Of you? Yeah, sure, sure, please.
Well, guten tag and good afternoon. My name is John Horne. I lead a cybersecurity research practice in the States from DDoS Insights. We're also connected to the RBR folks in London. My practice advises financial institutions, major insurers, but also some of the vendors that are on the floor.
Alright, so good to have you guys here. Thanks for KuppingerCole for having me in this, in this session, this research published yesterday. So you guys are hearing it kind of fresh off the, off the presses. Unified Digital banking is the, is the thesis for this. But siams the heart of the matter, you should know that right? Siams the heart of this and where it's gone.
Why, why even research Siam? Well, it's just not the same as it used to be. All of our financial institution insurers tell us how hard Siam is to get done in this day and age.
There's lots of cyber risks, there's lots of different aspects that are unfolding. What we really wanted to get at in this research, and it's research that evolved 235 financial institutions. We wanted to get at the kinds of decisions that financial institutions made five years ago, 10 years ago, with respect to unified digital banking.
And if you're not familiar with the unified digital banking, I think everyone in the room is, but maybe one is not. That means you put everything together in a common login experience. So you get to mobile banking, online banking, every form of payment, every aspect of managing your debit card, every aspect of managing your profile. And you just, you collapse that all together under a single user login id. But we wanted to see how institutions behaved with that and if that set them up for better decisions now, or perhaps more difficult decisions.
Now, as you know, in life, sometimes you make a set of decisions in one part and then you find that they're better or worse as you go on. And then finally, we, we wanted to look at key business outcomes. I'm zealous for the fact that identity is meant to advance the business. What I tell our financial institutions, even our identity vendors quite a bit, many people don't care about identity. You need to be okay with that.
They, they, they're, they care about what identity can do for the business. They need strong identity partners, but they don't care about identity.
They want, they want identity to power the business. We wanna get at three different metrics to see if that held true or not for these kind of deployments. Quit real quickly.
Again, there, a couple of you may want to understand this. Most of the 208 financial institutions across four regions, you can see there was some of it done here in, in, in Germany.
There was 82 financial institutions done in the, in the European region. But it was all four regions. It was sponsored by Okta. Okta deserves a shout out.
They, they didn't buy us toward the, toward their customers. They just let our fielding team and my network go get financial institutions. They deserve a lot of credit for, for sponsoring.
This one, we did 208 for quant, and by quant that means 30 minute phone interviews. We did 20 of them, 15 financial institutions with me in qual interviews. So you spend an hour with me. And so 15 financial institutions for core banking processes. And actually there was one insurer that we did that way just to kind of see what would happen, but a pretty thorough research methodology.
That's, that's what we do at DDoS. Here's what we started. So where this question was essentially tell us where you're at with unified digital banking.
Right? Blue means I've been in production for two years. Orange means I've been in production less than two years. You put those two two together, that's 53%. So 53% of the financial institutions in our worldwide study have unified digital banking. And Siam deployed today that gray 18% says we're in the progress of building it or we're finalizing our decisions right now.
So we would predict that by end of this year, 65% of financial institutions in our survey, which is pretty directionally consistent, are gonna have this solution by the end of the year. My prediction for you, and you can argue with me during the session or perhaps after the session by by the end of 2027, the unified digital banking piece is gonna be table stakes. Meaning you can't operate as a bank and deliver services to consumers without bringing all this together.
Actually, I don't think for identity people, that's very controversial. But for digital banking people, it is a little bad. And the cyan piece becomes actually the more important piece of all this.
We asked them, tell us why you want this. So if you're not used to use, looking at a stack bar chart, the darkest blue is what people said were critical. The dark teal is what was very important. The lighter teal is what was very important. And then it fades off into nothing.
This, that you don't care about. So not surprising in some ways, not surprising in some ways, but experience improving multi-factor authentication and security and experience were the top two worldwide. They were 55 and 52% in the European financial institutions. It was actually a little higher, 59 to 57%, but no surprise there, right?
