currencies

25/02/2011 13:37

PAYMENTS 79

Scott Thompson

The key, he says, is to have a sense of perspective. Perspective of where you are, the game that you’re playing, what the opportunity is. “The idea is then that every day we wake up, we come into the office to service customers with that critical mindset – here’s what we’re doing, here’s what our priorities are and, most importantly, here’s how we service customers and we do it with humility in all cases.” It’s a philosophy that has helped PayPal weather the financial crisis when, despite the economic skies falling in, it facilitated US$60 billion in total payment volume. “I guess it just goes to show that when things are turned upside down, people still have buying occasions – you still have to buy gifts for your parents, your nephews, your nieces, your friends. Sure people were taking more time to do research, taking more time to find the best price for the thing that they wanted and then usually finding the best price online. So while things were actually disjointed and there were some discontinuous events during that period, the fact was that people were still buying, particularly over the internet, and we got the opportunity to service those customers in a very meaningful way in a growing section of the market.” So another global company that’s managed to survive and thrive in the past few years. So far, so ordinary. What elevates PayPal into a category of its own is the fact that it caters to 190 different markets, 190 different customer expectations and 190 different payment systems. “Each country has its own set of expectations and its unique systems, so that’s a level of complexity most businesses don’t have to deal with. You have to get it right in all those languages, all those contexts and all those currencies. It’s built into the DNA of PayPal that we’re going to do it right, even though it’s complicated, every single time. But that’s the fun part of this company and that’s the real challenge of what we do globally.” Challenge is a concept Thompson knows a lot about. Since graduating from Boston’s Stonehill College with a degree in Accounting and Computer Science, he has worked

Paypal.indd 79

“You could say we’re inventing the future”

for organizations such as Visa USA, where he was the Chief Technology Officer and Executive Vice President of Technology; as Chief Information Officer of Barclays Global Investors, where he implemented a new strategic technology platform and global infrastructure; and for Inovant LLC where he was responsible for the development, support and maintenance of Visa’s Global Payment system, which processed tens of billions of transactions. He joined PayPal Inc. in 2005 as its Senior Vice President of Product Development, Technology and Operations, before moving into the President’s chair in January 2008. Still, it hasn’t escaped his attention that the road to the top job isn’t usually paved with an IT background. “It is unusual for a CIO or CTO to become the president of an organization but people who grow up in technology are possibly the best problem solvers on the planet because that’s what they’re trained to do – to take something very big and complex, break it down into its smallest pieces, figure out how to reassemble it in a better way and build whatever it is that you’re embarking on. As the CEO of a company, problem solving is a skill you need to have because in most cases you’re inventing new things, determining new ways to service the customer or to build new products to attract new customers. That’s all about understanding the dynamics of the business that you’re in, then breaking it down to its elements and building it back up into a great product. That’s problem solving.” So what’s next for PayPal? Thompson says he’s currently putting his energies into fully localizing the product into more markets around the world so that both consumers and merchants in their 190 markets can fully utilize the product. “It’s an interesting time to be in this business, because people are increasingly doing transactions online, so in a way payments are coming to us and that’s what we do, we move money around online. So of course we’re working to grow the addressable opportunity that we have.” Beyond that, Thompson says PayPal is entering an exciting phase of exploiting innovation in its operational platforms: “So if you’re a developer who doesn’t work for PayPal and you want to build a business that involves money of some sort, then build it on top of PayPal”. Next generation technology – for instance using PayPal via your mobile – is the new frontier and Thompson is rightly “psyched” by the innovation that is being applied to these applications. “You could say we’re inventing the future.” So what would this father of three be doing if he weren’t tasked with establishing PayPal as the leading global online payment service? “Well I’m assuming that I’m actually too old to pitch for the Boston Red Sox, but if I could turn back the hands of time and I was a little better, I would love to have done that. But, to be honest, I don’t spend any time thinking about what I would do if I weren’t here. I’m really enjoying myself because I have this great opportunity to work with a team of people who really want to do something very special. “So I get up every morning and I just can’t wait to get to work. I guess at some point when that feeling rubs off, that’s when I’ll decide what comes next or what different path I’ll take but for right now, this is it.”

25/02/2011 13:37

EXECUTIVE INTERVIEW

Deliver an exceptional customer experience across all your channels Bob Tramontano talks about growth in technology enabling enhanced customer service in a multi-channel marketplace.

Bob Tramontano is vice president of ﬁnancial industry marketing at NCR, a leading global provider of payments, assisted and self-service solutions, with over 125 years of experience and knowledge.

