[Mac_crypto] FSTC Feb/March Project Update

R. A. Hettinga mac_crypto@vmeng.com
Fri, 19 Mar 2004 14:51:01 -0500

--- begin forwarded text

Date: Fri, 19 Mar 2004 13:13:02 -0500
From: Jim Salters <jim.salters@fstc.org>
Subject: FSTC Feb/March Project Update
To: members@ls.fstc.org

To: FSTC Members and Friends
From: Jim Salters, Director of Tech Initiatives and Project Development

*** Feb/March Project Update ***

Since our last update, 22 companies have committed to participate and launch
the Image Quality and Usability Assurance: Phase I project.  Also, we
completed the SVPCo/FSTC Black and White vs. Gray-Scale in Bank Operations
project in February, and SVPCo is now utilizing that report as a key
component of its planning.  Lastly, our Minimum Required Practices for
Global Sourcing project has issued a call for participation, and commitments
are being made by both financial institutions and technology partners.

FSTC provides an action-oriented, collaborative forum for our members to
address shared business opportunities and challenges through technology
projects and knowledge-sharing.  We view our projects as our core activity,
and one of the key benefits of FSTC membership is eligibility to participate
in these projects.  In our efforts to keep our members and friends
up-to-date on the latest developments in these active and developing
projects, we provide our colleagues this periodic project update.  As
always, please contact me or Zach Tumin, FSTC Executive Director, for more
information.  Or visit our website at http://fstc.org.

Active Projects:

1.  Business Continuity: Technology Best Practices Expertise Center
(launched Nov 2003)
2.  Survivability of Check Security Features in an Imaged Environment
(launched Oct 2003)
3.  Image Quality and Usability Assurance: Phase I (launching March 2004)

Projects in Formation:

1.  Minimum Required Practices for Global Sourcing (call for participation
2.  Phishing and Financial Services
3.  eBilling Self Service through Federated Identity
4.  Biometrics in Financial Services: Assessment and Action
5.  Treasury Services Integration: Data Exchange and Customer Connectivity
through Web Services (on hold)
6.  A Federated Identity Implementation Framework for Secure Email (on hold)
7.  Transformation to Open Mission Critical Systems


1.  Business Continuity: Technology Best Practices Expertise Center


The Technology Best Practices Expertise Center Phase I initiative has
brought industry leaders together to jointly develop consolidated,
industry-vetted best practices and actionable recommendations for technology
recovery in post-outage, remote recovery.  Regulatory compliance will be a
key requirement considered by the team.  The resulting documentation will
define best practices, identify key challenges and gaps in available
solutions, and identify recommendations for further actions (such as
testing) in future efforts.  The objective is to enable participating
companies to recover in a cost-effective manner, to validate and compare
their own recovery strategies with their peers, and to address regulatory
compliance in an industry forum.

The project launched on November 5, 2003 in New York, and is expected to
conclude in April 2004.  Project participants include: Bank One, Bank of
America, Comerica, JPMorgan Chase, Huntington, RBC Financial, US Bank,
Wachovia, and IBM.

This initiative originated in our Business Continuity SCOM.

2.  Survivability of Check Security Features in an Imaged Environment


In this project, participating financial institutions and partner technology
companies are selecting current and proposed (next-generation) check
security features.  Working with participating industry partners and
financial institutions, the project will test the survivability of these
check security features in high-speed and low-speed capture, in both gray
scale and black & white imaged environments. The result will be an
independent indication as to the viability of current and proposed
next-generation check security features in a truncated (imaged) environment.

This project launched in October 2003, held its first in-person meeting
November 18th in Charlotte, hosted by IBM, and is expected to conclude in
the April 2004 timeframe.  Project participants include Bank of America,
Canadian Payments Association, Comerica, Federal Reserve, First Citizens,
JPMorgan Chase, US Treasury, Wachovia, Wells Fargo, and Zions Bank; ASD
Corp, Cheque Guard, Clarke American, Deluxe, Fiserv, Harland, IBM, and SQN
Banking Systems.

This project originates from the Check Truncation SIG.

3.   Image Quality and Usability Assurance: Phase I


A group of FSTC member institutions and technology companies convened
January 13th in Atlanta to develop an initial set of objectives and
deliverables for a Phase I FSTC image quality initiative.   The goal is to
bring financial institutions together with key technology partners to better
understand the current industry activities in the area of image quality,
identify critical challenges yet to be addressed, and leverage the FSTC
project environment as a place to undertake key collaborative development,
testing, prototyping, and specification required to ultimately ensure
minimum image quality assessment capabilities in centralized and distributed
capture points, regardless of vendor or institution.  The ultimate objective
is to prevent unusable check images (and their financial exposure) from
entering the payment system.

A call for participation was issued February 4, and since then 22 companies
have committed to participate.  The first in-person project meeting will be
held April 2nd in San Francisco, following the FSTC/ABA/Federal
Reserve/SVPCo Image Assurance and Security event March 31-April 1 at the
Fairmont (http://fstc.org/meetings/next.cfm).  The project is expected to
run for 90 days, and conclude in June 2004.


