Retail Banking Client Data Privacy & Protection Transformation Priorities to Establish the Leaders of the Digitalization Era
Clearswift Best Practice Guidance for Critical Information Protection
October 2015
CRITICAL INFORMATION PROTECTION. Competitive advantage for Retail Banks
Table of Contents
Introduction
Evolving the Retail Banking service for a sustainable client experience
New focal point: optimizing the client experience
Digitalization risk elements leading to client privacy exposure
Regulatory implications
Evidence that client data protection gaps still exist
An objective expert’s perspective and call to ‘do more’ in banking
Barriers to advancing the digitalization of retail banking
Challenges to new service launch - agility & speed
DevOps as part of the new services agility-with-stability solution
Cause & effect: fluidity of new services drives omnipresence of client data
Transformation activities: C-suite collective alignment
Transformation project initiatives
Critical information protection – mini-transformation project initiatives
Scoping the problem
Preparing the solution
Implementation
Review and modify
Summary
Appendix A: The impact of regulatory requirements on data management processes
About Clearswift
Clearswift Client Data Privacy & Protection | September 2015 | Point of View Document | www.clearswift.com
Introduction
Within the retail banking sector, digital has become the backbone of a new integrated fabric spanning all channels, value-added
services, complex business processes and enhanced profitability. As the bank’s streamlining and ‘One-Click’ processes with
clients become redefined by digitalization, the business imperative of accessing and protecting client data creates many new
responsibilities and opportunities for adding value to the client [experience] and operational efficiency of the bank—emphasizing
the quantifiable challenges of client data privacy and protection.
There is little question about the significance of aligning the processes and channels required to deliver a digital platform; however,
business efficiency needs to be assessed within the magnitude of client data and protecting it across the interconnected multiple
channels of client engagement. Failure to understand the impact of the new channels on the distribution, availability and protection
of client data will potentially result in inefficient digitalization, client disapproval and intensified data loss, either from the primary
data holder or from one of its third-party data processors, and with it the potential for significant reputational damage.
“Banking is not somewhere you go, but something you do.” – Brett King, Bank 3.0, 2012
As branch formats are aligned to match customer profiles and needs in each location (everything from unmanned, fully
automated to full-service outlets), the retail bank’s executives, including the Chief Operations Officer (COO), Chief Information
Officer (CIO), Chief Information Security Officer (CISO) and Chief Compliance Officer (CCO), will have to wrestle with prioritizing a
lengthy list of branch and country-specific competing infrastructure, complex processes, security and regulatory compliance
requirements on a daily basis. As banks move away from a purely ‘contribution to profit’ consideration, to include customer
experience and access to funding in a low interest rate environment, the need for agility in providing new services has never
been greater. However, banking is one of the most regulated industries, and the 2008-2012 economic crisis contagion has prompted many
governments to establish increased operational regulations: requiring large banks to legally separate their volatile wholesale
arms from their retail banks by 2019, when the Basel III international banking agreement comes into force, and implementation
of the Dodd-Frank Wall Street Reform Act that updates the abolished US Banking Act of 1933 (Glass-Steagall), under the Volcker
Rule. These soon-to-be-implemented restrictions will provide increased protection for clients’ best financial interests and also
longevity for the banks, but the client now has a new, growing, monetizable asset held by the retail banks: ‘Personally Identifiable
and Payment Information’.
When client data is considered an asset for both legitimate and criminal processes it will serve to reinforce and differentiate
the bank’s required investment in new technology as part of its digital transformation, raising the questions:
• Should client data held by the banks remain a line item within the broader list of security and compliance investment
requirements for banks, or should it be separated, prioritized and treated as the monetizable asset it represents?
• It is essential, but is it possible for the rest of the bank’s C-Suite to enter the information security fold and transform client
data privacy from a source of risk, anxiety and expense into a source of competitive advantage and brand distinction?
As banks transform to become fully digitized, providing the ultimate client experience, the pivotal nucleus will be the multiple
channel accessibility and richness of CRM, social, personal and behavioral data. Understanding this information and exploiting
it like never before will create the impetus for the bank’s collective executive leadership to prioritize client data privacy and
protection as a “Vanilla Standard” for the bank’s new product and service offerings, as well as its broader enterprise cybersecurity
and compliance framework.
Prioritization has implications that extend beyond the existing sole responsibilities of the CIO, CISO & CCO due to its direct impact
on ‘Increased Penetration’, ‘Client Experience’, ‘Information Accessibility’ and ‘Security Concerns’, all of which directly drive
improved client loyalty. Client data privacy, protection and leadership from a client advocacy standpoint will directly impact the
top-line growth agenda of the bank’s senior executives, both through client loyalty and by encouraging the client to use
the bank’s apps and websites more frequently, capitalizing on the transition of websites to a sales tool and not just a service
portal. Simply put, ‘the heightened criticality of client data privacy and protection in retail banking is becoming a unified priority
and business imperative for the entire C-Suite’.
Evolving the Retail Banking service for a sustainable client experience
An array of market forces in the new digital era is having a profound impact on the retail banking sector and traditional banks
as we currently know them (Fig 1). Technological capabilities, regulatory requirements, and the consumer appetite for innovation
and flexibility are creating an imperative to change.
Online banking is now a core element of both retail banking operations and client expectations. Competitive barriers for new,
non-traditional entrants such as Atom, Fidor Bank, Starling, BankMobile, bKash, are disappearing. In order to compete, banks
must continue to transform themselves across all channels and operations into the required ‘always on’ bank of tomorrow—today.
“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin
A new digital value chain promises to reshape how banks compete, operate, drive profitability and enhance interactions with
clients. New channels for interactions and client engagement now exist to complement the evolving value of brick and mortar
relationships in delivering client-specific service and lasting experience, with the intention of driving client loyalty, value-added
service/product adoption and topline growth through innovation and resource efficiency. This clearly has implications beyond
the CIO and falls into the top-of-mind requirements of the CMO and other C-suite members.
