Every week it seems like another major data breach makes headlines. Though the scourge plagues all industries, the sensitivity of information in the financial sector means that banks are among the biggest targets.
To avoid becoming victims, financial institutions need to stay ahead of the opposition on security. Emerging technology offers innovative solutions that all firms must leverage. But the challenge is to continually stay ahead of the hackers and add defenses without making the customer experience unbearable.
Photo: Eric Crabtree, vice president and global head of financial services at Unisys, addresses the crowd at a corporate event in Bogotá, Colombia. (Credit: Loren Moss)
To learn more maintaining this difficult balance — now and in the future — Finance Colombia recently sat down with Eric Crabtree, vice president and global head of financial services at Unisys. Before joining Unisys in January, he served as an omni-channel director at Royal Bank of Scotland and previously worked at Barclays Bank and Washington Mutual.
In an exclusive interview, Crabtree discusses the many problems facing banks today and shares some of the forward-thinking solutions offered by Unisys.
Finance Colombia: You recently gave a presentation at the ATH conference in Bogotá, Colombia, about mobility and banking. What was the key message?
Eric Crabtree: The bottom line is that the way people want to interact with their banks and the way people want to do their banking is changing dramatically. We’re moving into the digital world. The traditional mode of going to the branch or using the contact center — while that’s still part of the financial services ecosystem — it’s almost going away.
Customers are demanding different options. They want their banks to come to them versus them having to come to their bank. That leads to a whole new set of challenges — and a whole new set of opportunities for banks. It chances how they have to provide their products, services, and customer experience to their client base.
Finance Colombia: How does fintech fit into all this?
Eric Crabtree: You don’t need to look any farther to see the impact of mobile and digital on the industry than the explosion in the fintech world. It seemed in 2015 like there was a new fintech coming on line almost every week. I think global spending on fintech capped out at about $20 billion in 2015. They are definitely in the space of disrupting at the moment. But my personal view is that, when positioned right, fintech companies can become good partners to provide solutions and get those solutions to market at a quicker pace than a traditional bank could probably do.
With that context in place, what does a good mobile solution look like? If you think about your environment, what are the right devices? How are you managing the life cycle? How are you managing and controlling your releases?
That’s all one component. Your applications are your other component. You really need to define what type of end-user experience you’re trying to achieve and what content you need to build to produce that experience.
And then the third leg is infrastructure: What do you do with the cloud? What do you do with data analytics? How do you support both the application and the environment? And then, finally, the most critical component is security.
If you look at banks, security really is their license to trade. If they get that wrong and they compromise customer information — or lose it — they’re basically going to be out of business. I think the Panama Papers really brought that home. That was a law firm, but that could have been a bank. We have to be especially careful with customers’ data.
And there’s not just one security solution. Security includes everything from biometrics to facial recognition to speech. In our case, it includes Stealth, with micro-segmentation, stealth-identity, and being able to compartmentalize transactions and what people can do. Geo-location can also play a part of that. You can mix-and-match those different components. Whatever the solution, the goal is to provide a good layer of security, ensure you get the proper authentication, and never compromise your customers’ information.
Finance Colombia: Yes, geo-location. When I went to Panama a couple of days ago, Bancolombia shut off my access because I had a Panama IP address. I had to call them and tell them. I think that what’s interesting about what Unisys is doing with “Stealth” and with micro-segmentation. Because, obviously, if you can’t find it — you can’t hack it
But there is a related question. I did a presentation last year at an event in Miami about it, and the talk I gave was: “How do you provide financial services security in the contact center without frustrating your customers?” How do you provide a holistic approach but not lock things down so much that the customers can’t even get into their own information?
Eric Crabtree: It’s a real challenge. I think pattern behavior is really interesting. I think artificial intelligence is also an interesting new area.
We partnered with a company called Brighterion that does anti-money-laundering fraud control. It basically provides a learning system. It tracks patterns of behavior, what types of transactions you typically do. And if it starts to see things outside of the pattern, that’s when it triggers a flag and there can be an intervention from the financial center.
Finance Colombia: There was a big BPO company in Mexico that got infiltrated by organized crime. The call center operators, the agents, got in there and were able to steal the information and sell it to organized crime. So, they have all the super-security and everything, but it was an inside job.