How has the growth in consumer orientated technology increased a bank’s opportunity to better service their customers? Bob Tramontano. Internet-enabled devices have created increased customer service expectations in two key areas and banks that recognize these trends can signifi cantly increase their level of service and improve loyalty. The fi rst area is convenience. Internet-enabled devices are portable and they are always turned on – which means that a customer can shop, schedule appointments and transact with their bank from just about anywhere. These devices enable consumers to re-defi ne convenient service as instantaneous, in real-time, at any time, and from anywhere. The second expectation is around personalization. Internet-enabled devices are personal communication portals that create a huge opportunity for banks to interact with their customers on a more customized and individual basis. Mobile banking applications, text messaging, alerts, and email are now enabled in a single consumer device, so it becomes critical for banks to understand how to effectively use these diff erent mediums for interacting with their customers according to their presence (where they are) and preference (what they want). What is NCR doing to help banks differentiate themselves in this new multi-channel environment? BT. NCR serves consumers when they shop, travel, visit the doctor, entertain themselves and bank. We help these industries deliver multi-channel solutions that reinvent the consumer experience. Th is multi-industry perspective helps us break down the delivery channel silos to provide consumers with a more seamless multi-channel experience. Let me give you a few examples. The hottest thing in deposits is remote deposit capture, which lets a customer make a deposit using their home scanner or mobile phone. Nearly all the products on the market are standalone services – they don’t work in conjunction with the other channels or services that the customer is using. For the customer, this means they have to have to use a separate application or go to a different web page, have a separate logon ID, and keep track of a diff erent password. NCR is integrating our mobile deposit capture capability, called APTRATM Passport, into our online and mobile banking applications. So the customer can access the service using whichever channel they prefer.

NCR.indd 80

Another way NCR can help banks is with customer communications. It’s increasingly harder for a bank to reach today’s time starved mobile consumer with service and marketing messages. NCR has a solution called APTRA eMarketing that helps banks develop targeted personalized one to one marketing campaigns, and deliver messages wherever the customer might be, either at the ATM, via a text message, or by email. But again, the key difference is that it’s all integrated together to give the customer the confidence that their bank knows who they are, and how they want to be communicated to.

“I believe that success will be defined by a bank’s ability to truly understand and deliver the expected consumer experience. We know the consumer wants a seamless experience across all channels with control over their channels and preferences” What are the key drivers to long term success for banks in the multi-channel marketplace? BT. There are many keys to success, but I’ll focus on two. First, I believe that success will be defi ned by a bank’s ability to truly understand and deliver the expected consumer experience. We know the consumer wants a seamless experience across all channels with control over their channels and preferences. They expect messaging that provides evidence that the banks is listening, regardless of channel and responding in ways that are relevant to them personally. Th is creates an opportunity for banks that deliver a seamless experience across all its channels. And second, banks need to give real consideration to the track record, stability, and long term vision of their technology providers. There’s a lot of buzz in some areas, but it’s mostly coming from start-up companies that can only deliver one piece of the multi-channel puzzle. But multi-channel is much more than throwing a mobile banking app on to iTunes or spamming customers with email marketing. Multi-channel is about creating a holistic experience that will build loyalty in your customer base. Success for banks will ultimately come down to choosing a partner that can help them deliver the experience that consumers expect.

25/02/2011 13:42

NCR PASSPORT AD.indd 1

15/02/2011 15:09

INSURANCE FOCUS

Agility: the insurers’ insurance policy According to the ﬁndings of a new report, reducing operational expenses while enhancing business agility will be key to driving growth for insurers in 2011.

aving lost investment income during the fi nancial crisis and faced with changing customer preferences and regulatory environments, insurance companies around the world are refocusing on operational efficiencies and business agility, according to the 2011 World Insurance Report, produced by Capgemini and the European Financial Marketing Association. The study explores ways insurers can dissect their business to identify opportunities that will make fundamental and lasting improvements to their core operations, with a focus on enhancements to claims transformation. The report draws on research insights from 14 countries – including Belgium, Canada, Denmark, France, Germany, India, Italy, the Netherlands, Norway, Sweden, Spain, Switzerland, the UK and the US – and covers both non-life (including health) and life insurance segments. Based on a comprehensive body of research, it includes in-depth focus interviews and extensive surveys with 58 insurance executives.

to achieve sustained growth, they must also refocus on core drivers of operational excellence.” The research makes clear five key conclusions regarding the need for insurers to transform claims to meet customer needs while driving results; stabilize reliable claims processing platforms; manage indemnity expenses more effectively; leverage claims data for enterprise-level decision-making; and ensure critical business agility, especially if seeking to thrive over the long-term.

