Retail Banking Client Data Privacy & Protection ... - Clearswift

Retail Banking Client Data Privacy & Protection Transformation Priorities to Establish the Leaders of the Digitalization Era October 2015

Clearswift Best Practice Guidance for Critical Information Protection

CRITICAL INFORMATION PROTECTION. Competitive advantage for

Retail Banks

Table of Contents

Introduction  3
Evolving the Retail Banking service for a sustainable client experience  4
  New focal point: optimizing the client experience  5
Digitalization risk elements leading to client privacy exposure  9
Regulatory implications  10
Evidence that client data protection gaps still exist  11
An objective expert’s perspective and call to ‘do more’ in banking  12
Barriers to advancing the digitalization of retail banking  13
  Challenges to new service launch - agility & speed  13
  DevOps as part of the new services agility-with-stability solution  13
  Cause & effect: fluidity of new services drives omnipresence of client data  13
Transformation activities: C-suite collective alignment  14
  Transformation project initiatives  16
  Critical information protection – mini-transformation project initiatives  16
  Scoping the problem  17
  Preparing the solution  17
  Implementation  17
  Review and modify  18
Summary  18
Appendix A: The impact of regulatory requirements on data management processes  19
About Clearswift  21

Clearswift Client Data Privacy & Protection | September 2015 | Point of View Document

www.clearswift.com

Introduction

Within the retail banking sector, digital has become the backbone of a new integrated fabric spanning all channels, value-added services, complex business processes and enhanced profitability. As the bank’s streamlined, ‘One-Click’ processes with clients become redefined by digitalization, the business imperative of accessing and protecting client data creates many new responsibilities and opportunities for adding value to the client experience and to the operational efficiency of the bank, emphasizing the quantifiable challenges of client data privacy and protection. There is little question about the significance of aligning the processes and channels required to deliver a digital platform; however, business efficiency needs to be assessed against the magnitude of client data and the need to protect it across the interconnected, multiple channels of client engagement. Failure to understand the impact of the new channels on the distribution, availability and protection of client data will potentially result in inefficient digitalization, client disapproval and intensified data loss, either from the primary data holder or from one of its third-party data processors, and with it the potential for significant reputational damage.

“Banking is not somewhere you go, but something you do.” – Brett King, Bank 3.0, 2012

As branch formats are aligned to match customer profiles and needs in each location (everything from unmanned, fully-automated outlets to full-service outlets), the retail bank’s executives, including the Chief Operations Officer (COO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and Chief Compliance Officer (CCO), will have to wrestle with prioritizing a lengthy list of branch- and country-specific competing infrastructure, complex processes, security and regulatory compliance requirements on a daily basis. As banks move away from a purely ‘contribution to profit’ consideration to include customer experience and access to funding in a low interest rate environment, the need for agility in providing new services has never been greater. However, banking is one of the most regulated industries, and the contagion of the 2008-2012 economic crisis has prompted many governments to establish increased operational regulations, requiring large banks to legally separate their volatile wholesale arms from their retail banks by 2019, when the Basel III international banking agreement comes into force, and to implement the Dodd-Frank Wall Street Reform Act, which, under the Volcker Rule, updates the abolished US Banking Act of 1933 (Glass-Steagall). These soon-to-be-implemented restrictions will provide increased protection for clients’ best financial interests and also longevity for the banks, but the client now has a new, growing, monetizable asset held by the retail banks: ‘Personally Identifiable and Payment Information’.

When client data is considered an asset for both legitimate and criminal processes, it will serve to reinforce and differentiate the banks’ required investment in new technology as part of their digital transformation, raising the questions:

• Should client data held by the banks remain a line item within the broader list of security and compliance investment requirements for banks, or should it be separated, prioritized and treated as the monetizable asset it represents?
• It is essential, but is it possible, for the rest of the bank’s C-Suite to enter the information security fold and transform client data privacy from a source of risk, anxiety and expense into a source of competitive advantage and brand distinction?

As banks transform to become fully digitized, providing the ultimate client experience, the pivotal nucleus will be multiple-channel accessibility and the richness of CRM, social, personal and behavioral data. Understanding this information and exploiting it like never before will create the impetus for the bank’s collective executive leadership to prioritize client data privacy and protection as a “Vanilla Standard” for the bank’s new product and service offerings, as well as for its broader enterprise cybersecurity and compliance framework. Prioritization has implications that extend beyond the existing sole responsibilities of the CIO, CISO & CCO because it directly affects ‘Increased Penetration’, ‘Client Experience’ and ‘Information Accessibility’ and addresses ‘Security Concerns’, all of which directly drive improved client loyalty. Client data privacy, protection and leadership from a client advocacy standpoint will directly impact the top-line growth agenda of the bank’s senior executives through client loyalty, and will also stimulate the client to use the bank’s apps and websites more frequently, capitalizing on the transition of websites into a sales tool and not just a service portal.

Simply put, ‘the heightened criticality of client data privacy and protection in retail banking is becoming a unified priority and business imperative for the entire C-Suite’.


Evolving the Retail Banking service for a sustainable client experience

An array of market forces in the new digital era is having a profound impact on the retail banking sector and on traditional banks as we currently know them (Fig 1). Technological capabilities, regulatory requirements, and the consumer appetite for innovation and flexibility are creating an imperative to change. Online banking is now a core element of both retail banking operations and client expectations. Competitive barriers for new, non-traditional entrants such as Atom, Fidor Bank, Starling, BankMobile and bKash are disappearing. In order to compete, banks must continue to transform themselves across all channels and operations into the required ‘always on’ bank of tomorrow, today.

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

A new digital value chain promises to reshape how banks compete, operate, drive profitability and enhance interactions with clients. New channels for interaction and client engagement now exist to complement the evolving value of brick-and-mortar relationships in delivering client-specific service and a lasting experience, with the intention of driving client loyalty, value-added service/product adoption and top-line growth through innovation and resource efficiency. This clearly has implications beyond the CIO and falls into the top-of-mind requirements of the CMO and other C-suite members.

