From the September 2011 issue of Treasury & Risk magazine

The Cloud Invasion

As software as a service proliferates, the fortress mentality succumbs to the drive for efficiency despite security breaches.

The corporate firewall isn’t what it used to be. The drive for efficiency and the influence of social media are trumping security concerns as financial transactions and communications move to the Internet and mobile devices. The cloud is replacing the fortress, in spite of ongoing security breaches that are embarrassing and sometimes expensive. Treasury technology is becoming convenient. The swell of software as a service (SaaS), now often associated with cloud computing, has become a tidal wave.

“Over 95% of our new business is SaaS,” says Orazio Pater, COO of GTreasury, a Chicago-based treasury workstation provider. “For a while, the largest companies still wanted installed software, but we don’t see much of that any more. The only on-site installations now are at companies that have legal or regulatory reasons for needing total control. It’s hard to justify the cost of an installed system.”

The new drivers around treasury tech decisions are apparent in the case of Styron, which was born in June 2010 as a brand new $3.5 billion multinational plastics, latex and rubber company with no treasury and no legacy infrastructure to constrain its choices. Part of the separation agreement when $54 billion Dow Chemical spun off Styron was that Dow would continue to perform treasury operations for the new company for a year.

“We had to build a treasury staff and treasury operating systems from scratch,” notes assistant treasurer Michael Rowan, who previously worked for GMAC Mortgage and was hired in December 2010 to find the right technology and implement it by the end of June.

Styron hired two consulting firms, Treasury Strategies in the U.S. and Nasarius Switzerland in Europe, to help with technology choices. The RFP made it clear to vendors that implementation would have to be expedited, the system would have to handle global cash management from the start, and it would have to accommodate less urgent needs in the future, when investments and hedging transactions would be added. Three vendors were invited to make presentations.

The winner was IT2, operating from its New York City office, a vendor Rowan had not worked with before. “They made a great presentation,” he recalls. “We could see that the system was very good. And we could also see that they understood our need to move forward quickly. Their CEO even flew over from London to our headquarters in Berwyn, Pa., to reinforce that commitment from the top.”

Implementation went as scheduled. “The two consulting groups worked with us through the process,” Rowan says. “IT2 had a project team and a manager, Emma Orton, who kept us on track. It helped tremendously that Dow was operating the treasury during this time so our staff of about 10, in treasury centers in the U.S., Switzerland, Brazil and Hong Kong, could essentially devote all their time to getting us ready.”

“From the beginning, no one had any illusions about what had to be delivered,” notes Steve Bullock, senior vice president and general manager for IT2. “It was a case of highly disciplined project management.”

By late May, the new system was operational. For five or six weeks it ran parallel with Dow’s WallStreet Systems workstation to ensure the two systems were producing the same results. By July 1, the IT2 system was carrying the load, which was essentially cash management at the start.

“We think IT2 will be the only treasury system we need for now,” Rowan says. It has to communicate with Dow’s SAP system, which still supports Styron’s accounting. “We have to feed data from IT2 into SAP for account postings, and we have to take AP and AR data from SAP into IT2 for forecasting,” he explains. “That was a little complicated. We had to make sure we touch only Styron information.”

Connecting to Akshay Software International, the SWIFT service bureau Styron uses to import its account balances through the SWIFT network, was easy because IT2 works with SWIFT, Rowan says. “We pull all our balances through SWIFT, and we send MT 101 messages through SWIFT to our banks to execute cash payments.”

That’s just phase one of the project. Phase two includes turning on a module that will let Styron trade FX forwards to hedge its currency exposures. The company, which makes 60% of its sales in the eurozone and another 19% in Asia, only conducts spot trades for now and is not hedging. “Our exposures aren’t bad,” Rowan says. “Our euro business is pretty balanced, so we’re OK, but we definitely want to move to being more proactive.” He predicts that will happen this month.

