Without trust you can't do business and if you are only dealing with someone online, it is even harder to feel confident that the other party will deliver their side of the bargain. Banks have historically provided trust services to smooth the passage of trade, so it was natural that Royal Bank of Scotland (RBS) should look at how it could deliver online trust services to facilitate e-business conducted by its customers.
Early on in the project in 1999, RBS decided to join an international group of banks which had set up the Identrus network to develop standards for public key infrastructure (PKI). These systems allow users to trade securely both by preventing the interception of messages through encryption using a key-based system and by using the keys to create digital signatures or certificates which can be used to confirm that the sender is who they say they are.
RBS had identified business customers' needs for these kinds of services through market research, which picked up on corporate fears about using the Internet for B2B commerce. However, the bank quickly took a broader view of the problem. "It's not just about dealing with the fear factor but how we, as a trust provider, can help businesses in their whole supply chain management process," says Mark Robinson, Identrus programme director at RBS. "We looked at where digital signatures could be used across the trading cycle: not just when placing orders but authenticating and validating e-mails during negotiations, for instance. The traditional role of banks is to come in right at the end of the trading cycle. Identrus is about bringing the banks in at earlier stages."
Robinson continues, "We did look at alternatives, such as the Global Trust Authority, but we felt that, with more banks joining all the time, Identrus was gaining momentum and had a greater chance of success."
Because it would be investing in Identrus, RBS carried out an exhaustive due diligence process - incorporating detailed risk analysis, together with financial, legal, technical and strategic audits of the fledgling company - before committing itself to joining. RBS became a shareholder after completing this appraisal in September 1999 and immediately kicked off a project to implement its key infrastructure and the customer services which were to be based on it.
A two-stage project plan was developed which would allow the bank to tackle two very different implementation headaches. It would begin by launching a digital signing application built using some of the core features of Identrus. This would enhance customer services and at the same time allow RBS to test out core elements of its PKI solution and help customers get to grips with the concepts and benefits of PKI. The experiences of the first stage would then be used as a stepping stone to introduce Identrus-based services into other areas of the supply chain, with domestic and international trading and payments being the ultimate aims.
Lee Murphy, initiatives manager in the RBS Identrus team responsible for strategic development, stresses the importance of having an applications-led approach which directly aligns PKI functionality to specific business needs, explaining that, "PKI on its own is like a DVD player with no disks to put into it."
The first application which RBS has launched is a "store and sign" system: a Web site which houses contractual documents, shielded so that only the relevant trading partner can access the data, and which allows the various participants to sign documents using legally binding digital signatures.
RBS believes showing customers a practical application of this kind helps them understand the concepts behind PKI more quickly. "Introducing customers to a vanilla application where they are using PKI certificates to sign documents is a good stepping stone to more complex, trading-intensive applications," Murphy says.
However, before RBS could take the store-and-sign application to market, it had to develop the underlying Identrus infrastructure. A key decision at an early stage, says Robinson, was whether to develop the service in-house or outsource it to a third party. "There were two factors we took into account when answering that question," he explains. "First, we had just built an internal PKI to support Natwest.com, so we had substantial experience in-house. Second, we regarded PKI as being fundamental to our core B2B strategy. The in-house route would give us much greater control over the infrastructure, making us fleet of foot and able to deliver quick wins to market."
RBS' previous experience of PKI, with NatWest.com, was very much a mass-market, consumer-focused solution. "The Identrus infrastructure is more discerning, with stronger, token-based certificates," says Murphy. "However, there was a large percentage overlap in the two architectures."
Development of the Identrus infrastructure was also simplified by the fact that the initial store-and-sign application allows it to operate independently of the bank's existing applications. However, Identrus-based services that are planned for the future, such as online authorisation of payments, will necessitate the creation of links into the bank's core systems and the team will have to submit to RBS' normal procedures for linking new functions into its mission-critical applications.
Furthermore, a danger for RBS is that it will end up with multiple PKIs. "There's a balance between trying to build one infrastructure for everything or quickly throwing together infrastructures for particular applications," Robinson says. "At the moment, we have developed separate infrastructures and our focus is on individual applications, but the long-term plan is to integrate them."
In fact, Robinson admits, "putting the boxes together was relatively easy. The greater challenges were around the softer factors. For instance, we had to make sure we had strong operational procedures for managing the lifecycle of a certificate, from issuing it to expiry. We had to devise those processes and ensure at every stage that they cross-referenced back to the Identrus rulebook, our own organisation's procedures and UK law. That stage was more time and labour-intensive than we had expected."
The work was carried out mainly by RBS staff - five technologists and five business specialists - with consultants and an external legal counsel brought in to review various aspects of the programme. All of this work was subject to audit and approval by a team from Identrus. RBS has to resubmit to this audit process on annual basis but, as Murphy points out, "although it's cumbersome, it's worth it, because it gives everyone 100% confidence in the project".
Each bank is free to choose suppliers and products to implement its PKI, as long as they conform to the standards laid down in the Identrus framework. RBS' customers are also free to select parts of the technical solutions - such as smartcard readers - which they must implement themselves, as long as they conform to the Identrus framework.
RBS' approach has been to integrate best-of-breed products, while trying to create as simple a solution as possible. Not surprisingly, the solution chosen for its Identrus infrastructure has largely piggybacked off the Natwest.com set-up. "The main difference has been that our internal certificates are software-based, whereas Identrus is hardware or token-based, so we have had to source smartcards and smartcard readers," says Murphy.
The selection process also had to conform to RBS' purchasing guidelines: having identified which suppliers produced materials aligned to the Identrus standards.