Digitalization brand distinction: market context & considerations
Fig 1: Retail Banking re-visualized: The heightened need for client data privacy and protection can be a catalyst of a retail bank’s
digitalization growth agenda and client advocacy of the brand.
[Figure: ‘Retail Banking re-visualized’ market point of view. Panel ‘Market forces’: payments disruption; digitalization; client evolving & maturing appetite for technology; governance and regulations; lower competitive entry barriers. Panel ‘Omni channel market outreach’: client ‘one-click’; value-added services & products; multi-label strategy; ‘wow’ experience; online security; seamless support. Other labels: digital platform; brand; growth agenda; sales leads, promotions & campaigns; 3rd party providers; branches, call centers, partners; client proposition & value; bank identity & values; client data (CRM, behavioral, personal, social, etc.); mobile; service cloud; cloud; sales cloud; product & service offerings.]
[1] “The Everyday Bank: A New Vision for the Digital Age,” Accenture, 2015.
[2] Bank for International Settlements, www.bis.org/publ/bcbs98.htm
Supporting the Clearswift “Retail Banking Re-Visualized” market point of view is the 2015 report from Accenture [1] that
emphasizes how digital technology increases the need for transformation: ‘Non-banks are capturing more and more of the
banking value chain, providing services such as payments, checking and even savings accounts that could erode as much as
one-third of traditional bank revenues by 2020’. The response is not just about evaluating branches, improving online and
mobile banking offerings, or making current products and services “more digital”. Instead, the report says, “banks need to
move further into the daily lives of customers, providing assistance before, during and after the financial transaction.” Accenture
describes the “Everyday Bank” as having the capability to leverage the vast amount of insight it possesses about the client
and their environment to become central to a customer’s digital ecosystem. The retail bank must reinvent itself as a value
aggregator, advice provider and access facilitator, acting proactively on the customer’s behalf, improving reputation and trust.
New focal point: optimizing the client experience
The ambition of a retail bank’s digital transformation is to pivot to a new client-centric business model that is more about client
experience than promoting products - which comes with the change in client interaction and trust. With the competitive entry
barriers of yesteryear disappearing for new players, it is important for traditional banks to act quickly to implement this new
model of retail banking, empowering customers to embed (and adopt) new forms of banking services & interactions into their
digital lives.
Financial transaction behavior has moved on in so many ways, creating a new model of banking, driven by the expectation
of the individual, such that banks need to support them – new banks are often there first as they are not encumbered with
legacy systems, technologies and architectures. This creates further pressure on the traditional banks who need to support their
legacy environments while responding to the new requirements. Recent technological advances which need to be supported
include the introduction of new digital currencies (for example Bitcoin, NueCoin, Ripple, Litecoin, Peercoin, Namecoin, Dogecoin,
Next and Mastercoin) which are now widely accepted as a form of payment as well as new online and mobile apps (for example
Apple Pay, Mint, Spendee, Manilla, Paypal and SavedPlus) to carry out payment, without the need of a traditional bank or credit
card. Of course, coupled with this are the various forms of client-driven, enhanced digital outreach channels (including
branches, mobility, apps and social media). Change in order to support these new mechanisms, at a speed the client expects,
will involve usage, collaboration, movement and storage of client data on unprecedented levels. The increasing volume and
importance of client data creates considerations related to the collection and treatment of data. As far back as 2003 [2], the Basel
Committee on Banking Supervision considered that while existing risk management principles remain applicable to e-banking
activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management
challenges created by the characteristics of e-banking activities. To meet customers’ expectations, banks must therefore have
effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response
plans, including communication strategies that ensure business continuity, control reputation risk and limit liability associated
with disruptions in their e-banking services.
It would be ironic for, and undermining to, the bank’s next-generation investments and brand modernization efforts to neglect
weaving client data privacy protection into every transformational step along the way. Simply put, banks cannot readily move
towards the new model without simultaneously addressing the electronic-risk, or e-risk, implications—particularly
client data privacy and protection. This viewpoint is depicted via the new e-Banking Client Centric Business Model (Fig 2)
and emphasizes once again how the collective remits of the CHRO, COO, CMO & CIO converge around this issue. The diagram
emphasizes that the central issue is not banking risk mitigation, but rather e-client loyalty, trust and brand preference.
Fig 2: Digitalization Client Centric Business Model: Implementing and enforcing a ‘Critical Information Protection’
framework can be instrumental in achieving a client-centric business model in the emerging e-banking era.
[Figure: Digitalization client centric business model. Digitalization enablement utilizing a ‘Critical Information Protection’ Framework for automated adherence for Client Data Privacy & Protection. Center: Capturing Client Loyalty, Trust & Preference. Surrounding roles:]
• Bank CMO: Demonstrated ‘client-first’ brand leadership & distinction in the digital era
• Bank CHRO: Reorganized retail bank and upskilled to deliver client specific engagement
• Bank COO, CCO: Value-Added Service Adoption, Business Empowerment aligned to Regulatory Compliance via ‘enhanced perceived value from the market’
• Bank CIO, CISO: Prioritised ‘client data privacy & protection’ with ‘Delivery Agility’
Regulatory compliance, outside of current industry practices, will become routine in business on varying levels and where the
retail bank operates in more than one country the application may differ based on country and government privacy regulations.
The Basel Committee on Banking Supervision (BCBS) consultative document ‘Principles for Effective Risk Data Aggregation and
Risk Reporting’ provides the regulatory drivers for change within the industry and the implications for banks. The BCBS proposed
14 principles to ensure that data and associated processes used by the risk function are “fit for purpose”. Global Systemically
Important Banks (G-SIBs) are required to implement the principles in full by the beginning of 2016. However, they would have
submitted a self-assessment against the principles to their local supervisor in 2013. The BCBS paper sets clear expectations
that banks will quantify their risk appetite and have robust infrastructure, processes and controls in place to monitor risks within
the appropriate thresholds across credit, market, liquidity and operational risk. A summary of the 14 principles is provided in
Table 1.