Also ahead is getting acknowledgements back from banks automatically through IT2. Further down the road, Styron will get intraday balances through SWIFT, “so we stay on top of our cash position and don’t have to wait for overnight reports,” Rowan says.

According to Bullock, Styron now has FX hedging available that includes barrier and average rate options and non-deliverable forwards. The system will support fixed, floating, index-linked and zero-coupon-rate loans and deposits, as well as interest-rate swaps. Styron will use the IT2 Smart Cash Modeler for forecasting as well as multilateral netting, cash concentration and integrated bank account administration. Front office risk-management activity will include hedge accounting, credit risk management, scenario analysis and value at risk (VaR). Styron subsidiaries can use the IT2 NET Web option for remote operations.

If Styron’s current technology is conveniently accessible, highly automated and firewall-porous, tomorrow’s tech will be even more so if a group of innovators at Deutsche Bank have it right. They fervently believe treasury is ready to embrace the technology that has swept through the consumer world of social media and mobile devices. Bank thought leaders recruited a stable of software designers from leading companies and created a software development hub in Research Triangle Park, N.C., led by Kristopher Tyra, head of user experience development for group technology, who considers himself a software entrepreneur, not a banker.

And that is revolutionary, insists David Watson, head of client access products for global transaction banking. “We’re creating a user experience research process that feeds continually into an agile delivery model,” Watson says. Traditional bank cash management and treasury applications aimed to build up impressive functionality. Now Deutsche Bank seeks to break those applications down into “lightweight” functionality.

“We will provide loosely interconnected applications and business logic that more precisely link to what a user needs to do,” Tyra explains. “We’re going to provide simplicity on the front end by breaking down functionality into pieces.” Those streamlined components will be easy to use, will require less training, and will be ideally suited to mobile devices, Tyra says. The complexity on the back end will be invisible to users, he adds. “We’re reversing the traditional goal of rich functionality and moving to simplicity and intuitiveness. There will be no need for user manuals.”

Not everyone is a big fan of SaaS. Consultant Bruce Lynn questions the claims of lower costs. “You’re swapping a fixed up-front cost for a floating cost on the back end. Vendors can always raise floating costs, and treasurers don’t have a way to hedge against the floating cost exposure.”

And the “no IT” benefit is also a bit overstated, Lynn insists. “Information has to flow through the firewall, which necessarily involves IT. It’s not a big problem but it’s an issue,” he says. “Typically IT won’t understand the content that is flowing in and out.” Moreover, SaaS delivery precludes much customization. “It will fit some companies better than others,” Lynn says. “If you have an unusual or complex legal or banking structure, SaaS might not work for you.”

Security remains a concern. Technology around transaction security may not have changed a lot in the past few years, but it’s about to, says Aaron Bills, COO at 3Delta Systems in Chantilly, Va. The harbinger is a court decision in favor of Experi-Metal, a Michigan custom auto-parts maker, and against Comerica Bank, after a phishing attack compromised the Web login credentials for the company’s account at Comerica. In less than seven hours, hackers wire-transferred more than $1.9 million from Experi-Metal’s account to destinations around the globe. All but $561,399 was recovered. Comerica claimed that it had met the standard of “commercially reasonable” security and Experi-Metal was liable for the losses since its access controls had been compromised. The court disagreed.

“This is a monumental event,” Bills claims. “Now that banks’ protection under the ‘commercially reasonable’ security standard has been pierced, I think you’ll see banks scramble to upgrade the security around customer accounts.” Other lawsuits have been filed, but this verdict, reached June 13, is the first in favor of the victim, he notes.

Treasury staffs have an opportunity now to “demand that their banks explain what they plan to do about data security,” suggests Dan Miner, general manager of treasury services at 3Delta Systems. They also should review the liability language in their contracts with banks, Miner adds. “The legal change has put market forces in play,” he notes. “Banks will be less able to hide behind the standard of ‘commercially reasonable’ security.”

