Resilience and Resurrection - For private circulation September 2018 - Deloitte
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Resilience and Resurrection For private circulation September 2018
Resilience & Resurrection
Contents
Foreword by CII 02
Message by Deloitte 03
Introduction04
Business: External business ecosystem 06
Business: Internal operations 12
Technology16
Cyber threats and privacy 23
Human Capital 26
Summary 32
Abbreviations33
About CII 34
About Deloitte 35
Acknowledgements36
01
Resilience & Resurrection Foreword by CII The banking sector is the fulcrum of Indian economy which is one of the fastest growing in the world. Not only are the banks in India sufficiently capitalized, they are well regulated, too. Credit, market and liquidity risk studies suggest that the banks in India are also resilient enough to withstand external factors. Enhanced spending on infrastructure, speedy implementation of projects and continuation of reforms are expected to provide further ground for growth of the banking industry. In recent times, the banking industry has seen the roll-out of some innovative models such as payments and small finance banks. India’s Immediate Payment Service (IMPS) is the only system at level 5 in the Faster Payments Innovation Index (FPII). The promulgation of the Banking Regulation (Amendment) Act 2017 has altered the financial landscape. Efforts are also underway for the resolution of stress in the balance-sheets of banks and corporations in a time-bound and effective manner. The Government’s in-principle approval for the consolidation of PSBs through an ‘Alternative Mechanism’ and the massive recapitalisation plan for PSBs are aimed at meeting the fast-growing credit needs of the economy. RBI has done well to limit India’s exposure to the sub-prime crisis of 2008. Though the government is working hard to control inflations, the industry expects full implementation of Basel III (currently banks in India are following Basel II). This will require a considerable credit raise, especially for public sector banks. However, the stress in the banking sector continues as gross non-performing advances (GNPA) ratio has risen. The profitability of scheduled commercial banks (SCBs) has fallen, partly reflecting increased provisioning. While this has added pressure to SCBs’ regulatory capital ratios, the provisioning coverage ratio has increased. Credit growth of SCBs picked up during 2017-18 notwithstanding sluggish deposit growth. A number of technological reforms have come about since then – Jan-Dhan, Aadhaar, BHIM, to name a few. Another major development is demonetisation which is fast creating conditions for large-scale adoption of digital payment systems. After the success of POS machines to the National Electronic Fund Transfer, the Unified Payment Interface, the country has also introduced payment banks. It is predicted that by 2020, large number of Indians will embrace digital and biometric systems, which will in turn lead to a slew of new models – Cognitive Technology & Artificial Intelligence, Block Chain Technology, Robotics Process Automation, Fintech and of course Cyber Security. In technology-based banking, IT and electronic funds transfer system are being seen as the twin pillars of modern banking development. With ‘Resilience and Resurrection’ being the theme of the CII-Deloitte Report, considerable time and energy has been devoted to identifying the key factors – both external and internal – impacting the banking and financial sector in India. Not only has the CII-Deloitte team prescribed a set of business models which would be suitable in the current scenario, it has also prescribed how the stakeholders should go about it in the changing market dynamics. We hope that the readers would find this report useful. Jagi Panda Chairperson, CII Eastern Region 02
Resilience & Resurrection
Message by Deloitte
India has been undergoing a number of changes and developments in the form of reforms in last few years. The reforms
have led to higher growth rates, stable economy, and improvement in macroeconomic stability, global integration, etc.
Further, there is an improvement in the business environment with the implementation of stable governance standards.
However, the economic slowdown in the last few quarters has raised a number of questions on the country’s growth
potential to be answered by the leaders across domains. These include the following:
• Is the Indian growth story over?
• What are the new opportunities for India’s growth potential?
• What sets of policies might be needed to revive growth?
One of the major priorities have been to fix the banking system in the country. The country should aim at developing a
dynamic banking sector that encourages innovation and simultaneously is keeping a track of the inefficiencies. A robust and
well-capitalized banking sector helps in capital formation and stabilizing economic activity. The system enables circulation of
financial products between savers and borrowers. Thus, it plays an important role in channeling the savings into productive
investments. The International Monetary Fund (IMF) opined that the Indian banking system apprears resilient; however, it is
subject to considerable vulnerabilities and capital requirement.
In order to recover from the slowdown in reform and build-up the macroeconomic sustainability, India has exhibited a
renewed spirit for revival. The Government has made changes in the institutional and regulatory frameworks.
The government implemented reforms in a number of areas ranging from a new inflation targeting framework, reduction
in the level of subsidies by energy subsidy reforms, containment of the level of fiscal deficit, re-instatement of the fiscal
deficit frameworks, strengthening of the fiscal federalism, and improvement in the the quality of fiscal expenditure. The
implementation of the Insolvency and Bankruptcy Code (IBC) has improved the legal landscape and is expected to fasten
the recovery of bad loans in the country. Other focus areas include corporate governance reforms and improved financial
supervision. The banking system should strengthen the lending standards for lending to sensitive sectors and bigger
projects as well as make provisions for the expected losses. All these reforms will lead to a significant improvement in the
macroeconomic stability and building a strong banking system.
03
Resilience & Resurrection
Introduction
Redefining the financial services landscape
To ensure a strong economic growth, a nation needs
a robust and a resilient financial services sector. It
becomes a critical component of the governance.
Currently, the sector is facing challenges such as
an adverse global environment, increasing level of
defaults and bad loans.
We focus on the theme of Resilience and
Resurrection for the banking sector
• Resilience – If there is any impact (through external
or internal factors); then how well is the industry
(or the bank) ready to withstand the impact i.e.
how resilient are the bank’s operations
• Resurrection – Should there be an impact, then
how strong is the bank to resurrect or rebuild itself
and make a comeback.
One cannot eliminate risk 100% from the banking
system; however, efforts can be made to minimize the
risk by adopting several pre-emptive measures.
