• Data Protection Compliance is the Quality System where by the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
• Information Quality programmes involve, by definition, the implementation of a Quality Management System
• Information/Data Governance… well, that’s another form of Quality Management System
• Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance. Because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s 1st two points of Management Transformation are not “Write documents” or “Get good technology”: They is “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W.Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

A lack of awareness about the operation and objectives of the Quality System and what it meant as a value system meant that no-one in the plant seems to have questioned the operation of the Quality System.

Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.

The law

There are a few pieces of legislation in Ireland that would come into play here:

1. The Data Protection Acts 1988 and 2003
2. The Criminal Damage Act 1991
3. The Criminal Justice (Theft and Fraud Offences) Act 2001
4. The Postal and Telecommunications Services Act 1983
5. Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
6. The ePrivacy Regulations 2011 (http://www.dataprotection.ie/documents/legal/SI336of2011.pdf)

The Data Protection Acts

The Data Protection Acts require that personal data be obtained and processed fairly.

Journalistic exemptions to this and other provisions of the Acts exist under s22A, but only insofar as there is an actual intent to publish a story or other work based on the information which has been obtained. So… if a journalist and/or a private eye in the pay of a newspaper were to obtain personal information about Celebrity A on foot of a fishing trip through the voicemails of celebrities A through F when there was no intent to publish a story about Celebrity A until such time as the information was obtained, then the journalist might not be able to rely on their exemptions under the Acts. The protection of the right to Freedom of Expression is only protected where there is an intent to actually express something, and if the publication of that story is in the Public Interest (which is a thorny topic I won’t delve into here).

Criminal Damages Act 1991 and Criminal Justice (Theft & Fraud Offences) Act 2001

Journalists who engage in unauthorised access to voicemails may also be committing an offence under the Criminal Damages Act 1991. This Act makes it an offence to access information without authorisation and to modify that information whether or not that modification has an adverse effect. Listening to a voicemail modifies the content and nature of the information (at the very minimum changing a flag from “new” to “listened to”. The Act does make use of the word “computer”, which would suggest to a lay person that it would only be an issue if a device meeting the traditional view of a computer was used. However the term is undefined and as such it is open-ended as to what type of device might meet the legal test of a “computer”. In that regard, the definition applied in the Data Protection Acts (“a device operating automatically in response to instructions”) might be relevant.

So… accessing a voice mail box (which is itself stored on a device operating automatically in response to instructions computer of some sort) without permission and listening to the recording is likely to be a criminal offence in Ireland, given the breadth of the definitions in play.

This is doubly so when the Criminal Justice (Theft and Fraud Offences) Act is taken into consideration. It provides for an offence of “dishonestly” using a computer or causing a computer to be used within the jurisdiction of the State. The big question to answer here is

• What’s a computer?
• What’s dishonest?

It might be argued that going on a fishing trip for personal data without any prior formed intent to publish a specific story about a specific individual could constitute dishonesty.

The 1983 and 1993 Acts

Section 98 of the 1983 Act deals, in the first instance, with a general prohibition on the interception of “telecommunications messages”. In short… it’s illegal except in certain defined circumstances. Interception is defined as being

“listening to, or recording by any means, or acquiring the substance or purport of, any telecommunications message without the agreement of the person on whose behalf that message is transmitted by the company and of the person intended by him to receive that message”

The term “telecommunications message” is not actually defined in the legislation, which creates an interesting situation when you consider that this Act was drafted in the early 1980s when there was no digital voice mail, no email, limited use of fax services, and (importantly) when there was only one company laying cable and connecting people to a telecommunications network in Ireland. Significantly, the 1983 Act only applies to telecommunications services which require a license… which would exclude a lot of on-line communications tools such as VOIP, web-based email or IM chat.

The 1993 Act deals essentially with phone tapping and interception of postal packets. The legislation is couched in terms suggesting that data at rest (e.g. a voice mail recording sitting on a server or an email sitting in in a mail host somewhere) may not be covered.

Digital Rights Ireland argued in 2009 that the framework in place under the 1983 and 1993 legislation most likely did not cover most on-line activities and as such there was, strictly speaking, no clear legislative prohibition on the interception of SMS, email, VOIP etc., technologies which simply did not exist at the time the legislation was being drafted and as such probably left the State falling short of their obligations under the ePrivacy Directive.

The European Commission rejected DRI’s submission at the time

Electronic Privacy Regulations

The new electronic Privacy Regulations place mobile phone operators in an interesting position with regards to phone hacking. The means by which voicemails were accessed, in the main, appears to have been default voicemail passwords being left unchanged. This is a security weakness in mobile phones and, for that matter, fixed line services which provide a voice mailbox service.

For example, for most mobile phone operators, the default password for a voicemail account is 0000. In many fixed line systems, the password might be 1234. Failing to change this password leaves the data which is being recorded in the mailbox unsecure.

The complication in Irish law for the telcos is that section 4 of the EPrivacy Regulations (SI 336 of 2011) requires providers of electronic communications services to

1. Ensure appropriate security safeguards so that data is only accessed by authorised persons, with respect to the state of the art and cost of implementing (section 4(1))
2. Ensure that the security measures can protect against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage, processing, access or disclosure (section 4(2)(b))

Section 4(4) is the doozy I feel.