[3] Risk, data and the supervisor: The clock is ticking… Deloitte & EMEA Centre for Regulatory Strategy
[4] Retail Distribution 2015 – McKinsey & Company
[5] The Data Loss Prevention Market by the Numbers 2014-2019, 451 Research, July 2015
Summary of BCBS Principles for Effective Risk Data Aggregation and Risk Reporting
Governance and Infrastructure
• The bank’s board and senior management must understand deficiencies in all aspects of the controls and aggregated data.
• Organisational boundaries must be overcome so risk data can be accurately aggregated across business lines, jurisdictions and legal entities in a timely manner.
• Systems must support risk data aggregation and reporting, including during times of stress or crisis.
Risk data aggregation capabilities
• Banks must demonstrate the ability to generate accurate and reliable aggregated risk data, largely automated to minimise errors.
• The capabilities will also need to meet all on-demand and ad hoc report scenarios in a timely manner, including during crisis situations and in response to a supervisory request.
Risk reporting practices
• Banks must ensure that reconciled, validated and accurate risk reports are presented to the appropriate stakeholders in a timely manner to support the decision making process.
• The reports must cover all material risk areas within the organisation and be easily understood by recipients.
• All material gaps or weaknesses are well understood and factored into the decision making process.
Supervisory review, tools and cooperation
• Supervisors will review and monitor banks’ compliance with the principles and use appropriate tools to ensure deficiencies are addressed in an effective and timely manner.
• The supervisor should have the ability to restrict growth in a bank’s risk-taking activities should it have concerns about data deficiencies.
Table 1: BCBS Principles for Effective Risk Data Aggregation and Risk Reporting [3]
However, rather than retail banks approaching this from purely a compliance stance, there is also an opportunity for established
and trusted banking brands to take a leaf from the new online banks and start their regulatory adherence ahead of the legislation
to demonstrate new thinking and operational excellence in the form of competitive differentiation. This in turn will help to allay
the security concerns that consumers cite as the major factor in their reluctance to bank online [4],
allowing retail banks to remain the trusted and preferred banking brands of the future. Standard competitive pressures mean
that the new market entrants will move more quickly on this issue as their foundation will be built upon access, collaboration
and storing of digital content, thus formulating a new preference of trusted brands in e-banking.
The plethora of data loss incidents reported globally, which have unfortunately become commonplace, has meant that there
are new operational capabilities available for banks looking to be more progressive in the area of client data privacy and
protection. Voice of the Enterprise: Information Security from 451 Research indicates that fear of data loss or theft is the
number one security challenge over the next 12 months and the use of DLP in information security projects is a growth
priority over the next 12 months [5].
As with the execution of any technology category used to provide a business benefit, the technology industry has delivered a
mixture of traditional and new features and functions over the past decade that address the nuances and evolution of individual
businesses and implementation preferences, such as Virtualization (VMware), Mobile Pay (Apple), Adaptive Redaction (Clearswift),
Bitcoin (technology, not crypto-currency). This has enabled retail banks to move beyond traditional security constraints,
to prioritize client data protection and use security automation to create new sources of business value for clients.
Sitting above (or below) these features and functions has to be a framework that underpins any digital transformation.
For the purpose of this report our focus is on client data privacy and protection. A ‘Critical Information Protection (CIP)’
framework (Fig 3) needs to be implemented as part of an organization’s mini-transformation projects. The CIP framework
allows banks to avoid approaching client data privacy and protection in a regulatory compliance “check-box” fashion, and
instead lends itself to appreciating the value assigned to each element of client data as it relates to the differing business
units within each organization. By abstracting out the client data and wrapping privacy around it, it is possible for retail
banking operational personnel and technology leaders to work closer together and create a foundation of automated
client data management. For privacy to be effective there needs to be an understanding of the context of the data within
the retail bank: operational, regulatory, collaboration, new product applicability, etc. This allows the organization
to mitigate the risk of cyber-targeting and the theft of the information or exposing client data unintentionally.
The basis of the framework provides flexibility for organizations to implement these practices as part of the evolving change
management that the retail bank needs to adopt in its aim of digitalization. If assurance as to the protection of client data can
be given at all times, then agility in new service definition and rollout can be achieved in conjunction with the adoption of the
new and evolving financial transaction technologies. Understanding the interdependencies of each practice (task) ensures
that this is an evolutionary change rather than a radical revolutionary adoption, where feedback from clients, employees,
3rd parties, etc. can feed into the framework to ensure that their nuances can be appreciated and employed.
Fig 3: Critical Information Protection (CIP) Framework, Clearswift
[Figure: CLIENT DATA PRIVACY (CRITICAL INFORMATION PROTECTION) at the center, with proactive threat mitigation, reg. compliance & audit, and infra & end point security. Risk handling as a foundational element of brand leadership. OPERATIONAL RISK & REG COMPLIANCE (Prioritized Client Data Privacy Drives Brand Distinction). DATA ring: Small. Large. Structured. Unstructured. New. Complimentary. Old. Personal. Business. Social. IP. Text. Image. Report. Analytics. Simple. Complex. Raw. Information. Knowledge. Temporary. Permanent. Transient. Framework practices: Remediation; Security Governance; Employee Comms; Classification & Policy; Metrics.]
• Employee communications: Building and sustaining a culture of client privacy and protection requires developing a program
that engages employees in proactively taking steps to ensuring more secure communications and processes, including
providing mechanisms for employees to learn more about company data protection policies, why they are important, and
how to raise issues to get results.
• Classification & policy: Not all data is sensitive, so understanding that there are differing data types ensures that there
will be appropriate levels of policy enforcement. Begin with the data most critical to the enterprise and develop,
over time, a data classification and policy management program that regularly solicits input from across the business
on the most critical data to protect. Banks need to develop and deploy a methodology to prioritize this input in order
to ensure that the right information is protected with the appropriate level of investment.