The key focus points of the paper include the
following:
• Technology is a driver, not a disruptor anymore
• Future successful institutions and leaders will
have to look at an integration of the physical and
virtual world
• With the advent of technology, cyber threats and
privacy become a real challenge that banks have
to deal with
• Regulatory regime continues to dictate health of
banks
This report discusses resilience and resurrection in the
banking space through five sections, namely External
Business Factors, Internal Operations, Technology,
Cybersecurity & Privacy and People. Through these
chapters, the report discusses a number of external
and internal factors impacting the sector, identifies the
disruptions to the current business model and how
prepared institutions are to face the changing market
dynamics.
04
Resilience & Resurrection
05
Resilience & Resurrection Business: External business ecosystem Digital Disruption in the Banking significantly better onboarding and targeting specific segments within Landscape service experience for customers. the overall SME space, and specific The Indian banking industry is seen retail customer segments marked witnessing significant disruption Further, banks have traditionally by differences in availability of with financial technology companies structured their retail products keeping documentation). This customisation/ (“FinTech”) driving innovative standardisation as the focus with customer led approach has been seen business models and use cases and limited emphasis on customisation driving a relatively higher adoption and capturing market share from the based on the different customer usage of products designed by FinTech. existing established players. While segments/unique needs. While this the banks have traditionally relied one size fits all approach makes Banks under pressure to rethink on their branch infrastructure to implementation and operationalisation credit acquire and service customers, of the products easier for the banks, Among the various areas that FinTech emerging players are leveraging digital it does not provide the customisation are focusing on, lending/ credit channels to directly reach out to their and personalisation that the new has been noteworthy. It has seen customers. This has enabled them generation of customers now desire. significant disruption by FinTech. Given to keep the costs lower and achieve In contrast, FinTech are seen tailoring credit is the primary driver of revenue scale; benefits of which are passed their products to target the unique for banks, such disruption by FinTech is on to the customers. Not only this, needs of specific target customer likely to directly affect the business of digital channels have been offering a segments (for instance, FinTech are the banks. 06
Resilience & Resurrection
Banks have typically relied on a formal Figure: Illustrative list of FinTech across lending segments
documentation based approach
involving significant manual effort
(including document collection, Original
P2P Lending P2P Lending
Seen and Verified (OSV) processes, credit
appraisal etc.) which has traditionally
taken a week or longer. Additionally
if the customer doesn’t have these
documents or has insufficient credit
Personal Loan Bill Discounting
history (“thin-file customer”), this
process typically takes even longer
period or in some cases even leads to a
rejection of the application.
Auto Loan SME Loans
FinTech have focused on addressing
these two challenges traditionally faced
by banks i.e.,
a) longer turnarounds
b) credit for thin-file customers Gold Loan Home Loan
and carved out a niche for
themselves. FinTech have created
efficient service delivery platforms
leveraging the following key
technology capabilities: Credit Card Line of Credit
1) Drive automation for processing
documents to reduce turn-around
time. For example a leading NBFC
leverages Digilocker1 to collect 2) Profiling customers through Later construct; allowing customers
authorized documents digitally (e.g. alternate data to develop credit to avail credit who earlier might have
PAN Card, Aadhaar Card, Driving proxies e.g. Buy Now Pay Later been denied a credit card or credit
License, Income Tax Return etc.), FinTech like Simpl, ePayLater, products based on limited formal
thus, reducing time for OSV and LazyPay etc. collect extensive data documentation available for them.
authenticity checks. Additionally, about the customer such as social
data being collected from Digilocker media data, contact details, SMS, Riding on these innovations, FinTech are
is readable by the system which mobile information, transaction seen to have carved out a business niche
enables automated data population data2 etc. to evaluate customer’s for themselves with the likes of Capital
and enrichment. Such technology credit worthiness and extend short Float being able to build a loan book
initiatives helps digitize and reduce the term credit at select merchant of over Rs. 1,200 crore3 and disbursing
credit disbursement cycle for FinTech. locations under the Buy Now Pay loans at a monthly run-rate of Rs. 250
1.
https://blog.digitallocker.gov.in/indiabulls-showcases-how-nbfcs-can-integrate-with-digilocker-for-digitised-document-verification/
2.
https://play.google.com/store/apps/details?id=com.simpl.android; https://play.google.com/store/apps/details?id=in.epaylater.android.consumer
3.
https://yourstory.com/2018/04/capital-float-closes-series-c-round-secures-22-m-equity-funding-amazon-inc/
07
Resilience & Resurrection
crore a month. Similarly, Lendingkart has been able to
disburse loans to over 13,000 SMEs 4 and aims to have
a loan book of over Rs. 2,500 crore by the end of FY 18-
19. While growing loan books has been one of the core
business objectives for the FinTech, some of the players
are also focusing on identifying markers for potential
delinquents (e.g Algo 360 tracks customer’s mobile
phone app, email behaviour to find out if the customer is
reaching out to multiple credit providers for new loans).
In order to do so, FinTech are either developing internal
capabilities or are tying up with other FinTech which
enables them to understand loanee’s credit behaviour,
for e.g. shopping for new loans across lending platforms/
FinTech, missed bill payments, browsing history etc. to
generate data proxies which can proactively predict or
minimize cases of delinquencies (e.g. Capital Float is using
the customer credit profiling capabilities of Perfios to
develop customer credit worthiness proxies which goes
as an input to the credit decisioning by Capital Float 5).
All these technology led initiatives have helped FinTech
differentiate themselves as preferred credit provider
for their target customer base. This shifting preference
towards FinTechs to avail credit facilities poses a risk for
banks of loosing out on current customer base as well as
future business from these customers.
