Retail Banking Client Data Privacy & Protection Transformation Priorities to Establish the Leaders of the Digitalization Era

Clearswift Best Practice Guidance for Critical Information Protection

October 2015

CRITICAL INFORMATION PROTECTION. Competitive advantage for Retail Banks

Table of Contents

Introduction
Evolving the Retail Banking service for a sustainable client experience
New focal point: optimizing the client experience
Digitalization risk elements leading to client privacy exposure
Regulatory implications
Evidence that client data protection gaps still exist
An objective expert’s perspective and call to ‘do more’ in banking
Barriers to advancing the digitalization of retail banking
Challenges to new service launch - agility & speed
DevOps as part of the new services agility-with-stability solution
Cause & effect: fluidity of new services drives omnipresence of client data
Transformation activities: C-suite collective alignment
Transformation project initiatives
Critical information protection – mini-transformation project initiatives
Scoping the problem
Preparing the solution
Implementation
Review and modify
Summary
Appendix A: The impact of regulatory requirements on data management processes
About Clearswift

Clearswift Client Data Privacy & Protection | September 2015 | Point of View Document www.clearswift.com

Introduction

Within the retail banking sector, digital has become the backbone of a new integrated fabric spanning all channels, value-added services, complex business processes and enhanced profitability. As the bank’s streamlining and ‘One-Click’ processes with clients become redefined by digitalization, the business imperative of accessing and protecting client data creates many new responsibilities and opportunities for adding value to the client experience and the operational efficiency of the bank, emphasizing the quantifiable challenges of client data privacy and protection.

There is little question about the significance of aligning the processes and channels required to deliver a digital platform; however, business efficiency needs to be assessed against the magnitude of client data and the need to protect it across the multiple interconnected channels of client engagement. Failure to understand the impact of the new channels on the distribution, availability and protection of client data will potentially result in inefficient digitalization, client disapproval and intensified data loss, either from the primary data holder or from one of its third-party data processors, and with it the potential for significant reputational damage.

“Banking is not somewhere you go, but something you do.” – Brett King, Bank 3.0, 2012

As branch formats are aligned to match customer profiles and needs in each location (everything from unmanned, fully automated to full-service outlets), the retail bank’s executives, including the Chief Operations Officer (COO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and Chief Compliance Officer (CCO), will have to wrestle on a daily basis with prioritizing a lengthy list of competing branch and country-specific infrastructure, complex processes, security and regulatory compliance requirements. As banks move away from a purely ‘contribution to profit’ consideration to include customer experience and access to funding in a low interest rate environment, the need for agility in providing new services has never been greater. However, banking is one of the most regulated industries, and the contagion of the 2008-2012 economic crisis has prompted many governments to establish increased operational regulations, requiring large banks to legally separate their volatile wholesale arms from their retail banks by 2019, when the Basel III international banking agreement comes into force, and implementing the Dodd-Frank Wall Street Reform Act, which updates the abolished US Banking Act of 1933 (Glass-Steagall), under the Volcker Rule. These soon-to-be-implemented restrictions will provide increased protection for clients’ best financial interests and also longevity for the banks, but the client now has a new, growing, monetizable asset held by the retail banks: ‘Personally Identifiable and Payment Information’.

When client data is considered an asset for both legitimate and criminal processes, it will serve to reinforce and differentiate the bank’s required investment in new technology as part of its digital transformation, raising the questions:

• Should client data held by the banks remain a line item within the broader list of security and compliance investment requirements for banks, or should it be separated, prioritized and treated as the monetizable asset it represents?

• It is essential, but is it possible for the rest of the bank’s C-Suite to enter the information security fold and transform client data privacy from a source of risk, anxiety and expense into a source of competitive advantage and brand distinction?

As banks transform to become fully digitized, providing the ultimate client experience, the pivotal nucleus will be the multiple channel accessibility and richness of CRM, social, personal and behavioral data. Understanding this information and exploiting it like never before will create the impetus for the bank’s collective executive leadership to prioritize client data privacy and protection as a “Vanilla Standard” for the bank’s new product and service offerings, as well as its broader enterprise cybersecurity and compliance framework.

Prioritization has implications that extend beyond the existing sole responsibilities of the CIO, CISO & CCO due to its direct impact on ‘Increased Penetration’, ‘Client Experience’, ‘Information Accessibility’ and on addressing ‘Security Concerns’, all of which directly drive improved client loyalty. Client data privacy, protection and leadership from a client advocacy standpoint will directly impact the top-line growth agenda of the bank’s senior executives, both through client loyalty and by stimulating the client to use the bank’s apps and websites more frequently, capitalizing on the transition of websites into a sales tool and not just a service portal. Simply put, ‘the heightened criticality of client data privacy and protection in retail banking is becoming a unified priority and business imperative for the entire C-Suite’.


Evolving the Retail Banking service for a sustainable client experience

An array of market forces in the new digital era is having a profound impact on the retail banking sector and traditional banks as we currently know them (Fig 1). Technological capabilities, regulatory requirements, and the consumer appetite for innovation and flexibility are creating an imperative to change.

Online banking is now a core element of both retail banking operations and client expectations. Competitive barriers for new, non-traditional entrants such as Atom, Fidor Bank, Starling, BankMobile and bKash are disappearing. In order to compete, banks must continue to transform themselves across all channels and operations into the required ‘always on’ bank of tomorrow, today.

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” – Charles Darwin

A new digital value chain promises to reshape how banks compete, operate, drive profitability and enhance interactions with clients. New channels for interactions and client engagement now exist to complement the evolving value of brick and mortar relationships in delivering client-specific service and a lasting experience, with the intention of driving client loyalty, value-added service/product adoption and topline growth through innovation and resource efficiency. This clearly has implications beyond the CIO and falls into the top-of-mind requirements of the CMO and other C-suite members.

Digitalization brand distinction: market context & considerations

Fig 1: Retail Banking re-visualized: The heightened need for client data privacy and protection can be a catalyst of a retail bank’s digitalization growth agenda and client advocacy of the brand.

