by Richard Veryard
Transcript from Podcast [34:30-38:38]
[Richard] Let me talk about the relationship I have with my bank. As a typical banking customer, I get a very simple set of services from my bank, and quite frankly it’s not really what I want, but all the other banks offer me pretty much the same services, so I don’t really have much choice. What I would like from my bank would be for me to define my own data model, which would be more complex and more fitted to what I need than the data model the bank gives me. What I would like is to be able to define my own policies on the bank account – give me a policy language, I’ll code my own policies, I’m happy to do that – and let the bank execute them. But no, the bank’s not interested in doing that, the bank can make money just giving me a standard one-size-fits-all bank account, and so they’re not going to do that, and they’re probably not going to do that for some years to come. But other industries are starting to respond to that kind of asymmetric demand.
[Ron] That sounds really interesting about the bank, but I can’t even imagine or conceive of how a bank could possibly allow me to define my own policies, or the kind of data that’s going to be related to those policies. Can you give me an example of something that might work that way?
[Richard] Yes, let me talk about security policies. At the moment, my bank gives me a simple choice: either everybody with my password can access my internet bank account, or my bank account simply isn’t available over the internet. And so it’s a very crude binary: either it’s open or it’s closed. Now what I would like is to define much more precise security policies on my account, that say for example I can take money out of my account to these specific destinations up to these amounts of money, but if I want to pay vast amounts of money to an overseas company that I’ve never dealt with before, I do not want that to happen over the internet, I’m quite happy to go into the branch and do that over the counter, and sign all the paper that I need to give myself the extra security. I could write those policies over and above the policies the bank itself has, and the bank would be able to execute my security policies in composition with its own security policies, and that would give me greater security and give me greater control over my account, without taking anything away from the bank. And if everybody had their own security policies it would make it a lot harder to have mass attacks on bank accounts, which would make everybody safer. And so there seems to be a win-win-win all round if banks were able to provide just simple kinds of user-defined policies of that kind.
[Ron] Okay, I can imagine how if that kind of thing were possible, that a bank who was willing to offer that might attract the kind of customers that would result in more profitability. I would imagine that might appeal to a higher-end type of customer than a typical customer that maybe doesn’t care that much about the bank’s security.
[Richard] But you see with SOA, the technology is all there to do that. Technologically, that’s very easy to do now. It’s purely a question of whether the bank is willing to manage that additional complexity.
For further discussion, see Banking Services and User-Defined Policies 2, in which I discuss who is going to want these kinds of user-defined policies, and what the strategic implications are for banks and other service providers.