Top private banks 'keep data internal'

SINGAPORE - The practice at Standard Chartered Bank of using a third-party firm to print the monthly statements of its wealthy clients is not followed by three leading private banks here. UBS, Credit Suisse and Bank of Singapore all said they do not outsource the printing of such documents.

"All data remains within UBS infrastructure at all times. At no point in the production process is data transferred externally to a third-party vendor," UBS said.

Bank of Singapore said it does not outsource printing of any materials containing customer information, while Credit Suisse said client statements are printed in-house using its own infrastructure and on its own premises.

Their comments come after dramatic revelations by StanChart on Thursday that the February bank statements of 647 of its private banking clients had been stolen from a server at Fuji Xerox, which was hired to print the material. Police found the statements on the laptop of James Raj Arokiasamy, the alleged hacker behind "The Messiah" pseudonym charged with accessing a town council website. It is not clear how the documents were stolen from the server or how they landed on James Raj's laptop.

Fuji Xerox told The Straits Times that police removed a server and desktop on Thursday from an offsite printing facility used to serve StanChart Private Bank.

The bank statements would likely have contained detailed, highly confidential information such as the clients' home addresses and the amount of funds held with the bank. In the wrong hands, such data could be used for a range of criminal activity, said Mr Bryan Tan, a partner of law firm Pinsent Masons MPillay. "For example, it could be used for identity theft - someone could use that data to apply for loans in your name."

The Association of Banks in Singapore said the incident is a stark reminder for all financial institutions to ensure their IT infrastructure and systems are "robust and hardened" - a sentiment echoed by various banks.

However, while UBS and Bank of Singapore keep printing and other back-room functions in-house, few banks have the capacity to print the thousands of client statements that have to be mailed out monthly, or the millions of fliers and other marketing material that they produce annually.

Most outsource this job to printing firms. In fact, banks outsource a wide range of jobs, from credit-card embossing to certain accounting functions, to third-party service providers, said Frost & Sullivan analyst Cathy Huang. "But many banks have built their own private data centres, which they use to operate and store their core functions in-house, so they will typically only outsource less sensitive, secondary functions to third parties," she said.

OCBC Bank's head of group operations Denis Malone said: "Outsourcing of our operations is done very selectively, with the bulk of them performed internally."

Others, such as Barclays, Citi, DBS, HSBC, Maybank and United Overseas Bank, said outsourcing arrangements are strictly managed. This involves regular reviews of the bank's own outsourcing policies, and investing in systems and processes to deter criminal acts. It also means requiring the vendors to carry out vulnerability assessments to protect their own IT infrastructure, and conducting periodic checks on them to review security controls.

Ultimately, said UBS, it means having a system that ensures security throughout the life cycle of the data a bank handles - from creation and classification to handling and processing, dispatch, storage, and finally, the data's destruction.

yasminey@sph.com.sg

