India’s banking tech experts give insight on 2012 strategies

To speak with and learn from Sameer and Dharmaraj in person, click here to attend Banking Tech Summit India in November 2011 in Mumbai.

AN OVERVIEW OF THE TECHNOLOGY SECTOR IN BANKING IN INDIA

BY

Sameer Ratolikar, Chief Information and Security Officer, Bank of India

&

Dharmaraj Ramakrishnan, Head of Core Banking Unit, ING Vysya Bank

These interviews were conducted by Melanie Timbrell & Tom McDonald of FST Media, Australia as part of their Who’s Who in Asia’s Financial Services.

15 - 16 November, 2011, Four Seasons Hotel, Mumbai, India

Upload: iqpc-middle-east

Post on 20-Aug-2015



Sameer Ratolikar Chief Information and Security Officer

Bank of India

Timbrell: What are your key information security priorities for the next 12 to 18 months?

Ratolikar: My key security priorities for the next 12-18 months are:

1) Ensuring proper technology risk management is established to satisfy regulators and business partners

2) Data loss prevention strategies across the enterprise

3) Secure Access control and management, especially for third party service providers

4) IT Governance, Risk Management and Compliance (GRC) to automate the security governance and compliance process

5) Identity management across all critical applications

6) To see a Business Continuity Management (BCM) system framed and implemented across the Bank

Timbrell: What do you see as the top IT security risks facing banks in India right now?

Ratolikar: Top security risks faced by banks in India include unawareness among customers and users about emerging cyber threats, basic hygiene of information security and sensitive data leakage knowingly or unknowingly. In addition to this, identity theft-related attacks are also on the rise.

Timbrell: What is Bank of India’s position on cloud computing; and how are you managing associated security risks?

Ratolikar: We are enthusiastic about cloud computing with regard to seeing how IT services are delivered in a cloud. We feel that as the concept is new and yet to mature, we will use it for some services like email and web while making observations, test the performance and then we may go for a private / hybrid cloud.

The talent pool of service providers, data privacy, Business Continuity Planning (BCP), jurisdiction of data storage and legal issues are all risks to be managed if one decides to opt for cloud.

Timbrell: What technology innovations and trends do you feel are shaping the future of banking in India?

Ratolikar: Technology innovations in the banking industry started in India almost eight years back in the form of core banking. I feel the following services will shape the future of banking in India:

• Internet banking (in use since 2000 but growing rapidly with innovation)

• Mobile banking

• KIOSK banking

• Integration of the ATM networks of all banks

• Financial inclusion using smart cards for rural masses (door step banking)

• Single view of the customer using business intelligence

Timbrell: Global consultancy firm Boston Consulting Group (BCG) recently predicted mobile banking and payments transactions in India would reach US$350 billion by 2015. From a security perspective, how are you preparing for this surge in uptake of banking using handheld devices?

Ratolikar: Today we have more mobile handsets than bank accounts in India. So the penetration of mobile phones is definitely being leveraged to provide banking services. But just as any innovation brings with it some risks, mobile / handheld systems are no exception.

We have to address the risks arising from such “consumerised devices,” using a standard framework of People, Processes and Technology. We are educating users continuously via our Intranet Portal, conducting ‘Security Weeks’, engaging on policy compliance etc.

A centralised access management system is being deployed to see that all connections to our applications via these handheld devices are identified, authenticated and then authorised. Digital Rights Management and data leakage prevention solutions are also being evaluated to prevent data leakage via these devices and other end points.


Timbrell: Phishing and vishing attacks are on the increase across the region. How is Bank of India dealing with this increased threat?

Ratolikar: Although there is no one-size-fits-all solution to tackle phishing and vishing, one of the most effective ways is deploying a ‘Two Factor Authentication’ solution. We deployed the 2FA solution two years ago and are happy to witness near-zero incidents. In addition to this technological solution, creating awareness among users about these attacks is extremely important. We are promoting awareness via radio channels, newspapers, periodical SMSes etc.

Timbrell: Does Bank of India currently deploy Information Loss Protection (ILP) capability and how do you protect from leakage of sensitive data?

Ratolikar: Information Loss Prevention capabilities and strategies start with education and framing the right policies focusing on the impact of data loss, regulatory concerns, legal acts etc. We have done all these things. Now our focus is on a technological solution in the form of rights management and Data Loss Prevention (DLP). We have started deploying Information Rights Management in the Bank. Once this project is over, we will look for the right solution to achieve comprehensive DLP.

Timbrell: How far ahead do you plan your IT security strategy; and why?

Ratolikar: It would be difficult to name the exact time frame for planning IT strategy. Our IT strategy is influenced by the outcome of regular risk assessment exercises on our information assets. We conduct the exercises and based on those results define and amend the strategy.

Our IT security strategy is always aligned with People, Processes & Technology and mapped to Confidentiality, Integrity and Availability of Data. Similarly, whenever any new projects are rolled out to customers, they have to go through our risk assessment exercise.

Timbrell: What skill set do you seek out in prospective team members?

Ratolikar: I seek team mates with the right attitude to learning, good analytical skills, clarity of thought and an appetite and interest in security.

Timbrell: When your time as a technology leader draws to a close, what would you wish to be remembered for?

Ratolikar: A CIO with leadership and motivational qualities and a great risk manager who transformed IT from a cost centre to a profit centre.


Dharmaraj Ramakrishnan Head of Core Banking Unit

ING Vysya Bank

McDonald: What are your top IT priorities for the next 12 to 18 months?

Ramakrishnan: The top priorities for us over the next 12 to 18 months – from a technology point of view – are increasing the use of server virtualisation, data architecture, data analysis, financial inclusion and core banking upgrades.