• Remediation: An effective remediation program will focus on sustainability to support digitalization, moving from reactive
employee-driven remediation processes (manual) to system-driven proactive remediation processes (automated) in the
mid-term. Enforced automated remediation ensures that although the incidents and processes that encourage data loss
activity may not be fully implemented, the technology acts as a guardian for the business/employee and ensures that client
data privacy is protected and secure during this transition period. Development of future digital channels and business
activities (M&A) can be integrated into the remediation program, ensuring that newly introduced data is protected until
the necessary re-architecture and normalization activities have completed.
• Metrics: A metrics program must adequately measure data loss risk reduction both company-wide and at a more granular
level (executive, business unit, department, etc.) to support ownership of data loss risk reduction. Communication of results,
both successes and where more effort is needed is essential in order to drive change and adoption. These metrics also help
an organization assess and communicate critical information protection program performance and quantify the value realized.
• Security governance: Often defined within a cross organization Steering Committee, it provides strategic direction to
those developing the critical information protection program. This overarching program needs to cover areas of policy
development and management; incident remediation process development and execution; collection and communication
of metrics demonstrating program effectiveness and results; employee awareness, training, and engagement; and
the selection and phasing of technologies for the critical information protection solution deployment.
Digitalization risk elements leading to client privacy exposure
With the compelling new model of retail banking that’s embedded with client engagement and retention firmly in mind, there
is a need to consider the specific elements of client data privacy risks that must be addressed, beginning with a look at the
types of digital information banks routinely collect.
• Personal information: When one visits or uses online banking services, banks may collect personal information from
or about individuals such as their name, email address, mailing address, telephone number(s), account numbers, limited
location information (zip/post code to help find a nearby ATM), user name and password. Banks will also collect payment
card information, social/nation/my ID security numbers, and driver’s license numbers (or comparable), which are reasonably
required for ordinary business purposes.
• Information usage and impact data: In addition to the personal information, banks may collect certain information
about a client or prospect’s (channel demand generation) use of online services. For example, the bank may capture
the IP address of the device used to connect to the online service, the type of operating system and browser used,
and information about the site, the parts of the bank’s online service that were accessed, and subsequent sites visited.
The bank or their third-party partners may also use cookies, web beacons or other technologies to collect and store
other information about sites visited, or use of online services. In addition, banks may later associate the usage and
other information collected online with the personal information from the individual.
• Omni-channel and mobile banking data: For convenience, banks offer the ability to access products and services
through mobile applications and mobile-optimized websites (‘Mobile Banking’). When using mobile banking services,
the bank may collect information such as unique device identifiers for one’s mobile device, the screen resolution and
other device settings, information about location, and analytical information about how that consumer may traditionally
use their mobile device. Consent is typically requested via location service permissions before collecting certain
information (such as precise geo-location information).
• Additional sources of client information collected: Banks may also collect information about consumers from
additional online and offline sources including from co-branded partner sites or commercially available third-party
sources, such as credit reporting agencies. Banks may combine this information with the further sources of information
they have collected about a client as defined under their Online Privacy Policy.
The combination of all the above types of personal and banking information provides the retail bank with a level of rich CRM data
that exists today, but is often siloed across the differing operational units. The challenge to retail banks will be to assimilate this
data for both client experience and client longevity. However, the downside of collecting these rich levels of data is that it
exposes the organization, employees and 3rd parties to intentional and unintentional data disclosure, breach and theft, for which
mitigation is required.
Firstly, there is the external movement and disclosure of client data. Banks may share the information collected from and about
individuals with their affiliates and other third parties. For example, banks may share this information with:
• Affiliated websites and businesses in an effort to bring improved service across their family of products and services,
when permissible under relevant laws and regulations
• Third party service providers
• Other companies to bring co-branded services, products or programs
Today, it is becoming increasingly important to understand the full information supply chain in order to ensure adequate protection
along its length. A data breach with a 3rd party data processor or an affiliate will have a negative brand reputation impact.
Joined-up process and thinking is required to protect the information that has been shared.
Secondly, there is the internal movement and disclosure of client data. Banks share / disclose / manipulate varying levels
of client data internally as part of their standard business operations and for product/service development. This is essential
to track, alert and measure effectiveness for specific types of client segments. A few examples include:
• Development of new online services
• New product offerings
• Mobile transactions for differing users across a variety of device types
• Market testing for diverse/new demographic markets
• Marketing programs and campaigns
• Copies of data for disaster recovery and business continuity
• Freedom of Information (FOI) requests
Once again, a complete understanding of the use of the information is needed. As internal processes increasingly rely on external
collaboration, it is not unusual for internal departments to outsource parts of projects which may not be realized by those further
up the bank. What was thought to be an internal project suddenly turns into an external one – with all the additional risks that are
associated with it.
Regulatory implications
The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the
opportunity to expand commercial operations via technologies such as web 2.0, and mobile applications amongst others
is realized. In the case of client data, Retail Banks should adopt a ‘Client First’ approach to GRC as the exponential growth
of client related data develops and the diversity of operations span traditional banking silos.
As a heavily regulated industry, there are multiple regulations that must be adhered to. Some of the primary data protection
regulations that Retail Banks have to comply with by law are outlined in Table 2.
Regulation | Data Included | Regulation Revision Planned | Primary Region Focus
Safe Harbor [6] (see Appendix A) | PII | Yes (2015–2017) | US – Europe; US – Switzerland
EU Data Protection Directive 1998 | PII | Yes (2015) | 28 EU Member States
PCI-DSS | PCI | 3.2 due 2016 | Worldwide
Electronic Communications Privacy Act | PII, PCI | No | US
Table 2: Examples of primary data protection regulations governing client data
[6] http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
The current European Data Protection Directive is due to be superseded in the next
6 months, with its replacement becoming law within 2 years (~2017) and bringing the possibility of massive fines based on 2-5% of global turnover
(or up to €100,000,000 if required). This document positions compliance with the new EU General Data Protection Regulation
(EUGDPR) within the timeframe of digitalization, without the need to revisit compliance with the old ‘directive’, which may create
an opportunity for retail banks to be non-compliant and visible to the FTC, ICO and other regulatory organizations7.
