With the rise in technology adoption by financial institutions, the role of CTO has increased manifold as the selection of right technology even by smaller institutions can give the larger establishments a run for their money, says K G Subramaniam, Director- Technology, Barclay’s Bank, in an interaction with Poulami Chakraborty of Elets News Network (ENN)
What role does a CTO play in business development of a financial institution?
The role of CTO has never been as critical and powerful as it is today in shaping the destiny of the institution. Today’s disruptive landscape presents a great opportunity even for a small institution with the right technology to compete and achieve scale at par with the Goliaths of the sector and that too, very quickly. In that sense, a CTO of a larger institution carries even a bigger challenge to help the firm protect its market share and grow as well.
So, in addition to ensuring the best technology for the firm, if the CTO is able to leverage recent developments and create technical options for both existing businesses as well as for new businesses, it will help fulfil a critical mandate of that role.
In particular, the CTO would need to partner with the business development in incubating new businesses for the firm that exploits technology breakthroughs, giving an invaluable head-start and thus mitigating the risk of being left behind.
How do you look upon the tech implementation among Indian financial institutions?
Besides addressing key user functionality, the technology implementations in general can be defined by its ability to scale, support inter-operability, resilience and reliability, accessibility as well as its security and controls – to cite a few critical parameters.
Against that, the tech implementations in most of the Indian financial institutions tend to fall short in one or more of these parameters and thus constraining its agility and ability in delivering a secure technology, easily accessible to the firm’s end customer.
In terms of processes as well, the tech implementations have largely followed the SDLC life cycle vis-à-vis the agile processes that could be more relevant in the current context.
What Technology has been adopted for internal operations within your institution?
For our internal operations, depending on the need and keeping in with the developments, we have adopted a mix of home-grown and vendor-based software. In addition, we do leverage on fintech and hackathons to try and achieve breakthroughs, which would help work around constraints created by legacy technology, till its strategic replacement is in place.
What kind of challenges does the convergence of social media, mobile banking and cloud pose for banking sector? How are you addressing those challenges?
The convergence of social media, mobile banking and cloud have brought about a paradigm shift in the delivery of financial services, but they also bring challenges relating to data privacy and regulatory adherence – key being the user credentials, availability, interoperability and security issues. To address these challenges and ensure a seamless user experience for the end customer, amongst others, we focus on the following:
- Appropriate choice of platform for customer data
- Implementing mobile security container solutions (to prevent it from being run on jail-broken/rooted devices) and publishing the app in trusted app store
- Data encryption/tokenisation as required and local encryption of data-at-rest
- Full due diligence of social media integration, and
- Continuous surveillance and adequate security governance (such as appropriate security clauses in contract, regular audit and vulnerability management).
Are the new payment applications being launched posing a threat to mobile-based transactions? Is there any regulation for non-banking payment mobile applications?
It is true that many payment applications are being launched in the market, and they do bring new data protection challenges due to the evolving payment models and processes, which need to be addressed on their merit. The threat increases due to pervasiveness and ease of mobile-based transactions, and so a risk-based decision may be explored to introduce lower transaction limits depending on the channel, to manage the exposure.
The relevant regulations for the payment mobile applications would be the Prepaid Instrument (PPI) Licensing guidelines from the RBI under the Payments and Settlements System Act (PSS Act 2007) as well as the PSS Regulations, 2008.
Is Barclays exploring technologies such as biometric to authenticate users’ identity? What are the present ways adopted to authenticate users?
Barclays continuously evaluates emerging technologies such as biometrics to authenticate users’ identity, as these have been permitted by local regulations as well. Leveraging on those benefits the bank as well as the customer.
What kind of security mechanism is required to make mobile banking applications foolproof?
Without doubt, a mobile banking offering comes with a challenge of playing a fine balance between innovation and risk even while customers implicitly trust the banks to safeguard their information. So, from a security viewpoint, effective design and implementation plays a key role – how to securely create and store the user credentials, strong user authentication controls, application code security and data security.
This would include protection of data at rest and in transit using encryption to secure data within the app sandbox and also encrypting individual data elements as needed for the data transfer.
Added to that, a risk-based approach to functionality offering in the device, the ability to gauge the security of the underlying device, having remote wipe capabilities, real-time fraud detection and AML capabilities would definitely enhance the controls. Also, keeping a watch for fake bank apps in the App Store resembling the firm’s app is also a must as limited user awareness can be exploited by seasoned threat actors.
What are your thoughts on unified payment interface? Can it address the security concerns linked to payment and banking applications?
Out of the key benefits that the NPCI’s Unified Payment Interface (UPI) seeks to bring, I would point out two – one for the end customers, who are individual payment senders and beneficiaries, and the other for the merchants, who have to receive payments from their customers.
For the end customers, the single-click two-factor authentication combining the innovative Virtual Address feature and the MPIN go a long way in keeping the payment ecosystem simple and secure while accomplishing instant payments. The personal data (credit card and debit card etc) sharing is done away with.
The other key benefit is the easy debit capability provided by this platform through the Pull functionality, which enables the merchants to initiate collections from their customers, which is instantaneous and at low cost.
Given its inherent strong end-to-end security framework offering data protection, the UPI interface is indeed better positioned to address the security concerns linked to the payment and mobile banking applications.