In the case of a particular risk of a breach of the security of the public communications network, the undertaking providing the publicly available electroniccommunications service shall inform its subscribers concerning such risk without delay and, where the risk lies outside the scope of the measures to betaken by the relevant service provider, any possible remedies including an indicationof the likely costs involved.

My reading of that section is that mobile phone and landline operators who apply default passwords to voicemail accounts need to be more proactive about alerting customers to the risk and, ideally,  implement a process which mitigates or eliminates the risk (such as having a randomly assigned password associated to a voicemail that is SMS’d or posted to the customer – just like bank security codes for on-line banking). I’ve asked the Data Protection Commissioner about it and it appears that my reading is, by and large, correct.

And as the SI implements an EU wide directive this could get interesting in light of the NoTW noises.

Conclusion

The world of telecommunications and person to person linking using tools like VOIP, SMS, Instant messaging, voice mail, email, and “Unified Communications” which we find ourselves in today was almost unimaginable even fifteen years ago. I can recall when I started working with a large telco in the summer of 1997 that digital voice mail was a massively new fangled thing, had you told me that I would be getting voicemails emailed to me from a virtual VOIP phone system which I could open and read or listen to on my mobile phone I’d probably have laughed.

But that is what we do every day now.

The legislation may not have kept pace. However, where the legislation has caught up, providers of telecommunications services need to do their bit to raise awareness and understanding of how the world may have outstripped the law (at least for now).

I invite any comments or corrections from more learned colleagues.

But my experience in getting the phone sums up the difference between the CRM success of the Vodafone retail store and the CRM insanity of the Vodafone Retail policy.

No Sims at the Inn

It turned out that though they had a phone in stock they didn’t have microsims in stock in the shop. Not a show stopper. The manager went to Carphone Warehouse and got one from them for me while his team sorted the phone out and upsold me a case.

What a clever win. Very little effort for him to do so. Kept me in store longer. I will buy from them again soon (I need a bluetooth kit for the baby-carrier car). I will tell the story of how they didn’t let a stock issue prevent them from satisfying a customer.

A1 service. It counterbalances my experience on Friday when they told me they had no phones (now I know they were acting under orders).

Tweet happens

Having had no satisfaction over the last few weeks with Vodafone on the phone (or for that matter in store), it took posts on twitter to get the issue resolved. And it was resolved fast. Less than 3 hours later I have the phone that 4 hours ago I believed I was not going to be able to get.

So, Tweet happens.

But it shouldn’t. It shouldn’t take an angry customer writing an analytical breakdown of their customer value and posting it to twitter (and Facebook) to get action. That is just wrong as it requires the customer to push for what they are entitled to, and it means that the loudest shoutiest customer gets things done.

A better way?

As I stood in the Vodafone store today I noticed how they are doing lots of product pricing offers for customers of both mobile and fixed line business. They should perhaps consider using that as a criteria for rationing phones where supply issues exist. If you are a customer of both, you get preferential treatment for stock. Because you are WORTH more. A customer of the mid-tier Perfect Choice Access package for mobile and a moderate broadband package is worth the better part of €2000 a year to Vodafone just in line rental and connection. They should take preference over virtual customers with an unquantified value.

That’s just a thought.

I have upgraded the SIM (which should have been done by Voda when I got the phone but wasn’t).

Vodaphone have been telling me for the past few weeks that they have no stock. Carphone Warehouse today told me they have stock, just not for existing customers.

This makes very little sense to me.

In effect I’m walking up to Vodafone and saying “hey, I’d like to be handcuffed to you to the tune of at least €720 over the next 12 or 18 months.”

Vodafone are saying “feck off, we are holding out for someone else who MIGHT come along at some point in the future, we don’t know when.”

Of course, the policy doesn’t seem to take into account that I’m a home phone customer and a mobile broadband customer.

That’s another €1000 approx per year just in rental. and I’m out of contract on those too… No barrier to migration.

It doesn’t take into account that my wife is on Vodafone as well. Another €720 per year approx. She’s out of contract soon too.

It doesn’t take into account that I’m an ‘influencer’ on the mobile provider purchasing for about 10 other people. All of whom are up for renewal soon. That’s around another €700 per person.

Then let’s take into account that I’m a blogger and a tweeter with a large network. No direct bottom line impact but there is brand impact.

So. I’m actually worth about a measurable €10000 to Vodafone.

Versus the speculative €700 plus an unknown that the new connection (who incidentally isn’t actually buying iPhones at the moment) might be worth.

Carphone Warehouse told me that in the past week they’ve had a number of customers who have cancelled Vodafone contracts for just this reason.

So, does the revenue from one speculative customer outweigh the value of a half dozen existing customers?

I would love to see the data that says it does.

As markets mature the focus on new customer acquisition metrics becomes increasingly sociopathic and inappropriate. Managing churn is a big challenge in telco. Creating policies that effectively mandate churn is just insane CRM.

As markets mature the focus needs to be on retaining where the cost of doing so is less than the revenue (and it usually is) or where the strategic value of locking the customer in is worth investing.