Partnership – a useful response to disruption
Banks across the public and private sector, small and
large scale, have or are in the process of embracing
these digital technologies and are enhancing their value
proposition to provide both asset and liability products
on their banking platform.
Figure: Engagement Model with FinTech
Tight integration on the bank's platform
Drive integration with key players on bank’s
own platform (deliver all use cases on the
bank’s platform)
Private APIs Open APIs
Identify key and emerging fintechs. Go beyond Allow emerging FinTech to tap into banking
just the bank’s platform. Connect multiple eco-systems through standard APIs
platforms to create a true ecosystem
4.
https://yourstory.com/2018/02/lendingkart-secures-87m-but-theres-more/
5.
https://economictimes.indiatimes.com/small-biz/money/fintech-company-perfios-raises-about-rs-40-crore-from-bessemer/articleshow/58001193.cms
08Resilience & Resurrection
To provide these offerings, banks have started engaging with FinTech through the partnership route which provides banks the
flexibility of developing capabilities quickly, driving innovations and at the same time trying to minimize their business risk.
Figure: Drivers for bank FinTech partnerships
CUSTOMER-CENTRIC INTELLIGENT CAPITAL LIGHT, REGULATORY
Support differentiated AUTOMATION REDUCED OPEX COMPLIANCE
customer experience by Simplified processes, Digital Lending Flexibility in complying
collecting intelligence products and Platform’s design and to new regulations while
and then acting on it architecture. Leverages nimble architecture maintaining existing
(build into products and a high degree of requires comparatively standards to enable
services). Flexibility, automated end-to-end low capital expenditure. faster response with
building personalisation customer focused Should have low agility, minimizes time
into products and processes, less complex technical debt by lost in attending to
services and into every suite of products consolidating and inquiries, and stay ahead
interaction. Should with high levels of revising components of the curve.
support seamless Omni- personalisation, and within the architecture
channel experience. embrace exponential to support innovation
tech to deliver a and growth investments.
anywhere anytime self
service digital.
PLATFORM BUILT ON PERFORMACE AND EASE OF INTEGRATION SECURE AND TRUSTED
OPEN APIs SCALABILITY Opportunity to be Secure at the core.
Platform-as-a-service Efficient scalability digital at the core, not The development and
model, open platform; is a qualifier for just IT enablement deployment of all of the
towards owning the competing in today’s of the channels. Built elements in the lending
“lending operating digital environment. on a modern agile platform architecture
system” and sharing Components within the digital architecture that must be designed with
those assets with lending platform must embraces open source security in mind.
partners; leverage API provide effortless, rapid, technologies, reduce
economy to increase near linear scalability TCO and increase speed
digital revenue; support without an exponential to market.
tools to manage pricing, increase in cost.
provisioning, metering
and billing.
09Resilience & Resurrection
While each engagement model has its the bank’s objectives and thus, providing of Aadhaar details, data sharing
own pros and cons, the private API/ a win-win proposition for each other. consents) and Indian regulations (such
FinTech incubation programs have as Data Sharing and Data Localisation)
seen active interest by several banks Similary, in order to grow their share in needs to be taken into consideration
as it enables banks to identify FinTech the credit market, banks have started when such FinTech programs are set-up
which align to the bank’s strategy and partnering with FinTech which allows and leveraged to improve bank’s service
allow them to work with the FinTech them to evaluate customer credit delivery and product proposition.
to develop bank specific use-cases. worthiness based on alternate data.
For example, Bank of Baroda has Some of the leading FinTech focusing To drive compliance with the regulatory
constituted a FinTech alliance within on alternate data based credit profiling requirements, these FinTech initiatives
the bank and already has more than such as Perfios, CreditVidya, Lenddo must be backed by bank’s management
25 such FinTech partnerships6, and etc. have seen interests from the banks and the objectives for the same must be
based on such alliances is targeting a such as SBI, HDFC Bank, RBL Bank, clearly defined within the organisation
revenue of Rs. 4,000 crore7; Similarly Kotak Mahindra; where in banks are so as to remove any ambiguity among
other leading public and private sector using the insights generated by these the partnering organisation(s). This
banks such as SBI8, HDFC Bank 9, ICICI platform to evaluate the customer would help banks align and drive their
Bank10, Kotak Mahindra11, Axis Bank12 creditworthiness13. business objectives while ensuring
etc. have constituted formal Hackathon/ compliance to the guidelines. Some
Appathon/ FinTech incubation centers While the intent of these partnerships of the key parameters that any such
with the objective of finding FinTech with FinTech is to bring banks back into bank initiative needs to consider are
having a compelling/disruptive value- the reckoning by customers, various mentioned in engagements in appended
proposition which can be aligned with regulatory guidelines (such as sharing Figure.
Figure: Consideration for FinTech engagements
What? How?
Objectives: Commercial Framework Technology Framework
Segments and needs; (Partnership model; Private API;
Business Growth; Governance model, Open API;
P&L Optimisation Monetisation model) Security Considerations
Regulatory and program governance
Data Consent Data
Collection Mechanism Localisation
6.
https://www.bankofbaroda.com/the-fintech-alliance.htm
7.
https://economictimes.indiatimes.com/markets/stocks/news/bob-eyes-rs-4000-crore-gains-from-fintech-by-fy20/articleshow/64378442.cms
8.
https://www.livemint.com/Technology/eY73pPWdQirAfJmngcpqfO/SBI-launches-national-hackathon-next-month.html
9.
https://www.hdfcbank.com/htdocs/aboutus/News_Room/pdf/HDFC_Bank_kicks_off_Digital_Innovation_Summit_2017.pdf
10.
https://www.icicibank.com/aboutus/article.page?identifier=news-icici-bank-announces-winners-of-icici-appathon-its-mobile-app-
development-20161904163528712
11.
https://www.kotak.com/content/dam/Kotak/about-us/media-press-releases/2018/kotak-mahindra-bank-and-nasscom-launch-a-new-collaborative-
platform-for-start-ups.pdf
12.
https://www.axisbank.com/docs/default-source/press-releases/axis-bank-s-thought-factory-aids-its-start-ups-to-expand-opens-up-avenues-with-
investors-and-companies.pdf?sfvrsn=4
13.
