Securing data provides Canadian online bank rapid path to new credit card business

The next BriefingsDirect data and security transformation use-case scenario describes how Tangerine Bank in Toronto has improved its speed to new business initiatives by gaining data-security agility.

We'll now learn how improving end-user experiences for online banking and making data more secure across its lifecycle has helped speed the delivery of a new credit card offering.

Listen to the podcast. Find it on iTunes. Get the mobile app. Read a full transcript ordownload a copy.

Here to explore how compliance, data security technology, and banking innovation come together to support a digital business success story isBilly Lo, Head of Enterprise Architecture at Tangerine Bank in Toronto. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: First, tell us a little bit about digital disruption in the banking industry. Obviously, there are lots of changes in many industries these days, but it seems that banking is particularly within the cross-hairs of disruption.

Learn More About Safeguarding
Data Throughout Its Lifecycle
Read the full Report

Lo: No doubt about that. Our bank used to be known as ING Direct. It started in Canada about 20 years ago. Our founders initially recognized this need and started a journey. Since then, we've been full-speed ahead. We're seeing the savings that we get out of being branchless and passing that back to the clients. That message resonates very well with our client base, and so far, so good.

Gardner: When you say online banking, there are no branches or no brick-and-mortar buildings with the word "bank" on the front. It's all done by mobile, via online. Am I missing anything?

Lo: On top of the fully digital experience, we also actually dive into a little bit of the physical as well, but not in a traditional way.

At Tangerine, we have a couple of other in-person kinds of channels. One is what we call a café. In an informal setting, you can get a coffee or orange juice at the café and get some advice. But most of the functionality is available through the digital channel, through a tablet onsite with someone guiding you along the way.

We've recently been exploring a concept called Mobile Pop-Ups, but not at malls. We refurbished containers and put them into different location to introduce the concept within your bank to different geographies. We also found that very rewarding, because you can reach many people online, but there are still some who need a little extra nudge to get comfortable with starting a banking relationship online.

User expectations

Gardner: That brings up an interesting topic. User expectations are also rapidly evolving in our world. Is there something about somebody who is attracted to online banking that you need to be aware of? Is there something about speed or agility? What is it about the banking customer who prefers online that you need to cater to?

 

Lo: Dana, you're right on the point. In this case, both speed and agility are expected from a bank that highlights their services in terms of user experience online. They're now used to the Gmail inbox, Facebook, instant messaging. The good old days of submitting a form and waiting for someone to come back to you is gone, really gone.

From an expectation point of view, we're heavily impacted by the consumerization of technology. All those things that you see on a smartphone, taking pictures and depositing a check, are almost, as we call it, table stakes. We have to work harder at inventing things that surprise and delight our clients.

Gardner: Of course a big part of being able to delight your customers is to know them and have data about them that you can use to allow services to be customized and personalized. So data is essential, but at the same time, you're in a highly regulated business where privacy issues and security are big concerns. How are you achieving the balance between data availability and data protection?

Lo: We in the banking business are in the business of trust. In everything that we do, trust has to be number one. We have to be ready for any kind of questions from our client base on how we handle the information. There's no doubt that transparency will help, and over time, with transparency, our clients learn that we're up-front in how we're using information. And it's not just transparency, but also putting the information in a way that's easily understandable up-front.

If you look at our registration process, one of the first thing that we tell people is "Here is our not-so-fine print." It's in big, bold fonts and that’s very important, because especially in a digital bank, a lion's share of the interactions are through non-face-to-face kind of interactions. If you invest the time in being transparent, invest the time in building up your security infrastructure to protect your information, and be vigilant about all of the current things that are happening. It can be done.

Gardner: Tell us a little bit about your journey toward this new credit-card offering and why putting the blocks of infrastructure investment in place in advance is so important for agility and for quality of service in a new offering.

Lo: Let's take this journey back a little bit as far as our credit-card offering is concerned. We started out as a savings bank and highlighted our high-interest offering at the beginning. That resonated well, and we quickly recognized the fact that we're going to need to expand our product offering. People actually wanted to use us as an everyday bank.

Unfortunately, at the time, we didn’t have the complete suite of products that our clients would need. So, over time, we built up with mutual funds, investments, and mortgages, and the last piece of the puzzle is credit cards. Once we have that, we can officially say to everybody that we're not just a peripheral bank, but have real full-service functions that you can have to support your everyday life.

In our case, efficiency and the speed of adoption is key. Every month that we wait for this offering to come out of the door, we're losing opportunities to turn a regular client into a full-service client. So, we were starting from scratch. We had zero infrastructure. We hired. We built up the technology behind it, partnered with a few of our trusted partners to build up the infrastructure, but the foundation does take time to do it right.

Foundational effort

One thing that not a whole lot of people understand is the foundational effort. If you spend a month or two on building up the right foundation, the saving going forward is actually exponential. With HPE, we adopted the tokenization solution to help protect [credit] card number information. We were able to complete the whole journey in a very quick fashion. That saves us a lot of time, because everything revolves around the card number. If we don’t get the foundation done right at the beginning, quickly, the cost and schedule impact is exponential.

Gardner: So quality is important because you want to get it right the first time. It's not just doing it quickly; it’s also doing it correctly. If you have to go back and redo infrastructure, that can be a huge tax on your innovation and really put a cultural drag on how things proceed.

Lo: Right on, and I don’t even want to think about it. Seriously, on the adoption of these foundational components, speed is key and that saves us a lot of hassle going forward in conversion as well as data cleansing. Once the cat is out of the bag, if you will, it’s so much harder.

Gardner: Billy, I've heard from other organizations that recognize that moving data around in the old-fashioned way doesn't work. Being PCI compliant, having privacy issues met, in fact, having less data and detailed information about a customer is much more desirable. Is that the case with you and the tokenization process and encryption use? How would you describe about what data to keep, what data to transact, and what's the right balance?

