CU Journal Tech Panel
Reader Question #1: In your particular area of expertise or service, where would you recommend credit unions concentrate their efforts in 2005-and why?
Rick Fleming, CTO,
Digital Defense, Inc., San Antonio
In the area of information security, two areas will be the primary focus for credit unions during 2005; vulnerability management and risk assessment. Vulnerability management will continue to be a concern of both IT users and regulators requiring credit unions to focus on solutions that can help them identify and eliminate the vulnerabilities within their IT systems.
Unlike technologies such as Intrusion Detection or Prevention Systems that only monitor or try to prevent the threats to a network, vulnerability assessment and management systems allow the user to eliminate the vulnerability thus nullifying both the threat and the weakness in their system. Being able to illustrate to management and regulators that threats are being addressed on multiple fronts will be key to an institution's ability to demonstrate due diligence. Likewise, as organizations mature in their security processes, the need for risk assessments will grow. Unlike the tools in vulnerability management that focus on the threats and the weaknesses related to a computer system, risk assessment and management factor in both the value of the system and any associated resources.
Considering both of these variables will allow the institution to more effectively prioritize their limited IT resources towards remediating the weaknesses that have the greatest potential for impacting the credit union.
Doug True, president, FORUM Solutions, Indianapolis
In 2005, credit unions should focus on efficiency and how they can accomplish more with less. Gains in productivity are especially important for credit union lending programs. How can the credit union generate more loan volume without increasing the variable costs associated with the profitability of the loan portfolio? Specifically, how can the credit union disburse more loan dollars per credit union employee? Four possible answers to this question are as follows.
1. How can technology positively impact the time and energy it takes to process a loan application from start to finish? Looking at the credit union work flow is an important part of this assessment. For example, how many employees touch a loan application and are there any practices in which the credit union participates for which the value earned is less than the expense associated with the practice? Possibilities include processing functions such as debt ratios (do they actually predict good versus bad loans?), full appraisals (do they really add the proportionate value over other estimating tools?), and automated underwriting (Are you approving the "no brainers" in an efficient manner?).
2. Can the credit union increase loan volume with flat or minimal new member growth? Cross-selling always receives a lot of talk from credit unions, but is the credit union ready to get multiple loan products with each member's application? Demonstrating value to the member for all of their lending needs is essential for loan growth. Can the credit union serve the member with a full suite of loan products? Credit union employees should feel the urgency to not let any member exit the loan application process without evaluating his or her entire lending needs. Any good investment broker does the same thing on the deposit side so why not our lending personnel?
3. Are there new frontier delivery channels available? For example, indirect lending may be a possibility or it may already be a proven channel for the credit union. If it is already a proven channel, are there new channels where the credit union can apply successful practices learned from the automobile indirect lending process, like medical financing or retail outlets that would crave the value of credit union financing?
4. Is there a new audience for which the credit union could serve? Possibilities might include pay day lending alternatives or tax refund anticipation loans. Where might the credit union be able to positively affect consumers' financial lives with better products, while earning the credit union a nice yield?
Expanded loan growth is vital to a credit union's success and to sustain and most importantly improve on loan growth credit unions need to be both efficient and innovative.
Greg Crandell, VP, Digital Mailer, Herndon, Va.
A 2005 Challenge: Is e-mail marketing dying because of deliverability problems? No, it's evolving. Legitimate, wanted e-mail from CUs is being blocked by ISP and corporate spam filtering. After spending years collecting members' e-mail addresses, and the permission to use them, filtering has rendered this valuable communication channel unreliable-just as more business processes are moving to e-mail! Credit unions' e-mail messages are being sent to members' valid addresses, but never actually making it to their inboxes.
Wrongly blocked permission e-mail is rapidly approaching 20%, with an economic cost of over $3 billion in 2004 (Ferris Research).
Credit unions can always tell how many e-mails were sent, opened and the click-throughs, but there is no way of knowing specifically how many (or which ones) are blocked at the ISP or corporate filters. Most anti-spam programs are not set to return bounce-backs that would let anyone know. Measuring results with e-mail marketing used to be easy, but no longer.
A new breed of e-mail solutions will help manage the "deliverability" challenge and continue to make the e-contact more valuable. Proactively managing the e-mail delivery channel will continue to reduce operating expenses and increase the value of a member's e-mail address, but CU Executives have to be more sophisticated when using the channel.
Reader Question #2
We require passwords to be changed regularly, and employees have them written everywhere, including on sticky notes or the bottoms of their keyboards. That defeats the purpose. How can we require passwords be changed, but not overwhelm the "human-ware?"
Robert Fallon, VP-IT, United Nations FCU, New York
While the technology to ensure data security and regulatory compliance often take precedence when determining IT expenditures, sufficient planning needs to be devoted to ensuring that a credit union has the necessary infrastructure to accommodate these systems.
Without proper backbones networks, routers, switches and pipelines to deliver data, system delivery can be slow, unreliable and cumbersome to maintain. With technologies such as dark fiber becoming less cost prohibitive and easier to install, credit unions have the ability to both safeguard their data as well as increase throughput and reliability. It is these 'back office' technologies that can either make or break the core platform's ability to service the users who rely on it for member service and communications.
