Executive Summary: Credit Suisse Direct Net Internet Banking Service.

Company Background. Credit Suisse is the regional retail banking arm of the Credit Suisse Group, a major global financial services organization. Members of the Group include Credit Suisse Private Banking, Credit Suisse First Boston, Credit Suisse Asset Management, and Winterthur Insurance. The Group, headquartered in Zurich, Switzerland has assets of over $480 billion and nearly 39,000 employees.

Credit Suisse retail banking services are delivered to over 2 million customers through 250 branch offices, a nationwide network of ATMs and other self-service devices, a telephone banking service, and online banking. There are more than 200,000 customers for telephone and online banking. Retail banking strategies at Credit Suisse are based on a vision which blends innovative use of advanced information technology with a high level of personalized service, identified as "high tech with high touch ". The strategies foresee the Internet and Web-based technologies as key to future retail service delivery. The goal is to use the Internet to deliver traditional products and services at lower cost, and premium products and services without the need for premium pricing. Another goal is to provide global access to Credit Suisse online banking services via the Internet.

Old Credit Suisse Online Computing Environment. Until the introduction of the Direct Net Internet banking service which is the focus of this report, Credit Suisse provided online banking through a Videotex solution. Videotex banking services, available through the Swiss PTT Videotex (VTX) service, are offered in standardized form by many Swiss banking organizations. There are about 200,000 subscribers to VTX banking service, of which more than one-fourth are Credit Suisse customers. The VTX banking solution offered by Credit Suisse is illustrated in Figure 1.

Credit Suisse recognized that the future of VTX as a delivery system for retail banking was limited. The advent of the personal computer followed by the rapid growth of the Internet and the explosive increase in Internet usage with the availability of Web-based technologies promised to make Videotex obsolete. In addition, the VTX banking services are local to Switzerland and could not be used to meet the Credit Suisse goal of global access. Credit Suisse decided in 1996 to design, develop, and deploy an Internet banking service.

Criteria for the New Solution. Credit Suisse chose Direct Net as the name for the new Internet banking service and set about to specify and acquire a total new solution. A number of business and technical criteria were established to guide the project:

• Credit Suisse must be the first Swiss bank to offer Internet banking services to its customers. To meet this goal, two technical requirements were established: (1) the Videotex transaction monitor would be retained as the initial interface to backend processing systems, and (2) HTML would be the initial basis for communication exchanges between Direct Net and customers. The objective was to limit technical risk during rapid development, implementation, and deployment.

• The Direct Net service must be available not only in Switzerland but to private banking and other clients of the Credit Suisse Group on a worldwide basis - through the Internet at any time from any place.

• A robust end-to-end security environment must be established to provide access, authentication, encryption, and intrusion protection for Credit Suisse and its customers. Robust security mechanisms were required at the customer location, over the Internet, at the boundary between the Internet and the Direct Net Web site, at the Web site itself, and for all Credit Suisse internal networks and computing resources.

In addition, a rigorous business plan with objectives in terms of cost levels, new customers, VTX conversion customers, transactions, business volumes, and revenues was established as the economic framework within which Direct Net would be developed, operated, and measured. Although such goals are confidential, it is reported by Credit Suisse that all are being met or exceeded in the initial year of Direct Net service.

Selection Process for the New Solution. Credit Suisse solicited bids for the new solution from multiple suppliers and received particularly strong bids from four sources: IBM, Hewlett-Packard, the team of Ergon Informatik AG and Sun Microsystems, and a German firm, Brokat GmbH, supplier to Deutsche Bank of an Internet banking system. Following a detailed evaluation of offers from both technical and economic perspectives, Credit Suisse selected the team of Ergon and Sun for the project. Key decision factors included:

• Ergon, a Zurich-based software development firm, enjoyed an excellent reputation at Credit Suisse as a result of other projects performed for the bank. A quality, Swiss-based source of ongoing software support was deemed essential for long range project success.

• Sun and Ergon had a lengthy and strong technical alliance. Sun's UNIX® servers and the Solaris™ operating system were well known and extensively used by Ergon for other customer projects. Sun platforms also enjoyed an excellent reputation in other parts of the Credit Suisse Group, for example by Credit Suisse First Boston in the United States.

• Sun was able to provide price/performance advantages over its two leading competitors, IBM and Hewlett-Packard, both of whom offered strong platform and security proposals.

• The Sun and Ergon team offer addressed all of the business and technical criteria established by Credit Suisse for the Direct Net project, including the integration of key components from other suppliers: Innovative Security Systems, Delta Consulting Group, and Security Dynamics Technologies, Inc. The expertise of Sun's Professional Services (Sun PS) organization also was available to support system integration, testing, and installation.

