22 July 2003

Thales e-Security Takes BACS to the Future

Case study written for Thales, UK, July 2003.

The key issue associated with making financial payments electronically is security, whether simple transactions between two parties via debit or credit card, or payment via the internet. ‘Skimming’ of consumers’ credit cards in restaurants and other retail outlets, misdirected payments via the internet, and fraud on a much grander scale are all issues that have hit the headlines this year alone. The responsibility for securing such payments, whatever the size, is a daunting task for any individual or organisation. Imagine then, undertaking to supply the security solution to the Bankers Automated Clearing System (BACS).

BACS is the organisation - owned by all the major UK clearing banks and building societies - that processes the majority of business-related electronic funds transfers in the UK. For example, every month businesses in the UK perform the payroll operations for their personnel, triggering thousands of money transfers as staff salaries are paid directly into their bank accounts. This is just part of what BACS does and by the end of the year, BACS will have processed more than 14,400,000,000 direct debit and direct credit payments on behalf of over 100,000 UK businesses.

With such an important system there is no margin for error, given that any difficulties could potentially affect all UK businesses. It is therefore great testimony to BACS that its payment delivery system, BACSTEL, has been almost 100 per cent reliable since its inception more than two decades ago. However, by early 2002, the BACS board had concluded that the BACSTEL infrastructure should be upgraded as the first stage of a comprehensive technology upgrade plan for all BACS systems. In 2002 BACS migrated BACSTEL’s infrastructure to run on internet protocol (IP), enabling BACS to offer a wider range of services to business users, as well as an improvement in existing services. These services would lead to cost savings for the UK businesses that used BACSTEL-IP, and with the flexibility of IP, would make it much quicker and easier to incorporate new payment services in the future.

However, BACSTEL-IP had to be secure, as the sheer quantity of payments and sums of money on the system made security critical. Further, the security solution had to fulfil a number of criteria beyond simply authenticating UK businesses as they accessed the system: it had to be able to trace any transaction made on the system if needed, and it had to produce an audit trail for every transaction. The size of the project also made it daunting – the solution had to scale to a total of 500,000 users and up to 100 million payment items per day. Perhaps most complex of all, it would have to interoperate with 12 banks operating seven different public key infrastructure (PKI) systems with five different smart card manufacturers. BACS called on Thales e-Security to help it secure the future of UK business electronic payments.

Thales e-Security’s implementation of the project was a true team effort. The Thales e-Security project team worked closely with the other vendors involved, as well as the BACS technical design and implementation teams, throughout the development cycle. This minimised the project risk and ensured successful on-time delivery of the complete solution. BACS’ project security team had already recommended using smart cards to enable the solution. Once approved by the member banks and BACS senior management, the project was trialled with Royal Bank of Scotland for four months before being rolled out to all other member banks in the UK. Hardware and Thales software were installed around the UK by BACS-approved solution suppliers.

In order to support the simultaneous connection to 12 banks required by BACSTEL-IP, Thales e-Security worked closely with BACS to develop the fourth generation of its digital signature messaging system, AssureTransaction. UK businesses wishing to organise payments via BACSTEL-IP from their office are issued a cryptographic smart card by their bank. That smart card is then used to digitally sign all payment instructions, tying them to the signer and ensuring that they cannot be accidentally or deliberately altered without detection. Each bank was given the flexibility to select its own public key infrastructure (PKI) for issuing the digital certificates used on this card.

AssureTransaction ensures compatibility with all relevant PKI standards by verifying each transaction against the set of rules defined by the bank that issued the smart card being used to sign the transaction. It authenticates the smart card holder by generating a random number as a logon challenge. The cardholder responds by signing that challenge using the smart card together with his or her secret PIN, so-called two-factor authentication. AssureTransaction then cryptographically confirms the identity against the cardholder’s public key certificate, and validates this certificate in real time with the issuing bank. Similarly, all payment requests and other transactions submitted to BACS are digitally signed by the user with his or her smart card and PIN, and verified in real time. AssureTransaction also digitally signs the reports sent by BACS to users, so that the user knows he or she can rely on the contents of the report.

Since all digital certificates used are verified in real time against the issuing bank, lost or stolen cards cannot be used to sign transactions, and changes in employee status are reflected in the system as soon as the bank is made aware of them. This substantially reduces the risk of fraud compared to the old system. Varying levels of security access are supported for different personnel working in the banks or businesses using the system.
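As an added illustration (not Thales’s or BACS’s code), the logon and revocation behaviour described above in Go: the card signs a random challenge only when given the right PIN, and the gateway verifies the signature and then, on every check, asks the issuing bank whether it still vouches for that certificate, so a lost or revoked card fails even with a valid signature. The names Bank, Card, Verify and Logon are assumed, and ECDSA P-256 stands in for whichever PKI a member bank chose.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Bank stands in for an issuing bank's PKI (constructed for this example): the
// public keys of the cards it still vouches for; Revoke models a lost card or a leaver.
type Bank map[string]*ecdsa.PublicKey

func (b Bank) Issue(c *Card)        { b[c.Serial] = &c.priv.PublicKey }
func (b Bank) Revoke(serial string) { delete(b, serial) }

// Card models the smart card: the private key never leaves it and signing
// needs the PIN (something you have plus something you know).
type Card struct {
	Serial, pin string
	priv        *ecdsa.PrivateKey
}

func NewCard(serial, pin string) (*Card, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	return &Card{Serial: serial, pin: pin, priv: priv}, nil
}

// Sign hashes and signs on the card; a wrong PIN yields no signature at all.
func (c *Card) Sign(pin string, msg []byte) ([]byte, error) {
	if pin != c.pin { return nil, errors.New("card: wrong PIN") }
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// Verify is the gateway check for any signed message (logon challenge or payment
// instruction); the issuing bank is consulted at verification time, so a revoked card fails.
func Verify(bank Bank, serial string, msg, sig []byte) error {
	pub, ok := bank[serial]
	if !ok { return errors.New("issuing bank no longer vouches for this card") }
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) { return errors.New("bad signature") }
	return nil
}

// Logon: fresh random challenge from the gateway, signed by card plus PIN, verified live.
func Logon(bank Bank, c *Card, pin string) error {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil { return err }
	sig, err := c.Sign(pin, challenge)
	if err != nil { return err }
	return Verify(bank, c.Serial, challenge, sig)
}
```

The same Verify path covers a signed payment instruction: a tampered message or a card the bank has since revoked is rejected at submission time.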

After the system had been rolled out, BACS surveyed its member banks for their opinion on the new technology and its impact on their business. The results were very promising. Over 75 per cent of users expressed the intention to migrate to the new solution as soon as it was available to them. In the same survey, users rated the enhanced security of the new system the number one benefit to their business. Users particularly valued the ability to tightly define payment permissions for individuals in the business, allowing delegation of signing responsibility to specific cardholders within subsidiaries or departments whilst retaining full control at a corporate level. All in all, the feedback was so positive that BACS now intends to work again with Thales e-Security to develop and implement further service enhancements in the future.

Salmon Helps PRI Swim Upstream

PR case study written for Salmon, July 2003.

The founders of PRI, one of the latest start-up companies to enter the UK and European insurance market, needed to achieve the impossible. Not only did they need to secure £130 million in funding from investors before a tangible company even existed, they also planned to use a new insurance underwriting application that was more advanced than any other available in the market, and would shake up the way that underwriting business was conducted.

This underwriting application would give PRI a significant competitive advantage, and also underpin the business model PRI had written to make a favourable impression on two key audiences. The first audience would be the potential investors in the company, and the second the Financial Services Authority (FSA), which had the power to grant or decline PRI’s accreditation and thus would decide whether or not PRI could legally trade once it was up and running. Within one year of trading PRI was so successful that it was snapped up by Brit, one of the UK’s largest insurance organisations, giving all PRI shareholders a healthy profit and demonstrating that such a complex application could be written from scratch, installed, and used to deliver return on investment within eight months.

In Spring 2002, founders Andreas Loucaides (now CEO) and Peter Matson (now Chief Underwriting Director) developed a radical new business case for a new insurance company. They intended to outsource absolutely everything possible, leaving only the specialised skill sets of professional underwriters untouched. While on paper this was recognised as being the ideal model, it relied upon a back-office operation, which was an integral part of the infrastructure that contributed to the stability and credibility of the company. This would be critical when Loucaides and his colleagues presented to the various financial institutions to secure investment, and later had to apply to the FSA for accreditation. It also had an impact on which organisation PRI would choose to outsource to, because that organisation’s reputation and brand values would be considered crucial factors in determining PRI’s likelihood of success.

The outsourcing brief was won by the Ins-sure Services operating company, part of Xchanging, a business process outsourcing (BPO) organisation. Ins-sure accepted that everything, including PRI’s office premises, furniture, fittings and IT infrastructure, would be outsourced to it. In turn, Xchanging put out to competitive tender the building of the underwriting application that was to be a crucial element in the overall integrated insurance system that Xchanging was offering to PRI. Xchanging chose Salmon, a systems integration organisation with a proven track record of delivering complex projects on time and to budget, to build the underwriting application. Loucaides explains, “By this time the investors also had a say in which organisation was chosen. They agreed that Salmon would be the right company to go with in addition to being more cost-effective than a previous company we had approached, but which was unable to deliver the required guarantees for service. The pressure was on, because PRI still had to be operational and trading no later than 1st September 2002, so we chose to use a temporary solution until January 2003 to allow Salmon enough time to deliver exactly what we needed. From the outset Salmon was very honest and transparent about delivering on time and to budget, which was important for us.”

Salmon’s work was to be the cornerstone of Xchanging’s outsourcing deal with PRI. Every insurance company has to have an insurance underwriting operational system that is relevant to all the markets the company operates in and compatible with its other applications. “It was critical that the application Salmon designed would enable us to deliver services to the standard we intended, given our revenue projections in the business case,” explains Loucaides. “For example, without Salmon, debit notes and broker notes would have to be produced in another way, which adds time and administration into the underwriters’ day-to-day processes. The underwriting application would have an impact on every part of our business. This is why our investors had also expressed concerns that in the past, other insurance companies had underestimated the importance of this part of the business to the extent that it developed into a serious weakness over time.”

Within just nine months, Salmon delivered the underwriting application on time and to budget. Among the most significant hurdles that Salmon had to overcome was defining the application brief. Simon Ball, Salmon’s commercial director, explains: “Loucaides is a visionary who intended PRI’s way of working to have a beneficial long-term impact on underwriting in the UK. However, because the underwriting status quo hadn’t been challenged in years, PRI was more able to describe the shortcomings of the current system than the ideal new system. As a result, the application brief was defined over a longer period and almost by a process of elimination, during which we realised the work we were doing was going to be perceived as controversial by the insurance industry. Underwriters would be held more accountable for the work they did, and our application would record all the complex detail of every underwriting contract, to prevent issues caused by claims made by PRI’s clients in the future.”

This was also to be part of the challenge for Loucaides. “The brief we gave Salmon meant they would come up with an application unlike any other,” he says. “Furthermore, it required slightly more of the individual underwriter’s time to use it, because it encouraged the recording of as much data as possible. We wanted to be able to maintain business continuity over decades regardless of which underwriters dealt with a particular contract in the future. Additionally we could see that the FSA and issues such as corporate social responsibility were going to play a role in shaping the insurance industry sooner rather than later. That said, user buy-in of the application was essential because the data inputted would later be cross-referenced alone and with other business applications. This would end up as part of the overall information management that would help deliver PRI’s competitive advantage. The fact that all information was stored in soft copy was also going to save PRI thousands of pounds in physical storage space. The application just had to work, or the business case put to both the investors and the FSA would unravel.”

Salmon had to bear all this in mind while writing an application that broke the mould for underwriting systems. However, Salmon’s multi-sector experience gave it an objective stance that perfectly complemented PRI’s visionary aims. A prime example of this was Salmon’s ability to deliver a web-based architecture as opposed to the standard client-server applications that are prevalent throughout the insurance sector. While some insurance firms might have a GUI front end, Salmon was able to deliver an advanced Java-based architecture which few SIs in the insurance sector have experience of implementing.

It was paramount that Salmon delivered on all its promises at the soonest opportunity. This included breaking insurance sector history by devising a way to link the application directly to PRI’s document repository (its document management system), delivered by Xchanging. This was part of the automation Salmon built into the business processes required by the application, to compensate for the fact that underwriters charged by time and could afford to spend fewer hours on smaller underwriting projects. At the same time it would make PRI as a business more accurate, more accountable and more dynamic by enabling appropriate levels of information recording and sharing.

Weekly liaison between Salmon, Xchanging and PRI enabled a better understanding of the needs of the business, and the delivery of a complex yet user-friendly application. Underwriters populated the system the first time they logged on with a unique user ID and password, ensuring that initial access to the system was staggered and thereby avoiding any potential bottlenecks in data retrieval. They have freedom to customise the style and format of their individual GUI, but are governed by rules set in the system that dictate which information each individual has access to. Each underwriter is allocated an ‘identifier’ that associates them with a particular client company or companies, enabling free navigation of all necessary information for that company but simultaneously prohibiting access to other client companies’ information. The system also automatically enforces varying levels of security access, so that authority for particular actions or documents is escalated to the appropriate level of the management hierarchy. Similarly, each underwriter can customise document production and automated quotations, but only within parameters set at company level to ensure all necessary rules and regulations are adhered to. The system either displays an appropriate error message, or automatically logs out any user attempting to exceed their authority.

Individual underwriting documents are developed from a PDF or Microsoft Word template that automatically specifies field content and business actions the underwriter needs to complete. Paragraphs of copy are saved in a central repository that can be accessed by underwriters from different parts of the business, preventing unnecessary duplication of information that, if left unchecked, would use a disproportionately large quantity of storage space. The copy is stored in rich-text format to make it as flexible as possible and, because it is held centrally, can be updated in line with changes in legislation that affect the UK insurance market.

Perhaps the part of the application delivered by Salmon that had the most impact is the quotation rules engine. This helps underwriters develop project quotations almost automatically, by inviting as many details as possible to be inputted by the underwriter, before applying XML-based rules to any given situation to form the quotation.

The application’s computer architecture is based on J2EE standards for web applications written in Java, and both the data and application run on Sun Solaris central application servers using Oracle web server software. The modular application framework means that PRI can have system components added or removed without the need for reworking, and new software can be deployed easily. Again, this ensures rapid reaction to new legislation. In all, Salmon delivered a revolutionary application within nine months from a standing start.

04 July 2003

This was a fantastic piece of coverage for R.I.M. in the International Herald Tribune, courtesy of their travel columnist, Roger Collis.

However, it could have been very different.

R.I.M. was determined to expand its media coverage for its first colour BlackBerry device in Europe from its home sectors into more mainstream publications. I suggested travel writers, as their work schedule made having a BlackBerry a genuine boon, but travel journalists in the UK are not the most tech-savvy of people and the client insisted on doing the deskside briefing themselves.

The client at the time upset the journalist, and the device was not formatted correctly, so the journalist's e-mail reception failed to work. The result was a clutch of spam in the journalist's inbox and an angry journalist who threatened to pan R.I.M. in his article, name the client personally, and state that R.I.M. caused spam.

It took a week of damage limitation and troubleshooting to get the device swapped and couriered to the journalist, but the eventual story received made the effort well worthwhile.

About Me

Toronto, Ontario, Canada
PR, internal communications and branding pro currently freelancing as a consultant, writer, DJ, and whatever else comes my way.