Like its neighbouring peers in the region, the financial services industry (FSI) in the Philippines is on a continuous digital transformation journey to meet the demands of customers, as well as counter the evolving sophistication of cyberthreats.
But what exactly are the technologies leveraged by the FSI to power their digital transformation? And what more can technology do to solve the recurring problems among banks and the FSI, especially now that the pandemic has reshaped the business mindset of enterprises?
Dennis Lumbao, Head of Enterprise Technologies, Dell Technologies, observed five trends in the current banking and FSI landscape:
- Focusing on a mobile-first experience
- Moving towards being data-driven
- Taking an omnichannel approach (e.g. unified messaging, cohesive visuals, consistent collateral)
- Open banking
“Companies today are moving to the cloud. What we are seeing is a hybrid cloud or multi-cloud environment, where organisations are able to move workloads between on-premises and off-premises seamlessly as needed,” Lumbao said, during a webinar on “Digitally Transforming Banks & FSIs in the Philippines,” organised by Jicara Media and hosted by Dell Technologies.
Lee Wei Yang, Enterprise Architect for Dell Technologies, elaborated on the open banking trend in the Philippines: “As we go through the pandemic, we see more and more that open banking is playing a critical role. Digital payments, digitalisation, and the ecosystems of partners start to play a greater role in the banking industry itself. We see more partnerships between banks and big tech (companies), or even banks and e-commerce sites, as well as maybe ride-sharing and all that. All these are enabled through cloud platforms, as well as changes in the business model.”
A changing industry
Not long ago, customers had to make a physical appearance at the bank for a simple transaction such as a deposit.
Today, bank transfers take place with just a few taps on a smartphone. Digital payment platforms are also thriving, keeping up with people who are always on the go.
Lee observed a lot of shifts happening within the banking culture itself, with a focus on adopting more digital technologies that are intelligent, connected, and have the ability to personalise.
“As transactions are moving a lot more in terms of volume and speed, how can we have more active intelligence of the customer, or of the transaction, not to stop the transaction, but to help it go through faster and safer? How can a bank personalise some of these services to their customers in the process?” he said.
All these technologies, Lee noted, are meant to address the following issues among banking institutions:
- How can they continue banking as a monolith, with the legacy model that they have, but make it more relevant?
- How can they rely on it slightly less as they focus more on banking as a service/banking as an experience?
- Banking as a platform. How can they aggregate some of the fintech services or partners?
“Banks are looking at how they can make services more composable to their customers, so things like opening innovations and partner ecosystems will come into play very importantly in this environment,” Lee said.
Other areas that will have an impact on banks’ modernisation include regulatory compliance, augmented reality, distributed banking, and blockchain, he added.
The tech ecosystem
With all of the presented issues faced by the banking and FSI sector in terms of modernisation, exactly what kind of ecosystem is advisable for these organisations to maximise their digital capabilities?
One of the most important components in this journey is the use of open APIs, according to Arivuvel Ramu, CTO of digital bank Tonik.
“You need to connect to all the ecosystem partnerships. With new banks like us, we need to work with fintechs, digital lenders, wallet providers, payment processors, and payment aggregators to connect and provide a seamless experience. So you need an open API to integrate,” said Ramu.
For Marcus Loh, Dell’s General Manager, Data Protection Solutions, South Asia, cyber resiliency should be top of mind for banks and the FSI, with cyberthreats like ransomware becoming more and more rampant.
“A cyber incident is no longer an ‘if,’ but ‘when’ is it going to happen? When it does, what keeps everybody awake is whether or not they can reliably and confidently recover the minimal viable organisation in the banking industry. What are the basic sets of services that you can very quickly recover to a minimal viable organisation? How do you adopt the right balance of a prevention strategy and a recovery strategy?” Loh said.
According to Loh, not all data is created equal, and therefore the challenge for banks and the FSI is determining 15% of their most relevant data.
“When you have too much data and you try to protect everything, you protect nothing. So the question is, how do I then figure out what is important for me to protect, and (then) allocate a strategy more targeted towards that?” he said.
Loh added that financial institutions must be able to secure and recover their customers’ sensitive data, because under the Philippines’ Data Protection Act of 2012, unauthorised access and processing of personal information is punishable by imprisonment and fines of up to 4 million PHP.
“You need to prioritise them (i.e. relevant data) differently, you need to secure them differently. From a cyber resiliency standpoint, allocate more resources in the event of something that happened, we can actually very quickly recover that,” he said.
As banks and the FSI are increasingly turning to cloud for their digital transformation journey, the panel of experts shared some pointers on how to leverage the technology.
For Dell’s Lee, while cloud is top of mind for most innovations, the question is how to effectively implement it in an industry as tightly regulated as banking.
“It’s always an option where you can experiment on the cloud, and then you can always bring it back on-prem if you need to. At the same time, there are also workloads that may be deemed fit for the cloud, based on a customer experience perspective. This is where we see the workload shifting and moving across multi-cloud, across on-prem, and on the cloud itself, or even a private cloud. We can call this whole thing a hybrid multi-cloud platform,” Lee remarked.
“You need to be able to identify which are the critical data, which are the data that is of highest value at the point of its creation, and leverage that for things like active intelligence into your customers, or to make sure that transactions go through safely,” he added.
For Ramu, regardless of whether an organisation is a traditional bank, a transforming bank, or a new bank, cloud adoption will always be a question of speed versus cost of operations.
“I would say, getting visible infrastructure, which is typically multi-cloud (is the way to go). Most of the application modernisation (is either) you have something monolithic which you want to move into cloud, and open up the API endpoint to flourish and be integrated with the ecosystem, or you move into a custom builder software and put it into cloud, or third, you’re purchasing the software-as-a-service model,” Ramu explained.
Meanwhile, Loh reiterated the seriousness of cyberattacks on mission-critical services, such as banking, with malicious actors taking advantage of cloud vulnerabilities.
“In the last 18 months, I think that attackers (have become) very smart and are getting very complex and sophisticated. One of the first things that they will do is to actually look at your backup infrastructure. They will either encrypt or delete your backup data, and then encrypt your primary applications, thus forcing you into a situation whereby you have no choice but to actually pay the ransom, unless you have a very resilient recovery strategy,” Loh said.
To overcome this ordeal, Loh shared the “Three I’s” strategy, the first of which is to have a totally isolated, air-gapped data vault.
The second ‘I’ refers to immutability: “By moving it (i.e. data) to a vault and making it immutable, in the very little likelihood that somebody has access to your vault, you do not have the capability of actually making any changes, or deleting your data. We also have security built in, whereby we have multi-use authentication and multi-layer authentication, to make this very, very difficult for anybody to actually make any changes or delete your backup data.”
Finally, there is intelligence: “If you look at all the industry experts, what they’re saying is that during a cyber event, you need to recover a clean copy. How do you ensure that what you’ve backed up is not being tainted? If you can recover quickly, and then you realise it’s tainted, then you’re back to square one, because they (hackers) still have control over your system. So from an intelligence standpoint, what we do is a full context index scanning of your backup images to tell you if anything has been happening to your data specifically,” Loh said.
To conclude, Ramu said that every CISO must pay attention to these three things: data residence and data security, API data management, and (having a) business continuity plan.
“People getting into cloud must be more worried about these three aspects, and they need to protect these through multiple assessments. Eyes and ears must be open to see around what’s happening in the cloud. Putting things into the cloud doesn’t mean that you’re (automatically) safe,” he said.