KuppingerCole Blog

Blockchains go mainstream – IBM and Crédit Mutuel Arkéa blockchain implementation for KYC

IBM and the French Crédit Mutuel Arkéa recently announced the completion of a blockchain project that helps the bank verify customer identities and remain compliant with KYC (Know Your Customer) requirements.

In contrast to the common, transaction-focused use cases for blockchain implementations, the focus in this case is on a tamper-resistant, time-stamped ledger that supports the bank in identifying its 3.6 million customers. Banks, particularly those with many branch offices, typically run a variety of systems for managing customer identities.

With the blockchain implementation based on IBM technology and the open-source Hyperledger project, the bank has realized a solution that federates information from various existing banking systems and delivers a (logically) centralized ledger that supports the consistency, traceability, and privacy requirements.

Blockchains are by nature well suited to such use cases, given that they create a tamper-resistant, time-stamped, and distributed ledger. In this implementation a permissioned ledger is used, given that it is a bank-internal project that does not have to deal with the specific requirements of anonymous users and public use cases such as the Bitcoin blockchain.

The ledger provides all information about, for example, the relevant identifying documents customers have signed with the bank. Thus customers don't need to re-sign when using other services or visiting different branch offices, and the bank gains a single view of the customer, which is relevant from both a compliance and a customer service perspective.

The project has been implemented in a rather short time. From my perspective, it is a great example of the breadth of use cases blockchains can serve. Blockchain will increasingly become a standard infrastructure element, as relational databases are today. This particular project demonstrates that well. Crédit Mutuel Arkéa has further plans for expanding the capabilities, e.g. by providing verification services to third parties.

I strongly recommend analyzing the potential of blockchains for your business. There are many interesting use cases in virtually every industry. Blockchains will not solve everything, and a thorough understanding of blockchain technology is needed to identify the right blockchain type with the appropriate consensus model, depending on the use cases and specific requirements. But clearly, there are far more use cases for blockchains than just cryptocurrency and smart contracts. Start analyzing the business potential of blockchains now. There is plenty of KuppingerCole research available, with a number of new reports to be published within the next few days, and you can also rely on KuppingerCole advisory services when starting to look at blockchains.

GDPR and the post-Brexit UK

The Brexit leave vote will have a substantial influence on the economy inside and outside of the UK. But the impact will be even greater on UK-based, EU-based and even non-EU-based organisations, potentially posing a major threat to various aspects of their business. Seen from the aspects of data protection, security and privacy in particular, the future of data protection legislation within the UK will be of great interest.

When asked for his professional view as a lawyer, our fellow analyst Dr. Karsten Kinast replied with the following statement:

"On the 23rd June, the UK carried out a referendum to vote on the UK's EU membership. About 52% of the participants voted for leaving the EU. The process of withdrawal from the EU will have to be done according to Art. 50 of the Treaty on the European Union and will take about two years until the process is completed.

The withdrawal of the UK's membership will also have an impact on data protection rules. First of all, the GDPR will enter into force on the 25th May 2018, so that by this time the UK will still be in the process of leaving the EU. This means that UK businesses will have to prepare and be compliant with the GDPR.

Additionally, if UK businesses trade in the EU, a similar framework to that of the GDPR will be required in order to carry out data transfers within the EU member states. The British DPA, the ICO, published a statement regarding the existing data protection framework in the UK. According to the ICO, 'if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018'.

Currently, the GDPR is the reference in terms of data protection and organizations will have to prepare to be compliant and, even if the GDPR is not applicable to the UK, a similar framework should be in place by the time the GDPR enters into force."

So it is appropriate to distinguish between the phase before the UK actually leaves the EU and the time afterwards. In the former phase, which starts right now, EU legislation will still apply, so in the short term organisations are probably well advised to follow all steps required to be compliant with the GDPR as planned anyway. With the currently surfacing reluctance of the British government to actually initiate the Art. 50 process according to the Lisbon treaty, delaying the leave notification until October, this first phase might even take longer than initially expected. We will most likely see the UK still being subject to the GDPR as it comes into effect in May 2018, before the actual exit.

For the phase after the actual exit process the situation is still unclear. What does that mean for organisations doing business in and with the UK as soon as the GDPR is in full effect?

  • If they are UK-based and only act locally, we expect them to be subject to just the data protection regulations as defined in Britain after the exit process. But any business with the EU will make them subject to the GDPR.
  • If they are based in the EU, they are subject to the GDPR anyway. In that case they have to be compliant with the rigid regulations as laid out in the EU data protection regulation.
  • If they are based outside of the EU but are doing business with the EU as well, they are again subject to the GDPR.
  • We expect the number of companies outside the EU doing business only with a post-Brexit UK (i.e. not with the EU at all) to be limited or minimal. Those would have to comply with the data protection regulations as defined in Britain after the exit process.

Reliable facts for the post-Brexit era are not yet available. Nevertheless, CEOs and CIOs of commercial organisations have to make well-informed decisions and need to be fully prepared for the results of those decisions. In our opinion the only adequate approach is a risk-based one: organisations have to assess the risks they face in case of not being compliant with the GDPR within their individual markets, and they have to identify which mitigating measures are required to reduce or eliminate that risk. If any advice is possible at this early stage, it remains the same as given in my previous blog post: organisations have to understand the GDPR as the common denominator for data protection, security and privacy within and outside the EU for the future, starting right now and effective by May 2018 at the latest. Just as Karsten concluded in the quote cited above: to facilitate trading in the common market the UK will have to provide a framework similar to the GDPR and acceptable to the EU.

So any organisation that has already embarked on the journey of implementing processes and technologies to maintain compliance with all requirements as defined by the GDPR should strategically continue doing so, to maintain an appropriate level of compliance by May 2018 no matter whether inside or outside the UK. Organisations that have not yet started preparing for an improved level of security, data protection and privacy (and there are still quite a lot in the UK as well, as recent surveys have concluded) should consider starting to do so today, with the fulfilment of the requirements of the GDPR, adapted to the individual business model, as their main goal.

We expect stable compliance with the regulations as set forth in the GDPR to be a key challenge and an essential requirement for any organisation in the future, no matter whether in the EU, in the UK or outside of Europe. Being a player in a global economy, and even more so in the EU single market, mandates compliance with the GDPR.

Managing the customer journey

Every one of us, whether a security professional or not, is also a part-time online customer or a subscriber of digital services. Providing personal information to a service organisation, a social media platform or a retailer is a deliberate act. This will be even more the case once the upcoming GDPR is in full effect. Ideally the disclosure of potentially sensitive information should always lead to a win-win situation, with both directly involved parties, the customer and the provider of services, benefiting from the information provided by the end user.

So organisations need to make sure that customer information is managed with the utmost diligence, to the benefit of both the customer and the organisation. That means that the customer identity has to be put at the centre of all processes. And organisations need to understand that there are many sources within (and outside of) the organisation where information about a single customer is available, providing social, behavioural, interest, transactional and much more data, including historical data. Combining and consolidating this data into a single unified customer profile while maintaining scalability, security and compliance is most probably one of the essential challenges organisations will have to solve in the future.

Customers interacting with a service provider or any other internet-facing organisation typically start with a registration process, either from scratch by creating a new account or by reusing and complementing existing third-party account information, e.g. from social logins. From that moment on they are interacting with the system and thus implicitly provide a constant flow of information through their behaviour. But Customer Identity and Access Management strategically goes far beyond that. Information about a single specific customer might already be available in the enterprise CRM system, providing in-depth insight into former interactions, e.g. with the helpdesk. Previous purchases or subscriptions will be documented in their respective systems, and more information might be available in the enterprise IAM system (especially when the organisation needs to understand that a customer is also an employee) or the corporate ERP system.

These types of information are valuable when it comes to understanding the customer identity as a whole. The actual task of retrieving and leveraging this information should not be underestimated: in many organisations these different systems are run by different teams and different parts of the organisation, and this often leads to so-called information silos. Getting to a unified customer profile necessarily requires breaking down the barriers between those organisational and technical silos. Cross-organisational and cross-functional teams are typically required to consolidate the information already available within a single enterprise. Aligning different sources of information, and the different semantics resulting from different business purposes, into a meaningful pool of consumer profiles requires expertise from various teams.

After having done their "homework" (by exploiting their already existing knowledge about each customer identity), many organisations are also looking into integrating information available from third parties, which means data sources outside of the organisation. Potential sources are manifold: they range from social media (Facebook, Twitter, Google+ and many others, including regional and special-interest social media services) and the reuse of profile data (including likes, recommendations, comments) to sources of commercial marketing data, and from existing sources of Open Data to credit rating organisations.

When it comes to comparing effort and benefit, it becomes obvious that greedily collecting every piece of information available cannot be effective. Identifying the right set of information for the right business purpose is one of the major challenges. Having the right information available, for the end user to improve their user experience and for the organisation to support decision-making processes, has to be the key objective. Nevertheless, the definition of an adequate set of "right" information is a moving target that needs to be adjusted during the lifetime of a customer identity and the underlying CIAM system.

However, it must be ensured that the reuse of all the above-mentioned information is only possible when the owner of this data, i.e. the customer, has agreed to the processing of the information for these additional purposes. User consent is key when it comes to recombining and analysing existing information.

Know and Serve Your Customer: Why KYC is not enough

Today's connected businesses need to communicate, collaborate and interact with their customers in a way that is more flexible than ever before. Knowing the customer and, based on that knowledge, optimally serving them is key to success in the digital transformation.

Customer-facing IAM needed

With the accelerating digital transformation, we delve deeper into the subject of customer identity management than ever before. Several external drivers change economic partnerships, such as a different competitive landscape, ever-changing regulation and, at the same time, an increasing number of cyber-attacks. There are also internal drivers such as the need for more agile, innovative and flexible organizations. Both internal and external drivers are encompassed in overarching core topics like smart manufacturing, the Internet of Things (IoT) and Know Your Customer (KYC). To be successful in the digital transformation we need to change how we interact with our customers. For this we need to deploy a series of key enabling technologies, from identity relationship management, security and privacy and big data right up to blockchain and distributed ledgers.

In order to gain a competitive advantage, we also have to improve our customer relationships and the way we handle data. We need to be able to deal with customers and their identities better than ever before. In the age of the cloud, advantages can no longer be achieved simply by better IT and lower costs. The cloud delivers equal services to everyone at an affordable price.

What's needed is a customer-facing IAM (Identity & Access Management). While companies traditionally only looked at employees and some external business partners in their IAM deployments, with a focus on administrative efficiency and compliance, in recent times federation and the management of partners have become more and more important as a B2B element. Now, finally, the customers play a role as well. And they should, obviously, given that the customer is where the money comes from. There are also, e.g., e-commerce processes that have to be supported. In the future, we need to bring all resources into focus. How can we, for instance, serve the customer better and more safely in the cloud? How can we deal with the customer amid ever-changing business partnerships and in new business models?

Besides cloud services and the access to them, we also need to manage mobile devices such as computers, tablets, smartphones and wearables, as well as logins to social networks and, last but definitely not least, IoT and operational technology (OT) in manufacturing environments. We also need ways to protect the ownership of customer data. This requires the further development and perfection of identity relationship management (IRM) as one important element. In a sense this is the advancement of IAM in the digital context. How can I still steer and control access in this much more complex world?

Holistic look at identity

Identity Relationship Management (IRM) means having a single identity model across different identities: employees, customers, partners, but also services, things and devices. It needs to be scalable internet-wide, not only on an enterprise dimension. Most companies have many more customers than employees, and customers often use a number of different devices. This means different orders of magnitude and thus different performance and scalability requirements. The people responsible for CRM (Customer Relationship Management) need to see their system in the context of IAM, since this is the biggest identity store in most companies and provides the whole customer history. This is actually a point I already wrote about ten years ago. Other IAM sources are, for instance, ERP, Finance (credit history) and Governance. We need to add and understand context information, social logins and access paths. What is really happening there? What does the customer look like and how can they get access? Is the customer at the same time an employee of the company? Do any conflicts arise out of this, e.g. when employees manage their own customer data sets?

Instead of information silos, a cross-system approach to IAM is necessary, along with an improved customer experience, faster time to market and context-sensitive, adaptive security measures. If someone wants to get access via a relatively weak social login, a different risk evaluation is needed than if he or she is authenticated via a registered account or an ID card. We need to understand the respective risk and context and adapt our evaluations accordingly. The more information we have, the more precise each risk evaluation will be.

Daily breaches show that passwords are not enough anymore, especially not the same password across various services. However, access has to remain user friendly to be accepted by customers. One useful additional security feature could be, for example, adaptive push authentication and notification. A new KuppingerCole webinar provides more information about this method (in German).

KYC goes beyond CIAM

How can you know and optimally serve your customer during the whole lifecycle? Important elements here are customer self-service and the integration of customer data. KYC (Know Your Customer) goes even further than CIAM (Customer Identity & Access Management). It encompasses Customer Tracking & Marketing Automation as well as Analytics (Big Data) and Privacy & Information Protection. The customer needs to give consent to what is being done with his or her data and for which purpose it might be used, and must be able to withdraw this consent at any time. This brings the concept of Life Management Platforms closer to reality than ever before.

KYC can best be seen as the intersection of CRM (and marketing automation), IAM and Privacy, i.e. the marketing view of the customer, the technical or identity view of the customer and the (not only) legal perspective. Active interaction plays an important role here, as does governance. The question is: who in the company may do what, in which form, with the customer? Drivers of this development are compliance topics such as anti-money laundering (AML). Technologies such as IRM are really helpful in this context for understanding how different identities are connected to each other.

The term KYC is also not really accurate, since it is not only about knowing the customer, but also about optimally serving them. Thus I'd prefer the term KSYC, Know & Serve Your Customer, an appropriate evolutionary step in doing CRM. If enterprises in addition finally start looking at their employees as a special kind of customer, who are granted access to more applications than others, it will improve enterprise IAM as well, bring different business divisions smoothly under one roof and help get rid of unnecessary discussions about special applications for the management of consumer identities.

CIAM - Customer IAM explained

Martin Kuppinger talks about CIAM and explains what Customer IAM means.

GDPR now!

The news is already getting quieter around the GDPR, the General Data Protection Regulation issued by the European Union. Several weeks ago it was discussed in detail in many articles, and background information was provided by many sources, including lawyers and security experts, but in the meantime other topics have taken its place in the news.

But unlike some other topics, the GDPR won't go away if it is simply ignored. It is less than two years from now that it will become legally binding as formal law, for example in Germany. Probably one of the most striking characteristics of the new regulation, and one that is constantly underestimated, is the scope of its applicability: it applies in all cases where the data controller, the data processor or the data subject is based in the EU. This includes all data processors (e.g. cloud service providers) or data controllers (e.g. retailers, social media, practically any organisation dealing with personally identifiable information) that are outside the EU, especially, for example, those in the US. These, however, already seem to be taking the lead over European organisations in making the right first steps.

So the GDPR will be a major game changer for a lot of customer-facing services. For many organisations, changing the processes, the applications and the infrastructure landscape to comply with the new requirements as laid out in the GDPR will be a massive challenge.

The following image focuses on just some of the "highlights" of the European General Data Protection Regulation. Apart from this, each and every organisation should review the current version of the text, which goes far beyond that. It is available on the Internet, e.g. here, and detailed and profound commentary is available e.g. here. My fellow analyst Dr. Karsten Kinast provided a great short wrap-up during his keynote at EIC 2016 in Munich earlier this year.


While two years sounds like a long period of time, the opposite is actually true. The requirements imposed by the GDPR are at least partially, and substantially, different from existing national data protection regulations. Every organisation has to identify which steps are required to implement proper measures to comply with these regulations for its own processes and business models. When looking at the amount of time required to implement all the changes identified, somewhat less than two years no longer appears to be plenty of time.

Unfortunately, industry associations in particular appear unwilling to supply adequate support or advice and often enough end up with commonplace remarks. Instead of providing appropriate guidance, often the opposite is done by repeatedly praising Big Data as the basis for next-generation business models. While this might nevertheless be true for some organizations, it can only be true when they are compliant with the upcoming GDPR in every relevant respect.

Many important decisions will in the end have to be left to the courts. This might turn out to be a difficult challenge, with only little practical advice available as of now. But doing nothing is not an option at all.

Compliance with legal or regulatory requirements is rarely considered a value in itself, but it is, and will be even more so, a sine qua non when it comes to data protection, customer consent and privacy very soon. On the other hand, assuring a high level of security and consumer privacy ahead of the legal requirements can be a competitive advantage. So if you have not yet started making your organisation and your business ready for the GDPR and its upcoming regulations, today might be a good day to take the first steps.

Microsoft announces Project Bletchley on Azure Blockchain as a Service (BaaS)

KuppingerCole has long noted the importance of blockchain technologies, whilst also noting that the key challenges to their adoption remain standardisation, privacy & security, and the dilemma of which type of blockchain technology to adopt. With regard to the latter two points, the main arguments have centred around the use of permissioned vs. unpermissioned blockchains, as well as anonymous, pseudonymous or identified blockchains.

Microsoft made some wise decisions in response to these challenges. Initially, by announcing Blockchain as a Service (BaaS) offerings on Azure last November, and subsequently by announcing many new partnerships with various blockchain technology start-ups and consortiums, it gave organisations the opportunity to quickly and easily begin experimenting with various blockchain tools, without the need to decide which specific technology to use at this early stage of maturity of blockchain technologies.

Microsoft has now further progressed its BaaS offering with Project Bletchley. Finally, organisations can begin to make use of the concrete benefits of blockchains whilst still remaining agnostic as to which specific blockchain is used to deliver these benefits.

In short, Project Bletchley enables the use of blockchain-powered middleware solutions. The first of the two major tools offered by this latest announcement is called "Cryptlets". This blockchain- and development-language-agnostic tool allows an organisation to leverage the power of time-stamped decentralised ledgers (blockchains) to secure organisational data without compromising the confidentiality of this data. For example, non-repudiation of a transaction between systems that process confidential data can be ensured by referencing some encrypted, time-stamped information stored on an external blockchain, while ensuring that this information remains completely useless to any third party not engaged in the original transaction.

Cryptlets thus enable a whole new category of Project Bletchley middleware tools that can provide additional security, scalability and performance to typical middleware use cases, even if the blockchains used to provide these features do not natively support them. Key examples of this toolset include identity, encryption and key management features. This new blockchain-powered middleware stack will work with existing Azure services such as Key Vault and Active Directory.

By combining centralised, authoritative systems such as middleware, public key infrastructure and authentication stores with the features of decentralised, algorithmic consensus-based technologies such as blockchains, it becomes possible to overcome the limitations of both types of technology, whilst also providing new hybrid technologies with better security and performance characteristics.

Centralised systems are necessary to most organisations, yet the authoritative management nodes of these systems often become the targets of malicious actors. Once these key root nodes are compromised, it is often very difficult to recover from a successful attack, as it is very difficult to establish the "last known good state" of the sensitive data. By decentralising this information on time-stamped blockchains, it becomes much harder for an attacker to manipulate the information on a compromised authoritative node without detection.

Project Bletchley finally provides some concrete tools for enabling these hybrid centralised/decentralised secure systems, which up until now have mostly only been discussed in theory. What is important again here is that this project is blockchain-technology agnostic. Just as with TCP/IP, the value of blockchains (or of networking, for that matter) does not come from the use of a specific implementation, but from how it can support a given use case.

Blockchain is more than Bitcoin

Martin Kuppinger about Blockchain and that it is more than just a part of the Bitcoin cryptocurrency.

Blockchains and Their Impact on the Finance Industry

There is a lot of talk about the impact blockchains will have on the finance industry. The same holds true for FinTechs. However, what will be the real impact? Will we still have the same banking system in five or ten years from now? Or will some groups of banks (the small community banks such as the Volksbanken, the large banks such as Deutsche Bank) disappear and be replaced by new players? Or will the banks absorb the FinTechs?

Before approaching this question, a brief overview of the fundamental characteristics of blockchains and their key concepts is useful. A blockchain is a distributed data structure, brought to worldwide attention by the bitcoin cryptocurrency, that maintains a growing list of transaction records in a way that is extremely resistant to tampering. Algorithmic consensus is the key defining feature of a blockchain. While a public blockchain such as bitcoin's is completely decentralised as well as distributed, the bitcoin blockchain is better defined as a specific type of blockchain: a distributed ledger. Consensus is key, as blockchains replace implicit trust with a consensus algorithm shared by all participating nodes, be they public or "permissioned". A permissioned blockchain is a restricted-access blockchain where, unlike bitcoin, only authorised nodes may perform or validate transactions on the blockchain.

Consensus is the mechanism by which all the participating nodes reach agreement about the integrity of the existing distributed transaction log and allow new entries to be written to this append-only, linear data structure. The only way that nodes participating in a blockchain can attain consensus is by the use of a published mathematical algorithm. The consensus mechanism is sometimes termed "trustless" (though not all blockchains operate only with completely anonymous or pseudonymous nodes), as the nodes do not need to trust whatever the other nodes state as truth. They only need to share the same consensus algorithm, which is used to verify blockchain integrity and to admit new transactions onto the distributed log once a majority of nodes have performed the same algorithmic checks.

Another key feature is independently verifiable tamper-evidence. It is the consensus mechanism that enables this other key feature: independently verifiable integrity of the distributed log. Just as the nodes use the algorithm to achieve consensus, a third party can audit a blockchain and attest to its integrity.
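The hash-chained, time-stamped ledger described above, together with the commitment-style use of an external chain for confidential data from the Project Bletchley post, as an added example that is not code from KuppingerCole, IBM, Microsoft or Hyperledger. Node names, timestamps and the KYC form content are constructed; the permission check, the third-party audit and the "rewrite a block and re-hash it" attacker model are this example's own assumptions, not a description of any real product.

```python
"""Added example (not from the original posts): a minimal hash-chained,
append-only ledger. Every block is time-stamped and linked to its predecessor,
any third party can re-run the integrity check, only authorised nodes may
write, and confidential data appears on the ledger only as a salted hash
commitment that is useless to anyone who does not hold the original."""
import hashlib
import json
import os

GENESIS_PREV = "0" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def block_hash(block: dict) -> str:
    # Hash every field except the hash itself, in canonical JSON, so changing
    # any stored value or the link to the previous block changes the hash.
    body = {k: v for k, v in block.items() if k != "hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


class PermissionedLedger:
    """Only nodes listed in `authorised` may append; anyone may verify."""

    def __init__(self, authorised):
        self.authorised = set(authorised)
        self.chain = []

    def append(self, node_id: str, timestamp: int, record: dict) -> dict:
        if node_id not in self.authorised:
            raise PermissionError(f"node {node_id!r} may not write to the ledger")
        prev = self.chain[-1]["hash"] if self.chain else GENESIS_PREV
        block = {"index": len(self.chain), "timestamp": timestamp,
                 "node": node_id, "prev_hash": prev, "record": record}
        block["hash"] = block_hash(block)
        self.chain.append(block)
        return block


def verify_chain(chain) -> bool:
    """Independent audit: recompute every hash, check every link and the
    time-stamp order. Needs nothing but the chain, so a third party can run it."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev:
            return False
        if block_hash(block) != block["hash"]:
            return False
        if i > 0 and block["timestamp"] < chain[i - 1]["timestamp"]:
            return False
        prev = block["hash"]
    return True


def commit(document: bytes, salt: bytes = None):
    """Salted hash commitment: the ledger stores only the digest. The random
    salt stops anyone confirming a guess at low-entropy, templated content."""
    salt = os.urandom(16) if salt is None else salt
    return sha256_hex(salt + document), salt


def verify_commitment(chain, index: int, document: bytes, salt: bytes) -> bool:
    """Non-repudiation check by a party that holds the original document."""
    expected, _ = commit(document, salt)
    return chain[index]["record"].get("commitment") == expected


def rewrite_block(chain, index: int, new_record: dict):
    """Attacker model: alter one block and recompute its own hash, which is
    cheap for anyone holding a copy. Returns a modified deep copy."""
    copy = json.loads(json.dumps(chain))
    copy[index]["record"] = new_record
    copy[index]["hash"] = block_hash(copy[index])
    return copy


def demo():
    # Constructed sample data, not taken from any real bank or customer.
    ledger = PermissionedLedger(authorised={"branch-a", "branch-b"})
    kyc_form = b"customer=Example Person; id_doc=passport; signed=2016-06-01"
    commitment, salt = commit(kyc_form, salt=b"\x01" * 16)
    ledger.append("branch-a", 1464739200, {"type": "kyc-signed", "commitment": commitment})
    ledger.append("branch-b", 1464825600, {"type": "kyc-state", "state": "verified"})
    try:  # a node outside the permissioned set is refused
        ledger.append("rogue", 1464912000, {"type": "kyc-state", "state": "verified"})
        rejected = False
    except PermissionError:
        rejected = True
    # Rewriting an older block breaks the next block's prev_hash link.
    inner = rewrite_block(ledger.chain, 0, {"type": "kyc-signed", "commitment": "00" * 32})
    # Rewriting the newest block of a single copy is NOT detected, since nothing
    # links to it yet. That is why the chain is replicated across many nodes and
    # why the text argues a majority of nodes would have to be compromised.
    tail = rewrite_block(ledger.chain, 1, {"type": "kyc-state", "state": "rejected"})
    return {
        "audit_ok": verify_chain(ledger.chain),
        "proof_ok": verify_commitment(ledger.chain, 0, kyc_form, salt),
        "wrong_doc": verify_commitment(ledger.chain, 0, kyc_form + b"x", salt),
        "rogue_rejected": rejected,
        "inner_tamper_detected": not verify_chain(inner),
        "tail_tamper_detected": not verify_chain(tail),
    }
```

Running `demo()` returns every check as `True` except `wrong_doc` and `tail_tamper_detected`, which are `False`: the last of these is the honest limitation that a lone copy of the chain cannot protect its own newest entry.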

Figure 1: Example of how a Blockchain works (Source: World Economic Forum)

While blockchains are seen by many as a potential key enabler for a wide range of applications, from the Internet of Things to Life Management Platforms, the focus here is on key use cases in the financial sector. With the above core concepts in mind, it is possible to examine some of them.

Asset Registries

Blockchain-based asset registries could be deployed to manage virtually any asset class (e.g. ships, aircraft, automobiles) and provide a complete, unalterable audit trail of ownership, maintenance and valuation.

Regulatory Reporting

By its nature the blockchain is an unalterable, chronological record of transaction history, delivered in a fully transparent and accessible form.

Many regulatory processes require a document to have passed through certain states before reaching any given state (e.g. AML and KYC processes). Recording these state changes in the blockchain conclusively demonstrates compliance with these processes without the need for an intermediary. This could be extended to include proof of audit or control, whereby each new version of a document can be shown to have changed according to a defined set of rules. Such rules-based processes could potentially reduce the cost of governing regulatory compliance dramatically.

International Funds Transfer

The current process for cross-border payments relies on SWIFT messaging between a chain of intermediaries (correspondent banks) before funds reach the beneficiary's bank. The process is slow, with high customer fees and bank risk due to weaker banking standards in some jurisdictions. Blockchain promises a different approach, with no geographical borders, middlemen or the opacity that has plagued legacy cross-border payments, together with fast processing and no correspondent fees.

Also, as the recent breach of Bangladesh Bank, the country's central bank, demonstrates, centralised systems for the processing of electronic payments are a key target for well-funded attacks by cyber criminals. The SWIFT network is geographically distributed, but it depends on trusted SWIFT access nodes operated by each participating bank. By compromising a single such node and its credentials, the criminals were able to issue fraudulent transfer orders of almost a billion US dollars, of which 81 million were actually paid out before the remaining orders were stopped. A decentralised system with a trustless consensus mechanism such as a blockchain would instead require a majority of the participating nodes (or of the hashing power, in proof-of-work systems) to be compromised before fraudulent entries could be written to its distributed ledger. The caveat is that consensus protects the integrity of the log, not the keys of the participants: a transfer signed with a stolen private key is a valid transaction to every honest node, so key custody and transaction authorisation controls remain as important on a blockchain as in the SWIFT environment.
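To make the majority argument concrete, and to show why stolen signing keys defeat it, here is an added Python simulation; it is not code from the original post, from SWIFT or from any real ledger. It assumes five validating nodes with a simple-majority rule (real systems use proof of work or BFT thresholds), uses an HMAC under a per-account secret as a stand-in for a public-key signature, and the account names, balances and keys are constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    amount: int
    nonce: int          # per-sender counter; stops a valid order being replayed
    signature: str


def sign(key, sender, receiver, amount, nonce):
    # Assumption: HMAC-SHA256 under the account's secret stands in for a
    # public-key signature; a real ledger would verify with the public key.
    msg = json.dumps([sender, receiver, amount, nonce], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_transfer(key, sender, receiver, amount, nonce):
    return Transfer(sender, receiver, amount, nonce, sign(key, sender, receiver, amount, nonce))


class Node:
    """One validator with its own copy of the ledger state.
    Honest nodes apply the published rules; a compromised node approves anything."""

    def __init__(self, balances, keys, compromised=False):
        self.balances = dict(balances)
        self.keys = dict(keys)          # account -> verification key
        self.seen = set()               # (sender, nonce) pairs already applied
        self.compromised = compromised

    def validate(self, tx):
        if self.compromised:
            return True
        key = self.keys.get(tx.sender)
        if key is None:
            return False
        expected = sign(key, tx.sender, tx.receiver, tx.amount, tx.nonce)
        if not hmac.compare_digest(expected, tx.signature):
            return False
        if (tx.sender, tx.nonce) in self.seen:
            return False                # replay of an already-applied order
        return tx.amount > 0 and self.balances.get(tx.sender, 0) >= tx.amount

    def apply(self, tx):
        self.balances[tx.sender] = self.balances.get(tx.sender, 0) - tx.amount
        self.balances[tx.receiver] = self.balances.get(tx.receiver, 0) + tx.amount
        self.seen.add((tx.sender, tx.nonce))


def submit(nodes, tx):
    """Commit tx to every node's ledger only if a strict majority validates it.
    Returns (accepted, number_of_approving_nodes)."""
    votes = sum(1 for n in nodes if n.validate(tx))
    accepted = 2 * votes > len(nodes)
    if accepted:
        for n in nodes:
            n.apply(tx)
    return accepted, votes


# Constructed sample state: one bank account holding 1000 units, an attacker holding 0.
BALANCES = {"CENTRAL_BANK": 1000, "CORRESPONDENT": 0, "ATTACKER": 0}
KEYS = {"CENTRAL_BANK": b"central-bank-signing-key", "CORRESPONDENT": b"correspondent-key"}


def make_nodes(total=5, compromised=0):
    return [Node(BALANCES, KEYS, compromised=i < compromised) for i in range(total)]


def forged_order_scenario(compromised):
    """Attacker controls `compromised` of 5 nodes and injects an unsigned transfer."""
    forged = Transfer("CENTRAL_BANK", "ATTACKER", 81, 1, "00" * 32)
    return submit(make_nodes(5, compromised), forged)


def stolen_key_scenario():
    """Attacker holds the bank's signing key: every honest node accepts the order."""
    order = make_transfer(KEYS["CENTRAL_BANK"], "CENTRAL_BANK", "ATTACKER", 81, 1)
    return submit(make_nodes(5, 0), order)


def replay_scenario():
    """A legitimate order is accepted once; resubmitting the same order is refused."""
    nodes = make_nodes(5, 0)
    order = make_transfer(KEYS["CENTRAL_BANK"], "CENTRAL_BANK", "CORRESPONDENT", 100, 7)
    first, _ = submit(nodes, order)
    second, _ = submit(nodes, order)
    return first, second


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(f"{k} of 5 nodes compromised, forged order:", forged_order_scenario(k))
    print("stolen signing key, honest nodes:", stolen_key_scenario())
    print("replay of a legitimate order:", replay_scenario())
```

With one or two compromised nodes the forged order is outvoted; with three it is committed everywhere, which is the majority attack the paragraph describes. The stolen-key run is the instructive one: all five honest nodes approve, because the order is indistinguishable from a legitimate one. Consensus bought nothing there, and the same would hold for a permissioned bank ledger, which is why the controls around who may sign, from which system, and with which second factor matter regardless of the ledger technology.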

Securities Issuance and Settlement

The US Securities and Exchange Commission has approved the issue of public securities via blockchain-based technology. Settlement, often termed post-trade processing, is the other candidate: complex security agreements between multiple parties can be agreed to and stored in a distributed ledger, reducing administration costs and the risk of a party reneging on a trade.

Insurance Contracts

Blockchain can facilitate the setup and management of insurance contracts, using smart contracts to ensure data accuracy and the correct payment and settlement of premiums, brokerage, commissions and claims. All parties to a contract would have access to identical exposure data, which resolves existing data quality issues and allows better models for measuring aggregate exposures and making capital allocation decisions. Since a smart contract executes exactly as written, its code becomes part of the contract and needs the same scrutiny as the legal wording.

While blockchain technology has the potential to disrupt the finance sector and rattle the up to now comfortable market position of its largest players, such as global banks and insurance companies, some researchers think it is too early to hail the demise of traditional financial services providers. They cite a number of challenges to mainstream blockchain adoption, the greatest of which is regulatory resistance. This resistance is understandable, not necessarily because of inherent technical limitations, but largely because the perception of blockchains has been dominated by the bitcoin cryptocurrency and because non-technical regulators find the core concepts hard to grasp. A fundamental paradigm shift in thinking is required when examining algorithmic consensus systems and approaches to ensuring information confidentiality. Blockchains, permissioned or public, can use cryptography to handle confidential data, typically by recording only hashes or encrypted payloads on the ledger while the plaintext stays with the parties, whereas consensus only works if the consensus algorithm itself is known to all participating nodes and all third-party auditors.

Another key hurdle is standardisation. Blockchains must be seen as platforms on which applications and ecosystems can be built to leverage their key strengths, and platforms, more than any other technology, require the adoption of standards to provide business benefits. The blockchain landscape today is still very new and quite far from widespread agreement on which of the many proposed standards to adopt.

Security & Privacy by Design is Agility by Design – time to rethink Banking IT

81 million US dollars: that was the sum hackers stole from Bangladesh Bank, the country's central bank, in February of this year by compromising the bank's connection to the international payment messaging system SWIFT and issuing fraudulent transfer orders. Three other attacks on SWIFT-connected banks followed quickly. SWIFT reacted by announcing security improvements, including two-factor authentication, after initially stating that the reasons for the successful attacks lay with the robbed banks and their compromised systems.

Whoever made the mistake here, possibly all involved parties, the growing number of cyberattacks against banks is not really surprising, since attackers go where the money is. And even if the Bangladesh case is the biggest heist so far, it is just one in a long chain of attempted and successful online bank robberies. Cybercrime has become the biggest risk for financial institutions today. The reason behind this is, besides the money, often the heterogeneous legacy systems of many institutions, which simply weren't built for a connected world. They open huge doors for successful attacks. What does that mean for financial institutions? First, they urgently need to consider a huge paradigm shift in IT and information security.

For years the last bastion against digitalization, many banks successfully withstood the cloud and all later developments such as IoT without their business models having to suffer. They maintained their own infrastructures in secluded data center silos and kept running their own monolithic systems for core banking applications. Customers, both B2B and B2C, accepted this. It seemed safe and normal. (It also had a lot to do with regulatory requirements, of course.)

This initial situation has, however, changed dramatically: more and more young and dynamic competitors enter the market. Most of these fintechs specialize in a certain aspect of financial services and use the latest technologies to communicate and deal with clients wherever they are, in real time. Traditional banks already notice the winds of change through a decreasing number of younger customers, "millennials", who like to bank mobile "on the go" and put more trust in peers than in classic institutions.

To stay relevant by becoming more agile and satisfying the needs of connected consumers, banks have, at least partly, begun to integrate the new world into their business models. However, this also demands a rethinking of information security. In a hyperconnected world the old perimeter controls such as firewalls are not of much use any more, if at all. With IT being available anytime and everywhere, and with more and more people, devices and things connected to each other, the attack surface grows enormously. New threats arise in these internal and external relationships, elaborate phishing and privileged-user attacks being just two examples.

The perimeter shifts to the identities of people, KYC (Know Your Customer) compliance being one example, but also of devices and billions of ever new things. In this context the further development of blockchain technology, with its prospects for advanced identity and access management, promises a huge leap for worldwide secure and transparent financial transactions (tamper-evident records of identity, no double spending, automated verification, self-executing contracts, encryption, data integrity through time-stamps and hashing, etc.), even though certain limits of this innovative technology still need to be addressed. Could they, for example, be better solved with permissioned, private ledgers, where only known users are allowed to participate? SWIFT seems to be experimenting with this already.

Whatever the solution(s), security and privacy may no longer be an afterthought. Both need to start right with the development of products and solutions. Many industries have already understood that. It's time for the digital finance world to internalize the concept of security and privacy by design too. I can almost hear those who say that this will hinder agility and slow processes down. In fact, it is clearly the other way round and cannot be emphasized enough: security and privacy by design help any business to become more agile than ever before. They are actually the foundation of successful and economical agility by design.

Of course many banks already considered "security by design" even in their old mainframe infrastructures. In fact, they were often really good and quite progressive at it, with dynamic authorization (ABAC) and so forth. Sadly, these efforts don't count for much in a highly dynamic and digitalized world. Agility by design can today only be reached by thinking security by design anew and by also meeting the regulatory demands of privacy by design. If they get both aspects right, financial institutions stand a good chance of surviving in completely new competitive and risk environments. This won't work with the old core banking IT, however, since it is neither agile nor secure enough and it also doesn't fulfil modern privacy requirements.
