Aug 01, 2012Banks and other financial institutions are in the business of securing sensitive information and, of course, money. So it's no surprise they prefer to keep their methods for protecting client assets private. The RFID solution providers we interviewed for this story agreed to discuss recent projects for financial firms as long as we'd keep their clients anonymous. Still, their input sheds light on where—and why—RFID is being used in the financial services sector.
The main RFID applications used by financial services are designed to track IT assets, mobile devices, storage, cash and documents. One RFID application that isn't under wraps is contactless payments.
In 2008, the Financial Services Technology Consortium (FSTC) published a set of standards for implementing RFID-based systems to track IT assets within data centers. Shortly thereafter, FSTC was acquired by the Financial Services Roundtable, and a communications representative for BITS, the Roundtable's technology policy division, says work in the area is outdated. A spokesperson for GS1 says, for now, there is no activity on its part to republish or otherwise use the standard.
Nevertheless, some banks are tracking IT assets in data centers, and technology advances are simplifying that process. In the United States, RFID facilitates compliance with the Sarbanes-Oxley Act (SOX), which requires a proper accounting of fixed assets. Banks must be able to document where their assets are, whether they have "ghost assets" lingering on their books and how they gather information on their assets. The data collected with RFID can provide an accounting.
Another driver is data center consolidation, to reduce costs and complexity. Moving assets requires strong controls, and RFID can provide visibility into the process, according to a technology provider that has been working on consolidation projects with two global banking organizations.
Until recently, RFID-tagging IT assets was challenging for several reasons. It requires a small tag for devices such as blades, and the technology must provide accurate reads on metallic devices. In addition, financial institutions that have global operations must be able to do holistic rollouts using consistent technology throughout their facilities. The EPC Gen 2 standard specifies a global ultrahigh-frequency RFID band from 860 MHz to 960 MHz. But a small subset of that band is used in various regions, including the United States, Europe and Japan. So a tag that could support the different operational frequencies was essential.
Today, Confidex, Omni-ID and Xerafy are among the RFID providers meeting these challenges. The Confidex SteelBit, for example, is a miniature UHF on-metal tag, based on the FSTC standards; it supports operational frequencies in the United States, Europe and Japan. The Omni-ID Prox also is a global, small UHF on-metal tag that is FSTC- compliant.
Xerafy recently debuted its flexible small form factor Metal Skin. The global EPC Gen 2 inlay is designed to track metal assets and can incorporate human-readable data. For the financial services industry, "the problem with hard tags is that they are not able to have their human-readable information printed on them, unless you do the labor of putting a label on top," says Xerafy marketing manager Kelly Stark.
As low-profile, flexible designs and lower costs become the norm, Liard adds, it may become more feasible for financial firms to track their large contingents of laptops, tablets and other devices. This could be particularly helpful given the sensitive data that may reside on the mobile devices of financial firms' employees. "You've got lines forming in some environments for checking these in and out," he says. That process will go faster, he explains, if RFID-tagged laptops are identified automatically by serial number and associated by database with the proper individual, rather than hand-checked manually at security desks.
Storage is another IT asset ripe for RFID-tracking at financial services firms. There are many tapes and disk drives hosting sensitive customer financial information, for instance, and no business wants that data falling into unauthorized hands—and then having to tell its clients the bad news, as required by legislation such as California's Customer Data Protection Act. "Data tapes with a lot of sensitive financial information sometimes have to go from point A to point B," Liard says.
So tagging cases, individual tapes and vehicles that move the tapes to off-site storage facilities may be an option.
But the holy grail for RFID asset tracking in the financial sector is all about the money, says Scot Stelter Sr., senior director of product marketing at Impinj, a UHF technology provider. "That is the biggest security issue there is," he says. This is especially so in cash-based economies such as China, where Impinj worked on a project with a commercial bank whose branches must deposit cash periodically with the state-owned Bank of China—this means the client must transport cash physically and the transaction must be auditable.
Since mid-2011, several branches of the commercial bank have been RFID-tracking cash. The bank deployed RFID readers at its facilities and at the Bank of China. Machines wrap the cash in bundles of 10,000 RMB (US$1,568). These are wrapped in stacks of 100,000 RMB, and then placed in 40-stack cases. Forty cases are placed per trolley, totaling 160 million RMB. A Chinese services provider custom-designed an application that uses Impinj Monza UHF chips on tags for the case locks, which cannot be opened without destroying the tag.
"When a trolley goes through the portal at the destination, which is manned by custom readers using Impinj's Indy reader chip, all the cases are read, so [it's clear] they haven't been opened and the cash is untouched," Stelter says.
A large bank in India—one of the largest banks in the world, in fact—is engaged in an RFID pilot using close to 20,000 UHF tags to track bundles of cash in different denominations, according to Anand Surana, CEO of Indian IT services provider Icegein, which supplied the software. The bank wants to know how many bundles are in its vault at any given time, to improve processes and logistics for next-day cash dispatches to its 40-plus branches in the country.
"Imagine thousands of bundles a day that you have to count with line-of-sight bar codes, and how cumbersome and tedious that is" compared with RFID, Surana says. Biometric security technology was part of the deployment; parties authorized to open the vault must present RFID access cards and have their fingerprints scanned for access. "So both bundles of money and people are tracked," Surana says.
The bank in India decided to pilot the cash-tracking application because of the success it had with a document-tracking solution, also provided by Icegein. "They realized that document tracking saved them huge time in finding documents that were misplaced, so why not try it with bundles of money as well," Surana says.
