Alan Calder, Chief Executive, IT Governance
With EU privacy laws on the verge of being significantly tightened, financial institutions are wise to ask themselves how to ensure the safety and security of customer data in a world where staff use of mobile devices is inexorably on the rise.
It is no secret that easy communication combined with access to data on the move offers a multitude of efficiencies, which is why, according to the 2011 iPass Report, 95% of workers are now thought to have smartphones. Unfortunately, however, there are also many potential vulnerabilities to mobile working, especially in terms of data protection. All too often, we learn that personal information on a stolen laptop, for example, has been accessed and sold for illegal purposes, exploited in a case of identity theft – or simply publicised to betray privacy.
Indeed, according to data provided by the Metropolitan Police’s National Mobile Phone Unit, 250,000 – 300,000 company-issued and personal devices are stolen and reported to the police every year, not to mention the hordes of lost and misappropriated smartphones and mobile phones that go unreported. If these devices contain saved username and password data but are neither encrypted nor password-protected, such negligence clearly leaves easy pickings for fraudsters and exposes organisations to significant risks.
Tightening privacy laws
The punishments for those companies and institutions guilty of these avoidable acts of negligence are set to intensify, thanks to the way in which both technological progress and globalisation have changed how data is collected, accessed and used. In January 2012, the European Commission (EC) proposed a comprehensive reform of the EU’s 1995 data protection rules, with the aim of strengthening online privacy rights and, at the same time, boosting Europe’s digital economy.
In addition to requiring technical measures such as the encryption of e-mail, this law will remove divergences in enforcement. The upshot of this is that the current fragmentation and costly administrative burdens on institutions should be lessened, pointing to hoped-for savings for businesses of an estimated €2.3 billion a year, according to the EC’s Justice department. The department also notes that the new rules will help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs and innovation in Europe.
Another, perhaps less palatable, knock-on effect is, however, that the data protection regulatory environment is set to become far more demanding. Under these circumstances, a company’s chief information officer (CIO) might be forgiven for finding the protection of the data employees take out of the door to be an all-too Herculean task. For better or for worse, however, mobile computing and communication is here to stay, and so are the associated data protection vulnerabilities. The objective is not to abandon the idea of the mobile enterprise in despair, but to find a way to achieve all the benefits of staff mobility without taking any unnecessary data protection risks.
Where is the threat?
In the modern world, there are so many forms of removable storage media that enable enormous quantities of data to be literally carried around – data that ranges from SMS / text histories to private and business contacts, financial data or even confidential corporate e-mails and sensitive voice-mails. And, with Bring Your Own Device (BYOD) policies now becoming commonplace for both public and private sector organisations in the UK, privately-owned devices such as laptops, memory sticks, iPads and smartphones have immense potential to expose the personally identifiable data a company holds to security breaches.
While these devices create opportunities in the way we do business, they are also all subject to loss, theft and damage. Furthermore, they open doors to electronic attack. New technologies, in particular, bring new risks, as hackers immediately seek ways to exploit weaknesses before the appropriate electronic shields are put in place.
Potentially, everybody is vulnerable. Moreover, without adequate safeguards, every company not only risks a data protection breach, and all that that entails, but also the consequent regulatory punishment. All UK organisations that hold or process personal data must comply with the EC’s new legislation. However, if you are not really sure if your organisation is compliant with the proposed EU Data Protection regulation, which requires organisations to take all appropriate technical measures to protect personal information, there is every chance that you are currently falling far short of requirements.
One of the most vital steps to protect what is known as your organisation’s ‘porous perimeter’ is to encrypt personal data on all removable and portable media, such as laptops. Carrier networks have good encryption of the ‘airlink’ in every case, but the remainder of the chain between client and enterprise server remains open unless explicitly managed. Always use a virtual private network (VPN) connection when dealing with sensitive data, and ensure that any such data is only available to authorised users. Encryption of corporate smartphones, if possible to the FIPS 140-2 standard, is another must, as this restricts access to individuals with the correct encryption key. The physical destruction of redundant computer drives, magnetic media and paper records is another must, carried out in line with a clear data retention timetable. The industry best practice covering this area is the ISO27001 international standard, which sets out how to manage data systems securely.
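The encryption this paragraph calls for, as an added example that is not from the article or from IT Governance: a stand-alone Go program that seals a customer record before it is copied to a memory stick, using AES-256-GCM with the key derived from a passphrase by PBKDF2-HMAC-SHA256 (written out with the standard library only). Without the passphrase the record cannot be read, and a flipped bit, a swapped salt or a truncated file is rejected rather than silently decrypted to garbage. The function names, the constructed sample record, the passphrase and the iteration count are this example's own choices, not values from the article. FIPS 140-2 is a validation of the implementing module, which Go's default crypto packages do not carry, so this shows the construction the article's advice implies, not a validated product.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen  = 16      // per-file random salt, stored in the clear ahead of the ciphertext
	nonceLen = 12      // standard GCM nonce size
	tagLen   = 16      // GCM authentication tag size
	keyLen   = 32      // a 32-byte key selects AES-256
	pbkdfIt  = 100_000 // PBKDF2 iterations; an example choice, not a value from any standard
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018, section 5.2), written out so the example needs nothing outside the standard library.
func pbkdf2SHA256(pass, salt []byte, iter, dkLen int) []byte {
	var dk []byte
	for i := uint32(1); len(dk) < dkLen; i++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], i)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U_1
		t := append([]byte(nil), u...) // T_i = U_1 xor U_2 xor ... xor U_c
		for c := 1; c < iter; c++ {
			mac = hmac.New(sha256.New, pass)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// aeadFor turns a passphrase and a salt into an AES-256-GCM instance.
func aeadFor(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, pbkdfIt, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under passphrase. Output layout: salt || nonce || ciphertext+tag; the salt is also bound as associated data.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen) // salt || nonce, both fresh random
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	salt, nonce := hdr[:saltLen], hdr[saltLen:]
	aead, err := aeadFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return aead.Seal(hdr, nonce, plaintext, salt), nil
}

// Open reverses Seal. A wrong passphrase, any modified byte or a truncated blob all fail the tag check.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+tagLen {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := aeadFor(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong passphrase or tampered data")
	}
	return pt, nil
}

func main() {
	// Constructed sample record of the kind that must not travel unencrypted on a memory stick.
	record := []byte("name=J. Bloggs;account=00000000;phone=+44 0000 000000")
	blob, err := Seal("correct horse battery staple", record)
	if err != nil {
		panic(err)
	}
	pt, err := Open("correct horse battery staple", blob)
	fmt.Println("right passphrase decrypts:", err == nil && bytes.Equal(pt, record))
	_, err = Open("guess", blob)
	fmt.Println("wrong passphrase rejected:", err != nil)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the ciphertext/tag
	_, err = Open("correct horse battery staple", blob)
	fmt.Println("tampering detected:", err != nil)
}
```

The salt and nonce travel in the clear with the file; that is expected, since the only secret is the passphrase, which must never be written to the same device. GCM's tag is what turns "restricted to holders of the key" into a guarantee: a wrong key or an altered byte produces an error, not a plausible-looking but corrupted record.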
The right technologies and processes are inevitably essential to ensuring the best possible information security, but never forget the value of the right corporate culture too. Make sure that you win the ‘hearts and minds’ of your employees: if excellent policies are ignored, then those same policies become worthless.
Through proper training, staff can become your best allies in the war against data loss. At the moment, for example, most people seem to complacently imagine that mobile phones are immune to viruses. The sensible data hygiene approach is to be as cautious when using a mobile phone as you are when using a PC. Staff should not connect to unsecured wireless networks, visit arbitrary websites or download any unauthorised content and, when it comes to smartphones, should enable remote wipe and apply encryption in addition to standard security steps. Ultimately, all employees must be trained to follow and enforce security policies, in and out of the office, by understanding their value and necessity.
Poor information security should be one of the most pressing concerns for a modern company or organisation. The implementation of a business-driven access control policy, alongside the use of the latest security software and a staff culture of responsibility, will help to minimise the risks. Make sure that your organisation is taking the safe route toward a mobile future.
Alan Calder is chief executive of IT Governance, the single-source provider for books, tools, training and consultancy for IT governance, risk management and compliance, and the author of ‘IT Governance: An International Guide to Data Security and ISO27001/ISO27002’, now in its fifth edition
Why insurance needs Tesla’s autopilot too
By Christian Wiens, CEO of Getsafe
Digitization is the industrial revolution of the 21st century. What does this mean for a data-driven industry like insurance? The answer is simple: turn everything on its head and reinvent yourself under high pressure. The future of insurance is digital.
“Hello Timo, nice to see you. I’ll be glad to help you.” Carla records claims 24 hours a day, seven days a week and takes less than two minutes to evaluate and process them. Carla works for a digital insurer and is a chatbot by profession. While she is answering Timo, she contacts the bank in the background, which pays Timo back his money – the same day. This is not a dream, but already reality.
In the digital age, intelligent machines are the new workers on the assembly line, and data is the new raw material. This applies to almost all industries and in particular to the insurance world, as insurance is based on mathematical models and probability calculations – in short: on data. The more data on which the calculations are based, the easier it is to derive and price risk profiles. Data therefore changes the core of the product “insurance” in three essential areas: the offer phase, the event of a claim and the long-term customer relationship.
In the offer phase, we will experience long-term personalized product bundles that fit customer needs much better – away from standardized and inflexible policies. If the insurer can better assess the needs of the customer on the basis of his past history or behaviour, he is in a position to put together tailor-made insurance packages.
It would be conceivable, for example, to automatically adjust the insurance cover as soon as the customer’s life changes, such as when the customer gets married, buys a car or a property, or travels abroad.
Customer experience in the event of a claim will also change dramatically. Fraud is still the biggest problem in the system, with 2 percent of the customer base causing 40 percent of the system’s inefficiency. According to estimates by the Association of British Insurers (ABI), one insurance fraud is detected every minute – amounting to economic losses of £3bn every year. Of the estimated worth of total fraud cases a year, £2bn goes undetected.
But what if insurers are better able to assess customers on the basis of data and know which customers they can trust – and which not? Credible customers could then benefit from immediate payment of the loss incurred, while the few “black sheep” would not even be accepted as customers or would be checked more closely in the event of a claim being reported.
The computer does not act uncontrolled, but within certain parameters defined by humans. This is comparable to processes in the manufacturing industry: Here, too, people define the exact parameters that are to be checked – controls are implemented by machines that are significantly less prone to errors. The situation is similar when it comes to insurance fraud: people make value judgements and specify which indicators can point to a case of fraud. They retain sovereignty over the entire process. The smart algorithm, on the other hand, is only the tool for evaluating and linking the many individual data points. Smart algorithms will reduce employees’ workload, but will not replace them.
Finally, digitization will also change the long-term relationship between insurer and insured. Tomorrow’s insurance will not only settle claims, it could even prevent them arising. A better database will not only make it possible to calculate the probability and amount of loss more precisely, it will also make it easier to calculate the risk of loss. Digital systems and sensors can also help prevent possible claims. Telematic tariffs in motor vehicle insurance are already moving in this direction by promoting a prudent driving style.
Sensors on washing machines and industrial plants or intelligent smoke detectors are one thing – monitoring people in the health sector is another. Some health insurers reward sport activities, for example, if the customer can prove this with smart fitness watches. It remains to be seen to what extent customers are willing to exchange this personal data for premium refunds. In the long term, the legislator will also be asked to take action to ensure that the solidarity principle is not undermined.
However, the danger of increasing surveillance is countered by a clear increase in customer service, individualised services and flexibility on the customer side: digital insurers rely on customers’ self-determination and a positive insurance experience in an industry that sometimes appears to be immobile and non-transparent.
Digitalisation has reached the insurance industry, but has not yet shaken its foundations. That will change: Tomorrow’s insurance will have little in common with today’s structures and processes. The autopilot at Tesla will also come for insurance. Not all companies will be able to master this switch to become digital insurers.
How ISO 20022 migration is changing the landscape in payments
By Paul Thomalla, Global Head of Payments at Finastra
The ISO 20022 standard is a catalyst for change in digitalisation and payments. The current edition of the standard was published in May 2013, and it’s been clear since then that the standard represents the future of payments messaging. This is due to the rich information, process automation and interoperability it enables. What started off in the Automated Clearing House world with the Single European Payments Area is increasingly becoming the de-facto standard for instant payments and for high-value payments worldwide. In fact, we estimate that all major payment systems and currencies will have moved over to ISO 20022 by the end of 2023.
Banks, meanwhile, will be able to get closer to their customers and offer better services. As this happens, the nature of the entire payments supply chain will change: there will be no one owner. Instead, consumers, corporates, banks, software vendors, fintechs and other stakeholders will all play a part.
Migration to ISO 20022 is moving at pace with one of two adoption models being taken. In the first approach, a ‘like-for-like’ migration occurs, which means data fields and messages are gradually moved over in compliance with the new ISO 20022 standard. However, the bank and client aren’t reaping the potential of the new standard as no further action has been taken. ‘Going native’ is the second approach. This allows extensive data sharing between banks and corporates unlocking a range of benefits including deeper insights into customers and partners, better accounting and financial data and more efficient payment processing. Data-rich messages can provide corporates with all the information they need to automatically reconcile transactions the moment they happen.
Banks deciding which way to move forward must remember that corporates have been waiting eight years for this new ISO 20022 functionality and if their bank is not able to deliver the promised benefits, they could decide to take their business elsewhere.
Planning the migration process
Deciding which approach to take is the first step in the migration process for banks. The main transition models being deployed to the market are the ‘like-for-like’ translation model or, for an ‘ISO-native’ approach, either the complete overhaul model or the hybrid model.
The translation model approach translates incoming MX messages to the SWIFT MT format and vice-versa for outgoing messages. This model is less disruptive and has a lower upfront cost. However, it involves high dependence on third parties, resulting in less interoperability with fintechs and no new customer insight. The complete overhaul model allows organisations to execute a wholesale architecture transformation. This approach gives the organisation rich data it can leverage across the business, including new insights on the market and customers. One negative aspect of this approach is that it is disruptive and requires a large upfront investment. Finally, the hybrid model works well for global banks where translation is needed across the board. This approach offers flexibility and the ability to localise the strategic response; however, it adds a level of complexity for users. The leading model is unclear, but banks must remember to align their payments operations with their chosen model.
That’s not to say that the adoption of ISO 20022 will be plain sailing. One challenge is that the standard describes an asynchronous messaging process. For banks which currently rely on return messages to confirm the successful completion of a payment transaction, this will cause significant upheaval, and is a change that underscores the need for everyone in the payments ecosystem to get ISO 20022 migration right. Banks will need to overhaul their business processes and operations to adapt to asynchronous messaging. This will in turn require new systems, such as Confirmation of Payee and Request to Pay.
The new format requires a fundamental change to the payments world, so the decision on which transition model best suits their needs isn’t to be taken lightly. Internal and external considerations will help banks determine next steps to successfully implementing ISO 20022. Internally, banks must ensure they have the right people to deliver this transformation, have processes in place to easily review and adapt back office functions and have the correct technology required for the migration. Our approach at Finastra has been to build a payments hub that is ISO 20022 native from the start – ready for widespread adoption across the industry. Banks must also look at external factors like customer impact, market share, competitors and regulatory constraints.
Benefits across the payments value chain
The adoption of ISO 20022 allows for additional, enriched data to be transferred within the payment instruction. The new format has more granular and better organised data elements as well as a consistent data dictionary across the payments chain to speed processing and improve compliance. This prevents misinterpretation and expensive manual interventions. All of this will facilitate improved processing and allow all agents in the payment to make more informed compliance decisions.
In the short term, including additional party and remittance information will help reconcile transactions. For example, QR codes are being used more widely on invoices, clearly identifying the beneficiary and facilitating automation in the back office. Looking at the medium term, institutions will be able to limit the resources they have to dedicate to exception handling and one-off investigations due to missing information or unstructured input that cannot be easily integrated into automated workflows. And finally, the benefits of ISO 20022 in the long term mean data that is properly structured and adhered to will support better regulatory compliance practices and financial crime monitoring.
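As an added example, not code from Finastra or from the article, the Go program below makes two of the points above concrete: why a ‘like-for-like’ translation into MT drops remittance data (the translation model described under Planning the migration process), and how the structured data of an ISO-native message lets a back office reconcile a payment automatically instead of sending it to exception handling. It parses a constructed pacs.008 message (every identifier and amount in it is invented; the element paths follow pacs.008.001.08 as understood here, and only a handful of elements are modelled), matches each transfer against a constructed ledger of open invoices, and folds the remittance information into MT103 field :70:, which holds four lines of 35 characters, to report whether anything would be cut off. The type and function names are this example's own.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
)

// Constructed sample pacs.008 (FI-to-FI customer credit transfer): one transfer carrying a
// structured creditor reference, one carrying free-text remittance only. All values are invented.
const samplePacs008 = `<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pacs.008.001.08"><FIToFICstmrCdtTrf>
 <CdtTrfTxInf>
  <PmtId><EndToEndId>E2E-0001</EndToEndId></PmtId><IntrBkSttlmAmt Ccy="EUR">1250.00</IntrBkSttlmAmt>
  <RmtInf><Strd><CdtrRefInf><Ref>INV-2020-0417</Ref></CdtrRefInf></Strd></RmtInf>
 </CdtTrfTxInf>
 <CdtTrfTxInf>
  <PmtId><EndToEndId>E2E-0002</EndToEndId></PmtId><IntrBkSttlmAmt Ccy="EUR">980.50</IntrBkSttlmAmt>
  <RmtInf><Ustrd>Payment for invoices INV-2020-0418 and INV-2020-0419 less credit note CN-2020-0007,</Ustrd>
  <Ustrd>see statement dated 30 September 2020 from accounts payable, Example Buyer GmbH, Berlin</Ustrd></RmtInf>
 </CdtTrfTxInf>
</FIToFICstmrCdtTrf></Document>`

// Amount keeps the decimal as text; it is compared exactly below, never via float64.
type Amount struct {
	Ccy   string `xml:"Ccy,attr"`
	Value string `xml:",chardata"`
}

// CreditTransfer models the few pacs.008.001.08 elements this example needs.
type CreditTransfer struct {
	EndToEndId string   `xml:"PmtId>EndToEndId"`
	Amt        Amount   `xml:"IntrBkSttlmAmt"`
	CdtrRef    string   `xml:"RmtInf>Strd>CdtrRefInf>Ref"` // structured creditor reference
	Ustrd      []string `xml:"RmtInf>Ustrd"`               // unstructured remittance lines
}
type pacs008 struct {
	Txs []CreditTransfer `xml:"FIToFICstmrCdtTrf>CdtTrfTxInf"`
}

func ParsePacs008(doc string) ([]CreditTransfer, error) {
	var d pacs008
	if err := xml.Unmarshal([]byte(doc), &d); err != nil {
		return nil, err
	}
	return d.Txs, nil
}

// ToMTField70 folds the remittance data into MT103 field :70: (4 lines x 35 characters), as a like-for-like
// translation must, and reports whether data was dropped. Byte slicing is safe: the SWIFT X character set is ASCII.
func ToMTField70(tx CreditTransfer) (lines []string, truncated bool) {
	text := tx.CdtrRef
	if text == "" {
		text = strings.Join(tx.Ustrd, " ")
	}
	for text != "" && len(lines) < 4 {
		n := len(text)
		if n > 35 {
			n = 35
		}
		lines, text = append(lines, text[:n]), text[n:]
	}
	return lines, text != ""
}

// Invoice is an open receivable; Outcome is one transfer's result: the invoice it closed, or why it needs manual handling.
type Invoice struct{ Amount, Ccy string }
type Outcome struct{ EndToEndId, Invoice, Reason string }

// Reconcile closes an open invoice (keyed by creditor reference) when a transfer pays it exactly; everything else is
// routed to exception handling. A closed invoice is removed so a second payment quoting the same reference is not auto-matched.
func Reconcile(txs []CreditTransfer, open map[string]Invoice) []Outcome {
	var out []Outcome
	for _, tx := range txs {
		o := Outcome{EndToEndId: tx.EndToEndId}
		inv, known := open[tx.CdtrRef]
		switch {
		case tx.CdtrRef == "":
			o.Reason = "no structured reference; free text: " + strings.Join(tx.Ustrd, " ")
		case !known:
			o.Reason = "no open invoice " + tx.CdtrRef
		case inv.Ccy != tx.Amt.Ccy || !sameAmount(inv.Amount, tx.Amt.Value):
			o.Reason = fmt.Sprintf("%s expects %s %s, paid %s %s", tx.CdtrRef, inv.Ccy, inv.Amount, tx.Amt.Ccy, tx.Amt.Value)
		default:
			o.Invoice = tx.CdtrRef
			delete(open, tx.CdtrRef)
		}
		out = append(out, o)
	}
	return out
}

// sameAmount compares two decimal strings exactly.
func sameAmount(a, b string) bool {
	ra, okA := new(big.Rat).SetString(strings.TrimSpace(a))
	rb, okB := new(big.Rat).SetString(strings.TrimSpace(b))
	return okA && okB && ra.Cmp(rb) == 0
}

func main() {
	txs, err := ParsePacs008(samplePacs008)
	if err != nil {
		panic(err)
	}
	open := map[string]Invoice{"INV-2020-0417": {Amount: "1250.00", Ccy: "EUR"}} // constructed ledger
	for i, o := range Reconcile(txs, open) {
		lines, trunc := ToMTField70(txs[i])
		fmt.Printf("%s closed=%q exception=%q; MT :70: %d line(s), truncated=%v\n", o.EndToEndId, o.Invoice, o.Reason, len(lines), trunc)
	}
}
```

The first transfer reconciles without human intervention because the creditor reference is a single structured element; the second lands in the exception queue because its meaning lives in free text, and when that text is folded into field :70: the tail is lost, which is exactly the information a like-for-like migration throws away. Amounts are compared as exact decimals, and a closed invoice is removed from the ledger so a duplicate payment is surfaced rather than matched twice.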
The rewards of ISO 20022 make any temporary disruption more than worth it. We’re excited to enter a new era of payments messaging that will drive collaboration, innovation and efficiency through interlinked partner ecosystems.
Agile thinking in times of uncertainty
By Caryn Skinner, Co-Director of Sharpstone Skinner
“Several times lately, I have finished my work, closed the laptop and sat staring out of the window of my spare room office worrying that I don’t have the answers. That my team are looking to me for guidance about the future…and I simply don’t know.” Paul Jackson-Cole, Executive Director of Engagement, Parkinson’s UK
A genuine, honest reflection from an impressive and successful leader. He has gravitas, is trusted and is a great coach to his senior reports. He is also highly intuitive, with an innate ability to be a pioneering visionary who can then work with others to ground that vision in reality. And yet, he is stuck. He still has his instincts, yet with the world in flux, he is finding it hard to convince his team to go with him because they need more tangible evidence to ground his ideas.
Gut-feel judgement is part of agile thinking which is a crucial leadership skill. In the financial world you may have finely honed other types of thinking as you need to show evidence, use data and put forward your thoughts in a rational way.
Agile thinking has five main features:
- Systems thinking – investigating an issue from a broad perspective to understand the interdependencies
- Possibility thinking – to be open-minded and generate a wide range of possibilities, the classic brainstorm
- Logical analysis – to reach valid conclusions using clear, rational logic
- Evidence-based thinking – identify core issues by analysing evidence from relevant resources
- Gut-feel judgement – relying on your gut instincts to provide valuable input for decisions
Richard Branson says, “I rely far more on gut instinct than researching huge amounts of statistics”, and he’s not done too badly.
Mr Branson may make you shudder though, as it is quite an extreme view. Most of us use all or a few of them combined. Yet in this world of unknowns, your instincts may need to be more finely tuned. It isn’t easy to find evidence and interdependencies if we have never been in this situation before. Rational logic needs something tangible to test it against, but the world feels nebulous at the moment. Being open-minded looks like a good option, yet it can get stifled because the possibilities are almost endless.
Here are some ways to tap into and use your gut-feel judgement:
- Know that your instincts are not woolly ideas but are based on your years of experience. The thought has come from somewhere: an experience you have had, something you have read, a conversation you had with a colleague.
- Feed and grow your instincts. The more exposure you have to your market, the harder your instincts will work. Keep getting out and about, visit your people, talk to them, learn from them about the front-line challenges and successes.
- See your business through the eyes of your customer or client. Why do they like doing business with you, what would they like you to do better, and does your business align with their needs?
- Make your own observations about what’s next for your business rather than staring at spreadsheets of cold data. I heard about a trader who regularly walks the shops to see what’s selling and what isn’t; it informed her instinct about where the next investments might be.
- Keep in touch with the world around you and tune into what’s coming over the horizon. A client of ours was in marketing for a bank; he regularly spoke to his teenage nieces and nephews about how they communicated, how many digital “languages” they spoke and which social platform they used for what. They were his future customers, and the conversations fuelled his instincts in discussions with the senior team about the bank going online and changing the way it communicated with customers.
- Trust your gut, then test it against other types of thinking to ground it and help you sell it in. Others may not get your vision, so painting the picture for them with more solid evidence will make your job easier.
It is an exciting area of leadership and one that, perhaps, has been overlooked in a world that can access evidence, stats and data at the swipe of a screen.
Next time you find yourself staring out of your home office window, let your thoughts wander and don’t evaluate them or crush any ideas that come to you; it might be that your gut is trying to tell you something.