This mortgage program may be small-time, but it demands big-time information security.
For $169-million First Source Federal Credit Union, that means automated encryption for e-mails containing applicants' private financial information, said Tom Koehler, IT director at the CU.
"Since October, every e-mail sent to our mortgage servicing vendor's domain name is automatically encrypted," Koehler explained.
Members first apply for a loan at a branch, and then the CU sends the application data to a third party servicing vendor for decisioning.
"We were up against the wall," said Koehler. "E-mail was the easiest way to send the data, but before we had the encryption capability, e-mail was a very insecure way."
The CU opted to fax the data to the vendor instead, he continued. "But faxing was very unwieldy. Sometimes, we didn't get a response from the vendor for a couple days. We'd call, and they'd say they never got the fax. Plus, if we had a lot of mortgage applications going through, we were tying up the fax machines and phone lines."
First Source now sends the application data instantly and securely to its mortgage vendor via SecureWorks' new Encrypted E-mail service. SecureWorks, a managed security service company, protects corporate networks, servers, and e-mail.
"Our mortgage officers now rest assured that e-mail is encrypted on the way in and out of our network," said Koehler. "And we know we're using the best possible solution we can use to protect our members' info."
Encrypted E-mail does more than protect members: The product also helps First Source comply with Gramm-Leach-Bliley privacy guidelines.
The encryption process is automatic, and requires no extra hardware or software. "I don't have to buy, install or update any devices," said Koehler. "That's less outlay for us from the start."
First Source pays $6,000 per year for Encrypted E-mail, based on its user-base of 20 lending officers and 80 additional CU employees.
First Source just clicks "send," and all e-mails-not just mortgage messages-go through its e-mail server to SecureWorks' off-site encryption device. The program decides whether to encrypt the e-mails-based on First Source rules-before sending them out to the Internet.
Recipients can read the e-mail by following a link to a secure decryption portal or by using a desktop decryption device. First Source also receives a read receipt when the recipient opens the e-mail.
Previously, First Source experimented with a licensed encryption product. "The product was very secure but not easy to use. We had to manage the encryption keys and we could only afford to install it on five users' desktops."
In addition to automatically encrypting all e-mails to the mortgage vendor with the SecureWorks product, any First Source employee can ensure an e-mail to a vendor or member is automatically encrypted by including the word "confidential" in the subject line, Koehler added.
"At this point we don't send a lot of e-mails to members, so the main reason for encryption is to easily and securely send mortgage data," he continued. "However, as we go forward using the Internet and e-mail as a business tool, I could definitely see us using e-mail encryption with members during a live chat session, for example."
First Source was the first financial institution to use Encrypted E-mail. For the past two years, the CU has also used the SecureWorks E-mail Filtering and network intrusion prevention services.
CUJ Resources
For additional information:
First Source FCU
* www.fsource.org
SecureWorks
* www.secureworks.com
