Different Approaches to Corporate Authentication

In their efforts to satisfy demand from corporate treasury managers for more information about their accounts, banks are also beefing up their security tools.


A handful of banks have introduced products using different types of authentication technology, including tokens, biometrics, and digital certificates. The diversity of offerings — each seeking a balance between security and simplicity — reflects the immaturity of the authentication software market.

Several of the approaches were on display this week at the annual convention of the Association for Financial Professionals, a trade group for corporate treasury executives, in San Antonio.

JPMorgan Chase & Co., the largest provider of corporate cash management services, showed off what it called a first-to-market digital signing system for its Internet cash management portal.

The New York banking company said its JPMorgan Access uses SecurID tokens from RSA Security Inc. of Bedford, Mass. The tokens use a mathematical algorithm to generate a six-digit passcode that changes every 60 seconds. (The same algorithm runs on JPMorgan Chase’s computers to validate the passcode.)

Some other financial companies, including E-Trade Financial Corp. of New York, already use RSA tokens with consumer accounts, but JPMorgan Chase says it is the first to offer them to commercial customers for access to high-value cash management accounts.

It also says the tokens offer an easier way to verify users’ identities than public key infrastructure, which is commonly used now. PKI uses matched pairs of mathematical keys — long numerical strings — to encrypt data and authenticate users of financial systems.

Nikhil Sathe, the chief treasury architect in JPMorgan Chase’s treasury services unit, said the token provides “portability and ubiquitous access” to accounts regardless of location, which is especially valuable to small and midsize companies.

Unlike PKI certificates, which may exist within the workstation where a user typically accesses the client’s accounts, the token enables the bank to verify “who is on the other end of the connection, rather than where they are,” Mr. Sathe said. The bank plans to make token-based authentication mandatory for all users who authorize transactions or control access for other people. The switch, now about 20% complete, should be complete by January for the 25,000 client companies that use JPMorgan Access.

Though PKI technology has long been one of the most secure and reliable ways to conduct business online, trying to implement it has historically been a complex, expensive, and unwieldy process. In the last few years banks and vendors have started to embed PKI into packaged security applications, to make the technology easier to use and provide a faster return on the investment.

Hilary L. Ward, the director of global information cash management services at Citigroup Corporate and Investment Banking, said it plans to incorporate PKI-based digital credentials next year into its new TreasuryVision service for aggregating corporate financial information from institutions around the world.

More security tools are being incorporated into treasury management tools that give corporate customers better control over their accounts. For example, Ms. Ward said PKI credentials will be used to authorize treasurers to add signatories digitally to all of a company’s accounts with a “search and replace” function, rather than requiring the executive to sign cards for each account.

Some government agencies may still require physical documentation, but Citigroup could act as “an electronic notary for transactions” on behalf of its clients.

The feature will initially work for Citi accounts around the world, she said. However, it could also become interoperable with other banks’ systems, because the credentials are compliant with the industry standards established by Identrus LLC of New York, the bank-owned rulemaker for online identity.

KeyCorp of Cleveland has developed a different type of tool — fingerprint-based biometrics — to authenticate corporate customers that use its Key Total Treasury online cash management system.

Veronica Correa-Janssen, a senior vice president at KeyBank and the product management team leader in its global treasury management group, said it was displaying the biometric tool at the conference as a form of “market research” to gauge the reaction of corporate clients and prospects.

The biggest concern for treasurers was having their fingerprints stored in a database, Ms. Correa-Janssen said, but the system does not record the print itself; it uses a mathematical algorithm to describe the unique pattern of whorls and loops on the print.

“Once you walk through that with the customer or prospect, they feel very much at ease with it,” she said.

The biometric approach also is simpler to use than tokens or digital certificates, Ms. Correa-Janssen said. “It’s very easy, very convenient. You don’t have to remember a log-in or password. You just swipe your fingerprint and go.”

KeyCorp probably will incorporate the fingerprint reader into a log-in system upgrade planned for next year, and the feature will be an option for corporate customers, she said. “There are a lot of different policies out there. We need to make sure we fit in.”

Ariana-Michele Moore, an analyst at the Boston market research firm Celent Communications LLC, said the variety of approaches is “a reflection of the infancy of the overall authentication market.”

Though much of the technology used in these systems has been available for several years, adoption has been slow. That is changing, Ms. Moore said. “Corporate customers are beginning to demand it, because of all the threats that are emerging.”

She predicted that biometrics would be the long-term winner, but that such systems could be used in combination with tokens or credential-based systems for years to come.

Maggie Scarborough, the senior analyst for corporate banking at Financial Insights Inc., a Framingham, Mass., research unit of the Boston technology publisher International Data Group Inc., said banks are using things such as authentication systems to differentiate themselves in the market.

Many bank exhibitors at the conference were showing cash management applications, such as remote check-image capturing for electronic deposit, but such systems have become commonplace, she said. “All the standard stuff is commoditized, and you must innovate, or you become part of the wallpaper.”
