Arc Ib (uploaded by gasay sinhto)
ARC Internet Banking


Introductory Technical Training
Tran Trung – Technical Consultant

© 2008 Temenos UK Ltd. Warning: This document is protected by copyright law and international
treaties. No part of this document may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of TEMENOS
HEADQUARTERS SA. Unauthorized reproduction or distribution of this presentation or any portion of it
may result in severe civil and criminal penalties, and will be prosecuted to the maximum extent possible
under applicable law. Information in this document is subject to change without notice.
ARC Introduction
TEMENOS Solutions

[Diagram labels: Support Services; Products & Services; Orchestration; CRM; Channels; Operational; Customer; Branch; Security]

Slide 3
Enterprise Platform Integration

• Solutions continue to be built along departmental lines, producing silos of functionality which have to be integrated via complex middleware and orchestration layers

[Diagram labels: Application processing; CRM, Branch, Internet, Call Centre; Middleware / Orchestration; Credit Card, Insurance, Core Banking, Trade Finance, Securities]

• Each functional silo has its own database and architecture, requires dedicated support and has its own release / upgrade program
• The infrastructure required to support such a solution adds significant cost and complexity which reduces their effectiveness and ability to deliver a return on investment
Slide 4
TEMENOS ARC

• TEMENOS ARC is a suite of integrated components which address the traditional front office market. First release of complete suite June 2007.
• Key areas of functionality include
- Operational CRM
- Analytical CRM
- Campaign management
- Workflow management
- Channel delivery
• Generating more business
- Tools to improve customer acquisition
- Customer retention through better service and competitive products
- Customer cross selling and up selling to help consolidate a client’s financial portfolio with the FI
• From less infrastructure
- Single integrated architecture for the front and back office reduces support effort and costs
- Multi channel access through a generic channel interface
- Can form part of an SOA total solution
Slide 5
TEMENOS ARC Channel banking

Key strategic objective

To provide a fully integrated user configurable channel architecture with secure real time access to T24’s 24x7 core banking platform and its full range of transactions and data with the smallest technology footprint possible

Appears to be increasingly important that we are able to sell integrated channels as core banking system becomes more of a commodity
Slide 6
ARC IB Architecture
TEMENOS ARC Internet Banking - Architecture
• Communications
• Security
• Authentication
• Scalability/Fault-tolerance

[Diagram labels, in page order: Internet user; Internet; Firewall/load balancing; Reverse Proxy Servers; Firewall; Web Application Servers; Authentication Servers; Firewall; Web Application Servers; Internal user; T24 Servers; Firewall; Hardware Security Modules]

Slide 8
TEMENOS ARC Internet Banking - Architecture

[Diagram labels, in page order: Internet Banking User; Firewall; Reverse Proxy Server or Load Balancer; Firewall; Servlet container / Web server; Hardware Security Module; File storage for static pages and graphics; Firewall; Internal network; Internal user; Add user only; T24; Servlet container / Web server; Firewall; Authentication server; Hardware Security Module; Hardware Security Module; DB]
Slide 9
ARC IB Branding
TEMENOS ARC Internet Banking – Page layout

Slide 11
TEMENOS ARC Internet Banking – Page layout

Slide 12
TEMENOS ARC Internet Banking – Page layout

Slide 13
Slide 14
ARC-IB High Level Design
• Main Browser architectural change - Move from frames to AJAX
- Helps improve security
  Protection against Frame attacks.
- Helps improve user experience
  Better sizing of components.
  Partial page reloads.
- Uses ‘fragments’
  Sub divide the page according to Composite Screen specification.
  Each fragment is an HTML <div> element.
  Fragments are updated independently.
• Uses web container (form-based) security
- Custom realm created to communicate with external authentication server.
Slide 15
TEMENOS ARC Internet Banking - Usability

Major enhancements to T24 Browser
- Frameless composite pages
- Pre-caching of account number drop-downs
- Improved error and override handling and messages
- Back button behaviour
- Continuous save (IHLD)
- Context flow
- New skin
- Header text
- Improved printing to just show data plus header and footer
- Recurrence control
- Keep alive on field entry
- Timeout warning (+1 slide)
- Time-out takes user back to a login page with error message
- Menus rendered as tabs (+2 slides)

Slide 16
Branding

Slide 17
ARC IB Authentication and Security


TEMENOS ARC Internet Banking - Authentication

User Authentication (ActivIdentity 4TRESS)

• Two-factor hardware token authentication as standard. Meets FFIEC guidelines. Various token types.
• Other methods of OTP delivery could be supported (e.g. mobile phone)
• Can be downgraded to password and user secret (random characters)
• Different classes of user can have different authentication mechanisms
• Same authentication system available to other channels (e.g. IVR)

Slide 19
Two-factor devices

Tokens generate One-time password (OTP)

Tokens with keypads can also do transaction MAC-ing (signing)

Slide 20
ARC IB Deployment

Authentication Configuration
• Requires third party authentication server (ActivIdentity 4TRESS or RSA Authentication Manager currently)
• Requires JKS (Java Key Store) or HSM (Hardware Security Module) e.g. NCipher NetHSM
• Tomcat only at present & WebSphere

Slide 21
ARC IB Deployment Partners

4TRESS supports tokens, uid/pw/mem data, admin interface
Scope for additional memorable data
Soon - Phone tokens, Managed service in UK
Requires a database
Can support VASCO tokens

Authentication Manager 5.x and 6.x (formerly known as ACE)
Tokens only or very basic password only.
No admin interface to T24.

One of HSM vendors supported by 4TRESS. NetHSM avoids need for three devices (or six in fault-tolerant system). 4TRESS can use NCipher HSM to compare partial memorable data within HSM.

All three can provide global pre-sales support direct to prospect. We do not resell, but may receive a finder’s fee.
Contact Thomas Kurishingal or Robert Burch for contact details.

Slide 22
TEMENOS ARC Internet Banking - Security

[Diagram: Restriction of rights hierarchy. Labels: Menu; Version/Enquiries; Servlet Filter; Enquiry Selection CUSTOMER EQ !EXT.CUSTOMER; SMS CUSTOMER: !EXT.SMS.CUSTOMERS; USER.SMS.GROUP]

Slide 23
TEMENOS ARC Internet Banking - Security

Security
• Multi-level firewalls
• Optional Reverse Proxy server
• Generic User application restriction
• IBServlet filter to restrict to specified Versions and Enquiries
• Primary authentication system third-party validated supplier
• HSM for encryption key storage
• Minimum code in Servlet Container/Web Server
• Application security between system components
• Obfuscation of JavaScript and commands
• Specific measures against SQL injection, cross-site scripting and replay attacks
• Bank-defined inactivity timeout
• Third-party Penetration Testing (Ethical Hacking) during development and recommended during implementation and subsequently at regular intervals
Slide 24
ARC IB Deployment

Security Configuration
• Obfuscation
- Internal: Obfuscate version and enquiry names (browserParameters.xml)
- External: Obfuscate JavaScript (browserParameters.xml)
• Servlet filters
- Block particular character sequences (browserParameters.xml)
  E.g. <script> to protect against cross site scripting
- Authentication
  Interfaces third party authentication server using standard web application security mechanisms
- Versions / Enquiry filter (WEB-INF/conf/versionsEnquiriesFilterConfig_production.xml)
  Only versions and enquiries that are on a list can be run

Must restart Tomcat after filter change for it to take effect
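
An added illustration (not Temenos code and not part of the original slides) of the two servlet-filter checks listed above: blocked character sequences, and the Versions / Enquiry list with anything not listed denied. The request fields `kind`, `name` and the parameter values, and every version and enquiry name, are constructed for the example; the slides do not show the format of browserParameters.xml or the filter configuration file, so none is assumed here.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added illustration, not Temenos code: the decision logic a servlet Filter
// could call from doFilter() before a request is passed on to T24.
public class RequestFilterSketch {
    // Constructed sample names; a deployment loads its own list from configuration.
    static final Set<String> ALLOWED_VERSIONS = Set.of("FUNDS.TRANSFER,EXAMPLE.OWN.ACCT");
    static final Set<String> ALLOWED_ENQUIRIES = Set.of("EXAMPLE.ACCT.SUMMARY");
    // Blocked character sequences; the slide gives <script> as its example.
    static final List<String> BLOCKED_SEQUENCES = List.of("<script");

    enum Decision { ALLOW, DENY_BLOCKED_SEQUENCE, DENY_NOT_LISTED }

    // kind ("version" or "enquiry") and paramValues are hypothetical request fields.
    static Decision check(String kind, String name, List<String> paramValues) {
        // 1. Reject the request if any value carries a blocked sequence (case-insensitive).
        for (String value : paramValues) {
            String lower = value.toLowerCase(Locale.ROOT);
            for (String seq : BLOCKED_SEQUENCES) {
                if (lower.contains(seq)) {
                    return Decision.DENY_BLOCKED_SEQUENCE;
                }
            }
        }
        // 2. Default deny: only an exact match on the relevant list may run.
        //    Unknown kinds and missing names fall through to DENY_NOT_LISTED.
        boolean listed = name != null
                && ("version".equals(kind) ? ALLOWED_VERSIONS.contains(name)
                    : "enquiry".equals(kind) && ALLOWED_ENQUIRIES.contains(name));
        return listed ? Decision.ALLOW : Decision.DENY_NOT_LISTED;
    }

    public static void main(String[] args) {
        // Constructed requests, one per outcome plus an unknown request kind.
        System.out.println(check("enquiry", "EXAMPLE.ACCT.SUMMARY", List.of("12345")));
        System.out.println(check("enquiry", "EXAMPLE.UNLISTED", List.of("12345")));
        System.out.println(check("version", "FUNDS.TRANSFER,EXAMPLE.OWN.ACCT",
                List.of("<SCRIPT>x</SCRIPT>")));
        System.out.println(check("report", "EXAMPLE.ACCT.SUMMARY", List.of()));
    }
}
```

The list check is the control that bounds what an Internet user can reach; the sequence check only rejects the literal patterns it is given.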

Slide 25
ARC IB Implementation and Configuration


TEMENOS ARC Internet Banking – Project planning

• Temenos consultant skill set requirements
• Involves most areas of the bank
- IT
- Each relevant business area
- Compliance
- Security
- Legal
- Marketing
• Potential third-party involvement
- Hardware suppliers
- Penetration testers
- Web designers
• Go live phasing, if possible.

Slide 27
TEMENOS ARC Internet Banking – Browser Deployment

Deployment

There is one Browser product
We ship two configurations:
- Browser
  Used for internal deployments
- ARC-IB
  Used for external (Internet Banking) deployments
  Supports Authentication Server to log in (as External User)
  Controlled by Arrangement rather than Browser Preferences
  Obfuscated JavaScript
  Servlet and script filters
  No client-side logging

We would expect a bank to host internal and ARC-IB Browser code on separate application servers.
Slide 28
TEMENOS ARC Internet Banking – Browser Deployment

tcserver.xml

OFS SOURCE RECORD FOR ARC IB

PORT number
Slide 29
TEMENOS ARC Internet Banking – Browser Deployment
WEB-INF\conf\channels.xml

WEB-INF\conf\browserConnection.xml

TCServer port
TCServer IP

browserParameters.xml

In Model Bank, it should only be necessary to edit channels.xml and change the IP address and Port number.
Not used if Instance specified – uses setting in browserConnection.xml

Slide 30
TEMENOS ARC Internet Banking – Browser Deployment

Other things to set up – EB.CHANNEL

Slide 31
TEMENOS ARC IB – Personal Banking Arrangement

[Diagram: three record boxes. INTERNET.SERVICES ARRANGEMENT (with a CUSTOMER field); CUSTOMER; EB.EXTERNAL.USER (with CUSTOMER and ARRANGEMENT fields)]

Slide 32
Relationship between Products and Arrangements

[Diagram: hierarchy running from Product Line, Property Class and Property Class Attributes, through Product Group, Property, Product and Product Property Condition, to Arrangement and Arrangement Conditions. Tier labels: TEMENOS Maintained; Bank Definable; Customer Specific. Link labels: Named types of; Specific values of; Sub set of; Specific instances of]

All share a common set of attributes
Slide 33
Tracking Product Changes

There are three ways that an Arrangement can be impacted by changes to its underlying Product:
• Tracking
- Changes to attributes at the product level will be reflected in the Arrangement
- At the Arrangement level, all attributes are non-inputtable as a result
- Any negotiation rules will be ignored
• Non-Tracking
- Arrangement attributes are unaffected by product-level changes
- At the Arrangement level, Attributes can be negotiated, subject to Negotiation Rules in corresponding Product Condition
• Custom Tracking
- Tracking behaviour can vary across attributes
- Individual attribute behaviour defined in Product Condition’s Negotiation Rules
This is called the Arrangement Link. The Arrangement Link is configured in the Product and is specified once for each Product Condition

Slide 34
TEMENOS ARC Internet Banking – Class of Service

Class of service

e.g. Personal, Premium Personal, Corporate inputter, Corporate View Only, Corporate authoriser, Private, Intermediary
Controls:
• Look and feel – branding, menus, toolbars
• Allowed product types
• Functionality – Menus, Versions, Enquiries
• Daily transaction limits
• Context flow (page workflow)
• User preferences e.g. language
• etc.
Slide 35
ARC IB Class of Service (AA architecture)

INTERNET.SERVICES (Product Line)

1 User Rights (Property Class)
• Company
• SMS Group
• Allowed days
• Allowed hours
• Allowed Customer
• Proxy Arrangement

2 UI Appearance (Property Class)
• Skin name
• Tool style
• Language
• Date format
• Amount format

3 UI Behaviour (Property Class)
• Contract attribute
• Enquiry attribute
• Toolbar type
• Toolbar
• Commit type
• Flow type
• Flow value

4 Product Access (Property Class)
• Product allow
• AC group allow
• Category allow
• Portfolio allow
Disallowed/hidden:
• Arrangements
• Accounts
• Categories
• Portfolios

5 Arrangement Preferences (Property Class)
• Primary account
• Arrangement
• Nickname

6 Protection limit (Property Class)
• Application
• Transaction Type
• Allowed ccy
• Beneficiary risk
• Time of day
• Limit ccy
• Limit Amount

7 CUSTOMER (Property Class)
(Customer number)

8 EB.EXTERNAL.USER (Table)
• Name
• Customer
• Company
• Channel type
• Status
• T C Accepted
• Product Line
• Arrangement
• Memorable data
• Authentication service
• Login method
• Start date
• End date
• Auto update server
• Last use date
• Last use time
• Last use duration

Example Products:
Standard Personal Internet
Premium Personal Internet
Corporate Internet
Intermediary Internet

(phase 1 deliverable)
TEMENOS ARC Internet Banking – Protection limits

Bank can define wide range per user, e.g.
• Overall daily limit in Local Currency equivalent
• Daily limit on payments to high risk beneficiaries
• Daily limit for FX transactions
• Daily limit per transaction type

Slide 37
ARC IB Personal

Slide 38
ARC IB Personal Model Versions and Enquiries

Enquiries
• Account details
• Account summary
• Direct debits
• Future payments
• Loans and deposits enquiry
• Loan/Deposit details
• Message details
• Messages from the bank
• Personal beneficiaries
• Recent internet banking activity
• Standard beneficiaries
• Standing orders
• Statement with selection, last month default
• Term deposits
• Transaction details
• Welcome message

Transactions
• Transfer between own accounts
• One-off payment to a beneficiary
• Open term deposit
• Personalise a standard beneficiary
• Amend beneficiary
• Amend STO
• Cancel future payment
• Cancel DD
• Cancel STO
• Create new international beneficiary
• Create new local beneficiary
• Create STO
• Delete beneficiary
• Message to the bank

Slide 39
ARC IB Intermediaries
ARC IB Intermediary support

Product Code ‘AP’

Slide 41
ARC IB Corporate
ARC IB Corporate Support

There is a PROXY.SERVICES Arrangement for each Internet user who has access to the Corporate’s accounts.

Every user has their own arrangement. There are different classes of service for corporate users e.g. inputter, view only, inputter and authoriser, administrator. Generally these do not need to be specific to a single corporate.

Customer record so bank knows details of user.

Normally for corporate users there will only be one allowed customer. However, employees of a parent company may have access to accounts of subsidiaries, so there would then be an entry for the parent and each subsidiary.

[Diagram labels:
Corporate CUSTOMER
PROXY.SERVICES ARRANGEMENT: CUSTOMER; PROXY.PERMISSIONS: PROXY 1; ACCOUNT 1, ACCOUNT 7, ACCOUNT 9
PROXY.SERVICES ARRANGEMENT: CUSTOMER; PROXY.PERMISSIONS: PROXY 2; ACCOUNT 1, ACCOUNT 7, ACCOUNT 9
PROXY.SERVICES ARRANGEMENT: CUSTOMER; PROXY.PERMISSIONS: PROXY 3; ACCOUNT 1, ACCOUNT 3, ACCOUNT 5, ACCOUNT 7
CUSTOMER: Corporate employee user 1
INTERNET.SERVICES ARRANGEMENT: CUSTOMER; USER.RIGHTS: ALLOWED CUSTOMER 1, PROXY ARRANGEMENT 1
EB.EXTERNAL.USER: CUSTOMER; ARRANGEMENT]

Slide 43
Corporate additional Model functionality

Transactions
• FX deal
• Account sweeping and topping
• One-to-many payments
• Open Letter of Credit
• MM Deposit

Administration
• Add user
• Amend user
• Delete user
• View user activity
• View all activity

Enquiries
• Transactions for authorisation
• Letter of Credit status
• MM Deposit
• Bulk payment status

Create/Amend Mandate

Other
• Authorise transaction
• Reject transaction
• Payment file upload
• Download PDF document

Slide 44