I mean, just with user experience has been the king or the queen, whatever your preferred metaphor is there for a decade now. And certainly with all the cyber risk, multi-factor authentication, security to get that normalized is super important. And when I say normalized and consistent, that doesn't mean security goes down for anything.
It means everything comes up to what digital banking required in the first place.
So the, the, the financial institutions are motivated to, you know, make experiences better. They're motivated to improve security. I will say in our qual research, our 15 financial institutions that spend an hour with me, and I've known them for, well, my hairline suggests a long time improved fraud detection actually was a key aspect that kept coming back in the discussions. We need cyan, we need this to be able to tie together with fraud ecosystems so we can get a better catch rate. So I think that's an important one.
But if you look at the bar chart too, there's a lot of other things that are important. There's, there's cost reduction that financial institutions are looking for.
There's, there's just like a, an aspect of of of, of squeezing out a business unit.
Specifics and all this.
But, but no, no surprise on this part. Consumer experiences improving security, making it all consistent for the consumer. Were one and two. Here's the interesting part. I find it interesting. I think you will too.
So again, I believe identity is meant to empower the business that many people don't care about identity. But, but maybe in this room that's more than I'm used to talking to that care about identity. I love that. So I'm talking to my people here, but this is, these are three places, three places. We said did, is there a business metric we can quantify and can we track that says identity and Siam have helped move the business with unified digital banking. First one was increased revenue. So putting unified digital banking together.
And Siam, you might know executives that just assume that's gonna increase your user counts by 10% year over year.
Well, that happened a little bit, but mostly what happened is cross sales improved. In other words, I come into digital banking, I see the whole story of the financial institution and my wife says, actually they do this, honey, they do this too. Let's just get this from our bank.
So cross sales actually were improved significantly across all of our qual research partners so that they would argue that the Siam solution built well was in a position where they could onboard data that was clear, high quality, no, no bumps in that road. So cross sales were the primary reason why the business grew with unified digital banking and Siam. It wasn't just overall users grew, but it was just existing users that bought more stuff at the financial institution. Secondly was reduce support calls, password resets. Everybody killed this, right?
Nobody, nobody didn't have at least a 50% reduction in password reset calls to the call center.
So that makes sense. Or if it doesn't, if you're in that kind of deployment and you're not pressing down passwords, if you're not pressing that out by 50%, that means your solution's not working.
Well, I just need to be candid, right? There's this is like, there's something not right because you should be able to collapse all your password reset capability, turn into user self-service.
We had a, a couple financial institutions you would know by name that squeezed five teams into one. We had an 80% reduction for another major financial institution you would know about. You should get. My recommendation is you could, you should get 60% reduction in password resets.
Finally, faster time to market, you should get a 50% reduction. We, if we saw nine, nine month integration for a new business service to three months, we saw in six months to three months, I, this was terrible.
But in this room you might understand, I saw an 18 month get reduced to nine months. I'm like 18 months to bring a digital banking service to market. I just felt bad for the person in that. But that's just what a big bank requires nowadays. But getting stuff to market faster because you have a common, common stack, common identities, common auth authorization principles.
So you should reduce this by 50%. And again, if, let me say this, if you're not in a bank today, these are the same kind of services and optimization you want if you're not a financial institution. But three places where we, where we saw, and the report goes into this a little bit deeper. Three places where identity was able to drive a metric that the executives put on the table before the project. And a metric that was delivered during the project.
The only one that was kind of opaque and more qualitative was the revenue part.
Where, where the most of the financial institutions we talked to just didn't measure it well enough. They, they confessed in the interviews. They didn't have the guts to, to put a revenue number on the Siam Unified digital banking piece. But now they are 'cause they're seeing other people. One there. Let's talk about this one.
There's a, there's an interesting, we, we have follow-up research on this. That's, that just started last week. So this was the, how did you get unified digital banking and Siam to market?
How'd you, how did you do it? Financial institutions of choices you'll see in the darkest teal and put a red box around Europe to help your eyes a little bit. The darkest teal except for APAC, was they chose their core digital banking provider.
