Internet-Based Financial EDI: The Case of Bank of America and Lawrence Livermore National Laboratory Pilot

By Arie Segev, Jaana Porra, Malu Roldan

URL: http://haas.berkeley.edu/~citm

Email: segev@haas.berkeley.edu

porra@haas.berkeley.edu

roldan@haas.berkeley.edu

Prof. Arie Segev is the Director of the Fisher Center for Information Technology and Management at the Walter A. Haas School of Business, University of California Berkeley. Dr. Jaana Porra and Dr. Malu Roldan serve as Research Fellows at the center. The Fisher Center for Technology focuses on research in electronic commerce and the impact of the Internet on business.

Visit for more related articles at Journal of Internet Banking and Commerce

Abstract

Bank of America (BofA) has used Electronic Data Interchange (EDI) to transmit financial transactions between itself and its customers for years. Until recently, however, BofA has used direct private lines or third-party value-addednetworks (VANs) as the carrier of the EDI data. In 1994, BofA initiated a pilot project with its customer Lawrence Livermore National Laboratory (LLNL) to investigate whether the Internet could be used for secure, reliable, and fast financial EDI (FEDI) transactions. The results of the pilot project, which ended June 30th, 1996, are presented and possible implications are discussed. The results suggest that the Internet is a viable alternative carrier for critical or sensitive business transactions.

Bank of America and Financial EDI

In early 1995, it was estimated that BofA processed on the order of 10million ACH payments per month. Approximately 0.5% (50,000) of these payments are generated by instructions from more than 100 different customers via EDI (Wan, Beam, and Weinrot, 1995). While this percentage is small compared to the bank's total processing volumes, such capabilities are necessary to meet specialized customer demands and to maintain technological leadership. Furthermore, building the capability to handle Financial EDI (FEDI) payments puts the bank into position to profit from the potentially huge market for electronic payments services.

Before the FEDI pilot, BofA used two primary channels -- private networks and VANs -- to transmit FEDI and other EDI transactions between itself and its customers. The Internet presents a seemingly attractive alternative for both of them. It is widely available and reputably inexpensive when compared to VANs. Since the bank already has an Internet connection for other applications, e.g. electronic mail, the incremental cost required to carry EDI traffic over the Internet is minimal. The bank views the flat-fee, volume-independent and time-of-day independent pricing structure of the Internet as one major benefit over other types of networks, like VANs. Because of the large volume of transactions, the bank expects to achieve tangible savings, over the long term, by either redirecting EDI traffic from other channels, generating new customers from current Internet users, or both.

Financial EDI over the Internet Pilot Project

In late 1994, individuals at BofA teamed up with Lawrence Livermore National Laboratories (LLNL) to start a pilot project. The key objective of the project was to demonstrate that it was possible to achieve secure and reliable transmission of sensitive data like payment instructions over the Internet. The pilot was meant to dispel negative perceptions of the Internet held by the general public and the business community. The pilot would be especially valuable in addressing the concerns in the Banking Industry over sending critical financial data over the distributed public networks of the Internet. As discussed above, these perceptions centered primarily on two concerns: security -- that transactions over the Internet were easily intercepted and tampered with, and reliability and speed -- that transactions tended to get lost and/or delayed as they were passed from node to node over the Internet. The FEDI pilot included two phases. The first phase limited the exposure of both LLNL and BofA to the risk of financial loses due to compromised payment instructions. Success with this limited test led to the relaxation of the limits during the second phase of the pilot. The second phase also included volume testing to simulate any problems that might result from a full-scale implementation.

In general, the FEDI pilot system involved the exchange of EDI documents containing payment instructions and acknowledgements. In the pilot system, FEDI based business transactions flowed from the BofA's EDI system, over the corporate network, through a firewall and an e-mail server, over the Internet to LLNL's equivalent system. To achieve security, the documents were processed through servers running PEM/MIME at entry into and exit from each organization's existing network of EDI systems. A system of e-mail and human monitoring tracked messages through the system insuring that payments were completed accurately, and collecting data to assess system performance.

A system of multiple acknowledgements, information matching at LLNL's EDI server, and encryption and signing of all e-mail transmissions containing EDI documents formed the basis for addressing the minimum security requirements concerning confidentiality, authentication, data integrity, nonrepudiation, and selective application of services (Bhimani, 1996; IETF-EDI Working Group, 1993). Confidentiality was achieved using encryption, while a system of digital signatures, encryption and one-way hash functions helped achieve authentication, data integrity and nonrepudiation. Lastly, selective application of services was achieved by transmitting any clear text only through dedicated network lines. Any text that went through shared networks like the Internet was encrypted and digitally signed as PEM/MIME documents.

Results

Security. In the assessment of participants from both BofA and LLNL, the results of the pilot provided support for the viability of the secure and timely transmission of sensitive information over the Internet. Most of this support comes from the finding that none of the problems with payment transmissions were due to any breach of the network or tampering with the messages being transmitted. Most of the problems encountered during the pilot were due to non-recurring software and procedural issues that were resolved. Problems stemming from the situation where Bof's PEM server was a shared, non-production machine are expected to be alleviated when the process moves to the dedicated interim system in the next few months.

Reliability. No messages were lost in transit between BofA and LLNL. Any reliability problems encountered occurred at the internal systems of the pilot partners. The reliability measures also showed that, despite delays and problems, information on payment instructions, acknowledgements, and payments remained consistent. This suggests to the participants that, given the security measures used and despite its decentralized nature, the Internet has the capability to accurately transmit critical data like payment instructions.

Speed. The results of volume testing showed that as the number of payment instructions contained in a message increased, processing time increased. The total processing time ranged from 11 minutes for messages containing zero to five instructions, to 58 minutes for those containing 1000 instructions. However, this increase can be attributed to the increased time required to process the instructions and not to increases in the time required for transmission of the email message over the Internet.

For the pilot participants, the results of the pilot testing showed that many of the problems of security, reliability and timeliness stemmed from problems with their own FEDI systems and not from the use of the Internet as a transmission channel. The pilot participants were satisfied that the system of acknowledgements, cross-checks, and encryption/decryption processes provided a level of performance that is acceptable for sending sensitive information

Conclusions

Today, the project group is confident about the future of EDI. As a large corporation, BofA has the opportunity to influence the shape and form EDI will take. As a member of CommerceNet, BofA is participating in the ongoing development of inter-organizational standards of which EDI is one. The bank is also involved in several other standardization activities. As a large organization, BofA is also an attractive partner in development of more open EDI solutions by software and hardware vendors interested in the area. It is likely that EDI will evolve toward easier to use solutions as inter-organizational standards are implemented in environments such as the WWW and the Internet, influenced by corporations such as BofA and its customers.

(The full report can be found at the Fisher Center for Technology: http://haas.berkeley.edu/~citm/EDI-proj.html )

(A longer summary of the report is published in EDI Forum: The Journal of Electronic Commerce at http://www.premenos.com/t.edigroup/)