[Figure 1: Digitalization brand distinction: market context & considerations (Clearswift market point of view). Diagram labels: Retail Banking re-visualized; Market forces (Payments disruption; Digitalization; Client evolving & maturing appetite for technology; Governance and regulations; Lower competitive entry barriers); Bank identity & values; Omni channel market outreach; Growth agenda; Brand; Client proposition & value (Online security; Seamless support); Cloud: Sales cloud, Service cloud; Client ‘one-click’; Value-added services & products; Multi-label strategy; ‘Wow’ experience; 3rd party providers; Branches, call centers, partners; Mobile; Sales leads, promotions & campaigns; Product & service offerings; Client data (CRM, behavioral, personal, social, etc.); Digital platform.]

Fig 1: Retail Banking re-visualized: The heightened need for client data privacy and protection can be a catalyst of a retail bank’s digitalization growth agenda and client advocacy of the brand.


Supporting the Clearswift “Retail Banking Re-Visualized” market point of view is the 2015 report from Accenture [1], which emphasizes how digital technology increases the need for transformation: ‘Non-banks are capturing more and more of the banking value chain, providing services such as payments, checking and even savings accounts that could erode as much as one-third of traditional bank revenues by 2020’. The response is not just about evaluating branches, improving online and mobile banking offerings, or making current products and services “more digital”. Instead, the report says, “banks need to move further into the daily lives of customers, providing assistance before, during and after the financial transaction.” Accenture describes the “Everyday Bank” as having the capability to leverage the vast amount of insight it possesses about the client and their environment to become central to a customer’s digital ecosystem. The retail bank must reinvent itself as a value aggregator, advice provider and access facilitator, acting proactively on the customer’s behalf and improving reputation and trust.

New focal point: optimizing the client experience

The ambition of a retail bank’s digital transformation is to pivot to a new client-centric business model that is more about client experience than promoting products, which comes with a change in client interaction and trust. With the competitive entry barriers of yesteryear disappearing for new players, it is important for traditional banks to act quickly to implement this new model of retail banking, empowering customers to embed (and adopt) new forms of banking services & interactions into their digital lives. Financial transaction behavior has moved on in so many ways, creating a new model of banking driven by the expectation of the individual, such that banks need to support them; new banks are often there first, as they are not encumbered with legacy systems, technologies and architectures. This creates further pressure on the traditional banks, which need to support their legacy environments while responding to the new requirements. Recent technological advances which need to be supported include the introduction of new digital currencies (for example Bitcoin, NueCoin, Ripple, Litecoin, Peercoin, Namecoin, Dogecoin, Next and Mastercoin), which are now widely accepted as a form of payment, as well as new online and mobile apps (for example Apple Pay, Mint, Spendee, Manilla, Paypal and SavedPlus) to carry out payments without the need for a traditional bank or credit card. Of course, coupled with this are the various forms of client-driven, enhanced digital outreach channels (including branches, mobility, apps and social media). Change in order to support these new mechanisms, at the speed the client expects, will involve usage, collaboration, movement and storage of client data on unprecedented levels. The increasing volume and importance of client data creates considerations related to the collection and treatment of data.

As far back as 2003 [2], the Basel Committee on Banking Supervision considered that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To meet customers’ expectations, banks must therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services. It would be ironic for, and undermining to, the bank’s next-generation investments and brand modernization efforts to neglect weaving client data privacy protection into every transformational step along the way. Simply put, banks cannot readily move towards the new model without simultaneously addressing the electronic-risk, or e-risk, implications, particularly client data privacy and protection. This viewpoint is depicted via the new e-Banking Client Centric Business Model (Fig 2) and emphasizes once again how the collective remits of the CHRO, COO, CMO & CIO converge around this issue. The diagram emphasizes that the central issue is not banking risk mitigation, but rather e-client loyalty, trust and brand preference.

[1] “The Everyday Bank: A New Vision for the Digital Age,” Accenture, 2015.
[2] Bank for International Settlements, www.bis.org/publ/bcbs98.htm


[Figure 2: Digitalization client centric business model. Diagram labels: Bank CHRO: Reorganized retail bank and upskilled to deliver client specific engagement; Bank CIO, CISO: Prioritised ‘client data privacy & protection’ with ‘Delivery Agility’; Bank CMO: Demonstrated ‘client-first’ brand leadership & distinction in the digital era; Bank COO, CCO: Value-Added Service Adoption, Business Empowerment aligned to Regulatory Compliance via ‘enhanced perceived value from the market’; centre: Capturing Client Loyalty, Trust & Preference; foundation: Digitalization enablement utilizing a ‘Critical Information Protection’ Framework for automated adherence for Client Data Privacy & Protection.]

Fig 2: Digitalization Client Centric Business Model: Implementing and enforcing a ‘Critical Information Protection’ framework can be instrumental in achieving a client-centric business model in the emerging e-banking era.

Regulatory compliance, outside of current industry practices, will become routine in business on varying levels, and where the retail bank operates in more than one country the application may differ based on country and government privacy regulations. The Basel Committee on Banking Supervision (BCBS) consultative document ‘Principles for Effective Risk Data Aggregation and Risk Reporting’ sets out the regulatory drivers for change within the industry and the implications for banks. The BCBS proposed 14 principles to ensure that data and associated processes used by the risk function are “fit for purpose”. Global Systemically Important Banks (G-SIBs) are required to implement the principles in full by the beginning of 2016; they would already have submitted a self-assessment against the principles to their local supervisor in 2013. The BCBS paper sets clear expectations that banks will quantify their risk appetite and have robust infrastructure, processes and controls in place to monitor risks within the appropriate thresholds across credit, market, liquidity and operational risk. A summary of the 14 principles is provided in Table 1.