Economy and convenience have encouraged the use of commercial browsers with public networks, but new security threats are exposing the problems with that combination, says Joe Spatarella, vice president of sales and marketing for Online Banking Solutions in Atlanta, who calls the move to the Internet “a deal with the devil.”

Both commercial browsers and the Internet were built for open communication. There are effective protections for virtual private networks and for using the Internet without commercial browsers, Spatarella says. He predicts a back-to-the-desktop trend, after such events as the Trojan hacking attempt to present what looked like a Trusteer survey to users of Android devices. Cloud computing will continue to grow, but will be implemented as a private cloud, not a public cloud, he suggests. 

 

“Banks tend to cluster around a leader in a field, in this case Trusteer,” says Maggie Scarborough, managing director of FinServ Strategies in Baltimore. “When cybercriminals, who are now organized, see a leader, they attack.” The weak spot is the use of commercial, off-the-shelf browsers for sensitive financial applications, Scarborough says. Countermeasures include as much straight-through processing as possible to minimize browser use and adopting hardened browsers, which are starting to appear, for vulnerable financial applications, she says.

Bob Blair, executive director of J.P. Morgan Treasury Services, says the bank will continue to use commercial browsers as one form of communication.

“The security of the browser channel is a source of concern and requires constant vigilance, but there are effective security measures available,” Blair says. “Business is moving into the digital age, and that requires growing use of computers and the Internet.” Enhanced security is not an option; it’s required by bank regulators, both domestically and globally, he notes.

The data security issues aren’t specific to SaaS and won’t stop its adoption, says Wolfgang Koester, CEO of Phoenix-based FiREapps. “The future will be cloud-based and on demand. What’s happened recently reinforces the need for encryption, which can provide the necessary security. The good SaaS companies are staying ahead of security threats.”

Security concerns didn’t deter the state of Alaska’s move to SaaS treasury technology. Alaska recently dropped its old Resource IQ installed treasury software at the end of its contract with SunGard in favor of an ASP-hosted version of GTreasury, says cash manager Michelle Prebula.

“The new system allows us to code most of our wires automatically,” Prebula explains. “One day recently, we took in $1 billion. That all had to be received and distributed among different accounts. Every receipt has to be recorded separately for each agency. That would have meant a full day’s work with our old system. Now we have so much less manual coding to do that we finished in just a couple of hours.”

Disaster recovery is another plus. “Now the system is hosted and backed up by the vendor,” Prebula says. “We can access it 24/7 from anywhere in the world. Before, we did it all here, and we would have had severe problems if we couldn’t work in our building.”

The RFP process was disappointing for the Alaska treasury, which uses about 100 accounts at five banks to handle its $10 billion a year in cash flow. The first RFP produced six bids, all of which were “nonresponsive,” Prebula says. So it repeated the process, which brought in two responsive bids, the winning one from GTreasury. However, getting GTreasury and bank systems to communicate automatically has been difficult. “We still have to log onto the bank Web site and manually initiate our wires,” she says.

This has been a big year for treasury technology upgrades or overhauls, reports Laurie McCulley, managing director at Treasury Strategies. “A lot of old systems are aging out and being replaced with upgrades.” It’s common to see treasuries replace installed software with SaaS delivery and go with systems that provide strong risk monitoring, McCulley says.

The early driver of SaaS—the lower up-front cost of subscribing to a service instead of buying a software license—has been superseded by an interest in avoiding dependence on IT, she adds.

The market is still reacting to the 2008 financial crisis but has moved from survival mode to prevention mode, observes Justin Brimfield, senior vice president of corporate development for New York-based Reval. “Companies are going through broad-based process reviews, making sure they have the right processes in place to withstand further shocks and the right technology to support those new processes.” Those revised processes make treasury more responsible for risk management and define risk management more broadly, Brimfield says.

 

 

For a look at how companies can back up cloud technology, see Fail-Safe for Clouds. And for a previous discussion of cutting-edge treasury technology, read Mobility, Agility and Clouds Ahead.

 
