“Automation of the process of handling enquiries concerning information constituting a bank secret”

Recently, banks have been increasingly implementing solutions, which facilitate automation of tedious, repetitive processes, both front and back office. The aim of the article is to review the applications of automation of banking processes and to pres-ent implementation of Robotic Process Automation (RPA) in order to optimize the process of handling disclosure of information constituting a bank secret at a bank operating in Poland. Banks are obliged to disclose information constituting a bank secret to a number of authorized institutions not only free of charge, but also within a specified, limited period of time. At the same time, they must ensure an appropriate level of security for legally protected information. The process traditionally carried out by people was time-consuming and error-prone due to the human factor. It required more quantitative efficiency and improvement in task execution. For this purpose, Robotic Process Automation was implemented in the bank in the process of disclosure of information constituting a bank secret at the request of authorized authorities and institutions. After the implementation of RPA, the enquiry handling process was shortened from 7 to 3 stages, including registration of the case in the system, automatic handling of the request and sending a response. Thanks to the RPA implementation, the time needed to complete particular tasks in the process was significantly reduced, which made it possible to shorten the maximum enquiry processing time from 16 to 3 days. The automation significantly improved process profitability and efficiency. It enabled better task management and improved security by reducing errors and ensuring compliance with regulations. The implementation of the RPA tool in the process of disclosing information enabled its quantitative and qualitative optimization, as well as efficient and reliable performance of the obligations set forth in the Banking Law Act.


INTRODUCTION
Currently, the banking sector participates in the digital revolution initiated by the development and use of advanced technologies, and thus automation and robotization of processes and of the processing of large volumes of data.Software is being developed which not only replaces simple actions performed by people, but can also interpret various voice and text commands, anticipate user actions and personalize messages on a large scale.The face of banking is changing radically, software robots replace bankers not only while performing simple activities, but they are also much faster and better at performing activities, which for a long time were reserved for highly qualified specialists.They solve problems by analyzing much bigger data volumes, 24 hours a day, without making mistakes.Banks not only need to lower their operating costs to be competitive, but also to efficiently fulfil their obligations imposed by external regulations, which include a number of activities for which they are not able to charge any fees.

BUSINESS PERSPECTIVES
The need to optimize front office and back office banking processes is becoming more apparent, as their operation has a significant and direct impact on establishing and shaping relations with customers and on the possibility of building a competitive advantage connected to having know-how with regard to practical use of technological innovations.The optimal tool for process optimization is the implementation and application of RPA (Robotic Process Automation).RPA is a tool that can be used to streamline and automate a number of routine, manual banking processes or sub-processes (Wilds, 2019).RPA is best suited for processes that are repeatable and deterministic, with minimal ambiguity and very few exceptions.Processes that are most suitable for RPA implementation have the following characteristics (Mehta et al., 2019):

LITERATURE REVIEW
• have defined rules with a minimum or zero level of assessment; • high proportion of "manual" work in repetitive steps; • processes are standardized from input through process steps to output; • have input data in an electronic (rather than paper) form; • transaction volumes of the process are high enough to justify automation.
RPA tools fall into the category of Business Process Automation (IT) tools, but there is a number of differences between different solutions from this category.The most important is the fact that implementation of RPA solutions does not require any modifications in the software code (it works on the user interface level) and does not involve any reconstruction or optimization of processes (in contrast to other implementations, which are often connected to process reengineering) (Sobczak, 2018).Unlike most IT implementations, an RPA tool can be implemented in stages in specific pro-cesses or parts of processes without the need to reorganize the entire system of processes and without excessive risk of business interruption.
The spectrum of automation extends from simple rule-based automation to advanced cognitive intelligence and artificial intelligence.RPA solutions emulate human actions, providing a virtual workforce with skills comparable to human skills (Hosatburga, 2019).Automation of processes related to keeping documentation and accounting has facilitated elimination of mistakes and increase of efficiency of enterprises.The return on investment time is estimated to be less than one year, depending on the process and its complexity (PCWord, 2018).
RPA technologies can be divided into three main levels (KPMG, 2015): • automation of simple business processes.Automation of processes based on rules and structured data, e.g.transactional processes with large volumes, accounting, data transfers, mass swivel chair tasks requiring the use of several screens/systems; • automation of developed business processes.Management of unstructured data and knowledge bases, automation of processes using unstructured data; • cognitive/autonomic automation.Advanced technologies including artificial intelligence and self-learning applications for database analysis, research and innovation in unmanned processes.

