Finance Industry and Data Security
ArticSoft's OpenPGP products provide you with the following benefits:
- Complete client confidentiality
- Removes potential liability for disclosure
- Certainty information came from your firm
- Compliance with current privacy legislation
- Prevents viruses and hacking attacks
- Proof of source of documents
The banking industry has invested heavily in programs such as SWIFT and Identrus as a means of ensuring that financial transactions are properly protected and guaranteed. See also the Gramm-Leach-Bliley Act.
However, these investments have been focused inside the industry, and institutions have usually developed proprietary methods for communicating with their customers and business associates. Proprietary developments create a number of practical issues that have to be considered, including:
- the willingness of other, perhaps major, industries to implement infrastructure that may not be compatible with their own policies
- conflicting implementations where partners are being pushed by different, perhaps opposing, requirements
- conflicts between product implementations causing failures in partner systems that require complex changes to resolve.
The FileAssurity OpenPGP product family has been developed to achieve the following:
- minimize implementation difficulties by working alongside e-mail and FTP services instead of trying to work inside them
- provide high resistance to virus and hacking attacks, especially those arriving through e-mail systems
- simplify the use of public key technology so that customers, business associates and staff can more readily understand and adopt high-grade security services, without hiding the security so completely that users cannot be held accountable (liable) for their actions
- follow the postal service business model: only the sender pays, so your customers can receive at no charge.
Customers in the finance sector have already realized the benefits of implementing ArticSoft products. Banks are already using ArticSoft to interoperate with partners and customers.
Applications include verifying traders' instructions by digital signature, securing communications with law firms, and automating secure transfers between branches.
The following case study shows how a bank has used FileAssurity OpenPGP with its customers to simplify an existing system and reduce its operational costs while increasing the overall security of one of its systems.
The business problem
A bank receives a number of CD-ROMs from their customers containing payroll information that the bank must process every two weeks. Previously these were sent by the customers using a courier service, received by the bank, checked as having come from the correct customer, and then processed.
They would like to move to an Internet-based solution, but regulation requires them to encrypt all personal and financial data transferred electronically. They have an internal PKI service, but it is for internal use only and cannot be used to interoperate with their customers.
The ArticSoft solution described
Setting up the system
The bank has acquired a number of copies of FileAssurity OpenPGP for its own and its clients' use. It uses one copy internally, into which it loads a PKI identity from its internal PKI service; this is the identity that its customers will recognize.
Each customer receives a copy of FileAssurity OpenPGP and either generates their own identity using its key generation facility or, depending upon internal circumstances and requirements, uses a PKI identity from their own system or buys a PKI identity from one of the commercial suppliers.
The bank sends a copy of its public key to each of its customers, and also publishes it on its web site so that both current and future customers can cross-reference it if they need to check the key they are using at any time. (Anyone outside the bank can also use that public key to communicate securely with any authorized member of staff at the bank.) Later users of the payroll service can simply download the public key into any OpenPGP-compliant system and immediately use the service.
Customers using their own generated keys send the public key/certificate to the bank together with a letter authenticating the public key. Customers who have purchased publicly verified identities also send their public keys, and the bank may accept the public authority, provided it can be verified. Obviously an Identrus-backed public key can be more readily accepted by the bank than others.
How the system works
When a customer wants to send payroll data, they use FileAssurity OpenPGP to digitally sign and encrypt the file for the bank. Directly from FileAssurity OpenPGP they are able to send the protected file to the bank using their internal e-mail service. That information is protected before it is attached to the e-mail, so it cannot be exposed to virus attack or hacking at any time.
When the e-mail is received by the bank, the operator double-clicks on the protected attachment. If it is encrypted for the bank it is decrypted automatically and the digital signature verified. The operator is then able to check that the company's digital signature corresponds to the payroll information that has been received. Once this has been checked, the file can be input to the payroll process directly. This step ensures that due diligence has been applied: the bank has verified a signature, just as it would with a manual signature.
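The receive step described above (decrypt, verify the signature, confirm that the signing key is the one on file for the customer, and only then pass the file to payroll), together with the key registration from the set-up section, as an added example that is not FileAssurity code or part of the original page. It assumes the bank automates the operator's step with GnuPG and parses its documented --status-fd output; the fingerprint registry and the customer name are constructed values.

```python
import subprocess
from dataclasses import dataclass

# Constructed registry (hypothetical values): OpenPGP fingerprint -> customer, recorded
# when the customer's public key arrived with the letter authenticating it.
REGISTERED_KEYS = {"1111222233334444555566667777888899990000": "ACME Payroll Ltd"}
# GnuPG --status-fd tokens that make the signature unacceptable as proof of source.
REJECT_TOKENS = ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")

@dataclass
class Verdict:
    accept: bool
    reason: str
    customer: str = ""

def parse_status(status_text: str) -> dict:
    """Group '[GNUPG:] TOKEN args...' lines by token."""
    tokens = {}
    for line in status_text.splitlines():
        if line.startswith("[GNUPG:] "):
            parts = line.split()
            tokens.setdefault(parts[1], []).append(parts[2:])
    return tokens

def evaluate(status_text: str, claimed_customer: str) -> Verdict:
    """Bank-side acceptance policy: decrypted for the bank, validly signed, and
    signed by the key on file for the customer the payroll file claims to be from."""
    tokens = parse_status(status_text)
    if "DECRYPTION_OKAY" not in tokens:
        return Verdict(False, "not encrypted to the bank or decryption failed")
    for bad in REJECT_TOKENS:
        if bad in tokens:
            return Verdict(False, f"signature rejected by GnuPG: {bad}")
    if "VALIDSIG" not in tokens:
        return Verdict(False, "encrypted but unsigned: no proof of source")
    args = tokens["VALIDSIG"][0]
    # VALIDSIG args: <fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hash> <class> [<primary fpr>]
    candidates = {args[0], args[9] if len(args) > 9 else args[0]}  # signing subkey or primary
    owner = next((REGISTERED_KEYS[f] for f in candidates if f in REGISTERED_KEYS), None)
    if owner is None:
        return Verdict(False, "good signature, but the key is not registered to any customer")
    if owner != claimed_customer:
        return Verdict(False, f"file claims {claimed_customer} but was signed by {owner}")
    return Verdict(True, "decrypted and signed by the registered customer key", owner)

def receive_payroll(path: str, claimed_customer: str) -> Verdict:
    """Automates the operator's double-click: needs gpg and the bank's secret key."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--output", path + ".csv", "--decrypt", path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return evaluate(proc.stdout, claimed_customer)
```

A signature that GnuPG reports as good is not enough on its own: any key in the bank's keyring would produce GOODSIG, so the binding to the registered customer key is the check that gives the due diligence the text describes.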
Direct (cash) benefits
The bank has reduced its physical handling costs and removed some internal processes. There is also a reduced storage cost, because the protected file received is automatically linked to the sending customer and can be put onto backup without the further manual authentication that an unprotected file would require.
The customer has reduced their physical handling costs and removed the courier costs entirely.
Both comply with regulations governing the privacy of information. And unlike other solutions, there is no risk of the information they are exchanging being hacked, passed through a spoof site, or exposed while sitting on a web server or a mail server. The result is a far stronger security service than SSL or password-based solutions can provide.
The cost of implementation is less than the cost incurred sending one set of payroll information: an enormous ROI.
The bank is now able to send the payroll reports back to its customers using FileAssurity OpenPGP. It can be certain that only the authorized customer can read the results, and turnaround is now same-day rather than subject to the delays and costs previously incurred by using a courier or the postal service.
As a further benefit, any stakeholder using an OpenPGP-compliant product can send secure, verifiable information to the bank and be certain that only authorized agents of the bank are able to read it, something that cannot be guaranteed with ordinary e-mail. Dynamic relationships can be set up between individuals and relationship managers without any complexity or the need to involve the IT department.