David Reilly's quest: Data that’s portable yet secure

One source now estimates that worldwide there are more than 12,000 fintech startups. That sounds astronomical at first, but spend some time at financial technology conferences today and the sheer scope of what companies can be working on becomes impressive, almost staggering.

At the recent demo day for the New York FinTech Innovation Lab, run by Accenture and the Partnership Fund for New York City, Banking Exchange interviewed David Reilly, chief technology officer at Bank of America, one of the lab’s supporters. This was after hearing presentations by seven new financial technology players.

Reilly—based in New York City—oversees a big sweep of functions. These include the bank’s tech networks, product engineering, desktop and electronic communications, application hosting and data storage, operations management, support services, and data centers.

His team also handles data security. After some discussion about the role of fintech innovation at Bank of America, the discussion turned to Reilly’s thinking on the ever-present threat of cyber risk.

The following Q&A has been edited for length and clarity.

Banking Exchange: Many players talk about partnering with banks. And BofA is one of the sponsors of the NY FinTech Innovation Lab. How much of what you’ll be bringing to banking customers will come from outsiders? And how much from internal sources?

Reilly: There’s no target on how much comes from one source or another. It is still the case, though, that the majority comes from our own research, our own engagement with clients—what we call in Bank of America-speak the “voice of the customer”—to craft the solutions that they need. That may be at the consumer level, at the company level, and at the institutional level.

But we have worked hard to ensure that we’ve got connectivity to the vendor base. That’s including our traditional vendors who have served us well for many, many years. But we also want to augment that with start-up companies like the ones that you saw today.

Today’s event is only one part of that engagement. There are related organizations in Hong Kong and London and we’re a partner on all three.

We marry what we see and learn through such efforts to the work of our own group called Technology Partnership Development. That’s an internal group inside the tech division in Bank of America whose purpose in life is to engage with the emerging and start-up tech community around the world. When we find new players, the partnership development team helps guide them into the bank.

That’s because we acknowledge that it’s hard to sell to companies like us. It’s hard to get a foot in the door and talk to the right people. The partnership group’s work culminates with an event each fall in October.

Day one we present to the community, and to the venture community, on the bank’s strategic priorities. Day two about 40 start-ups present back to us. We’ve been doing this for seven years. Over the previous six years we’ve seen about 230 companies, 16% of which have gone on to be vendors to the bank. It’s a pretty impressive hit rate considering that these companies were brand new, to us.

Banking Exchange: What are the misconceptions people have about what banks are looking for?

Reilly: That we are non-embracing of the start-up community. That we don’t understand how hard it is to sell to us. That it’s just too hard, that the sell cycle is just too long. And it’s not worth your while to engage.

What’s great about the fintech program focus is we’ve been able to remove some of those barriers and lower some other barriers to make it easy for these companies to get a hearing.

Banking Exchange: Once, no one knew they needed an iPad—now almost everyone seems to have three. What are the future iPads for banking, especially on the business customer side?

Reilly: One that everybody is dealing with generally is how you secure your binary environment—cyber security. We all have perimeter defenses, encryption for data when it moves—data security, database security, access security. What we don’t have—what doesn’t exist out there today—is the ability to secure data at the element level.

What I mean is the element of data itself is being secured—knowing where it’s been, where it is, who is accessing it, who is asking for it to be moved. Moved physically, moved logically.

That element-level security is a real gap. And that’s one we’re on the lookout for constantly. We know how to secure physical cash. We know where it’s been, where it is, who has access to it, who is able to move it, where it is going next.

Banking Exchange: And it’s finite—if it’s all in the vault.

Reilly: Exactly. Why can’t you apply those same principles to data?

If you could, then you would add a level of protection that you don’t have today. An absolute and precise chain of custody for every single element of data. And we think that’s an area we’re going to see companies working in, increasingly.

PierceMatrix [one of the companies presenting at the demo day] is getting closer to that, but not quite there. Perhaps the marriage of what PierceMatrix has with some of the blockchain technologies will be part of what we are looking at.

That security issue is one example of what could be coming. I’d say the second one to point to concerns the customer experience.