Eric Crabtree: Now, when you talk about a call center environment, internally, it’s still very hard. I firmly believe in the segmentation of duties. We’ve seen cases where you have people who have access to passwords and also they have access to operational capabilities within a portfolio. You have to just draw those lines. You have to limit the access that they have and essentially rotate positions. And sure, in the financial services industry there are times when you are required to take “fire-breaks” of two weeks of vacation at a time.
Basically you’re going in to be checked to make sure you’re not doing anything fraudulent or anything that you shouldn’t be doing. I think probably if UBS had taken that approach, they probably wouldn’t have had the £2 billion trading loss. Because it was clear that that behavior had continued for years and years with that one trader. They never really got around that.
I think the future is going to be geo-location combined with telco, marrying up information with the telco. So OK, we know that Loren is in Panama. And we know that he’s done the transaction on his mobile. And we know his phone’s with him in Panama. So you’ve got multiple levels of authentication to make sure it’s actually you. I just think it’s a plethora of things.
Somebody asked me the other day: “Do you think the hackers are winning, Eric?” My answer to that was “no.” I think the hackers are very good. They’re always going to be looking at new opportunities, and they will get through. But if you look at the billions and billions of transactions that occur on a daily, weekly, monthly basis, very few of them actually get compromised. So I don’t think they’re winning. But the sad news is that one breach is bad enough. If they get one, that’s bad enough.
Finance Colombia: Look at what happened to Target. Look at the way that hit their reputation.
Eric Crabtree: Exactly. You always have to stay ahead of it. And with Stealth we’re doing that with micro-segmentation — and looking at Stealth-identity as well. In the future, you can start to put that onto devices and have a front-end experience that’s similar to our back-end experience with Stealth.
Security plays an important part in everything that we do. For example, in the U.K., we’re partnering with Nationwide Building Society in taking an approach to biometrics that’s almost behavior-related. When you have your phone and you’re typing in your password, you move in a certain way. Your fingers move in a certain way.
Finance Colombia: Right. It’s like your signature. You write your signature a certain way.
Eric Crabtree: It’s a signature — almost your digital signature — so we’ve got a perfect concept rolling with Nationwide on that. If that’s successful, we’ll look to go live with them. They are the largest building society in the U.K. You combine that with our facial recognition, iris recognition, and you start to provide that level of security that a customer can fully trust.
Finance Colombia: One of the things that’s fascinating is that Colombia is ahead of the U.S. in certain respects. For example, they’re already using EMV technology with credit cards. That’s already implemented down here. But the problem is that it wouldn’t always work because they were printing the cards before they activated the system in the U.S. And so when I went to use it, I couldn’t do anything because Bank of America wasn’t ready. They were giving out the chips, but they hadn’t turned on their system, so I can’t get any money out of the card.
Another thing that is interesting is that, if you go to do a money transfer in Colombia, there’s biometrics and they use “captahuellas,” which is a fingerprint reader. You can’t go to Western Union and take out money without them reading your fingerprint. And we don’t have anything like that in the U.S. The technology’s there but nobody’s implementing it.
It’s interesting because you see that, in certain countries, everybody has a unique situation. Down here they’ve had to be more aggressive in combatting fraud. And now countries like the U.S. can learn from what we’re seeing in places like Colombia and the Caribbean.
Eric Crabtree: I agree, and the U.S. is an interesting one as well because, similar to here, they are behind. In the U.K. we have the image EMV chip as well, and so it’s all chip and PIN. Everything from going to an ATM to going out to dinner — you put your card in the card-reader. I had the same experience here. I brought my American Express, my corporate card, and I didn’t have a PIN number because they’d never sent me one. Well, they plug it in and they want the PIN. And so they had to call the reservation system and get a special approval to get it authorized.
But the U.K. was one of the first ones to adopt that biometrics technology. When I was at NatWest and RBS running their digital team, I was the first one in the U.K. to use Touch ID to be able to allow authentication into mobile banking. We were the first bank to launch that in the U.K.
