Banks have long been facilitators of trade, so providing trust
services for e-business was a natural extension for the Royal Bank
of Scotland
Without trust you can't do business and if you are only dealing
with someone online, it is even harder to feel confident that the
other party will deliver their side of the bargain. Banks have
historically provided trust services to smooth the passage of
trade, so it was natural that Royal Bank of Scotland (RBS) should
look at how it could deliver online trust services to facilitate
e-business conducted by its customers.
Early on in the project in 1999, RBS decided to join an
international group of banks which had set up the Identrus network
to develop standards for public key infrastructure (PKI). These
systems allow users to trade securely in two ways: messages are
encrypted with a key-based system so that they cannot be read if
intercepted, and the keys are used to create digital signatures,
backed by certificates, which confirm that the sender is who they
say they are.
RBS had identified business customers' needs for these kinds of
services through market research, which picked up on corporate
fears about using the Internet for B2B commerce. However, the bank
quickly took a broader view of the problem. "It's not just about
dealing with the fear factor but how we, as a trust provider, can
help businesses in their whole supply chain management process,"
says Mark Robinson, Identrus programme director at RBS. "We looked
at where digital signatures could be used across the trading cycle:
not just when placing orders but authenticating and validating
e-mails during negotiations, for instance. The traditional role of
banks is to come in right at the end of the trading cycle. Identrus
is about bringing the banks in at earlier stages."
Robinson continues, "We did look at alternatives, such as the
Global Trust Authority, but we felt that, with more banks joining
all the time, Identrus was gaining momentum and had a greater
chance of success."
Because it would be investing in Identrus, RBS carried out an
exhaustive due diligence process - incorporating detailed risk
analysis, together with financial, legal, technical and strategic
audits of the fledgling company - before committing itself to
joining. RBS became a shareholder after completing this appraisal
in September 1999 and immediately kicked off a project to implement
its key infrastructure and the customer services which were to be
based on it.
A two-stage project plan was developed which would allow the bank
to tackle two very different implementation headaches. It would
begin by launching a digital signing application built using some
of the core features of Identrus. This would enhance customer
services and at the same time allow RBS to test out core elements
of its PKI solution and help customers get to grips with the
concepts and benefits of PKI. The experiences of the first stage
would then be used as a stepping stone to introduce Identrus-based
services into other areas of the supply chain, with domestic and
international trading and payments being the ultimate aims.
Lee Murphy, initiatives manager in the RBS Identrus team
responsible for strategic development, stresses the importance of
having an applications-led approach which directly aligns PKI
functionality to specific business needs, explaining that, "PKI on
its own is like a DVD player with no disks to put into it."
The first application which RBS has launched is a "store and sign"
system: a Web site which houses contractual documents, shielded so
that only the relevant trading partner can access the data, and
which allows the various participants to sign documents using
legally binding digital signatures.
RBS believes showing customers a practical application of this kind
helps them understand the concepts behind PKI more quickly.
"Introducing customers to a vanilla application where they are
using PKI certificates to sign documents is a good stepping stone
to more complex, trading-intensive applications," Murphy says.
However, before RBS could take the store-and-sign application to
market, it had to develop the underlying Identrus infrastructure. A
key decision at an early stage, says Robinson, was whether to
develop the service in-house or outsource it to a third party.
"There were two factors we took into account when answering that
question," he explains. "First, we had just built an internal PKI
to support NatWest.com, so we had substantial experience in-house.
Second, we regarded PKI as being fundamental to our core B2B
strategy. The in-house route would give us much greater control
over the infrastructure, making us fleet of foot and able to
deliver quick wins to market."
RBS' previous experience of PKI, with NatWest.com, was very much a
mass-market, consumer-focused solution. "The Identrus
infrastructure is more discerning, with stronger, token-based
certificates," says Murphy. "However, there was a large percentage
overlap in the two architectures."
Development of the Identrus infrastructure was also simplified by
the fact that the initial store-and-sign application allows it to
operate independently of the bank's existing applications. However,
Identrus-based services that are planned for the future, such as
online authorisation of payments, will necessitate the creation of
links into the bank's core systems and the team will have to submit
to RBS' normal procedures for linking new functions into its
mission-critical applications.
Furthermore, a danger for RBS is that it will end up with multiple
PKIs. "There's a balance between trying to build one infrastructure
for everything or quickly throwing together infrastructures for
particular applications," Robinson says. "At the moment, we have
developed separate infrastructures and our focus is on individual
applications, but the long-term plan is to integrate them."
In fact, Robinson admits, "putting the boxes together was
relatively easy. The greater challenges were around the softer
factors. For instance, we had to make sure we had strong
operational procedures for managing the lifecycle of a certificate,
from issuing it to expiry. We had to devise those processes and
ensure at every stage that they cross-referenced back to the
Identrus rulebook, our own organisation's procedures and UK law.
That stage was more time and labour-intensive than we had
expected."
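As an added illustration (not code from RBS, Identrus or this article), the store-and-sign flow and the certificate lifecycle check described above, reduced to essentials with Go's standard library: the bank acts as certificate authority, issues a customer a certificate with a fixed validity period, the customer signs a contract, and the verifier rejects a signature whose certificate has expired, was tampered with, or was not issued by the bank. Names, dates and the document are constructed; Identrus's hardware tokens and rulebook are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for name valid only between notBefore and notAfter; with a nil
// issuer it is the bank's self-signed CA, otherwise a customer certificate signed by that issuer.
func issue(name string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey,
	notBefore, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: issuer == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	parent, signKey := issuer, issuerKey
	if issuer == nil { // self-signed bank CA, which must also be allowed to sign certificates
		parent, signKey, tmpl.KeyUsage = tmpl, key, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signDocument produces a detached signature over the contract bytes with the customer's key.
func signDocument(key ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(key, doc)
}

// verifyDocument accepts a signature only if the signer's certificate was inside its validity
// period at signedAt, was issued by the bank CA, and the signature matches the document.
func verifyDocument(ca, signer *x509.Certificate, doc, sig []byte, signedAt time.Time) bool {
	if signedAt.Before(signer.NotBefore) || signedAt.After(signer.NotAfter) {
		return false // outside the certificate's lifecycle: not yet valid or expired
	}
	pub, ok := signer.PublicKey.(ed25519.PublicKey) // must chain to the bank CA and match the document
	return ok && signer.CheckSignatureFrom(ca) == nil && ed25519.Verify(pub, doc, sig)
}
```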
The work was carried out mainly by RBS staff - five technologists
and five business specialists - with consultants and an external
legal counsel brought in to review various aspects of the
programme. All of this work was subject to audit and approval by a
team from Identrus. RBS has to resubmit to this audit process on an
annual basis but, as Murphy points out, "although it's cumbersome,
it's worth it, because it gives everyone 100% confidence in the
project".
Each bank is free to choose suppliers and products to implement its
PKI, as long as they conform to the standards laid down in the
Identrus framework. RBS' customers are also free to select parts of
the technical solutions - such as smartcard readers - which they
must implement themselves, as long as they conform to the Identrus
framework.
RBS' approach has been to integrate best-of-breed products, while
trying to create as simple a solution as possible. Not
surprisingly, the solution chosen for its Identrus infrastructure
has largely piggybacked off the NatWest.com set-up. "The main
difference has been that our internal certificates are
software-based, whereas Identrus is hardware or token-based, so we
have had to source smartcards and smartcard readers," says Murphy.
The selection process also had to conform to RBS' purchasing
guidelines once the team had identified which suppliers produced
products aligned to the Identrus standards.
Excellent relationships with suppliers have helped the team overcome
the technical headaches which are inevitable in any pioneering
implementation. "It has been about managing expectations and, when
things have not gone totally to plan, admitting that things haven't
worked as envisaged and then asking how we can put that right as
soon as possible," says Robinson.
Building the technical infrastructure, developing the relevant
procedures and documentation, and subjecting itself to
comprehensive testing and audit by Identrus took RBS about a year.
Since then, the team has concentrated on developing and marketing
applications to run over the infrastructure.
The first of these, the store-and-sign service, has been taken up
by Lombard, the asset finance arm of the RBS Group. It went live on
20 April when vehicle rental firm Sixt Kenning used an
Identrus-enabled Web site to sign a finance agreement with Lombard
for a new fleet of motor vehicles. Robinson says developing and
piloting this first Identrus product with another member of the RBS
Group "gives customers confidence because we can prove it works,
adds value and is economically sound".
The bank is now concentrating on marketing the store-and-sign
application to the rest of Lombard's customer base. It is also
starting to look for other companies to whom it can offer a version
of the application designed to meet their e-business needs and to
make indirect sales through other parts of the RBS Group - such as
corporate relationship managers - and carefully chosen third
parties.
The project has clearly worked well so far, but as one of the first
banks worldwide to launch a live Identrus application, RBS has had
little best practice to follow or benchmark its efforts against.
"People recognise that we have made a lot of progress and that we
have made a good fist of the project and know where we are taking
it," Murphy says. "As a company, we are very ingrained in project
management disciplines. But with a project like this, although
those tools are useful, they don't always give you the answers and
sometimes you have to think outside the box."
However, RBS has stuck to some best practice basics, not least
"learning to walk before we run," says Murphy. "We have created a
very simple first application and set up a dedicated sales team
working alongside the developers so that the feedback loop is very
quick and we can learn from talking to customers where their
concerns, fears and expectations are and adapt quickly to
those."
Robinson thinks RBS has succeeded in part because it was able to
assemble the right team. "It's important when you're dealing with
anything as new and differentiated as this that you get good
quality people together who can think outside the box and not just
take a project management manual off the shelf," says Robinson.
The Identrus member banks were also able to create goodwill and
teamworking amongst themselves, despite the fact the banking sector
has generally not had a strong history of positive co-operation on
similar projects.
RBS now plans to launch two new Identrus-based services. The first
is an authenticated e-mail solution. "We looked at this early on as
a natural application to roll out, because most people use e-mail,"
explains Robinson. Customers will be able to use plug-ins to
applications such as Outlook which have been evaluated and
accredited by Identrus.
The second service will handle secure initiation of the payment
process. "We see this as the killer application for us. It's a
neat marriage between the identity validation we have developed for
the store-and-sign product and our payment capabilities as a bank,"
Murphy explains. "We expect to cover the whole spectrum of payment
options, from a clean payment through to complicated trade
financial instruments such as letters of credit."
At a glance
The Organisation
Royal Bank of Scotland (RBS) became
the UK's second largest bank in March 2000 when it bought NatWest.
It now has 15 million customers and 2,200 UK branches, and employs
88,000 staff. It is the UK leader in corporate and commercial
banking and has more small business customers than any other
bank.
The Challenge
RBS wanted to extend its heritage of
providing trust services to business customers into the e-business
arena, by providing security and authentication for e-enabled
transactions. It saw the potential to deliver services at every
stage of the trading cycle but needed to create an appropriate
technical, legal and organisational infrastructure to underpin
those offerings.
The Solution
RBS became a founder member of
international banks group Identrus, which developed a public key
infrastructure (PKI) standard to enable secure online trading. RBS
created an Identrus-based PKI and is now developing a series of
applications which take advantage of the infrastructure to allow
businesses to trade online with confidence. The first application,
which went live in April 2001, allows companies to "store and sign"
contract documents securely.
What the BuyIT experts say
- Alistair Fulton, BuyIT chairman and president of the Computing
Services & Software Association
The case study provides a useful account of a major organisation's
best practice methods in managing an important project, from due
diligence to avoiding the big-bang approach. It also gives a
fascinating insight into the process by which security and
authentication for e-enabled transactions is being delivered -
undoubtedly an essential ingredient for e-commerce to succeed and
therefore a topic of interest to all of us.
Royal Bank of Scotland understood that the requirement was not just
to deal with the lack of confidence at the business-to-business
(B2B) e-commerce end of the trading cycle, but to tackle the need
for authentication at every stage in the supply chain, which means
interoperable public key infrastructure (PKI) standards for all B2B
processes and communication right up to payment. Without this
breadth of vision, PKI would remain a niche application.
- Alison Barnes, director, marketing communications, MRO
Software
Royal Bank of Scotland's initiative with Identrus highlights how
pervasive a concern e-business is in today's market. It is clear
that there are significant corporate fears about using the Internet
for B2B commerce. However, RBS researched and invested in
technology that will assure that its Internet business transactions
are private, authenticated and fully accessible, and remain safe
from fraud.
While B2B commerce is an important issue, the Identrus programme
will also enable RBS to help businesses manage their whole supply
chain process. In the past, financial institutions have identified
trading partners, offered signature guarantees and acted as
payments intermediaries. Today, they provide purchasing cards,
payroll services, letters of credit, and other products and
services that require authorisation, identification and
certification of a corporation's identity. RBS has capitalised on
its strengths to enable its business customers to become trusted
third parties for e-commerce transactions, gain real-time access to
information and ultimately boost the management of their working
capital.
- Michael Templeman, UK managing director, Elcom
Nothing strikes more fear into businesses committing transactions
online than the insecurity of the Internet. It is excellent news
that Royal Bank of Scotland has implemented its trust initiative
with Identrus.
One of the key issues for financial institutions carrying out
transactions electronically, whether it be purchasing cards,
payroll services or financial agreements between two parties, has
always been trust and authentication. There are, as RBS recognised,
few PKI suppliers which provide such authentication tools. It is
important that these tools meet the standards laid down in the
Identrus framework.
Identrus has provided the standardisation and compliance across
PKIs that gives trading partners the confidence and trust to trade
electronically. What is key is the need for interoperability so
there are no restrictions on customers using their own
configurations. We applaud RBS for making these initial steps to
ensure that trust and authentication are possible today between
trading communities.