The décor at Pubali Bank’s head office at Dilkusha is very reminiscent of a bygone era when heavy wooden furniture was the norm and thick apple green carpets would shroud the floors inside high ceiling rooms. But Pubali Bank’s approach to digitalizing banking, as we find out through our conversation with Mr Ali, is anything but old-fashioned.
Mohammad Ali is among the few professionals in the banking sector that shed the cloak of ‘just the IT guy’ and merge his technological expertise with commendable business education to morph into a truly modern banker. The deputy managing director and the chief technology officer at Pubali Bank, Mohammad Ali has been one of the key figures in the innovative digital transformation of his organisation. Awarded “Legend of the ICT’ by the CTO forum, Mr Ali in his interview with Fintech magazine shared his thoughts on the important issues in the banking sector and ICT. We also got an exclusive and exciting peek into the process of building Pubali Bank’s IT ecosystem.
Here is the full interview for Fintech readers:
FINTECH: Could you tell us a little bit about your background and how you came into banking?
MA: I come from an engineering background. I did my bachelor’s and master’s degrees in computer science and engineering from BUET. Initially my career started at Ahsanullah University as a faculty. I joined as a lecturer and became an assistant professor. I was also working simultaneously as the director of Ahsanullah Institute of Information and Communication Technology of Dhaka Ahsania Mission. As part of my work there I used to oversee all the IT related NGO projects. At that time, I thought I would do a master’s in development studies, as I was working in the field of development. To be frank, I didn’t have much knowledge in the field. But I actually ended up doing quite well in the master’s program. I got the highest GPA and received the Dean’s Award.
FINTECH: You have always been academically inclined, it seems?
MA: Yes, that’s right actually. I love to study. I still read and all of my colleagues know this too. Anyways, I also worked in the ICT Task Force as a consultant from 2003 to 2008. The designation was IT Management Specialist. We did automation in different ministries. After this I joined Pubali Bank in 2008. I joined as the CTO. After three months I was promoted to general manager, in addition to my post as the CTO.
In the meantime, I had done an MBA in finance from Dhaka University. I acquired a 3.98 GPA in the finance MBA. I did another master’s from IBA on marketing. So, I actually have four master’s degree (laughs). One is the computer science master’s, another is on development studies, an MBA in finance and an MBA in marketing.
FINTECH: That’s fascinating. So, how you have been putting all that knowledge into work, specifically, please tell us about the things you have been doing here at Pubali Bank.
MA: After joining here my first assignment was to introduce core banking. The board and management made a very bold decision that we will have our in-house core banking solutions. So, we decided that our centralized real time online banking system was going to be built in-house. We recruited a lot of people for this. We initially launched it in December 2008 in ten branches. In 2009 it was deployed in 54 branches. We hadn’t developed DRs (disaster recovery) system then, but within the DC (data centres) we created server replicas so that we can provide uninterrupted service. We installed Oracle Data Guard at that time. After that we prepared our DR and DC. We got EMC solution for the data centre and for disaster recovery. At that time, we had a lot of works done. One of those was that we received principle membership for Visa Card and Master Card. So, cards started to get integrated into our system. We also strengthened our data centre and disaster recovery centre. The architecture we implemented was Maximum Availability Architecture or MAA by Oracle.
I remember I was asked by the board how I can assure that the system is secured. So they suggested that we get an international consultant to evaluate our core banking solution. Since we were going to heavily invest in the DC-DR, we wanted to know if the homegrown software will hold. So, through a tender, we gave the work to PricewaterhouseCoopers or PwC. They carried out rigorous evaluation processes. This was by international tender, by the way. It was their UK team. We spent Tk1 crore for this. It was a total evaluation. The report is astoundingly detail, as you would expect. They even tested if this will work if there are one thousand branches in the system. They did stress testing, penetration testing and everything else. After that they certified that the system is ok. Then the board gave me the green light to deploy it completely. We implemented the CBS in all branches at the beginning of 2014.
Since then we have had ICT audits every year by external firms. Every time we got satisfactory results. We always employ all the leading technologies in our data centre and DR centre. For example, the best software in the world for vulnerability test is Qualys. So, we employed that. Oracle Exadata is the best for data centre. So, we deployed that machine. We are seen as a traditional bank. But on the technology front we adopted the best technologies. So, for penetration we have Core Impact. If you think next generation firewall, we have that too. We have deployed Cisco’s Next-Generation Firewalls. Because, ultimately, your duty is to secure the customers’ money. In light of the recent attacks of zero-day virus and similar threats we have put in place all the required sandboxing and other measures.