As markets mature the focus has to shift to moving customers up the value chain and maximising share of wallet to underpin ARPU.

Vodafone had me in lockin across 3 markets. I was happy enough with costs. I was probably going to purchase additional services for my business.

Now they don’t. And my € 10000 per year customer value will be going to other operators over the coming weeks. Starting with the €1200 I personally spend on mobile and fixed line communications.

Idiots.

It is probably an easy fix, but it does raise a question about the build quality on Dell laptops when one of the “home” keys for touch typing can come loose so easily.

But it is just one key. Surely not a big thing? I suppose that is a valid view. But often quality and perception of quality hangs on how the small stuff works.

• The hotel might be great, but there’s no coffee with the in-room tea and coffee facilities (I like to make a cup of very strong coffee first thing in the morning when travelling for work)
• The flight might be fine, but the hot sandwich you wanted to order from the attendants wasn’t in stock
• A broken keyboard stops you typing “jumping jeosophat”

A while ago I wrote an article for the IAIDQ about the “long tail of risk”, or the long tail of quality. My basic premise in the article was that as you tackle the big issues of quality and risk in Information, the smaller issues become increasingly important, so there is increasing value to be found in the “long tail” of issues.

That’s why “Zero Defects”, while in part a wonderful slogan, is in fact a valuable goal to set for Quality Management. Setting your sights lower means you are accepting inevitable mediocrity. Why do I say this? Well, simply because the common argument against zero defects is that it is unattainable as a goal (it’s not) and compromises need to be made (they often do). However, if you set your target at 99.9% defect free, you’ll still find compromises being made (“we’ll aim for 60% this quarter and increase again next quarter”) and fudges being introduced.

I saw a great presentation a few weeks ago from a Clinical Quality lead from the UK NHS. He gave some great statistics as to what 99.999% quality means:

• 6200 ATM errors per week in the UK
• 18 fatal airline crashes per year, in the UK
• 2 children given to the wrong parents every day, in the UK

So. My faulty key might be one component out of 108 on the keyboard and many thousands in the laptop. But it being broken has soured my experience and reduced my perception of quality of the laptop as a whole. While it isn’t up there with a fatal airline crash, it does bug me.

(As an aside, it’s interesting to note that Qantas are considering suing Rolls Royce for a minor defect in the engines of the A380 Airbus which lead to oil leakage and an engine fire. It’s only a small thing, but…)

The general format of the event was that a few of the IAIDQ Directors shared stories from their personal experiences or professional insights and extrapolated out what the landscape might be like in 2014 (the 10th anniversary of the IAIDQ).

A key factor in all of the stories that were shared was the need to focus on the needs of your information customer, and the fact that the information customer may not be the person who you think they are. More often than not, failing to consider the needs of your information customers can result in outcomes that are significantly below expectations.

One of my favourite legal maxims is Lord Atkin’s definition of who your ‘neighbour’ is who you owe legal duties of care to. He describes your ‘neighbour’ as being anyone who you should reasonably have in your mind when undertaking any action, or deciding not to take any action. While this defines a ‘neighbour’ from the point of view of litigation, I think it is also a very good definition of your “customer” in any process.

Recently I had the misfortune to witness first hand what happens when one part of an organisation institutes a change in a process without ensuring that the people who they should have reasonably had in their mind when instituting the change were aware that the change was coming.

My wife had a surgical procedure and a drain was inserted for a few days. After about 2 days, the drain was full and needed to be changed. The nurses on the ward couldn’t figure out how to change my wife’s drain because the drain that had been inserted was a new type which the surgical teams had elected to go with but which the ward nurses had never seen before.

For a further full day my wife suffered the indignity of various medical staff attempting to figure out how to change the drain.

1. There was no replacement drain of that type available on the ward. The connections were incompatible with the standard drain that was readily available to staff on the ward and which they were familiar with.
2. When a replacement drain was sourced and fitted, no-one could figure out how to actually activate the magic vacuum function of it that made it work. The instructions on the device itself were incomplete.

When the mystery of the drain fitting was eventually solved, the puzzle of how to actually read the amount of fluid being drained presented itself, which was only of importance as the surgeon had left instructions that the drain was to be removed once the output had dropped below a certain amount. The device itself presented misleading information, appearing to be filled to one level but when emptied out in fact containing a lesser amount (an information presentation quality problem one might say).

The impacts of all this were:

• A distressed and disturbed patient increasingly worried about the quality of care she was receiving.
• Wasted time and resources pulling medical staff from other duties to try and solve the mystery of the drain
• A very peeved and increasingly irate quality management blogger growing more annoyed at the whole situation.
• Medical staff feeling and looking incompetent in front of a patient (and the patient’s family)

Eventually the issues were sorted out and the drain was removed, but the outcome was a decidedly sub-optimal one for all involved. And it could have been easily avoided had there been proper communication about the change to the ward nurses and the doctors in the department from the surgical teams when they changed their standard. Had the surgical teams asked the question of who should they have in their minds to communicate with when taking an action, surely the post-op nurses should have featured in there somewhere?

