Archives ||  About Us ||  Advertise ||  Feedback ||  Subscribe-
Issue of May 2003 
[an error occurred while processing this directive]
 Home > Cover Story
 Print Friendly Page ||  Email this story

Tech Update: Technology in Banking
Technology converges at HDFC Bank

When HDFC decided to interconnect its branches, it was looking for the most cost-effective method. The hub and spoke architecture proved to be beneficial in many ways. by Minu Sirsalewala

HDFC Bank had a centralized IP-based network right since its inception. All branches across the country converge at their respective zonal hub location, which in turn conects to the data center at Chandivili, Mumbai.


Based on the bank's hub & spoke architecture for the network, the branches are distributed under different regions and each major location has a regional hub. The branches falling under a location connect to the hub at the main region. These hubs then connect to the central site (data center) using a combination of 2 Mbps and 64 Kbps pipes, depending on the total volume of the transactions that pass through.

C.N. Ram, Head-Information Technology, HDFC Bank says, "Each branch is connected to their regional hub, as to connect every branch directly to the data center involves huge costs. This kind of architecture helps save cost."

A highlight of HDFC Bank's network is the presence of two or more hubs in one location. "To balance the load and reduce the dependency on a single line, the bank has two hub locations within a region to share the load. The branches are split between the two hubs, so that one hub failure does not incapacitate all the branches in that region," explained C.N. Ram.

A step ahead

In the coming years HDFC Bank plans to deploy connections, with built-in redundancy in the network. For example, Madras could be connected to Bangalore and Kolkata, with all three of them being connected to Chandivili. Therefore, if the Kolkata-Chandivili link fails, then Kolkata will use the Madras link to connect to the Chandivili data center.

The bank is also considering alternate connectivity solutions as VSATs are relatively more expensive, and in remote areas it is difficult to set up the required infrastructure.

The bank has tested CDMA and GSM solutions—specially for ATMs as they consume very small bandwidths.

The bank's servers have also undergone phases of development inline with the bank's expansion plans.


The bank started with applications on SCO-Unix boxes from Compaq almost eight years back. The software then used was MicroBanker from i-flex Solutions (then called CITIL). The set-up supported about 10 branches initially.

"With an expansion in the number of branches the bank felt the need to consider Unix/RISC boxes rather than an Intel/SCO Unix platform, and selected the Sun platform. Since then the bank has been running applications on a Sun platform," said C.N. Ram.

With the growth in transaction volumes, number of branches and the number of users the hardware platform has also been upgraded. Till recent times the database was operating on a direct attached storage (DAS), and from 1st April 2003 the bank switched to storage attached network (SAN).

The bank's earliest server was a Sun Ultra 170; over time it moved to Sun Ultra 3500, 4500, and then Sun E10 K. Now the applications run on Sun's Star Fire 15K Server.

Banking applications

The bank uses separate software for corporate and retail banking as there was no single package that met both their business requirements.

On the corporate side HDFC Bank started with MicroBanker and then moved to Flexcube in 2002. They use Flexcube UBS, which operates on a Compaq Alpha box-GS160. This database was also on DAS and was moved to SAN over last year (December 2002). The bank uses SAN solutions from Hitachi Data Systems. On the retail side the bank uses Finware from i-flex solutions.

The bank did not face any serious migration issues as they use upgraded products or new products usually from the same vendors. The vendors have programs that enable the migration or upgrades.

"When HDFC Bank had acquired Times Bank in 2000 all the Times Bank customers were shifted from their package (called Kapiti) to HDFC Bank's Finware and MicroBanker. We had the vendors develop the software required to migrate the data from Kapiti to Finware so that the task for the operating departments was greatly reduced and the conversion was done in a short space of three months with minimum disruption to customer service," said C.N. Ram.


The bank currently deploys SAN but feels they will need to consider NAS sometime in the future. According to C. N. Ram the bank's storage requirement is growing at a rate of four to five percent every month. With an increase in data volume, the capacity of the hardware also needs to be updated. This calls for huge investments as all areas like backup, disaster recovery and others need to be addressed. The bank has to store data for seven years as per the RBI guidelines, and as it is not necessary to store the data on-line—the bank uses tapes for off-line storage. The bank anticipates storage costs to come down, and bulk purchases would be economical.

Disaster Recovery setup

C.N. Ram says, "Our approach is that we need to protect our data first as the basis for a business continuity plan."

The bank has a disaster recovery (DR) site at Chennai. The data at the main center is replicated in real-time on-line at the Chennai site. The data is stored on the servers at the DR site and the database is constantly replenished. If some disaster was to occur, data (up to the last second) will be replicated, and be available. This gives both, the bank and the customer a feeling of security.

Security at HDFC Bank

Pre-Internet banking

Security concerns during the pre-Internet period had more to do with the internal activities of a business. Right from the early days technology solutions—like banking applications for mainframes, AS400 or Unix—had lot of security built-in. Transactions that are directed from the branch to the main server are encrypted; there are individual passwords, and numerous functions have two levels of authorization. Thus security in banking, to a large extent, is built into the software or the application itself.

Internet banking

The moment a business opens up through a medium like Internet, external security becomes of prime importance. One has to start considering protection tools like firewalls, IDS, and others. According to C.N. Ram, it is not enough to take care of security from the hardware or software perspective, one needs to have security policies in place, which will tell you how to review the logs.