Clients: https://creditvidya.com; https://www.perfios.com
10Resilience & Resurrection
11Resilience & Resurrection
Business: Internal
operations
With increased cyber frauds occurring • Periodic reconciliations to identify Recent case studies in financial
across various banks and financial any mismatches in accounting services across the globe, with
institutions across the globe, entries and any exceptions/ breaches in cyber security
management considers cybersecurity overrides that may be passed in the In line with the types of cyber frauds
as a top focus. Regulators have system mentioned above, highlighted below are
increased their focus and ring-fenced specific cases wherein cyber crimes have
their guidelines to take into account the Various types of cyber frauds been conducted due to breaches in the
increasing cyber frauds. The frequent types of cyber frauds internal controls of the bank or financial
committed across banks and financial institute in India and globally.
Financial institutions have set up internal institutions are detailed below:
• Business Case 1:
control environments in their existing
• Skimming and cloning A Pune-based bank was a victim
system architecture and resource
Fraudulent transactions were of a malware attack, where cyber
framework to prevent breaches, which
done from the bank accounts of hackers, hacked into the banks’
may lead to cyber crimes. Indicative
13 customers at a public sector servers and transferred Rs. 94
controls adopted to achieve the same
bank. Skimming and cloning of the crore to accounts in India and Hong
are as follows:
customer debit cards with a total Kong. The attack was through the
• Governance mechanism with loss of Rs. 2.23 lakh was identified. cloning of Rupay and Visa debit
clearly identified and board A skimmer was inserted in the ATM
approved cyber strategy. Cyber machine of the bank.
security preparedness indicators,
cyber crisis management plan, • Swim swap
cyber resilience objectives are A customer was duped of Rs. 6 lakh
incorporated. An independent cyber through a swim-swap fraud, where
security team is assigned to cater to the fraudster installed a malware
cybersecurity. which shut the phone until the
fraud was conducted. The amount
• Adequate maker, checker and
was debited when the customer
authoriser roles basis the priority
authenticated the usage of a wallet.
and transaction amounts. The
transactions matrix defines the • Bypass OTP
amounts that can be approved In a recent case, a targeted customer,
along with product wise bifurcation. provided his card details on a
• Multi-factor authentication access phishing link; however, the OTP was
to the systems, which requires not received by him and Rs. 50,000
users to input login credentials and was debited from this account. In
further authenticate the transaction such instances, the fraudster uses
through biometrics or OTP. codes to bypass the OTP.
• Limits in the system on parameters • ATM Jackpotting
such as withdrawal limits at a The scheme requires instalment
customer level and caps basis the of a breaching software to alter
location/region/product. the amount of cash withdrawals;
• Adequate system interface and the software breaches the internal
integration between the systems controls of the bank, to facilitate
and sub-systems utilised by the huge cash withdrawals through fake
bank and financial institutes. cards at ATMs.
12Resilience & Resurrection
cards for over 15,000 transactions. Analysis of the case: The internal number be incorrect, the customers
NPCI stated that their systems were controls on the limit threshold should go to the link mentioned in
secure, and the breach occurred was breached, allowing unlimited the message and update their correct
due to a malware in the banks’ withdrawals from ATMs account numbers.
technology environment. The
money was taken from the banks’ As the account number mentioned
• Business Case 2
operative accounts. in the message was incorrect,
Cyber fraud duped customers
customers visited the link (which
through messages sent, supposedly
The ATM cashout was through theft looked similar to the government
from a government agency. As the
of funds from ATMs, by accessing agency site), and updated their
first deadline for filing of returns
bank customer card information account details. The same details
was nearing, customers received
and misuse of network access. Prior were used to convince the targeted
text messages from the fabricated
to the ATM cashout, the hackers customers to pay fines, due to
Income Tax department. The message
removed controls at the financial irregularities in their returns.
mentioned that the customer’s
institution such as limit on the
“refund” had been approved. The
maximum withdrawal amount and A nalysis: Absence of internal
message also included a random
any limit on the number of daily controls and real time research to
bank account number, with a note,
customer ATM transactions. identify fraudulent internet domain
stating that should the account
registrations.
13Resilience & Resurrection
• Business Case 3:
Cyber criminals transferred $2 million • Establishment of an IT strategy and cybersecurity
(through unauthorised remittances) committee
from the bank to lenders overseas • Independent cybersecurity team
Governance
via the SWIFT financial platform, to
accounts in Dubai, Turkey and China. • Board approved cyber security policy
Policy
• Board approved change management
Analysis: Absence of transaction
policy
matrices and adequate system
integrations. • Defined cyber security
preparedness indicators, a cyber
Process
crisis management plan, and cyber
• Business Case 4: resilience objectives
A leading British bank, was forced to
halt its online transaction business,
as money was stolen from current Technology • Vulnerability assessments,
accounts of 20,000 customers. critical asset identification
Analysis: The breach occurred due
to absence of adequate controls in
the bank’s IT infrastructure.
FFIEC Cybersecurity Assessment Banks invest in softwares to detect
• Business Case 5:
Tool. fake websites.
A foreign bank was the victim
of a cyber fraud of $101 million, • Implementation of a vulnerability • Banks have shifted from the
in a case where the money was scanner (e.g.: Nessus, Qualys). The conventional penetration and stress
transferred from the Federal scanners perform activities such testing exercises, to cyberwar games.