I would be tempted to say “silly Health Service” if I hadn’t seen exactly this type of scenario play out in day to day operations and flagship IT projects during the course of my career. Whether it is changing the format of a spreadsheet report so it can’t be loaded into a database or filtered, changing a reporting standard, changing meta-data or reference data, or changing process steps, each of these can result in poor quality information outcomes and irate information customers.

So, while information quality is defined from the perspective of your information customers, you should take the time to step back and ask yourself who those information customers actually are before making changes that impact on the downstream ability of those customers to meet the needs of their customers.

1. They claim to have had the scoop on this story (no, it was Tuppenceworth.ie and IQTrainwrecks.com)
2. They have “experts” (unnamed ones) who tell them that the actual number of impacted customers over the weekend could be up to 200,000.
3. “Some other banks admitted there have been cases where Laser payments have mistakenly gone through on the double. But they said they have not had any serious problems.” (BOI had that angle on the issue back in June).
4. The bank cannot guarantee that it won’t happen again.

I’ll leave points one to three for another time and focus at this point (as my bus to Dublin leaves soon) on the matter of the Bank of Ireland not being able to guarantee that it won’t happen again.

The Nature of Risk

Fair play to BOI for admitting that they can’t guarantee that this problem won’t happen again. It has happened before (in May), it has happened now, it is only prudent to say that it may happen again.

But are they not able to guarantee that it won’t happen again because they understand the causes of this problem, have properly mapped the process and information flows, understand the Happy Path and Crappy Path scenarios and the triggering factors for them  and have established robust detective and preventative controls on the information processes to prevent or flag errors to have a foolproof process but are hedging their bets against the occurence of idiots?  In that case, they have a managed process which will (hopefully) have effective governance structures around it to embed a quality culture that promotes early warning and prompt action to address the incidence of idiots which inevitably plagues fool proof processes.

Or are they unable to guarantee it won’t happen again because they lack some or all of the above?

Again I am forced to fall back on tortured analogies to explain this I fear.

A few years ago I had an accident in my car. I am unable to guarantee that for the rest of my driving life I won’t have another accident. Hence I have taken out insurance. However, I have also taken a bit of time to understand how the first accident occured and modified my driving to improve my ability to control the risk of accident. Hence I am able to get insurance.

Had I not modified my driving the probability of the same type of accident occuring would have been high, and as a result the cost of my insurance would be higher (no no-claims bonus for example).

However, because I understand the “Happy Path” I want to travel on when driving and also understand the Crappy Path that I can wind up on if I don’t take the appropriate care and apply the appropriate controls (preventative and detective) on how I drive I haven’t had an accident since I reversed into the neighbour’s car many moons ago.

I can’t guarantee it won’t happen again, but that is because I understand the nature of the risk and the extent to which I can control it, not because I am blissfully unaware of what is going on when I’m driving.

Information Quality and Trust

What does this idea of Information Quality and Trust mean? Well, the Indo put it very well this morning:

Revelations about the Laser card glitch, disclosed in yesterday’s Irish Independent, have shaken confidence in banks’ payments systems at a time when people are nervous about all financial transactions.

As I have said elsewhere, information is the key asset that fuels business and trade and is a key source of competitive advantage. In a cashless society it is not money that moves between bank accounts when you buy something, it is bits of information. Even when you take money from an ATM all you are really doing is turning the electronic fact into the physical thing it describes – €50 in your control to spend as you will.

When the quality of information is called into question there is an understandable destruction of trust. “The facts don’t stack up”…. “the numbers don’t add up”… these are common exasperated comments one can often hear, usually accompanied by a reduction in trust in what you are being told or a reluctance to make a decision on that information.

Somewhat ironically, it is the destruction of trust in the information around sub-prime mortgage lending and the bundled loan products that banks started trading to help spread their risk of in mortgage lending that has contributed to the current economic situation.

In the specific case of Bank of Ireland and the Laser card problems, the trust vacuum is compounded by

• The bank’s failure to acknowledge the extent or timescale of the issue
• The bank’s apparent lack of understanding of how the process works or where it is broken. [Correction & Update: Yesterday's Irish Daily Mail says that the Bank does know what caused the problem and is working on a solution. The apparent cause is very similar to the hypotheses I set out in the post  previous to this one.]

This second one isn’t helped unfortunately by the fact that these issues can sometimes be complex and the word count available to a journalist is not often amenable to a detailed treatise on the finer points of batch processing transactions and error handling in complex financial services products.

That’s why it is even more important for the bank to be communicating effectively here in a way that is customer focussed not directed towards protecting the bank.

To restore trust, Bank of Ireland (and the other banks involved in Laser) needs to

1. Demonstrate that they know how the process works… give a friendly graphic showing the high level process flow to the media (or your friendly neighbourhood voice of reason blogger). Heck, I’d even draw it for them if they would talk to me.
2. From that simple diagram work out the Happy Path and Crappy Path scenarios. This may require a more detailed drill down than they might want to publish, but it is necessary. (they don’t need to publish the detail though).
3. Once the Happy and Crappy paths are understood, identify what controls you currently have in place to keep things on the Happy Path. Test these controls. Where controls are lacking or absent, invest ASAP in robust controls.