Benefits of implementing RPA
Robotization of banking processes is a great business opportunity for the banking sector -it may radically improve process profitability and efficiency (Del Rowe, 2017).Apart from savings, automation facilitates better management of repeatable tasks (im-provement by 21%), better standardization of work process flow (increase by 19%), reduces dependence of process completion on multiple systems (by 14%) and reduces bottlenecks (by 11%) (Agarwal, 2017).
The main benefits resulting from implementation of banking process automation are: • Cost savings -RPA implementation facilitates cost reduction by between 25% and 75% by improving the performance indicators of the applied functions while maintaining production quality (AutomationEdge, 2019).At Alior Bank (Poland), it is estimated that digitalization of over 100 processes carried out as part of the project by 2020 will bring a total of PLN 20 million in savings (Burta, 2019).It is expected that the consequence of automation of banking processes will reduce the number of branches, in case of the US by up to 20% within five years and reduce the size of an average bank branch from 5,000 to 3,000 square feet, which will lead to savings of as much as USD 8.3 billion annually (Shukla & Rebello, 2019).
• Reduction in employment -RPA implemented in financial services may result in a 28-41% reduction in employment over five years and over ten years by 48-53% (PulsBiznesu, 2019).
• Increased operational efficiency -robots perform tasks 20 times faster than people (PulsBiznesu, 2019).A leading bank in the UK, following implementation of RPA for transaction processing, has increased its banking transaction management efficiency by 20% (Wilds, 2019).
• Reduced business response time -robotization can reduce the time of opening a new account by 30% and accelerate the accounting process by up to 300% (Wilds, 2019).The time of execution of instructions handled in cooperation between people and robots has been reduced from 30 to 70% (Stankiewicz, 2019).By implementing RPA, the CB&S Bank (USA) has been able to reduce the required credit processing time from 2-3 hours to just one hour, saving 900 hours of work in one year (Wilds, 2019).NY Mellon Corp (USA) reports that thanks to RPA it has been able to achieve an 88% fast-er processing time, 66% faster execution time for commercial enquiries and 1/4-second automatic identification of erroneous transactions as compared to 5-10 minutes in case of execution of the task by humans (Sennaar, 2019).
• Reduction of banking fraud by employeesthe use of robots increases security, especially when processing confidential information, where the risk of information security breach by employees is the greatest (Del Rowe, 2017).Robotization significantly reduces fraud for a simple reason -in times when processes will mainly be managed by robots and algorithms, the human factor, which can be the source of fraud, will be significantly reduced or even eliminated (Pruchnik, 2018).
• Error reduction -robotization minimizes manual processing of large volumes of data to avoid errors.Depending on the source and type of automated process, the error rate can be reduced on average from 10% (PulsBiznesu, 2019), 21% (Agarwal, 2017) or even down to zero (Wilds, 2019).
• Better compliance with regulations -by embedding relevant rules into algorithms it is possible to guarantee that they will be applied (Del Rowe, 2017).
Due to the numerous benefits of automation, robotics is one of the main priorities of many organizations, also in the banking sector.It is indicated as a priority by 30% of banks worldwide and by 45% in Poland (MGI, 2017).McKinsey predicts that in the next few years machines will perform 10 to 25% of the work as part of various banking functions, increasing productivity and allowing employees to focus on higher-value tasks and projects (Berruti et al., 2019).