Reserve Bank of a country to a as, auditing the configurations The game is organised around a
fictitious account. The incident of the third party cloud services, business scenario, structured to
was tagged as a money laundering performing remote and local checks, simulate a real attack. Participants
activity. The incident occurred discovery of live hosts and open include employees from information
due to compromised access to the ports, reviewing the configuration security, application development,
SWIFT system of the bank. files of the network devices, etc. operations, and customer service
–– Penetration testing of a breach departments. The participants are
A nalysis: Unauthorised access to
due to cyber risk, to evaluate the provided with incomplete data and is
the bank’s systems. incident detection and response. exercised in the UAT environment.
–– Performance of a general • Machine learning and artificial
Internal controls adopted by financial controls review. intelligence to analyse the network -
services institutions to mitigate cyber the machine learning correlates the
• Conducting security analytics to
frauds activities performed through the
detect cyber security breaches
With the increasing rate of cyber crimes network to identify patterns. (e.g.:
such as unusual changes in the ATM
and fraudsters devising new ways to find Draktrace, Splunk)
switches, predictive attacks due to
loopholes in the existing technology,
compromised ATM switches, cash
there is enhanced focus on internal Case studies of practices adopted by
withdrawal limit checks, etc.
controls and tools to mitigate this risk, key entities to mitigate cyber crime
by taking into account the governance • Banks are subscribing to cyber Based on the internal controls adopted,
framework, policies, processes and insurance policies to safeguard highlighted below are case studies of the
technologies. This is highlighted in the themselves for cases of a cyber practices adopted by banks and financial
diagram below. breach. The cyber liability insurance institutions globally.
cover takes into account ransomware
• Performance of IT risk assessments: • SWIFT has implemented a real–time
attacks and minimising losses due to
Strengthening the performance and payment controls service, which
cyber crimes.
frequency of the IT risk assessments. allows the customer to screen their
–– Implementation of a cybersecurity • Real time dashboards to identify payment messages, basis selective
assessment tool such as the instances where the banks’ websites/ parameters. This enables customers
Graham Leach Bliley Act (GLBA)/ payment pages have been replicated. to detect unusual flow of data/
information.
14Resilience & Resurrection
• A payment security specialist has safeguards the customer by allowing limits at a minimum of Rs. 0/Rs. 5.
formulated an 8-point action plan the customer to set daily ATM Customers can activate/deactivate
to mitigate cyber crimes at financial withdrawals limit and allows instant the limit by sending an SMS. The
institutions. The key feature of disabling of remote purchases on limits are updated on a real time
the plan includes a multi-factor their cards. basis.
authentication for users to log into • A foreign bank has implemented a
the switch application and conduct biometric authentication system Conclusion
a credential based vulnerability at ATMs. Customers do not require Banks and financial institutions need to
assessment scan. a card or a pin to withdraw from evaluate their cybersecurity framework
• Hong Kong Monetary Authority the ATM; the ATM solely functions periodically to be abreast with the
(HKMA) has set up a cybersecurity on vein and fingerprint hybrid paradigm shift from conventional
fortification initiative with the authentication. breaches to technologically advanced
banking industry, where a Cyber • The state bank in a foreign country breaches. As the quantum of cyber
Resilience Assessment Framework, plans to restrict the hours of breaches increases, the focus needs
a cyber intelligence sharing platform withdrawal from an ATM, as a to be on strengthening the internal
and a professional development majority of skimming instances are controls. Analytics play a key role to
program is set up14. performed at night. identify recurrence of cyber frauds in a
• An international bank has launched specific location/geography or to identify
• A co-operative bank in India allows
a “digital safety campaign”, which new breaches.
its customers to set debit card
14.
https://www.hkma.gov.hk/eng/key-information/press-releases/2016/20160518-5.shtml
15Resilience & Resurrection
Technology
Moving from technology resilience to seamless service integration, landscape which was built around the
digital resurrection application portfolio rationalisation, concept of pushing core banking services
The banking landscape both in India omni-channel enablement, cyber- through physical channels is under
and globally has changed significantly security, data-driven decision making, pressure. In majority of the cases, new
over the last decade. Key forces process automation, and optimisation. age channels and offerings have been
driving this change include increased However, what most banks fail to layered onto an aging core infrastructure
customer expectations, the emergence realise is that most of these elements which has severely limited their ability
of new disruptive technologies, new- cannot be adopted in a silo, and to integrate seamlessly and respond to
age technology competitors and instead, they have to be deliberately the changing business demands. This
evolving regulatory requirements. ingrained deeply into the core already stressed technology is seen
Banks, especially the incumbents, are enterprise architectural fabric which in to be an easy target of cyber-attacks –
now being forced to re-imagine their turn must be driven by a lean, agile and which have become more sophisticated
strategy and associated investments dynamic operating model. over the years – thus, resulting in
around technology. Some of the frequent system outages and business
primary elements of this renewed focus Traditional banks around the world are disruption.
are: agile and resilient infrastructure, at a crossroads today. Their technology
Figure: Emerging disruptions impacting emerging technology landscape
Disruption Impact on IT function
Robotic Process Automation
Blockchain
API Economy
Infrastructure Applications
Big Data Analytics
FinTech Service Integration Channels
Payment Banks
Cyber Security Data Driven
Omni-channel
Processes Operating Model
eKYC and CKYC
UPI and IndiaStack
Taxation laws - GST
Financial Inclusion
New Technology Trends
Shifting Market Trends
Evolving Customer Requirements
Government Mandates
Source: Deloitte Analysis, 2018
16Resilience & Resurrection
Drivers disrupting the banking study conducted by Morgan Stanley
Competition is not limited to
industry landscape and Deloitte Customer Survey20, 64% of
banking players only
Digital Technologies – From disruptor Indians will be millennials by 2021 and
Telecom providers like Airtel and Jio
to driver will spend $330 billion annually, these
and retail players like Amazon have
While the traditional banks are still millennials are increasingly demanding
entered the competition in Indian
playing the catching game of trying to “Amazon/Facebook” like experience
banking sector. In addition, India
‘look digital’, the new generation digital with round the clock availability and
Post Payment Bank has potentially
banks and FinTech are turning the support from the banks. Millennials
opened up a new unbanked section
tables upside down by disrupting the and now Generation Z (people born
of rural Indian market.