Summary of BCBS Principles for Effective Risk Data Aggregation and Risk Reporting

Governance and Infrastructure
• The bank’s board and senior management must understand deficiencies in all aspects of the controls and aggregated data.
• Organisational boundaries must be overcome so risk data can be accurately aggregated across business lines, jurisdictions and legal entities in a timely manner.
• Systems must support risk data aggregation and reporting, including during times of stress or crisis.

Risk data aggregation capabilities
• Banks must demonstrate the ability to generate accurate and reliable aggregated risk data, largely automated to minimise errors.
• The capabilities will also need to meet all on-demand and ad hoc report scenarios in a timely manner, including during crisis situations and in response to a supervisory request.

Risk reporting practices
• Banks must ensure that reconciled, validated and accurate risk reports are presented to the appropriate stakeholders in a timely manner to support the decision-making process.
• The reports must cover all material risk areas within the organisation and be easily understood by recipients.
• All material gaps or weaknesses must be well understood and factored into the decision-making process.

Supervisory review, tools and cooperation
• Supervisors will review and monitor banks’ compliance with the principles and use appropriate tools to ensure deficiencies are addressed in an effective and timely manner.
• The supervisor should have the ability to restrict growth in a bank’s risk-taking activities should it have concerns about data deficiencies.

Table 1: BCBS Principles for Effective Risk Data Aggregation and Risk Reporting [3]

However, rather than retail banks approaching this from a purely compliance stance, there is also an opportunity for established and trusted banking brands to take a leaf from the new online banks and start their regulatory adherence ahead of the legislation, to demonstrate new thinking and operational excellence in the form of competitive differentiation. This in turn will help to allay consumers’ perception of security concerns as the major factor in their reluctance to bank online [4], allowing retail banks to remain the trusted and preferred banking brands of the future. Standard competitive pressures mean that the new market entrants will move more quickly on this issue, as their foundation is built upon access, collaboration and storage of digital content, thus formulating a new preference of trusted brands in e-banking. The plethora of data loss incidents reported globally, which have unfortunately become commonplace, has meant that new operational capabilities are available for banks looking to be more progressive in the area of client data privacy and protection. Voice of the Enterprise: Information Security from 451 Research indicates that fear of data loss or theft is the number one security challenge over the next 12 months and that the use of DLP in information security projects is a growth priority over the next 12 months [5]. As with the execution of any technology category used to provide a business benefit, the technology industry has delivered a mixture of traditional and new features and functions over the past decade that address the nuances and evolution of individual businesses and implementation preferences, such as Virtualization (VMware), Mobile Pay (Apple), Adaptive Redaction (Clearswift) and Bitcoin (the technology, not the crypto-currency). This has enabled retail banks to move beyond traditional security constraints, to prioritize client data protection and to use security automation to create new sources of business value for clients.

[3] Risk, data and the supervisor: The clock is ticking…, Deloitte & EMEA Centre for Regulatory Strategy
[4] Retail Distribution 2015, McKinsey & Company
[5] The Data Loss Prevention Market by the Numbers 2014-2019, 451 Research, July 2015


Sitting above (or below) these features and functions has to be a framework that underpins any digital transformation. For the purpose of this report our focus is on client data privacy and protection. A ‘Critical Information Protection (CIP)’ framework (Fig 3) needs to be implemented as part of the organization’s mini-transformation projects. The CIP framework allows banks to avoid approaching client data privacy and protection in a regulatory compliance “check-box” fashion, and instead lends itself to appreciating the value assigned to each element of client data as it relates to the differing business units within each organization. By abstracting out the client data and wrapping privacy around it, it is possible for retail banking operational personnel and technology leaders to work more closely together and create a foundation of automated client data management. For privacy to be effective there needs to be an understanding of the context of the data within the operational, regulatory, collaboration, new product applicability and other activities of the retail bank. This allows the organization to mitigate the risk of cyber-targeting and the theft of the information, or of exposing client data unintentionally.

[Figure 3: Critical Information Protection (CIP) Framework. Outer ring: OPERATIONAL RISK & REG COMPLIANCE (Prioritized Client Data Privacy Drives Brand Distinction); Risk handling as a foundational element of brand leadership; infra & end point security; reg. compliance & audit; proactive threat mitigation. Inner ring: CLIENT DATA PRIVACY (CRITICAL INFORMATION PROTECTION), with the practices Security Governance, Classification & Policy, Remediation, Employee Comms and Metrics. Centre: DATA, described by attributes including Structured/Unstructured, Large/Small, Simple/Complex, Raw/Report, Analytics, Information, New/Old, Personal/Business, Temporary/Permanent, Transient, Knowledge, IP, Text, Image and Social.]

Fig 3: Critical Information Protection (CIP) Framework, Clearswift

The basis of the framework provides flexibility for organizations to implement these practices as part of the evolving change management that the retail bank needs to adopt in its aim of digitalization. If assurance as to the protection of client data can be given at all times, then agility in new service definition and rollout can be achieved in conjunction with the adoption of the new and evolving financial transaction technologies. Understanding the interdependencies of each practice (task) ensures that this is an evolutionary change rather than a radical revolutionary adoption, where feedback from clients, employees, 3rd parties, etc. can feed into the framework to ensure that their nuances can be appreciated and employed.