The key thing now is that the banking system needs to be able to demonstrate that it has a handle on this to restore Trust. The way to do this is to ensure that the information meets the expectations of the customer.

I am a BOI customer. I expect to only pay for my lunch once. Make it so

What is LASER?

For the benefit of people reading this who aren’t living and working in Ireland I’ll very quickly explain what LASER card is.

LASER is a debit card system which operates in Ireland. It is in operation in over 70,000 businesses in Ireland. It is operated by Laser Card Services Ltd. Laser Card Services is owned by seven of Ireland’s financial services companies (details here) and three of these offer merchant services to Retailers (AIB, Bank of Ireland, and Ulster Bank). In addition to straightforward payment services, LASER allows card holders to get “cashback” from retailers using their card.

There are currently over 3million Laser Cardholders nationwide, who generated more than €11.5billion in retail sales in 2008. On average, over 300 Laser card transactions are recorded per minute in Ireland.

How it works (or at least the best stab I can get at it)

As Jennifer Aniston used to say in that advert… “now for the science bit”. Children and persons of a sensitive disposition should look away now.

One problem I’ve encountered here is actually finding any description of the actual process that takes your payment request (when you put your card in the reader and enter your pin) , transfers the money from you to the retailer, and then records that transaction on your bank statement.  Of course, there are valid security reasons for that.

So, I’ve had to resort to making some educated guesses based on my experience in information management and some of the comments in the statement I received from Bank of Ireland back in June. If I have any of this wrong, I trust that someone more expert than me will provide the necessary corrections.

1. The card holder presents their card to the retailer and puts it in the card reader. The card reader pulls the necessary account identifier information for the card holder for transmission to the LASER processing system (we’ll call this “Laser Central” to avoid future confusion).
2. The retailer’s POS (point of sale) system passes the total amount of the transaction, including any Cashback amount and details of the date, time, and retailer, to the Laser card terminal.  Alternatively, the Retailer manually inputs the amount on the Laser POS terminal.
3. This amount and the amount of the transaction is transmitted to the Laser payment processing systems.
4. ‘Laser Central’ then notifies the cardholder’s bank which places a “hold” on an amount of funds in the customer’s account. This is similar in concept to the “pre-authorisation” that is put on your credit card when you stay in a hotel.
5. At a later stage, ‘Laser Central’ transmits a reconciliation of transactions which were actually completd to the Laser payment processing sytem. This reconciliation draws down against the “hold” that has been put on funds in the card holder’s account, which results in the transaction appearing on the card holder’s bank statement.

Point 5 explains why it can sometimes take a few days for transactions to hit your account when you pay with your laser card.

The Problem

The problem that has been reported by Bank of Ireland today and which was picked up on by Simon over at Tuppenceworth.ie in May is that customers are being charged twice  for transactions. In effect, the “hold” is being called on the double.

Back in May, Bank of Ireland explained this as being (variously):

• A problem caused by a software upgrade
• A problem caused by retailers not knowing how to use their terminals properly
• A combination of these two

The Software Upgrade theory would impact on steps 3,4, and 5 of the “strawman” Laser process I have outlined above. The Retailer error theory would impact on steps 1 and 2 of that process, with potentially a knock on onto step 5 if transactions are not voided correctly when the Retailer makes an error.

But ultimately, the problem is that people are having twice as much money deducted from their accounts, regardless of how it happens in the course of this process. And as one of the banks that owns and operates Laser Card Services, Bank of Ireland has the ability to influence the governance and control of each step in the process.

The Risk of Poor Information Quality

Poor quality information is one of the key problems facing businesses today. A study by The Data Warehousing Institute back in 2002 put the costs to the US economy at over US$600billion. Estimated error rates in databases across all industries and from countries around the world range between 10% and 35%. Certainly, at the dozens of confernces I’ve attended over the years, no-one has ever batted an eyelid when figures like this have been raised. On a few occasions delegates have wondered who the lucky guy was who only had 35% of his data of poor quality.

The emerging Information Quality Management profession world wide is represented by the International Association for Information & Data Quality (IAIDQ).

Information Quality is measured on a number of different attributes  (some writers call these Dimensions). The most common attributes include:

• Completeness (is all the information you need to have in a record there?)
• Consistency (do the facts stack up against business rules you might apply- for example, do you have “males” with female honorifics? Do you have multiple transactions being registered against one account within seconds of each other or with the same time stamp?)
• Conformity (again, a check against business rules  - does the data conform to what you would expect. Letters in a field you expect to contain just numbers is a bad thing)
• Level of duplication ( simply put… how many of these things do you have two or more of? And is that a problem?)
• Accuracy (how well does your data reflect the real-word entity or transaction that it is supposed to represent?)

In models developed by researchers at MIT there are many more dimensions, including “believability”.

In Risk Mangement there are three basic types of control:

• Reactive (shit, something has gone wrong… fix it fast)
• Detective (we’re looking out for things that could go wrong so we can fix them before they become a problem that has a significant impact)
• Preventative (we are checking for things at the point of entry and we are not letting crud through).