Evidence that client data protection gaps still exist
A recent survey on data protection and privacy highlighted that client data protection is still a major concern for EU citizens8.
When it comes to control over personal data:
• >80% feel that they do not have complete control over the personal data they provide online.
• 66% are concerned about not having complete control over their personal data.
The respondents were most concerned about the recording of their activities via payment cards and via mobile phones,
both of which have a direct impact on the next generation bank. Building trust in a digital platform with protection around
personal (client) data will provide the competitive advantage.
In a separate question around the disclosure of personal data:
• >70% say that providing personal information is an increasing part of modern life and accept that there is no other alternative.
• >50% disagree that providing personal information is not a big issue for them.
The majority of people are uncomfortable with Internet companies using information about their online activity to tailor
advertisements, and >66% think it is important to be able to transfer personal information from an old service provider
to a new one. We live in an era where competitors are only a click away, and new legislation to help individuals move
accounts means that keeping and maintaining loyalty becomes critical to growth.
When it comes to the management of personal data by third parties:
• 70% say that their explicit approval should be required in all cases before their data is collected and processed.
• 70% are concerned about their information being used for a different purpose from the one it was collected for.
Almost all respondents say they would want to be informed should their data be lost or stolen, with 66% believing the
public authority or private company handling the data should be the ones to inform them if it has been lost or stolen.
It is unfortunate that data breaches are no longer ‘if’ but ‘when’, however understanding the viewpoint of the client
means the organization can respond accordingly.
For many organizations there is often a ‘click-through’ privacy policy, however only 20% of people fully read privacy
statements. Most do not read them because they find them too long to read, unclear, or too difficult to understand.
7 FTC, ICO and other regulatory organisations. Federal Trade Commission (US), Information Commissioners Office (UK), Federal and regional regulators (DACH), Dept. of Health and Human Services (US), Federal Data Protection and Information Commissioner (Switz), etc.
8 Source: Patrick van Eecke and Mathieu Le Boudec; http://blogs.dlapiper.com/privacymatters/europe-recent-survey-finds-that-data-protection-remains-a-major-concern-for-eu-citizens/
9 The full keynote speech of the EDPS: https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Strategy2015
An objective expert’s perspective and call to ‘do more’ in banking
Data security experts and authorities agree that a more concerted and proactive approach is required for securing client data
as a critical priority beyond the standard compliance check-box approach. At a recent Cybersecurity and Privacy conference
in Brussels (April 29, 2015)9, keynote speaker and recently appointed European Data Protection Supervisor (EDPS) Giovanni
Buttarelli commented on his 5-year strategy. While acknowledging the importance of cybersecurity for the sustainability of
our digitally supported economy and society, Buttarelli stated that the privacy challenges cybersecurity entails are not to be
minimized, and that its objective is not to be misused to justify measures weakening the protection of data protection rights.
Buttarelli also addressed the tension between cybersecurity and data protection, stating that “The rights to privacy and data
protection have long been perceived as conflicting with the objective of cybersecurity. I believe this is a misperception.” Instead, a high
level of cybersecurity should ensure that such measures help improve the security of all information processed, including
personal data. Cybersecurity can play a fundamental role for retail banks in contributing to ensuring the protection of individuals’
rights to privacy and data protection in online and omni-channel environments.
He continued by warning that “cybersecurity must not become an excuse for disproportionate processing of personal data”.
To find the right balance, data protection principles such as necessity and proportionality can be applied to help guide
privacy-by-design and privacy-by-default for cybersecurity solutions.
Buttarelli also addressed the ongoing efforts to reform the EU data protection framework, noting that a key plank of the
reform is data security. Under the current legal framework the three elements to determine the selection of adequate
technical and organizational measures are:
• The risk of the processing
• The state of the art
• The cost of the measures
He noted that the third element must not be overstated, given the importance of appropriate data security. “A proper cost
benefit analysis would demonstrate that data security, benefits not only individuals whose personal information is processed, but
also the professional reputation of the organization processing the data.”
Buttarelli explicitly named the sectors expected to need to deal with cybersecurity more intensively: the banking and health
sectors, and IT initiatives such as the Internet of Things (IoT), Bring Your Own Device (BYOD) and
wearables, as attacks on these would have a significant impact on privacy and the protection of personal data.
Barriers to advancing the digitalization of retail banking
Challenges to new service launch - agility & speed
There is a natural and well-intended friction point between the top line growth Executive leaders (COO, CMO and Dept. GMs) and IT leaders.
These Executives have a desire to launch and monetize new services as quickly as possible. However, IT leaders (CIO, CISO and
CCO) have a different point of view and are chiefly concerned with client support, service stability, security and compliance as
priorities over speed. The latter ambition requires a slower and more risk-averse approach to new service roll out to ensure
new products, channels and services are adequately secure and adhere to necessary regulatory compliance, whilst achieving the
required levels of operational excellence. Because of this, IT executives are more inclined to adopt a methodical and controlled roll
out, perhaps one new service per quarter, whereas the top line growth Executives would ideally wish to see one new service per
month. This disconnect is clearly visible and understandable from both vantage points and therefore needs to be addressed.
DevOps as part of the new services agility-with-stability solution
Historically CIOs have managed new services creation through linear and controlled processes known as Information Technology
Infrastructure Library (ITIL) and IT Service Management (ITSM) standards respectively. These standard practices were created
at a time when IT alone had a monopoly on the enterprise technology infrastructure and the world moved at a slower pace
than it does today. The rationale was that linear and controlled stages of design, development and testing would precede any
new service release in the spirit of stability and a successful launch. Unfortunately, this approach is now dated and the lead
times required to accommodate this discipline do not match the speed of today’s business dynamics and related appetite
for new service launch and consumption.
