Reader Questions Answered By CU Journal Technology Panel
Reader Question #1:
How do CUs comply with e-mail storage and archiving legislation? How important is compliance in this area? E-mail compliance seems to be a particular mystery. I just spoke with one of our managers who uses an e-mail management and compliance application but doesn't know anything about the compliance side of it!
David P. Turner, Chief Information Officer
Integrasys, Plano, Texas
E-mail retention is quickly becoming a major burden for many organizations, including credit unions. From Sarbanes-Oxley, to SEC Commission Rule 17A-4, to Gramm-Leach-Bliley, to US Patriot Act, almost every organization is impacted in some way. With so many regulations on the books related to e-mail retention, it can be difficult to determine the best direction to take.
Establishing an e-mail management policy is a good business practice-regardless of the regulations. A documented policy can help protect your credit union from a wide range of fraud and productivity challenges, as well as enable you to efficiently comply with today's legislation. An e-mail management policy should be clear and consistent, outlining what must be retained, and how long it must be retained. A clearly stated policy can also aid in effective individual enforcement, the approach most organizations use today.
Technically speaking, most e-mail applications were never intended to become document repositories. So it's not enough to simply add storage to handle the ever increasing volume of e-mails. As a credit union leader, you must be able to access those e-mails quickly and efficiently. Automated processing solutions can be a useful choice because they direct every incoming and outgoing e-mail to a central repository for indexing and storage, allowing easy message retrieval and sorting capabilities.
With an automated solution, e-mails can be scanned for policy enforcement, like a search for specific words or context that, if found, would trigger an alert. For example, a credit union may want to scan outgoing e-mails for account numbers or social security numbers as a way of identifying and preventing fraud.
While automating the process can make it more efficient, many of those tools can be very expensive. So it's important to weigh your perceived risk against the cost of implementing an automated solution.
Tom DeSot, VP of Operations
Digital Defense, Inc., San Antonio
Does the credit union use e-mails as part of a transactional record? Are they a broker-dealer as defined by the SEC/NASD? Are they publicly held and therefore bound by statutes set forth in SOX?Though new legislation or regulatory guidance is always being developed, if the credit union can already answer yes to any of these questions, they are bound to retain their e-mail correspondence. As an example, under SEC 17 CFR Parts 240 and 242 a broker-dealer is required to retain e-mail for up to six years.
Keep in mind that as with any retained document, there are legal considerations that the credit union should evaluate. As such, the best advice would be to discuss the matter with the credit union's compliance officer or legal counsel to ensure that the credit union has properly developed and implemented its e-mail retention policy as part of its overall record retention program.
John San Filippo, Bluepoint Solutions, San Diego
The first question to ask concerning e-mail retention is: What e-mail needs to be retained? The answer to this is simple. Records retention regulations are all based on content, not on medium. Both laws and court rulings have held that e-mail now carries the full force and effect of any other document. So whether an e-mail must be retained depends entirely on its content. Stated another way, you must apply the same retention policy to your e-mail that you apply to any other medium, i.e., paper documents.
This is why it's so important to have a document management system that can handle any type of digital file, versus one that only accepts scanned images. In our solutions, for example, you can "drag and drop" an e-mail into a member's file, and it becomes a permanent part of the member's record, just like a loan document or statement.
The more credit unions transmit information electronically, the more seriously they must take this very important issue.
Jim Berthelsen, VP and General Manager
Harland Financial Solutions, Pleasanton, Calif.
The Federal Government now recognizes e-mail as a vital piece of doing business today. The administration and preservation of e-mail are becoming crucial to an organization's internal policies. The ULTRADATA System has several approaches to adhering to retention requirements.
The ULTRADATA System's integrated Touch? Sales & Service Member Relationship Management Solution enables e-mails to be attached to a member's contact record and contact history when using Microsoft Outlook. This way the e-mail can be archived for future reference. In addition, the ULTRADATA System's integrated document management system, OnBase from Hyland Software, Inc., adheres to retention requirements for many regulations including SEC 17a-4 and Sarbanes-Oxley, among others, providing several methods to manage the archival and storage of e-mail and its associated attachments in assistance with archive legislation.
