Reproduction permitted for personal use only. For reprints and reprint permission, contact firstname.lastname@example.org.
- Brian Hurdis is wrestling with a compliance case, and the stakes are every bit as high as they are for most business cases.
Hurdis, senior executive vice president and chief information officer for Metavante Corp.,
is immersed in a multi-million-dollar technology project that will be rolled across all of the company's business units. The project centers around pending federal guidelines on two-factor authentication to prevent identity theft, and failure is not an option.
It is a compliance case where the stakes are high enough to impact a growing component of the financial services industry - e-finance. "If done incorrectly, it could be very cumbersome and have a negative impact of how end-users continue their adoption of electronic banking," Hurdis stated.Author of authenticity
The Milwaukee-based Metavante, the financial technology subsidiary of Marshall & Ilsley Corp.
, develops banking and payment technologies for financial services firms. Like other members of the financial industry, it is working to meet a pending federal guideline for two-factor authentication.
At the moment, when consumers log onto an online banking service, they enter a password and what Hurdis calls an "out-of-wallet" component that uniquely identifies, or authenticates, them. In the current Internet banking model, this is considered a single-factor type of authentication.
With stronger identification, a second factor is introduced. Said Hurdis: "It's strengthening that whole concept of, `Are you who you say you are? Do you know what you need to know to gain access to this account?'"
Given the task at hand, and the organization in which Hurdis operates, even something that sounds like a simple add-on feature turns into a complex project involving an enterprise implementation across multiple business units.
It helps that Hurdis, a 20-year banking and technology professional, serves on the company's Executive Committee. But with multiple user constituencies, he has several layers of communication to contend with. There is his internal constituency of network architects, about 800 people strong, and the 1,700 developers and operations staff within Metavante; the product teams that own the company's business lines; an external constituency comprised of Metavante's financial service customers; and, finally, the end consumer.
Metavante, which reported $1.2 billion in revenue in 2005, employs 5,500 people and has a global reach. "There are a lot of moving pieces," Hurdis said. Communication layers
Part of the communication flow involves clarifying the roles of Metavante, its banking customers, and what communications they must provide to their end consumer. To facilitate communication, Hurdis chairs a Technology Committee comprised of key technology officers from all of Metavante's constituencies.
"What we do is socialize where the hot spots are and ultimately boil that up into an enterprise level initiative," he said, "and the Technology Committee becomes the place for dealing with that.
"That began the stream of communications that started to frame out the program, and started to deal with the time lines that are still in flux, which is why this is kind of a difficult project."
The last planning piece was to architect this as an enterprise solution, and then evaluate vendors that provide dual authentication.
For Hurdis, who has a bachelor's degree in management information systems from the University of Wisconsin-Eau Claire, vendor selection may be the easiest piece to this puzzle. When Metavante started its vendor selection process, it looked at regulatory guidelines that included requests for proposals, which were submitted to top tier vendors.
"We had to stick with the top vendors because companies like Gartner and Forester and others really have managed some of that analysis, so we know who are the top players in any of these technology areas," Hurdis said.
Metavante selected TriCipher
, which will have to meet vendor performance criteria. Metavante has not worked with TriCipher before, which adds to the complexity of the project, but spelling out vendor performance is a standard part of any vendor contract Metavante enters into.
"We added extra layers following the passage of Sarbanes Oxley, but we had a very strong program to begin with," Hurdis said.
Banks are expected to have two-factor authentication in place by the end of 2006, but Hurdis predicted there would be banks that will still be in the enrollment phase in the first quarter of 2007. He characterized this as normal logistics, and said the federal government is aware of the scope they have created within this time line.
Each Metavante business unit will need to get its operating model established before moving on to production, and migration will be completed in phases. Metavante will introduce the architecture in the third quarter of 2006, then migrate it to banks so they can begin to incorporate it into their operating models, including call centers that assist customers.
Change management, which Hurdis said has been "an extremely critical aspect" of Metavante's business, also touches various constituencies. Hurdis likens it to changing the tires on a car while it is moving down the road, and he said it links back to communication. There are various levels of change, communication, and coordination across constituencies, including one million Internet banking end-users.
"The first thing we had to do was set a very explicit series of milestones for decisions that had to be made on technology, but also that had to be communicated to banks so that they had plenty of lead time to do their planning," he explained. "Our change management process has a lot to do with communication, and all those milestones were built into the program."Measuring results
Even when making a compliance case, Hurdis tries to align the project with an expense management component. Measures of success include the extent to which the company meets regulatory requirements for two-factor authentication, the level of "usability" across the customer base, and the delivery of technology at a unit cost that is appropriate to Metavante's business model.
All of these will be measured after deployment, but first a key evaluative tool is being deployed. "We're doing a very detailed, what I'll call broad, risk assessment," Hurdis said, "for the different organizational functions within our business."