entire banking technology landscape. from the mid-1990s to the early 2000s)
The new digital forces namely machine With RBI providing new licenses for not only demand simplified product
learning and artificial intelligence (AI), payment banks in 201517, not only and services from their bank but
big data analytics, robotic process FinTech but companies from different they expect unique and personalised
automation (RPA), open banking, sectors are entering this space. Banks journeys throughout their interactions
blockchain, chatbots and internet of are devising the strategy to leverage the with the bank.
things (IoT), etc. have resulted in a FinTech ecosystem and are partnering
storm to position technology from with them to become the aggregator The implications are clear – multiple
being a business enabler to a business of product and services. For example, banks are leveraging technologies to
driver. a large private sector Indian bank has re-imagine product and services along
partnered with various FinTech across with the delivery channel. For example,
Indian banks have responded positively banking value chain to emerge as the a large public sector India bank has
in adopting digital technologies, for aggregator of product and services18. launched SIA-AI powered Chatbot and
example, a leading private bank in Governments across the world are lifestyle and banking app specially
India has launched IRA (intelligent pushing the open API economy to bring catering to the needs of the millennials21.
robotic assistant) to provide smooth banks, FinTech and other interested
customer experience15. Banks are also parties together to respond to consumer Regulators – From changing the rule of
exposing their APIs to aggregate new and business expectations. For example, the game to changing the game itself
services. For example, a private Indian the Monetary Authority of Singapore Globally, regulators are providing
Bank is digitising B2B supply chain by (MAS) published “Finance-As-A-Service special push and incentives to
launching API banking services16 . API PlayBook" to develop and adopt digitise banking/payments related
open Application Programming Interface processes and are even re-shaping
Banking Ecosystem – From (API) based system architecture19. long established processes and
competition to partnership changing the landscape. In India,
The growth of digital banks and Evolving Customer – From needs to recent initiatives like BHIM platform
introduction of new age technology wants (UPI, USSD, Aadhaar Pay), Immediate
competitors like FinTech are disrupting Customers’ expectations and demands Payment Service (IMPS), Aadhaar Vault
the banking industry with their agility, are shifting towards smarter, more and Bharat Bill Payment System (BBPS)
responsiveness and personalised transparent and seamless omni- etc. have completely changed the
offerings. channel experience. As per a joint Indian payment landscape.
15.
https://cio.economictimes.indiatimes.com/news/enterprise-services-and-applications/hdfc-bank-launches-ira-2-0-the-advance-version-of-its-
interactive-humanoid/63936738
16.
https://www.livemint.com/Companies/BcqXQgey9fieFps9xVZxrK/How-Bajaj-Electricals-uses-blockchain-to-pay-suppliers.html
17.
https://www.rbi.org.in/SCRIPTS/BS_PressReleaseDisplay.aspx?prid=35010
18.
https://www.business-standard.com/article/finance/icici-bank-s-digital-push-sets-up-innovation-lab-enters-fintech-tie-ups-118052500580_1.html
19.
https://abs.org.sg/industry-guidelines/fintech
20.
Morgan Stanley, Statista and Deloitte customer survey, 2017
21.
https://www.livemint.com/Industry/68ipadKiLQwxGUKTxXd3pL/SBI-launches-chatbot-to-help-customers-in-banking-services.html
17Resilience & Resurrection
The next revolutionary idea which is from the four disruptive forces factor in the impact of these disruptive
being envisioned is ’India Stack‘ – which mentioned in the above section, the forces on their overall technology
are a set of open APIs and currently situation has been further strained by landscape and core architectural fabric
include services like Aadhaar for recent IT outages and cyber-attacks and devise a new strategy of “Where
eKYC, eLocker for storing and sharing which have resulted in frequent to Play” and “How to Play” leveraging
documents electronically, eSign for system breakdowns and disruption of digital technologies.
paperless agreements and UPI for business. For example, a recent case of
digital payments. While the customer cyber-attack on an Indian co-operative Where to play: Choosing the right
is likely to enjoy the benefits of these Bank has resulted in significant battleground to win
services and FinTech are expected financial losses 23 . Robustness and Digital technologies have become
to build new product and services resilience of IT systems have taken the critical driver to deliver business
leveraging the ‘India Stack’, banks will a front stage and each technology objectives and is impacting the entire
need to devise their own strategy to failure is further amplified due to social banking value chain, applications
respond to these regulatory initiatives. media and 24X7 media. Banks have landscape, business processes and
Apart from regulators, governments paid a heavy price in terms of penalties operating model. However, technology
are also promoting and providing the imposed upon them by regulators and transformation cannot be achieved
playground for interest parties to not to mention the loss of reputation. overnight; and hence, it is imperative
embark on the digital revolution. For To stay afloat, banks will need to to define the transformation vision,
example, Maharashtra government strategy and roadmap to start with.
has announced the opening up of In this regard, banks should consider
How to remain relevant?
a ‘sandbox’ where start-ups can performing a comprehensive cost-
To remain relevant in changing
register and open their APIs for the benefit analysis (considering both
times, the banks need to resurrect
consumption of financial institutions 22. tangible and intangible benefits)
themselves and adopt technologies
while defining the target landscape,
to drive the digital transformation,
Technology as a driver: Where to play considering the availability of
new business models, and agile
and how to play resources and budget to execute
processes and simplify management
At a time when the traditional banking necessary steps.
of IT.
technology was already under strain
22.
