Banks and banking functions as we know them have been around for centuries now. The history of money is tightly intertwined with the history of the banking industry. Even though the way we bank has changed considerably, the basic principles remain the same. Some of the banks we know today have been around longer than us as individuals. Perhaps this is the reason why customers trust that their banks will not only keep their money safe but also safeguard all the other information that they have about them.
While banks have always held large amounts of personal and financial data about their customers, today all of that data is easily accessible to anyone who has permission to access it. The growth of financial technology has led to many innovations over the past few decades, such as wire transfers, credit/debit cards, online banking and mobile payments. Banks have had to not only upgrade their systems to accommodate these changes but also transform their processes to ensure continued security when implementing new technology. Banking regulations change constantly according to the requirements imposed by modern banking systems. Banks have a legal responsibility to keep customer data safe and protect it from falling into the wrong hands. In this article, we will see how modern banks fulfil this responsibility.
In order to secure data, banks have to follow a 360-degree approach to ensure that a security breach does not take place, whether internally or externally. This means securing both the customer-facing end of banking processes and the internal processes related to employees, vendors and systems. The following are some of the ways in which this is done.
- Authentication: Authentication requires that every transaction in the bank takes place only after the identity of the person initiating it has been confirmed. This applies to customers logging in to online or mobile banking systems, to those visiting the bank in person, and to those using credit/debit cards at POS terminals and ATMs. It also applies to bank employees who have access to customer and bank data. While earlier authentication simply required an ID and a password or PIN, many banks have now implemented two-factor and multi-factor authentication to ensure that the person is actually who he/she claims to be. Banks are also using biometric authentication techniques to verify customers' identity, including behavioural biometrics when customers interact with banking systems such as IVR.
- Audit Trails: A history of banking transactions has always been available as a statement or passbook. Additionally, banking systems maintain an audit trail for every event that takes place during a customer's interaction with the systems. Whether a customer uses phone banking or online banking, the time of the interaction is recorded along with the details of the interaction. This data is backed up daily and is never purged completely; instead it is archived at defined intervals of time.
- Secure Infrastructure: Secure infrastructure refers to the database systems and servers where data is stored and the boundaries established to protect them. Production data is usually encrypted in any core banking system. If data is required for testing, it is mandatory that important fields such as account number, customer name and address be masked. Access to production systems is restricted. Vendors who deal with infrastructure are generally different from those who deal with applications. Bank employees are usually given special equipment on which access to social websites, personal email and USB ports is blocked. Employees can only access the bank's network over a VPN when using public Wi-Fi.
- Secure Processes: Banks have established many processes to ensure that security is implemented and tested. These include KYC (Know Your Customer) updates for customers, NDAs (non-disclosure agreements) for employees and vendors, and the securing of special zones within the premises and of remote data centres. With Data Loss Prevention (DLP) solutions, banks can mitigate insider threats and safeguard sensitive customer data such as name and credit card number. Processes related to global and local regulations are also implemented, and a risk assessment is carried out to ensure that these processes are in line with the requirements.
- Continuous Communication: Banks also communicate regularly with customers about upgrades to systems, the introduction of new authentication procedures, etc., in addition to the periodic account statements that are generated and sent to customers. Customers can also set limits and alerts based on different conditions to ensure that they are informed if any unexpected activity takes place on their accounts. While multiple channels of communication are available, the set-up is flexible to cater to customers' convenience.
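As an added example (not code from the article), the audit-trail and test-data masking points above in Python: a production record is copied for testing with the account number, customer name and address masked, and audit events refer to the customer by a keyed pseudonym so the trail stays joinable with the masked data without carrying the raw identity. MASK_KEY, PROD_RECORD and all function names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real deployment would fetch this from a KMS or HSM.
MASK_KEY = b"constructed-demo-masking-key"

# Constructed sample production record (not real customer data).
PROD_RECORD = {
    "account_number": "1234-5678-9012-3456",
    "customer_name": "Jane Example",
    "address": "12 Sample Street, Exampleville",
    "balance": 2500.00,
}

def pseudonym(value: str) -> str:
    """Keyed, deterministic token: the same customer always gets the same token,
    so masked tables and the audit trail stay joinable, yet it cannot be
    reversed without MASK_KEY."""
    return hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def mask_account(acct: str) -> str:
    """Keep only the last four digits, enough to recognise an account in test
    output without exposing the full number."""
    digits = re.sub(r"\D", "", acct)
    return "*" * (len(digits) - 4) + digits[-4:]

def mask_record(rec: dict) -> dict:
    """Production -> test copy: account masked, name tokenised, address dropped.
    Non-sensitive fields such as balance are kept so tests stay realistic."""
    masked = dict(rec)
    masked["account_number"] = mask_account(rec["account_number"])
    masked["customer_name"] = "CUST-" + pseudonym(rec["customer_name"])
    masked["address"] = "[REDACTED]"
    return masked

def audit_event(rec: dict, channel: str, action: str, ts: str) -> dict:
    """Audit-trail entry that names the customer by pseudonym only, so the trail
    can be archived for years without carrying the raw identity."""
    return {"ts": ts, "channel": channel, "action": action,
            "customer_ref": "CUST-" + pseudonym(rec["customer_name"]),
            "account": mask_account(rec["account_number"])}

def leaks_raw_data(masked: dict, rec: dict) -> bool:
    """Gate run before a copy leaves production: True if any raw sensitive
    value survived, i.e. the masking job failed."""
    blob = " ".join(str(v) for v in masked.values())
    return any(rec[k] in blob for k in ("account_number", "customer_name", "address"))
```

Running `mask_record(PROD_RECORD)` followed by `leaks_raw_data(...)` on the result is the check a release gate would perform before a test copy leaves production.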
Thus, banks work round the clock to ensure that they are doing everything that needs to be done to secure their data.