[Figure: “Retail Banking re-visualized” market point of view. Diagram labels:

• Market forces: payments disruption; digitalization; client evolving & maturing appetite for technology; governance and regulations; lower competitive entry barriers

• Omni channel market outreach: client ‘one-click’; value-added services & products; multi-label strategy; ‘wow’ experience; online security; seamless support

• Other elements: digital platform; brand; growth agenda; sales leads, promotions & campaigns; 3rd party providers; branches, call centers, partners; client proposition & value; bank identity & values; client data (CRM, behavioral, personal, social, etc.); mobile; cloud; service cloud; sales cloud; product & service offerings]


1 “The Everyday Bank: A New Vision for the Digital Age,” Accenture, 2015.

2 Bank for International Settlements, www.bis.org/publ/bcbs98.htm

Supporting the Clearswift “Retail Banking Re-Visualized” market point of view is the 2015 report from Accenture¹ that emphasizes how digital technology increases the need for transformation: ‘Non-banks are capturing more and more of the banking value chain, providing services such as payments, checking and even savings accounts that could erode as much as one-third of traditional bank revenues by 2020’. The response is not just about evaluating branches, improving online and mobile banking offerings, or making current products and services “more digital”. Instead, the report says, “banks need to move further into the daily lives of customers, providing assistance before, during and after the financial transaction.” Accenture describes the “Everyday Bank” as having the capability to leverage the vast amount of insight it possesses about the client and their environment to become central to a customer’s digital ecosystem. The retail bank must reinvent itself as a value aggregator, advice provider and access facilitator, acting proactively on the customer’s behalf, improving reputation and trust.

New focal point: optimizing the client experience

The ambition of a retail bank’s digital transformation is to pivot to a new client-centric business model that is more about client experience than promoting products - which comes with the change in client interaction and trust. With the competitive entry barriers of yesteryear disappearing for new players, it is important for traditional banks to act quickly to implement this new model of retail banking, empowering customers to embed (and adopt) new forms of banking services & interactions into their digital lives.

Financial transaction behavior has moved on in so many ways, creating a new model of banking driven by the expectation of the individual, which banks need to support. New banks are often there first, as they are not encumbered with legacy systems, technologies and architectures. This creates further pressure on the traditional banks, who need to support their legacy environments while responding to the new requirements. Recent technological advances which need to be supported include the introduction of new digital currencies (for example Bitcoin, NueCoin, Ripple, Litecoin, Peercoin, Namecoin, Dogecoin, Next and Mastercoin), which are now widely accepted as a form of payment, as well as new online and mobile apps (for example Apple Pay, Mint, Spendee, Manilla, PayPal and SavedPlus) to carry out payment without the need of a traditional bank or credit card. Of course, coupled with this are the various forms of client-driven, enhanced digital outreach channels (including branches, mobility, apps and social media). Change in order to support these new mechanisms, at a speed the client expects, will involve usage, collaboration, movement and storage of client data on unprecedented levels. The increasing volume and importance of client data creates considerations related to the collection and treatment of data. As far back as 2003², the Basel Committee on Banking Supervision considered that while existing risk management principles remain applicable to e-banking activities, such principles must be tailored, adapted and, in some cases, expanded to address the specific risk management challenges created by the characteristics of e-banking activities. To meet customers’ expectations, banks must therefore have effective capacity, business continuity and contingency planning. Banks should also develop appropriate incident response plans, including communication strategies that ensure business continuity, control reputation risk and limit liability associated with disruptions in their e-banking services.

It would be ironic for, and undermining to, the bank’s next-generation investments and brand modernization efforts to neglect weaving client data privacy protection into every transformational step along the way. Simply put, banks cannot readily move towards the new model without simultaneously addressing the electronic-risk, or e-risk, implications, particularly client data privacy and protection. This viewpoint is depicted via the new e-Banking Client Centric Business Model (Fig 2) and emphasizes once again how the collective remits of the CHRO, COO, CMO & CIO converge around this issue. The diagram emphasizes that the central issue is not banking risk mitigation, but rather e-client loyalty, trust and brand preference.


Fig 2: Digitalization Client Centric Business Model: Implementing and enforcing a ‘Critical Information Protection’ framework can be instrumental in achieving a client-centric business model in the emerging e-banking era.

[Figure: Digitalization client centric business model. Digitalization enablement utilizing a ‘Critical Information Protection’ Framework for automated adherence for Client Data Privacy & Protection. Central label: Capturing Client Loyalty, Trust & Preference. Surrounding labels:

• Bank CMO: Demonstrated ‘client-first’ brand leadership & distinction in the digital era

• Bank CHRO: Reorganized retail bank and upskilled to deliver client specific engagement

• Bank COO, CCO: Value-Added Service Adoption, Business Empowerment aligned to Regulatory Compliance via ‘enhanced perceived value from the market’

• Bank CIO, CISO: Prioritised ‘client data privacy & protection’ with ‘Delivery Agility’]

Regulatory compliance, outside of current industry practices, will become routine in business on varying levels, and where the retail bank operates in more than one country the application may differ based on country and government privacy regulations. The Basel Committee on Banking Supervision (BCBS) consultative document ‘Principles for Effective Risk Data Aggregation and Risk Reporting’ provides the regulatory drivers for change within the industry and the implications for banks. The BCBS proposed 14 principles to ensure that data and associated processes used by the risk function are “fit for purpose”. Global Systemically Important Banks (G-SIBs) are required to implement the principles in full by the beginning of 2016. However, they would have submitted a self-assessment against the principles to their local supervisor in 2013. The BCBS paper sets clear expectations that banks will quantify their risk appetite and have robust infrastructure, processes and controls in place to monitor risks within the appropriate thresholds across credit, market, liquidity and operational risk. A summary of the 14 principles is provided in Table 1.


3 Risk, data and the supervisor: The clock is ticking… Deloitte & EMEA Centre for Regulatory Strategy

4 Retail Distribution 2015 – McKinsey & Company

5 The Data Loss Prevention Market by the Numbers 2014-2019, 451 Research, July 2015

Summary of BCBS Principles for Effective Risk Data Aggregation and Risk Reporting

Governance and Infrastructure

• The bank’s board and senior management must understand deficiencies in all aspects of the controls and aggregated data.