https://www.livemint.com/Industry/68ipadKiLQwxGUKTxXd3pL/SBI-launches-chatbot-to-help-customers-in-banking-services.html
23.
https://economictimes.indiatimes.com/industry/banking/finance/banking/cosmos-banks-server-hacked-rs-94-crore-siphoned-off-in-2-days/
articleshow/65399477.cms
18Resilience & Resurrection
Figure: Technology Enablers
Achieve cost & operational
01 Business Growth 02 efficiency
03 Digital DNA
EVALUATE DEVELOP new REDUCE cost USE analytics to IDENTIFY INTEGRATE
existing products products / draw insights customer touch- digital channels
/ services services points
IMPROVE ACQUIRE new ENABLE sales AUTOMATE BUILD brand PERSONALISED
customer loyalty customers force repetitive tasks awareness experience
Technology Drivers
Enterprise CRM Analytics Mobility API Economy DevOps
Blockchain Gamification IoT Robotic Process Cloud
Automation (RPA) Computing
Process Social Media Portal Knowledge Digital
Digitation Transformation Management (KM) Marketing
Source: Deloitte Analysis
Business Growth
FinTech have made a deep dent in the loyal customer base of
traditional banks. Globally, banks already seem to have conceded
the payment space to FinTech like Alipay, Ripple and PayPal
etc. and, now with the foray of tech titans like Amazon, Google,
and Facebook etc. in the payment services space the boundary
between the banks and FinTech is fast diminishing in India as well.
To survive in this fiercely competitive landscape, today’s banks will
need to consider moving from being a provider to an aggregator of
product and services.
Cost and operational efficiency
Banks with siloed, tightly-bound and complex application
landscape are unlikely to be able to survive the onslaught of
digitally enabled competitors. Hence, moving from the traditional
architecture to a platform and or service oriented architecture,
digitisation of the front, middle and back office processes and
adopting agile and consumption based infrastructure are seen to
be the key to reduce cost while improving operational efficiencies
in new digital world. Basic banking services like account opening,
loan processing, remittances etc. may need to be repurposed and
integrated into customer journeys to provide ease of use and quick
turnaround time.
19Resilience & Resurrection
Digital DNA The technology components which were untouched till now are
Quick fix and piecemeal solution to ’look digital’ has created getting transformed in the wave of new digital technologies.
more problems for the banks than solving it. An agile and open Leading banks in India and across the world are adopting
enterprise architecture needs to be at the core of a bank’s different strategies across the landscape to leverage digital
digital business strategy. New business models would need technologies and move higher in digital maturity.
to be centred on technologies like machine learning, AI, RPA,
open API, blockchain, data-driven analytics, chatbots, user How to play: Approach to build a technology driven bank
experience etc. Banks need to consider having agile back end and front end
capabilities to be able to be customer centric in their approach.
Digital technology drivers are impacting entire banking However, the current technology landscape in most traditional
landscape including architecture, business processes, and banks was not conceptualised and designed to operate with
operating model. today’s scenarios in mind thus becoming a barrier for customer
Figure: Technology Driver impacting – Implications on Architecture, Process, Operating Model
Technology Digital Drivers Impact on Technology Components Examples
Components
Infrastructure • s-a-Service consumption models
A ICICI Bank of India is using hy-
Cloud Computing
leveraging cloud. brid cloud to streamline busi-
ICICI
• Right mix of deployment models like ness processes and build an
Bank
public, private and hybrid and the ecosystem of FinTech
services are lowering
Applications Mobility • Hotspots for new application UBank's online home loan
acquisition are CRM and Digital application process disrupted
Marketing solutions retail banking by delivering a
Gamification UBank
• CRM is the driver for digitization of simpler, better and smarter
Portal Transformation
cumbersome on boarding processes, customer experience
standardize customer servicing
Service API Economy
• The current wave of digital technologies Partnered with FinTech com-
Integration are focused on secure and seamless panies to leverage ideas and
BBVA
integration of external agencies to banks expertise for digital products
DevOps
core systems ‘API Economy’ like payments, SME loans, etc.
Channels IoT • rchestrate customer journey across
O Offer Hashtag banking, which
digital channels providing hyper KOTAK allows user to access account
Social Media localised and contextual customer Mahindra balance, transaction history,
experience leveraging AI, IoT, machine Bank mobile/DTH Recharge, etc.
Enterprise CRM
learning and robotics through a simple tweet
Cyber Security • ank needs to take a broader
B SBI launched a national
Blockchain
approach to cybersecurity hackathon, “Code For Bank”,
encompassing people, process and SBI for developers, startups and
technology. students to come up with
innovative ideas
Data Driven Analytics
• he digital data trail generated by
T Analyzes customer pro-
social, wearables , IOT, demographic files and market reports to
and geographic data attributes provide offerings to wealth
IoT DBS
are allowing banks to create micro management clients
customer segments and provide hyper
personalized customer journeys.
Processes RPA
• RPA and cognitive automation Built three separate internal
eliminates the repetitive tasks and Blockchains within labs to
Process Digitation
allows a process to be executed by Citi test the technology, focusing
digital labor, instead of extensive primarily on international
manual labor. payments
Operating KM • he new operating model for the
T When Canada's largest online
Model digital bank needs to implement bank rebranded from ING
and orchestrate the digital solutions Direct to Tangerine, its intro-
in tandem with each other around Tangerine duction strategy was as inno-
customer journeys and perfectly vative as it was successful
balances the external forces of
regulators and competitors
Source: Deloitte Analysis
20Resilience & Resurrection
and product innovation. Banks need to upgrade themselves to a service-based architecture, designed to ensure quality, improve
business agility and deliver the product, services, processes and functionalities that are useful for both the customer and the
bank.
