CORPORATE ID MANAGEMENT
As corporate treasury systems become increasingly automated, businesses and their banking partners are devising innovative techniques to ensure only authorized personnel can make payments.
Hans-Maarten van den Nouland jokes that he is earning a reputation among cash management banks as being demanding. As director, international treasury services, Europe, for US pharmaceuticals company Merck, van den Nouland is leading a major overhaul of Merck’s cash management processes. The multi-year project includes, among other things, enhancing the security of processes related to payments initiated by the company’s enterprise resource planning (ERP) systems.
“Some companies don’t know how many bank accounts they have,” says Karen Wendel, CEO of IdenTrust, a global network of banks that issues digital certificates certifying someone’s identity, “and in approximately 25% of cases account signatories are wrong.” Adding to corporates’ concerns with the current system, van den Nouland says, at present, payment files are signed at a company identification level, not at the individual level. In other words, the bank knows a payment transfer is being initiated from Merck’s account in the United States, for example, but the bank cannot determine who authorized the payment and whether that person has authorization to make payments for that amount.
Gary Greenwald, global head of capabilities and information products at Citi Global Transaction Services, says the potential for security breaches in corporate payment transfers has been exacerbated by the increasing automation of payment transfer files from companies’ accounts-payable systems to a bank’s systems. “As payment files are pushed out automatically to the banks to execute, the risk of someone in a company’s IT department, for example, going in and changing the beneficiary of the payment increases,” he says.
A survey of IT and security professionals by DigitalPersona and the Business Performance Management Forum highlights the potential for information security breaches by company employees. Sixty percent of respondents in its survey said that they or someone in their company had shared a network password with a colleague. Seventeen percent had either given out or received someone else’s security token or smart card.
Although banks have implemented proprietary identity-management solutions, van den Nouland says only three banks were willing to try to meet Merck’s demands for a single interoperable digital identity-management solution to be implemented by the beginning of 2008.
The banks appear to have been caught napping. That is surprising given that as early as 1999, when the hype around B2B e-commerce peaked, 11 leading global banks, including Citi, Bank of America, ABN AMRO and Deutsche Bank, formed Identrus (now called IdenTrust), the only global network of its kind, in which banks representing 50 countries agreed on a set of uniform system rules, contracts and business practices for facilitating trust and risk management in B2B e-commerce transactions.
IdenTrust uses bank-issued digital certificates to certify that people are who they say they are. A certificate binds an identity to a pair of electronic keys, one public and one private, issued and managed under a Public Key Infrastructure (PKI); the keys are used to encrypt and sign digital information. PKI-based digital certificates are considered one of the strongest means of authenticating someone’s identity. “It is the most secure, robust mechanism you can find, as the identity of a person is vouched for,” Wendel explains.
Yet when IdenTrust was starting out, PKI “was very expensive, complicated and difficult to implement,” Wendel explains, “and it was less focused on compelling business applications.” Greenwald says banks also tended to build proprietary PKI and identity-management solutions, and up until recently “interoperability” was not high on corporates’ wish lists.
PKI has gone through different adoption cycles, says Wendel, with its popularity plummeting to an all-time low at the turn of the millennium. It was replaced by PIN and password, which authenticated a user to a website or electronic banking application. One of that approach’s shortcomings, however, was that it did not vouch for a user’s actual identity, and as the incidence of identity theft has increased in recent years, Wendel says the tide of opinion has turned again in PKI’s favor.
Authentication at the individual as opposed to the corporate level has become essential, particularly given that a number of major multinationals are now using the bank-owned and -operated SWIFT network to transmit bulk payment files to multiple banks. Last year at SWIFT’s annual user conference in Sydney, Australia, Citi, BNP Paribas and IdenTrust successfully demonstrated a “double” digital signature proof of concept to authenticate a payment transfer between two different banks. It combined SWIFT’s PKI security protocol, which provides authentication at the corporate level, with an IdenTrust digital certificate identifying a specific corporate employee.
Greenwald says the proof of concept also demonstrated that a single digital identity issued by one bank could be recognized by another bank. “Companies are looking for identity-management solutions that operate across their physical and financial supply chains without having to enter into bilateral agreements each time they cross the firewall,” Greenwald explains. Pilots are also currently under way whereby IdenTrust digital ID credentials and legally binding digital signatures will be embedded in bank account mandate and account signatory applications.
Merck, with the support of its two leading cash management banks and using IdenTrust digital ID credentials, is implementing an identity-management solution that is more robust than ever—and not entirely dependent on internal IT controls. Every payment message generated by its ERP system triggers an authorization button, invoking a digital signature. A copy of the encrypted payment message is also sent to a secure external database, called an e-vault. The message contained in the e-vault and the one received by the bank are then compared. “If there is a change between the originally authorized payment message and the one the bank receives, the bank will not execute the message,” van den Nouland explains. “If somebody manipulates a payment, it will get detected.”
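As an added example (not Merck’s, Citi’s or IdenTrust’s code), the following sketch models the two controls described above: the double signature from the SWIFT proof of concept and the e-vault comparison in Merck’s implementation. HMAC with shared keys stands in for the PKI signatures so it runs on the Python standard library alone; the key values, the per-signatory authorization limits, the payment fields and the e-vault keyed by payment reference are constructed assumptions.

```python
import hmac, hashlib, json

# Constructed sample keys and limits (placeholders, not real Merck or IdenTrust material).
# HMAC stands in for the PKI signatures so the example runs on the standard library alone;
# in the real scheme each signer holds a private key and the bank verifies against the certificate.
CORPORATE_KEY = b"corporate-channel-key-demo"             # company-level key (SWIFT PKI role)
EMPLOYEE_KEYS = {"alice@example.com": b"alice-key-demo"}  # individual credential (IdenTrust role)
SIGNING_LIMITS = {"alice@example.com": 50_000}            # largest amount each signatory may approve

def canonical(payment: dict) -> bytes:
    """Deterministic serialisation so signers, e-vault and bank all hash identical bytes."""
    return json.dumps(payment, sort_keys=True, separators=(",", ":")).encode()

def sign(key: bytes, payment: dict) -> str:
    return hmac.new(key, canonical(payment), hashlib.sha256).hexdigest()

def authorize_payment(payment: dict, employee: str, evault: dict) -> dict:
    """Corporate side: the approving employee signs, the corporate channel signs,
    and an out-of-band copy is deposited in the e-vault under the payment reference."""
    envelope = {
        "payment": payment,
        "signatory": employee,
        "corporate_sig": sign(CORPORATE_KEY, payment),
        "individual_sig": sign(EMPLOYEE_KEYS[employee], payment),
    }
    evault[payment["ref"]] = canonical(payment)
    return envelope

def bank_verify(envelope: dict, evault: dict) -> str:
    """Bank side: returns 'EXECUTE' or the reason the payment is refused."""
    payment, who = envelope["payment"], envelope["signatory"]
    if not hmac.compare_digest(envelope["corporate_sig"], sign(CORPORATE_KEY, payment)):
        return "REJECT: corporate signature invalid"
    if who not in EMPLOYEE_KEYS or not hmac.compare_digest(
            envelope["individual_sig"], sign(EMPLOYEE_KEYS[who], payment)):
        return "REJECT: individual signature invalid"
    if payment["amount"] > SIGNING_LIMITS.get(who, 0):
        return "REJECT: signatory not authorised for this amount"
    # Defence in depth: even a correctly re-signed message is refused if it no longer
    # matches what was originally authorised and vaulted.
    vaulted = evault.get(payment["ref"])
    if vaulted is None or not hmac.compare_digest(vaulted, canonical(payment)):
        return "REJECT: message differs from e-vault copy"
    return "EXECUTE"
```

The ordering matters: the signature checks catch a beneficiary changed in transit, the limit check catches an approver acting beyond their mandate, and the e-vault comparison catches a message that was altered and re-signed by someone with access to the signing keys.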