• Organisational boundaries must be overcome so risk data can be accurately aggregated across business lines, jurisdictions and legal entities in a timely manner.

• Systems must support risk data aggregation and reporting, including during times of stress or crisis.

Risk data aggregation capabilities

• Banks must demonstrate the ability to generate accurate and reliable aggregated risk data, largely automated to minimise errors.

• The capabilities will also need to meet all on-demand and ad hoc report scenarios in a timely manner, including during crisis situations and in response to a supervisory request.

Risk reporting practices

• Banks must ensure that reconciled, validated and accurate risk reports are presented to the appropriate stakeholders in a timely manner to support the decision making process.

• The reports must cover all material risk areas within the organisation and be easily understood by recipients.

• All material gaps or weaknesses are well understood and factored into the decision making process.

Supervisory review, tools and cooperation

• Supervisors will review and monitor banks’ compliance with the principles and use appropriate tools to ensure deficiencies are addressed in an effective and timely manner.

• The supervisor should have the ability to restrict growth in a bank’s risk-taking activities should it have concerns about data deficiencies.

Table 1: BCBS Principles for Effective Risk Data Aggregation and Risk Reporting³

However, rather than retail banks approaching this from purely a compliance stance, there is also an opportunity for established and trusted banking brands to take a leaf from the new online banks and start their regulatory adherence ahead of the legislation to demonstrate new thinking and operational excellence in the form of competitive differentiation. This in turn will help to allay the security concerns that consumers perceive as the major factor in why they are reluctant to bank online⁴, allowing retail banks to remain the trusted and preferred banking brands of the future. Standard competitive pressures mean that the new market entrants will move more quickly on this issue, as their foundation will be built upon access, collaboration and storing of digital content, thus formulating a new preference of trusted brands in e-banking.

The plethora of data loss incidents reported globally, which have unfortunately become commonplace, has meant that there are new operational capabilities available for banks looking to be more progressive in the area of client data privacy and protection. Voice of the Enterprise: Information Security from 451 Research indicates that fear of data loss or theft is the number one security challenge over the next 12 months and that the use of DLP in information security projects is a growth priority over the next 12 months⁵.

As with the execution of any technology category used to provide a business benefit, the technology industry has delivered a mixture of traditional and new features and functions over the past decade that address the nuances and evolution of individual businesses and implementation preferences, such as Virtualization (VMware), Mobile Pay (Apple), Adaptive Redaction (Clearswift), Bitcoin (technology, not crypto-currency). This has enabled retail banks to move beyond traditional security constraints, to prioritize client data protection and use security automation to create new sources of business value for clients.


Sitting above (or below) these features and functions has to be a framework that underpins any digital transformation. For the purpose of this report our focus is on client data privacy and protection. A ‘Critical Information Protection (CIP)’ framework (Fig 3) needs to be implemented as part of an organization’s mini-transformation projects. The CIP framework allows banks to avoid approaching client data privacy and protection in a regulatory compliance “check-box” fashion, and instead lends itself to appreciating the value assigned to each element of client data as it relates to the differing business units within each organization. By abstracting out the client data and wrapping privacy around it, it is possible for retail banking operational personnel and technology leaders to work closer together and create a foundation of automated client data management. For privacy to be effective there needs to be an understanding of the context of the data within the operational, regulatory, collaboration, new product applicability and other aspects of the retail bank. This allows the organization to mitigate the risk of cyber-targeting and theft of the information, or of exposing client data unintentionally.

The basis of the framework provides flexibility for organizations to implement these practices as part of the evolving change management that the retail bank needs to adopt in its aim of digitalization. If assurance as to the protection of client data can be given at all times, then agility in new service definition and rollout can be achieved in conjunction with the adoption of the new and evolving financial transaction technologies. Understanding the interdependencies of each practice (task) ensures that this is an evolutionary change rather than a radical revolutionary adoption, where feedback from clients, employees, 3rd parties, etc. can feed into the framework to ensure that their nuances can be appreciated and employed.

Fig 3: Critical Information Protection (CIP) Framework, Clearswift

[Figure: CIP framework diagram. Diagram labels:

• CLIENT DATA PRIVACY (CRITICAL INFORMATION PROTECTION): proactive threat mitigation; reg. compliance & audit; infra & end point security

• Risk handling as a foundational element of brand leadership

• OPERATIONAL RISK & REG COMPLIANCE (Prioritized Client Data Privacy Drives Brand Distinction)

• DATA: Small. Large. Structured. Unstructured. New. Complimentary. Old. Personal. Business. Social. IP. Text. Image. Report. Analytics. Simple. Complex. Raw. Information. Knowledge. Temporary. Permanent. Transient.

• Practices: Remediation; Security Governance; Employee Comms; Classification & Policy; Metrics]


• Employee communications: Building and sustaining a culture of client privacy and protection requires developing a program that engages employees in proactively taking steps to ensure more secure communications and processes, including providing mechanisms for employees to learn more about company data protection policies, why they are important, and how to raise issues to get results.

• Classification & policy: Not all data is sensitive, so understanding that there are differing data types ensures that there will be appropriate levels of policy enforcement. Begin with the data most critical to the enterprise and develop, over time, a data classification and policy management program that regularly solicits input from across the business on the most critical data to protect. Banks need to develop and deploy a methodology to prioritize this input in order to ensure that the right information is protected with the appropriate level of investment.

• Remediation: An effective remediation program will focus on sustainability to support digitalization, moving from reactive, employee-driven remediation processes (manual) to system-driven proactive remediation processes (automated) in the mid-term. Enforced automated remediation ensures that although the incidents and processes that encourage data loss activity may not be fully implemented, the technology acts as a guardian for the business/employee and ensures that client data privacy is protected and secure during this transition period. Development of future digital channels and business activities (M&A) can be integrated into the remediation program, ensuring that newly introduced data is protected until the necessary re-architecture and normalization activities have completed.