Meet ‘brand promise’ while driving results With a less-than-satisfactory claims experience prompting one-in-five customers to switch insurance providers, claims transformation is where many insurers, especially non-life insurers, are fi nding both opportunities for operational efficiency improvements and the tangible substantiation of their brand platform necessary to deliver on customer commitments. According to the 2011 World Insurance Report, opportunities exist for nonlife insurers to capture operational efficiencies in claims, where costs are rising fast. In fact, from 2006-2009, the claims ratio rose in nearly every country (except the Netherlands) and outpaced the expense ratio at a greater rate of 4.6 percent to 0.3 percent (acquisition plus operational). Inefficiencies – stemming from environmental, technical and organizational factors – are all driving the imperative to transform claims processing. While the potential for driving efficiency varies by firm, strategy, country and service segment, within claims, three areas can have immediate impact on achieving efficiency. They include creating a reliable, predictable claims processing platform, managing indemnity expenses to the right levels and leveraging claims data for enterprise decision-making. First of all, suggests the report, insurers should implement and stabilize a reliable claims

“Insurers need to leverage the full value of claims data by making sure the right data is captured and used to support business decisions” “By the second half of 2009, the economy had started to improve but many insurers were still faced with the challenge of meeting their financial obligations despite losses in investment income, increases in premiums and other less than ideal operating conditions,” explains Jean Lassignardie, Vice President of Sales and Marketing for Capgemini’s Financial Services Global Business Unit. “The financial crisis is a stark reminder for insurers that they cannot rely on investment income alone to deliver results. Instead,

CRM.indd 82

platform that leverages technology to enable integrated claims processing, enhance process efficiency and cost effectiveness, reduce cycle times, and allow performance measurement. By closing process gaps, insurers should be able to reduce existing loss-adjustment expenses and drive continued improvements. Managing indemnity expenses will also be key. While much attention is paid to the cost of paying and administering claims, there is also a significant need for insurers to tackle contingent liabilities (for example, overpayments in vendor transactions or suboptimal recovery practices). Insurers should optimize fraud management to reduce costs (and ultimately improve combined ratios) by making sure fraud is detected quickly and effectively, without undermining customer satisfaction or unduly raising litigation costs or creating net new costs. Finally, fi rms should leverage claims data for enterprise-level decision-making. For an insurer, the ideal business information system makes efficient use of enterprise-wide data to support business decisions. Insurers need to leverage the full value of claims data by making sure the right data is captured and used to support business decisions – delivering benefits in terms of profitability, efficiency, strategic planning and regulatory compliance. Ultimately, in an intensely competitive insurance market, differentiation through innovative claims management practices is going to be the most important and effective way to maintain market share and profitability. Claims transformation not only improves everyday efficiency and effectiveness, it also enables insurers to deliver on their brand promise and enhance brand value for the long-term. It can help drive top-line and bottom-line growth by improving client acquisition, client retention, procedural efficiency and effectiveness, as well as risk management. Without it, insurers will be challenged to differentiate themselves and maintain and evolve their market position.

25/02/2011 13:44

STISYSTEM AD.indd 1

15/02/2011 15:10

ASK THE EXPERT

Core communications Meaningful communications are the lifeline between ﬁnancial ﬁrms and their clients. How do you make this a core capability of your business? Doug Cox, Director of North America Enterprise Business, GMC Software Technology, explains.

ignificant changes in the fi nancial services industry over the past few years are bringing increased regulatory scrutiny, new compliance policies, and heightened public skepticism. For financial services firms, accelerated recovery and success depend upon customer acquisition, satisfaction and loyalty. Consequently, every consumer contact presents an opportunity to regain customer trust, reach new markets and differentiate the firm from its competition. The ability to successfully implement a comprehensive communication strategy will most likely be the single biggest challenge — and opportunity — for every financial institution over the next few years. Positioning for success in this new market environment is dependent upon having access to the information clients want — and being able to deliver via the channel they prefer — morning, noon, or night via print, electronic, the web, and mobile devices. Leveraging the power of multichannel campaigns requires having the ability to determine the communication preferences of each client and the solutions in place to deliver compelling content through that channel. However, just as important as communicating through multiple channels is ensuring the delivery of easy-to-understand statements and other communications when doing so. For example, if an individual has a profi le that suggests they may be interested in converting to a new retirement plan, the communication solution should have the ability to personalize their next statement with information highlighting the retirement options available and of interest to them. Having the technology in place to access the data an organization already has on its