The process of disclosure of information constituting a bank secret by the Bank upon request of external entities
Bank secrecy is one of the most controversial issues in banking law.This results from its very nature.Protection of information held by banks is an accepted custom of economic trading -bank secrecy is one of the elements that give the bank the status of a public trust institution (Janiak, 2003).
Banking secrecy includes all information about a bank's customer, i.e. the person who is a party to the agreement on the basis of which the bank performs a given banking activity.
Pursuant to article 105 section 5 of the Banking Law (Banking Law, 1997), the bank is liable for damages resulting from disclosure of banking secrets and its misuse, if the damage results from the bank's own actions.This provision may constitute -in connection with the relevant provisions of the Civil Code -the basis for the bank's liability in contract or tort (Civil Code, 1964).
The Bank's obligation is not only to prohibit disclosure of confidential information to other entities and in a different scope than specified in Articles 104 and 105 of the Banking Law, but also to ensure that such information is not disclosed to unauthorized persons.The Act does not regulate the manner of providing information.Banks have to establish it independently.If this information is made available to persons other than authorized persons as a result of a lack of due care or negligence in physical transmission of the information, the bank will be held responsible for this situation.An entity entitled to request from the bank to provide access to confidential information should indicate in its request that the statutory conditions for disclosure of information protected by secrecy are met.As an administrator of information covered by bank secrecy, responsible for any disclosure of such information in a manner inconsistent with the banking law, the Bank is indirectly entitled to verify requests in terms of compliance with the regulations governing the disclosure of such information (Ofiarski, 2013).
Article 105 of the Act exhaustively lists the entities, organizational units and institutions to which banks must or may disclose information covered by bank secrecy.The Bank is obliged to provide information constituting a bank secret to such institutions, obviously only to the extent necessary to comply with the provisions applicable to such institutions.Among the eligible entities are (Banking Law, 1997): • other banks and credit institutions to the extent that such information is necessary for the performance of banking activities; • Head of the National Fiscal Administration and clearing house; • suppliers providing payment transaction initiation services; • payment service providers; • insurance companies, reinsurance companies; • Financial Supervision Authority; • courts; • the prosecutor's office; • President of the Supreme Chamber of Control; • Bank Guarantee Fund; tensively.However, a characteristic feature of successive amendments to the Banking Law Act are systematic extensions of this statutory catalog to include new categories of entities (Ofiarski, 2013).
As it results from an analysis of the formal and legal context related to the processing of information constituting a bank secret, the essence of the bank's activities consists in planning and implementing necessary measures for the purpose of: • comprehensive protection of information constituting bank secrets; • ensuring the security of data transmitted to competent authorities and bodies.
When talking about information security, it is mainly understood as security in an IT sense, i.e. a certain state, which is characterized by a specific level of the most important attributes, such as (Gospodarowicz, 2005): confidentiality -the data remain confidential, and only persons authorized to do so are able to access them; • integrity -the data have not been changed, corrupted or destroyed by an unauthorized person; • accessibility -it is to ensure that information is available to the authorized person whenever he or she requires it; • accountability -this property confirms that an entity's actions can be assigned only to that entity in an unambiguous manner; • authenticity -ensuring that the identity of an entity or resource is as declared; authenticity concerns entities such as users, processes, systems and information; • reliability -a property denoting coherent, intended behavior and effects.
Thus ensuring the security of information constituting a bank secret, which is physically shared with another entity, becomes a challenge for the bank.
The main difficulty of this solution revolves around ensuring security of information, which physically falls outside the bank's security monitoring systems, e.g. the DPL (Data Loss Protection) system.
A prerequisite for proper performance of the obligations imposed on the bank is development of a systemic and procedural solution which determines the conduct of the bank's organizational units involved in the process of disclosing information constituting a bank secret.The essence of such a process is, in particular, to properly assess and handle a given case initiated by an enquiry of a third party in terms of its character and qualifications and to determine the legitimacy and material scope of disclosure of information constituting a bank secret or to provide a reply with a different content.

