From its global technology hub in the UAE, Habib Bank AG Zurich (HBZ) has launched the
world's first secure key-enabled on-line payments service that can
facilitate fund transfers to any third party. Dubbed HBZcms, the 'cms'
standing for 'cash management system', the facility is open to customers
who subscribe to the bank's Internet service, HBZweb, its SMS mobile
service, HBZgsm, and who possess a proprietary secure key, HBZsecure key.
Armed with registrations to these services, customers must pass through a
combined username, password and challenge mechanism each time they wish to
access HBZcms through the Web. Once they get in, however, they can conduct
fund transfers 24/7, to any account, and in real time too.
Priding itself on the adoption of new channels whilst maintaining high
levels of security, HBZ began offering internal on-line transfers through
its HBZweb portal some four years ago. This service has been described as
the bank's 'funds transfer' facility, and the latest launch has been
positioned as a 'cash management system' in part because that terminology
is universally recognised. The bank has also been pushing adoption of its
secure combined Web and mobile-based e-banking services, to the extent that
70.12% of credit customers and 60.05% of deposit customers have signed up
for the combined HBZweb and HBZgsm offering.
Building on the success of its e-channel customer penetration, the bank
has now decided that it's ready to launch external on-line fund transfers.
Assuming that the customer has HBZweb, HBZgsm and HBZsecure key access,
funds can be transferred through HBZcms denominated in Swiss francs, UAE
dirhams, US dollars, UK pounds, euros or Canadian dollars. Other than the
STP transaction having to pass through the compliance module of the bank's
hPLUS 'scream engine', there are no limitations on the destination account
that funds can be transferred to.
Speaking about demand for HBZcms, HBZ Assistant VP, Amer Farid, says
that the security and convenience built into the service will appeal to
individual and corporate customers alike.
Cost is a factor as well as convenience, and transfers via the new service
cost pilot UAE customers just AED25, compared to AED60 for traditional
methods. Farid is also confident that from the bank's perspective the new
service will not damage its transfer fee earnings, as by leveraging new
technologies HBZ has been able to cut internal costs dramatically. "We
believe that the intelligent use of technology should offer convenience
and security to our clients," he says. "HBZ's hPLUS core banking system
from BiLOGiC Systems Inc enables the bank to use STP. The reduction in
manpower costs and redundancies then enables HBZ to pass on the savings to
clients."

Layers of security

HBZ recently implemented a new security feature in its on-line banking service - a four
digit challenge embedded in a graphic background for all users logging
into HBZweb. In addition to the traditional login user ID and password,
the challenge authentication is mandatory, and users can opt to include
secure key authentication in their logins as well for added security.
While the four digit challenge prevents automated processes from entering
the site after guessing HBZweb passwords, the bank also employs a
proprietary firewall and 128-bit SSL encryption.
"Security was not considered a single element residing somewhere on the
network, like a firewall," explains Reza S. Habib, Joint President of HBZ.
"It was a design principle for all tiers and layers of the application,
the required software infrastructure and the physical infrastructure. In
short, it was integrated security across the board and implemented as an
integral part of the security policy."
The HBZsecure key is used to complement the password challenges and is
mandatory for HBZcms. This key comes on hardware such as mini CD ROMs, SD
cards and USB flash drives, depending on client preferences, and is
uniquely configured for each client with a VLVP (very long variable
password). Once a user has this key, he can access HBZcms from any
computer with Internet access and a suitable CD drive, card reader or USB
port. Given that the hPLUS engine is fully integrated with the bank's back
office operations, a transaction then issued by the user, and passed by
the bank's compliance systems, will leave the user's account immediately.
In the event that a secure key is lost, the bank will only issue a
replacement, containing a new configuration, upon receipt of a written
request from the account signatory.

Authorisation rights

Of course if a company is to issue passwords and secure keys to a number of staff, it is vital that senior
management can also control who is transferring company funds and to which
accounts. For this reason the customer is able to build authorisation
layers into the service agreement; for example allowing an accountant to
enter fund transfer details at one level, while requiring one or more user
approvals for the actual transfer to be authorised.
As Farid explains, each new beneficiary transfer request is first
checked against client Web transfer limits. When a client first requests
that a new beneficiary be added to its HBZcms registration, the e-Banking
department checks client and beneficiary details and then confirms all
details back to the client within one working day. This information is
transmitted via an HBZweb secure email and via an SMS sent through HBZgsm.
After the first transaction takes place, a template is automatically
generated so that all future transfers to that beneficiary will be
completed automatically.
"Automatic processing of Web electronic transfers is subject to a 24
hour individual Web transfer limit set for each client," Farid says. "This
limit is initialised for each client at $10,000. Requests to increase that
limit can be made in writing or through a secure mail, and may be
sanctioned by the client's branch only after receiving clearance from the
Compliance Department."
Having initiated fund transfers through HBZcms, clients can then see
the status of all transfer requests when they log into HBZweb or through a
mobile device. They receive a secure mail and SMS confirmation message
notifying them of all debit transactions and rejections. Through the Web,
copies of authenticated SWIFT acknowledgements can also be viewed and
printed.
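
The controls described under "Authorisation rights" (bank-confirmed beneficiaries, approval by users other than the one who entered the transfer, and the 24-hour Web transfer limit initialised at $10,000) can be modelled as a single decision function. This is an added example, not HBZ or hPLUS code; the class and function names, the rolling 24-hour window and the "HOLD" outcome for anything not processed automatically are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_LIMIT_USD = 10_000     # initial 24-hour Web transfer limit quoted in the article
WINDOW = timedelta(hours=24)   # assumption: rolling window rather than calendar day

@dataclass
class Client:
    confirmed_beneficiaries: set      # beneficiaries the bank has already verified
    required_approvals: int = 1       # assumption: agreed in the service agreement
    limit_usd: float = DEFAULT_LIMIT_USD
    history: list = field(default_factory=list)  # (timestamp, amount) of processed transfers

@dataclass
class Transfer:
    entered_by: str
    beneficiary: str
    amount_usd: float
    approvers: set = field(default_factory=set)

def decide(client, transfer, now):
    """Return (decision, reason) for one transfer request (hypothetical helper)."""
    if transfer.amount_usd <= 0:
        return "REJECT", "invalid amount"
    if transfer.beneficiary not in client.confirmed_beneficiaries:
        return "HOLD", "beneficiary not yet confirmed"
    # Dual control: the user who keyed the transfer never counts as an approver.
    independent = transfer.approvers - {transfer.entered_by}
    if len(independent) < client.required_approvals:
        return "HOLD", "awaiting approval"
    # Sum only transfers processed inside the last 24 hours.
    spent = sum(amount for ts, amount in client.history if now - ts < WINDOW)
    if spent + transfer.amount_usd > client.limit_usd:
        return "HOLD", "24-hour limit exceeded"
    client.history.append((now, transfer.amount_usd))
    return "PROCESS", "ok"
```

The self-approval check is the part most often missed: an approver set that contains only the entering user must be treated as empty.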