HDFC decided to interconnect its branches, it was looking
for the most cost-effective method. The hub and spoke
architecture proved to be beneficial in many ways. by
HDFC Bank had a centralized
IP-based network right since its inception. All branches
across the country converge at their respective zonal
hub location, which in turn conects to the data center
at Chandivili, Mumbai.
Based on the
bank's hub & spoke architecture for the network,
the branches are distributed under different regions
and each major location has a regional hub. The branches
falling under a location connect to the hub at the main
region. These hubs then connect to the central site
(data center) using a combination of 2 Mbps and 64 Kbps
pipes, depending on the total volume of the transactions
that pass through.
C.N. Ram, Head-Information
Technology, HDFC Bank says, "Each branch is connected
to their regional hub, as to connect every branch directly
to the data center involves huge costs. This kind of
architecture helps save cost."
of HDFC Bank's network is the presence of two or more
hubs in one location. "To balance the load and reduce
the dependency on a single line, the bank has two hub
locations within a region to share the load. The branches
are split between the two hubs, so that one hub failure
does not incapacitate all the branches in that region,"
explained C.N. Ram.
A step ahead
In the coming
years HDFC Bank plans to deploy connections, with built-in
redundancy in the network. For example, Madras could
be connected to Bangalore and Kolkata, with all three
of them being connected to Chandivili. Therefore, if
the Kolkata-Chandivili link fails, then Kolkata will
use the Madras link to connect to the Chandivili data
The bank is
also considering alternate connectivity solutions as
VSATs are relatively more expensive, and in remote areas
it is difficult to set up the required infrastructure.
The bank has
tested CDMA and GSM solutions—specially for ATMs as
they consume very small bandwidths.
The bank's servers
have also undergone phases of development inline with
the bank's expansion plans.
The bank started
with applications on SCO-Unix boxes from Compaq almost
eight years back. The software then used was MicroBanker
from i-flex Solutions (then called CITIL). The set-up
supported about 10 branches initially.
"With an expansion
in the number of branches the bank felt the need to
consider Unix/RISC boxes rather than an Intel/SCO Unix
platform, and selected the Sun platform. Since then
the bank has been running applications on a Sun platform,"
said C.N. Ram.
With the growth
in transaction volumes, number of branches and the number
of users the hardware platform has also been upgraded.
Till recent times the database was operating on a direct
attached storage (DAS), and from 1st April 2003 the
bank switched to storage attached network (SAN).
The bank's earliest
server was a Sun Ultra 170; over time it moved to Sun
Ultra 3500, 4500, and then Sun E10 K. Now the applications
run on Sun's Star Fire 15K Server.
The bank uses
separate software for corporate and retail banking as
there was no single package that met both their business
On the corporate
side HDFC Bank started with MicroBanker and then moved
to Flexcube in 2002. They use Flexcube UBS, which operates
on a Compaq Alpha box-GS160. This database was also
on DAS and was moved to SAN over last year (December
2002). The bank uses SAN solutions from Hitachi Data
Systems. On the retail side the bank uses Finware from
The bank did
not face any serious migration issues as they use upgraded
products or new products usually from the same vendors.
The vendors have programs that enable the migration
"When HDFC Bank
had acquired Times Bank in 2000 all the Times Bank customers
were shifted from their package (called Kapiti) to HDFC
Bank's Finware and MicroBanker. We had the vendors develop
the software required to migrate the data from Kapiti
to Finware so that the task for the operating departments
was greatly reduced and the conversion was done in a
short space of three months with minimum disruption
to customer service," said C.N. Ram.
The bank currently
deploys SAN but feels they will need to consider NAS
sometime in the future. According to C. N. Ram the bank's
storage requirement is growing at a rate of four to
five percent every month. With an increase in data volume,
the capacity of the hardware also needs to be updated.
This calls for huge investments as all areas like backup,
disaster recovery and others need to be addressed. The
bank has to store data for seven years as per the RBI
guidelines, and as it is not necessary to store the
data on-line—the bank uses tapes for off-line storage.
The bank anticipates storage costs to come down, and
bulk purchases would be economical.
Disaster Recovery setup
C.N. Ram says,
"Our approach is that we need to protect our data first
as the basis for a business continuity plan."
The bank has
a disaster recovery (DR) site at Chennai. The data at
the main center is replicated in real-time on-line at
the Chennai site. The data is stored on the servers
at the DR site and the database is constantly replenished.
If some disaster was to occur, data (up to the last
second) will be replicated, and be available. This gives
both, the bank and the customer a feeling of security.
Security at HDFC Bank
during the pre-Internet period had more to do with the
internal activities of a business. Right from the early
days technology solutions—like banking applications
for mainframes, AS400 or Unix—had lot of security built-in.
Transactions that are directed from the branch to the
main server are encrypted; there are individual passwords,
and numerous functions have two levels of authorization.
Thus security in banking, to a large extent, is built
into the software or the application itself.
The moment a
business opens up through a medium like Internet, external
security becomes of prime importance. One has to start
considering protection tools like firewalls, IDS, and
others. According to C.N. Ram, it is not enough to take
care of security from the hardware or software perspective,
one needs to have security policies in place, which
will tell you how to review the logs.
that HDFC Bank has a mechanism in place where a third-party
is hired to manage their entire security. This third-party
is constantly onsite looking at logs, making the required
changes, as there are patches and upgrades being constantly
released, and it is imperative to incorporate all of
"You are protecting
the infrastructure, but you also have to keep a vigil
on the logs to see who is trying to attack you or hack
into your system," says Ram. The bank also has safety
measures in terms of who has access, or who is authorized
to access certain
kinds of data.
