Hong Kong's banks don't operate like HK's post offices, where clerks deal out coins and paper stamps in nineteenth-century fashion. Banks must leverage IT to serve an increasingly sophisticated public, while balancing security concerns and increasingly tight compliance issues.
"Even my 80-year-old mum knows she ought to ask for higher-yield deposits or guaranteed funds when she goes to the bank," said Michael Leung, senior VP and CIO, Information Systems Group, Bank of America (Asia). Leung explained that the increasing sophistication of both banking products and customer expectations was a positive trend, as well as a driver for Hong Kong banks to raise the overall level of their technology.
The overall compliance picture is driving higher adoption of IT among Hong Kong banks, according to Leung. "Legacy systems often cannot fulfill the requirements of Basel II, Sarbanes-Oxley or Anti-Money Laundering related guidelines," he said. "We can add capacity to the mainframe and 'bandage' the applications, but these compliance measures require the capture of more specific information. For example, if a loan went really bad in the past, we could simply write off the loan, turn it over to a collection agency and book whatever they could recover as income. Now, we have to capture data related to the principal, interest owed, amounts recovered and the source of repayment even though the payment is made years after."
Major computer surgery
This need for more data collection and more complex collation has driven Bank of America (Asia) to start working on a core banking system replacement opportunity, a process Leung likened to "open-heart surgery." The process really began with preliminary exploration and staff training about a year ago, and will likely take two additional years to complete, he said. "This not only involves the core system but many peripheral applications," said Leung, "including investment products, teller systems, online banking, ATMs and cards, data warehousing-all these are integrally connected to the core system."
Leung added that another hurdle was retraining his core banking team of 16 programmers, who were more comfortable with RPG (AS/400) coding than J2EE and .NET. "You basically have to do a 'brain-dump' to get an RPG guy to switch over to Java," said Leung jovially. "Not only are we using new tools, but also a new development platform." The BofA CIO explained that the new system is Unix-based, with a front-end based on Windows and .NET, a back-end using EJB/J2EE and Unix middleware. Leung said that he considered deploying Linux, but "the available Linux system monitoring and management tools, in my opinion, are weak compared to their more mature Unix equivalents."
The process started with training, "not only training on technical matters but also on business and operation issues," Leung pointed out. "We had to change our processes and learn how to do things differently."
As for vendor selection, Leung said he considered adequate local support to be "paramount." "Look at SARS," he said. "At that time, you had to have local support-even if you offered them a first-class ticket, [support technicians] would not come to Hong Kong!" Leung's example is a wake-up call: some support roles cannot be fulfilled by telecommuting or call centers, but require 'boots on the ground due to security and compliance concerns.'
We have mainframe, Unix and Windows environments, but Windows-based development tools are changing too fast, making maintenance a headache for us," said Thomas Ng, head of IT at Dah Sing Bank. "For example, how many applications developed using Windows-based tools six years ago are not to some degree obsolete by now? We cannot afford to keep upgrading development tools that adds no business value. That is why mainframe applications can survive for so long.
"Windows is fine for new developments, but a nightmare to use with existing systems that have been developed on older tools," said Ng. "We have to upgrade constantly...systems can suddenly become obsolete and support can be stopped very quickly."
It's been a year since the Hong Kong Monetary Authority (HKMA) mandated two-factor authentication for online transactions. One possible approach is a "hard token" such as the devices HSBC mailed out to its customers about a year ago, but not all financial-sector IT experts are convinced.
"We're not sure yet if a hard token is the best way to go," said Ng from Dah Sing Bank. "In absolute security terms they are pretty good, but there are alternatives: some companies sell services or software that enable your mobile phone to act as a token. So during transactions the mobile phone is sent a PIN or a temporary key that you enter on your PC or whatever device you're using to authenticate and approve the transaction."
"We use the e-cert right now to enable e-banking," said Ng, "but we also acknowledge it is not ideal. It's too difficult to use and users cannot carry it with them...I think to try and change or improve the e-cert right now would not be easy...that's why the tokens have appeared."