• Metrics: A metrics program must adequately measure data loss risk reduction both company-wide and at a more granular level (executive, business unit, department, etc.) to support ownership of data loss risk reduction. Communication of results, both successes and where more effort is needed, is essential in order to drive change and adoption. These metrics also help an organization assess and communicate critical information protection program performance and quantify the value realized.

• Security governance: Often defined within a cross-organization Steering Committee, it provides strategic direction to those developing the critical information protection program. This overarching program needs to cover areas of policy development and management; incident remediation process development and execution; collection and communication of metrics demonstrating program effectiveness and results; employee awareness, training, and engagement; and the selection and phasing of technologies for the critical information protection solution deployment.

Digitalization risk elements leading to client privacy exposure

With the compelling new model of retail banking, embedded with client engagement and retention, firmly in mind, there is a need to consider the specific elements of client data privacy risk that must be addressed, beginning with a look at the types of digital information banks routinely collect.

• Personal information: When one visits or uses online banking services, banks may collect personal information from or about individuals such as their name, email address, mailing address, telephone number(s), account numbers, limited location information (zip/post code to help find a nearby ATM), user name and password. Banks will also collect payment card information, social/nation/my ID security numbers and driver’s license numbers (or comparable), which are reasonably required for ordinary business purposes.

• Information usage and impact data: In addition to the personal information, banks may collect certain information about a client or prospect’s (channel demand generation) use of online services. For example, the bank may capture the IP address of the device used to connect to the online service, the type of operating system and browser used, and information about the site, the parts of the bank’s online service that were accessed, and subsequent sites visited. The bank or their third-party partners may also use cookies, web beacons or other technologies to collect and store other information about sites visited, or use of online services. In addition, banks may later associate the usage and other information collected online with the personal information from the individual.

• Omni-channel and mobile banking data: For convenience, banks offer the ability to access products and services through mobile applications and mobile-optimized websites (‘Mobile Banking’). When using mobile banking services, the bank may collect information such as unique device identifiers for one’s mobile device, the screen resolution and other device settings, information about location, and analytical information about how that consumer may traditionally use their mobile device. Consent is typically requested via location service permissions before collecting certain information (such as precise geo-location information).

• Additional sources of client information collected: Banks may also collect information about consumers from additional online and offline sources including from co-branded partner sites or commercially available third-party sources, such as credit reporting agencies. Banks may combine this information with the further sources of information they have collected about a client as defined under their Online Privacy Policy.


The combination of all the above types of personal and banking information provides the retail bank with a level of rich CRM data that exists today, but is often siloed across the differing operational units. The challenge to retail banks will be to assimilate this data for both client experience and client longevity. However, the downside of collecting these rich levels of data is that it exposes the organization, employees and 3rd parties to intentional and unintentional data disclosure, breach and theft, for which mitigation is required.

Firstly, there is the external movement and disclosure of client data. Banks may share the information collected from and about individuals with their affiliates and other third parties. For example, banks may share your information with:

• Affiliated websites and businesses in an effort to bring improved service across their family of products and services, when permissible under relevant laws and regulations

• Third-party service providers

• Other companies to bring co-branded services, products or programs

Today, it is becoming increasingly important to understand the full information supply chain in order to ensure adequate protection along its length. A data breach at a 3rd party data processor or an affiliate will have a negative brand reputation impact. Joined-up process and thinking is required to protect the information that has been shared.

Secondly, there is the internal movement and disclosure of client data. Banks share / disclose / manipulate varying levels of client data internally as part of their standard business operations and for product/service development. This is essential to track, alert and measure effectiveness for specific types of client segments. A few examples include:

• Development of new online services

• New product offerings

• Mobile transactions for differing users across a variety of device types

• Market testing for diverse/new demographic markets

• Marketing programs and campaigns

• Copies of data for disaster recovery and business continuity

• Freedom of Information (FOI) requests

Once again, a complete understanding of the use of the information is needed. As internal processes increasingly rely on external collaboration, it is not unusual for internal departments to outsource parts of projects, which may not be realized by those further up the bank. What was thought to be an internal project suddenly turns into an external one, with all the additional risks that are associated with it.

Regulatory implications

The global focus on Governance, Regulations and Compliance (GRC) has accelerated across regional boundaries as the opportunity to expand commercial operations via technologies such as web 2.0 and mobile applications, amongst others, is realized. In the case of client data, Retail Banks should adopt a ‘Client First’ approach to GRC as the exponential growth of client-related data develops and the diversity of operations spans traditional banking silos.

As a heavily regulated industry, there are multiple regulations that must be adhered to. Some of the primary data protection regulations that Retail Banks have to comply with by law are outlined in Table 2.

| Regulation | Data Included | Regulation Revision Planned | Primary Region Focus |
| --- | --- | --- | --- |
| Safe Harbor6 (see Appendix A) | PII | Yes (2015–2017) | US – Europe; US – Switzerland |
| EU Data Protection Directive 1998 | PII | Yes (2015) | 28 EU Member States |
| PCI-DSS | PCI | 3.2 due 2016 | Worldwide |
| Electronic Communications Privacy Act | PII, PCI | No | US |

6 http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

Table 2: Examples of primary data protection regulations governing client data


The current European Data Protection Directive is due to be superseded in the next 6 months, with its replacement becoming law within 2 years (~2017) and bringing with it the possibility of massive fines based on 2-5% of global turnover (or up to €100,000,000 if required). This document positions compliance with the new EU General Data Protection Regulation (EUGDPR) during the timeframe of digitalization, without the need to revisit the old ‘directive’ compliance that may create an opportunity for retail banks to be non-compliant and visible to the FTC, ICO and other regulatory organizations7.

Evidence that client data protection gaps still exist

A recent survey on data protection and privacy highlighted that client data protection is still a major concern for EU Citizens8.

When it comes to control over personal data:

• >80% feel that they do not have complete control over the personal data they provide online.

• 66% are concerned about not having complete control over their personal data.

