The currency of technology

10.07.2006
Hong Kong's banks don't operate like HK's post offices, where clerks deal out coins and paper stamps in nineteenth-century fashion. Banks must leverage IT to serve an increasingly sophisticated public, while balancing security concerns and increasingly tight compliance issues.

"Even my 80-year-old mum knows she ought to ask for higher-yield deposits or guaranteed funds when she goes to the bank," said Michael Leung, senior VP and CIO, Information Systems Group, Bank of America (Asia). Leung explained that the increasing sophistication of both banking products and customer expectations was a positive trend, as well as a driver for Hong Kong banks to raise the overall level of their technology.

The overall compliance picture is driving higher adoption of IT among Hong Kong banks, according to Leung. "Legacy systems often cannot fulfill the requirements of Basel II, Sarbanes-Oxley or Anti-Money Laundering related guidelines," he said. "We can add capacity to the mainframe and 'bandage' the applications, but these compliance measures require the capture of more specific information. For example, if a loan went really bad in the past, we could simply write off the loan, turn it over to a collection agency and book whatever they could recover as income. Now, we have to capture data related to the principal, interest owed, amounts recovered and the source of repayment even though the payment is made years after."

Major computer surgery

This need for more data collection and more complex collation has driven Bank of America (Asia) to start working on a core banking system replacement opportunity, a process Leung likened to "open-heart surgery." The process really began with preliminary exploration and staff training about a year ago, and will likely take two additional years to complete, he said. "This not only involves the core system but many peripheral applications," said Leung, "including investment products, teller systems, online banking, ATMs and cards, data warehousing: all these are integrally connected to the core system."

Leung added that another hurdle was retraining his core banking team of 16 programmers, who were more comfortable with RPG (AS/400) coding than J2EE and .NET. "You basically have to do a 'brain-dump' to get an RPG guy to switch over to Java," said Leung jovially. "Not only are we using new tools, but also a new development platform." The BofA CIO explained that the new system is Unix-based, with a front-end based on Windows and .NET, and a back-end using EJB/J2EE and Unix middleware. Leung said that he considered deploying Linux, but "the available Linux system monitoring and management tools, in my opinion, are weak compared to their more mature Unix equivalents."

The process started with training, "not only training on technical matters but also on business and operation issues," Leung pointed out. "We had to change our processes and learn how to do things differently."

As for vendor selection, Leung said he considered adequate local support to be "paramount." "Look at SARS," he said. "At that time, you had to have local support: even if you offered them a first-class ticket, [support technicians] would not come to Hong Kong!" Leung's example is a wake-up call: some support roles cannot be fulfilled by telecommuting or call centers, but require 'boots on the ground' due to security and compliance concerns.

"We have mainframe, Unix and Windows environments, but Windows-based development tools are changing too fast, making maintenance a headache for us," said Thomas Ng, head of IT at Dah Sing Bank. "For example, how many applications developed using Windows-based tools six years ago are not to some degree obsolete by now? We cannot afford to keep upgrading development tools that add no business value. That is why mainframe applications can survive for so long."

"Windows is fine for new developments, but a nightmare to use with existing systems that have been developed on older tools," said Ng. "We have to upgrade constantly...systems can suddenly become obsolete and support can be stopped very quickly."

Two-factor authentication

It's been a year since the Hong Kong Monetary Authority (HKMA) mandated two-factor authentication for online transactions. One possible approach is a "hard token" such as the devices HSBC mailed out to its customers about a year ago, but not all financial-sector IT experts are convinced.

"We're not sure yet if a hard token is the best way to go," said Ng from Dah Sing Bank. "In absolute security terms they are pretty good, but there are alternatives: some companies sell services or software that enable your mobile phone to act as a token. So during transactions the mobile phone is sent a PIN or a temporary key that you enter on your PC or whatever device you're using to authenticate and approve the transaction."
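An added illustration, not code from the article or from either bank: a minimal server-side model of the "phone as token" scheme Ng describes, where a short-lived PIN is sent to the customer out of band and is only accepted for the exact transaction it was issued for. The server secret, the 120-second lifetime and the three-attempt limit are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed policy values (assumptions, not from the article).
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


class OtpService:
    """Issues a one-time PIN bound to one transaction; keeps only its HMAC."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now  # injectable clock so expiry can be tested
        self._pending = {}  # txn_id -> (digest, expires_at, attempts_left)

    def _digest(self, txn_id: str, amount: str, payee: str, pin: str) -> str:
        # Binding amount and payee into the MAC means a PIN captured for one
        # payment cannot be replayed to approve a different (altered) one.
        msg = f"{txn_id}|{amount}|{payee}|{pin}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, txn_id: str, amount: str, payee: str) -> str:
        pin = f"{secrets.randbelow(10**6):06d}"  # 6 digits, CSPRNG
        self._pending[txn_id] = (self._digest(txn_id, amount, payee, pin),
                                 self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return pin  # hand to the SMS gateway; never return it to the browser

    def verify(self, txn_id: str, amount: str, payee: str, pin: str) -> bool:
        entry = self._pending.get(txn_id)
        if entry is None:
            return False  # unknown, already used, or already invalidated
        digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[txn_id]  # expired or locked out
            return False
        ok = hmac.compare_digest(digest, self._digest(txn_id, amount, payee, pin))
        if ok:
            del self._pending[txn_id]  # single use
        else:
            self._pending[txn_id] = (digest, expires_at, attempts_left - 1)
        return ok
```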

"We use the e-cert right now to enable e-banking," said Ng, "but we also acknowledge it is not ideal. It's too difficult to use and users cannot carry it with them...I think to try and change or improve the e-cert right now would not be easy...that's why the tokens have appeared."

Leung said that there are four types of high-risk transactions for online banking, and his bank decided to use the Hong Kong Post Office's e-cert (an electronic certificate embedded in Hong Kong's SIM card-equipped smart ID cards) scheme.

However, the HKPO has backed off the e-cert approach due to, among other reasons, a lack of acceptance by the general public. Leung added that he was disillusioned by the entire e-cert experience and that his bank would consider other solutions such as hard tokens generating one-time passwords (OTP). "I'm disappointed [with the e-cert]," he said. "I feel we were somewhat led down the wrong path by the concerned entities."

However, Leung pointed out that the e-cert scheme was one of the first such schemes implemented, and as anyone in IT knows, early adopters often get the short end of the stick. That said, Leung noted that his bank will continue to support customers currently using e-certs as a second factor even as it may roll out hard tokens with an OTP function.

"So far you see banks all opting for different options," said Ng from Dah Sing, "as there's no accepted standard technology or method for banks to adopt. I don't think in the near future, there will be a single standard tool or technology that all banks will adopt."

Online take-up

As for take-up in online banking and stock trading, Leung pegs it at 30 to 40 percent of his user base. "That's the metric we use for transactions," he said, "although many customers check our website for information and register for SMS alerts, like stock prices and currency rates, without doing a transaction; we provide this information as a service."

Ng from Dah Sing said while e-banking was not "hugely popular...we are still one of the e-banking providers with the most customers [in Hong Kong]. We are still expanding our e-channels, [and also] making it possible for mobile banking via emerging mobile devices."

Ng added that the growth of 3G and GPRS usage would also encourage more mobile banking usage, a trend which might help drive e-cert adoption "as the advanced devices can easily have the e-cert embedded."

The phish factor

Leung said that his bank only endorses Microsoft's Internet Explorer browser, as he feels there are security issues with Firefox (IE's main competitor, although there are several other web browsers on the market). But the BofA CIO said that phishing represents a bigger security risk. While he is not aware of any successful phishing attempt ever having occurred at the bank, Leung added that even if bogus high-risk transactions cannot be completed, personal data such as usernames and passwords can be compromised if the bad guys succeed in fooling Netizens.

And he's seen phishing attempts made on his bank's homepage. "One of the interesting aspects is that the fake page was made in the USA, and doesn't use a double-byte character set, so the button that says 'Chinese version' in Chinese characters displays as a double question-mark," he noted. However, Leung said that Netizens should always be vigilant against phishing attempts. "I've seen 'bank0famerica' and 'bankofamerca' used as URLs," he said. "One character will be off and people might not notice that the URL is wrong." As always, online banking customers should never click on embedded hyperlinks, and remain vigilant about phishing schemes.
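An added example, not code from the article or the bank, of the check a mail or proxy filter can apply to the one-character-off URLs Leung describes: it folds common digit-for-letter substitutions (the '0' in 'bank0famerica'), measures edit distance to the brand label (the dropped 'i' in 'bankofamerca'), and also flags the brand name appearing as a subdomain of some other registered domain. The trusted hosts, brand label and homoglyph table are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed values (assumptions, not the bank's real configuration).
TRUSTED_HOSTS = {"www.bankofamerica.com", "bankofamerica.com"}
BRAND_LABELS = {"bankofamerica"}
# Digits commonly substituted for look-alike letters in phishing hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_url(url: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return "trusted"
    for label in host.split("."):
        folded = label.translate(HOMOGLYPHS)
        for brand in BRAND_LABELS:
            # Equality after folding catches '0' for 'o'; a small edit distance
            # catches dropped or swapped letters; checking every label catches
            # the brand used as a subdomain of an unrelated domain.
            if folded == brand or edit_distance(folded, brand) <= max_distance:
                return "lookalike"
    return "unknown"
```

A "lookalike" verdict is a signal for a warning or a block list, not proof of fraud; very short brand labels would need a tighter distance threshold than the one assumed here.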

"Security is still the top priority for us," concurred Ng. "We see more and more standardization across systems and networks which makes the environment much more open to attacks from outside...I think we have to go back a little and start separating the network into different access layers or zones, one layer for internal applications for key business users [and a] public network for internal users with low-level access to systems and information as well as for public or partners and other visiting parties."

"It's ironic," mused Leung. "We used to say: 'online banking, anytime, anywhere, any device'...the idea was that customers could use their PDAs, or computers in cybercafes to do their banking. But now, because of security issues, we say: 'go home, and use your familiar and trusted computer with your second-factor token!'"