Jim Berthelsen, SVP-general manager,
Harland Financial Solutions, Lake Mary, Fla.
With a rising interest rate environment, credit unions need to focus efforts on alternative ways in which to grow while continuing to reduce overall costs. Entering into markets, such as the commercial lending market or through indirect lending channels, may be ways in which to increase or maintain loan growth to compensate for the failing rates.
In addition, member relationship management solutions can assist in understanding member relationships and households in order to gain more of the relationship and share of wallet through one-to-one marketing techniques.
At the same time, focusing on cost cutting is key. Self-service channels are continually becoming more critical and more sophisticated and will help to further reduce overall costs per transaction if the credit union remains up to speed with features and functionality. Automating as many internal processes as possible, especially in the back office area, and looking at opportunities to extend technology and leverage the benefits of current investments are other important ways to enhance efficiencies and reduce costs. Today, industry standard technologies enable integration between the core data and virtually any other application. Credit unions can reap the benefits of the vast technology choices available to them. This strategy provides credit unions with the ability to continually develop ways in which to better serve their members, provide more products and services to members, and streamline their operations' internal efficiencies.
Bruce Cormode, CEO, Symitar, San Diego
Credit unions should focus their 2005 strategies on what competitively differentiates them-what makes them different and what makes them great. Starbucks did not achieve their success by following the market and selling a cup of coffee for less than a dollar and offering unlimited refills. Instead, they delivered a high-quality product in a place where people like to be. It sounds like a credit union doesn't it?
Credit unions should determine their strengths and expand upon them. Risk-based lending and account cross-selling should be considered as vehicles to reach both members and non-members, and to enhance service offerings. Community-based credit unions should consider member business services as an offering capable of deepening community ties. And loyalty programs that offer higher savings rates, lower lending rates, free checking, overdraft protection, and other high-demand services such as electronic bill pay, debit card programs, automated payroll deposits, and electronic statements should be considered as opportunities to further penetrate member bases.
John Schooler, President, USERS, Valley Forge, Penn.
Based on the feedback we're hearing from our clients, the top priority is integration of the credit union's many disparate systems and applications. As credit unions utilize more software applications for a variety of purposes, it's important to look ahead toward how to integrate them effectively. The reason this is becoming an increasingly important initiative is because it offers tremendous, tangible benefits to the credit union-including improved efficiency, elimination of redundant labor and the associated costs, fewer errors, and lower training costs. Just think about the many systems and redundant steps it takes to open a new member account at the average credit union, and you can see why the potential is so great. While there is no magic bullet as of yet, the use of modern, XML-based interfaces, Web services, and other industry standards can help to make the integration of disparate software applications much easier. So as you upgrade or add to your systems, one of your primary considerations should be whether the providers you choose to work with can position your credit union for better integration of their applications down the road.
John San Filippo, VP-marketing and business development, Bluepoint Solutions, Inc., San Diego
Credit unions have traditionally had the competitive advantage of being more nimble than banks. However, as credit unions grow and add a wider range of products and services, and as banks devote more time and money to technology, that advantage is beginning to dissipate. So in broad terms, I think it's very important for credit unions to look for new ways to increase productivity and efficiency, reduce operating costs, and most important, improve member service. In other words, credit unions need to run "lean and mean," while continuing to focus on the outstanding service for which they're famous.
One area where credit unions get bogged down-and they're not alone in this-is in the shuffling of paper. Some credit unions see paper as a necessary evil. But given the advanced state of document management technology, paper for the most part really is an unnecessary evil.
It was probably 10 or 15 years ago that I first heard whispers about the paperless credit union. Back then, the technology just couldn't deliver on the promise. Today that's not the case. One customer of ours, Houston Postal Credit Union, has eliminated 95% of its paper. They're absolutely thrilled to be a paperless CU.
John Edwards, President, XP Systems
CRM implementation is still tops-this is the tool that yields a great deal of insight on member service areas of opportunity, such as commercial lending, online delivery channels, etc. It can help you form your member service vision, and reach it as well. Your CRM solution needs to be fluid, functional, and easy to customize. It is best if CRM is built in to your core solution, so it works with member data more efficiently, and employees don't have to switch applications for contact management.
United Nations FCU, New York
There are now new and emerging technologies available to apply methods other then typing passwords to authenicate users with the proper applications. Fingerprint readers and smart cards are becoming industry standards and are fairly easy to implement. Not only do these methods avoid lost passwords and the associated administrative duties, they also provide much greater levels of protection from unauthorized access to sensitive data and applications.
Jim Berthelsen, Harland Financial Solutions
This ongoing issue holds true for financial institutions and companies alike. With fraud and identity theft at an all time high, maintaining the utmost level of security is imperative.
Technological Solution: From a technological perspective, implementing a two-factor authentication solution can help reduce the number of password changes over time, yet still provide a second layer of security. This solution has an initial capital cost plus additional administrative requirements.
Policy/Procedure Solution: Based on risk assessment by legal and IT departments, increasing the time between password changes, reducing the number of password changes before a password can be reused, and beginning a re-education program with end users emphasizing the need for security, including the ramifications of a security breech in real financial terms, is another viable alternative. In addition, creating policies that provide for possible punitive responses to basic security breeches at the end user level will help in the education process. This solution does not have initial capital costs, however, it does have possible continuing high administrative costs. There is also a real need to follow through with the punitive components and the effect of negligence on the part of the end users.
Some combination of a technological and a procedure/policy solution appears to be the most likely scenario for establishing a secure, somewhat easy to use, solution that still provides the required level of security.
John Edwards, XP Systems
Of course, most company policies do not permit passwords to be written on sticky notes or other similar places, but the habit is hard for many people to resist. Very often "human-ware" is the weakest link in the security infrastructure. Allowing single sign-on access, where users sign on once to access multiple systems, can minimize the sticky note situation. People are much less likely to write down passwords if they are required to remember only one. Also, why not try a two-method access system? Not only require a password, but also some sort of key card identification. Now, to login, the user needs something he knows (password) and something he has (keycard). If the password is stolen but the keycard is not, then an unauthorized login is not possible. This may not solve your sticky note problem entirely, but it safeguards access to your system.
John Schooler, USERS
In today's security conscious world, it's imperative to create solid policies on the use of passwords, to require staff to adhere to them, to audit regularly for compliance and to take appropriate action when they're not followed. Those policies must inevitably include changing passwords regularly and keeping them secure from others.
But if your password requirements are too complex, you can see why employees might resort to sticking Post-Its in plain sight. After all, who can be expected to remember a 15-character password that changes every three days? When creating your password requirements, it's important to strike a balance between security and practicality, between the need for strong password controls and the ability for employees to remember them.
While there's no immediate panacea, several emerging trends will eventually help to mitigate the problem. For instance, one benefit of the integration discussed in question No. 1 is that it would require fewer passwords, as authorization could pass automatically from one software application to another.
Another possibility is that as technologies like biometrics become the norm, your fingerprint or retina may become the only password you need to access your computer and its applications.
Bruce Cormode, Symitar
The answer is to eliminate passwords with biometrics technology. But like most leading-edge technologies, it has survived the peak of inflated expectations and the trough of disillusionment, and has clearly entered the phase of acceptance.
The need to use and administer multiple passwords in today's technology-dependent credit unions inherently generates security risks and operating inefficiencies, and is positioning biometrics as the dominant method for individual sign-on security.
Technological advancements have solved the issues of privacy, diverse demographics, skin conditions, and varying user techniques; and have made biometrics extremely cost-effective. In many financial institutions, this technology pays for itself within months by eliminating the use, maintenance, and administration of user names and passwords; enhancing employee efficiency; and significantly improving security. Verinex Technologies, a subsidiary of Jack Henry & Associates, provides an innovative and cost-effective biometrics solution for credit unions.
Additional information is available at www.symitar.com or at www.verinex.com .
Rick Fleming, Digital Defense, Inc.
There are two basic technologies that can help in this endeavor and when combined, prove to be a very effective security solution. These technologies are password vaults and biometrics. Simply put, password vaults are encrypted files where users are able to store user-id and password credentials for the various systems they have access to. The problem in the past has been that should the password for the vault be compromised by another person, so were all of the passwords for every system.
With the introduction of biometric devices for authentication, it became possible to secure the password vault in such a way so that only a single person could open the vault. Biometric devices make use of things such as fingerprints, retinal, voice and facial patterns, or a combination of these as a means of identifying a person. Once the biometrics are input into the system and recognized, the user then has access to the secured components of the system, in this case the password vault.
In several customers, the deployment and integration of the biometric devices into their network has been accomplished in a matter of a few days and was readily accepted by the employees.
Once deployed, very complex passwords could be generated for all of the systems thus improving the overall security of the environment.
These systems can be deployed both on a network basis where the credentials are stored on a central server and made available to the employee regardless of where they login to the system or can be stored on removable media such as USB pen drives that can be taken from workstation to workstation.
John San Filippo, Bluepoint Solutions, Inc.
I know from my own perspective as an end-user that password management can be a very frustrating endeavor. One obvious way to counter the proliferation of sticky notes and passwords that change by adding a "1" at the end is to eliminate them. Of course, I'm talking about biometrics.
We're in the process of developing a biometric component for use in member identification with our teller-line products. Quite frankly, I don't understand why simple fingerprint readers have not become more popular for employee identification. The cost for the hardware has dropped significantly, and the burden on the end user is almost non-existent.
But suppose you're not interested in biometrics. Then what? One area that I think gets overlooked is employee education. I mentioned that password management can be frustrating, but I'm willing to endure that minor frustration because I know what damage can be done if passwords aren't managed properly.
On the other hand, the typical employee probably sees periodic password changes as just another way for those paranoid IT guys to make life more difficult. I believe that if you take the time to familiarize your employees with the perils that their bad habits can bring about, they'll be much more willing to comply with security policies.
It's obvious to every employee why you keep all the cash in a vault. It needs to be just as obvious to your employees why password management is important.