• Employee communications: Building and sustaining a culture of client privacy and protection requires developing a program that engages employees in proactively taking steps to ensure more secure communications and processes, including providing mechanisms for employees to learn more about company data protection policies, why they are important, and how to raise issues to get results.
• Classification & policy: Not all data is sensitive, so understanding that there are differing data types ensures that there will be appropriate levels of policy enforcement. Begin with the data most critical to the enterprise and develop, over time, a data classification and policy management program that regularly solicits input from across the business on the most critical data to protect. Banks need to develop and deploy a methodology to prioritize this input in order to ensure that the right information is protected with the appropriate level of investment.
• Remediation: An effective remediation program will focus on sustainability to support digitalization, moving from reactive, employee-driven (manual) remediation processes to system-driven, proactive (automated) remediation processes in the mid-term. Enforced automated remediation ensures that, although the processes that address data loss incidents may not yet be fully implemented, the technology acts as a guardian for the business and its employees and ensures that client data privacy is protected and secure during this transition period. Development of future digital channels and business activities (M&A) can be integrated into the remediation program, ensuring that newly introduced data is protected until the necessary re-architecture and normalization activities have completed.
• Metrics: A metrics program must adequately measure data loss risk reduction both company-wide and at a more granular level (executive, business unit, department, etc.) to support ownership of data loss risk reduction. Communication of results, both successes and where more effort is needed, is essential in order to drive change and adoption. These metrics also help an organization assess and communicate critical information protection program performance and quantify the value realized.
• Security governance: Often defined within a cross-organization Steering Committee, it provides strategic direction to those developing the critical information protection program. This overarching program needs to cover policy development and management; incident remediation process development and execution; collection and communication of metrics demonstrating program effectiveness and results; employee awareness, training, and engagement; and the selection and phasing of technologies for the critical information protection solution deployment.

Digitalization risk elements leading to client privacy exposure

With the compelling new model of retail banking, embedded with client engagement and retention, firmly in mind, there is a need to consider the specific elements of client data privacy risk that must be addressed, beginning with a look at the types of digital information banks routinely collect.

• Personal information: When one visits or uses online banking services, banks may collect personal information from or about individuals such as their name, email address, mailing address, telephone number(s), account numbers, limited location information (zip/post code to help find a nearby ATM), user name and password. Banks will also collect payment card information, social security or national ID numbers and driver’s license numbers (or comparable), which are reasonably required for ordinary business purposes.
• Information usage and impact data: In addition to personal information, banks may collect certain information about a client’s or prospect’s (channel demand generation) use of online services. For example, the bank may capture the IP address of the device used to connect to the online service, the type of operating system and browser used, and information about the site, the parts of the bank’s online service that were accessed, and subsequent sites visited. The bank or its third-party partners may also use cookies, web beacons or other technologies to collect and store other information about sites visited or use of online services. In addition, banks may later associate the usage and other information collected online with the personal information from the individual.
• Omni-channel and mobile banking data: For convenience, banks offer the ability to access products and services through mobile applications and mobile-optimized websites (‘Mobile Banking’). When using mobile banking services, the bank may collect information such as unique device identifiers for one’s mobile device, the screen resolution and other device settings, information about location, and analytical information about how that consumer typically uses their mobile device. Consent is typically requested via location service permissions before collecting certain information (such as precise geo-location information).
• Additional sources of client information collected: Banks may also collect information about consumers from additional online and offline sources, including co-branded partner sites or commercially available third-party sources such as credit reporting agencies. Banks may combine this information with the other information they have collected about a client, as defined under their Online Privacy Policy.


The combination of all the above types of personal and banking information provides the retail bank with a level of rich CRM data that exists today but is often siloed across the differing operational units. The challenge for retail banks will be to assimilate this data both for the client experience and to gain traction on client longevity. However, collecting data at this level of richness also exposes the organization, its employees and third parties to intentional and unintentional data disclosure, breach and theft, for which mitigation is required.

Firstly, there is the external movement and disclosure of client data. Banks may share the information collected from and about individuals with their affiliates and other third parties. For example, banks may share an individual’s information with:

• Affiliated websites and businesses, in an effort to bring improved service across their family of products and services, when permissible under relevant laws and regulations
• Third-party service providers
• Other companies, to bring co-branded services, products or programs

Today, it is becoming increasingly important to understand the full information supply chain in order to ensure adequate protection along its length. A data breach at a third-party data processor or an affiliate will have a negative impact on brand reputation. Joined-up process and thinking is required to protect the information that has been shared.

Secondly, there is the internal movement and disclosure of client data. Banks share, disclose and manipulate varying levels of client data internally as part of their standard business operations and for product/service development. This is essential to track, alert and measure effectiveness for specific types of client segment. A brief number of examples include:

• Development of new online services
• New product offerings
• Mobile transactions for differing users across a variety of device types
• Market testing for diverse/new demographic markets
• Marketing programs and campaigns
• Copies of data for disaster recovery and business continuity
• Freedom of Information (FOI) requests

Once again, a complete understanding of the use of the information is needed. As internal processes increasingly rely on external collaboration, it is not unusual for internal departments to outsource parts of projects in ways that may not be realized by those further up the bank. What was thought to be an internal project suddenly turns into an external one, with all the additional risks that are associated with it.

Regulatory implications

The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0 and mobile applications, amongst others, is realized. In the case of client data, retail banks should adopt a ‘Client First’ approach to GRC as the exponential growth of client-related data develops and the diversity of operations spans traditional banking silos. As a heavily regulated industry, there are multiple regulations that must be adhered to. Some of the primary data protection regulations that retail banks have to comply with by law are outlined in Table 2.

Regulation                                Data Included   Regulation Revision Planned   Primary Region Focus
Safe Harbor [6] (see Appendix A)          PII             Yes (2015–2017)               US – Europe, US – Switzerland
EU Data Protection Directive 1998         PII             Yes (2015)                    28 EU Member States
PCI-DSS                                   PCI             3.2 due 2016                  Worldwide
Electronic Communications Privacy Act     PII, PCI        No                            US

Table 2: Examples of primary data protection regulations governing client data

[6] http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf


The current European Data Protection Directive in the European Union is due to be superseded in the next 6 months, with the replacement becoming law within 2 years (~2017) and bringing with it the possibility of massive fines based on 2-5% of global turnover (or up to €100,000,000 if required). This document positions compliance with the new EU General Data Protection Regulation (EUGDPR) during the timeframe of digitalization, without the need to revisit compliance with the old ‘directive’, which may otherwise leave retail banks non-compliant and visible to the FTC, ICO and other regulatory organizations (7).