Often today’s solution is where IT organizations use a growth unit of the organization called DevOps to acquire the ability to roll
out services with both speed and stability. DevOps combines application and new service developers with operations personnel
to achieve the best of both worlds. DevOps are a major user of client data to ensure that the new products/services are aligned
to the specific client/prospect market being targeted. It is essential for the COO or CDO (Chief Development Officer) to align many
of the elements from the critical information protection framework into the development practices to secure the client data within
these new services to eliminate the barrier to roll out and obtain the desired agility required by the C-suite.
Cause & effect: fluidity of new services drives omnipresence of client data
Solving the new service launch velocity problem through DevOps leads to another tangentially related issue. There is a common
perception that data while in its stationary state or ‘at rest’ within IT systems is secure. This perception is to a large extent true
and server-based platforms where data resides such as databases, CRM, ERP systems and the like are reasonably protected
from prying eyes. However, the issue that people often fail to realize is that today’s (and the future’s) retail banking enterprise
is highly fluid and dynamic. The creation of new services means that client data is constantly in motion and not simply residing or
resting within protected IT systems. Client data is continuously being processed and shared by many different personnel, 3rd
parties, and systems across the enterprise. The collective need for the data from multiple individuals or parties conducting
their day-to-day operational roles within and even outside the bank requires data to be extracted from where it securely sits and
utilized accordingly. Hence the root cause that exposes client data is data-in-motion, collaboration and replication.
The challenges that organizations can encounter can be seen if we look at how client data privacy and protection challenges
originate and then exponentially grow just by the simple way in which banks create, roll out and conduct new digital channels
and services. Below is a simplified example to illustrate the problem:
1. It all starts with a single master record in a database for any given client. The master record is a single copy that securely
resides within a database, but then there is an interaction between systems (web, application etc.) as part of the
day-to-day banking operations for services and transactions.
2. During this process, data is repeatedly extracted (fully or partially) from where it resides.
3. The omni-channel services will mashup10 data with other sources of data, various payment methods, authorization
checkpoints, security policies and automated processes. This places client data into new form factors and different
type of records that reside on multiple IT systems.
4. It is then viewed, analyzed, reported on, shared, copied, and stored by many different individuals along the operating
value chain – taking what was once the original single client master record and transforming that into multiple form
factors and records.
5. To visualize the magnitude of this, take this example of a single client record being replicated, and multiply that with
the number of clients a bank has. It is not unfeasible to have 100s of copies of what was a single record roaming the
organization at will – and that doesn’t take into account the versions in system backups!
10 ‘Mashup’ is the integration of heterogeneous digital data and applications from multiple sources for business purposes. An enterprise mashup is also sometimes known as a business mashup or, less precisely, as a data mashup.
Figure 4 provides a true picture of how over the past 35 years retail banking has evolved from data collaboration being
a singular interaction with minimal restructuring of the original dataset to the current goal of digitalization where client
data moves in multidirectional channels and interactions, accumulating and jettisoning portions of data during its journey.
Transformation activities: C-suite collective alignment
As previously mentioned, a cyber security architecture and internal compliance (operational) policies designed to mitigate
digital threats on behalf of the organization are only a subset of a broader enterprise risk and compliance framework. And,
as cybersecurity specialists are well aware, client data privacy protection is only one element of a multi-faceted security
and operational architecture. This paper asserts that client data privacy and protection must be prioritized and separated
from those broader risks and compliance constructs. Implementing client data privacy and protection as the ‘foundation’ for
a portfolio of new products and services provides the cohesion that was previously missing, yet required for efficient service
creation, launch & monetization. Once that concept is agreed upon, additional accountability must be assumed by the entire
C-Suite and then the challenge shifts to how to make Client Data Privacy and Protection implementation actionable.
Fig 4: Multichannel data proliferation for digitalization, Clearswift
Figure title: 2020: The definitive transformation to Retail Banking digitalization comes with a heavy (data) touch
Panels: 1980 – 2000 Digitalization of Payments; 2000 – 2010 Digitalization of Payments; 2010 – 2020 Full Digitalization with a human touch
Diagram labels: Bank Branch, Regional Branch, HQ, Bank HQ, Bank Switch, Digital Banks (FIDOR, STARLING, ATOM)
• Omni-Channels: Increasingly complex processes, appreciative of IT effectiveness, organisational/cultural change, metrics (new)
• Digital: Open the Digital Bank before non-banks do, addressing client security concerns.
• Branches: Right size and boost sales performance, fully digital with a personal touch
• Products: More tailored to individual needs, integrated based on client journey, close revenue ‘leaking’
• Video/Call Centres: More tailored to individual needs, Increase service to sales conversation, freeing up resources
• Data: Accessible, integrated, secured, compliant, behavioural, social
Traditional banks understand the power of their brand as an asset, and also that they are not immune to having their brand
tarnished in the eyes of the consumer and shareholders, as has happened in other industries (automotive11, entertainment12, retail13). Brand
value is a component of growth and identity, and the basis for loyalty, service adoption and preference within the client base.
Today, clients want to know that their personal information is safe and the platforms the banks provide for interactions and
transactions are secure. There is an opportunity to think about client critical information protection differently in banking to
deliver that promise at greater levels and enhance the reality (not just perception) of trust with clients.
At the risk of oversimplification, the banking digitalization transformation construct is comprised of three tiers, as shown in Figure 5.
• The first or top tier of a client-centric business model is what we call the “client modern experience.” This is about creating
modern, relevant services and is the outbound interface (channels) banks have with their clients that drives loyalty and
new service adoption. At this point client loyalty is derived from the clients’ perceptions of security, trust and value they
receive from their bank’s services and interactions.
• Below this layer is the “operational transformation layer,” which enables the client experience and creates the ability to
deliver new client centric products and services with greater speed. Delivery is via omni-channels and includes improved
operational cost efficiencies through the implementation of branch variants. These require new platforms, business process
optimization, applications (web/mobile) and rich client data analysis and management. It is at this stage that the organization
defines its digital growth and operational initiatives via mini-transformation projects; these in turn drive growth.
