Cryptography in Financial Institutions: Where Market Changes Require a Mutual Understanding by CEO and CISO - to Manage Risk AND Reduce Total Cost of Ownership

Changes in regulations and the competitive landscape are disrupting payment ecosystems. This article explains why concerted action on cryptographic infrastructure is needed from the banks’ CEOs and CISOs.

Disruptive change from all sides

Changing competitive landscape

The long-stable banking world is currently being challenged by external intruders like Apple, Google, Microsoft or Alibaba. A multitude of Fintechs is entering the market with value propositions around payment and analytics.

Regulation and standard-driven change

Banking regulations like the European Payment Service Directive 2 force banks to open up their payment APIs to Fintechs, creating an agile ecosystem of replacement but also of coopetition.

A new PCI standard puts the lever on security: PCI PTS HSM v3 forces banks to replace insecure Hardware Security Modules with new HSM designs built around key blocks. Many of the new HSMs are not backward compatible, requiring many adaptations in banking applications when the HSM backbone is replaced.

Consolidation on the supplier side

The growing integration of cryptographic components and the pressure for rapid innovation have started an ongoing wave of mergers and takeovers. In many cases, a multi-sourcing strategy lost its validity as former competitors suddenly ended up being part of the same company.

Resulting and unavoidable infrastructure changes - a once-in-a-lifetime chance to clean up the legacy infrastructure

What appears like a threat to the banking world is actually a great opportunity, comparable to the time of deregulation in the telecom sector during the 1990s. As a result of the deregulation, established telecoms boomed, fueled by ecosystems of startups and service providers around them, eager to dock onto their infrastructure and to co-create service proposals.

The banks have the same opportunity. As cash-based payments keep losing importance, more and more payment-related services are routed through the banks.

The regulation-driven change of infrastructure can now help to improve the banks’ competitiveness.

What are the processes concerned?

When talking about payment, we think about four axes:

  • ATM, involving cash withdrawals,
  • Card Not Present transactions (CNP),
  • EFTPOS; together with CNP, this currently covers a large percentage of payments, although parts of it are moving to alternatives,
  • Payment Apps, the fastest growing segment, involving big players like Apple Pay, PayPal, Google Pay or Alipay, but also many Fintechs docking onto the bank infrastructures to co-create service offerings.

Traditional mainframe systems were optimized for handling ATM transfers. The challenge is that their rather monolithic structure does not cope well with the ecosystem-driven open innovation of the Payment App axis, which has led to the emergence of countless new services driven by intruders from a non-banking background.

Consequently, the banking application software market is also undergoing disruptive change. Traditionally dominated by the mainframe providers IBM and HPE, today the biggest growth (in %) is seen with more service-oriented providers like Microsoft, Temenos Group or SS&C Technologies.

Close cooperation of CEO and CISO

A good crypto infrastructure needs to be able to service all four axes, be flexible, manageable (meaning not too complex) and compliant, and allow for central and convenient auditability.

Decisions on cryptographic infrastructure are strategic by default, as they determine the bank’s future scope of manoeuvre and how quickly it can respond to market requirements and service opportunities.

At the same time, C-level business decisions cannot be taken without consulting the CISO and his or her crypto team, as they have to provide an infrastructure that is able to accomplish the bank’s strategic goals and that is compliant with the regulations in the envisioned fields of activity.

Simple managerial factors like total cost of ownership (TCO), compliance and risk mitigation through dual-vendor strategies also need mutual understanding.

In our next blogs...

In the next blogs we will dive deep into these aspects and look at the parameters to be tuned, including managing the risk of (key) migration, total cost of ownership, reduced complexity / simplicity, flexibility, dual-vendor strategies and PQC-proof infrastructures. Our series on total cost of ownership sheds light on each of these aspects from technical and strategic perspectives.

We did not address cloud as an independent axis, as it is not a strategic alternative but a way of providing and implementing the service offer, with a trade-off of advantages and disadvantages (read more in our extended article on architectural alternatives and in our series on cloud subjects and Utimaco’s Crypto Server Cloud).

About the author

Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 to 2015, he was an associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership between KIT and IBM, where he researched network effects around web platforms together with SAP Research.
