Financial monthly “BANK”: today’s consumer is highly demanding, expecting at the same time security, convenience and 24-hour availability of banking services. How to create the tools responsible for credit processes to be able to meet both the customer’s expectations and the regulatory requirements?
Jakub Rabong: We are dealing with the coexistence of four stakeholders: regulators in the broadest sense, end customers, banks as funding institutions and, of course, IT solution providers who develop systems according to banks’ requirements. Their collaboration to set and respect the standards of modern banking makes it safe, simple and able to benefit each of these four entities. The thing is, in the online world, ensuring a high level of security in the credit area faces a number of challenges. For example, there are systems, even several years old, which have not always been properly updated and adapted to the dynamically changing infrastructure. This results in some events in the bank’s oldest systems or possibly in credit risk assessment models that evaluate creditworthiness and actually rely on historical data. The emerging mechanisms sometimes do not resonate with the current requirements of customers, who expect the loan form to be as simple as possible, on the assumption that the bank has full knowledge of the applicant. The consumer also expects the financial institution to take responsibility for the security of remote channel operations.
Banks, IT system providers or regulators alike have to live up to these expectations, which is not an easy challenge, especially as the modern consumer would like their application to be processed as quickly as possible, preferably in real time. In order to achieve this goal, the supply chain for technology solutions needs to be shortened so as to shift responsibility to lower channels and be able to implement them in smaller batches, with a smaller team, but more frequently. Then we don’t have big, multi-year implementations of a given improvement, but instead divide them into two-week sprints, and once they are completed, we deliver a version to the bank to verify progress. This enables us to deliver system functionality faster, more frequently and with fewer resources. In the world of IT and among bank experts, there is a growing need for specialists in a particular field, be it credit risk, product modelling or processes. Therefore, the ideal remedy is to divide large projects into smaller parts executed by specialised teams.
With such a high level of technological advancement of the it architecture in banks, it is not difficult to incur technological debt. How can this issue be reduced, also in the context of the coexistence of a new piece of infrastructure with existing systems which may be several or even a dozen years old?
VSoft’s product range includes more than a dozen connectors to information databases that exist in Poland and are leading players when it comes to providing data whether from the customer side, transactions, or possibly verifying certain fraud activities. We also have experience in integrating with dozens of various other smaller entities. There are indeed plenty of such databases on the market, and the entities that share them have been operating for a number of years, providing a data structure that is systematised, complete and of good quality. When it comes to connecting to external databases provided by entities that we as VSoft cooperate with, they can be divided into those that we currently consider critical to the modern credit process, e.g. BIK, Kontomatik, and those that support customer or transaction assessment, e.g. new businesses database, MPA module The situation, on the other hand, is different when a bank or other financial institution wants to integrate modern tools with applications that are several years old and have not been updated – and this is often a challenge for both parties when implementing large projects – both the institution and the IT provider. In doing so, it is not only necessary to migrate to a newer version, but also to review existing processes and adapt them to the new solutions.
The data structure is always more or less the same, i.e. we have customer objects, product objects, security and some documentation issues, customer and employee files. Of course, this is described differently in each institution and the relationships between the applications in the database structure differ, however, the business logic is mostly the same. Agreed business requirements and possessed technical documentation are the basis for the proper and fast implementation of the solution for our customers. Then the migration is de facto painless. As VSoft, we have rich experience in integration with central systems in banks. Hence, we know what data is there and which services are made available.
The challenge for the client is to determine what they would like to have in the new system, what data, how to migrate it and what to improve in the various stages of the migration. Apart from this, data processing consent is also a crucial aspect, is it up to date, or do we need to update it, due to GDPR, and if so, how. There are plenty of such implementation elements. There is also the question of whether we transfer so-called non-existent customers, i.e. non-existent files and closed products, and the decision of what we do with them if they are not transferred. As part of our work, we split this into a number of points, which we go through one by one with the client, completing and clarifying each one, and only then do we have a complete picture of what to do with a given system.
Credit information is obtained from a wide variety of sources. To what extent are credit systems able to automatically aggregate and verify knowledge which can come from the trusted databases you mentioned, but also, for example, from social media?
Systems which assess the risk of abuse are divided into two layers. The first, automatic, in which banks with specific requirements in this area integrate with providers of solutions to reduce the risk of, for example, fraud, verify customers for onboarding, or provide solutions for signing documentation completely online or control the withdrawal of funds. The second layer involves activities that are monitored by staff and managed hierarchically. Some of the elements are managed from the business/technical parameter level and some by modifying algorithms in systems e.g. Low-Code, such as VSoft archITekt. The last area, which is extremely crucial nowadays, is that of cyber security experts, who monitor the penetration of systems by other systems and certain elements that are particularly relevant in the online channel. Nowadays, we are not only witnessing events that happen automatically, e.g. the substitution of fake bank websites, the interception of BLIK codes, takeovers or impersonation of telephone consultants. For some elements, action is actually taken within a few milliseconds, and for others, preventive or verification actions are triggered.
So what should the process of implementing such solutions look like? After all it is a kind of innovation for the bank. It is not only a matter of avoiding a cyber-security gap, but also of not jeopardising the institution’s reputation with an unexpected outage….
I always emphasise that one detected or, even worse, undetected fraud or a tarnished reputation due to some gaps or failures is a far greater cost to a bank than investing in a good provider who will implement certain processes and solutions. The consequences of a tarnished reputation, loss of data or criminal activity that the bank detects too late or not at all can be very serious and long-lasting. And here, not only VSoft, but other entities that are experts in the field of cyber security, emphasise that we need to anticipate criminal activities, which is all the more difficult as what matters is the reaction time, this chain between detection, analysis, implementation and security in the bank. This process is often too long, and one must remember that criminals act very quickly. That is why it is so crucial that the implementation process is as quick and secure as possible.