Icegein also developed a document-tracking solution for a banking client that has nearly 500,000 documents in one vault. "If documents that should be in Row A are in Row Z, it's a nightmare," Surana says. "With RFID, it tells you exactly where these particular documents are." Other benefits, Icegein reports, include faster stocktaking and reconciliation (5,000 files in 45 minutes), and better security thanks to alerts when documents are moved outside the restricted area.
Banks and insurance companies often hire document-shredding firms to securely shred sensitive materials. Earlier this year, Reisswolf, a European confidential-waste-management firm, introduced an RFID-based electronic lock system, to ensure that only authorized parties can unlock containers holding documents to be destroyed. The solution, which uses active and passive tags, also generates a report indicating who opened a container, when and for how long.
Banking on Innovation
While some financial firms are quietly employing RFID to track and manage assets, more technology innovation and education is needed before the sector embraces the technology.
Tracking mortgage papers and other documents that banks in India are required to keep on hand for years is a major challenge, says Ashim Patil, CEO at Infotek Software & Systems (i-TEK), an RFID system integration company in that country. RFID could help, Patil says, but he hasn't seen the technology's use in that respect pan out. After conducting a pilot at one big bank in India and a limited deployment at another institution, things got quiet. The industry would reach a turning point, he suggests, if more banks were to begin tagging documents at the source—from the day a client applies for a loan, for instance, not after the loan is processed—using RFID-enabled printers on site. "The moment we get that, RFID takes off," he says.
A total IT asset-tracking solution is needed for that application and others to take off in the financial sector, Liard says. What might move things forward is for technology companies to start embedding RFID technology into components. A recent innovation—Intel's new platform, which features a UHF RFID chip embedded in a device's motherboard and wired directly to the microprocessor—could be used for location-based access control. The data on the chip could be written to or accessed by a handheld or fixed reader, even if the device were powered down. A bank, for example, could station an RFID reader at the doorway of a secured area to disable a notebook PC removed from the space without authorization.
"People in the financial sector will find that valuable to comply with security rules about customer and other data," Stelter says.
Cash-tracking applications could get a boost from version 2 of EPC Gen 2, due next year, Stelter says, because it will include encryption-based security. Tags will be able to authenticate readers and vice versa, and user memory will be partitioned securely. A commercial bank, for example, could use one section of user memory to store track-and-trace information it wants to keep private from a federal or state bank, or restrict it so the other bank can't change the information, he explains. "There will be new applications by virtue of really raising security capabilities," he says.
A few products based on the new Gen 2 spec may debut in late 2013, with more in late 2014, Stelter says.
La Caixa is Spain's leading financial institution in both retail and electronic banking as well as merchant services, with more than 200,000 businesses using its point-of-sale (POS) services. La Caixa also is a proponent of contactless payments, based on Near-Field Communication (NFC) technology, a short-range version of RFID.
In January, following successful payment pilots in the town of Sitges and on the Balearic Islands, la Caixa announced that it would roll out NFC in Barcelona. By year-end, the bank plans to issue more than 1 million cards that can be used at 500 contactless ATMs, and it plans to distribute NFC-enabled POS terminals to 15,000 businesses, according to a la Caixa representative.
The la Caixa cards support the EMV (Europay, MasterCard and Visa) global standard for interoperable credit and debit payment cards, POS payment terminals and transaction processing networks. Cards with embedded EMV chips are becoming the norm in Europe. In the United States, MasterCard and Visa have published guidelines for migration from magnetic stripe to EMV technology, to enhance security for contactless payments made with NFC-enabled cards and mobile phones.
While more mobile phone makers, banks and businesses are embracing NFC, there's an entire ecosystem of components that must interact for contactless payments to be fully realized, says Michael Liard, RFID director at VDC Research.
"The way I look at it is to picture a bunch of gears… that work to create the NFC machine—the integrated chip suppliers, mobile network operators, phone manufacturers, standards organizations, card issuers, banking community, mobile marketing and mobile money folks," he says. "And at the end of the NFC machine are us consumers, and we can shut that machine off with our indifference."
"Other banks are looking at extending the functionality of their mobile banking platforms to include mobile payments—something we believe to be very compelling for consumers, and which is the basis of our partnership with mFoundry " says James Anderson, MasterCard's group head of mobile product development. mFoundry is a mobile banking specialist, with more than 500 financial institution customers. MasterCard's Tap & Go PayPass technology, which uses NFC, will combine with mFoundry's mobile financial services platform, so consumers whose financial institutions use the mFoundry platform will be able to make secure payments at PayPass-enabled merchant terminals. It will likely also lead to a mobile application that lets mobile phone operators offer MasterCard NFC-enabled PayPass payments from their phones.
"Banks do acknowledge that mobile, in general, is the way forward, and there is a need to focus on mobile applications, for mobile banking and payments," says Sirpa Nordlund, executive director of Mobey Forum, the bank-led not-for-profit whose mission is to drive a sustainable mobile financial services ecosystem. "For the banks, it is more a question of how to meet the needs of a new generation of customers who grew up away from the desktop."
But there are other issues to be explored, Nordlund says, including how customer service works in a world of mobile-payment applications on NFC-enabled phones. "If you have your credit card in a phone, who do you call if it doesn't work—the mobile-phone manufacturer, the network operator or the bank?" she asks. Maybe it's not working because you haven't paid your phone bill, in which case how could a customer-service representative at the bank be of help? "All these customer service centers need clearly defined roles, in order to deliver valuable services to consumers," she says.
While these concerns won't be easy to address, Nordlund says, "Every leading bank must have given a thought or two to NFC, so they must have made a strategic decision to move now or later. It's no longer a question of 'if' they need to do it—it's now more a question of 'when.'"