Q&A: Bank of France’s CTO talks cyber security, data lakes, and blockchain

By Emma Olsson | 22 November 2019

Daniel Cukier has been at Banque de France (BdF) for over 18 years. He has been chief technology officer (CTO) since March 2016, leading the central bank’s IT charge through digitisation. He talked to bobsguide about the BdF’s approach to blockchain, data lakes, cyber security, regtech, and more.

You’ve been at Bank of France for 18 years – what has changed since you came on board?

I think things have changed quite a lot in the past few years because we’re much more involved in the digital transformation. There are a few key projects going on and those projects have big implications for IT, and business-oriented of course, but it does create new challenges for the IT.

We’re dabbling with blockchain, we’re setting up a big data lake, we’re also more and more involved in European infrastructure projects; we’re cooperating more and more at a European scale. Also, we’re introducing new ways of working, basically. Business was very stable, it was very steady and well-controlled, and now things are moving faster so we’re changing to be more agile, and introducing new ways of working, standard meetings, designing methodology to design new solutions for the business. Even in the business side they’re really changing a lot gradually, so it’s an interesting time.

What blockchain developments do you see going on?

We did a blockchain experiment to improve the interbank system and to enable the exchange of Single Euro Payments Area (SEPA) creditor identifiers between SEPA Direct Debit (SDD). And we are involved in some initiatives going on even at a European scale about blockchain technology and crypto currency, but I can’t discuss them yet.

I think blockchain is a very important technology for the future of the financial sector, but it’s not yet easy to know whether it’s going to transform our role as a central bank. Everybody has heard about Libra and Facebook, and you probably think that most government and central banks are quite wary of this kind of initiative because it’s not clear how it’s going to work, especially since those initiatives are private.

Last year, we did some primary assessment of this kind of technology for identity and access management, too, and it wasn’t mature enough, but things are progressing, so we’ll try again probably next year.

What about blockchain technology being used in the digital identity realm?

First, it’s very much linked to our security and cyber resilience strategy. This is very important to us of course because cyber threats are more and more prevalent and dangerous in the financial sector and the economy at large, so we do invest more in those kinds of topics. Identity access management is a key part in this kind of solution, because more and more people are working from outside of our set-ups. They could be at home or traveling; because of this we do collaborate more and more with other central banks typically, or governmental organisations, so some of those systems are common.

We have an ongoing Open Data Room project to give them some controlled access to data we have in our data lake, and some of that data are very much of value to researchers because there’s not much of it, but it is of a very high quality because of our role as a central bank. Since we have some regulatory oversight, we gain access to very precise and important information. So, we give access to them and to do that, we need up to date and adapted economic solutions for people, and this solution has to be very secure.

Are cryptocurrencies a concern for you?

Yes, I think it’s a concern for us, but I’m just an IT guy. I monitor this field from a technological perspective, but of course central banks are concerned about cryptocurrency.

What other concerns do you have for the market at the moment?

It’s not really sexy – but it’s compliance, and cyber resilience. Those topics are a very high priority. First, we have to be compliant more and more with regulation. And since we’re kind of a systemic actor in the market, if we are down and/or hacked, the consequences could be dire for the whole economy, for the functioning of the financial system. We’re constantly improving our information system to make it more secure, and this requires investments and compliance. We’re audited all the time – I think there’s more than one audit each month on some key system or to secure our information systems are processed – so it’s a very big concern to us currently, and we have to be more industrialised to be able to face those requirements, and it means more automated. Automation is very important to us to meet those changes.

Which types of cyberattacks are the greatest concerns for you?

It’s complicated – typically there are a few key technical services that have been attacked over the past few years: for example, Maersk were attacked a few years ago and I think it cost them a few $100m. But we can’t assume that will be the only component attacked. We have a security strategy that we are deploying and the idea is to cover everything, to be as secure as possible, taking into account the fact that it’s impossible to be fully protected. At some point you’ll be attacked and we have a team in place to monitor the system, and to try to find intrusion, we have what we call a SIEM [Security Information and Event Management], a kind of big data set-up, so we’re able to monitor things and if there is an attack going around we could catch it before it’s too late.

So it’s really a comprehensive strategy encompassing things from designing more resilient infrastructure, to changing human processes, to educating people about what they should do and should not do.

Is there any regtech that concerns you?

There are a lot of suppliers on the market today. I’m called by some of them all the time, especially since I went to a summit on this topic. The thing is if you don’t have the organisation and the people able to use those tools, it means nothing. It’s not because you just bought this new shiny tool that things will improve. Regarding this point, we are really scaling up on compliance and the first step is not to buy a new tool, but to try using what we have available, to improve our process and maturity, and when we’ve gained some experience we can think about using a tool to go to the next level. I think we’re starting to review since we’ve gained some maturity, we know a little bit more how we’re going to proceed in the future. But the tool is not the solution, it’s only a tool.

And in terms of other organisations using regulatory technology or collaborating with regtech firms: Are you wary of regtech arbitrage across Europe?

We know from some other financial institutions that things sometimes look prettier than they are in reality. It’s really hard to be up-to-date and compliant, when you start to dig around you see it’s more complicated than that. It’s difficult to have a clear view on the situation in the market currently. So, I’m not sure about that. But our point of view is that using those kinds of tools is not to look compliant, it’s to be compliant, which is maybe a little bit different.