Evidence that client data protection gaps still exist

A recent survey on data protection and privacy highlighted that client data protection is still a major concern for EU Citizens (8). When it comes to control over personal data:
• >80% feel that they do not have complete control over the personal data they provide online.
• 66% are concerned about not having complete control over their personal data.

The respondents were most concerned about the recording of their activities via payment cards and via mobile phones, both of which have a direct impact on the next generation bank. Building trust in a digital platform with protection around personal (client) data will provide the competitive advantage.

In a separate question around the disclosure of personal data:
• >70% say that providing personal information is an increasing part of modern life and accept that there is no other alternative.
• >50% disagree that providing personal information is not a big issue for them.

The majority of people are uncomfortable with Internet companies using information about their online activity to tailor advertisements, and >66% think it is important to be able to transfer personal information from an old service provider to a new one. We live in an era where competitors are only a click away, and new legislation to help individuals move accounts means that keeping and maintaining loyalty becomes critical to growth.

When it comes to the management of personal data by third parties:
• 70% say that their explicit approval should be required in all cases before their data is collected and processed.
• 70% are concerned about their information being used for a different purpose from the one it was collected for.

Almost all respondents say they would want to be informed should their data be lost or stolen, with 66% believing the public authority or private company handling the data should be the ones to inform them if it has been lost or stolen.

It is unfortunate that data breaches are no longer a matter of ‘if’ but ‘when’; however, understanding the viewpoint of the client means the organization can respond accordingly. For many organizations there is often a ‘click-through’ privacy policy, yet only 20% of people fully read privacy statements. Most do not read them because they find them too long to read, unclear, or too difficult to understand.

7 FTC, ICO and other regulatory organisations: Federal Trade Commission (US), Information Commissioners Office (UK), Federal and regional regulators (DACH), Dept. of Health and Human Services (US), Federal Data Protection and Information Commissioner (Switz), etc.

8 Source: Admin by Patrick van Eecke and Mathieu Le Boudec; http://blogs.dlapiper.com/privacymatters/europe-recent-survey-finds-that-data-protection-remains-a-major-concern-for-eu-citizens/

An objective expert’s perspective and call to ‘do more’ in banking

Data security experts and authorities agree that a more concerted and proactive approach is required for securing client data as a critical priority beyond the standard compliance check-box approach. At a recent Cybersecurity and Privacy conference in Brussels (April 29, 2015) (9), keynote speaker and recently appointed European Data Protection Supervisor (EDPS) Giovanni Buttarelli commented on his 5-year strategy. While acknowledging the importance of cybersecurity for the sustainability of our digitally supported economy and society, Buttarelli stated that the privacy challenges cybersecurity entails are not to be minimized, and that its objective is not to be misused to justify measures weakening the protection of data protection rights.

Buttarelli also addressed the tension between cybersecurity and data protection, stating that “The rights to privacy and data protection have long been perceived as conflicting with the objective of cybersecurity. I believe this is a misperception.” Instead, a high level of cybersecurity should ensure that such measures help improve the security of all information processed, including personal data. Cybersecurity can play a fundamental role for retail banks in contributing to ensuring the protection of individuals’ rights to privacy and data protection in online and omni-channel environments. He continued by warning that “cybersecurity must not become an excuse for disproportionate processing of personal data”. To find the right balance, data protection principles such as necessity and proportionality can be applied to help guide privacy-by-design and privacy-by-default for cybersecurity solutions.

Buttarelli also addressed the ongoing efforts to reform the EU data protection framework, noting that a key plank of the reform is data security. Under the current legal framework the three elements that determine the selection of adequate technical and organizational measures are:
• The risk of the processing
• The state of the art
• The cost of the measures

He noted that the third element must not be overstated, given the importance of appropriate data security. “A proper cost benefit analysis would demonstrate that data security benefits not only individuals whose personal information is processed, but also the professional reputation of the organization processing the data.”

Buttarelli explicitly mentioned various sectors that are expected to need to deal with cybersecurity more intensively: the banking and health sectors, and IT initiatives such as the Internet of Things (IoT), Bring Your Own Device (BYOD) and Wearables, as attacks on these would have a significant impact on privacy and the protection of personal data.

9 The full keynote speech of the EDPS: https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Strategy2015

Barriers to advancing the digitalization of retail banking

Challenges to new service launch - agility & speed

There is a natural and well-intended friction point between the top line growth Executive leaders (COO, CMO and Dept. GMs) and the IT leaders. The former have a desire to launch and monetize new services as quickly as possible. However, IT leaders (CIO, CISO and CCO) have a different point of view and are chiefly concerned with client support, service stability, security and compliance as priorities over speed. The latter ambition requires a slower and more risk-averse approach to new service roll out, to ensure new products, channels and services are adequately secure and adhere to the necessary regulatory compliance, whilst achieving the required levels of operational excellence. Because of this, IT executives are more inclined to adopt a methodical and controlled roll out, perhaps one new service per quarter, whereas the top line growth Executives would ideally wish to see one new service per month. This disconnect is clearly visible and understandable from both vantage points and therefore needs to be addressed.

DevOps as part of the new services agility-with-stability solution

Historically CIOs have managed new services creation through linear and controlled processes known as the Information Technology Infrastructure Library (ITIL) and IT Service Management (ITSM) standards respectively. These standard practices were created at a time when IT singularly had a monopoly on the enterprise technology infrastructure and the world moved at a slower pace than it does today. The rationale was that linear and controlled stages of design, development and testing would precede any new service release, in the spirit of stability and a successful launch. Unfortunately, this approach is now dated and the lead times required to accommodate this discipline do not match the speed of today’s business dynamics and the related appetite for new service launch and consumption.

Today’s solution is often for IT organizations to use a growth unit of the organization called DevOps to acquire the ability to roll out services with both speed and stability. DevOps combines application and new service developers with operations personnel to achieve the best of both worlds. DevOps teams are a major user of client data, to ensure that the new products/services are aligned to the specific client/prospect market being targeted. It is essential for the COO or CDO (Chief Development Officer) to align many of the elements from the critical information protection framework into the development practices, to secure the client data within these new services, eliminate the barrier to roll out and obtain the agility required by the C-suite.