Ram informs that HDFC Bank has a mechanism in place where a third-party is hired to manage their entire security. This third-party is constantly onsite looking at logs, making the required changes, as there are patches and upgrades being constantly released, and it is imperative to incorporate all of these.

"You are protecting the infrastructure, but you also have to keep a vigil on the logs to see who is trying to attack you or hack into your system," says Ram. The bank also has safety measures in terms of who has access, or who is authorized to access certain
kinds of data.

"Much of the security deals with the classification of the information you have. Thus people who are functionally responsible for a particular area are also responsible for the data they have. For example, a corporate banking customer will not have access to retail banking data, and vice-versa. These are generally built-in the banking packages systems," said C.N. Ram. Security is directly related to the business. The banking systems over the years have been built with lots of security concern based
on the kind of business they do.

He further added that security is not limited to hardware and soft-ware—premise security also plays an equally important role. Physical access is combined with data access. One has to have swipe cards to access the area where the data is. Thus there is lot of emphasis on access control mechanisms, which is in fact physical security.

Minu Sirsalewala can be reached at

Banking through multi-channels
Today banking is not limited to a branch. People have lesser time to spend on their banking activities and would like to avail the banking services through other channels. In a competitive market where the services offered command market share, banks are constantly vying for customers. Banking has become a process of choice and convenience.

By offering different channels even the banks have been successful in diverting their operations from a branch to other channels. The result of which has been a cut in the cost per transaction at the branch. An average transaction at the branch costs around Rs.100; at an ATM it is about Rs.40, and on the Internet it's around Rs. 20.

"But unfortunately a very small percentage of the customers out there use the Internet. This is due to factors like low PC penetration, and penetration of Internet itself is low. A large number of our customers use ATMs. Typically 55 percent of our transactions are on the ATM, 30 percent branch, 8 percent on telephone and 7 percent Internet."

Rolling out new branches
S.R. Balasubramanian, VP-IT, HDFC Bank explained the branch set-up procedure. The bank follows a standard procedure and the entire process is well streamlined. From the selection of the location, physical set-up of the branch, the infrastructure requirements, hardware, software, connectivity, is all documented to have standardized branches across the country.

He further explained that they have some regular vendors for purchases. The bank follows the reverse auction system, wherein all preferred vendors are called and a base price is quoted according to which the vendors quote their prices.

"We have to reach to all areas of the country and wherever there is an opportunity we have to identify it, connect and reach our customers. Earlier it took us around 14-15 days to open a new branch after the physical set-up was ready, but now it takes just five days to set up a branch. The entire process is so well documented and streamlined that it is easy to roll out a branch," said S.R. Bala.

The bank follows a similar procedure to roll out ATM's.

Interesting development
Some countries have a credit bureau that collects information from all banks in the country. It is mandatory for all financial institutions to give data to this bureau. If this data is not exchanged, every bank is vulnerable to fraud. For example, someone could defraud a particular bank, then go to another bank for a new account, and defraud them too.

Thus this bureau plays an important role and all the banks contribute data to it, which enables them to screen their new and existing customers and keep a tab on defaulters.

A similar kind of credit bureau is being setup in India and it will be called CIBIL (Credit Information Bureau of India limited). It is a joint venture between Housing Development Finance Corporation Ltd. (HDFC), State Bank of India (SBI), Dun & Bradstreet Information Services India Pvt. Ltd. (DB) and Trans Union International Inc. (TU). This system will keep a check on defaulters—in case there is a defaulter with one bank, the chances of that person getting into another bank are reduced.

Over a period of time all banks are expected to become members and share data with CIBIL.

Future of banking and technology
According to C.N. Ram, the future is integration as people will have less time for banking. People will want to process more transactions on the Internet. There will be more activity in terms of applications and services on the mobile. Geography will not be an inhibitor any more as everything is executable on the Net.

"Integration is the next real big thing. As a customer you will want a one-stop shop that will take care of all your needs. For instance people will want to buy their mutual funds, redeem their mutual fund, buy insurance policies, renew policies, buy cinema tickets, railway tickets, and numerous similar transactions through the bank. The ATM will still serve as a cash dispensing medium, but the Internet and mobile will be very active," says C.N. Ram.

Cost of infrastructure is coming down considerably. Service providers are providing alternative routes to customers and prices are coming down, as there is healthy competition in the market. Bulk purchases will result in affordable prices.

Security trends
With the advent of convergence on mobiles and PDA's, there is going to be lot more security built-in on the equipment and the applications running on them. "The kind of transactions that are allowed or executed on the mobile phones are restricted only because we feel that customers are not confident about the security levels. That is why we can not open up a lot more transactions even if we want to. People like to use a particular technology for some time to get accustomed and be comfortable using it. Then they decide if they would continue to use it."

There are many security features that can be incorporated in the mobile phones as technology improves. C.N. Ram feels that if people start developing applications using standards then it will be easier to put security (encryption) on the mobile itself. This will enable the communication between the mobile and the bank server to be secure. Currently sms (short messaging system) on the mobile is in the clear. The messages go from the mobile to the SMSC and from the SMSC they are sent to HDFC Bank. From the SMSC to the bank the message can be encrypted but between the SMSC and the mobile it is in the clear. This leaves an opening for people to snoop. Thus a password mechanism on the mobile—if it is transmitted in the clear—defeats the entire purpose of a password as it is vulnerable and can be hacked.

"Once security on these channels is taken care of we can offer more and more applications to our customers," says C.N. Ram.

- <Back to Top>-  

© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.
This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Bombay) Limited. Site managed by BPD.