Tag Archives: bank of america

What Blockchain Means (Part 2)

Our first post covered the morning sessions on blockchain at the #CityChain17 event organized by MBN Solutions and held at IBM’s spacious SouthBank offices. Our next speakers focused more on applying the technology in your business.

So, here are some more reflections from listening to those speakers, together with blockchain resources that I hope you’ll find useful.

How to get from concept to implementation

First up was Peter Bidewell (CMO of Applied Blockchain). Complementing the earlier technology detail, he unashamedly emphasized engaging the wider business, especially senior leaders (a popular topic for this blog).

He emphasized that his firm was finding real business uses for the technology and that it specialized in the “smart contracts” capability of blockchain.

The benefits of blockchain that he is seeing as more relevant for business clients are:

  • Tamper-proof actions/events
  • Peer-to-peer (avoiding cost of intermediaries)
  • Innately secure (built-in encryption and consensus)
  • Pre-reconciled data (automatically synchronized)
  • Smart contracts

But to apply this technology in business he has found the company needed to develop a number of other augmentations/supporting capabilities. This includes a blockchain “mantle” with:

  • Platform-agnostic implementation of blockchain
  • Data-privacy “capsule” used within the chain
  • Identity management service
  • System performance improvements

In addition to that “enhanced blockchain” capability, real world business applications have required a “full stack” of technologies:

  1. Blockchain (of choice)
  2. Mantle (the above enhancements)
  3. Integration with other key business systems
  4. Front-end (user experience, or UX)

Bidewell explained that a smart contract has nothing to do with replacing lawyers. Rather, it is a container of data and code (a block) that can be placed on the chain/shared-ledger/network. It can contain:

  1. Data
  2. Permissions
  3. Workflow logic
  4. Token (if simulating passing of funds)

He finished by sharing some interesting applications. His company is working with Bank of America, Appii, Nuggets and SITA.

The first of those is perhaps the most relevant for readers. BABB is to be the first blockchain-based bank, “an app store for banking.”

The Appii pilot is also interesting, as it enables a sort of verified LinkedIn or CV (with qualifications/experience validated by providers). But the example that sticks in the memory best is real-time drone regulation for SITA: the world’s first blockchain-based registry of what all drones are.

What’s the path to mainstream adoption?

Acknowledging the emerging reality at this event (that commercial blockchain case studies are still in pilot stage), our next speaker shared his experience and thoughts on making greater progress.

Brian McNulty is a founder of the R3 Consortium (mentioned in part one). This is the world’s largest blockchain alliance, with more than 70 major financial services firms and more than 200 software firms and regulators already members.

What does R3 do? Well, apparently it collaborates on commercial pilots. It also provides labs and a research center to support organizations during their innovation. R3 has its own technology (R3 Corda implementation) and own “path to production” methodology. So, perhaps some resources worth checking out.

Akin to what we have learned for customer insight and data science pilots, McNulty confirmed that the path to mainstream adoption will be a “burning platform.” What story will make the case for such an unacceptable status quo that organizations must make the leap to blockchain (to avoid the flames)?

He suggests a few pointers:

  • Collaboration is increasing, adding complexity;
  • The appetite of regulators is increasing, as they grasp the benefits of pushing for distributed ledgers as market solutions;
  • More work is needed on standards (but the dust is settling, and competition is reducing)
  • Will we get to cash on the blockchain? (probably more a move to digital assets on ledger being counted as monetary assets)
  • The real burning platform will probably be increased operating costs (currently $2.6 trillion annually, with blockchain promising 20% savings)

Despite all that, McNulty confirmed that most businesses are still only at pilot stage. But, apparently, some FS firms are having IT developers trained en masse (so that blockchain can be considered as just another technology option to meet business requirements).

Bursting the blockchain hype bubble

Next was a man who should seriously consider a second career in stand-up comedy. Dave Birch is innovation director for Consult Hyperion. He gave a hilarious comedy session on the hype around blockchain.

Using just genuine newspaper headlines, he revealed how blockchain is apparently the answer for every industry, transforming everything from banking to burgers and healthcare and ending global poverty. As an aside, he shared the amusing story of how Amex was conned during the “Great Salad Oil swindle” of 1963.

He used that as analogy to the crucial issue of how not to get swindled by hyped blockchain claims. The key, it appears, is to always ask: What’s in the blocks?

Birch also shared his four-layered model of a shared ledger:

  1. Contract (smart contract built upon)
  2. Consensus
  3. Content
  4. Communications (robust)

He described the lower three as a “consensus computer.” He also introduced a taxonomy of blockchain implementations. This was divided into a simple binary tree built on two layers of questions:

  • Is it a public or private ledger?
  • Is it permissioned or double-permissioned?

If you think about it, a shared ledger is really a practical example of the much talked about RegTech. Dave pointed out that a shared-ledger solution would have uncovered the Great Salad Oil Swindle, because the macro production numbers would have been unbelievable. A lot of the hype is misguided, because blockchain can’t fix individual problems, but it can spot systemic errors.

An interesting analogy he shared was an old idea about the best way to avoid bank branch robberies. At a time when lots of architects were suggesting military-like protections for staff and vaults, one radical turn-of-the-century designer suggested the opposite: a bank built mainly of glass. If everyone can see what is going on, the bank robber has nowhere to hide.

That is the principle of blockchain, the power of radical transparency. So, businesses may get more value thinking how to radically redesign, rather than just reengineer, existing database solutions into a blockchain app.

Getting back to the customer benefit of blockchain

Our final speaker brought us back to that emphasis during the panel session: What is in it for the customer? (A topic that is preaching to the choir on this blog.)

Peter Ferry, commercial director at Wallet Services, suggested that blockchain is gradually becoming an invisible technology option. The focus will return to customer needs and business requirements, with IT departments worrying about when blockchain is the right technology solution for needs.

But when would it be relevant? How can blockchain make our lives simpler?

As Ferry rightly pointed out, the development of the internet and today’s digital applications should be a warning. Mostly, digital technology has not made our lives simpler; if anything, they are more complex and demanding. The internet has developed differently than was originally dreamed (distributed and robust network for military purposes).

Blockchain can potentially do a lot for customers, including: security by default, sovereignty of their own data and no single point of failure. Customer-focused design principles have to be applied to this enabling technology to deliver real value.

So, there is a strong case for customer insight teams to partner with blockchain development teams to help enable this.

For its part, Wallet Services used this event to launch its enabling technology. SICCAR can be thought of as Blockchain as a Service, including APIs, services and pre-fabricated business use cases. Might be worth checking out.

How will you approach the potential of blockchain for your business?

I hope this post was also useful, giving you food for thought and some useful resources/contacts.

Where are you on this journey? Are you still learning about blockchain?

Do you have plans to partner with a blockchain development team? Are you already using customer insight to guide blockchain pilots?

If so, please let us know what’s working for you or any pitfalls to avoid (using the comments section below).

Phishers’ New Ruse: Trusted Tech Brands

Most of us don’t think twice about opening and maintaining multiple free email accounts where we live out our digital lives. And we’re getting more and more comfortable by the day at downloading and using mobile apps.

Yet those behaviors can harm us. ThirdCertainty sat down with David Duncan, chief marketing officer for threat intelligence and security company Webroot, to discuss how cyber criminals are hustling to take advantage of our love of free Web mail services and nifty mobile apps.

3C: Phishing attacks leveraging our love of Google, Apple, Yahoo, Facebook and Dropbox are skyrocketing. How come?


Duncan: There are 10 times more phishing attacks based on emulating tech companies than financial firms. You’d think it would be the other way around, but it’s not. The focus is on stealing information from your various email accounts because it’s easier to spoof people into acting on something that appears to come from Google or Apple than from Bank of America or Citibank.

3C: Because we’re less suspicious of Google and Apple than big banks?

Duncan: Yes. Phishers prey on the fact that we see those brands as trustworthy brands.

3C: What ruses should folks watch out for?

Duncan: It’s the typical ones. You’ll get something advising you of the need to change your password or share your contacts. They’ll send you a link to click. A certain percentage of gullible users will click on the link and follow instructions to give up their credentials.

I can’t say I know of any specific new strategies other than the fact that the focus is on impersonating big domains like Google and Yahoo because people don’t think too much about something that appears to be coming from those trusted sources.

3C: Is there really a one-in-three chance the average person will fall for a phishing scam?

Duncan: Yes, there is a 30% chance of Internet users falling for a zero-day phishing attack over the course of the year. It used to be about one out of every seven phishing emails actually got through. But we’re human beings, which means we’re gullible.

3C: What about mobile apps? What’s the risk there?

Duncan: A year ago, we tracked about 8 million mobile apps, and around 75% were trustworthy and 10% were benign. So 15% were malicious or suspicious. Now we’re classifying 15 million mobile apps, and we’re finding 35% to 40% are suspicious or malicious in character.

3C: That’s a pretty significant change.

Duncan: People don’t think of installing an app on their mobile device as installing a potentially unwanted application that’s being delivered from an untrustworthy app store.

3C: So is this mostly an Android exposure?

Duncan: Probably 90% is Android, maybe 10% is iOS. Apple has a more secured kind of walled guard for verifying and authenticating the source of applications. But it also depends on what users are accustomed to. If you go over to certain geographies in the world, people may not necessarily always go to the iTunes store. There are a lot of third-party websites where even iOS apps are cheaper or they’re free.

Unstructured Data: New Cyber Worry

Companies are generating mountains of unstructured data and, in doing so, unwittingly adding to their security exposure.

Unstructured data is any piece of information that doesn’t get stored in a database or some other formal data management system. Some 80% of business data is said to be unstructured, and that percentage has to be rising. Think of it as employee-generated business information—the sum total of human ingenuity that we display in the workplace, typing away on productivity and collaboration software and dispersing our pearls of wisdom in digital communications.

Unstructured data is all of the data that we are generating on our laptops and mobile devices, storing in cloud services, transferring in email and text messages and pitching into social media sites.

Many companies are just starting to come to grips with the complex challenge of figuring out how to categorize and manage this deluge of unstructured data.

Sensitive data at risk

But what’s more concerning is the gaping security exposure.

It was unstructured data—in the form of a text message transcript of employees conversing about deflating footballs—that blindsided the New England Patriots NFL team and its star quarterback, Tom Brady.

Yet the full scope of risk created by unstructured data is much more profound.

“The risk that unstructured data poses dwarfs that of any other type of data,” says Adam Laub, product management vice president at STEALTHbits Technologies. “It is the least understood form of data in terms of access, activity, ownership and content.”

STEALTHbits helps companies that use Windows Active Directory identify and keep more detailed track of shared files that hold unstructured data. That may sound basic. Yet the fact that STEALTHbits is part of a thriving cottage industry of technology vendors helping organizations get a grip on unstructured data is truly a sign of the times. I met with Laub as he was pitching STEALTHbits’ technology at the recent RSA Conference in San Francisco. “Any single file can contain the data that puts an organization in the headlines, and turning a blind eye to the problem or claiming it’s too big to handle is not a valid excuse for why unstructured data hasn’t been secured properly,” Laub says.

A decade and a half has elapsed since the Y2K scare. During that period, business networks have advanced and morphed and now tie extensively into the Internet cloud and mobile devices.

Time to close loophole

Along the way, no one had the foresight to champion a standard architecture to keep track of—much less manage and secure—unstructured data, which continues to grow by leaps and bounds.

Criminals certainly recognize the opportunity for mischief that has resulted. It’s difficult to guard the cream when the cream can be accessed from endless digital paths.

Just ask Morgan Stanley. Earlier this year, a low-ranking Morgan Stanley financial adviser pilfered, then posted for sale, account records, including passwords, for 6 million clients. The employee was fired and is being investigated by the FBI. But Morgan Stanley has to deal with the hit to its reputation.

“The urgency is that your information is under attack today,” says Ronald Arden, vice president at Fasoo USA, a data management technology vendor. “Somebody is trying to steal your most important information, and it doesn’t matter if you’re a small company that makes widgets for the oil and gas industry or you’re Bank of America.”

Fasoo’s technology encrypts any newly generated data that could be sensitive and fosters a process for classifying which types of unstructured data should routinely be locked down, Arden told me.

Technology solutions, of course, are only as effective as the people and processes in place behind them. It is incumbent upon executives, managers and employees to help make security part and parcel of the core business mission. Those that don’t do this will continue to be easy targets.

Steps forward

Simple first steps include identifying where sensitive data exists. This should lead to clarity about data ownership and better choices about granting access to sensitive data, says STEALTHbits’ Laub.

This can pave the way to more formal “Data Access Governance” programs, in which data access activities are monitored and user behaviors are baselined. “This will go a long way towards enabling security personnel to focus on the events and activities that matter most,” says Laub.
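One way to baseline user access to shared files, as an added example that is not from the article or from any vendor's product. The event tuple format, share paths, user names and the median-plus-k-MAD threshold are assumptions made for illustration, and the events are constructed.

```python
from collections import defaultdict
from statistics import median


def build_sample_events():
    """Constructed (day, user, path) file-share reads; not real data."""
    events = []
    normal = {
        "alice": [4, 5, 3, 4, 6, 5, 4],
        "bob": [10, 12, 9, 11, 10, 12, 11],
    }
    for user, counts in normal.items():
        for day, n in enumerate(counts, start=1):
            events += [(day, user, f"/share/{user}/doc_{day}_{i}.xlsx")
                       for i in range(n)]
    # Day 8: bob behaves as usual, alice reads 60 distinct client files.
    events += [(8, "bob", f"/share/bob/doc_8_{i}.xlsx") for i in range(11)]
    events += [(8, "alice", f"/share/clients/acct_{i}.xlsx") for i in range(60)]
    # Repeated reads of one file must not inflate the count.
    events += [(8, "bob", "/share/bob/doc_8_0.xlsx")] * 25
    return events


def daily_distinct_files(events):
    """Return {user: {day: number of distinct files read}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, path in events:
        seen[user][day].add(path)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def flag_unusual_access(events, today, k=5.0, min_history=5):
    """Flag users whose distinct-file count today exceeds their own baseline.

    Baseline is the median of the user's earlier days; spread is the median
    absolute deviation (MAD), which a single past spike cannot distort.
    Users with fewer than min_history earlier days are skipped, so new
    accounts need a separate review rule.
    """
    alerts = []
    for user, per_day in sorted(daily_distinct_files(events).items()):
        history = [n for day, n in per_day.items() if day < today]
        if len(history) < min_history or today not in per_day:
            continue
        base = median(history)
        mad = median(abs(n - base) for n in history) or 1.0  # avoid zero spread
        threshold = base + k * mad
        if per_day[today] > threshold:
            alerts.append((user, per_day[today], threshold))
    return alerts


if __name__ == "__main__":
    for user, count, threshold in flag_unusual_access(build_sample_events(), 8):
        print(f"{user}: {count} distinct files today, threshold {threshold}")
```
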

Smaller organizations may have to move much more quickly and efficiently. Taking stock of the most sensitive information in a small or mid-sized organization is doable, says Fasoo’s Arden.

“If you are a manufacturing company, the intellectual property around your designs and processes are the most critical pieces of information in your business, if you are a financial company it’s your customer records,” Arden says. “Think about securing that information with layers of encryption and security policies to guarantee that that information cannot leave your company.”

Some unstructured business data is benign and may not need to be locked down. “If I write you a memo that says, ‘We’re having a party tonight,’ that’s not a critical piece of information,” says Arden. “But a financial report or intellectual property or something related to healthcare or privacy, that’s probably something that you need to start thinking about locking down.”

Smarter, Faster Trades — and Without Fraud

New York Times senior economic correspondent Neil Irwin did a great public service in his Upshot column provocatively titled, “Why Can’t the Banking Industry Solve Its Ethics Problems?”

While Irwin addressed the issue for investors in general, his column should hold particular interest for those in the insurance business because insurers are such large investors and generate such a high percentage of their operating profit from investments. In terms of commercial and multifamily real estate mortgages alone, insurers hold more than $900 billion of investments, according to the Mortgage Bankers Association’s Q4 2013 report. (That’s $343 billion in commercial and multifamily mortgage debt plus $567 billion in commercial mortgage-backed securities, collateralized debt obligations and asset-backed securities.) The Federal Reserve tallies life insurance companies’ holdings of residential mortgage-backed securities (RMBS) at $365 billion as of the end of the first quarter, 2014. Insurers need the investment industry to clean up its problems if they are to get maximum value from these huge investments.

Why does fraud occur so repeatedly? Irwin ponders.

The answer: gamed markets.

Since the Great Depression, investment systems have relied on enforcement after the fact. If companies were investigated, prosecuted and found to have done something wrong, they were punished. Typically, this is now done through fines and stricter monitoring, meaning that current and future staff – not those in place at the time of the fraud – and shareholders bear the costs. Sometimes, individual perpetrators are forced to retire (with pensions). Only in the past few years have the Department of Justice, Federal Housing Finance Administration and Securities and Exchange Commission begun extracting hefty fines and settlements with the largest banks, such as: Citigroup’s $7 billion, JPMorgan Chase’s $13 billion and Bank of America’s $6.3 billion with FHFA and the reported $17 billion with DOJ in connection with residential mortgage-backed securities.

As Irwin notes, fraud continues to occur despite extensive efforts to address the problems that led to the near-collapse of the financial system that spawned the Great Recession.

Gaming the system through high-speed trading remains legal. As long as there is no insider trading, traders can greatly increase the speed of their transactions with network equipment, software and advantageous location of their computers.

Insider trading is illegal but hard to root out. Successful prosecution almost always entails a whistleblower coming forward to provide regulators with precise information. And coming forward as a whistleblower entails consequential career risks.

Two innovations address these systemic challenges by providing better information for the market in real time and creating a feedback loop that improves that information – rather than waiting until after the fact to police bad guys. The innovations are interactive finance and confidence accounting.

First, interactive finance rewards institutions and individuals with financial or strategic advantage for revealing information that details risk. That information could be, for instance, about the changing value of a house, about the payment history of the mortgagee, other financial information about the borrower, etc. That information would stay with the mortgage even if it became part of a pool that was sliced and diced into mortgage-backed securities, so that a potential buyer could probe and could track changes in real time, rather than rely on a single-point-in-time evaluation by a ratings agency. Interactive finance – not enforcement – would keep agencies from giving their highest ratings to securities whose underlying assets were suspect, as happened with sub-prime mortgages in the buildup to the Great Recession.

Marketcore, an intellectual property firm I advise, offers such interactive finance technology. It supports the determination of risk for financial products, continuous revaluation and analysis of components of pooled securities, among other capabilities that make markets and clear them.

Its technology diminishes incentives for fraud by making opacity and concealment anachronistic and replacing them with transparency. The IP also charts effective pathways to employ crowd data and meta data for timely detection of risk, building on the growing availability of information in a “big data” world and allowing for a generational improvement in detecting risk and rating credit.

Second, confidence accounting yields greater transparency and accuracy than traditional, prudential valuation. In confidence accounting, you don’t just set a value for an asset. You say there is an xx% chance that the valuation will fall within a certain range. You then roll up all the assessments and have a probability-based understanding of the likely range of total value. You can also use the estimations as a feedback loop and identify people or institutions that consistently overstate value – if someone says asset values will fall within a certain range 95% of the time, do those values, in fact, fall within that range 95% of the time?
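An added example, not from the original article or from any firm it mentions: a Python sketch of the roll-up and the calibration feedback loop described above. The `Valuation` record, the sample figures, the normal-distribution and independence assumptions in `roll_up`, and the flagging rule are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import comb, sqrt
from statistics import NormalDist


@dataclass(frozen=True)
class Valuation:
    appraiser: str     # who stated the range (hypothetical field names)
    low: float         # lower bound of the stated range
    high: float        # upper bound of the stated range
    confidence: float  # stated chance the value lands inside [low, high]
    realized: float    # value later observed, e.g. a sale price


def roll_up(valuations, level=0.95):
    """Combine per-asset ranges into one range for the total value.

    Assumption for this sketch: each range is a symmetric normal interval
    and assets are independent, so variances add. Correlated assets need a
    covariance term and give a wider range.
    """
    mean = var = 0.0
    for v in valuations:
        z = NormalDist().inv_cdf(0.5 + v.confidence / 2)
        mean += (v.low + v.high) / 2
        var += ((v.high - v.low) / (2 * z)) ** 2
    half = NormalDist().inv_cdf(0.5 + level / 2) * sqrt(var)
    return mean - half, mean + half


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def calibration(valuations, alpha=0.01):
    """Compare each appraiser's stated confidence with the observed hit rate.

    An appraiser is flagged when so few realized values land in range that
    chance is an unlikely explanation (binomial tail below alpha, using the
    mean stated confidence) and most misses fall below the stated range,
    i.e. the value was overstated.
    """
    by_appraiser = defaultdict(list)
    for v in valuations:
        by_appraiser[v.appraiser].append(v)
    report = {}
    for name, vals in by_appraiser.items():
        n = len(vals)
        hits = sum(v.low <= v.realized <= v.high for v in vals)
        overstated = sum(v.realized < v.low for v in vals)
        stated = sum(v.confidence for v in vals) / n
        p_value = binom_cdf(hits, n, stated)
        report[name] = {
            "stated": stated,
            "hit_rate": hits / n,
            "overstated": overstated,
            "flag": p_value < alpha and overstated > (n - hits) / 2,
        }
    return report


# Constructed sample: every asset is stated as 90..110 at 95% confidence.
REALIZED = {
    "appraiser_a": (95, 100, 104, 99, 108, 92, 101, 97, 103, 112),
    "appraiser_b": (96, 84, 101, 80, 88, 93, 79, 105, 85, 99),
}
SAMPLE = [Valuation(name, 90, 110, 0.95, r)
          for name, values in REALIZED.items() for r in values]

if __name__ == "__main__":
    print(roll_up(SAMPLE))
    for name, row in calibration(SAMPLE).items():
        print(name, row)
```

Under the independence assumption, four assets each stated as 90 to 110 roll up to 380 to 420 rather than the 360 to 440 obtained by adding the bounds.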

As risk expert David M. Rowe explains in a current Risk blog (citing work by Ian Harris, Michael Mainelli and Jan-Peter Onstwedder) confidence accounting can illuminate “the degree of uncertainty around valuation estimates…including how to partition uncertainty surrounding current valuation from the more familiar concept of risk from uncertain future events, and the messy issue of how to aggregate valuation uncertainty for specific positions into the implied uncertainty of net worth.”

Through these two innovations, interactive finance and confidence accounting, banks would have much easier times detecting rogues and suppressing rascals. In the process, banks would not only increase their own wellbeing but that of their shareholders, employees and the investing public, including insurance companies.

Going forward is now a simple business decision for us all. We must pick up the pieces of what we have learned and refashion and rebuild data-refreshing business models in which everyone can participate as an information merchant. We must deliver a common architecture in which data is consistently revalued, in a system that continually rewards disclosures about risks and values.

Interactive finance and confidence accounting are emergent technologies poised to play key roles shaping and defining smarter, faster, ethical trades in 21st century finance.