McDonald: ING Vysya has recently stated it now has the fastest electronics payments processor in the country. How critical is continued investment in National Electronic Fund Transfer (NEFT) and Real-Time Gross Settlement (RTGS) technologies to drive future growth?

Ramakrishnan: India is experiencing a large shift in how payments are sent, as electronic payment networks gain a strong foothold in the country. The benefits of wire-transfer are speed, safety and superior customer service.

If you look at paper payment instruments – cheques, demand drafts and cash – these have existed in India since the 19th century. As recently as 2003, 86 per cent of all non-cash payments in India were still made through the use of paper instruments, with electronic payments only just beginning to take off. Since then, electronic payments have grown by at least 60 per cent year-on-year, and by mid-2009 electronic payments represented 33 per cent in volume and 62 per cent in value of all payments made in India. There has been a five per cent decline in cheque clearing during the 2008-2009 financial year compared to the 2007-2008 financial year. Looking at these statistics, there’s enough opportunity for banks to move from paper to electronic. I am sure that NEFT and RTGS will gain momentum and that’s the way forward for a faster turn-around.


The Reserve Bank of India (Central Bank)’s efforts to make the RTGS and NEFT processes as common as cheques are today, are paying off. Increasingly, banks are offering their customers innovative payment services that are faster, cheaper and safer for all concerned. To realise the cost and efficiency benefits from shifting to electronic payments, it is imperative to develop a comprehensive Paper-to-Electronic (P2E) change management solution.

At ING Vysya, we have done system re-architecture and automation as part of our Payments Programme. This includes automated payee name validation for all inward processes. Payment processors are the most sensitive areas of operations and we designed fail-safe systems that worked flawlessly from day one. The fuzzy logic built in for payee name validation has to be suitable for Indian names and conditions. Since payee name validation was at the heart of Straight-Through-Processing (STP) we had to get this absolutely right and we have done.

McDonald: What key challenges are currently facing ING Vysya’s Core Banking Unit and what strategies are in place to address these?

Ramakrishnan: We are reasonably satisfied with our core banking system. We are nevertheless going in for an upgraded version to reap the benefits of true Service Oriented Architecture (SOA) implementation, easier maintainability and faster time to market. We are also working on real time replication of data for our analytical needs, and towards true 24/7 availability.

McDonald: Given the pace of growth in India’s banking industry, what adaptive and flexible systems are you putting in place to manage the market’s expanding customer base?

Ramakrishnan: Our focus is continuously on providing a world class solution to our customers. If you look at our RTGS & NEFT processing, we are the fastest electronic payment processor in the country. In fact, we have developed the RTGS and NEFT processing functionality within the core banking system.

We have also introduced online trading by integrating with a third party solution in a real-time mode that makes Application Programming Interface (API) calls between core banking and the trading engine using Enterprise Service Bus (ESB) as a middleware. We went live with this project in a record time of 30 days. This clearly shows that our time-to-market is pretty good from a technology point of view.

Our philosophy is every customer of ours should have an enjoyable experience – making the bank “Easy to Deal With,” as ING’s motto goes.


McDonald: To what extent is ING Vysya considering moving software, storage and infrastructure to the cloud in order to keep up with India’s economic expansion?

Ramakrishnan: No to public cloud. While scepticism prevails around the adoption of public cloud, due primarily to data security concerns, private cloud adoption seems to be making traction. If we watch carefully, virtualisation and Software-as-a-Service (SaaS) are the underlying elements of cloud computing. There has been prominent adoption of the former, but not the latter in the banking segment.

In India, co-operative banks, as well as a few scheduled banks, have been using hosted services for a long time now, which is very similar to private cloud. In private cloud, virtualisation is the key element and banks have been adopting this for quite some time. At ING Vysya we have virtualised our production systems and we are heading towards a private cloud. Virtualisation has yielded significant benefits in our IT organisation; in particular, it has allowed us to provide scalable infrastructure.

McDonald: What do you foresee as the next ‘big thing’ in banking innovation?

Ramakrishnan: Traditional banking models cover just under half of India’s population. The next material innovation in the Indian context (and indeed in the context of all developing economy countries) would be to build banking models and delivery mechanisms that extend banking services to the unbanked. We believe that the key driver will be India’s ambitious Aadhaar project by the Unique Identification Authority of India (UIDAI), which seeks to provide biometric-based enrolment and authentication services to all Indian residents. Which, at 1.3 billion people, would be the most audacious and path breaking innovation in centralised identity enrolment and authentication attempted, ever.

McDonald: Core banking modernisation is often associated with the highly expensive task of overhauling legacy systems. In your experience, what is the most promising and cost effective technology aiding IT core modernisation?

Ramakrishnan: Progressive modernisation is the right way to go. Key steps we follow are: identifying the legacy systems which are to be replaced; doing a cost benefit analysis and justifying the capital investment; and finally ensuring deployment of new systems is aligned with business priorities – this will help in achieving a faster ROI.


McDonald: India’s population is rapidly embracing mobile and online banking technology. How is ING Vysya adapting to this emerging trend; and is the Bank moving toward an increasingly branchless banking model?

Ramakrishnan: We are one of the early movers in mobile banking implementation. We implemented our mobile banking solution in 2008 and have now reached a stage of platform renewal. We have a three pronged approach to mobile banking: SMS based banking at the base; third-party applications and mobile malls for the mass market; and an exclusive platform for high end mobile and tablet platforms, which is under development.

We have had a comprehensive internet banking channel (“Mibank”) for a long time, and have very recently added an exclusive business banking and corporate banking channel called ING Converge, which has gained excellent traction in the marketplace.

McDonald: Every IT leader, particularly at your level, has a legacy they wish to be remembered for. What is yours?

Ramakrishnan: I would like to be remembered as a person who drives transformation.