The respondents were most concerned about the recording of their activities via payment cards and via mobile phones,

both of which have a direct impact on the next generation bank. Building trust in a digital platform with protection around

personal (client) data will provide the competitive advantage.

In a separate question around the disclosure of personal data:

• >70% say that providing personal information is an increasing part of modern life and accept that there is no other alternative.

• >50% disagree that providing personal information is not a big issue for them.

The majority of people are uncomfortable with Internet companies using information about their online activity to tailor advertisements, and >66% think it is important to be able to transfer personal information from an old service provider to a new one. We live in an era where competitors are only a click away, and new legislation to help individuals move accounts means that keeping and maintaining loyalty becomes critical to growth.

When it comes to the management of personal data by third parties:

• 70% say that their explicit approval should be required in all cases before their data is collected and processed.

• 70% are concerned about their information being used for a different purpose from the one it was collected for.

Almost all respondents say they would want to be informed should their data be lost or stolen, with 66% believing the

public authority or private company handling the data should be the ones to inform them if it has been lost or stolen.

It is unfortunate that data breaches are no longer ‘if’ but ‘when’; however, understanding the viewpoint of the client means the organization can respond accordingly.

For many organizations there is often a ‘click-through’ privacy policy, however only 20% of people fully read privacy

statements. Most do not read them because they find them too long to read, unclear, or too difficult to understand.

7 FTC, ICO and other regulatory organisations. Federal Trade Commission (US), Information Commissioners Office (UK), Federal and regional regulators (DACH), Dept. of Health and Human Services (US), Federal Data Protection and Information Commissioner (Switz), etc.

8 Source: Admin By Patrick van Eecke and Mathieu Le Boudec; http://blogs.dlapiper.com/privacymatters/europe-recent-survey-finds-that-data-protection-remains-a-major-concern-for-eu-citizens/


9 The full keynote speech of the EDPS: https://secure.edps.europa.eu/EDPSWEB/edps/site/mySite/Strategy2015

An objective expert’s perspective and call to ‘do more’ in banking

Data security experts and authorities agree that a more concerted and proactive approach is required for securing client data

as a critical priority beyond the standard compliance check-box-approach. At a recent Cybersecurity and Privacy conference

in Brussels (April 29, 2015)9, keynote speaker and recently appointed European Data Protection Supervisor (EDPS) Giovanni

Buttarelli commented on his 5-year strategy. While acknowledging the importance of cybersecurity for the sustainability of

our digitally supported economy and society, Buttarelli stated that the privacy challenges cybersecurity entails are not to be

minimized, and that its objective is not to be misused to justify measures weakening the protection of data protection rights.

Buttarelli also addressed the tension between cybersecurity and data protection, stating that “The rights to privacy and data

protection have long been perceived as conflicting with the objective of cybersecurity. I believe this is a misperception.” Instead, a high

level of cybersecurity should ensure that such measures help improve the security of all information processed, including

personal data. Cybersecurity can play a fundamental role for retail banks in contributing to ensuring the protection of individuals’

rights to privacy and data protection in online and omni-channel environments.

He continued by warning that “cybersecurity must not become an excuse for disproportionate processing of personal data”.

To find the right balance, data protection principles such as necessity and proportionality can be applied to help guide

privacy-by-design and privacy-by-default for cybersecurity solutions.

Buttarelli also addressed the ongoing efforts to reform the EU data protection framework, noting that a key plank of the reform is data security. Under the current legal framework, the three elements that determine the selection of adequate technical and organizational measures are:

• The risk of the processing

• The state of the art

• The cost of the measures

He noted that the third element must not be overstated, given the importance of appropriate data security. “A proper cost benefit analysis would demonstrate that data security benefits not only individuals whose personal information is processed, but also the professional reputation of the organization processing the data.”


Buttarelli explicitly mentioned various sectors and initiatives that are expected to need to deal with cybersecurity more intensively: the banking and health sectors, and IT initiatives such as the Internet of Things (IoT), Bring Your Own Device (BYOD) and Wearables, as attacks on these would have a significant impact on privacy and the protection of personal data.


Barriers to advancing the digitalization of retail banking

Challenges to new service launch - agility & speed

There is a natural and well-intended friction point between the top line growth Executive leaders (COO, CMO and Dept. GMs) and IT leaders (CIO, CISO and CCO). The former have a desire to launch and monetize new services as quickly as possible. However, IT leaders have a different point of view and are chiefly concerned with client support, service stability, security and compliance as priorities over speed. The latter ambition requires a slower and more risk-averse approach to new service roll out to ensure new products, channels and services are adequately secure and adhere to necessary regulatory compliance, whilst achieving the required levels of operational excellence. Because of this, IT executives are more inclined to adopt a methodical and controlled roll out, perhaps one new service per quarter, whereas the top line growth Executives would ideally wish to see one new service per month. This disconnect is clearly visible and understandable from both vantage points and therefore needs to be addressed.

DevOps as part of the new services agility-with-stability solution

Historically, CIOs have managed new services creation through linear and controlled processes known as Information Technology Infrastructure Library (ITIL) and IT Service Management (ITSM) standards respectively. These standard practices were created at a time when IT had a monopoly on the enterprise technology infrastructure and the world moved at a slower pace than it does today. The rationale was that linear and controlled stages of design, development and testing would precede any new service release in the spirit of stability and a successful launch. Unfortunately, this approach is now dated, and the lead times required to accommodate this discipline do not match the speed of today’s business dynamics and the related appetite for new service launch and consumption.

Today’s solution is often for IT organizations to use a growth unit of the organization called DevOps to acquire the ability to roll out services with both speed and stability. DevOps combines application and new service developers with operations personnel to achieve the best of both worlds. DevOps is a major user of client data, which it uses to ensure that the new products/services are aligned to the specific client/prospect market being targeted. It is essential for the COO or CDO (Chief Development Officer) to align many of the elements from the critical information protection framework into the development practices to secure the client data within these new services, to eliminate the barrier to roll out and obtain the agility required by the C-suite.