We have recently introduced call centre service. We procured a software for that. We are very comfortable exploring all the technological arenas. Now we are looking to start agent banking. The Division has just started and policy has been approved. We will apply to Bangladesh Bank and after getting the license we will go for deployment. Here, too, we are bringing in innovation by basically involving customers. We will enable the customer to initiate the transaction, as involvement of agents often causes fraud. Terminal will be in the customer’s hands. Once the customer initiates a transaction and inputs his pin, biometric information etc, he will be able to provide the receipt of the transaction to the agent and then the agent can make a transaction. There will be no agent initiated transactions. So, it’s a dual check.
If you look at when national payment switch is collected at Bangladesh Bank, three banks connected to the payment switch first and the first among them was Pubali, and then Southeast and Dutch Bangla. We are also connected to the RTGS system.We have a very strong anti-money laundering and sanction screening system. For anti-money laundering we use a homegrown software. But for card we use Latitude. For patches we use Flora Systems.
Yes, we developed our CBS, but it’s not that we would develop our own system even if when that is not a logical choice. When we know that another system would be more robust we adopt that. We never really contemplated creating something like the Core Impact or Qualys. Similarly, in agent banking if we see that we need to deliver the system very quickly then we will adopt a fintech technology that will serve the purpose. We deal with the mass people. Go to any branch and you will see people pouring in by thousands. We have to continuously support three million active customers. If you include the inactive customers, then it’s a much bigger figure.
FINTECH: Sorry to interject, but how many branches you have at this moment ?
MA: We have the highest number of branches, 455 as of now. This is not very well known but we have the biggest online network, as well as largest network of branches. We have branches in places like Rangamati, Bandarban, Khagrachhari, Sandwip, Shiberhat, and they are all connected real time online.
FINTECH: That must have been a mammoth operational task. What are the challenges for maintaining good uptime for your network?
MA: We have 16 servers at our DC for keeping the uptime for our core banking. Each processing unit comprises of 64 CPUs. We have the backup for all of this at our DRC. We have very high investment in it. The Exadata we have is the latest. It cost about Tk42 crores. It’s a huge investment. It’s a single machine, but it has tape drive, so backups are created in tape. It has Exadata secure backup, which is another device and it backs up everything automatically. The same replica is preserved at the DR. DR back up is created before data go to the branches. If we have any server down, then DR automatically turns on and keeps system online. That’s why Oracle calls this Maximum Availability Architecture.
For branches uptime we have two different vendors. We ensured that there are two completely different backbones that tie the networks. One extra wireless backbone is there by either Grameenphone or Banglalink. So, if both physical backbone is disconnected because of road repair or something like that, we still operate through the wireless. We have done everything to make the operation fail-safe. Even after all the repair work that goes on all the time, particularly some overhead cable of ISPs that are being worked on from time to time, we make sure that doesn’t disconnect us. If I were to evaluate one particular branch, as opposed to the whole network, I would say any single branch has over 99 percent uptime. We use two optical fibers going through two different physical channels. Sometimes we can’t do it, for example, at the Jamuna Bridge. You can’t put two cables on two sides, because the government designated only one side for this. But that’s not a problem because it’s a very secure site.
FINTECH: What system you use for the IT infrastructure monitoring?
MA: We use the open source software Nagios. Through this we monitor who are trying to hook into us from outside. And we observed that on average there are 40 to 70 attempted penetration into our network every day. This is from many different countries. We have a team of eight members who monitors this constantly. They keep track if network is down somewhere and so on. Sometimes we observe how far a penetration goes. If it goes far enough we understand something might happen potentially. There might be leakage. We are dealing with the public’s money. We can’t afford to be vulnerable. Government banks can recover, but if we lose, let’s say, a hundred crore taka we may not be able to pay dividend for the next eight or ten years.
FINTECH: Are you thinking about using this backbone for any additional use?
MA: Yes, of course. We are going to deploy something called Unified Communication by Cisco very soon. It will have a VOIP based video conferencing, audio-video calls, available throughout our network. So, we can be connected to all branches through video call, conferencing etc. The backbone we have developed for the core banking will be used here. It’s the same channel. We have floated the tender for this. We just need to employ the work order. It’s in the final stage. It will be the first of its kind in Bangladesh. Once it is done, we can have RM video conference. The whole communication will be recorded as well.
This will change the whole dynamic of our work. If you ask an RM, let’s say, ‘did you visit there?,’ you can see him and hear his answer and it’s all recorded. With facial expressions visible the communication dynamic is so much more effective. Sometime what you hear on telephone can be misleading. Someone might say ‘yes’ to something, but if you see his face you will know it’s a very unconvincing ‘yes’. Ultimately the more I’m secure, the better it is for the bank’s and the company’s health. This also means that the customer gets more affordable price. If we suddenly have decreased classification in all the banks, there are no defaulters, then what will happen? Immediately all interest rates will go down to single digits. If my classification is at five percent, I’m not getting any return on that money. If we need to classify five percent, then that’s five percent less from the income.