OnBase can poll a Microsoft Exchange Server to capture and store e-mail messages and attachments directly into the OnBase repository. A Microsoft Outlook or Lotus Notes user can also store e-mail messages and attachments into OnBase through the familiar Outlook/Lotus Notes interface.
Reader Question #2:
We are a $600-million credit union. Each year the CEO has our IT Department create a strategic plan of our own that we present to the board. One question we have to answer is where we believe our credit union and others are weakest technology-wise. Could your panel give some input here?
David Van Pelt, VP, Chief Technology Officer
IA Systems, Albany, N.Y.
Credit unions typically have many technology platforms and systems that perform specific, but separate, functions. For example, many credit unions have a variety of systems for CRM, loan origination, loan servicing, member services, call center inquiries, share accounting, general ledger functions, etc. The biggest weakness we see is the lack of interfacing-or reliable, seamless interfacing- between those systems. Credit unions are increasingly looking at investing in the interfaces between their "best of breed" systems to achieve maximum productivity, efficiency, and data sharing. The proliferation of web services and XML as technology standards for interfacing has opened the door beyond the credit unions' internal systems and provided new opportunities for interfacing to their partners and outsourced systems. It is important for credit unions to work with technology companies that understand this need and that have expertise and experience implementing interfaces between a variety of platforms and technologies.
Rick Fleming, CTO
Digital Defense, Inc., San Antonio
For the past five years, I've had the opportunity to review the information technology used by hundreds of credit unions of all asset and membership sizes. Increasingly, credit unions are using that technology to deliver more of their services, particularly in the form of home banking and online loan processing. In the rush to deliver new and improved services, many credit unions expose themselves to excessive risks. These risks come primarily in the form of not testing for and identifying vulnerabilities in their policies, processes and systems and not adapting to new technologies that could improve their overall security risk posture.
One primary area is in the performance of required recurring security assessment. Many credit unions are still utilizing the once-a-year approach to addressing system/network security. As a result, the organizations remain exposed for extended periods of time and make little impact on the issues plaguing their systems and network.
Credit unions should utilize software systems that let them assess the security of their network on at least a monthly basis. These systems should also provide them the functionality to assign and track progress to ensure issues are being addressed. In addition to monthly assessments of all systems, new systems should be thoroughly tested and their security approved before they are deployed in production environments. While the third-party vendor selling the credit union the system may say the system is secure, only independent testing can verify that security.
Likewise, many credit unions overlook the security implications of new technologies like IP based and wireless ATMs. While the credit union should remain aware of new security risks associated with the use of IP based ATMs, they should also evaluate and embrace the freedom and revenue benefit that they provide. With IP based or wireless ATMs credit unions are no longer required to run serial lines for connectivity as the new units provide the ability to place them in locations that previously would have been out of reach. These technologies can be used in a secure manner, but to do it right often requires an expert level of expertise only available externally to the credit union.
John San Filippo, Bluepoint Solutions, San Diego
Some people may look at this as a "Where should we spend more money?" type of question. I don't think spending more money is necessarily the answer. Quite the contrary, my observation has been that the biggest weakness in most credit unions is not making the most of the technology they already own.
New software versions are released. Employees come and go. Literally before you know it, you're behind a technology curve that you were once ahead of.
Many times, the best solution is to retain the consulting services of your technology provider. I know that to many, "consulting" is a four-letter word. However, my experience throughout my entire credit union career is that credit unions willing to invest in this sort of consulting usually see that investment returned many times over. And when you consider that a consulting engagement might be a viable alternative to paying for and adding new technology, it becomes that much more attractive.
The bottom line is this: Before you go shopping for new technology, check with your current vendor to make sure you're getting the most from what you already have.
Doug True, president,
FORUM Solutions, Indianapolis
Resource management is an on-going reality for credit union information technology teams. Instead of reflecting on this question as what is the "weakest" technology area I would suggest reframing the question and looking at how your credit union can get the largest return for your members based on your resource allocation. Too often information technology teams look at the "weakest" area that affects their team and they allocate resources that make the lives of the technology team easier, but do not have a positive impact on the membership.
With the membership in mind, ask where might you better strategize to allocate resources? Some examples could include:
* Improvements to online account access and management.
* Improving member service in the retail outlets.
* Providing improved turnaround time on loan requests.