Cause & effect: fluidity of new services drives omnipresence of client data

Solving the new service launch velocity problem through DevOps leads to another tangentially related issue. There is a common

perception that data while in its stationary state or ‘at rest’ within IT systems is secure. This perception is to a large extent true

and server-based platforms where data resides such as databases, CRM, ERP systems and the like are reasonably protected

from prying eyes. However, the issue that people often fail to realize is that today’s (and the future’s) retail banking enterprise

is highly fluid and dynamic. The creation of new services means that client data is constantly in motion and not simply residing or

resting within protected IT systems. Client data is continuously being processed and shared by many different personnel, 3rd

parties, and systems across the enterprise. The collective need for the data from multiple individuals or parties conducting

their day-to-day operational roles within and even outside the bank requires data to be extracted from where it securely sits and

utilized accordingly. Hence the root cause that exposes client data is data-in-motion, collaboration and replication.

The challenges that organizations can encounter can be seen if we look at how client data privacy and protection challenges

originate and then exponentially grow just by the simple way in which banks create, roll out and conduct new digital channels

and services. Below is a simplified example to illustrate the problem:

1. It all starts with a single master record in a database for any given client. The master record is a single copy that securely

resides within a database, but then there is an interaction between systems (web, application etc.) as part of the

day-to-day banking operations for services and transactions.

2. During this process, data is repeatedly extracted (fully or partially) from where it resides.

3. The omni-channel services will mashup10 data with other sources of data, various payment methods, authorization checkpoints, security policies and automated processes. This places client data into new form factors and different types of records that reside on multiple IT systems.

4. It is then viewed, analyzed, reported on, shared, copied, and stored by many different individuals along the operating

value chain – taking what was once the original single client master record and transforming that into multiple form

factors and records.

5. To visualize the magnitude of this, take this example of a single client record being replicated, and multiply that with

the number of clients a bank has. It is not unfeasible to have 100s of copies of what was a single record roaming the

organization at will – and that doesn’t take into account the versions in system backups!

10 ‘Mashup’ is the integration of heterogeneous digital data and applications from multiple sources for business purposes. An enterprise mashup is also sometimes known as a business mashup or, less precisely, as a data mashup.


Figure 4 provides a true picture of how over the past 35 years retail banking has evolved from data collaboration being

a singular interaction with minimal restructuring of the original dataset to the current goal of digitalization where client

data moves in multidirectional channels and interactions, accumulating and jettisoning portions of data during its journey.

Transformation activities: C-suite collective alignment

As previously mentioned, a cyber security architecture and internal compliance (operational) policies designed to mitigate digital threats on behalf of the organization are only a subset of a broader enterprise risk and compliance framework. And, as cybersecurity specialists are well aware, client data privacy protection is only one element of a multi-faceted security and operational architecture. This paper asserts that client data privacy and protection must be prioritized and separated from those broader risks and compliance constructs. Implementing client data privacy and protection as the ‘foundation’ for a portfolio of new products and services provides the cohesion that was previously missing, yet required for efficient service creation, launch & monetization. Once that concept is agreed upon, additional accountability must be assumed by the entire C-Suite, and then the challenge shifts to how to make Client Data Privacy and Protection implementation actionable.

[Fig 4: Multichannel data proliferation for digitalization, Clearswift. Figure title: “2020: The definitive transformation to Retail Banking digitalization comes with a heavy (data) touch”. Panels: 1980 – 2000 Digitalization of Payments; 2000 – 2010 Digitalization of Payments; 2010 – 2020 Full Digitalization with a human touch (Omni-Channels).]

Figure 4 annotations:

• Digital Banks (labels: FIDOR, STARLING, ATOM): Open the Digital Bank before non-banks do, addressing client security concerns.
• Branches: Right size and boost sales performance, fully digital with a personal touch
• Products: More tailored to individual needs, integrated based on client journey, close revenue ‘leaking’
• Video/Call Centres: More tailored to individual needs, increase service to sales conversation, freeing up resources
• Data: Accessible, integrated, secured, compliant, behavioural, social
• Increasingly complex processes, appreciative of IT effectiveness, organisational/cultural change, metrics (new)


Traditional banks understand the power of their brand as an asset and also that they are not immune to having their brand tarnished in the eyes of the consumer and shareholders, as has happened in other industries (automotive11, entertainment12, retail13). Brand value is a component of growth and identity, and the basis for loyalty, service adoption and preference within the client base.

Today, clients want to know that their personal information is safe and the platforms the banks provide for interactions and

transactions are secure. There is an opportunity to think about client critical information protection differently in banking to

deliver that promise at greater levels and enhance the reality (not just perception) of trust with clients.

At the risk of oversimplification, the banking digitalization transformation construct is comprised of three tiers, as shown in Figure 5.

• The first or top tier of a client-centric business model is what we call the “client modern experience.” This is about creating

modern, relevant services and is the outbound interface (channels) banks have with their clients that drives loyalty and

new service adoption. At this point client loyalty is derived from the clients’ perceptions of security, trust and value they

receive from their bank’s services and interactions.

• Below this layer is the “operational transformation layer,” which enables the client experience and creates the ability to

deliver new client centric products and services with greater speed. Delivery is via omni-channels and includes improved

operational cost efficiencies through the implementation of branch variants. These require new platforms, business process

optimization, applications (web/mobile) and rich client data analysis and management. It is at this stage that the organization

defines its digital growth and operational initiatives via mini-transformation projects; these in turn drive growth.

• The third layer, reinforcing the operational layer, is the “operational risk and regulatory compliance layer.” Intended to be an

all-encompassing approach to digital risk mitigation, it involves infrastructure and endpoint security; regulatory compliance

and audit; and proactive threat mitigation (i.e. anticipating and addressing the notion of threats, including ‘zero-day threats’ that

loom beyond the horizon), three common categories of focus for CIOs and their security leadership and compliance teams.

Client data privacy resides within the broader enterprise risk handling, security and compliance framework. However, in order

to achieve efficiency in the three layers, client data and its privacy must be extracted from the broader framework and given

its own dedicated layer, prioritizing this matter on behalf of clients. Not doing so has the potential to undermine the bank’s

agility, growth strategy and potentially the client perception of the brand.

