Exclusive: ‘Mission critical moves’ – Ciaran Chu, ACI Worldwide and Darren Busby, MYHSM in “The Paytech Magazine”
When Tier 1 banks take the decision to move a core process such as payments to the Cloud, they want to know it’s secure. We asked Ciaran Chu of ACI Worldwide and Darren Busby of MYHSM how they go about convincing them
Cloud technology is helping banks to modernise and change their business models. At the same time, innovation must be matched by tighter security and rigorous standards. Technology partnerships can overcome the challenges of digital progress while maximising the benefits, and ACI Worldwide and MYHSM are two companies that are working together to smooth the way. ACI Worldwide provides real-time payment solutions to most of the world’s leading banks, and MYHSM is a global provider of Cloud-based payment hardware security modules (HSMs) as a service. It was recently acquired by Utimaco, which manufactures HSMs, underlining how collaboration is also becoming consolidation.
Here, Darren Busby, who is responsible for global sales at MYHSM, and Ciaran Chu, head of ACI Worldwide’s public Cloud business, discuss how technology, partnerships and changes in the payments infrastructure are enabling Tier 1 banks to innovate like fintechs.
The Paytech Magazine: Banks are revising their view of the Cloud and technology partnerships. What’s driving this change?
Ciaran Chu: If you think about how banks make money, it’s mainly been by charging transaction fees and using interest rates to boost income. Interest rates are now at an all-time low, with little sign of changing, so banks realise they must change their business models to achieve a better cost-to-income ratio. Public Cloud providers such as Amazon, Microsoft and Google, have shown that the Cloud is a viable way to lower costs and increase customer focus. The message is now clear that it pays to harness the Cloud and form partnerships to develop different revenue streams. Startup banks and challengers have led the way by focussing on customer experience, rather than doing all the things that add time and cost without benefitting customers.
Darren Busby: Time and cost are certainly problems. For decades, banks have had no option but to run their own IT infrastructures and technology – and that was simply to maintain the status quo, with no scope to innovate and differentiate. Only a few years ago, it was unthinkable that a bank would take its mission-critical payment systems and put them in the Cloud. Now, however, we’re comfortable with the public Cloud, it’s trusted and tested, and banks can outsource with confidence. I think the whole infrastructure will eventually move into the Cloud.
TPM: What’s the rate of change? Are banks following a phased approach?
CC: About 15 months ago, we asked customers if they are ‘Cloud-first’. The answer was a resounding ‘yes’. Then we asked if that meant for customer relationship management and front-end solutions, or core payment infrastructures. The vast majority intended to move their core payment infrastructure into the public Cloud in the next 18 months, reflecting what Darren said about everything eventually moving to the Cloud. COVID-19 has obviously impacted that journey. The pandemic has lifted home working to an unprecedented level, and banks have had to focus on their operating processes because many now have distributed workforces. That’s helped to generate use cases, with banks taking mission-critical systems and saying, for example, ‘we have to have standing authorisation today, it has to be high availability, so why don’t we test that as a backup in the public Cloud?’. By doing that, banks are developing new capability, realising new business value, and making savings. It’s a phased and well-considered approach, and the speed of change depends on aligning the transformation agenda with the business and the culture.
DB: There is no way Tier 1 banks and big financial institutions will do a big bang and risk taking mission-critical elements such as the payment HSMs and move these into the Cloud overnight. What we do is provide different approaches to help with migration. For example, moving the test service to our service. Then, once they’re ready, customers can move elements of their production environment, segregated by local master keys (LMKs), in a phased way, under their own control, from an on-premises model to a fully outsourced and managed service.
TPM: Beyond phasing, how do you overcome the challenges of digital transformation? What are the priorities?
CC: ACI has customers with different agendas and transformation needs, so the first thing is to understand the priorities for change. Real-time payments and fraud prevention are very logical use cases. Often, time and resources are the biggest transformation challenges facing our customers. They are too busy to innovate, to run use cases and proof of concepts, so we help them outsource things like testing in the Cloud, working with Cloud providers to improve operations. One of the biggest challenges for incumbents and neobanks is in-house skills. Key knowledge often sits with just a few people, which isn’t ideal for operating mission-critical systems. Our job goes beyond providing mission-critical software. We help customers transform through training, which is vital for transformation, and forging technology partnerships.
DB: Removing complexity is fundamental to our service. The front end might be the bit that excites people but someone has to take care of all the back-end stuff, the payment HSMs, the glorified PCs that sit in the back office. This makes huge demands in terms of regulatory compliance, particularly payment card industry compliance – PCI PIN (personal identification number) and PCI DSS (data security standard) – and requires a skilled team and a secure infrastructure. These are complex and costly parts of any payment business – and are the parts we handle.
CC: I’d add that, with the upcoming PCI changes, if you’re a big bank, you’re not running one or two HSMs, you’re running maybe 40 or 50, so it’s a real capex cost that’s going to tie you down for the next few years. Having a partnership with MYHSM has been really powerful from ACI’s perspective, because it boosts thought leadership. With MYHSM and the likes of Microsoft and Amazon, you have the tangible proof that there is a better way of doing things.
TPM: What impact does MYHSM’s subscription model have on costs and flexibility?
DB: We offer a monthly subscription model, as opposed to doing it
on- premise which is a big capex purchase, locking banks in for the lifetime of that hardware model, typically around seven years. Rolling 12-month terms and subscription-based fees allow them to evaluate their needs before committing
to long-term contracts. They turn capex cost into opex, and it’s a fraction of doing it on-premise. It’s about unlocking revenue and enabling banks to focus investment elsewhere, to their timescale.
TPM: Can banks maintain their trusted reputation when moving to the Cloud?
CC: With the banks I’m talking to now, there are two big areas of debate. One is how to create a compelling subscription-based business model. The other is how to generate incremental value around their trust franchise. By that I mean how to inspire confidence in electronic payments and data innovation, and gain more data insights to help customers and thus strengthen the banking relationship. As we shift towards the Cloud and outsource more time-consuming activities, banks can move beyond just transaction processing and add value while reinforcing trust.
DB: For me, the Cloud absolutely improves the security of banks. But to win the trust of banks, we must demonstrate that what we do is rock solid. There are plenty of new banks and providers of other financial services, but If you analyse them, they’re just used for transactions. That’s because people prefer to have their salaries paid into a traditional bank. Trust is the jewel in a legacy bank’s crown and they don’t want to lose that, which is why they work with suppliers like MYHSM, which provide the highest levels of security. Equally, they want to offer customers more, which is why we and ACI combine security with the ability to develop modular payment offerings that compete with the newcomers.