GMC.indd 84

members can ensure the ability to put their needs front and center with every communication sent to them. There are several common hurdles that all fi rms face when integrating multichannel communication options with current architecture. The first involves the ability to obtain quality data. Data is often stored in disjointed silos across the enterprise and it can be a challenge to obtain and consolidate useful data about each client. Be sure the communication solution you choose can tap into the broad range of data sources that drive your business, and that the solution makes it easy to merge and consolidate this data. The next is being able to coordinate and integrate communications across all channels. For instance, the ability for the next statement run to take advantage of feedback obtained through an e-channel (like email) is a critical aspect of a successful multichannel framework. The content delivered to a client on their printed statement may be in a completely different format and layout than the content delivered to that same member via a different channel. Because of this, another critical success factor for a multichannel communication solution is creating flexible content that automatically changes to match the delivery channel. Without this kind of flexibility, designing for multiple channels can become a painful and complex process. Managing content, logic, users and roles, interfaces, and change control practices for a multichannel solution can seem like a daunting task. It involves providing an integrated framework that can leverage critical data across the entire solution. For instance, user roles and permissions should be honored anywhere in the framework. Additionally, the ability to manage content — independent of the documents and channels that receive them — is crucial. Be sure the solution used has these management capabilities, or your organization may be overwhelmed with process and content complexities. Organizational commitment, accountability and having the right technology in place for managing the client base across all media channels are the key ingredients to overcoming the challenges and ultimately succeeding when it comes to customer communication management. Multichannel communications are not the wave of the future for financial firms. Your clients are already in control today and their expectations as to how you communicate with them are on the rise. Implementing a well-thought-out customer communication strategy can help ensure retention by getting important information to clients more quickly — and with a personal touch via the channel they prefer.

Doug Cox is the Director of North America Enterprise Business for GMC Software Technology, a provider of document output for customer communication management. GMC Software Technology offers a seamless, easy-to-use, and powerful solution that enables business users to reduce the complexity and costs of customer communication management across business silos. The company’s secure, scalable, and reliable solution produces personalized and regulatory compliant communications that can be delivered to members via the channel or choice. He can be reached at d.cox@gmc.net.

25/02/2011 13:40

GMC SOFT AD.indd 1

25/02/2011 08:48

PERFORMANCE MANAGEMENT

BUSINESS AS USUAL Managing the performance of a ﬁnancial IT department can be a thankless task, especially in the current climate of rules and regulation. However, as Vinod Kachroo of MetLife tells FST, ‘business as usual’ can be achieved by leveraging some of the newer technologies to assist your organization’s needs.

s the Vice President of Technology Services at insurance giant MetLife, Vinod Kachroo is happiest when everything is business as usual. Responsible for multiple technology service and engineering teams across many different areas of the company, Kachroo’s main priority is to support MetLife’s business strategies and goals through the integration and implementation of future and current technologies. As performance management activities go, Kachroo’s role is all encompassing, and a constant opportunity for development and advancement. “My responsibility is to run all of the technologies related to the mainframe, such as server technologies, storage technologies, and any kind of application infrastructuretype technologies,” says Kachroo. “So whether it’s .NET, web sphere, portal, document management, image and workflow, content management or any kind of package application support – you name it, my team is responsible for it.” In ensuring that MetLife’s technology services are best supporting the business, Kachroo’s ‘business as usual’ approach requires constant attention. The company’s technology infrastructure has a pretty mature shelf life, having evolved through a lengthy and intense period of optimization to reach a stage where Kachroo is now able to highlight a few key tenets where he and his team are looking to invest. Such investment and attention in certain areas is designed to enable MetLife’s technology services to continue to provide ‘business as usual’ capability for the immediate and foreseeable future.

