Outsourcing meets Identrus

Japanese banks select SECOM to host Identrus digital certificate services.

Outsourcing of IT requirements has been a hot topic for a while, and particularly in the financial services industry, where the infrastructure is becoming increasingly complex and expensive.

With many global financial institutions racing to offer digital certificate services based on the global standards established by Identrus, this is one particular area that will see a huge growth in outsourcing contracts.

The latest to come to light is Japanese company SECOM, recently selected by Bank of Tokyo Mitsubishi (BTM), Industrial Bank of Japan (IBJ) and Sumitomo/Sakura to provide the Identrus component of their B2B e-commerce risk management solutions.

On top of its existing clients this means that it’s likely SECOM will provide Identrus PKI services on Sun Microsystems hardware for all four of the mega-banks being formed by mergers in Japan: Mitsubishi Tokyo Financial Group (BTM, Mitsubishi Trust), Mizuho Financial Group (IBJ, Fuji Bank, Dai-Ichi Kangyo Bank), Mitsui Sumitomo Financial Group (Sumitomo, Sakura) and United Financial of Japan (Sanwa Bank, Tokai Bank).

Forty-two of the world’s leading financial institutions are members of the Identrus network and are able to act as Identrus Certificate Authorities (CA). These CA will provide digital certificates, or ‘Global IDs’, that will enable corporate customers to participate in business-to-business Internet commerce as trusted trading partners within a global community of similarly certified trading partners.

It is perhaps not surprising that Japanese banks are beginning to embrace the outsourcing of key IT projects. In terms of technology standards and budget size, most Japanese institutions are well behind their Western counterparts, and remedying this is one of the major reasons behind the recent round of mergers.

According to Identrus, it typically takes a year or more plus a $5 million to $10 million up-front investment for a financial institution to build its own digital certificate authority infrastructure. Using an Identrus Express partner, a financial institution can deploy one in approximately 90 to 120 days (provided the financial institution meets pre-qualifying criteria) for minimum up-front investment.
There are currently eight e-commerce security companies in the Identrus Express network, including SECOM, that operate data centres where they build and activate a separate security infrastructure for each financial institution client.

The first banks to offer Identrus-enabled applications when the global system was launched in early December last year were ABN Amro Bank, Bank of America, Deutsche Bank and HypoVereinsbank.

The two latter banks also outsourced their Identrus infrastructure, which helped them bring their products to market with such speed. But rather than outsource to an independent third party, Germany's four leading private financial institutions: Commerzbank, Deutsche Bank, Dresdner Bank and HypoVereinsbank have joined together to create TC Trust Center, a subsidiary company that hosts their Identrus infrastructure. The banks are then free to develop their own unique business applications that connect to TC Trust Center.

Global Standard

Identrus is not yet established enough to truly be called a global standard for identity trust, as only a few banks are offering products and services that use Identrus digital certificates. But by the end of 2001 it should be more thoroughly entrenched in the global financial services industry.

The company is currently working with a team of US-based lawyers on the legal infrastructure for bringing Tier 2 banks into the system, and Asia Pacific representative George Mathanool says this should be completed around the third quarter of this year. Identrus operates as a global Root CA, with two tiers of Financial Service Institutions (FSIs) in a descending hierarchy.

Tier 1 FSIs must meet certain stringent financial rating requirements and will be the issuing CA for smaller Level Two institutions. Tier 1 FSIs can also issue digital certificates to their employees, corporate customers and applications servers as well as building e-commerce products around key identification services such as authentication and explicit warranties.

Tier 2 FSIs can, through a Tier 1 sponsor, provide certification authority, liability tracking and risk management services for their business customers. It is expected that towards the end of this year many smaller regional banks in the Tier 2 category will begin establishing relationships with Tier 1 banks and begin offering Identrus-based services.

In other recent developments, Identrus has signed deals with the ubiquitous messaging network SWIFT and Bolero.net, a secure electronic system for transmitting trade documents. This has eased fears in the financial community of a proliferation of security and identification standards for different networks.

The company is also working on interoperability issues with other CA and vendors of PKI and digital certificate services such as Verisign and Entrust. Once these vendors have incorporated the Identrus standards into their products, digital certificates issued by different CA, using different technology, should be compatible.