Key principles defining service architecture include:
Figure: Key Principle Defining Service Architecture
One click processing – Agile implementation – Data analytics – GoLoSoMo –
Use pre-emptive technology Drive with phased data and Use advance data analytics Global, local, social, mobile;
enabled processes to remove rapid implementation keeping to deliver personalised all platforms and customer
complexity. in mind the end state. experience. channels should be served
“an omni channel experience”
across the channels they
access.
Source: Deloitte Analysis
The future of a bank is a complex environment of technology and business models and the bank is likely to need a very different
architecture to adapt to the changes. More applications and functionalities are likely to be hosted in the cloud, requiring strong
governance on risk, compliance, data and information sharing standards. Similarly, many specialised services are expected to
be provided by FinTech, which will be enabled by an API fabric which will help fulfillment of these services across organisational
boundaries.
Figure: Bank Architecture of the Future
Cloud based Core Banking
Solution
Digital
Touchpoints
Blockchain driven Cross Border
Payments
Interoperability Layer
Aadhar eKYC and
CKYC store
Enterprise Key
Service Bus Management
Big Data
Analytics
API Integration
Rules Based
Management
processing
API Fabric for FinTech Service
providers
Cloud based CRM and Cloud based blockchain for P2P and
MDM solutions B2B payments
Source: Deloitte Analysis
21Resilience & Resurrection
By now, it has become evident that this is the right time for banks to invest in technology transformation and strong business case
exists to justify the same. However, before embarking on this transformation journey a key consideration needs to be addressed
–how can a bank make this transformation to deliver new-age digital services while ensuring profitable growth for survival? Key options
which are available with banks are as follows:
1. Enhance existing core system;
2. Build your own platform – big bang or phased;
3. Partner with or acquire a new age Bank/Fintech.
These three options have been elaborated further in the figure below.
Figure: Approach for Digital Transformation
Partner with or acquire a
Enhance Existing Core Build – Big Bang
new age Bank/FinTech
• Bank retains its core system and • Installation of a completely new • Banks can consider to partner
overlays new digital channels core system in place of legacy with or acquire a company built
linking front and back offices; system; on a digital platform;
• Typically, a complex exercise, • Important to have well defined
• Complex and high risk approach,
time consuming and fails to FinTech strategy and crucial
and entails long time frames.
address the requirement of to identify a suitable partner
agile and service oriented to create a long term mutually
architecture; beneficial partnership.
• Banks are upgrading their core
banking applications which in A large French bank has acquired a
turn are providing capabilities for Build and Migrate German direct bank as part of their
digital transformation. digital strategy.
• New core is developed to support
A large private sector bank in India a new digital bank; FinTech are helping a new private
carried out complex core banking sector Indian bank acquire customers
• Business sub-sets are migrated
migration with zero downtime for for its credit products.
to new core gradually.
channels and new system reduced
turnaround time in transaction. A large bank in the Nordic region
processes by 25% serving 11 million customers is
undergoing a major core replacement.
Source: Deloitte Analysis
Conclusion:
Banks and financial services institutions might have survived to date by leveraging technology as a business enabler (i.e.,
support function). However, with changing customer needs, growing competition, disruptive digital technologies and increased
regulatory pressures, it is imperative for banks to upgrade their enterprise architecture and the associated technology landscape
to drive business and innovation. The recent wave of technology innovation has shaken the banking landscape, a similar wave of
sophisticated cyberattacks and media amplified IT outages has shaken the customers’ and regulators’ confidence. Hence, banks
will have to focus on building an architecture which is resilient, secure and scalable to ensure minimal disruption to business
during unforeseen scenarios and help resurrect the banks position to digital savvy customer’s needs.
22Resilience & Resurrection
Cyber threats and privacy
Banking industry is witnessing
rapid changes in terms of digital
transformation and agile culture
development. With increase in
consumption of smart phones and
introduction of 4G services in India,
banking consumers have developed
a preference of digital payments and
online banking.
In the industry where customers have
developed a digital mind set and moved
towards adoption of digital services,
customer centricity and enhanced
digital experience have become one
of the top most priorities for the banks.
As part of providing an enhanced
customer experience, the banking
sector has adopted an Omni-channel
customer engagement environment
that includes channels like online
banking, mobile payments, in-branch
services and social media management
teams.
One of the major factors that continues
to affect the banking industry is
regulatory requirements. The Reserve
Bank of India (RBI) governs the banking
sector in India through various legal
The following areas reflect the major information stored in the magnetic
and regulatory requirements. These
cyber threats pertaining to the banking strip.
regulatory requirements focus on
industry: Mobile banking exploitation:
•
areas such as Information Security,
Electronic Banking, Technology Risk • hishing and social engineering:
P Mobile devices are targeted to steal
Management and Cyber Frauds. The Cyber criminals manage to break in personally identifiable information
regulatory authority also cover the with the help of social engineering such as pre stored payment
aspects of risk management and code and phishing. E.g. Phishing email sent information etc.
of conduct in out sourcing of financial to bank employees, fraudulent calls
services by Non-banking financial to banking customers etc. With the increase in cybercrimes,
companies (e.g., IT service providers) Sector specific malware:
• the banking industry continues to
Increased use of banking Trojans invest in cyber security solutions
Rapid changes in technology and and ransomware to achieve data and hiring the right talent to manage
disruptive transformation have enabled exfiltration. cyber frauds and incidents. Following
more sophisticated cyber attacks and are a few examples that banks are
Card skimmers: The attacker
•
a wider attack surface. With adoption implementing/adopting:
attaches a skimmer either on
of Omni-channel models for providing the outside or inside of ATMs to Defense in depth: Implementation
•
various banking services to customer, collect card numbers and personal of layered approaches that provide
the attackers have also improvised their identification numbers, or uses point redundancy and slow down the
penetration methods. of sale terminals to extract card attacks in progress.
23You can also read
