Secure is as Secure Does
The Future of Cyber Banking in Japan
|
Internet banking services, backed by the made-in-Japan SECE security protocol, are taking off in Japan. But whether the flight will be a
smooth one for the Japanese economy depends on whether Japan's financial institutions willingly take the pilot's seat or are content to just
go along for the ride.
by Noriko Takezaki Japanese banks, long regarded as among the most conservative institutions in Japan, and being tightly regulated by the Ministry of Finance (MoF), have begun to change. With the expected growth of electronic commerce (EC) that is being ushered in by the Internet era, and in the face of "Big Bang" deregulation/liberalization of Japan's financial and securities industries, change was inevitable (and, many would say, overdue). But successfully coping with change requires foresight and effort, and on that question the jury is still out. One of the more obvious changes for the general public is that some banks have started offering Internet-based banking services. Bank customers can now check their account balance, or even transfer money, via the Internet. The unanswered question on many minds, though, is "How secure is Internet-based banking?" Bank representatives may proudly declare that, since their services are based on SECE, the process is generally safe. But for most of us, that simply leads to another question: "What is SECE, and what does it mean for me?" SECE, which stands for Secure Electronic Commerce Environment, was jointly developed by Hitachi, Fujitsu, and NEC, all major vendors of financial computing systems in Japan. The main objective of SECE development was to create a common and secure platform for electronic commerce business. SECE development was eventually incorporated as one of the EC promotion projects of ECOM (the Electronic Commerce Promotion Council of Japan), a Ministry of International Trade and Industry (MITI) affiliate. Because of its recognition by ECOM, the SECE development project received a subsidy of some ¥1 billion from MITI. SECE complies with the global Secure Electronic Transaction (SET) standard created by Visa International Service Association and MasterCard International Inc. It augments SET by having a Japanese Payment Option that is suitable for the common commercial practices in Japan. For security, SECE uses the same encryption methods as SET - in other words, 1,024-bit RSA for public key encryption, 56-bit DES for shared key encryption, and SHA as the hash function. The SECE protocol comprises a payment component (an application-level protocol for executing safe and accurate payments between consumers, shops, and financial institutions) and a certificate management component (used for electronic certificates that authenticate transactions over the Internet). Overcoming initial resistance SECE did not get support from Japan's financial industry at the beginning, in spite of its backing by MITI. "At first, many thought that SECE intended to compete against SET and pursue Japan-specific aspects only," recalls Hiroyuki Chiba, an engineer in Hitachi's electronic commerce department. Chiba was involved in SECE development from its start, but he soon discovered that, "Even some of my colleagues in Hitachi said SECE would soon be shelved. They regarded me as a poor guy who had been assigned to a troublesome, fruitless task." In order to persuade doubters, particularly those in the financial industry, SECE promoters eventually launched a banking-working group in January 1997 by inviting representatives from the 11 major banks in Japan. Prior to that, SECE promoters had already launched a credit card working group (in November 1996) with 10 credit card companies in Japan; Visa International and MasterCard International participated in that group as observers. It was this involvement by Visa and MasterCard in SECE activities that finally persuaded the financial industry that SECE was not out do battle with SET. Even after the banking working group was launched, however, SECE promoters found that there were serious hurdles to overcome. One major hurdle was changing the mindset of the traditional financial computing business, in which each bank and its vendor independently developed its own system. Banking officials were also confused and concerned by the absence of MoF participation in the SECE initiative (since the MoF had always provided behind-the-scenes "guidance" for every banking activity in Japan). Banking working group members, therefore, initially participated as observers only, tending only to listen to other's views but unwilling to risk voicing any opinions of their own. As the bankers eventually came to understand the importance of SECE as the framework for their use of the Internet, however, they became enthusiastic. "For the past two years, we have had a meeting of the SECE banking working group every Tuesday evening, sometimes lasting until midnight. The representatives of the 11 banks, as well as we SECE promoters, became so eager about the discussion of banking protocol development that we hardly took time out for dinner. And when the meeting was finally over, we always had to dash to the station so as not to miss the last train," observes Hitachi's Chiba. "But nobody complained. I think this was because we all believed that SECE can lead the future of our country, and we are in its core." As a result of the banking working group's activities, the SECE study group completed development of SECE Banking Transaction Protocol version 1.0 in September 1997. This protocol has been published on the ECOM webpage (http://www.ecom.or.jp). MITI, meanwhile, is very proud of flanking the rival MoF through its successful backing of SECE. Also, the effort was realized through exactly the scenario that MITI now promotes; that is, while the ministry supports the establishment of frameworks for the private sector's new business initiatives, MITI believes the private sector itself should lead the effort to successfully commercialize