Reinventing the file transfer

By Doug Kern, Inovis

How banks can move from “servers to services” to deliver great customer service and lower costs.

“How can we help our customers become more efficient and productive, when our own back offices are so expensive, fragmented, outdated and non‐interoperable?”
-CEO Treasury, JPMorgan Chase Bank

Making Lemonade

It’s a tough time to be a banker.  Not only is the economy in the tank, tying up liquidity and tightening budgets, but the stimulus lifeline extended by US government comes attached with some serious compliance strings, adding layers to existing business processes.

It’s particularly a tough time to be a banking technology executive. These brave souls are facing a perfect storm of challenges.

Going into the downturn, IT execs were balancing the need to provide stellar data-driven services to be competitive with legacy systems that are inadequate for the task but can’t be thrown out. The downturn adds to the pressure cooker, bringing mandates for data governance and oversight, scarce capital for big-ticket items, and vanishing headcount from budget cuts.

Regardless of a bank’s current position in their market, there’s one thing that most will agree on: today is a time of change in banking. And with change comes opportunity.

Some organizations will disappear; others will emerge from the crisis recognizable in name only. Smart banks will turn lemons into lemonade, seizing the opportunity to deploy low-cost, service-oriented IT capabilities, enabling them to serve customers in new ways.

This article describes how banks can reinvent how they connect to corporate customers and partners by using a services-oriented approach to transfer files. While the economy has been the bright light recently, dominating attention, there’s been a quiet revolution in the way companies exchange critical information. The days of file-transfer-protocol (FTP) tools and machine-to-machine orientations, replaced with a holistic set of services that focus on governance and shield the technology complexity.

Why Electronic Connections Matter

A bit of background, first. The dark secret in wholesale banking is that much of the technology is common to all banks, making it difficult to create and sustain differentiated services.  And as banking products are quickly copied by competitors, customer service has become ground-zero for differentiation.

In this context, a bank’s electronic connections with their corporate customers is their “supply chain”, playing a powerful role in determining their competitive differentiation and cost structure.  Many teams are held back, however, forced to rely on decades-old file transfer systems that consume between 60 and 80 percent of nondiscretionary spending, making it difficult to reliably connect to clients and rapidly deliver new services, hurting customer service and costs.[1]

“B2Bank” describes the process of connecting banks to third parties, including corporate customers, government agencies and other banks.[2]

These transactions and connections span funds management, insurance, trade services, payroll, payments and foreign exchange orders.

The Data Transmission Challenge

Centralizing data transmissions and the management of customer connections is a critical first step in differentiating from competitors. To enable this, the underlying file transfer platform and services must be efficient, secure, “future-proof”, and audit-friendly. Banks need visibility to file transfer performance, extending report cards to customers, and a remediation processes to resolve errors when things go bad.

How and why did data transmission get put under the spotlight as a barrier to innovation?  Looking back, a number of macros issues contributed: restructuring, compliance mandates, legacy IT systems, changes to buying relationships, and an increased focus on governance.

Recession-induced Restructuring
One of the byproducts of the economic downturn that began in mid 2008 is a massive restructuring within financial services and other markets.

With overall bankruptcy filings on the rise in the US (a 74% increase from 2007 to 2008), many banks are seeing their corporate customers in retail, automotive either restructure or close doors, often requiring a change in their banking relationship and data connections.
And within financial services, a similar wave of bankruptcies, mergers and reorganizations are flowing across banks, insurance providers and other financial service providers, bringing changes to how shared services teams manage corporate connections.

As part of the US bank’s “stress test” results in May, the government told the largest 19 banks that they needed to raise an additional $75 billion by November 2009. Most will accomplish this by selling stock or divesting assets, which will require changes to data connections across partners, customers and divisions.

The pressure of compliance mandates
The last decade has seen a sharp rise in compliance mandates that organizations must follow, impacting IT groups, finance and line-of-business owners to setup, manage and track new processes and reports.

To adhere to the mandates, IT groups must adjust policies, update data requirements, reconfigure systems and provide the auditing and reporting to track compliance.
Here’s a snapshot of common compliance mandates that are making data transmission more complicated for US banks and insurance providers and financial services companies.

• TARP: The Troubled Asset Relief Program allows the US Treasury to purchase $700 billion in troubled mortgage assets to promote financial market stability. The law establishes an oversight and compliance structure and broad mandates for transparency and reporting requirements for participating institutions.  The pressure on banks to provide transparency and reporting will likely increase, given difficulties in tracking the program’s money flows and effectiveness.[3]
• SOX: The Sarbanes-Oxley Act requires that public companies ensure the integrity of data used on financial statements and holds directors accountable for data accuracy.
• HIPAA: The Health Insurance Portability and Accountability Act requires that companies protect personal health records and prevent unauthorized access and transmission.
• Gramm-Leach-Bliley Act: The Gramm-Leach-Bliley Act was passed in 1999 to protect consumers’ personal financial information held by financial institutions and mandates privacy requirements. 
• PCI DSS: The Payment Card Industry Data Security Standard protects credit cardholder data and provides a minimum security standard for data in-motion and at-rest, across members, merchants and service providers.

Accidental architectures
Years ago, it was simpler to connect banks to corporate customers. Beginning in the 1970s, most electronic connections were computer-to-computer, with little demands for quick setup, data encryption, digital signatures, translation services or functional acknowledgements.  Importantly, the bank controlled how the connection process, including file format and communications structure. Over the next forty years, IT groups have created an “accidental architecture”, complicating connections by layering new file transfer tools on top of existing systems. This trend was accelerated by the banking mergers during the 1980s and the shift to Internet transactions during the late 1990s.