VinodKachroo.indd 86

25/02/2011 13:45

PERFORMANCE MANAGEMENT 87

“We have been on this journey where we have been optimizing our infrastructure over a long period, for the last three to four years,” explains Kachroo. “We have gotten a lot out of programs like virtualization, and are now completely virtualized when it comes to the mainframe. We are also completely virtualized when it comes to our UNIX AIX environment, and we are currently on a journey to consolidate our Wintel environment on a blade server technology with virtualization. Our storage is completely external and consolidated. All of the storage is NAS, and all storage is consolidated into SAN.”

striving for maturation is mobile technology. Th is space is equally volatile, subjected to hyperbole and scrutiny in equal measure, and an immensely interesting topic of discussion for technology executives throughout the fi nance industry. Kachroo identifies with the potential of mobile technology, and has earmarked a number of challenges and opportunities to leverage the technology to assist with his performance management duties for MetLife. “We have some push around the mobile technologies and have been leveraging them for our auto and home business,” he says. “We have agents out there with corpo-

Producing performance

“Our planned capacity on demand is also on track. We have reduced some cycle times on acquiring and deploying computer capacity and storage capacity to our customers. So we are well positioned to leverage some of the new advancements in this space, such as cloud technology”

During the past six years, Kachroo has focused on the application development side of the MetLife business, supporting its retail arm in providing new business systems for underwriting, image and workflow. He has also been involved in the infrastructure of the business and so has seen, from all angles, how to better assist and support the company to reach its corporate objectives. As a result, Kachroo is able to identify where MetLife can improve, do better, become more efficient and generally mature, highlighting issues such as capacity on demand, cloud computing and the adoption of mobile devices as potential areas for greater leverage. “We are already very mature in terms of capacity management and capacity planning processes,” says Kachroo. “These strategies lead into our project portfolio management and portfolio governance processes, where we are also pretty mature. Our planned capacity on demand is also on track. We have reduced some cycle times on acquiring and deploying computer capacity and storage capacity to our customers. So we are well positioned to leverage some of the new advancements in this space, such as cloud technology.” Although cloud computing’s status as an industry hot topic remains unchallenged, the actual technology – and the concerns surrounding it – are still cause for careful consideration for many companies; MetLife included. “I have some questions around the viability of cloud technology and the mapping of that technology to corporations like ours,” admits Kachroo. “Security is a big concern too, but I think a lot of people are working on it and it should be something that is solved pretty soon.” Despite the industry-wide buzz, Kachroo believes enterprises that yearn for a cloud-computing model to enable them to deliver better performance need to position themselves in a way that will best leverage this technology for their business needs. “Cloud computing itself is not a new paradigm, but it does create a new paradigm; these are opportune times if we can reach a realization of how to truly benefit from the cloud. And I think the true realization of the cloud comes from soft ware as a service, where you get the standards on how you interface, standards on how services are constructed and how they are deployed.” The potential of cloud computing lags some way behind the hype. If security concerns can be solved, and every company can truly leverage the technology in a way that best suits their business, then the cloud landscape will continue to mature. Another technology that is still

VinodKachroo.indd 87

rate-provided mobile devices that have their applications enabled and capable. So we do see this becoming a more open space and are devising a strategy for ourselves on overall end-user computing and unified communication and collaboration, with the device being just one aspect of it.” Kachroo argues that the mobile device is only a single part of how to deliver a solution, with his team working towards the capability of the mobile space as a wider method of delivering business as usual outcomes for MetLife. The fi nancial industry has stumbled through some tumultuous times in the past couple of years, creating a landscape that has made it increasingly difficult for Kachroo and his team to provide business as usual solutions to the company. Trust between client and organization has been eroded and exacerbated by the current economic gloom. Frayed customer interaction is an issue that requires urgent attention. Cost-cutting practices have become commonplace throughout the industry and the challenge to do more with less is increasingly being pressed into the palms of CIOs and technology executives throughout the land. So how, in this current climate, can business ever be ‘usual’? “In our industry there is a lot of pressure coming from a regulation perspective and a risk management perspective,” says Kachroo. “We have a lot of catch-up to do; our industry is lagging in issues such as risk management, a proper understanding of the new regulations that are coming and how to adhere to these regulations. For a company like MetLife, which is becoming more global in nature, these regulations are complex year round, and that complexity is only going to get higher and higher. Different regulations and data privacy needs differ from region to region, so as we grow these regulations add an extra layer of complexity for us, and this is going to be an extremely difficult challenge if we wish to continue to maintain business as usual moving forward.”