• The third layer, reinforcing the operational layer, is the “operational risk and regulatory compliance layer.” Intended to be an
all-encompassing approach to digital risk mitigation, it involves infrastructure and endpoint security; regulatory compliance
and audit; and proactive threat mitigation (i.e. anticipating and addressing the notion of threats, including ‘zero-day threats’ that
loom beyond the horizon), three common categories of focus for CIOs and their security leadership and compliance teams.
Client data privacy resides within the broader enterprise risk handling, security and compliance framework. However, in order
to achieve efficiency in the three layers, client data and its privacy must be extracted from the broader framework and given
its own dedicated layer, prioritizing this matter on behalf of clients. Not doing so has the potential to undermine the bank’s
agility, growth strategy and potentially the client perception of the brand.
By taking this approach, banks are explicitly approaching this as a ‘Client First’ initiative. Progressive banks and the new
online banks are committed to collectively align and lead in this area. The Executive team have an opportunity to obtain the
client loyalty for which they are striving and will likely achieve the coveted growth velocity for their brand within a crowded
and competitive landscape.
Fig 5: Prioritizing Critical Information Protection: As the “foundation” client data privacy is a catalyst for achieving the needed
operational transformation that delivers on the retail bank’s growth agenda.
Figure title: Retail Banking Top-line Growth ‘Client Centric Business Model’
Tiers shown in the figure, top to bottom:
• THE CLIENT MODERN EXPERIENCE (Drives Service Adoption). CLIENT LOYALTY: Client Perceived Trust; Client Perceived Security; Client Perceived Compelling Value of Services & Interaction
• BANK OPERATIONAL TRANSFORMATION (Drives Delivery, Relevancy & Growth). BANK DIGITAL GROWTH INITIATIVES/IMPERATIVES: Data Leverage & Treatment; New Services; Omni Channel; New Apps
• OPERATIONAL RISK & REG COMPLIANCE (Prioritized Client Data Privacy Drives Brand Distinction). RISK HANDLING AS A FOUNDATIONAL ELEMENT OF BRAND LEADERSHIP: Proactive Threat Mitigation; Reg. Compliance & Audit; Infra & End Point Security
• CLIENT DATA PRIVACY PROTECTION POLICY & ADHERENCE
11 www.khaleejtimes.com/business/auto/i-am-endlessly-sorry-brand-is-tarnished-vw-ceo
12 www.gamespot.com/articles/sony-brand-name-seriously-tarnished-by-hacking-con/1100-6424359/
13 www.gamespot.com/articles/sony-brand-name-seriously-tarnished-by-hacking-con/1100-6424359/
“Cyber security is paramount to rebuilding this trust – winners will have invested significantly in this area.”– PwC Retail Banking 2020 – Evolution or Revolution
Transformation project initiatives
The road to full digitalization for retail banks will take the collective effort of the entire organization to succeed. But viewing this
in its entirety is overwhelming and would trouble even the most accomplished academic, consultant or seasoned banking
executive. The transformation needs to be broken down into manageable, achievable ‘chunks’.
1. What is your organization’s 2020 vision?
• What would a blueprint look like for transactions, service and support as well as sales and financial advice?
• How can the client experience be elevated with innovation by removing their biggest frustrations?
• Do you wish to be a follower or innovator?
• What is your greatest priority – cost reduction or service revenue growth?
Responses to these challenges will provide the organization with a starting point and what the target blueprint success
will look like.
2. Agree a set of mini-transformational projects to deliver the blueprint:
As previously mentioned, a set of mini-transformational projects allows the organization to break down the overall blueprint
into manageable stages. It also encourages the multiple disciplines within the organization to play an effective role in delivering
digitalization. Each project may have sub-projects within, but will effectively roll up to deliver the main project, enabling the
deliverables team/individual to stay focused on an end goal.
Prioritizing the projects to give quick-wins followed by ‘biggest bang for the buck’ will help to maintain momentum.
Nothing succeeds like success.
3. Top down execution:
• An overall project lead (Executive level) needs to be assigned to track and ensure execution and ownership
of the mini-transformation projects
• Assign a realistic investment budget that spans the length of the overall project that is ring-fenced. Unworkable budgets
ultimately lead to failing services and then to client discontent
• Communicate to the whole organization what is happening, what they can expect to experience, how it may affect them
and what the target goal looks like
Critical information protection – mini-transformation project initiatives
From a bank’s perspective, client data is the client, and client data is the most critical information that the bank holds. Therefore,
within the mini-transformation projects, there is the need to address the critical information protection framework (Fig 3). With
any new initiative it is essential that the groundwork has been accomplished effectively prior to implementation.
The effectiveness of the critical information protection framework is achieved by creating a foundation for the collection, access,
collaboration and storage of an increasing growth of rich data. Organizations need to address this project with an open stance and
ensure that all leaders, operational staff and developers are encouraged to build out the current picture of data residing within the
organization, immaterial of current activity or applicability to the future goal.
Without this understanding the ability to enforce policies, apply remediation actions, ensure compliance of security governance
and report on the metrics of success becomes an impossible task.
Scoping the problem
A summarized approach is to resolve the following statements with a cross-functional team, with a view to reporting back
to the C-suite (probably through the CIO):
1. Have we defined what is our most critical / sensitive client data?
2. Do we know where it’s located (endpoints / databases / archives / etc.)?
3. What is the financial / reputation risk if this data was lost/stolen (quantified, and by example)?
4. How are other organizations / competitors in our industry solving this problem (by example) and what is their experience?
5. What are the regulatory / legal obligations regarding our client information?
6. How much will this cost (CapEx / Opex / TCO) and what is the ROI?
7. How long will it take to implement and by whom?
8. Which departments will need to be involved and which told about the project?
Preparing the solution
Once the team/individual have accumulated all avenues of information and research, the mini-transformation project team
will then need to address the following statements. Many of these statements will require cross functional disciplines to be
employed, emphasizing the need for the project team to include not only data owners but also data users and data governors.