Cause & effect: fluidity of new services drives omnipresence of client data

Solving the new service launch velocity problem through DevOps leads to another tangentially related issue. There is a common perception that data in its stationary state, or ‘at rest’, within IT systems is secure. This perception is to a large extent true, and server-based platforms where data resides, such as databases, CRM and ERP systems and the like, are reasonably protected from prying eyes. However, the issue that people often fail to realize is that today’s (and the future’s) retail banking enterprise is highly fluid and dynamic. The creation of new services means that client data is constantly in motion and not simply residing or resting within protected IT systems. Client data is continuously being processed and shared by many different personnel, 3rd parties and systems across the enterprise. The collective need for the data from multiple individuals or parties conducting their day-to-day operational roles within and even outside the bank requires data to be extracted from where it securely sits and utilized accordingly. Hence the root cause that exposes client data is data-in-motion, collaboration and replication.

The challenges that organizations can encounter can be seen if we look at how client data privacy and protection challenges originate and then exponentially grow just by the simple way in which banks create, roll out and conduct new digital channels and services. Below is a simplified example to illustrate the problem:
1. It all starts with a single master record in a database for any given client. The master record is a single copy that securely resides within a database, but then there is an interaction between systems (web, application etc.) as part of the day-to-day banking operations for services and transactions.
2. During this process, data is repeatedly extracted (fully or partially) from where it resides.
3. The omni-channel services will mashup (10) data with other sources of data, various payment methods, authorization checkpoints, security policies and automated processes. This places client data into new form factors and different types of records that reside on multiple IT systems.
4. It is then viewed, analyzed, reported on, shared, copied and stored by many different individuals along the operating value chain – taking what was once the original single client master record and transforming it into multiple form factors and records.
5. To visualize the magnitude of this, take this example of a single client record being replicated, and multiply that by the number of clients a bank has. It is not unfeasible to have 100s of copies of what was a single record roaming the organization at will – and that doesn’t take into account the versions in system backups!


10 ‘Mashup’ is the integration of heterogeneous digital data and applications from multiple sources for business purposes. An enterprise mashup is also sometimes known as a business mashup or, less precisely, as a data mashup.


Figure 4 provides a true picture of how over the past 35 years retail banking has evolved from data collaboration being a singular interaction with minimal restructuring of the original dataset to the current goal of digitalization where client data moves in multidirectional channels and interactions, accumulating and jettisoning portions of data during its journey.

[Figure 4 (image not reproduced): “2020: The definitive transformation to Retail Banking digitalization comes with a heavy (data) touch”. Panels: 1980 – 2000 Digitalization of Payments (HQ, Regional Branch, Bank HQ); 2000 – 2010 Digitalization of Payments (Bank Branch, Bank HQ); 2010 – 2020 Full Digitalization with a human touch (Omni-Channels: increasingly complex processes, appreciative of IT effectiveness, organisational/cultural change, new metrics; Digital; Data; Branches: open the Digital Bank before non-banks do, addressing client security concerns; accessible, integrated, secured, compliant, behavioural, social; right size and boost sales performance, fully digital with a personal touch; Bank Switch; Digital Banks: ATOM, FIDOR, STARLING; Video/Call Centres; Products: more tailored to individual needs, increase service-to-sales conversation, freeing up resources; integrated based on client journey, close revenue ‘leaking’).]

Fig 4: Multichannel data proliferation for digitalization, Clearswift

Transformation activities: C-suite collective alignment

As previously mentioned, a cyber security architecture and internal compliance (operational) policies designed to mitigate digital threats on behalf of the organization are only a subset of a broader enterprise risk and compliance framework. And, as cybersecurity specialists are well aware, client data privacy protection is only one element of a multi-faceted security and operational architecture. This paper asserts that client data privacy and protection must be prioritized and separated from those broader risk and compliance constructs. Implementing client data privacy and protection as the ‘foundation’ for a portfolio of new products and services provides the cohesion that was previously missing, yet is required for efficient service creation, launch and monetization. Once that concept is agreed upon, additional accountability must be assumed by the entire C-Suite, and then the challenge shifts to how to make Client Data Privacy and Protection implementation actionable.


Traditional banks understand the power of their brand as an asset and also that they are not immune to having their brand tarnished in the eyes of consumers and shareholders, as other industries have been (automotive (11), entertainment (12), retail (13)). Brand value is a component of growth and identity, and the basis for loyalty, service adoption and preference within the client base. Today, clients want to know that their personal information is safe and that the platforms the banks provide for interactions and transactions are secure. There is an opportunity to think about client critical information protection differently in banking, to deliver that promise at greater levels and enhance the reality (not just the perception) of trust with clients.

At the risk of oversimplification, the banking digitalization transformation construct comprises three tiers, as shown in Figure 5.
• The first or top tier of a client-centric business model is what we call the “client modern experience.” This is about creating modern, relevant services and is the outbound interface (channels) banks have with their clients that drives loyalty and new service adoption. At this point client loyalty is derived from the clients’ perceptions of security, trust and value they receive from their bank’s services and interactions.
• Below this layer is the “operational transformation layer,” which enables the client experience and creates the ability to deliver new client-centric products and services with greater speed. Delivery is via omni-channels and includes improved operational cost efficiencies through the implementation of branch variants. These require new platforms, business process optimization, applications (web/mobile) and rich client data analysis and management. It is at this stage that the organization defines its digital growth and operational initiatives via mini-transformation projects; these in turn drive growth.
• The third layer, reinforcing the operational layer, is the “operational risk and regulatory compliance layer.” Intended to be an all-encompassing approach to digital risk mitigation, it involves infrastructure and endpoint security; regulatory compliance and audit; and proactive threat mitigation (i.e. anticipating and addressing the notion of threats, including ‘zero-day threats’ that loom beyond the horizon), three common categories of focus for CIOs and their security leadership and compliance teams.