By taking this approach, banks are explicitly approaching this as a ‘Client First’ initiative. Progressive banks and the new

online banks are committed to collectively align and lead in this area. The Executive team have an opportunity to obtain the

client loyalty for which they are striving and will likely achieve the coveted growth velocity for their brand within a crowded

and competitive landscape.

Fig 5: Prioritizing Critical Information Protection: As the “foundation” client data privacy is a catalyst for achieving the needed operational transformation that delivers on the retail bank’s growth agenda.

[Figure 5 labels: Retail Banking Top-line Growth ‘Client Centric Business Model’. THE CLIENT MODERN EXPERIENCE (Drives Service Adoption): Client Perceived Trust; Client Perceived Security; Client Perceived Compelling Value of Services & Interaction; CLIENT LOYALTY. BANK OPERATIONAL TRANSFORMATION (Drives Delivery, Relevancy & Growth): Data Leverage & Treatment; New Services; Omni Channel; New Apps; BANK DIGITAL GROWTH INITIATIVES/IMPERATIVES. OPERATIONAL RISK & REG COMPLIANCE (Prioritized Client Data Privacy Drives Brand Distinction): Proactive Threat Mitigation; Reg. Compliance & Audit; Infra & End Point Security; RISK HANDLING AS A FOUNDATIONAL ELEMENT OF BRAND LEADERSHIP. CLIENT DATA PRIVACY PROTECTION POLICY & ADHERENCE.]

11 www.khaleejtimes.com/business/auto/i-am-endlessly-sorry-brand-is-tarnished-vw-ceo

12 www.gamespot.com/articles/sony-brand-name-seriously-tarnished-by-hacking-con/1100-6424359/

13 www.gamespot.com/articles/sony-brand-name-seriously-tarnished-by-hacking-con/1100-6424359/


“Cyber security is paramount to rebuilding this trust – winners will have invested significantly in this area.” – PwC Retail Banking 2020 – Evolution or Revolution

Transformation project initiatives

The road to full digitalization for retail banks will take the collective effort of the entire organization to succeed. But viewing this in its entirety is overwhelming and would trouble even the most accomplished academic, consultant or seasoned banking executive. The transformation needs to be broken down into manageable, achievable ‘chunks’.

1. What is your organization’s 2020 vision?

• What would a blueprint look like for transactions, service and support as well as sales and financial advice?

• How can the client experience be elevated with innovation by removing their biggest frustrations?

• Do you wish to be a follower or innovator?

• What is your greatest priority – cost reduction or service revenue growth?

Responses to these challenges will provide the organization with a starting point and a view of what success against the target blueprint will look like.

2. Agree a set of mini-transformational projects to deliver the blueprint:

As previously mentioned, a set of mini-transformational projects allows the organization to break down the overall blueprint into manageable stages. It also encourages the multiple disciplines within the organization to play an effective role in delivering digitalization. Each project may have sub-projects within it, but these will effectively roll up to deliver the main project, enabling the deliverables team/individual to stay focused on an end goal.

Prioritizing the projects to give quick-wins followed by ‘biggest bang for the buck’ will help to maintain momentum.

Nothing succeeds like success.

3. Top down execution:

• An overall project lead (Executive level) needs to be assigned to track and ensure execution and ownership

of the mini-transformation projects

• Assign a realistic investment budget that spans the length of the overall project that is ring-fenced. Unworkable budgets

ultimately lead to failing services and then to client discontent

• Communicate to the whole organization what is happening, what they can expect to experience, how it may affect them

and what the target goal looks like

Critical information protection – mini-transformation project initiatives

From a bank’s perspective, client data is the client, and client data is the most critical information that the bank holds. Therefore, within the mini-transformation projects, there is the need to address the critical information protection framework (Fig 3). With any new initiative, it is essential that the groundwork has been accomplished effectively prior to implementation.

The effectiveness of the critical information protection framework is achieved by creating a foundation for the collection, access, collaboration and storage of an increasing volume of rich data. Organizations need to address this project with an open stance and ensure that all leaders, operational staff and developers are encouraged to build out the current picture of data residing within the organization, irrespective of current activity or applicability to the future goal.

Without this understanding, the ability to enforce policies, apply remediation actions, ensure compliance of security governance and report on the metrics of success becomes an impossible task.


Scoping the Problem

1 Have we defined what is our most critical / sensitive client data?

2 Do we know where it’s located (endpoints / databases / archives / etc.)?

3 What is the financial / reputation risk if this data was lost/stolen (quantified, and by example)?

4 How are other organizations / competitors in our industry solving this problem (by example) and what is their experience?

5 What are the regulatory / legal obligations regarding our client information?

6 How much will this cost CapEx / Opex / TCO and what is the ROI?

7 How long will it take to implement and by whom?

8 Which departments will need to be involved and which told about the project?

Preparing the solution

1 How will we classify this information as critical (electronic / human) in each location and how long will this

exercise take?

2 What organizational changes (staff / training etc.) will we need to undertake in order to make the solution

effective and when?

3 Is there a technology solution available to capture all the potential egress points, whether accidental or malicious, of our client information (including cloud, mobile and bring your own device)? Will this come from a single supplier, or will multiple suppliers be required?

4 Does the solution fit within our existing infrastructure today or is further investment required?

(Will the solution be on-premise or in the cloud or a bit of both)?

5 Who is going to own the project (CIO / CTO / other)?

6 Can we get help before, during and/or after the project? From consulting, product and ongoing support perspectives.

Implementation

1 Which department or process will be first? Will this include partners in the extended enterprise, such as

suppliers or third party data processors?

2 How will success be measured and over what time period?

3 What happens if some information is re-classified from / to critical during the project? Is there a contingency or process for changing priorities?

4 What will be the response to a data breach (especially if this happens before or during implementation)?

A summarized approach is to resolve the following statements with a cross-functional team, with a view to reporting back

to the C-suite (probably through the CIO):

Once the team/individual have accumulated all avenues of information and research, the mini-transformation project team

will then need to address the following statements. Many of these statements will require cross functional disciplines to be

employed, emphasizing the need for the project team to include not only data owners but also data users and data governors.