Excellent relationships with suppliers has helped the team overcome the technical headaches which are inevitable in any pioneering implementation. "It has been about managing expectations and, when things have not gone totally to plan, admitting that things haven't worked as envisaged and then asking how we can put that right as soon as possible," says Robinson.
Building the technical infrastructure, developing the relevant procedures and documentation, and subjecting itself to comprehensive testing and audit by Identrus took RBS about a year. Since then, the team has concentrated on developing and marketing applications to run over the infrastructure.
The first of these, the store-and-sign service, has been taken up by Lombard, the asset finance arm of the RBS Group. It went live on 20 April when vehicle rental firm Sixt Kenning used an Identrus-enabled Web site to sign a finance agreement with Lombard for a new fleet of motor vehicles. Robinson says developing and piloting this first Identrus product with another member of the RBS Group "gives customers confidence because we can prove it works, adds value and is economically sound".
The bank is now concentrating on marketing the store-and-sign application to the rest of Lombard's customer base. It is also starting to look for other companies to whom it can offer a version of the application designed to meet their e-business needs and to make indirect sales through other parts of the RBS Group - such as corporate relationship managers - and carefully chosen third parties.
The project has clearly worked well so far, but as one of the first banks worldwide to launch a live Identrus application, RBS has had little best practice to follow or benchmark its efforts against. "People recognise that we have made a lot of progress and that we have made a good fist of the project and know where we are taking it," Murphy says. "As a company, we are very ingrained in project management disciplines. But with a project like this, although those tools are useful, they don't always give you the answers and sometimes you have to think outside the box."
However, RBS has stuck to some best practice basics, not least "learning to walk before we run," says Murphy. "We have created a very simple first application and set up a dedicated sales team working alongside the developers so that the feedback loop is very quick and we can learn from talking to customers where their concerns, fears and expectations are and adapt quickly to those."
Robinson thinks RBS has succeeded in part because it was able to assemble the right team. "It's important when you're dealing with anything as new and differentiated as this that you get good quality people together who can think outside the box and not just take a project management manual off the shelf," says Robinson.
The Identrus member banks were also able to create goodwill and teamworking amongst themselves, despite the fact the banking sector has generally not had a strong history of positive co-operation on similar projects.
RBS now plans to launch two new Identrus-based services. The first is an authenticated e-mail solution. "We looked at this early on as a natural application to roll out, because most people use e-mail," explains Robinson. Customers will be able to use plug-ins to applications such as Outlook which have been evaluated and accredited by Identrus.
The second service will handle secure initiation of the payment process. "We see this as the killer application and for us. It's a neat marriage between the identity validation we have developed for the store-and-sign product and our payment capabilities as a bank," Murphy explains. "We expect to cover the whole spectrum of payment options, from a clean payment through to complicated trade financial instruments such as letters of credit."
At a glance
Royal Bank of Scotland (RBS) became the UK's second largest bank in March 2000 when it bought NatWest. It now has 15 million customers and 2,200 UK branches, and employs 88,000 staff. It is the UK leader in corporate and commercial banking and has more small business customers than any other bank.
RBS wanted to extend its heritage of providing trust services to business customers into the e-business arena, by providing security and authentication for e-enabled transactions. It saw the potential to deliver services at every stage of the trading cycle but needed to create an appropriate technical, legal and organisational infrastructure to underpin those offerings.
RBS became a founder member of international banks group Identrus, which developed a public key infrastructure (PKI) standard to enable secure online trading. RBS created an Identrus-based PKI and is now developing a series of applications which take advantage of the infrastructure to allow businesses to trade online with confidence. The first application, which went live in April 2001, allows companies to "store and sign" contract documents securely.
What the BuyIT experts say
The case study provides a useful account of a major organisation's best practice methods in managing an important project, from due diligence to avoiding the big-bang approach. It also gives a fascinating insight into the process by which security and authentication for e-enabled transactions is being delivered - undoubtedly an essential ingredient for e-commerce to succeed and therefore a topic of interest to all of us.
Royal Bank of Scotland understood that the requirement was not just to deal with the lack of confidence at the business-to-business (B2B) e-commerce end of the trading cycle, but to tackle the need for authentication at every stage in the supply chain, which means interoperable public key infrastructure (PKI) standards for all B2B processes and communication right up to payment. Without this breadth of vision, PKI would remain a niche application.
Royal Bank of Scotland's initiative with Identrus highlights how pervasive a concern e-business is in today's market. It is clear that there are significant corporate fears about using the Internet for B2B commerce. However, RBS researched and invested in technology that will assure that its Internet business transactions are private, authenticated and fully accessible, and remain safe from fraud.
While B2B commerce is an important issue, the Identrus programme will also enable RBS to help businesses manage their whole supply chain process. In the past, financial institutions have identified trading partners, offered signature guarantees and acted as payments intermediaries. Today, they provide purchasing cards, payroll services, letters of credit, and other products and services that require authorisation, identification and certification of a corporation's identity. RBS has capitalised on its strengths to enable its business customers to become trusted third parties for e-commerce transactions, gain real-time access to information and ultimately boost the management of their working capital.
Nothing strikes more fear into businesses committing transactions online than the insecurity of the Internet. It is excellent news that Royal Bank of Scotland has implemented its trust initiative with Identrus.
One of the key issues for financial institutions carrying out transactions electronically, whether it be purchasing cards, payroll services or financial agreements between two parties, has always been trust and authentication. There are, as RBS recognised, few PKI suppliers which provide such authentication tools. It is important that these tools meet the standards laid down in the Identrus framework.
Identrus has provided the standardisation and compliance across PKIs that gives trading partners the confidence and trust to trade electronically. What is key is the need for interoperability so there are no restrictions on customers using their own configurations. We applaud RBS for making these initial steps to ensure that trust and authentication is possible today between trading communities.
This was first published in October 2001