“The customer should be empowered to manage the access to their data and have the highest expectations regarding how safely that data is kept.”
Insightive.tv: Can you begin by describing some recent projects that are further transforming ING into a digital business?
Ron: If you think about “digital” as a transformation goal it is hard to say that there is an end to the process — so it is actually quite difficult to talk about specific projects. I think that it is often unhelpful to look solely at what you could call “lighthouse programs” that highlight how “cool we do digital.” Our Dutch origin is called Postbank — which do not have branches. So we started adopting technology as a driver of customer contacts back in the mid-1980s. We were one of the first banks in Europe endorsing remote banking, or telephone-based banking, and have a long history of using technology to drive innovation.
In more recent decades we enhanced our model and introduced ING Direct in Canada, the US, UK, Australia and much of continental Europe. We are known for our customer centricity, but we do not offer a full branch service — making us extremely focused on offering a digital experience, either through the internet or mobile channels that are either self-service or assisted with a call centre or video chat option.
At ING, digital is not necessarily a project or a program, it is in our DNA, it is the core platform of the company. This, I think, is what sets us apart from other banks. I think it is part of the reason that in seven out of the thirteen retail markets in which we operate, we are the bank with the highest Net Promoter Score. I think this says a lot about our ability to utilise technology to meet a range of customer needs.
Insightive.tv: Do you think that increased levels of digitalisation, and the use of technology, are creating new levels of risk in the business?
Ron: IT does not necessarily increase your risk profile, but the maturity of your information security — be that data protection or protection against DDOS — should go hand in hand with your digital capabilities. The more you reach out into an open ecosystem, the more you expose your services to risk. I think that it is actually this change — open ecosystems, open APIs and platforms that are managed by third parties — that is truly increasing risk, rather than simply digital adoption. But, even here, this is something that is only a problem if it is not appropriately planned for and mitigated.
Insightive.tv: Do you see information security as an enabler or a necessary cost?
Ron: It is an intrinsic and embedded element of everything we do. To a certain extent, I would call it a necessary cost. But I do not think we are at a point of saying “come to this bank because we are the safest digital bank.” That sounds like advertising a hotel because you have the most accessible fire exits. It must be taken as a standard. It is an embedded part of everything we do, and to that extent, it is a continuous and necessary investment, but this is not a unique feature of ING. On the other hand, as I said, because your cybersecurity capabilities must mature to meet levels of technological implementation, security can enable the development of projects that may previously have been disregarded as unsecured.
Insightive.tv: Have any recent regulatory changes had an impact on your thinking around digital transformation or information security?
Ron: I think that there is an increasing attention, within the financial service industry, among supervisors and regulators on data protection and retaining integrity of service. I think that this is a good trend. As we all become more digital, this needs to be embedded in what we do. We see an increasing amount of regulation, specifically in the realm of data protection, and that is extremely relevant to digital transformation projects. But we are not currently and specifically investing for particular new regulations. From our perspective, specifically, we are not rolling out new features because of new regulations — we have a very secure platform already built. This is something we have always embodied through our embedding of cybersecurity protocols in everything we do. So we are not all of a sudden spending a lot more money on projects because of any new regulations. We have our programs, and it is a continuous investment. It is always an opportunity. We always look at things in terms of what we can protect. But the necessity to protect these assets is ultimately a cost. But it is a cost we gladly pay.
Insightive.tv: Do you have thoughts on the GDPR specifically?
Ron: In principle, I think that the customer should be empowered to manage the access to their data and have the highest expectations regarding how safely that data is kept. On the other hand, you see that some regulators tend to limit the free flow of data across countries. And that is not always inspired by motivations to protect the customer — there are other motivations as well. I think that the customer is not always protected in the best way by limiting this flow of data from one country to another. But I am a strong believer in retaining our trust by keeping the customer identity as safe as possible. We have to maximise the investment needed to make this happen. ING has a long background of giving the customer as much empowerment as possible to manage the data held by the bank.
I think that all regulations should be founded on empowering the customer. To that extent, I think that protecting data is the most important reason for regulation. This is not, per se, saying that the GDPR is more important than any other particular set of regulations. In the end, most regulation is to protect the customer, and customer protection is the relevant reason to invest in information security. All regulations are important, but I am inclined to view the GDPR with particular importance just because it focuses specifically on empowering customers.
How would you summarise your digital agenda?
Ron: The main message here is that digital has been in our DNA for decades. It is not a hype thing for us. We need to be good at digital because in many countries we operate as a digital first bank. Even in countries where we have a branch based network, we still position ourselves as a primarily digital bank. That means that our investment level, in terms of digital channels, automating our service layers, investing in STP processes, making our back ends real time, are all serious priorities for us. These are all technologies that are needed to operate digitally and are all topics that could be discussed for a long time. This includes changes in engineering, change away from traditional waterfall and project-based methods of working to fully agile modes and global scale rollouts. These are all challenges. But, fundamentally, these are the priorities that make ING the bank that it is.
Ron van Kemenade is CIO at ING. We spoke with Ron to get an understanding of the digital strategy at ING, and his take on how greater digitalisation is impacting the industry, ING and the development of cybersecurity.
ING Group provides retail, direct, and wholesale banking services through an omnichannel distribution to a global market. They are one of Europe’s largest banks and have a robust and historically significant digital and remote banking presence — known as leaders of technological adoption.
THE GDPR AND THE GLOBAL DATA PROTECTION HORIZON