Within any information process there is the risk that the process won’t work the way the designers thought/hoped/planned/prayed (delete as appropriate) it would.  In an ideal world, information would go in one end (for example the fact that you had paid €50 for a pair of shoes in Clarks on O’Connell Street in Dublin on a given day) and would come out the other end either transformed into a new piece of knowledge through the addition of other facts and contexts (Clarks for example might have you on a Loyalty card scheme that tracks the type of shoes you buy) or simply wind up having the desired outcome… €50 taken from your account and €50 given to Clarks for the lovely pair of loafers you are loafing around in. This is what I term the “Happy Path Scenario”.

However lurking in the wings like Edwardian stage villains is the risk that something may occur which results in a detour off that “Happy Path” on to what I have come to call the “Crappy Path”. The precise nature of this risk can depend on a number of factors. For example, in the Clarks example, they may have priced the shoes incorrectly in their store database resulting in the wrong amount being deducted from your account (if you didn’t spot it at the time). Or, where information is manually rekeyed by retailers, you may find yourself walking out of a shop with those shoes for a fraction of what they should have cost if the store clerk missed a zero when keying in the amount (€50.00 versus €5.00).

Software upgrades or bugs in the software that moves the bits of facts around the various systems and processes can also conspire to tempt the process from the Happy Path. For example if, in the Laser card process, it was to be found that there was a bug that was simply sending the request for draw down of funds against a “hold” to a bank twice before the process to clear the “hold” was called, then that would explain the double dipping of accounts.

However, software bugs usually (but not always) occur in response to a particular set of real-world operational circumstances.  Software testing is supposed to bring the software to as close to real-world conditions as possible. At the very least the types of “Happy Path” and “Crappy Path” scenarios that have been identified need to be tested for (but this requires a clear process focus view of how the software should work). Where the test environment doesn’t match the conditions (e.g. types of data) or other attributes (process scenarios) of the “real world” you wind up with a situation akin to what happened to Honda when they entered Formula 1 and spent buckets of cash on a new wind tunnel that didn’t come close to matching actual track conditions.

This would be loosely akin to giving a child a biscuit and then promising them a second it if they tidied their room, but failing to actually check if the room was tidied before giving the biscuit. You are down two bikkies and the kid’s room still looks like a tip.

In this case, there is inconsistency of information. The fact of two “draw downs” against the same “hold” is inconsistent. This is a scenario that software checks ont he bank’s side could potentially check for and flag for review before processing them. I am assuming of course that there is some form of reference for the “hold” that is placed on the customer’s account so that the batch processing knows to clear it when appropriate.

In the case of my horrid analogy, you just need to check within your own thought processes if the posession of two biscuits is consistent with an untidy room. If not, then the second biscuit should be held back. This is a detective control. Checking the room and then trying chasing the kid around the houseto get the biscuit back is a reactive control

Another potential risk that might arise is that the retailer may have failed to put a transaction through correctly and then failed to clear it correctly before putting through a second transaction for the same amount. This should, I believe, result in two “holds” for the exact same amount being placed on the customer’s account within seconds of each other. One of these holds would be correct and valid and the process should correctly deduct money and clear that hold. However it may be (and please bear in mind that at this point I am speculating based on experience not necessarily an in-depth insight into how Laser processing works) that the second hold is kept active and, in the absence of a correct clearance, it is processed through.

This is a little more tricky to test for in a reactive or detective controls. It is possible that I liked my shoes so much that I bought a second pair within 20 seconds of the first pair. Not probable, but possible. And with information quality and risk management ultimately you are dealing with probability. Because, as Sherlock Holmes says, when you have eliminated the impossible what remains, no matter how improbable, is the truth.

Where the retailer is creating “shadow transactions” the ideal control is to have the retailer properly trained to ensure consistent and correct processes are followed at all time. However, if we assume that the idea of a person validly submitting more than one transaction in the same shop for the same amount within a few moments of each other is does not conform with what we’d expect to happen then one can construct a business rule that can be checked by software tools to pick out those types of transaction and prevent them going through to the stage of the process that takes money from the cardholder’s account.

Quite how these errors are then handled is another issue however. Some of them (very few I would suggest) would be valid transactions. And this again is where there is a balance between possiblity and probability. It is possible that the transaction is valid, but it is more probable that it is an error. The larger the amount of the transaction, the more likely that it would be an error (although I’ve lost track of how many times I’ve bought a Faberge egg on my Laser card only to crave another nanoseconds later).

Another key area of control of these kinds of risk is, surprisingly, the humble call centre. Far too often organisations look on call centres as being mechanisms to push messages to customers. When a problem might exist, often the best way to assess the level of risk is to monitor what is coming into your call centres. Admittedly it is a reactive control once the problem has hit, but it can be used as a detective control if you monitor for “breaking news”, just as the Twitter community can often swarm around a particular  hashtag.

The Bank of Ireland situation

The Bank of Ireland situation is one that suggests to me a failure of Information governance and Information risk management at at least some level.