CASE STUDIES
An analysis of the process of optimizing disclosure of information constituting a bank secret upon request of external entities was conducted at one of the banks with State Treasury's capital in Poland.
The process of fulfilling the statutory obligation to disclose information constituting a bank secret to an authorized entity should take into account the following purposes: • maintaining continuity of the Bank's operational activities within the scope of disclosing information constituting a bank secret to authorized entities; • disclosing information of a proper type and quality to requesting entities, after carefully establishing the legal basis for the Bank's response to the request within the scope indicated in the enquiry/request; • management by the Bank of information constituting a bank secret, which, after processing, may constitute information disclosed to authorized entities (taking into account special protection provided for such information); • proper assessment and qualification of issues within the Bank in terms of efficient preparation and response to the enquiry/request and in this context efficient cooperation between organizational units of the head office, corporation centers and branches, which are the depositories of information constituting a bank secret, needed to respond to the authorized entity; • meeting the deadlines for providing a response, taking into account, on the one hand, the needs of external entities submitting enquiries/requests to the Bank and, the other hand, the Bank's operational capacity to prepare the content of the response and to provide full information; • verification by the Bank of documentation containing information constituting a bank secret, in particular, with regard to the existence of grounds -as a matter of principle -for the Bank to make the information available to an external entity, as well as of an appropriate material scope of the contents of the response, taking into account special protection of information constituting a bank secret.
The primary objective of optimization of the process was, first of all, its quantitative and qualitative improvement, necessary due to the centralization of the process, resulting in a serious burden on the bank's organizational unit entrusted with this task.The optimization process assumed centralization of tasks related to handling enquiries of authorized authorities by transferring the performance of duties previously performed by dispersed branches and organizational units of the Bank to one organizational unit of the Bank.At the same time, preliminary assumptions for process optimization were established: • ensuring continuity of the process of providing information constituting a bank secret; • inability to increase employment figures at the Bank's organizational unit responsible for managing the process; • a need to ensure security of information processed as part of this process (taking into account the fact that information may be processed by various organizational units of the Bank, which indirectly results from the possibility of authorized institutions and bodies to submit enquiries); • ensuring quantitative efficiency of the process in connection with the takeover of tasks from other organizational units of the bank and the inability to increase employment; • a need for automation, replacement of simple, typical and repeatable tasks performed on the IT level by specific employees by implementing of robotization; • ensuring rapid access to information and data necessary to respond to requests from competent authorities; • construction and implementation of an e-archive in order to digitize the existing correspondence of the bank with authorized bodies.
The works on process optimization have been divided into the following stages: • analysis of the current process in order to identify key areas, possibilities for their optimization and points of contact with other processes in the organization; • analysis and indication of a specific technology adequate to the nature of the organization, IT architecture, process management model and cost effectiveness; • building, implementing and testing RPA components in test environments; • implementation of corrections and their validation; • aligning the process with internal/executive regulations; • implementation of a comprehensive training system at the organization; • internal communication with regard to the implemented changes; • adaptation of new roles and responsibilities of the employees involved in the automated process; • production implementation and measurement of the efficiency of the adopted solution; • analysis of the legitimacy of modification of other processes in the organization; • reporting to senior management.
In the scope of technological solutions, the DPC (Data Processor and Collector) tool was used.It is particularly noteworthy that the system covers the whole process cycle, from receipt of a letter/request from a competent authority to preparation of the reply and the data covered by the competent authority's request.Data Processor and Collector is a modern tool, which uses the latest technologies in the area of data processing.It is a combination of a database system based on relational databases with a grid computing system for variable and diverse data sets.Processing and analysis of such data is demanding and complicated for banks, but at the same time valuable, because it allows them to gain access to a new dimension of knowledge about their customers.
DPC system architecture is a typical three-tier architecture (or three-layer architecture) -it is a client-server architecture in which the user interface, data processing and data storage are developed in the form of separate modules, usually on separate platforms.This type of architecture makes it possible to update or replace individual modules independently of each other, as business requirements change, including changes in the technological conditions of the market.
The DPC system has: • Data Presentation/Management layer -its main task is to translate requests and results of the application's operation into and from a language understandable for the user.It consists of a set of forms of access to data operated through a web browser, integrated with a user authentication and authorization system.DPC forms are used for entering, searching and reporting data.The forms also have the function of graphical and tabular representation of data.
• Business Logic Layer -coordinates the operation of the application and processes user requests, applies logical rules and performs calculations.Additionally, the layer deals with exchange/correlation/buffering of data and handling of errors between other bank systems.
