Australian financial institutions ignoring risks in rush to establish public trust in online transactions

Ernst & Young identifies multiple risk categories facing financial sector

1 November 2001


Australian financial institutions may be overlooking serious risks as they rush to implement Public Key Infrastructure (PKI) solutions, such as digital signatures, according to a new Expert Paper, "Building Trust through PKI", by global professional services firm Ernst & Young.

PKI enables users of an insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and private cryptographic key pair. If implemented properly, PKI can provide secure, publicly operated authentication as a foundation stone for high-value e-commerce.

While greater uptake of digital signatures is expected to boost local B2B commerce, Ernst & Young believes that it is also likely to create new risks for stakeholders, particularly those in the financial services sector.

"The worldwide business to business (B2B) e-commerce market is predicted to expand to US$8.51 trillion by 2005 according to the Gartner Group (March 2001), yet a fundamental lack of trust regarding online transactions has proved to be a serious barrier to continued growth in Australia," said Andrew Pearce, a Principal at Ernst & Young.

"Consequently, pressure has mounted on the government and the country's leading financial institutions to develop and approve robust PKI solutions to assure the identity of individual trading parties and the confidentiality of exchanged information. However, many of Australia's largest financial institutions may be overlooking some significant risks in their enthusiasm to embrace digital signatures," he said.

Ernst & Young has classified a number of risk categories involved in the implementation of PKI solutions. These include fulfilment, transaction, information security, financial, governance and operational risks, and those relating to the business environment.

Because digital signatures need to be portable and are likely to be issued to the customer on a smart card, together with a security password, a certain degree of fulfilment risk exists. Due to the potential number of customers involved, the quality of the customer database can present major security risks as even a small percentage of wrong information can involve significant re-issue or fraud costs if cards or PINs are misdirected.

Transaction risks occur when a financial institution wrongly verifies a signature, opening itself up to potentially significant legal claims. Ernst & Young predicts that customers will eventually place such a high degree of trust in PKI that any breakdown will be vigorously pursued legally.

Inadequate information security management represents a significant reputation risk for the financial institution. For example, a security breach would force the institution to bear the expense of re-issuing all certificates and keys. Far more costly, however, would be the damage to the institution's reputation if the breach attracted media coverage.

Ineffective pricing results in financial risk exposure. For example, an inappropriate pricing model will result in a loss of market share and a potential loss of earnings. In addition, other financial risks are created when projects are late and budgets not met. This is usually the result of a lack of expertise in planning and managing a PKI project.

Financial institutions introducing PKI also need to manage their corporate governance liabilities as differences in laws and an absence of legal precedents can expose companies to legal action.

Operational risks must also be considered as institutions must ensure that PKI offerings match current market needs or accept a risk in taking solutions to the market too late, ultimately resulting in increased costs and lost revenues. PKI solutions must also be compatible with legacy systems and existing business processes.

Initiatives such as PKI must be seen as a whole business issue, not simply an IT initiative. A PKI implementation driven by the IT department only is unlikely to maximise the benefits to the organisation as a whole.

Combined with these factors are the inherent risks involved with the close corporate collaboration involved with doing business online. Ernst & Young warns that it is important for businesses to ensure that partnerships are based around the development and nurturing of mutual objectives that will support their collaborative effort.

Online businesses must also be aware of the threat posed by competitors encroaching on market share by collaborating with their clients on e-commerce initiatives.

"Choosing the right partner is vital," said Mr Pearce. "The process requires due diligence to ensure that the partners are appropriate to the financial institutions concerned. For many Australian financial institutions it will be advantageous to partner with consortiums that have been formed to offer a PKI service, as an existing infrastructure can offer a low-risk solution and save considerable time and money."

But perhaps the biggest underlying risk associated with a change of this magnitude lies where the corporate culture and attitude towards risk are ineffective. For instance, where the risk culture of a financial institution does not adapt to the real-time nature of PKI, contract breaches and substantial financial losses could follow.

According to Mr Pearce, the challenge for the financial sector will be to maintain its position as the enabler of business and as the catalyst for positive change while managing the risks involved.

"Collaboration between trading partners online brings both opportunities and risks for financial institutions and businesses. The institutions that best match the risk reward balance will be those best placed to reap the rewards of PKI," he said.

Further media information:

Matthew Coleman
National Public Relations Manager
Ernst & Young
Tel: 61-2-9248 5828
Mobile: 0410 589 528

Christian May
Media Relations Manager
Ernst & Young
Tel: 61-2-9248 5030
Mobile: 0405 255 503


Copyright ©2002 Ernst & Young Australia