1. It seems that Call Centre staff were aware in May of a problem with double dipping of transactions. This wasn’t communicated to customers or the media at the time.
2. There was some confusion in May about what the cause was. It was attributed variously to a software upgrade or retailers not doing their bit properly.
3. Whatever the issue was in May, it was broken in the media in September as an issue that was only affecting recent transactions.

To me, this suggests that there was a problem with the software in May and a decision was taken to roll back that software change.

• Where was the “detective” control of Software Testing in May?
• If the software was tested, what “Crappy Path” scenarios were missed from the test pack or test environment that exposed BOI customes (and potentially customers of the other 7 banks who are part of Laser) to this double dipping?
• If BOI were confident that it was Retailers not following processes, why did they not design effective preventative controls or automated detective controls to find these types of error and automatically correct them before they became front page news?

Unfortunately, if the Bank’s timeline and version of events are take at face value, the September version of the software didn’t actually fix the bug or implement any form of effective control to prevent customers being overcharged.

• What is the scenario that exists that eluded Bank of Ireland staff for 4 months?
• If they have identified all the scenarios… was the software adequately tested and is their test enviroment a close enough model of reality that they get “Ferrari” performance on the track rather than “Honda” performance?

However, BOI’s response to this issue would seem to suggest an additional level of contributory cause which is probably more far reaching than a failure to test software or properly understand how the Laser systems are used and abused in “the wild” and ensure adequate controls are in place to manage and mitigate risks.

A very significant piece of information about this entire situation is inconsistent for me. Bank of Ireland has stated that this problem arose over the past weekend and was identified by staff immediately. That sounds like a very robust control framework. However it is inconsistent with the fact that the issue was raised with the Bank in May by at least one customer, who wrote about it in a very popular and prominent Irish blog. At that time I also wrote to the Bank about this issue asking a series of very specific questions (incidentally, they were based on the type of questions I used to ask in my previous job when an issue was brought to our attention in a Compliance context).

I was asked today if Simon’s case was possibly a once off. My response was to the effect that these are automated processes. If it happens once, one must assume that it has happened more than once.

In statistical theory there is a forumla called Poisson’s Rule. Simply put, if you select a record at random from a random sample of your data and you find an error in it then you have a 95% probability that there will be other errors. Prudence would suggest that a larger sample be taken and further study be done before dismissing that error as a “once off”, particularly in automated structured processes. I believe that Simon’s case was simply that random selection falling in my lap and into the lap of the bank.

Ultimately,  I can only feel now that Simon and I were fobbed off with a bland line. Perhaps it was a holding position while the Bank figured out what was going onand did further analysis and sampling of their data to get a handle on the size of the problem. However, if that was the case I would have expected the news reports to day to have talked about an “intermittent issue which has been occurring since May of this year”, not a convenient and fortuitous “recent days”.

Unfortunately this has the hallmark of a culture which calls on staff to protect the Bank and to deny the existence of a problem until the evidence is categorically staring them in the face. It is precisely this kind of culture which blinkers organisations to the true impact of information quality risks. It is precisely this kind of culture which was apparent from the positions taken by Irish banks (BOI included) in the run up to the Government Bank Guarantee Scheme and which continues to hover in the air as we move to the NAMA bailout.

Tthis kind of culture is an anathema to transparent and reliable managment of quality and risk.

Conclusion

We will probably never know exactly what the real root cause of the Bank of Ireland double dipping fiasco is. The Bank admitted today in the Irish Times that they were not sure what the cause was.

Given that they don’t know what the cause was and there are differences of record as to when this issue first raised its head between the Bank and its own customers, it is clear that there are still further questions to ask and have answered as to the response of Bank of Ireland to this issue. In my view it has been a clear demonstration of “mushroom management” of risk and information quality.

Ultimately, I can only hope that other banks involved in Laser learn from BOI’s handling of this issue which, to my mind, has been poor. What is needed is:

• A clear and transparent definition of the process by which a laser transaction goes from your fingers on the PIN number pad to your bank account. This should not be technical but should be simple, business process based, ideally using only lines and boxes to explain the process in lay-person’s terms.
• This can then form the basis in Banks and audit functions for defining the “Happy Path” and “Crappy Path” scenarios as well as explaining to all actors involved what the impact of their contribution is to the end result (a customer who can pay their mortgage after having done their shopping for example)
• Increased transparency and responsiveness on the part of the banks to reports of customer over charging. Other industries (and I think of telecommunication here) have significant statutory penalties where it is shown that there is systemic overcharging of customers. In Telco the fine is up to €5000 per incident and a corporate criminal conviction (and a resulting loss in government tendering opportunities). I would suggest that similar levels of penalties should be levied at the banks so that there is more than an “inconvenience cost” of refunds but an “opportunity cost” of screwing up.
• A change in culture is needed away towards ensuring the customer is protected from risk rather than the bank. I am perfectly certain that individual managers and staff in the banks in question do their best to protect the customer from risk, but a fundamental change in culture is required to turn those people from heroes in the dark hours to simply good role models of “how we do things here”.

There is a lot to be learned by all from this incident.

Back in May 2009, Simon over on Tuppenceworth.ie reported this problem to Bank of Ireland and blogged about his customer service experience. On foot of what Simon had written, I emailed Bank of Ireland to try and get details on the issue before I wrote it up over at IQTrainwrecks.com.