• Data Layer -here data from the database are stored and retrieved.The information is transferred to the business logic layer and ultimately to the user.The DPC system data layer is a combination of relational databases and grid computing based on proprietary DPC system tools and Open Source tools.
Implementation of Robotic Process Automation in the process of providing information which constitutes a bank secret at the request of authorized authorities and institutions has enabled optimization of this process in the logical layer.Following the implementation of RPA, the process has been reduced from 7 to 3 stages, as part of which the following activities are carried out: • Registration of the case in the system for handling requests: -digitalization of the enquiry along with its description with metadata; -specification of the type of enquiry; -defining the boundary conditions for data acquisition; -identifying the employee responsible for handling the case; -correlation with other letters concerning the given case.
• Automatic request handling: -sending data enquiries to distributed bank systems; -correspondence on the possible need for obtaining a legal opinion; -developing a draft response; • Sending a response to the request: -substantive verification of the Bank's response; -printout and preparation of the letter to be sent.A comparative analysis of provision of information constituting a bank secret without RPA and with the use of RPA confirmed the effectiveness and potential of the RPA tool.
The essence of RPA's application in the process was the robotization of individual activities previously performed by a bank employee as part of the process.The process was heavily burdened with repetitive activities performed by bank employees related to data processing, i.e. preparation of data within the scope specified in the request of an authorized body -i.e.obtaining data from distributed bank systems (maximum completion time: 5 days) and tasks related to processing the application itself (assignment, formal and legal analysis, sending).
The interface used by the user -bank employee in the indicated activities was replaced with a grid computing system for variable and diverse data sets based on three functional layers (Presentation/ Management of Data, Business Logic and Data Layer).
The practical effect of using the RPA tool was replacement of time-consuming activities (which, due to the human factor, were additionally burdened with errors), radical reduction of the amount of time required for their performance and optimization of the whole process.
Another challenge was automation of tasks related to the processing of a requests of an authorized body (understood as a document -data carrier).For the purpose of this task, a functional layer was developed -Data Presentation/ Management, which, by using standardized types of requests from authorized bodies, made it possible for any Bank employee (without IT qualifications) to prepare an enquiry for distributed bank systems and consequently to ob-Source: Own elaboration.tain the result of the enquiry within minutes (the time needed to obtain requested data by an organizational unit of the bank carrying out a given process in a manual manner should be estimated to be multiple working days).
The next step in the digital transformation of the process of providing information constituting a bank secret at the request of authorized bodies and institutions was to plan and implement new roles for employees who, before the implementation of RPA, performed their activities manually, with a high risk of making errors.The implementation of RPA required creation of roles such as: substantive supervision related to the operation of automated mechanisms (performance control), system maintenance and administration (e.g.access management, change management), and provision of training for employees playing important roles in other related processes.
In terms of quantitative measures, the implementation of RPA has drastically reduced the time needed to perform tasks in the process, in particular those related to the actual handling of enquiries, i.e. from assigning the case to the appropriate organizational unit of the bank, to formal and legal analysis, to obtaining and preparing data in the process of preparation of the response.It is particularly important to reduce the time needed for the data acquisition task, which, when performed manually, was burdensome for individual employees who prepared such data in the entire process.
It is worth noting the process step described for the purposes of this paper as registration of the request and registration of the case in the system.Although this is the first step in the process, as RPA is used in the process, it is an activity which further implementation of the process.Namely, in a manual process, the action -regis-  tration of a request -means only registration of the letter in the book of incoming correspondence, whereas in a system using RPA, a written request from an authorized authority is subject to a kind of transformation, digitalization, i.e. into a scanned letter -a request of an authority is scanned, described with metadata, and the type of enquiry and legal qualification are determined, the consequence of which is the of boundary conditions for automatic import of data from the bank's distributed IT systems.After specifying the conditions for the enquiry, further steps in the process using RPA are executed by the RPA tool.
A confirmation of the qualitative measures of the process after the RPA tool implementation is its ability to generate expected results in accordance with specific requirements, i.e. the information provided is consistent with the enquiry sent by an authorized body or institution, taking into account the centralization of the project and the inability to grow human resources.The properties of the process which prove its quality are also the manner of data processing and ensuring the security attributes of processed data.For the purposes of process quality management, new roles for employees controlling and supervising the process were planned and distinguished.Any identified non-conformity is verified and reported to the system administrator.This is possible thanks to the use of RPA and analysis of the activity of the system users and the system itself based on log analysis.In contrast to the manual process, with many organizational units and users, the use of the RPA tool has facilitated access to information online; in the manual mode, it was difficult or even impossible to determine such information.