Learn More About Safeguarding
Data Throughout Its Lifecycle
Read the full Report

Lo: Just as any other security person would tell you, you have to know where the walls and the doors are with security information. We made a conscientious effort in identifying where we would need the actual card number available, such as for collections or for some operational process, and identify who needs them, where the door needs to be, and then lock them up. Tokenization allows us to do that without too much overhead, and overall, our experience has been definitely well worth investing the time.

Now, I have one place to monitor, and one door to monitor. As soon as I allow access to that information, I'll have an audit trail of who accessed what, when, and how. That gives me the comfort level that I have. Our clients specifically demand it, both on the business side and the front-end client point of view. They appreciate that.

Gardner: For some of our audience, who are not security folks per se, describe what secured data and stateless tokenization means. How does that work -- just an idea architecturally of how this actually works?

Lo: Imagine your card number or any kind of personally identifiable information (PII) that is important to you. Think of it as a piece of fruit, an apple, and you pass it around identifying yourself. Tokenization, and the Stateless Tokenization technology that HPE offers in particular, is that you have an exchange process. The middleman takes your apple, turn it into a pear through a specific algorithm. The reverse process can be applied when someone gives me a pear and ask for an actual apple; the visual is coming back to you.

So, every time, every piece of information that is passed along in the message exchange, they go through this process. The key term here is stateless, of course, so that we don’t have a rack of this mapping information stored somewhere, which becomes yet another vulnerability. That makes our operations a lot easier, especially in a multi data-center environment.

Gardner: So, you get the use of that tokenized data, but you don’t have to store it. It’s not in the state in different places that then have to be protected. There are fewer spots where somebody could be liable to expose it or get access to it.

Difficult to guarantee

Lo: No doubt. In fact, if you think about a larger-scale environment where pieces of information are stored in the cloud, in multiple data centers, in some cases, you may not even know physically where they are. It's very difficult to make that guarantee and say that we know where our information is, and that’s just online. There are the backups that are necessary to run a successful operation.

Gardner: We've heard now that you started from scratch with your credit-card activities. You put in the necessary infrastructure, recognizing that doing it right and fast is a great saver over time. Tell us a little bit about the actual credit card project. How has it come about, and where are you in its delivery to the market?

Lo: It’s been very exciting for us. Our clients have been looking forward to this. We started a public launch in March this year, after about six month’s trial within the bank and with some selected clients. We're now full force and we’ve been running campaigns.

How do we do this? How do we attract our clients? First of all, being transparent. Our product features are very specific, and we don’t hide the interest rate. We're very upfront about fair fees. We're offering promotions right now in three categories. We have four percent cash back for our product, which is a very attractive offering that the market is looking forward to. It’s been working really well.

Gardner: And what’s the name of the card? Is it just Tangerine Bank card or is there a branded name to it?

Lo: There is nothing fancy about it right now. This is our only card; so, it can’t go wrong.

Gardner: And is it both debit and credit?

Lo: We've had a debit card for a while now. In this case with the credit card, we have the technology behind it that uses the typical chip-card infrastructure as well as the MasterCard PayPass Tap and Go. And we're also venturing into a mobile payment in the very near future.

Gardner: That was my very next question. Now that you’re a full service bank online, more and more people are wondering how to automate this payment process, particularly with a mobile device. We’ve seen other organizations attempt this, but it doesn’t seem to have gone mainstream yet. Tell us about what you foresee for mobile payments and how you think you might be a leader in that market?

Learn More About Safeguarding
Data Throughout Its Lifecycle
Read the full Report

Lo: In the Canadian marketplace, the merchant landscape is very different from most other geographies. Well over 80 percent of the merchants in the Canadian marketplace are already Tap and Go and chip ready.

With the adoption of mobile payments in big-vendor environments such as Apple Pay as well as Android Pay, we're very, very optimistic. Tap and Go is already a significant component of the payment process, especially for small amounts. Naturally, this is just an extension, whether it’s through the mobile phone or your watch. The impediments that other geographies have around merchants’ reluctance or infrastructure constraints doesn’t really exist in the Canadian market place. So, we're ready.
Extra distance

Gardner: It seems to me that, given the emphasis on user experience and convenience, those organizations like yours that go the extra distance and make that user experience simple, transparent and worthwhile in terms of convenience and productivity, that customers will just put more and more and more of their transactions into that card. It could become so central to their lives. Is that part of your strategy?

Lo: Yes, in many ways. The Tap and Go payment process, once the merchant environment supports it, is very, very efficient. The more information we have around where our client is spending their time, the more we can customize our offering to cater for their specific needs and personalize insights that support their everyday life. No doubt about that. In fact, speaking of the credit card offering and differentiation factor, one of the things that we made very clear is that convenience comes with a cost in terms of people’s comfort level in using that product.

Now, if you lose your phone, what’s going to happen? We made it a very high priority to enable our client to freeze the card very easily. Let’s say, if I leave my card in a restaurant, I just pick up my phone or go to an Internet-connected device, freeze my card -- don’t cancel it, freeze it -- until I find it. So, we take quite a bit of time in exploring and making sure that people will feel comfortable using this new channels.

Gardner: It sounds like we're only just scratching the surface on these ancillary services that could be brought to bear when you have the underlying infrastructure in place, the security and data availability in place. It’s going to be interesting in the next several years how convenience can be even completely redefined.

Lo: Yes. We can't wait to continue to innovate for our clients, and in many ways, our clients are looking forward to all of these things as we progress. Banking is our everyday life.

Listen to the podcast. Find it on iTunes. Get the mobile app. Read a full transcript ordownload a copy. Sponsor: Hewlett Packard Enterprise.

You may also be interested in: