Global Bank Transforms How It Secures Loan Applications

Summary

A global bank’s loan department had processed more than 1.5 million loan applications in the previous year. Their business goal was to significantly increase this number as they expanded offerings, but a critical issue stood in the way. How could the bank ensure the integrity of the countless discrete bits of XML data in every application as they moved through systems at machine speed?

Company profile

This global financial institution provides lending and financial services at scale, with operations spanning multiple regions. It supports high-volume loan processing and maintains a robust internal software ecosystem focused on automation, data integrity, and regulatory alignment. Through ongoing modernization of its systems and processes, the institution applies policy-driven controls and code governance to reduce risk, ensure operational continuity, and adapt to the evolving demands of a digitized financial landscape.

Challenges

Every piece of XML code associated with application forms, whether it contained the applicant’s name, Social Security number, income, credit score, or other private data, needed to be tamper-proof. Data integrity needed to be maintained no matter how many hops an XML file took through innumerable application programming interface (APIs), internal and external, to reach its destination.

Because API usage had to be consistent with Zero Trust architectures, every packet of XML code needed to be authenticated at every hop “like a hot potato,” said the bank’s vice president of loan products management.

The department lacked a coherent policy and enforcement mechanism for how business units stored code signing keys used for these files. While some developers stored keys in HSMs, others stored them unprotected on servers. Meanwhile, their homegrown solution required anyone signing code to have direct access to private keys.

This process increased their exposure because it allowed a copy of a given key to be anywhere and with just about anybody. And InfoSec had zero visibility into any of this.

“It was becoming a key sprawl nightmare,” said the vice president. “We didn’t know who was using them to decrypt the code or where and how they were being used. And our homegrown code signing solution simply couldn’t scale to handle this level of data—nor has it ever been able to provide us with defensible audit trails. The risk was clearly becoming too great.”

The director of public key infrastructure (PKI) services mentioned his frustration with the company’s struggles with phishing—and his suspicion that some connection existed between the malicious payload and internal scripts. One of the solution architects asked if the company knew that internal macros and scripts could be code signed—and that any macro that wasn’t signed could be prevented from executing with the proper security controls in place.

Solutions

CyberArk Code Sign Manager for securing code in the software supply chain when the question arose: could it also protect sensitive XML files?

During a discussion about securing macros and PowerShell scripts, CyberArk confirmed that the solution could help secure all code, regardless of type. At the vice president’s request, CyberArk conducted a proof of concept to demonstrate XML signing.

Code Sign Manager proved it could maintain data integrity across multiple API hops— and its automation capabilities meant it could easily scale to handle as many loan applications as the bank could generate.

“That’s what sold us,” said the vice president. “The ability to handle whatever we could throw at them is what melted any remaining resistance to the solution.”

Results

Once CyberArk helped the InfoSec team set up automated policy enforcement, the InfoSec team quickly saw how Code Sign Manager provided them with the visibility and control they had lacked for years—and were especially pleased that all private signing keys were now stored in a centralized HSM. End users no longer required direct access.

Meanwhile, users who needed to sign this code were equally satisfied. Code Sign Manager not only preserved file integrity but also removed the burden of managing private keys. Better yet, it accelerated file movement through APIs, allowing loans to be processed faster.

The loan department also appreciated that Code Sign Manager could scale easily to handle increased amounts of XML data. When news reports indicated that the federal interest rate was set to rise, customers rushed to lock in lower rates—causing a dramatic surge in loan requests.

“We saw loan applications go up by a high percentage in those couple of months before the first rise, and the bulk of these applications originated online,” the vice president said. “That meant we were dealing with insane numbers of XML files. Code Sign Manager didn’t break a sweat.”

Even with U.S. loan applications temporarily dropping after the federal rate hike, the vice president said he still expected to see applications growing overall in the long term, particularly as the bank spread into other regions and nations. He said he has no doubt that Code Sign Manager is the bank’s long-term solution because of this ability to scale.

Finally, Code Sign Manager gave the bank something it had never had: an irrefutable, real-time audit trail of every code signing activity across the department. If a file from a third-party partner was tampered with, the team could identify and remediate it immediately—before it affected customers or the business.

It also supported compliance with regulatory requirements, providing provable logs for audits tied to Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), and other mandates.

“Code Sign Manager has the automation to do it all: provide much-needed visibility, enforce policy and make it easier and faster to sign code. It’s just been a revelation to us.”
-Vice President, Global Bank

Key benefits

• Control: Centralized certificate and key management eliminated key sprawl and removed the need for users to directly handle sensitive signing credentials.
• Scalability: Automated policy enforcement and code signing workflows enabled the institution to handle surges in loan volume without compromising security or performance.
• Integrity: Code Sign Manager ensured tamper-proof validation of XML data as it moved across APIs, supporting secure loan processing and protecting against supply chain threats.