And that makes sense, right? It makes sense that the core digital banking provider has a lot of services. Sos Fiserv, my former employ FIS is all those companies of the world, they're motivated to bring that, those solutions together. They can make it a increased spend. It's easy to integrate. It's usually less expensive.
And if you look at Europe, Europe was the number one, like greatest of all, like 65%. So two out of every three financial institutions in Europe are using their core digital banking provider according to the research. Here's the question. The question is, is that a good thing or a bad thing moving forward? So the research gets into that pretty deeply because if unified digital banking was the most important thing a decade ago, and we could say it was more than half of financial institutions in that 65% had self-built their Siam solution.
They just, and I would even call it in this audience, maybe a pre Siam deployment. Just a simple, really simple user ID hash password tenant. Id kind of construct how does that leave the financial institution to pursue? Phishing was just an mfa. How does it, how does it increase resiliency? How does it get to decentralized identity? That's what our research effort this year is gonna try to mine out.
Will the processor get that work done on behalf of all their financial institutions or financial institutions gonna have to take back some of their siam autonomy to go get some of these important things done. We'll see, we'll see, see what the research looks like. But I think the, the 65% for Europe reflects the, just the ease of contracting and the ease of getting there. We'll see what the next phase of research looks like. 'cause some days, and again, I come from one of those companies, Fiserv, 24 years.
Some days I didn't see us go after some of those new cutting edge things as much as, as much as maybe we needed to. So there's new research coming out on that front. One of the things I felt was interesting, if you're considering the unified digital banking, now you're looking only at third party vendor solutions. You're not looking to self-build. There was like less than 5% were looking to self-build a solution, but many who did it before. Sometimes we call that a first mover disadvantage.
Many that did it before chose to self-built some limited version of Siam, which may not be in their best interest long term.
We asked what's important Now it's 2024, what's important. Now there's a quant version of this with 208. There's a four banking processor version of this. My 15 quality interviews with financial institutions across the world. Four of 'em we're here in Europe. We're the best answers.
They, we were able to hang out in what's most important by category. Now let's hang out in what's the very top, you'll see I marked as table stakes. The ability to integrate with online banking, the ability to integrate with other platforms. I don't mean to offend, but if you know that just, that just needs to happen now, right?
That was, that was interesting a decade ago. But integrating to online banking is just not interesting anymore to me. It just should be that way. So what rose to the top was platform kind of thing.
So, so operational resiliency and uptime was number one.
And identity infrastructure and risk mitigation was number two. Uptime was every one of the 15 Bank Siam leaders could tell me their revenue loss per hour on Siam. They knew the number of what they lost every hour when Siam was down. Tell me if you could have done that a year ago if people could have done that a year ago. I don't. I was one of those people, I don't think that was in place a year ago.
So, or sorry, 10 years ago. I'll say it that way, 10 years ago. But every fi Siam leader could tell me the money they were losing per hour when Siam was down. That's calling for resiliency beyond four nines, right? That's what Siam and the business needs right now. The second piece is the identity infrastructure. So that risk mitigation can, can tie itself down and, and keep the blast radius small when a breach occurs.
There's some good work actually going on, on all the platform fronts right now. Nobody's there. There was a little bit of a pushback with some of the major identity players.
Hey, we're not quite there yet. Well, an analyst firm gets to just say, we need to get there, right? 'cause it's a, it's a high value for financial institutions and other services for risk mitigation to play out in a way that's auto automatic. I was at averse last week in the States. There's a lot of discussion around implementing MFA as a base control you can't get out of, right? And there's some wonkiness. Google just went through with it. Microsoft is trying to make progress there right now, but Google's was OTP. So don't get super excited. But they got everybody to it.
But being able to put MFA in as a base product offering that you opt into and probably hence pay for.
So we can stop looking at breaches and say, what was the customer's fault? They didn't choose MFA. That's in 2024. That just doesn't, that doesn't fly anymore.
So, so these, some of these platform specific things are really important. Getting to API, there was some two discussions ago around API security getting that same Siam ecosystem in API security is, is was number three. Phishing resistant. MFA or what we'll call PAs keys for today was number four. And I'll tell you again, there are a lot of important things in this, but it's interesting that in 2024 that Siam leaders for the business are drawn to uptime and automated risk mitigation. That's the number one and number two things for the business.
They don't sound like identity a whole lot anymore as an old timer and identity. They sound like things. The business is critical, critical on. As we head to the home stretch, a couple things.
CIO's been always the budget holder for identity of the Siam side. CISO's strong. Number two.
In fact, in Europe the CISO is tied for first place with the CIO. There's some controversy around this, maybe more in the states than in the eu. Why is the ciso, the, the budget owner for Siam? He or she doesn't really have a good aspect on what all needs to get done.
Well, did the CIO again, this is a hard space, right? The siams a hard space. So as you could see worldwide, CIO was at 34%. CISO was at 25 in terms of the budget holder. And in Europe it was even. So we need to watch this solution continue to, to take more business emphasis. And certainly just because you're the budget holder doesn't mean you're working on your own, right? It means you're collaborating across parties quite a bit.
But the, the striking part of how CISO has become even with CIO here in Europe where we did the most surveys, 82, we did the most of interactions was interesting. And then finally, just to wrap up 'cause we are short on time. The number one problem was internal organization challenges with Siam.
My, my message is, hang in there, right? I had a hairline before I led Siam and Fiserv, it's just hard, right? Who owns it? And ownership means, oh, you're paying for it or why wouldn't you as the business unit share in that resource? So most of the Siam leaders said we're we're struggling with our own people to prioritize what we need to do. I think we could have said that a decade ago, but if you're in that situation, hang in there, could use some of these business metrics to help move this along.
And that's my second one. Embrace business metrics. Don't be afraid of those.
If you're, if you're on the hook for a SIAM improvement that, that says we've gotta reduce password resets by 50%. Take take that, right? Take that. The business needs that if you need to increase integration time as part of the, the, the, the project goals and KPIs that embrace that. But business metrics more and more are gonna be how Siam in my mind kind of finds its legs continues to grow up and mature in the market identity for the sake of identity. Just isn't that dog doesn't hunt anymore.
Sorry, that's an American term, but that dog doesn't hunt anymore. It's got to advance the business. And then finally, I, there was a such a large segment in our, in our survey and our, and even our qual interviews where I found self-built Siam, I don't see self-built Siam.
I'm not of a, a vendor proponent, I'm not selling you anything. I just don't understand how self-built Siam except for a few financial institutions that have the chops, that have the people and the rigor to budget year over year. I don't see how that works to get to, to decentralized identity.
I don't see how that works to get to the resiliency numbers you need to get to as a business. So for more, for more often than not, financial institutions should, should pursue third party built for purpose. I am solutions. And that is all I've got. Any questions? I don't know. We're outta time. Thank you John.
Very, very
Good. Thank you very much. Oops. Is there we have time for a question just before lunch or?
Yes, hang on. Just bring the microphone to
You. I know with lunch pending, that means questions have, they're being vetted right as you speak now, isn't it? Yeah. How good's, the lunch and all that kind of stuff. Right. Thanks. You're
Free to go for lunch if you that,
That was quite very interesting. Just are you able to share, because you had some Australian banks included in the survey. Yes. Are you able to share which ones they were or
Actually I cannot as a researcher.
I'm, I, I had, I shield their privacy there. Two of them, there were two qual interviews in Australia and there were 20 quant, the two qual interviews in Australia. You would know their names. They're major, major financial institutions in, in Australia. But I can't share their names. That's part of the, part of the research. They wouldn't talk with me otherwise. Right. Yeah.
Fair, fair, fair question.
Are, are they in the top three maybe? What's that? In the top three?
They're in the top five.
Two of,
There you go. Two
Of the top five. How's that?
Okay, great. Well thanks a lot.
Oh, actually, is this available for people to download this research? Any?
It is,
Yeah. The PDF is Okay. Is
Available.
Alright.
And
If you, if you're interested in the research report, hit me up on LinkedIn and publish yesterday.
Okay. Thanks again, John. Great. Thanks.