DISCUSSION
Banks in Poland are increasingly willing to implement automation solutions for both front and back office processes.2018).According to Gartner, by 2020 no less than 85% of all customer service interactions will be automated (Marous, 2019).The International Data Corporation has stated that the banking sector is the second largest investor in artificial intelligence technology in the world, after retail trade (Kulp, 2019).Banks should prepare to be part of the revolution.One thing they can and should do is to create an internal center of excellence, where a group of people will become experts and help implement RPA in the bank.They will test technology and manage business units in the scope of implementation of artificial intelligence solutions.Citigroup and BBVA (Spain) are among the banks that engage in such activities (Crosman, 2017).
In Poland, some banks are introducing modern solutions that enable employees who are not IT specialists to quickly implement a wide range of automation solutions of varying degrees of complexity.An example is ING Bank Śląski, where an original RPA platform, called RoboPlatform, is being developed.This solution is characterized by high flexibility and the possibility of quick implementation of robots without generating high costs.At ING, the Operations Division uses over 1,500 process automating robots, which are used by about 500 users (Sobczak, 2019).

CONCLUSION
Use of solutions, which automate processes in banking institutions processing huge amounts of data becomes a necessity.Robotic Process Automation (RPA) is replacing humans on the first line of contact with the customer, assisting with operational processes (opening accounts, handling payments), credit processes (starting from application analysis, to risk assessment, to posting and renewal) and support processes (handling statements, complaints and debt collection activities).With RPA it is possible to reduce the costs of banking processes by up to 75% and office space costs by 40%.At the same time, efficiency and productivity are increased and the number of process errors is reduced or eliminated.At the presented bank, the implementation of the RPA tool enabled optimization of the process of disclosing information constituting a bank secret at the request of authorized authorities and institutions.The application of RPA not only shortened the time of enquiry processing by over 80%, but also mitigated the risk of receiving penalties for unreliable or untimely fulfilment of statutory obligations or a lack of proper protection of information constituting a bank secret.In the context of the bank's operation as a public trust institution, fulfilling the obligations specified in the Banking Law Act, quantitative and qualitative optimization of the enquiry handling process is a factor which helps ensure security and business continuity.

Figure 1 .
Figure 1.The process of provision of information constituting a bank secret prior to the use of the RPA tool

Figure 2 .Figure 3 .
Figure 2. The process of provision of information constituting a bank secret with the use of the RPA tool after the RPA implementation Task completion time before the RPA implementation