I know Barclays is also trialing the fingerprint readers at their teller counters. And what it does, in addition to the fingerprint reader, it also does something that is almost a vein recognition. It can tell that there’s blood pumping through your fingers. So a criminal can’t impersonate you — even if they cut your finger off and take your eyeball out.
You’re going to see all these types of things come to light, which I think not only helps with security but with the customer experience. Because, I don’t know about you, but I have so many passwords right now that sometimes I can’t keep track.
Finance Colombia: I have a password protector spreadsheet for my passwords.
Eric Crabtree: Me too! It’s the same thing. And it’s like 20 cells deep. Then, when I have to change a password, it’s like, “What do I change it to?” And if I don’t have my spreadsheet with me …
Finance Colombia: … now I don’t know what it is and you’re locked out.
Eric Crabtree: Exactly. There was one that asked “What’s the name of your first dog?” Well, I didn’t ever have a dog. So I put “none.” But I didn’t remember that I’d put “none. So I struggled and finally I got locked out. I had to call and go through the whole process.
So, I think there is a way to do it where you are providing more control with less controls, so to speak. But in the banking environment, that’s really hard. Banks have a traditional way of approaching security. When they see a breach they add more checks. And they keep adding more checks and they have more system controls and more checks and …
Finance Colombia: … and more customer frustration.
Eric Crabtree: And more customer frustration. Then, pretty soon, they’re spending 50% of their discretionary budgets on controls and then they’re not able to actually spend on enhancing the customer experience or growing their business. If you can find a way to streamline the whole process while providing the same level of security, that’s a win/win.
That’s why I think Stealth plays such a great part as well. One of the things I’m also focused on is bringing in a team of subject matter experts to help support the different regions within our global strategy. Each of these subject matter experts will also have a specialty, and the first guy I recruited has a specialty in security. He understands cybersecurity, and he understands infrastructure security. He can help us talk to banks in a different way.
We’ve had product discussions and said “here’s our excellent product, it does all this micro-segmentation, it’s fantastic, you really need it.” And people are like “yeah, it sounds great, but maybe not right now.”
We want to change that discussion to really focus on business outcomes. What are the outcomes that you’re trying to achieve? Let’s say you need to do commercial events at a business fair once a month. People think that means they have to set up a whole mobile bank and go through this huge expense. No, you don’t. Why don’t you put the applications on a laptop? We’ll put Stealth security on it so you’ll control what can actually be done at the event. So no cash can be transferred. Maybe you’ll just open accounts and that’s all you have access to do. And that can cost you a mere fraction compared to having to blow out an entire structure and set-ups.
Companies need to start thinking more about outcomes. What are you trying to achieve? That’s when people start to see how that offering can really help them. That’s going to be a lot of my focus. How do we take the great products that we have and shift the discussion to focus on the business outcomes that they drive?
Finance Colombia: We’ve talked about the customer-facing portion of it and making things easy for the customer. But internally in the banks, all these different layers that you mentioned, they add another layer of security. And that not only creates hassle, but it creates internal expense for the banks. How can banks leverage technology to streamline internal operations so that they have the security but can operate more efficiently and reduce costs?
Eric Crabtree: That’s a really good question and a good challenge. When I was at RBS and we looked at our contact centers, we had various levels. So you’d call in and talk to a generalist, right? So if the question is a fraud thing, they’ve got to pass you off to somebody else. And, oh, that’s a fraud on a credit card? Well, then they have to pass you off to somebody else again.
The first thing we did was build capability and understanding in our front-line team so you could have first-point-of-contact resolution. You can manage that through IVRs as well. You can say, “Tell us what you’re calling about.” They say “Fraud.” Then you get directed to the right place and you resolve everything at the first point of contact.
We were able to reduce layers and re-deploy people — re-train people — into different areas of expertise. That’s one area in which we had a lot of activity. On the rest of the operational side, I was never in deep technical nuts-and-bolts of it, but you’re always going to need your second-level and your third-level support. What we tried to do was to push as much to the front user agent as possible because you’ll not only create a better experience — you can create efficiencies. In big call centers, you’ve got 6,000 people. If you can reduce that by even a third, that’s a significant cost-save. And at the same time, you’re providing a better customer experience.