enterprisesecuritymag

Facing the drift to climb security & fraud's Everest

By Thierry Derungs, Chief Digital Officer, BNP Paribas Wealth Management

I remember… my first computer. In 1986, with my girlfriend (now my wife), we bought an incredibly expensive top-of-the-line personal computer with an extraordinary hard drive of 20Mb and the best modem to connect to the Internet at… 14.4 kbit/s. The modem connection music is still singing in my ears.

We thought at the time that our investment would last for years. One year later, we were still paying off our outdated PC… Thank you, Moore, I should have known your law. I started in digital 25 years ago, first in CRM and contact centers, and then in 2000 I also moved to PC Banking. At that point in time, we were still supporting MS-DOS, with a fat client, and we were among the most disruptive as we provided our banking solution on Mac OS.

Life was easy then, as cybersecurity was purely an IT concern and attacks were still rare. The business lived with the firm conviction that cybersecurity was just about our clients having antivirus and avoiding porn sites.

In the blink of an eye, the cybersecurity world has totally shifted. A bit more than 16 years ago, I had a very hard job convincing senior executives to move from ID/password to OTP tokens for PC Banking. “Luckily”, we suffered some attacks and this new security became a selling point.

Today, at BNP Paribas Wealth Management, we do not have a security strategy. Security is simply compulsory. Without it, there is no trust, no credibility, and of course no business. For about 10 years, security complexity has gradually exploded, not only from a technical point of view but also in terms of business organization and, with GDPR in Europe, in terms of both legal and regulatory constraints. There is no room for amateurism or guesstimates.

This drift is obviously due to the explosion of users and devices and, most importantly, to the always-connected way of living. Nevertheless, these are not the scariest parts… hackers' investments in attacks have drastically increased. The Pegasus attack on iOS (August 2016) made that obvious, with the hackers' investment estimated at $1M.

So… that's what I call an explosive cocktail! Absolute user expectations of ease of use, together with an imperative need for trust and security. A wide attack surface with mobile, while hackers become “rich” investors. A flood of new technologies, while the business needs velocity and a very short time to market.

Last but not least… identity theft is increasing, blurring the distinction between security and fraud management.

As you can imagine, there is no single answer, but a wide and harsh high-tech effort that runs through the entire company. There is no way to keep your tech security geek guru in the basement while the business is dreaming in paradise and risk managers are running after fraud cases… All of them must understand each other and, most importantly, work together in the common spirit of protecting our clients.

At BNP Paribas Wealth Management, we moved a few years ago to lean startup and agile methods in our factories to incubate and accelerate many business ideas. One of the key elements has been our decision to have a small multidisciplinary team per initiative (called a “Pizza team”, as the team is small enough to share a single pizza for dinner), driven by a business expert as product owner.

We also took advantage of our extensive work developing our startup ecosystem to find new ideas and, most importantly, new partners to collaboratively build our solutions for tomorrow.

When it came to the evolution of our security and fraud systems, we decided to take the same approach, for client-facing security solutions, core security system evolutions and, last but not least, fraud management development.

Our new ways of working and collaborating allow us to take strong and fast steps while embracing some new technologies and, most importantly, moving to security by design and changing our organization. Starting with the client-facing side, we have moved to a multi-biometric approach. While we of course use the “simple” fingerprint ID available on mobile, our collaboration with a security technology provider allows us to expand to much more advanced biometric capabilities. Our new authentication solution combines fingerprints (which are not Touch ID), live facial recognition and voice biometrics. Depending on the requested authentication level, our clients use one or several biometrics.

While we have worked hard on the client experience to make authentication as easy as possible, no compromise was made on security, and we succeeded in absorbing the increased complexity. At the same time, we have made many security evolutions. Obviously, some of them were the classic duties of security framework evolution. But another important part was driven by our security-by-design approach, together with the hard work generated by systematic penetration tests on each new initiative.

Thanks to our new ways of working with the factories, all of them have been managed jointly by business and IT, like any other “classic” business expectation. In other words… business security awareness and involvement have both drastically strengthened. Fraud management has also benefited from these new ways of working. Our new partnership with a FinTech has allowed us to move to a new approach based on artificial intelligence.

Beyond the technology part (which is of course very important), our collaborative work is driving us to profoundly review our organization. Indeed, this advanced technology is not only about blocking known fraud cases but also about anticipating new ones. As such, our fraud management processes must be thoroughly reviewed and collaboration must be widely extended across the company.

Security and fraud have long been a major concern for BNP Paribas, and we, at Wealth Management, have shifted the balance much more toward the business while of course keeping a very strong and specialized IT drive. What is certain is that security is a shared, conscious responsibility across all our employees, managers and executives.