Shifting Balance of Power
As the underlying technology has become common across banks during the last two decades, banks have become “quick copiers” in replicating their competitor’s services. As this commoditization occurred, banking customers had more choice in buying services and therefore more power in dictating how to connect IT systems and file transfers. This pendulum shift in the power in banking relationships required banks to be more flexible and support a variety of connection types, protocols and service levels, making their point-to-point systems more difficult to maintain.

The Rise of Governance

As the “accidental architecture” evolved within bank IT groups and the need to adhere to compliance mandates rose, managing governance of file transfer processes has become a critical need for organizations.  File transmission teams now must enforce policies and processes across two areas: machine-to-machine processes, related to the integration of messages, files and transactions; and human-centric transactions, relating to the collaborative processes across groups and teams.

Alternative File Transfer Approaches

Data Transmission Managers have turned to a number of different approaches to exchanging files with corporate customers, government agencies and partner banks, often cobbling together a patchwork of old and new systems to support a diverse client base.

Here are a few of the most common file transfer approaches.

FTP
Since the 1970s, file transfer protocol (FTP) has become one of the most common ways to move files in and out of an organization. FTP is simple to setup and easy to use for individual use, particularly for ad-hoc file transfers. But FTP has a number of limitations that make it a poor and risky tool for enterprises. First, since FTP was originally designed with minimal security, there’s often no encryption for passwords or files being transferred, making data open to attack or loss. Second, file traceability and auditing are limited with FTP. While you can confirm that the file was delivered to the recipient’s FTP server, there is no way to verify that the recipient downloaded it from the server. And there is no audit trail of file usage to support regulatory reporting requirements.

Point-to-point solutions
Direct, or point-to-point, connections have been used since the 1970s to setup electronic transmissions between banks and third parties.  As the numbers and types of connections grew, the costs to translate, onboard and maintain point-to-point connections grew.  In addition to costs, another drawback is lack of a centralized management process to roll up views of status and transaction performance.  While many banks have shifted away from point-to-point connections, deploying gateways along with Internet-based transactions, point-to-point connections often remain and require ongoing maintenance to support the connected clients.

File transfer software
Many banks have turned to secure file transfer (SFT) software packages to consolidate corporate connections and mask complexity. These approaches are typically behind-the-firewall software applications, requiring resources to purchase and maintain hardware and software.

For many companies, these approaches fall short.  First, they’re often limited to connectivity, without broader capabilities found in broader managed file transfer (MFT) capabilities. Gartner highlights the differences: “while ‘secure file transfer’ solutions are adequate for some data transmissions, ‘managed file transfer’ suites address security protections, but also tackle a company's internal and external audibility, accountability and data control requirements.”[4]

A Service-Oriented File Transfer Approach

Leading banks, insurance providers and other financial groups are increasingly turning to a platform of services for managing file transfers across customers, government organizations and other banks.

These needs are triggered in part by increasing importance of governance and flexible deployment models.

Capabilities

• Guaranteed Data Delivery. Support for Checkpoint/Restart to automatically restart transmissions if they are interrupted due to operator error or failure within hardware, software or network.
• Security. Support for managing file transfer risk, identity, access and authentication issues across users and organizations.
• Visibility. Access to transaction activity status, performance and usage metrics across multiple file transfer systems, masking the complexity of transmissions across customers and external trading partners.
• Provisioning. A lifecycle set of capabilities to provision and change connections with customers, users, systems or third-parties, including rule setup, templates, invitations, data profile repository, testing and certification.
• Enforcement. A rules-based approach to addressing issues relating to identity, access, authentication performance and risk.
• Monitoring & Exception Management. Ability to monitor the health of the network and data movement to uncover errors in the file transfer process. Alerts, triggered notifications and drill-down views to root cause data to speed up response and resolution.
• Remediation. An embedded, web-based process to resolve chronic errors across file transfer processes with internal teams, customers and third parties.
• Central Console. Consolidated infrastructure that reduces the number of environments that required specialized scripting.
• Small Partner Connections. Easy web-based access for smaller customers to connect.
• Reporting and Auditing. Support for reporting service level agreements, compliance and performance across messages, files, transactions and users.
• Customer scorecards. Providing banking customers with shared web access to a transparent set of report cards and metrics, in order to improve customer service and competitive differentiation.
• Flexible Delivery Options. Ability to deliver file transfer services in a private, cloud-based model, or in a public, cloud-based model using software-as-a-service (SaaS) capabilities. This enables banks to keep long-term options open and avoid lock-in to a particular approach as needs change in capital budgets and IT architectures.

The Lemonade Stand

A services-oriented approach to file transfer enables banking technology execs to change the conversation with their business units. Instead of talking about servers, proxies and protocols, you can lead the discussion on things that directly matter to the business: how to improve speed-to-market for provisioning paying customers, how to manage risk and governance, and how to improve customer satisfaction. And though your 401K may not approve, you can extend a hand of thanks to the chaotic economy for forcing the change, and enabling the lemons-to-lemonade transition.

About Inovis

Inovis offers software and services that enable companies to do business electronically across their entire trading community. Each day, over 20,000 companies across the globe rely on Inovis to reliably send and receive purchase orders, synchronize data and manage exceptions in order to lower supply chain costs and get products to customers faster. Founded in 1983, the company is based in Atlanta, Georgia and has offices across the United States, the United Kingdom and Hong Kong. For more information, please visit www.inovis.com or email info@inovis.com.

References:
[1] Source: EDS.
[2] Tower Group, “B2Bank Integration: A New Acronym for the Changing Ecommerce Landscape".
[3] See Wikipedia.org: en.wikipedia.org/wiki/Troubled_Assets_Relief_Program#Controversies.
[4] Gartner, “Managed File Transfer Suites: Technology Overview”, April 2005.