Anything that provides more customer intimacy and more customer applicability. Something that makes you feel as a customer that you can do business on your terms when you want to where you want to on the device of your choosing.

To make that experience frictionless and personal—anything in that space is something we’re looking for. Our goal is to make the financial lives of our customers better.

Banking Exchange: At the events I’ve attended, I keep hearing people talking about the potential of blockchain. One of the companies demonstrating today is in that space. I keep thinking, “Sounds wonderful—but can anything really be impregnable?”

Reilly: There’s no easy or single answers to any of these problems. Technologies like blockchain may play a part. They may end up being transformational. But alone that won’t provide the level of security that we all need.

Who has access? Technologies like blockchain don’t help with that. We have to be skeptical that any one of the solutions people are talking about is a panacea.

When it comes to security, even the solutions that you are using are ones you must question and test all the time. That’s an absolute must in this day and age.

Your question is the right one. There is no single answer. Can’t be. I don’t think I will ever see that answer in my own career in this space. And even the ones that we use today, that we rely on, we’re testing their vulnerabilities constantly because there are no perfect solutions.

If anybody purports that what they’ve got is the solution, we tend to back away from them pretty quickly.

Banking Exchange: Going back to what you were saying earlier about data. You’re talking about some way of storing data that can only reside in one place?

Reilly: No, because you have to accept that data needs to move. It needs to be accessed from multiple points. Where it can be accessed from will change. The rules around the geography from which you can access it are often regulated.

So the fact that the data will move is a given. Being able to secure it so that wherever it moves to, the attributes about who is able to see it, who is able to change it don’t change—that’s the key. And not because you’ve isolated it in a database.

Over time we think we want to do even more than that and find ways that at the element level it is secure. The minimum level of protection would travel with the data itself regardless of the form it was stored on.

This would go way beyond what we think of as encryption, and the difference between encrypted data at rest and encrypted data in motion. What it would look like is undefined.

That’s what we’re looking for—protecting data at the very lowest level of granularity. The element itself.Something that’s transportable and mobile and doesn’t need some connectivity to an uber-host somewhere to protect it. Security that travels with it.

Banking Exchange: That’s fascinating. I’ve read about codes in ancient Greece when they would have a strip of animal hide  wrapped around a rod and only another rod of the same size could produce the message.

Reilly: Otherwise itwouldn’t match, yeah.  And we’ve not found anything that does this. We are very proud of the level of security we offer every day, but we are not complacent.

Banking Exchange: What about the human element? How do you improve the containment of the leakiness of the human element?

Reilly: Access management and identity management, which we touched on, yes, that remains critical.

At BofA, we reduce access as much as we possibly can to only the information that you need for the job you need to do. You don’t inherit access as you travel through the company and your role changes. We try to revoke access. We have policies around what we call “Use it or lose it.” If you haven’t used a certain set of accesses in a particular period of time they’re automatically revoked.

That even extends to building access, which can be incredibly annoying. But if you haven’t happened to have traveled onto a floor over a certain period of time you will lose your access to that floor.

Annoying, but it’s a smart way to go. It helps to self-police constantly that if you don’t use something we’re going to assume we can take the access away.

You also have to ensure that you don’t put humans in harm’s way. We worry just as much about the mistake as the deeds of the genuine bad actor.

Laptops are an example. All of that sort of thing is encrypted. So if we do lose one it is not going to be a lot of good to you.

If you make the mistake of then connecting it to a network, we’re looking for that lost laptop the entire time. We’ll remotely wipe it. If we lose a handheld device we have remote-wipe capabilities for that too.

And we store very little information on a laptop at BofA—it’s really a virtual desktop. It is very much a pane of glass that allows you to get to information that’s resident in the data center. But that data can’t be on that device because they’re going to get lost. They’re going to get stolen.

So while we encrypt, while we have remote wipe capability, the ultimate defense is to not have anything on there in the first place other than the software that you need to run email, to browse, those kind of things.

Read last week’s “Can fintech halt elder abuse?,” a report on the NY FinTech Innovation Lab demo day mentioned earlier in the article