You are now in a position to implement the transformation of your critical information protection framework, enabling

the organization to ensure a ‘client first’ approach to client data privacy and protection.


Review and modify

As each mini-transformation project is implemented and completed, a review should be carried out to ensure that unpredicted influences on client data privacy do not impair the effectiveness of the critical information protection framework.

Looking to the future, the environment that the retail bank operates in will move as quickly as technology evolves and clients consume the services provided. This is not a set-and-forget project; the organization needs to assign owners to regularly review the critical information protection framework as new services and products are developed. It also needs to be reviewed as new data is created and new collaborative partnerships are formed, as part of the bank’s growth strategy.

Summary

Retail banking is going through a period of unprecedented change. Banks with large amounts of heritage are coming under threat from new players who see their ability to react more quickly and efficiently to client demands and to trends in the marketplace as the competitive advantage they need to break into the market.

For banks to move to digitalization in an agile manner they need to be assured that their client data is protected at all times. Implementing a Critical Information Protection Framework which protects the client data first, no matter where it exists, can give them the ability to roll out new services more quickly. This is not just about technology; it is also about people and processes.

Transformation needs to happen at all levels, and while it is happening, client data must be protected at all times. The importance

of client data at the ‘micro’ level, or the individual, is sometimes lost when talking about millions of clients. However the effects

and distress it causes to individuals are all too easy to see. The good news is that all employees will also be clients in some shape

or form – so they need to protect the information they are responsible for in the same way as they would expect others to protect

their own information.

Growth in all businesses, but especially in banking, is predicated on trust. Without trust, clients will take their business elsewhere, immediately. Putting client data and client privacy as the foundation for the digitization of retail banking and

protecting these valuable client assets with a critical information protection framework will build client trust, which will

create the foundation for growth.


Appendix A: The impact of regulatory requirements on data management processes14.

Impact of key regulatory requirements on banks’ data controls

Data controls assessed for each regulatory initiative: Data capture, Data aggregation, Data reporting, Data protection, Data governance.

Regulatory initiatives:

• INT: BCBS principles for data aggregation and risk reporting
• INT: FSB common data template for G-SIBs
• INT: Legal Entity Identifier initiative
• INT: BCBS review of pillar 3 disclosure requirements
• EU: Recovery and Resolution Directive (RRD)
• EU: Revisions to Capital Requirements Directive (CRD 4)
• EU: Common Reporting (COREP)
• EU: MiFID II
• EU: European Market Infrastructure Regulation (EMIR)
• EU: Revisions to the Market Abuse Directive (MAD II)
• EU: Commission proposals on reform of data protection rules
• EU: SEPA Regulation
• UK: ICB recommendations
• UK: Changes to the UK supervisory architecture
• UK: Wheatley Review of LIBOR

Region key: UK; EU; INT (International).

Impact key: Direct impact; Potential indirect impact; Significant impact unlikely.

14 Risk, data and the supervisor: The clock is ticking… Deloitte & EMEA Centre for Regulatory Strategy


Disclaimer: The Deloitte impact analysis is based on policy measures proposed in the latest official text for each regulatory

initiative which may be subject to change. Deloitte have assumed as a starting point that banks’ data processes are adequate

to meet current regulatory requirements. The actual impact will significantly vary from bank to bank.

Indeed, the Bank of England and the Financial Services Authority (FSA) have stated that the new PRA will validate firms’ data “through onsite inspections.” In addition, the proposed BCBS risk data principles advocate testing firms’ data processes to ensure they are robust enough to withstand a range of adverse scenarios including a surge in business volumes and potential crisis situations.

One thing is certain: poor quality, incomplete and inconsistent data is likely to put a serious strain on a firm’s relationship with its supervisors and will lead to further scrutiny and challenge of the sufficiency of its risk management and governance processes in general.

Safe Harbor Reform

1. The following ruling was delivered by the Court of Justice of the European Union, 6 October 2015

‘The Court finds that Safe Harbour denies the national supervisory authorities their powers where a person calls into question whether the decision is compatible with the protection of the privacy and of the fundamental rights and freedoms of individuals. The Court holds that the Commission (Irish supervisory authority (the Data Protection Commissioner)) did not have competence to restrict the national supervisory authorities’ powers in that way. For all those reasons, the Court declares the Safe Harbour Decision invalid.’

2. The following reform was proposed prior to the ruling by the Court of Justice of the European Union, 6 October 2015

EU concern with the adequacy of the Safe Harbor framework intensified after the June 2013 disclosure of PRISM, the US government surveillance program under which the NSA is reported to have secretly monitored the personal data of EU citizens whose data transfers to US online service providers were made possible by these providers’ self-certified Safe Harbor compliance.

Prodded largely by this discovery, the European Commission cited a host of alleged deficiencies in the Safe Harbor self-certification and enforcement procedures and recommended to the European Parliament and European Council Safe Harbor reforms consisting of 13 requirements.


www.clearswift.com | © Clearswift 2015

United Kingdom
Clearswift Ltd
1310 Waterside
Arlington Business Park
Theale
Reading, RG7 4SA
UK

Germany
Business Excellence
IM Mediapark 8
50670, Koeln
GERMANY

United States
Clearswift Corporation
309 Fellowship Road
Suite 200
Mount Laurel, NJ 08054
UNITED STATES

Japan
Clearswift K.K
Shinjuku Park Tower N30th Floor
3-7-1 Nishi-Shinjuku
Tokyo 163-1030
JAPAN

Australia
Clearswift (Asia/Pacific) Pty Ltd
Level 17
40 Mount Street
North Sydney
New South Wales, 2060
AUSTRALIA

Clearswift is trusted by retail banks and other organisations globally to protect their critical information, giving them the freedom to securely collaborate and drive business growth. Our unique technology supports a straightforward and ‘adaptive’ data loss prevention solution, avoiding the risk of business interruption and enabling organisations to have 100% visibility of their critical information 100% of the time.

For more information, please visit www.clearswift.com