A good concept to keep in mind is that the business plan should drive the technology and not vice versa.
David P. Turner, Chief Information Officer, Integrasys
Over the next 12 months, credit unions should focus their technology efforts in two key areas-system architecture and fraud.
When it comes to their technology systems, credit unions must ensure that their overall architecture is sufficient to handle the ever-changing needs and demands of their members. Keeping pace with demand includes the ability to integrate new products and services quickly in order to remain competitive.
Web services, combined with a properly conceived service oriented architecture, offers exciting new possibilities for credit unions, creating an environment where they can experience faster deployment of new technologies and seamless integration with third-party applications.
If your current technology architecture can't support these same rapid implementation capabilities-whether as a result of a legacy solution or a proprietary system that is anything but open-seek out providers who can deliver core solutions and ancillary applications that are compatible with web services technology. The partner opportunities are out there. A recent study by the Yankee Group showed that 48% of respondents have already deployed web services, and another 39% expect to deploy the technology within one year.
The other area credit unions ought to focus on in the next 12 months is fraud management. Fraud is a major issue that continues to move downstream and impact more and more credit unions and their members. In fact, fraud is costing credit unions an average of $3 to $5 per member per year.
Credit unions can limit their exposure through a combination of effective technology and proactive member education. The good news is there are tools available today that can monitor transaction activity from all delivery channels on a real time basis to identify fraudulent patterns.
The real-time aspect is critical because it allows the credit union to take immediate preventative action, rather than learning about the suspicious activity in a report the next day.
Sue Pogatschnik, Credit Union Market Manager
Many credit unions can take advantage of technologies that help automate processes for Bank Secrecy Act and US PATRIOT Act compliance as well as documentation for business lending transactions.
Fraud Prevention: Compliance with the BSA and the US PATRIOT Act is more important than ever before. In February, the FTC reported identity theft topped its consumer complaint list for the fifth year in a row. And according to comments made by NCUA board member Debbie Matz in a speech earlier this year, examiners will likely take a closer look at the programs and corresponding technology that CUs have in place to protect their members from identity theft in 2005.
Automating your member identification and anti-money laundering processes can result in greater efficiency and productivity for your staff, and reduced risks for your credit union. Automating your processes will allow you to most effectively know your member's true identity, know your member's "normal" activities, and generate legally required reports.
Business Lending: Documenting business loans can be much more complex than documenting consumer loans. An automated documentation solution can help your credit union reduce the amount of time it takes to document a loan and be more confident in the compliance content found within your documents.
A technology solution that automatically selects the documents needed for each business lending transaction can help you eliminate any guesswork on your part.
Such a feature is helpful if it accesses documents that are compliant in all 51 jurisdictions-especially if you plan on doing business in more than one state.
Jim Berthelsen, VP and General Manager,
Harland Financial Solutions, Pleasanton, Calif.
Technology weaknesses for ULTRADATA System mid- to large-size customers tend to be related to product adoption rather than availability. Some areas where adoption has been a bit slower are with data warehousing, or business intelligence, and Customer Relationship Management (CRM). While these technologies have been available from us for some time, customers have been somewhat slow to adopt them.
More tangible products, such as Business Services, Privilege Pay or Branch Accounting, are quickly adopted and rolled out to members. Boards appear more ready to approve technology when there is a hard ROI attached and a clear and immediate member benefit. Softer ROIs, such as those obtained from BI and CRM, tend to be more subjective and thus, boards are more reluctant to approve. These solutions typically come with business rules and involve 'culture change' within the credit union with the overall benefits to the credit union and members often taking some time to reap.
Even when technology is adopted, if the business rules and processes aren't implemented and the culture change not successful, the technology may have a lower success rate.
Credit unions need to be mindful of what it takes internally to prepare for new technology with staffing, process change, etc. to ensure success and to make sure there is no single point of failure with staffing or otherwise.
And lastly, once technology is purchased, the credit union needs to put emphasis on end-user utilization of the technology. Focus should be placed on training and better usage and utilization of the software owned.
User training boosts employee productivity and ensures the most efficient use of the technology is achieved. Often, credit unions find they may already own the technology within the system and not have to look further.
Have A Question For The Journal's Technology Panel?
E-mail the question to fdiekmann