1. How will we classify this information as critical (electronic / human) in each location and how long will this exercise take?
2. What organizational changes (staff / training etc.) will we need to undertake in order to make the solution effective and when?
3. Is there a technology solution available to capture all the potential egress points, both accidental and malicious, of our client information (including cloud, mobile and bring your own device)? Will this come from a single supplier, or will multiple suppliers be required?
4. Does the solution fit within our existing infrastructure today or is further investment required? (Will the solution be on-premise or in the cloud or a bit of both?)
5. Who is going to own the project (CIO / CTO / other)?
6. Can we get help before, during and/or after the project? From consulting, product and ongoing support perspectives.
Implementation
You are now in a position to implement the transformation of your critical information protection framework, enabling
the organization to ensure a ‘client first’ approach to client data privacy and protection.
1. Which department or process will be first? Will this include partners in the extended enterprise, such as suppliers or third party data processors?
2. How will success be measured and over what time period?
3. What happens if some information is re-classified from / to critical during the project? Is there a contingency or process for changing priorities?
4. What will be the response to a data breach (especially if this happens before or during implementation)?
Review and modify
As each mini-transformation project is implemented and completed, a review should be carried out to ensure that
unpredicted influences on client data privacy do not impair the effectiveness of the critical information protection framework.
Looking to the future, the environment that the retail bank will operate in will move as quickly as technology evolves
and the clients consume the services provided. This is not a set-and-forget project; the organization needs to assign owners
to regularly review the critical information protection framework as new services and products are developed. It also needs
to be reviewed as new data is created and new collaborative partnerships are formed, as part of the bank’s growth strategy.
Summary
Retail banking is going through a period of unprecedented change. Banks with large amounts of heritage are coming under
threat from new players who see their ability to react more quickly and efficiently to client demands and to trends in the
marketplace as the competitive advantage they need to break into the market.
For banks to move to digitalization in an agile manner they need to be assured that their client data is protected at all times.
Implementing a Critical Information Protection Framework which protects the client data first, no matter where it exists,
can give them the ability to roll out new services more quickly. This is not just about technology; it is also about people and processes.
Transformation needs to happen at all levels, and while it is happening, client data must be protected at all times. The importance
of client data at the ‘micro’ level, or the individual, is sometimes lost when talking about millions of clients. However the effects
and distress it causes to individuals are all too easy to see. The good news is that all employees will also be clients in some shape
or form – so they need to protect the information they are responsible for in the same way as they would expect others to protect
their own information.
Growth in all businesses, but especially in banking, is predicated on trust. Without trust, clients will take their business
elsewhere; immediately. Putting client data and client privacy as the foundation for the digitization of retail banking and
protecting these valuable client assets with a critical information protection framework will build client trust, which will
create the foundation for growth.
Appendix A: The impact of regulatory requirements on data management processes14.
Regulatory initiative: impact of key regulatory requirements on banks’ data controls
Data control columns: Data capture, Data aggregation, Data reporting, Data protection, Data governance

| Region | Regulatory initiative |
|---|---|
| INT | BCBS principles for data aggregation and risk reporting |
| INT | FSB common data template for G-SIBs |
| INT | Legal Entity Identifier initiative |
| INT | BCBS review of pillar 3 disclosure requirements |
| EU | Recovery and Resolution Directive (RRD) |
| EU | Revisions to Capital Requirements Directive (CRD 4) |
| EU | Common Reporting (COREP) |
| EU | MiFID II |
| EU | European Market Infrastructure Regulation (EMIR) |
| EU | Revisions to the Market Abuse Directive (MAD II) |
| EU | Commission proposals on reform of data protection rules |
| EU | SEPA Regulation |
| UK | ICB recommendations |
| UK | Changes to the UK supervisory architecture |
| UK | Wheatley Review of LIBOR |

Key: INT = International; EU; UK. Impact levels: Direct impact; Potential indirect impact; Significant impact unlikely.
14 Risk, data and the supervisor: The clock is ticking… Deloitte & EMEA Centre for Regulatory Strategy
Disclaimer: The Deloitte impact analysis is based on policy measures proposed in the latest official text for each regulatory
initiative which may be subject to change. Deloitte have assumed as a starting point that banks’ data processes are adequate
to meet current regulatory requirements. The actual impact will significantly vary from bank to bank.
Indeed, the Bank of England and the Financial Services Authority (FSA) have stated that the new PRA will validate firms’
data “through onsite inspections.” In addition the proposed BCBS risk data principles, advocate testing firms’ data processes
to ensure they are robust enough to withstand a range of adverse scenarios including a surge in business volumes and
potential crisis situations.
One thing is certain: poor-quality, incomplete and inconsistent data is likely to put a serious strain on a firm’s relationship
with its supervisors and will lead to further scrutiny and challenge of the sufficiency of its risk management and governance
processes in general.
Safe Harbor Reform
1. The following ruling was delivered by the Court of Justice of the European Union, 6 October 2015
‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question whether
the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds
that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict the national
supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid.’
2. The following reform has been proposed prior to the ruling by the Court of Justice of the European Union, 6 October 2015
EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US
government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU citizens
whose data transfers to US online service providers were made possible by these providers’ self-certified Safe Harbor compliance.
Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe Harbor self-certification
and enforcement procedures and recommended to the European Parliament and European Council Safe Harbor reforms
consisting of 13 requirements.
Clearswift is trusted by retail banks and other organisations globally to protect their critical information, giving them the freedom to securely collaborate and drive business growth. Our unique technology supports a straightforward and ‘adaptive’ data loss prevention solution, avoiding the risk of business interruption and enabling organisations to have 100% visibility of their critical information 100% of the time.
For more information, please visit www.clearswift.com