"Much of the
security deals with the classification of the information
you have. Thus people who are functionally responsible
for a particular area are also responsible for the data
they have. For example, a corporate banking customer
will not have access to retail banking data, and vice-versa.
These are generally built-in the banking packages systems,"
said C.N. Ram. Security is directly related to the business.
The banking systems over the years have been built with
lots of security concern based
on the kind of business they do.
He further added
that security is not limited to hardware and soft-ware—premise
security also plays an equally important role. Physical
access is combined with data access. One has to have
swipe cards to access the area where the data is. Thus
there is lot of emphasis on access control mechanisms,
which is in fact physical security.
can be reached at firstname.lastname@example.org
Today banking is not limited to a branch. People
have lesser time to spend on their banking activities
and would like to avail the banking services through
other channels. In a competitive market where
the services offered command market share, banks
are constantly vying for customers. Banking has
become a process of choice and convenience.
By offering different channels even the banks
have been successful in diverting their operations
from a branch to other channels. The result of
which has been a cut in the cost per transaction
at the branch. An average transaction at the branch
costs around Rs.100; at an ATM it is about Rs.40,
and on the Internet it's around Rs. 20.
"But unfortunately a very small percentage
of the customers out there use the Internet. This
is due to factors like low PC penetration, and
penetration of Internet itself is low. A large
number of our customers use ATMs. Typically 55
percent of our transactions are on the ATM, 30
percent branch, 8 percent on telephone and 7 percent
S.R. Balasubramanian, VP-IT, HDFC Bank explained
the branch set-up procedure. The bank follows
a standard procedure and the entire process is
well streamlined. From the selection of the location,
physical set-up of the branch, the infrastructure
requirements, hardware, software, connectivity,
is all documented to have standardized branches
across the country.
He further explained that they have some regular
vendors for purchases. The bank follows the reverse
auction system, wherein all preferred vendors
are called and a base price is quoted according
to which the vendors quote their prices.
"We have to reach to all areas of the country
and wherever there is an opportunity we have to
identify it, connect and reach our customers.
Earlier it took us around 14-15 days to open a
new branch after the physical set-up was ready,
but now it takes just five days to set up a branch.
The entire process is so well documented and streamlined
that it is easy to roll out a branch," said
The bank follows a similar procedure to roll
Some countries have a credit bureau that collects
information from all banks in the country. It
is mandatory for all financial institutions to
give data to this bureau. If this data is not
exchanged, every bank is vulnerable to fraud.
For example, someone could defraud a particular
bank, then go to another bank for a new account,
and defraud them too.
Thus this bureau plays an important role and
all the banks contribute data to it, which enables
them to screen their new and existing customers
and keep a tab on defaulters.
A similar kind of credit bureau is being setup
in India and it will be called CIBIL (Credit Information
Bureau of India limited). It is a joint venture
between Housing Development Finance Corporation
Ltd. (HDFC), State Bank of India (SBI), Dun &
Bradstreet Information Services India Pvt. Ltd.
(DB) and Trans Union International Inc. (TU).
This system will keep a check on defaultersin
case there is a defaulter with one bank, the chances
of that person getting into another bank are reduced.
Over a period of time all banks are expected
to become members and share data with CIBIL.
According to C.N. Ram, the future is integration
as people will have less time for banking. People
will want to process more transactions on the
Internet. There will be more activity in terms
of applications and services on the mobile. Geography
will not be an inhibitor any more as everything
is executable on the Net.
"Integration is the next real big thing.
As a customer you will want a one-stop shop that
will take care of all your needs. For instance
people will want to buy their mutual funds, redeem
their mutual fund, buy insurance policies, renew
policies, buy cinema tickets, railway tickets,
and numerous similar transactions through the
bank. The ATM will still serve as a cash dispensing
medium, but the Internet and mobile will be very
active," says C.N. Ram.
Cost of infrastructure is coming down considerably.
Service providers are providing alternative routes
to customers and prices are coming down, as there
is healthy competition in the market. Bulk purchases
will result in affordable prices.
With the advent of convergence on mobiles and
PDA's, there is going to be lot more security
built-in on the equipment and the applications
running on them. "The kind of transactions
that are allowed or executed on the mobile phones
are restricted only because we feel that customers
are not confident about the security levels. That
is why we can not open up a lot more transactions
even if we want to. People like to use a particular
technology for some time to get accustomed and
be comfortable using it. Then they decide if they
would continue to use it."
There are many security features that can be
incorporated in the mobile phones as technology
improves. C.N. Ram feels that if people start
developing applications using standards then it
will be easier to put security (encryption) on
the mobile itself. This will enable the communication
between the mobile and the bank server to be secure.
Currently sms (short messaging system) on the
mobile is in the clear. The messages go from the
mobile to the SMSC and from the SMSC they are
sent to HDFC Bank. From the SMSC to the bank the
message can be encrypted but between the SMSC
and the mobile it is in the clear. This leaves
an opening for people to snoop. Thus a password
mechanism on the mobileif it is transmitted
in the cleardefeats the entire purpose of
a password as it is vulnerable and can be hacked.
"Once security on these channels is taken
care of we can offer more and more applications
to our customers," says C.N. Ram.