The New Credit Suisse Direct Net Computing Environment. Direct Net was developed, tested, and implemented within eight months and became operational in April 1997. Its major components, and the supplier team members active in each component, include:

• The Direct Net Web site provides the user environment for Credit Suisse's Internet banking service. It was designed, developed, and implemented by Delta Consulting Group and includes the user interface, home page graphics, HTML transaction pages, and navigational aids for users. Delta worked closely with Ergon and Credit Suisse in the Web site development.

• The technical framework within which the Direct Net solution was developed and tested is the Trusted Internet Application Framework (TIAF) from Ergon Informatik. TIAF, illustrated in Figure 2, includes five main components: (1) Web Server, (2) Security Gateway, (3) Session Manager, (4) WebEval Application Server, and (5) the Trusted Operating System, Sun™ Solaris™ 2.5.1 with Argus B1 Extensions. The architecture of TIAF is illustrated in Figure 2.

• The equipment platform for Direct Net is duplicated at two Credit Suisse sites and includes Sun Ultra™ Enterprise™ 4000 servers with two processors and one gigabyte of memory. Sun SPARCstation™ workstations also are used for each Checkpoint Firewall 1 boundary security mechanism in Direct Net.

• The end-to-end security solution implemented to meet Credit Suisse's rigorous requirements is comprised of three groups of security mechanisms: (1) access and authentication security which employs the SecurID and Access Control Module (ACM) software under license from Security Dynamics Technologies, Inc., (2) encryption services to provide privacy and message integrity security across the Internet which uses 128-bit SSL encryption technology available from two Swiss providers, and (3) boundary security that includes filtering routers, firewalls, and the secure platform version of Solaris™ 2.5.1 with Argus PitBull B1 extensions. The secure platform is the focal point of security between the Internet and the internal processing facilities of Credit Suisse. It was developed through joint effort by Innovative Security Systems and Sun Professional Services (Sun PS) in close coordination with Ergon. With B1 certification by the European Information Technology Security Evaluation Criteria (ITSEC) organization, it provides the highest level of platform security found on commercial systems. The total end-to-end security capabilities of Direct Net are shown graphically in Figure 3.

• The customer desktop client options for access to Direct Net include any computing device that supports a Web browser with 128-bit SSL security and is able to connect to the Internet. The most common access client is a Windows-enabled PC with a modem, a browser such as the Netscape Navigator 3.0, and Internet service provider (ISP) access services. A Direct Net customer can connect to the service from any place in the world that has Internet access.

The complete Direct Net Internet banking solution is illustrated in Figure 4.

New System Benefits. Direct Net has been serving Credit Suisse customers, both in Switzerland and from around the world, since April 1997. It processes between 12,000 and 15,000 customer transactions daily, and transaction volumes as well as the number of customers, are growing rapidly. According to Markus Simon, head of PC and Internet banking at Credit Suisse, "Credit Suisse is very satisfied with the Direct Net service and with the outlook for the future. Based on initial results, we are confident that Direct Net will play an increasingly important role in the future of service delivery for Credit Suisse and for other members of the Credit Suisse Group."

Credit Suisse met its goal of being the first Swiss bank to offer Internet banking service and the acceptance of that service by customers is meeting or exceeding business plan objectives established by Credit Suisse. The global reach of Direct Net services has proved to be a significant market differentiator for Credit Suisse, and Direct Net is fulfilling its projected role in the banking strategies of Credit Suisse.

Future Outlook. Although Direct Net is fulfilling its business objectives, Credit Suisse already is making plans and initiating actions to improve and expand the service. Markus Simon states that, "Our primary goal is to stay ahead of the market with a secure and reliable service that meets our customers' expectations. We see a number of both near term and longer range opportunities for expanding the service. Several of these have been defined in terms of specific new releases."

Short term improvements include: (1) an option for customers to download a browser with the 128-bit SSL security functions imbedded, (2) providing customers with an interface between Direct Net functions and personal financial management (PFM) software packages such as Intuit's Quicken, and (3) adding new transaction and information services for customers.

Longer range considerations include adding more options for access to backend processing systems in addition to the Videotex transaction monitor, the introduction of Java™ -enabled services in addition to or in lieu of HTML-based customer transactions, and further personalization of Web-based customer services.

Concluding Comment. Credit Suisse has implemented Direct Net Internet banking as a part of its "high tech with high touch" strategy for service delivery. Online banking over the Internet, not only for Swiss-based customers but also on a global basis, is a key part of the banking strategy of the future at Credit Suisse. The rapid development and deployment of this secure, easy-to-use, and reliable solution speaks well not only for Credit Suisse but also for the team of IT suppliers who were involved in its implementation.

In a matter of only eight months, Credit Suisse, working with Ergon Informatik AG, Sun Microsystems, Inc., Delta Consulting AG, Innovative Security Systems, Inc., and members of the Sun Professional Services (Sun PS) organization as well as other suppliers, deployed a complete Internet banking service. That service, Direct Net, is secure, reliable, easy to use, and provides a solid foundation for future growth and expansion.

---