Client data privacy resides within the broader enterprise risk handling, security and compliance framework. However, in order to achieve efficiency in the three layers, client data and its privacy must be extracted from the broader framework and given its own dedicated layer, prioritizing this matter on behalf of clients. Not doing so has the potential to undermine the bank’s agility, growth strategy and potentially the client perception of the brand. By taking this approach, banks are explicitly approaching this as a ‘Client First’ initiative. Progressive banks and the new online banks are committed to collectively align and lead in this area. The Executive team have an opportunity to obtain the client loyalty for which they are striving and will likely achieve the coveted growth velocity for their brand within a crowded and competitive landscape.

[Figure 5 (image not reproduced): Retail Banking Top-line Growth ‘Client Centric Business Model’. Top tier – CLIENT LOYALTY: THE CLIENT MODERN EXPERIENCE (Drives Service Adoption): Client Perceived Security; Client Perceived Trust; Client Perceived Compelling Value of Services & Interaction. Middle tier – BANK DIGITAL GROWTH INITIATIVES/IMPERATIVES: BANK OPERATIONAL TRANSFORMATION (Drives Delivery, Relevancy & Growth): New Apps; New Services; Omni Channel; Data Leverage & Treatment. Bottom tier – RISK HANDLING AS A FOUNDATIONAL ELEMENT OF BRAND LEADERSHIP: OPERATIONAL RISK & REG COMPLIANCE (Prioritized Client Data Privacy Drives Brand Distinction): Infra & End Point Security; Reg. Compliance & Audit; Proactive Threat Mitigation. Foundation: CLIENT DATA PRIVACY PROTECTION POLICY & ADHERENCE.]

Fig 5: Prioritizing Critical Information Protection: As the “foundation”, client data privacy is a catalyst for achieving the needed operational transformation that delivers on the retail bank’s growth agenda.

11 www.khaleejtimes.com/business/auto/i-am-endlessly-sorry-brand-is-tarnished-vw-ceo

12 www.gamespot.com/articles/sony-brand-name-seriously-tarnished-by-hacking-con/1100-6424359/

13 www.gamespot.com/articles/sony-brand-name-seriously-tarnished-by-hacking-con/1100-6424359/

“Cyber security is paramount to rebuilding this trust – winners will have invested significantly in this area.” – PwC Retail Banking 2020 – Evolution or Revolution

Transformation project initiatives

The road to full digitalization for retail banks will take the collective effort of the entire organization to succeed. But viewing this in its entirety is overwhelming and would trouble even the most accomplished academic, consultant or seasoned banking executive. The transformation needs to be broken down into manageable, achievable ‘chunks’.

1. What is your organization’s 2020 vision?
• What would a blueprint look like for transactions, service and support as well as sales and financial advice?
• How can the client experience be elevated with innovation by removing their biggest frustrations?
• Do you wish to be a follower or an innovator?
• What is your greatest priority – cost reduction or service revenue growth?
Responses to these challenges will provide the organization with a starting point and a picture of what target blueprint success will look like.

2. Agree a set of mini-transformational projects to deliver the blueprint: As previously mentioned, a set of mini-transformational projects allows the organization to break down the overall blueprint into manageable stages. It also encourages the multiple disciplines within the organization to play an effective role in delivering digitalization. Each project may have sub-projects within it, but will effectively roll up to deliver the main project, enabling the deliverables team/individual to stay focused on an end goal. Prioritizing the projects to give quick wins followed by ‘biggest bang for the buck’ will help to maintain momentum. Nothing succeeds like success.

3. Top down execution:
• An overall project lead (Executive level) needs to be assigned to track and ensure execution and ownership of the mini-transformation projects
• Assign a realistic, ring-fenced investment budget that spans the length of the overall project. Unworkable budgets ultimately lead to failing services and then to client discontent
• Communicate to the whole organization what is happening, what they can expect to experience, how it may affect them and what the target goal looks like

Critical information protection – mini-transformation project initiatives

From a bank’s perspective, client data is the client, and client data is the most critical information that the bank holds. Therefore, within the mini-transformation projects, there is the need to address the critical information protection framework (Fig 3). With any new initiative it is essential that the ground work has been accomplished effectively prior to implementation. The effectiveness of the critical information protection framework is achieved by creating a foundation for the collection, access, collaboration and storage of an ever-growing volume of rich data. Organizations need to address this project with an open stance and ensure that all leaders, operational staff and developers are encouraged to build out the current picture of data residing within the organization, regardless of current activity or applicability to the future goal. Without this understanding, the ability to enforce policies, apply remediation actions, ensure compliance with security governance and report on the metrics of success becomes an impossible task.


A summarized approach is to resolve the following statements with a cross-functional team, with a view to reporting back to the C-suite (probably through the CIO):

Scoping the Problem
1. Have we defined what is our most critical / sensitive client data?
2. Do we know where it’s located (endpoints / databases / archives / etc.)?
3. What is the financial / reputational risk if this data was lost/stolen (quantified, and by example)?
4. How are other organizations / competitors in our industry solving this problem (by example) and what is their experience?
5. What are the regulatory / legal obligations regarding our client information?
6. How much will this cost (CapEx / OpEx / TCO) and what is the ROI?
7. How long will it take to implement and by whom?
8. Which departments will need to be involved and which told about the project?

Once the team/individual has accumulated all avenues of information and research, the mini-transformation project team will then need to address the following statements. Many of these statements will require cross-functional disciplines to be employed, emphasizing the need for the project team to include not only data owners but also data users and data governors.

