OCBC wants technology safe and tested

Because banks manage customers' money and confidential data, IT innovation must at times give way to security, says OCBC Bank CIO Lim Khiang Tong.
Written by Eileen Yu, Senior Contributing Editor
Lim Khiang Tong

CIO 1-1 As CIO of a major bank, Lim Khiang Tong works in an industry that not only deals with one of society's most valued assets--money--it is also a market that can be extremely volatile, as the current financial turmoil has shown.

The head of group technology at OCBC Bank, however, embraces this challenging environment, noting that the fast-faced industry makes his involvement in IT more interesting.

In an interview with ZDNet Asia, Lim discussed how the bank uses technology to differentiate itself from the competition and explained why IT innovation must sometimes be sacrificed for the customer's sake.

He also called for tech vendors, amid their haste to shorten their time-to-market, to be more mindful about delivering products that are tried and tested.

We've seen how the U.S. credit problem snowballed into a global financial crisis. Moving forward, how do you think IT tools can play a role in helping to address this issue? For example, through credit-scoring applications and governance, as well as to restore customer trust in financial institutions through CRM components, for instance?
Lim: We will continue to invest and strengthen ourselves in areas such as credit scoring and risk management.

How has the current economic climate impacted OCBC's IT strategy for the coming months and 2009? Are you looking more closely at how tech can help enhance specific areas in the bank's overall business strategy?
With the current challenging market conditions, we may see technology vendors being squeezed into cutting costs amid the stiff competition. In that sense, the coming months may present a good opportunity for technological investments in areas that will support our business growth.

Thriving under challenges

Name: Lim Khiang Tong
Job title: head of group technology (CIO), OCBC Bank

About Khiang Tong:
Majored in computer science and economics. He left a foreign-owned bank 20 years ago to join OCBC.

About OCBC Bank: Singapore's longest established local bank, with roots that go as far back as 1912, OCBC today has a network of over 470 branches and representative offices in 15 countries and territories including Singapore, Malaysia, Vietnam, China and the United States. Its group assets are worth S$184 billion (US$120.4 billion).

Being a bank, there are policies and compliance issues that you'll need to adhere to. Are there meetings to discuss how IT can be tweaked and automated to meet these requirements?
Yes. In banking, security is considered one of our top priorities. In addition, we are regulated by guidelines set by the Monetary Authority of Singapore. In order to ensure we are in compliance with these guidelines, we conduct regular review meetings with our internal audit and information security departments to continuously address any existing or potential gaps.

In the markets which OCBC has a more established presence, like Singapore and Malaysia, what's your strategy for these segments?
In line with OCBC's five-year strategy from 2006 to 2010, which we call New Horizons II, the emphasis is on embedding the bank in the region through a build-and-transfer approach and continuing our efforts to build a high-performance bank through a balanced scorecard discipline.

Our IT approach focuses on two fronts. We continue to build on our capabilities to achieve operational efficiencies between Singapore and Malaysia. On the customer front, we differentiate ourselves by coming up with innovative products and services that meet our customers' needs. Where innovation is concerned, I believe technology plays a very important role here. We continue to put in new capabilities in our delivery channels to make the interfaces more customer-friendly.

For example, we built a feature in our automated teller machine to enable our customers to update their home addresses. Also, when we introduced two-factor authentication, as part of a security initiative to provide greater online protection for Internet and mobile banking users, we recognize that the additional level of security should not come with additional levels of complexity or inconvenience. So, we went the extra mile to offer choices for our customers that best suit their lifestyle, from hardware token to mobile phone, to SMS-based authentication.

No matter how innovative you are, I think security and customer data has to be the first priority. We cannot compromise on that. It's the one rule that we cannot break.

How do you decide, with all the technology available out there, to go with a specific one to improve a particular service?
The working philosophy of our IT department is to treat the bank's business units as partners and keep in close touch with their needs. We need to understand how IT can be leveraged to bring about operational efficiencies to help our business partners meet their business objectives. We work as a team to set priorities, business objectives and balance these against investment cost and margins.

We are aware that business developments evolve by the week, so we have to continue to make the judgment call from time to time. At the same time, we stay focused. One of the ways we want to differentiate ourselves is through customer service. So, from the supporting end, we need to provide useful and efficient systems for our business units to meet our customers' needs.

For example, two years ago, we invested in an infrastructure we call Enterprise Management System, to serve as a control center for us to have a bird's eye view of OCBC's entire IT infrastructure. We set certain thresholds for our various IT systems, so any abnormalities can be detected immediately.

What would you say then is unique in your role as CIO of a bank? What needs do you have that are different from your peers in other industries?
For banks, because we deal with customers' money and confidential information, we have to regard data security and sensitivity as our topmost priority.

The banking industry is also a very competitive market, where margins are thin, so we have to run our operations as efficiently as we can. This is where IT can come in to play a very key role. As CIO of a bank, I have to continuously explore that opportunity and find ways to deliver our services in a cost-efficient way.

But it must be tough being a bank, having to manage potential security risks and ensure sensitive information is protected, when at the same time, you want to be an innovative IT provider and be the only bank that provides a certain service. How do you balance these issues?
There's always a trade off, but no matter how innovative you are, I think security and customer data has to be the first priority. We cannot compromise on that. It's the one rule that we cannot break, so that's pretty clear cut.

Doesn't that make trying new technology particularly worrying for you?
Yes, that's why we have to be very careful and we can't just roll out any technology that the vendor claims it can do. That's something I need to manage with my internal users. If a vendor or an advertisement claims a technology can achieve certain things, I need to make sure it can be deployed successfully in the banking industry and not compromise on security.

The financial industry isn't always an easy industry to be in. Wouldn't running IT in a non-banking environment be more sane for you?
I majored in computer science and economics, and my background is very much entrenched in the financial industry. When I first joined a bank, I wasn't sure it was what I wanted to do. But, I realized later that this industry is fast-paced, exciting and it's always changing, and I like that kind of environment.

Yes, it can be very taxing, but that's what makes being involved in IT in this industry so interesting.

If you look at the IT industry now, and the vendors that play in this market, what's the one thing they're still not getting right and that you hope they can better provide to allow you to do your job more easily?
Vendors usually believe that you can just buy a product and plug-and-play, but the reality is, you just can't do that. There's always a certain level of customization that you need to do. Of course, you can try and be disciplined to make sure you don't customize a product unnecessarily, but there's still a gap that needs to be filled--though this void has been narrowing over the last few years.

Vendors can also play a role in helping to devise a sourcing strategy that will allow me to deploy an IT project in the most cost-eficient way across the region. For example, how can I deliver an IT project in China that's also cost effective elsewhere? My cost structure for implementing that project in Singapore would be different from that in China.

Another area that needs to be addressed is product quality and testing. Very often, today, vendors tend to compromise on product quality in order to shorten their time-to-market and be competitive. So they ought to improve on their testing methods in order to deliver a more reliable product to customers.

Is the quality affected by their testing method, or the length of time they take to test a product?
I wouldn't know for sure. But, gone are the days where vendors had the luxury of dedicating six or nine months to test a product because things are moving faster today. Perhaps it's about how they can automate the testing process, or the need to run a more comprehensive testing procedure. As a bank, we buy technology, we don't build it. So I depend very much on the vendors' assurance that their product quality is tested and proven.

Editorial standards