1.  Minimum Required Practices for Global Sourcing


The primary objective of this initiative is to develop a comprehensive set
of tactical minimum required practices for both financial institutions and
vendors, as a baseline for the industry.  With increasing regulatory
interest, and a desire to collaborate to improve the overall strength of the
financial industry, FSTC members have defined a series of activities for
2004 that address key gaps and opportunities shared by FSTC member
institutions.  Areas of interest include data privacy, business continuity,
governance, safeguarding intellectual property, and others.

An in-person meeting was held February 26th in Orlando, bringing our core
group together with a broader industry audience to share the group's vision,
as well as further refine the scope, objectives, and next steps.  A call for
participation has been issued, and a number of financial institutions and
technology partners have committed to participate.

Please contact Zach Tumin (zachary.tumin@fstc.org) for more information.

2.  Phishing in Financial Services

FSTC member-institutions have expressed an interest in understanding and
addressing, at a technical level, the complex problem of phishing via both
email and web sites. A core group is developing a strawman statement of
financial institution requirements regarding phishing that will address
issues of ease of use and acceptance, effectiveness, cost and complexity of
implementation, and required industry coordination. When validated with a
larger group of financial institutions and technology providers, it is the
intention of these members to inventory and evaluate current vendor
solutions against the set of known threat models and financial institution
requirements, and to work with industry groups to prove/test/validate those
solutions. For more information, please contact Zach Tumin.

An FI-only project definition session is being held March 24th in New York
to begin this process.

3.  eBilling Self Service Through Federated Identity

This proposed project would seek to bring FSTC members together to define an
implementation framework for using federated identity standards such as SAML
to link financial institution sites with biller self-service sites.  The
proposition for billers is reduced identity management costs and increased
adoption, while financial institutions benefit from increased online
traffic, stronger customer service, and increased use of online services.
Customers will benefit from having a consolidated access point for disparate
billing sites and fewer usernames and passwords to remember.

A core group of financial institutions and technology companies are
currently developing this concept, and developing an initial set of use
cases.  Also, these companies are talking to billers and banks who might
participate in a pilot.  We expect to be able to share more information
about this project soon.

4.  Biometrics in Financial Services: Assessment and Action

Using as a basis the internal control objectives and practices of the ANSI
Standard X9.84 - 2003, Security and Management of Biometric Data, a core
group of interested FSTC members is developing a project concept to assist
financial institutions in determining the viability of biometric
technologies in several financial institution-specific use cases, including
account openings.  As currently conceived, this effort will culminate in the
assessment of the current state (2004) and desired future state of biometric
standardization, technologies, and business process efforts, and produce a
statement of financial institution requirements and recommendations on
issues of interoperability, security and management, and customer service
for critical business processes. The requirements for institutions to
utilize data in a standardized and privacy-aware fashion will be an important
performance metric. Ultimately, the project may include the development of a
reference implementation and the deployment of a pilot system to validate
the reference implementation.

5.  Treasury Services Integration: Data Exchange and Customer Connectivity
through Web Services (on hold)


As a potential Phase II following the previous Web Services for Corporate
Cash Management effort, a core group of FSTC institutions and technology
companies have defined key business objectives and deliverables for a
discovery phase, and subsequent pilot-level project utilizing Web Services
in the Treasury Services / Cash Management area.  The project, as it
currently stands, will seek to further develop the Phase I set of web
services and associated definitions to create new and open-standards-based
connectivity options between banks, and between banks and their customers.
The business goals are to enable standards-based "plug-and-play" integration
capabilities between institutions and customer platforms, whether ERP,
Treasury Work Station (TWS), or desktop.

A core group of financial institutions and technology companies has
committed to launching this initiative in the second half of 2004.  This
project is considered on-hold until later this year.

6.  A Federated Identity Implementation Framework for Secure Email (on hold)

Coming from discussions in the FSTC Advisory Council Security and
Infrastructure Standing Committee (SCOM)
(http://fstc.org/advisory/security.cfm), FSTC members are putting plans
together to create a federated identity implementation framework, with the
primary application being secure email.  The primary business objectives are
to create interoperability for shared customers and business partners, as
well as to reduce the cost of managing identity databases internally within
institutions.  The project would deliver a set of technical, business, and
legal/regulatory definitions to create a framework for the industry to
utilize in secure email and ultimately other applications.

An in-person session was held January 8th in Boston, hosted by Fidelity.  A
revised proposal was developed coming out of this meeting; however, given
the relative immaturity of secure email technology and solutions that have
been selected and implemented within FSTC member institutions, the team
agreed that this project should be put on hold while those decisions are
made.  It is expected that later in the year, a discussion about enhancing
secure email through federation will be started up again.

7.  Transformation to Open Mission Critical Systems

The transformation of systems from higher cost or proprietary delivery to
open systems is one of the most hotly debated and discussed topics in
financial services IT. While there is great promise in the flexibility and
efficiencies gained, there is also risk and cost. An FSTC project will soon
form up to determine answers to such key questions as, "Are those
transformations viable?" and "What are the costs and processes by which a
successful transformation program will be run?" The vision of this
initiative is to bring together financial institutions to investigate the
needs, processes, best practices, technology issues, risk factors,
organizational issues and lessons-learned for transformation projects which
move core business processes from legacy IT assets to open systems.  We will
provide additional details shortly.  If you are interested in joining an
interest group around this topic, please contact us.




--- end forwarded text

R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'