Let me respond to the second part of that question first. One way to make consumers more comfortable conducting financial transactions online is through education. We have to persuade our customers that typing an origination form online is just as acceptable as writing one on paper. This will take time - and every breach-of-security incident on the Internet is a setback. The real issue is consumer confidence. And it's critical that we frame that issue precisely in people's minds.
Privacy is about the ability to make a choice - choosing what you want to disclose about yourself - and to whom. That's the definition of privacy that we, as an industry, must convey to consumers. We need to do so very prominently. And we need to take proactive steps to help all borrowers understand precisely what personal information we require to make good lending decisions - and why we require it. This will go an especially long way with the less sophisticated borrower.
Another thing we have to do to change people's perception about the security of e-commerce is more tangible. We have to implement more effective Internet security measures, which is also more of a challenge because of the nature of the Internet itself. It represents convenience. Furthermore, consumers don't want to sacrifice convenience for greater security. They regard that as the job of the financial institutions. Consumers expect us to protect their personal privacy and confidential data with appropriate levels of information security…but at the same time make it even more simple and convenient for them to make online inquiries or conduct online transactions.
The next thing that financial institutions must do is address the issue of security within their own organizations. I believe this is done in several ways:
- Protection - preventing the corruption or destruction of data.
- Integrity - ensuring the authenticity of data.
- Accessibility - balancing privacy against convenience.
- Executive Support - providing the resources and support necessary to create a highly secure Internet environment.
This means protecting systems from attacks from viruses and worms, which cost companies billions of dollars in computer downtime. In response to this plague, the information industry has assembled a very substantial anti-virus team of experts.
This means ensuring that when data appears to come from computer A, it really did come from computer A and that no one saw it in transit. The solution that deals with this is a system of network firewalls complemented by intrusion detection systems. Developers are making great progress in building systems that extend and enhance the safety zones around sensitive data.
This means verifying a person's identity when she or he logs onto your network - so you can grant them access to appropriate applications and data. However, password systems used by most e-commerce sites are inadequate to protect the personal information attached to mortgage documents. Much stronger medicine is the type of crypto-system that enables you to reliably authenticate people and to encrypt and decrypt messages. Encryption systems are based on mathematically-based keys that include large, random combinations of numbers and characters, as well as trapdoor and one-way functions.
These are the primary issues and requirements, but it is also critical that organizational leaders provide and support two key elements: executive attention and dedicated resources.
The participation of top leadership is essential to identify a company's Internet security issues and to develop a strategy that balances performance with reasonable cost because the cost to provide security to customers cannot outweigh the convenience and performance of the Internet.
Dedicated resources are just as essential. By that, I mean specialized professionals - working with adequate budgets - who stay abreast of Internet security events and trends, and understand their ramifications for the company. They are responsible for providing overall direction for policies and practices, and supporting the administrators across the company who run cooperative or subordinate Internet security programs. When companies have top leadership and knowledgeable people who focus exclusively on this problem involved, they have significantly increased their ability to create a highly secure environment for Internet transactions. These companies can then work to educate consumers on the advantages - and assurances - of conducting financial transactions over the Internet. When this happens, in the end, we will all win.
First published on BankersOnline.com 1/7/02