25/02/2011 13:45

CISCO AD.indd 2

12/3/10 14:29:55

CISCO AD.indd 3

12/3/10 14:29:57

INDUSTRY INSIGHT

GMAC leverages Kofax capture to automate processing of commercial loan documents Anthony Macciola explains how General Motors has utilized Kofax’s capture solution to aid difﬁculties in document search and retrieval

eneral Motors, known for its trucks and cars, also operates one of the largest commercial fi nance businesses in the industry. The company’s fi nancial group, GMAC Commercial Mortgage Corp., is one of the leading global providers of fi nancing programs for commercial property real estate. The Horsham, Pennsylvania-based company provides loans ranging from property acquisition and construction to refi nancing and renovation for properties such as general office, industrial, retail, apartments and healthcare. The worldwide operation processes hundreds of thousands of documents at its 60 regional locations throughout the U.S. and at office sites in Europe. To streamline the processing of loan documents and to provide access to these documents to employees in an anytime/ anywhere operating scenario, the commercial mortgage group instituted a distributed document capture system with the goal of shift ing to an electronic document processing operation. Kofax Capture is a key component of the company’s paperless objective, performing critical document and data capture tasks and, as a result, significantly enhancing the company’s commercial loan process.

The challenge Each day GMAC Commercial Mortgage processes more than 100,000 loan documents related to a wide assortment of income-producing properties. As the largest commercial mortgage underwriter in the U.S., the company elected to improve overall operating efficiency by consolidating its documentation processing at a single location. The company handles a variety of document types, including Excel spreadsheets, email text, Acrobat PDFs and AS/400-generated reports. “We have 60 origination offices servicing 47,000 loans and are the largest providers of Fanny Mae, Freddy Mac and FHA loans,” said Larry Hoffman, GMAC Commercial Mortgage director of imaging and workflow. “We also provide escrow administration, client relations, asset administration and service monitoring, payment processing, risk management and investor and IRS reporting.” Prior to implementing a document capture solution with Kofax Capture, the company stored information in both electronic and paper formats which exacerbated the difficulties with document search and retrieval. “GMAC Commercial Mortgage processes 3,591 document types and 30 different index fields, making it a very complicated document management environment,” Hoff man said. “Today, 90 percent of all documents received are scanned the same day with less than 24-hour turnaround.”

worldwide. Kofax Capture is the foundation for Kofax’s strategy to help organizations streamline business processes. The solution included: Kofax Capture, the world’s leading automated information capture platform and Kofax Transformation Modules (KTM), which streamline the transformation of business documents into structured electronic information by automating the processes of document classification and data extraction. The Kofax solution automatically identifies forms and performs highly accurate recognition of handwriting (ICR), machine print (OCR), check marks (OMR) and barcodes to extract even the toughest data from scanned images. Kofax Capture manages the process, indexes and validates the captured content, and then releases it seamlessly through a library of custom integration modules developed for all major document and content management systems. Kofax Capture enables GMAC Commercial Mortgage to move paper documents from its remote offices directly to the company’s central workflow system without incurring the time and cost of shipping hard-copy documents. The company centrally administers remote scan locations and schedules data transfer in off-peak hours to better leverage available network bandwidth. With the Kofax solution, GMAC Commercial Mortgage can capture and index content from the company’s imaging centers in Horsham; San Francisco; Pasadena, California; Chicago; New York; Vienna, Virginia; Richmond, Virginia; Birmingham, Alabama; Mullingar, Ireland and Paris, France. GMAC Commercial Mortgage paired Kofax Capture with Hyland Soft ware’s OnBase, which serves as the enterprise soft ware framework that combines document imaging, COLD/ERM, document management, and workflow into a single Web-enabled application. GMAC Commercial Mortgage also found Kofax Capture’s easy-to-use customization features highly beneficial in creating an integrated document and data management solution to meet their enterprise requirements. The customization features make it easy for GMAC Commercial Mortgage to react to changes in the document management environment.

The results With the implementation of Kofax Capture, GMAC Commercial Mortgage is now processing more than 16 million pages electronically per year. Document imaging technology enables the company to process loan documents more quickly, usually within 24 hours. Thanks to document imaging technology, GMAC Commercial Mortgage has achieved tremendous payoffs in loan processing speed and operational efficiency, Hoff man said.

The solution GMAC Commercial Mortgage deployed Kofax Capture, a flexible scanning and automated indexing solution for documents, at locations

KOFAX.indd 90

Anthony Macciola is Chief Technology Ofﬁcer. He originally worked for Kofax from 1990 to May 2000, when he left to become the Vice President of Worldwide Marketing for Lantronix, Inc. In 2002, Anthony returned to Kofax.

25/02/2011 13:36

KOFAX AD.indd 1

22/02/2011 09:13

iStrategy AD_B2B.indd 1

22/02/2011 11:02

Leadership

Travel

Books

Gadgets

Agenda

Skills to lead

36 hours in Salvador