new businesses and activate the Japanese economy as a whole. "Follow the example of SECE" has become a slogan among MITI officials for their policy-making activities, one that they often quote to encourage other industry leaders to activate their business. Internet banking in Japan Introduction of Internet-based banking services for the public has been slow, however. As of October, just three banks were offering Internet banking services in Japan: Sumitomo Bank, Sanwa Bank, and Asahi Bank. Daiwa Bank and Daiichi Kangyo Bank, meanwhile, are scheduled to launch Internet banking services later this year. And currently, the only available Net banking services are bank account balance inquiry and money transfer within Japan. These services are available 24 hours per day. Sanwa Bank also operates a virtual shopping mall on the Internet, for which it manages payment transactions. This mall, called EC Direct, currently has 13 shops, including Asahiya bookstore, JTB (a travel bureau), JAS (an airline), Takashimaya Virtual Mall (a department store), and IBM PC Direct. For security of their Internet banking services, all of the banks mentioned above (except Sumitomo) use or will use SECE. "Since SECE is compatible with the world's standard, SET, we can easily expand our SECE-based banking services to credit card transactions in the future," says Kiharu Nakamura, senior manager in Sanwa Bank's network strategy department. "Not only by providing banking services to our customers, but also through an overall payment settlement service for consumers, we can create real opportunities to make profits out of transaction settlement over the Internet." "We think that the initial two years will be a period of promoting use of the Internet among our customers," continues Nakamura. "Our real challenge will come later - say, in three years - when EC business is flourishing. In order to take the lead three years after, we decided to start Internet-based services now." Odd-man-out Sumitomo Bank uses SSL (Secure Socket Layer), not SECE, to secure its service. When Sumitomo started its service - it was the first, in January 1997 - SECE was not yet available, so the bank selected the same method that American banks had been using: SSL with VeriSign's electronic authentication service. Sumitomo Bank initially used 40-bit SSL, but upgraded this year to 128-bit SSL for enhanced security. Currently, about 10,000 customers user Sumitomo's Internet banking service, and the bank expects to have 100,000 subscribers (about 5% of its customers) in three to five years. Sumitomo Bank has also been carrying out trials of a virtual shopping mall, but has not yet decided whether it will operate such a mall. "We have been quite aggressive in the use of the Internet in our activities, since our launch of Japan's first Internet banking service two years ago. However, when it comes to the issue of whether we should be involved in the payment settlement (kessai) for consumers, we are taking cautious steps," declares Takeyoshi Enomoto, assistant general manager at Sumitomo Bank's electronic commerce banking department. "The point is that we don't know how soon EC business can be successfully disseminated. For the time being, we will observe the situation closely, while carrying out some related trials." NTT Data's challenge Meanwhile, NTT Data--a provider of communications infrastructure for financial institutions--has announced that from April 1999 it will offer Internet-based banking blended with securities services through its ANSER-Web service. ANSER-Web, started in November 1997, was originally designed to offer financial institutions with bank account balance inquiry capability via the Internet. So far, 116 city and local banks and credit unions have signed on as ANSER-Web customers. The new banking/securities services will enable users to make balance inquiries, debit/credit transactions, and money transfers, as well as utilize securities services such as orders for stocks and application/cancellation of specified contract security products. Security will be provided by 128-bit SSL for account balance inquiries, and by 1,024-bit RSA and 56-bit DES combined with the VeriSign's electronic authentication for money transfers. The new ANSER-Web service will allow the use of Microsoft Money, the fund management software whose Japanese version was released in July, for fund transactions, asset management, and stock price simulations. Further, the service will be linked to an Internet-based mobile banking service that NTT Mobile Communications Network (NTT DoCoMo) plans to offer in the near future. A millennial market change On the government side, several advisory bodies have been formed to examine what deregulation measures are needed for realization by 2001 of market-oriented transactions in such fields as banking, securities, insurance, foreign exchange, corporate accounting, taxation, and commercial regulations. Although it is not yet certain just how much such a deregulation, or "Big Bang," will affect businesses, one thing is clear: Japanese companies will have to be ready to face the challenge of a new phase of commerce. As an example, loosening of the Foreign Exchange and Foreign Trade Control Act will almost certainly lead to an increase in cross-border transactions. And an increase in use of the Internet and electronic commerce will necessitate new methods of dealing with business on a global scale. Whether Japanese banks can prosper, or even survive, in such a new business environment will depend on how accurately they perceive changes in the market, and how enthusiastically they institute new procedures to deal with the new market realities. If they continue to slavishly follow conventional business procedures and concepts, and let foreign financial institutions take the lead in innovative services, the Japanese banking industry may soon find itself facing a crisis that overshadows the current unrecoverable loan dilemma.
Sumitomo Bank:http://www.sumitomobank.co.jp
|
