Traditional banks see online payment and financial services providers as their biggest threat, but they can still be a part of the shift to digital banking because of their status as regulated institutions that have the trust of customers and authorities, according to banking software provider Temenos.
SWIFT, the global messaging system has been in the spotlight in recent months for some breaches, both in domestic as well as international markets. Its chief executive Gottfried Leibbrandt talks about how experience is teaching it to improve and how there’s no stopping India’s digital journey, though it may appear to be faltering. Edited excerpts:
Recently we had the biggest banking fraud involving Punjab National Bank and a lot of commentary involved SWIFT systems as well. What do you think of it?
We don’t comment on individual cases. What I can say is that in addition to what we saw in the Bangladesh case which was a cyberfraud… the core business of banks at the end of the day is keeping money safe and that relies on a lot of controls. One of the things that banks have to ensure is that they don’t have insider fraud and a lot of what banks do today is trying to prevent that. Globally, there are still cases of insider fraud and they will continue. And many of those are traceable to a lack of internal controls to make sure that if one or two persons collude or go rogue, they cannot take away major resources from the bank.
So would removing human intervention in payments work?
The controls that we put in the SWIFT environment are not all technology. So the controls are IT, process and people… it always has to be these three things. Part of the controls may be vetting of your employee, another control maybe just reconciling the books, yet another control can be automation of flows and individuals cannot interfere with it or securing and signing transactions. The lesson has always been that you should never rely on a single control. There has to be a system of controls. If one of them fails, there is another one that captures a discrepancy.
As far as payments security is concerned, how do you see India versus the rest of the world?
The Indian landscape is changing as fast as anywhere in the world. I am seeing that the banking system as a whole is taking this very seriously and wanting to digitise payments. After the Bangladesh breach two years ago, we launched a massive Customer Security Programme (CSP) that has met with very good success and I don’t see much difference there between India and rest of the world. Banks have taken the security challenge seriously and they are putting in a lot of efforts to bring in additional controls and checks, selfattest it and share it with their trade partners and counterparties.
Are Indian banks warming up to the idea of CSP, are they willing to adhere to all the protocols?
These controls put a high bar. We don’t expect everybody to be compliant on day 1, and we see banks working towards it. Globally, we had 93% banks self-attest against these controls. India was at 85% and the same goes for linking SWIFT system to their back offices. We are engaged with the banks to help them get this integration in place.
As far as RBI goes, a lot of regulations have been reactive than proactive in both the PNB and City Union Bank cases. How are other regulators?
You can accuse the global regulatory committee of being reactive; it was only after the global financial crisis that a lot of checks and balances were brought in. To some extent, regulators are by nature reactive. You can say SWIFT community reacted only after the Bangladesh bank fraud happened. So, I won’t hold that totally against the regulator. But we have seen regulators engaging with banks in many cases. They have mandated the controls in their own jurisdiction. We are also in dialogue with all these regulators and I don’t think India is an exception to what we see globally.
What are the best in other markets when it comes to cyber security? What can we learn?
I do see that regulators are more and more concerned about cyber, not just related to SWIFT but in general cyber security of banks. In Europe, we see fairly significant testing programmes where they mandate the banks to go outside and find hackers and test systems. All of that is at various stages.
As far as Asia is concerned, where do China and India stack up in terms of markets with huge business potential?
I look at China in admiration, especially their infrastructure prowess in both physical and digital space. I would say financial infrastructure is no exception, it’s sometimes more organised than in my own country in Europe. I think they have cyber high on the agenda as all the other countries; they also have the ability to take technical skills at the banking levels and bring these to bear. But again I don’t see why India will not have the same skills at the end of the day. Both countries are very different in terms of their political systems; India should learn from everybody but at the same time plot its own course.
Digital payments growth in India looked promising after demonetisation. But it appears to be tapering?
I think the future is digital. My favourite comparison is Germany to China. In Germany, still two-thirds of the payments in shops are cash and that is a western country. In China, one-third of payments in shops are cash and rest is Alipay and WeChat. Don’t pin me down on timing, but I think India will get to a point where it will be 50:50 digital and cash. You cannot wish away cash but look at the Chinese, it happened fairly quickly. If you have the technology, that is a very compelling proposition for consumers. The advantage that India has is scale. If you do everything at the scale of 1.3 billion people, the payments industry is bound to leap-frog.