Preparing the solution
1. How will we classify this information as critical (electronic / human) in each location and how long will this exercise take?
2. What organizational changes (staff / training etc.) will we need to undertake in order to make the solution effective, and when?
3. Is there a technology solution available to capture all the potential egress points, both accidental and malicious, of our client information (including cloud, mobile and bring your own device)? Will this come from a single supplier, or will multiple suppliers be required?
4. Does the solution fit within our existing infrastructure today or is further investment required? (Will the solution be on-premise, in the cloud, or a bit of both?)
5. Who is going to own the project (CIO / CTO / other)?
6. Can we get help before, during and/or after the project, from consulting, product and ongoing support perspectives?

You are now in a position to implement the transformation of your critical information protection framework, enabling the organization to ensure a ‘client first’ approach to client data privacy and protection.

Implementation
1. Which department or process will be first? Will this include partners in the extended enterprise, such as suppliers or third party data processors?
2. How will success be measured and over what time period?
3. What happens if some information is re-classified from / to critical during the project? Is there a contingency or process for changing priorities?
4. What will be the response to a data breach (especially if this happens before or during implementation)?


Review and modify

As each mini-transformation project is implemented and completed, a review should be carried out to ensure that unpredicted influences on client data privacy do not impair the effectiveness of the critical information protection framework. Looking to the future, the environment that the retail bank will operate in will move as quickly as technology evolves and as clients consume the services provided. This is not a set-and-forget project: the organization needs to assign owners to regularly review the critical information protection framework as new services and products are developed. It also needs to be reviewed as new data is created and new collaborative partnerships are formed as part of the bank’s growth strategy.

Summary

Retail banking is going through a period of unprecedented change. Banks with large amounts of heritage are coming under threat from new players who see their ability to react more quickly and efficiently to client demands and marketplace trends as the competitive advantage they need to break into the market. For banks to move to digitalization in an agile manner they need to be assured that their client data is protected at all times. Implementing a Critical Information Protection Framework which protects the client data first, no matter where it exists, gives the bank the ability to roll out new services more quickly. This is not just about technology; it is also about people and processes. Transformation needs to happen at all levels, and while it is happening, client data must be protected at all times.

The importance of client data at the ‘micro’ level, that of the individual, is sometimes lost when talking about millions of clients. However, the effects and distress a loss causes to individuals are all too easy to see. The good news is that all employees will also be clients in some shape or form – so they need to protect the information they are responsible for in the same way as they would expect others to protect their own information. Growth in all businesses, but especially in banking, is predicated on trust. Without trust, clients will take their business elsewhere, immediately. Putting client data and client privacy as the foundation for the digitization of retail banking, and protecting these valuable client assets with a critical information protection framework, will build client trust, which will create the foundation for growth.


Appendix A: The impact of regulatory requirements on data management processes (14)

Impact of key regulatory requirements on banks’ data controls. The source table rates each regulatory initiative against five data control areas (Data capture, Data aggregation, Data reporting, Data protection, Data governance) using the legend: Direct impact; Potential indirect impact; Significant impact unlikely. Scope: INT = International, EU, UK.

Regulatory initiative | Scope
BCBS principles for data aggregation and risk reporting | INT
FSB common data template for G-SIBs | INT
Legal Entity Identifier initiative | INT
BCBS review of pillar 3 disclosure requirements | INT
Recovery and Resolution Directive (RRD) | EU
Revisions to Capital Requirements Directive (CRD 4) | EU
Common Reporting (COREP) | EU
MiFID II | EU
European Market Infrastructure Regulation (EMIR) | EU
Revisions to the Market Abuse Directive (MAD II) | EU
Commission proposals on reform of data protection rules | EU
SEPA Regulation | EU
ICB recommendations | UK
Changes to the UK supervisory architecture | UK
Wheatley Review of LIBOR | UK

14 Risk, data and the supervisor: The clock is ticking… Deloitte & EMEA Centre for Regulatory Strategy


Disclaimer: The Deloitte impact analysis is based on policy measures proposed in the latest official text for each regulatory initiative, which may be subject to change. Deloitte have assumed as a starting point that banks’ data processes are adequate to meet current regulatory requirements. The actual impact will vary significantly from bank to bank. Indeed, the Bank of England and the Financial Services Authority (FSA) have stated that the new PRA will validate firms’ data “through onsite inspections.” In addition, the proposed BCBS risk data principles advocate testing firms’ data processes to ensure they are robust enough to withstand a range of adverse scenarios, including a surge in business volumes and potential crisis situations. One thing is certain: poor quality, incomplete and inconsistent data is likely to put a serious strain on a firm’s relationship with its supervisors and will lead to further scrutiny and challenge of the sufficiency of its risk management and governance processes in general.

Safe Harbor Reform

1. The following ruling was delivered by the Court of Justice of the European Union, 6 October 2015: ‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict the national supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid.’

2. The following reform had been proposed prior to the ruling by the Court of Justice of the European Union of 6 October 2015: EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU citizens, whose data transfers to US online service providers were made possible by these providers’ self-certified Safe Harbor compliance. Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council Safe Harbor reforms consisting of 13 requirements.


Clearswift is trusted by retail banks and other organisations globally to protect their critical information, giving them the freedom to securely collaborate and drive business growth. Our unique technology supports a straightforward and ‘adaptive’ data loss prevention solution, avoiding the risk of business interruption and enabling organisations to have 100% visibility of their critical information 100% of the time. For more information, please visit www.clearswift.com

United Kingdom: Clearswift Ltd, 1310 Waterside, Arlington Business Park, Theale, Reading, RG7 4SA, UK
Germany: Business Excellence, IM Mediapark 8, 50670 Koeln, GERMANY
United States: Clearswift Corporation, 309 Fellowship Road, Suite 200, Mount Laurel, NJ 08054, UNITED STATES
Japan: Clearswift K.K, Shinjuku Park Tower N30th Floor, 3-7-1 Nishi-Shinjuku, Tokyo 163-1030, JAPAN
Australia: Clearswift (Asia/Pacific) Pty Ltd, Level 17, 40 Mount Street, North Sydney, New South Wales, 2060, AUSTRALIA

www.clearswift.com | © Clearswift 2015