
Press Release
Published September 04, 2017

Commonwealth Bank to outsource cybersecurity to save money

Date: September 04, 2017
Categories: Mobile banking, Risk management, Security, Technology, Transaction Banking
Keywords: Commonwealth Bank, Cybersecurity


Commonwealth Bank wants to move a substantial part of its information technology division, including critical cyber security operations, to save costs, amid a growing scandal over its ability to monitor and report suspicious transactions.

Sources said the bank was seeking substantial savings from its group-wide cyber security division, in what appeared to be a change of strategy under new head Yuval Illuz that has ruffled feathers inside the bank and led to several staff departures.

The bank has called a tender to move staff and a range of functions involved in its critical cyber security defences to an offshore location, possibly India, in what industry sources say goes against industry practice.

“There are no other banks that are actually talking about this,” said one source.

It’s understood that NAB has all of its cybersecurity functions in-house, but that CBA’s other two main big four rivals have also looked to outsource some of the IT security work.

According to a source, the operations and people involved range across a number of functions, from managing security access through to real-time monitoring of threats inside and outside the bank, as well as staff use of technology.

The tender comes amid Federal Court action by the Australian Transaction Reports and Analysis Centre over CBA’s failure to report more than 53,000 large cash deposits that may have helped facilitate money laundering and terrorism financing. Last week The Australian and Sky News Business revealed that an internal review of the bank’s compliance with Australian and global anti-money-laundering and terrorism financing laws had found that billions of dollars worth of transactions in the US, Europe and Asia were not being monitored, which could put the bank in the firing line of global regulators.

The review of the Institutional Banking & Markets business, which was presented to executives in February, also confirmed upper levels of CBA management were aware of the large-scale gaps in the bank’s compliance frameworks, well before Austrac filed its explosive 600-page statement of claim against the bank in August.

The mounting scandal sparked an investigation from the Australian Securities & Investments Commission into disclosure issues and an inquiry by the key bank monitor, the Australian Prudential Regulation Authority, into culture and other issues at the bank.

CBA has been highly regarded for its approach to cyber security, with big spending to establish industry leadership in digital banking drawing talent to the bank under its previous head Ben Heyes.

The bank participated in the Prime Minister’s cyber security roundtable and, according to its annual report, continues to be an active adviser to government. It was a founding participant in the government’s inaugural Joint Cyber Security Centre, launched in Brisbane in 2017, and established a scholarship program with the University of NSW to increase the number of local graduates and professionals for an industry that has exploded in recent years.

According to CBA’s annual report, the bank’s information technology services expenses jumped by 31 per cent to $1.9 billion in 2016-17.

However, industry insiders told The Australian that CBA’s IT security operations have been bleeding staff, particularly after the exit of Mr Heyes — the chief information security and trust officer — after what was understood to be a serious illness last year.

Mr Heyes’ position was filled by Yuval Illuz in February this year. Prior to joining CBA, Mr Illuz served as the global chief security officer for Israeli gaming software supplier Playtech. He had worked in neither Australia nor the banking industry before taking up the role.

“Resources have been tight inside CBA for some time and the agenda has moved towards being reactive rather than proactive,” an industry source told The Australian.

“Given the current threatening landscape and the demands from regulators, banks have a security hole to fill and the question is do they do it in-house or outsource it.”

The outsourcing proposal is understood to cover hundreds of CBA’s IT staff and dozens of the 700-strong cyber security division, and save tens of millions of dollars.

But industry sources said the move could weaken the ability of the staff to monitor and manage threats. “Does anyone think that it would really be better to have a third party doing this offshore — some of those really critical security staff — rather than having all these people here that you can touch and feel and manage the risks?” said one.

A spokesman for CBA confirmed the tender.

“Commonwealth Bank works with a number of different global and local IT partners. We’re always looking for ways we can work more effectively with them and use their expertise and we will always safeguard system integrity, security and information,” the spokesman said.

“When we make these decisions, it is driven by our thinking on what is the best workforce mix, and we assess that on several factors including expertise, skills and expense management.”

Outsourcing cyber security-related jobs like penetration testing and network monitoring is common in the banking industry. Once a product is finished, the internal security teams of the banks assess the product and check if it is fit for purpose.

Re-disseminated by The Asian Banker from The Australian Business Review