We’re in for some interesting times ahead, as banks big and small start a delicate balancing act. For banks, there are rewards and sparkling new opportunities beyond their own branches, apps, and channels to partner with other companies: additional customer engagement, value-add retail services, the possibility for increased customer retention and brand recognition. Services such as Mint and Quicken conveniently bring account information together from various sources for the consumer. How long will it be before the web goliaths start sniffing around for ways to perhaps bring their known shoppers and trusted customers some information on their individually available credit or accounts on hand while they’re shopping? Especially if they’re using a co-branded account or service, why wouldn’t there be a consumer expectation that the financial institution and the retailers have a trust relationship amongst one another, similar to the TD Bank/Target Red Card relationship?
Hopefully, compliance and risk management experts aren’t running from the room screaming at the notion of creating these trusted relationships, as their expertise and insight is critical to the success of these projects. Consumers have developed a trust relationship with Mint and Quicken and their service infrastructure to hold credentials and bring together financial information. For banks, developing these cross-vertical partnerships where both parties are aware and managing their risk tolerance and compliance in context of one another absolutely demands close control and ongoing monitoring of process, procedure, and product. On the technical side, projects like the Open Bank Project might be carving out a path to abstracting the banks inner, most secure workings to a service platform layer for not only apps, but possibly business partners. And major retailers have long been consuming services in their supply chain and back office. Both the data and value is there, leaving technologists to build the plumbing and risk managers to keep the programs compliant and on the rails.
Among the new risks to mitigate in building partnership with a non-financial services organization are the following:
Audit Boundaries: A clear delineation for the responsibility of traceability and accountability should be made between the parties, so each knows what their responsibility to their organization is and how things like SLAs are measured.
Data Security and Integrity: Both the business and the consumer have a vested interest in making sure all regulated and non-regulated data is stored properly both in transit and at rest. Additionally, each party needs to review each data element that’s shared between the parties, as well as the use and risk of sharing that element. An interface exposed externally deserves higher scrutiny.
Regulatory and Compliance Standards: For financial services institutions, the standards are generally well understood and applied by risk management professionals. Working collaboratively with partners to understand what additional regulations might apply, and designing processes for tracking adherence to standards is critical.
Secure Transport: Operations personnel will be critical in insuring the transport layer is secure and reliable, and there is appropriate monitoring of the service.
Service Development: Adherence to architectural principles and coding processes that include reviews, and traceable changes help build a stronger IT product.
Systems Authentication: Again, operations should be involved in insuring the hardware products on either end of the integration are who they say they are, and processes for change in the data center should involve risk management review.
User Authentication: Banks put more weight on insuring that the user on the other end of the wire is who they say they are than most retailers. Similar to the audit boundaries, risk management personnel should understand very clearly whether to let a partner do authentication, or claim that responsibility for the bank. The stakes are higher for the financial services partner, and there might even be multiple layers of authentication required through a partner interface.
User authorization: Once authenticated, risk management should insure that if there’s multiple access levels, that the user can only see or work with the data designated for him or her.
User experience: The biggest retailers spend manhours crafting their experience to keep their users engaged, and while partners working with financial institutions as sources of some data might expect to be able to drive all the UX decisions, risk management should be ready to keep them in check. If an additional sign-on or verification is needed for a riskier transaction or operation, it’s in the bank’s interest to hold that line.
The scope for risk management isn’t getting smaller any time soon, and in fact there’s opportunity for us to be involved at many more levels of both the smaller and larger businesses than imagined.