The response I received from Bank of Ireland on the 4th of June was:

When BoI receives an authorisation request from a retailer, a ‘hold’ is placed on those funds until the actual transaction is presented for payment. The transaction is posted to the customer’s account on receipt from the retailer.

Relative to the number of transactions processed there are a very small number of instances where a transaction may appear twice. For example these may occur if the retailer inputted the wrong amount and then re-input the correct amount or the transaction is sent in error twice for authorisation. These types of transactions are not errors or a system issue created by the Bank. The Bank receives an authorisation request and subsequently places a hold on those funds. These types of transactions are not unique to Bank of Ireland.

Bank of Ireland responds to all customer queries raised in connection with above.

(I have the name and contact details of the Bank of Ireland Press Office person who sent me that response).

So. Basically the response in June was “those kind of things happen. They happen in all banks. If customers complain to us we sort it out on a case by case basis”.

These are the questions I submitted to BoI in June. The quote above was the response I received to these detailed questions.

Fast forward to today. Today, the bank is telling the media that in “recent days” there was a “technical error”. I’m as baffled by the Bank by this, but for different reasons.

• The first question I put to the bank in June was “When did you become aware of  ’double dipping’ of customer accounts?”.  The answer is not “in recent days” or “over the weekend” (as the Bank spokesperson told the Irish Times today) and is more correctly “at least since June”.
• In May, Simon had been advised that the cause of the problem was a software upgrade. In June I asked the Bank
  • “We have been informed that this issue was triggered by the deployment of new software. Is this the case?” AND
  • “If it is the case that a new software deployment has caused the problem, is it not possible to ‘roll back’ to the previous version of the software until the software bug can be resolved?” AND
  • “Do you feel that sufficient care was taken to ensure the software was fully tested against ‘real-world’ operation scenarios before being deployed to prevent this type of duplication of transaction? For example, was the software tested to see what would happen in common usage scenarios such as leaving a tip, having multiple transactions in succession in one store (perhaps at one Laser terminal), or retailers resorting to ‘old’ processes out of habit?”
  • In June the Bank did not address these points.

In June, Bank of Ireland was explicit in its identification of the root cause for this type of error.

…there are a very small number of instances where a transaction may appear twice. For example these may occur if the retailer inputted the wrong amount and then re-input the correct amount or the transaction is sent in error twice for authorisation.

In today’s Irish Times they are less certain

A spokeswoman for the bank said that she was unable to say how customers had been affected by the error, but that she believed that the customers affected were from across the State and not from one particular area.

The good news from today’s Irish Times report is that I’ve finally gotten an answer to one of my questions, which was:

Does Bank of Ireland have the capability to identify any “shadow transactions” raised against customer accounts in error independent of any action by the customer? If yes, how will the Bank inform customers of these errors?

It would seem that they have, at least since this past weekend, and their method for notifiying customers is a report to the Irish Tmes.

So, what does this mean for Bank of Ireland (from an Information Quality perspective)?

It would suggest that there are weaknesses in their “Quality Culture” and Customer Focus.

The response to a report of overcharging by the bank (and potentially significant overcharging at that) was summarily dismissed and was being handled on a case by case basis. It would seem from the reports (and I worked in Compliance long enough to know that what is in the paper isn’t necessarily the whole story, so I’ll admit this may be a stretch) that the issue was only taken seriously when it was “spotted” by BOI staffers over the weekend.

Of course, it may well be that the surprise find over the weekend was the result of a long period of investigation and analysis within the Bank by a crack team of information quality specialists (even if they are not called that). If so, they should be given credit for their diligent work, not airbrushed from the story like so many other “special forces”.

It means the time span they need to look at for remedying the over charging may be a lot longer than they think

If the Bank is looking just at transactions over a period spanning a few days either side of last weekend, then they are potentially missing customers who have been overcharged through their error. Bear in mind that this issue was first brought to the Bank’s attention in May 2009. It is now September.

That is a 4 month window. How many Laser transactions do Bank of Ireland process per day? Tens of thousands? Times 120 days (approximately)?

It suggests that their Customer care and Media responses to reports of overcharging need to become more, well… Customer and Quality focussed.

Simon was effectively dismissed by BoI when he tried to flag the issue. They were handling things on a case by case basis. I was effectively dismissed by BoI. Yes, I got a response, but the response didn’t address any of the questions I actually raised. The response simply repeated the line Simon had been given.

The story in the Irish Times reads to me like a truthful and well meant attempt to explain the situation that actually highlights the failure of Bank of Ireland to have in place sufficiently adequate processes to deal with reports of Information Quality problems from their customers which resulted in Simon’s complaint and my subsequent queries not triggering any sort of alarm bells.

The alternative (that it is a fabrication put together to spin the story as positively as possible for the Bank) is unthinkable, surely.

And the other alternative is that maybe they did but it just took 4 months to get to the bottom of the issue.  I have worked on projects like that. Sometimes the problems are hard and take time to figure out. But the timescale the Bank quotes for the error suggests that this is not the case.

By the way….

Bloggers had this story 4 months ago.