FINTECH: There has been a lot of awareness on compliance lately. A lot of training and workshops are being conducted by many organisations, from in-house to training by external experts. What are your thoughts on this?
MA: Basically, risk and compliance are two very vital issues right now. If you look at our corresponding banks, we have correspondence with one hundred banks like, the CTNA, Standard Chartered, HSBC and correspondence with 66 exchange houses. 6 exchange houses may sound small, but each of these houses have 20 to 30 thousand branches. So, this correspondence is possible only through compliance. Those who are most compliant and best at mitigating risk will be best linked. The reason is simply that we have Tk12 to Tk13 thousand crore export, Tk10 to Tk13 crore import and Tk2 to Tk3 thousand crore remittance going through us; and if they have even one money laundering or terrorism financing transaction then the kind of fine/penalty the exchange houses will face from the likes of Bank of America will be devastating. They can’t afford it. That’s why we are very compliant on the ICT security guideline by Bangladesh Bank. We try to follow every step of that guideline and the guideline they made is quite comprehensive too. You have to put in a lot of work to comply with that.
We also thought about how to evaluate the gaps. When Obama was president he formed an organisation called NIST through an executive order. They created a document on gap analysis for cyber security. We use this document for all of our components. It has very usable templates and anyone can use it. I have mentioned this on many occasions, when speaking to a public forum.
Another matter is having the essential document instruments. The UK government created a document called ICT Security Essentials. We have also studied this document. Since the cyber security issues started to come to the forefront after the heist, we created a roadmap, which we implemented in three stages.
The issue of compliance is related to the safety and security of the country. We have automated OFAC screening into our system. We have incorporated all the black listed names, countries, vessels in the list. Transactions over Tk10 lakh get put under CTR, transactions that appear unusual are put under STR. We have maintained compliance in every sphere. We are also very vigilant about PEPS (politically exposed persons) accounts. We never allow a foreign transaction if the client does not have passport endorsement. We are a little conservative that way. We have real time SMS as well.
Our next step is getting the biometric data into our database. We will then connect that to the corporates. They can have two factor authentication. This will bring comfort for the customer. Before, there wasn’t awareness among customers and the corporate culture was not there; so you couldn’t deploy biometric equipped services. Now, the young generation is getting into leadership positions and they know the latest technologies. So, banks can now afford to rely on the customers to do the LC process, rely on them for fund transfers and so on. If we can do this, we will be able to significantly reduce the number of customers coming to the branches.
FINTECH: There are a lot of transactions within the banks on a daily basis. Do you think the corporate clients could be given the tools for carrying those out, with the help of biometric enabled database?
MA: Yes, that’s right. A huge amount of money goes through inter-bank transactions every day. The amount is approximately Tk500 to 600 crores per day. Most of these are from and by corporate clients. If we can implement finger ID, iris recognition through the companies who already use these devises then payment could be made from the customer’s premises, but with customer’s authorization. We are thinking about implementing this in the next step.
But another major challenge is there. All the retail shopping we do on a daily basis in the consumer market are from informal shops. If you go to a bazaar, none of the sellers have a trade license. There are thousands of stores like that. How do you make a database for the informal sector? The Central Bank requires every organisation to have a trade license. They have nothing, and yet, huge amount of transactions is happening there every day, every moment. No other sector has so frequent transactions. How to bring that into a regulatory framework is the challenge. Since they are unlikely to get trade license at this moment, it is necessary to create a model for them. After they get into the financial market they will soon realise that they need to have a trade license, they need to have a legal basis. They will realise that they can get a car by taking out a consumer loan. They can have the convenience of transporting their sales goods to the bazaars on their own cars. So, a major intervention is needed there.
FINTECH: The enabling instrument for that will have to be a national database, which will be built, at least primarily, from the NIDs. Is that going to be possible anytime soon?
MA: NID is centrally connected now. We are also connected. This has stopped all fraud. They haven’t provided us with the biometric verification system. But as a leading bank we are now connected to NID. Before that we had people coming in with fake IDs. That stopped after we got connected. We warned the customers and asked them to get NID, or we will freeze their accounts.
FINTECH: When you did get this connectivity?
MA: About a year ago. This is the reason we can even think about starting agent banking. We know that we can verify through the NID.
FINTECH: Apart from the NID data, the commercial banks have huge amount of data available to them. Why these aren’t being used? How far are we from being able to use and get benefited from Big Data?
MA: The data isn’t sitting idly actually. The main point of Big Data is getting behaviour pattern analysis. It has many uses. We are still at the starting point for a digital country. You have to give it time. We are in the stage of connecting. After we get connected we will start to exploit the full potential of these data. But the positive aspect is that we are going to grow exponentially.
FINTECH: Thanks very much for taking the time to talk to us.
MA: You are welcome.