Social Engineering, Phishing, Vishing: 3 Common Elements & How to Combat Them

Posted on Wed, Jul 01, 2015 @ 08:00 AM

Author: Tammy Bangs



Phishing and social engineering accounted for 15 percent of cyber-crime costs incurred by U.S. companies in 2014, according to Statista.com. Furthermore, 44% of U.S. companies responding to a recent survey stated that they were targets of social engineering or phishing schemes (Statista).

Social engineering, phishing and vishing are everywhere you look these days.  Fake IRS telephone scammers, recent large financial institution (FI) breaches via email scams, penetration testing failures, executive level breaches, you name it – it has happened. 

Have you been lucky enough to receive a telephone call from the ‘Department of the IRS’ this year?  No?  I actually received two. Being the risk mitigation geek that I am, I couldn’t resist baiting the fraudster just a bit, asking as many questions as I could muster, keeping him on the line with me for as long as possible.  It was a fascinating glimpse into the not-so-sexy world of the vishing scheme. They were probably armed with little more than a search engine and a telephone. They didn’t even know enough about the Internal Revenue Service to use proper nomenclature. 

In my travels hosting risk mitigation seminars over the past 18 months, I have been grateful to hear from numerous bankers about penetration testing results they’ve experienced in their own FIs.  A common scenario is as follows: 

A third party firm is hired to see what they can obtain via external phishing testing.  An email is sent to the entire active directory in the FI.  The email appears to be from the IT officer, but is actually (upon further scrutiny) from an external source, but it looks good - quasi-legitimate.  The email states that if they don’t click the link provided, and give their network credentials and passwords, then the required system maintenance due to be performed tonight cannot be completed and their managers will be notified.  Lots of the bankers – from tellers to C-Level - click the link and provide their credentials.  

Initially the numbers I saw were astounding.  But, having spoken to bankers from coast to coast, I can confidently state that there are employees at every level inside of your FI who would click the link, TODAY. 

So I started wondering: Why?  Why would completely reasonable, intelligent, responsible people in this day and age with so much on the line willingly submit to a fraudster? It’s because most social engineering, phishing, and vishing schemes are built on three elements that suspend common sense:

  1. Legitimacy
  2. Urgency
  3. Consequence

If Bob’s Accounting Firm down the street was on the phone, most people wouldn’t be very likely to cough up their SSN and DOB. But if it’s the IRS, it’s a different story. And if the email mentioned above wasn’t purportedly from the IT officer of the FI, the recipient would not have been nearly as likely to click the link and divulge their network credentials. 

A critical element in establishing the validity of the request is the pretext or backstory of the requester.  Is it a government agency?  Is this a law enforcement officer?  Is this a vendor?  Is it an employee of our FI?  One of the simplest and most effective ways to stop a social engineering attack before it’s off the ground is to simply validate the credentials of the person who made the phone call or sent the email.  How is this accomplished?  Through a separate and independent channel.  Either by calling the agency (IRS or otherwise) back and asking for the purported agent, or via a separate (non-reply) initiated email. 

If there was no urgency in the request by the scammer, there is no reason to act now.  The fraudster wants you to act before your brain has a chance to consider what the down side of that action might be.  How many times have you spoken to an employee or customer after they’ve already opened the email and clicked the link?  “Um … I think I maybe shouldn’t have done this.”  “I may be infected with a virus.” “Something doesn’t look right!”  It’s a common theme.  If that fraudster gets your employee or customer to act prior to considering implications of that action, their rates of success go way up.  According to behavioral psychologists, urgent situations cause people to suspend deliberate thought and act quickly (Psychology Article).

Consequence is the final leg in our three-legged social engineering stool.  If there is no implied or explicit consequence, there can be no true urgency, and therefore no reason to act.  If the IRS isn’t threatening to levy your property, place you under arrest or increase the amount you owe them, why would you agree to wire money immediately or provide information which could later be used to steal your identity?  If that IT officer wasn’t performing system maintenance tonight and your manager was not going to be notified for your non-compliance, why on earth would you agree to give your network credentials to someone – ANYONE?  The elements of consequence and urgency go hand in hand in making rule-following good citizens easy pickings for criminals.  Unfortunately, this element is one that makes older generations even more vulnerable to this type of attack.  Taking the person on the other end of the phone at ‘face value’, and believing them when they tell you that you are in trouble with the IRS, is practically a given unless you can warn your senior citizens ahead of time.  Before the wire is sent.  Before the social security number is given out. 

Identifying these three elements is just one part of the strategy.  Your FI can take it from here.  Adopt a review of these components as a part of the training you provide your employees and customers on combating social engineering threats.  Scrutiny is not rude, it’s part of doing business today.  Challenging credentials, validating requests, and critical thinking is as much a part of protecting your assets as locking the front door of the bank each evening.  It’s a necessary part of combating the tactics adopted by these fraudsters.  One additional parting thought – explicitly spell it out in your employment policy as an actionable item.  If an employee gives their network credentials to anyone, this is an offense that can result in termination.  It is a tough-love approach, but one that your security can depend upon.  Helping employees understand that there are consequences associated with actions is a critical deterrent to the click-now, think-later approach.  
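The three-element review described above can also be run as a mail-triage heuristic. The following is an added example, not part of the original post: the organization domain, keyword lists, verdict names and sample messages are all constructed assumptions, and keyword matching of this kind supports training and triage rather than replacing independent-channel verification.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

ORG_DOMAIN = "examplebank.test"  # assumption: the institution's real mail domain

# Assumed keyword lists, one per element named in the post.
AUTHORITY = re.compile(r"\b(it officer|it department|help ?desk|irs|internal revenue)\b", re.I)
URGENCY = re.compile(r"\b(tonight|today|immediately|right away|urgent)\b", re.I)
CONSEQUENCE = re.compile(r"\b(will be notified|suspended|disabled|locked|arrest(?:ed)?|levy)\b", re.I)
CREDENTIALS = re.compile(r"\b(passwords?|credentials|user ?name|social security)\b", re.I)

# Constructed sample messages (not real mail).
PHISH = (
    'From: "IT Officer" <it-officer@examplebank-it.test>\n'
    "To: staff@examplebank.test\n"
    "Subject: Action required: system maintenance\n"
    "\n"
    "System maintenance is due to be performed tonight. Click the link and\n"
    "enter your network credentials and password, or the maintenance cannot\n"
    "be completed and your manager will be notified.\n"
    "https://portal.example.invalid/login\n"
)
INTERNAL_NOTICE = (
    'From: "IT Officer" <it.officer@examplebank.test>\n'
    "Subject: Scheduled maintenance tonight\n"
    "\n"
    "Maintenance is scheduled for tonight. No action is required.\n"
)
NEWSLETTER = (
    'From: "Acme Payments News" <news@vendor.test>\n'
    "Subject: Webinar reminder\n"
    "\n"
    "Our webinar is today at 2pm.\n"
)
REPLY_TO_MISMATCH = (
    'From: "IT Department" <it@examplebank.test>\n'
    "Reply-To: helpdesk@mailbox.test\n"
    "Subject: Mailbox review\n"
    "\n"
    "Please confirm your mailbox settings by replying to this message.\n"
)


def _domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def assess(raw_message):
    """Flag legitimacy, urgency and consequence cues and suggest a handling verdict."""
    msg = message_from_string(raw_message, policy=policy.default)
    display, _ = parseaddr(str(msg["From"] or ""))
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"]) or from_dom
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject'] or ''}\n{part.get_content() if part else ''}"

    # Legitimacy: the sender claims an authority role, but the mail either
    # comes from outside the organization or steers replies to another domain.
    claims_authority = bool(AUTHORITY.search(display) or AUTHORITY.search(text))
    suspicious_origin = from_dom != ORG_DOMAIN or reply_dom != from_dom
    flags = {
        "legitimacy": claims_authority and suspicious_origin,
        "urgency": bool(URGENCY.search(text)),
        "consequence": bool(CONSEQUENCE.search(text)),
        "credential_request": bool(CREDENTIALS.search(text)),
    }

    all_three = flags["legitimacy"] and flags["urgency"] and flags["consequence"]
    if all_three or (flags["legitimacy"] and flags["credential_request"]):
        verdict = "quarantine"
    elif flags["legitimacy"] or (
        flags["credential_request"] and (flags["urgency"] or flags["consequence"])
    ):
        # Borrowed authority alone still warrants the callback the post recommends.
        verdict = "verify-out-of-band"
    else:
        verdict = "deliver"
    return {"flags": flags, "verdict": verdict}


if __name__ == "__main__":
    samples = {
        "phish": PHISH,
        "internal notice": INTERNAL_NOTICE,
        "newsletter": NEWSLETTER,
        "reply-to mismatch": REPLY_TO_MISMATCH,
    }
    for name, raw in samples.items():
        print(name, assess(raw))
```

The internal notice and the newsletter both contain urgency words yet are delivered, which mirrors the post's point that urgency only works on people when it is paired with borrowed authority and a stated consequence.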


Social Engineering: defines it as “the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information.”
Phishing: defines Phishing as trying “to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one.”
Vishing: defines Vishing as Fraudsters who “uses social engineering and phishing techniques to steal people's identities using Voice over Internet Protocol (VoIP) phone lines”
Personally Identifiable Information: (PII) The US Department of Labor defines it as “information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.)” 


Tags: phishing campaigns, cybersecurity awareness, social engineering

Consumer, do we really know you?

Posted on Wed, Jun 24, 2015 @ 07:30 AM

Author: Milton King

I was having breakfast with some friends recently, when I noticed something odd about the conversation.  None of them were talking about their banking institution.  Nor did someone break out their new banking app and share it with everyone else at the table.  Clearly these people were not “in the business”.

Because I have been around the banking industry for so long, I decided to test the market.  I smoothly inserted the question, “who do you bank with?”  Once I got their answers, I asked “why ____?”  To a guy who is in the business, their answers were very low-tech.  The top three answers were as follows:

  1. Convenient
  2. I have been with them for years
  3. Low cost

Notably absent was a list of new technology their bank or credit union offers.  This was a group with several generations represented and the answers didn’t fall along age lines.

This got me thinking, are we totally misreading the consumer?  Let’s look at their responses individually:

We keep saying “who goes to a branch anymore?”  Apparently, someone does according to the Wall Street Journal, as they estimate the current U.S. branch count at 93,000 (see relative comparison list below).  Is that lower than the historical high, yes.  Is that because the consumer turned his/her back on the branch, not so clear.  Much of that branch reduction was due to consolidation and downsizing by the largest FIs, not consumer preference.  In fact, per the WSJ, branch count had been growing until 2011/2012.

For comparison:

  • 121,000 gas stations in the U.S.  (U.S. Census 2012)
  • 93,000 Bank branches in the U.S. (WSJ Online 3/2013)
  • 4,540 Wal-Mart stores (Wal-Mart 2015)

Bank tellers were thought to be going the way of the elevator operator.  By simply averaging five tellers per branch, you realize there are a half million tellers and their support infrastructure going strong today.  Elevator operators are not faring as well.

I have been with them for years
“Electronic banking will make it easier for consumers to switch financial institutions, so they will”.  Per Market Watch, in 2010 between 1 and 2 million people switched banks with the trend slowing.  That’s not much when you consider most adults in the U.S. have at least one bank account.  For the sake of this discussion, the 1 – 2 million is overstated, as it doesn’t consider those who changed because they relocated or their bank closed or merged.  The numbers seem to support what my breakfast companions stated.  Most people stay with their FI and will only leave under duress. 

Low Cost
Cost, probably the greatest of all consumer drivers!  My uncle/cousin Pete comes to mind (those of you who know me personally I will explain the mixed title to you later), he is known for his frugality.  I can just hear an earnest young teller showing my uncle the cool iPhone app, internet banking site and high tech kiosk; not knowing that he is probably getting closer to losing my uncle’s business than he is winning it.  All uncle Pete is thinking of is “Who is paying for all of this stuff? It better not be me!”

What is my message to you?  While technology has a role to play in banking, what stood out for me was how fundamental their responses were.  Simplify my life (convenient), keep my cost down and not only will you win my business, but you will likely keep it for a long time.

Those of us in the financial industry or servicing it can get caught up in the weeds, bubble, or echo chamber, and get away from the fundamentals my breakfast mates identified.  I am always amazed at the lengths we will go through to get consumer feedback, “Mrs. Jones if you fill out this survey you can win a trip to Maui.”  We literally have to bribe people to tell us how to serve them.  I would bet that a similar breakfast conversation back in 1995, 1975 or 1955 would have yielded similar responses.  The consumer hasn’t changed much; our challenge is to stay focused on those fundamentals even when the technology is changing daily. 

What are your thoughts?  Do you think the consumer has changed?  Please share your feedback in the comments. 


Tags: branch banking, customer relationship

Banking Better Than Before

Posted on Wed, Jun 17, 2015 @ 07:30 AM

Author: Craig Laures

Banking professionals are always looking for a way to “do better.”  Doing better comes in many shapes and sizes.  To some, banking better might mean improved earnings, innovation, enhanced risk mitigation, growth or expansion, and new lines of business.  To others it could mean the opportunity to further serve a greater good or additional giving to charitable programs.  When your bank does better shareholders, employees, customers, and communities win.

Banking statistics for Q1 2015 were just released by the FDIC. The results reflect that banking is indeed getting better, much better than recent years.  More institutions are now profitable and more are reporting better earnings than last year.  ROA and ROE continue to trend up.  Efficiency Ratio, Allowance for Loan Loss, and Cost of Funds continue to trend down.  None of these performance metrics improved by accident, so what will sustain these trends?  It has to be better banking or at least banking that is better than before.

Most industry pundits remain upbeat regarding the outlook for banking in 2015. Many are citing business growth as one of the lead drivers for bank tech spending in 2015.  Does bank tech spending lead to better banking?  It certainly plays a significant role.  Better banking can be fully realized when paired to sensible, strategic IT spending.  For example, recent statements by research firm Ovum found mobile and online banking investments should grow 7.5% and 7%, respectively.  Let’s look at areas which deserve extra attention when we focus on better banking.

Online Experience
Since banks began launching websites in the 1990s, customers and prospects have browsed your site looking for products, rates, promotions, applications, and online banking logins.  The result was financial institutions (FIs) being placed in reactionary positions if the customer decided to call or email you about their interests. Today, the opportunity to be proactive is here.  Is a proactive approach to marketing supportive of better banking practices? Certainly. Consistently engaging website visitors with ads for products that are actually appealing and important to their individual interests is now a reality.


Branch Experience
The branch shows no signs of slowing in its evolution.  For example, we’ve seen FIs move customer/member interactions to a kiosk or even a tablet environment.  FIs in a tablet environment are mobilizing their representatives with touch screens.  This allows business to be transacted from anywhere in the branch or at a local business. Read our recent post on branch banking anywhere for more information.   

Commercial Lending
In recent meetings with retail focused FIs they have shared a commitment to adopting a Commercial & Industrial (C&I) lending competency as part of their strategic direction. But how are they going to succeed?  It’s nothing like you might imagine. Artistic creativity and transparency in the pricing and structuring of C&I loans will be key ingredients to achieving sustainable growth in this area.  Borrowers love choices and appreciate insight into how their loans are priced.  Also, the ability for community FIs to partner with alternative lenders (dare I say it?!) will bring you and your clients unique funding strategies. Finding a properly vetted alternative lending partner is the variable to success.  You’ll be better off partnering with an alternative lender instead of treating them as a competitor. 

Many borrowers lean toward the online experience.  Online applications, automated prices, and efficient approvals result in quick-turn decisions leading to happy borrowers.  Speed and convenience, without sacrificing good underwriting practices, will have a stronger influence on a borrower’s decision than “rate” or “relationship”.

Risk Management
Fraudsters find new ways to keep us on point and vigilant.  According to the 2015 Association for Financial Professionals Payments Fraud and Control survey, incidence of payments fraud in 2014 was unchanged at most companies when compared to 2013.  With that said, 25% of organizations experienced an increase in payment fraud attacks. For 39% of the more than 2,000 surveyed organizations, the potential loss from fraud in 2014 was estimated to be less than $25,000; for 31% the potential loss is between $25,000 and $249,999. The potential loss is $250,000 or more at 19% of organizations. Your customer is the weakest link and the biggest threat to fraud.  Let’s bring better banking to your clients.  Let’s teach your clients to be better at preventing financial fraud.  Utilize fraud experts that have documented proven practices to minimize the risk and payments fraud exposure your clients face daily.

Many FIs are moving their IT environments to a secure cloud environment. These FIs are committed to getting back to banking.  They made strategic choices to place the management and support of their IT infrastructure on those who are experts. How would such a move contribute to better banking? 

At ProfitStars we’ve documented best practices and catalogued successful outcomes leading to you, our clients, and ultimately your clients winning.  Now that is better banking.

Tags: online banking, commercial lending, branch experience

Online Lending: Time to Get in the Game

Posted on Wed, Jun 10, 2015 @ 07:30 AM

Author: Mark Messick

Do you remember the days when financial institutions (FI) didn’t have websites?  For those millennials out there who just fell out of their chair, yes, there was a time when banks and credit unions didn’t have websites.  What we heard in those days was that community-based banking was a relationship business and that FI’s knew their client base so well they didn’t “need” a website.  It certainly was, and still is, a relationship business.  But, can you imagine an FI operating without a website today?  I didn’t think so.  What about the days before cell phones?  If I had a dollar for all of the people I heard say, “I’ll never get one of those”, who now own, not only a cell phone but a tablet as well, I’d be writing this blog post from a beach somewhere instead of my office.  The point is, time and technology continue to march on.  FI’s are finding new and unique ways to connect with their customers and members, and as innovation increases, product offerings increase as well.  Unfortunately, since the recession, non-FI competitors have emerged within the lending marketplace and have moved ahead of FIs in a number of ways.

You can pay bills or open a checking account, but can you request financing directly from your FI’s website?  Probably not.  What if you’re a small business owner and need financing related to your company?  Even more unlikely.  In fact, we surveyed a number of FI’s last year and less than 8% had any kind of mechanism for a business to request financing online.  Yet, we know that people are increasingly using technology to do most everything in life, including finding sources of financing and credit.  The explosion of online alternative lenders over the last several years is proof enough of that fact. Read more in this blog post on small business lending trends to watch that we posted in 2013. Consequently, the number of loans done online with these types of lenders has an exponential growth curve attached to it.   Still, FI’s have been slow to react and even slower to compete, even though every institution is crying out for loan demand.  Maybe you’ve seen these headlines from recent periodicals:

“Why Your FI Needs a Digital Lending Platform—Now”
“Community FI’s Need Sleeker Approach to Small-Business Lending”
“FI’s Conspicuously Scarce in Supercharged Online Loan Field”

This bold but necessary leap forward doesn’t require an FI to change its credit culture or lending standards, it simply begs for the institution to meet the borrower’s needs in a new and unique way.  It asks you to leverage the technology channels that you’ve already invested in, but in ways that are meaningful to those who wish to access your services.  Online banking, for example, wouldn’t be a very powerful tool if when you logged in, you had to call to get more info, or click on the “Contact Us for More Info” button.  Why should your loan products be any different?  Think about it this way, the top three responses from borrowers when asked what they are looking for in a lender are usually:

  • Make it easy for me to apply
  • Give me a quick initial response
  • Help me get the capital I need, even if you can’t do it yourself

Ask yourself if your FI’s loan methodology meets those responses.  If not, it’s time for you to get in the game and stop sitting on the sidelines.  Someday we’ll all look back and remember the days when nobody offered loans online and wonder what took so long.


Tags: lending opportunities, small business lending, commercial lending

Growth in Asset Based Lending Calls for a Return to Fundamentals

Posted on Wed, Jun 03, 2015 @ 08:00 AM

Author: Pat True

According to the Commercial Finance Association’s annual survey, asset based lending (excluding factoring) commitments rose to $216 billion by the end of 2014, with funded balances reaching $90 billion.  This represents a 12.3% increase in funded balances from 2013.  Overall credit line utilization rose 41% for the year.  During a year that saw a return to commercial real estate lending for many, working capital lines were also clearly a factor.  This trend was recognized by regulators as the OCC distributed new guidance for management of asset based lines, recognizing that banks are doing more in this arena.  Times like these call for a return to the fundamentals of working capital finance.  Among these are the five keys to depending on accounts receivable as a repayment source:

  1. Strong initial credit decision
  2. Accurate and timely information
  3. Control of the cash (payments from account debtors)
  4. Sound monitoring practices
  5. Protection against changing circumstances

Improvements in technology have enhanced every one of the five keys.  Account management systems today provide fresh daily information to lenders rather than a dependence on borrowing base certificates or other monthly data.  What’s more, this information is designed to match the accounting system of the borrower, and new verification techniques can help to assure validity.  Systems also reveal trend data regarding the performance of key debtors as well as individual invoices.  As you evaluate your financial institution’s strategy for working capital financing, consider whether you would attempt to develop this capability internally or work in partnership with a third party vendor.  Consider these questions:

  1. Does your organization have a formal credit policy addressing the unique characteristics of working capital lines?
  2. Do you have systems in place that will provide accurate and detailed information regarding your borrower and their account debtors?
  3. How fresh is the information you are using to make decisions on advances under each line?  Is it refreshed daily or is it based on a once-a-month process?
  4. Are you requiring account debtors to remit payments to an ACH account or lockbox that you control – thus reducing the likelihood of evergreen lines and assuring the line becomes a self-liquidating facility?
  5. Does your current system notify your lending staff when circumstances change within the relationship?  Does it incorporate risk triggers and automated alerts thus allowing for an exception management process?
  6. Have you considered the use of credit insurance for larger account debtor exposures?
  7. Have you identified the industry sectors that would be the most likely targets in your market area, as well as those that involve higher risk due to the nature of the sales transaction?
  8. Does your system foster consistency among lenders and lending units in regards to monitoring of your revolving lines?
  9. Last but certainly not least, is your approach to working capital financing profitable?  Does it reward your bank for the service or has it simply become a loss leader for other products and services?

One last factor to consider is the size of your targeted asset based lines.  While many lines in the industry exceed one million dollars, consider a strategy that allows you to attract the younger emerging businesses, typically two to five years old.  Line sizes for this group will most likely be in the $250 - $750k range.  In order to effectively manage this business, you need a system which offers efficiency.  By developing these relationships earlier, though, you diversify risk across the portfolio and you win them earlier in the business life cycle.  These businesses are likely to be longer lasting clients of your institution and enjoy at least six or seven other products, representing a full range of financial services.  As they grow, they become less dependent on working capital financing and more on cash management services.

If working capital financing is not part of your overall market strategy, consider why?  Evaluate its place in your organization as well as the inside or outsourced expertise needed to make it happen.


Tags: small business lending, commercial lending, asset based lending

Same Day, Different Solutions?

Posted on Wed, May 27, 2015 @ 07:30 AM

Author: Kevin Moland

May 19th was a banner day for the payments industry. In case you missed it, a major payments entity announced its plan to speed up electronic transactions by allowing credits to flow through its ubiquitous network at unprecedented speeds. Over the last decade, new technologies and nimble payment startups had been driving major industry players in this direction. The announcement on May 19th could turn out to be a watershed event, one of those defining moments where an industry makes a pivotal shift and moves in a new direction that will define its relevance for years, maybe even decades.

If you think I’m talking about NACHA’s announcement that its voting membership approved the ballot initiative for Same Day ACH, don’t be so sure. That news may ultimately be overshadowed by another announcement made on, well, the “same day.”

To be fair, NACHA’s Same Day ACH announcement will likely turn out to be important. It will cut the time selected ACH payments spend in transit, making it possible to send funds (in Phase I) and debit accounts (in Phase II) with transactions that settle and, more importantly, post to the recipient’s account that same day instead of the next business day. Granted, the rule is limited to domestic U.S. transactions sent by the appropriate cut-off time, which could be as early as noon if you live in the Pacific Time zone. In addition, to help offset the receiving financial institution’s costs, the originating financial institution will have to fork over an additional nickel per transaction, which will likely be passed on (with an appropriate upcharge) to the originator. While the transactions will post the same day, the receiver may not have access to the funds until 5:00 p.m. Eastern Time. But even with those limitations, NACHA’s rule change will definitely make it possible for selected ACH transactions to move more swiftly—assuming the Federal Reserve Bank opts to implement it in its prescribed form. (The Fed has requested input from FIs and other payments entities regarding NACHA’s proposal. The comment period is open until July 2nd.) 

But NACHA’s big news may not have been the most important announcement made on May 19th. MasterCard picked that same day to roll out its new MasterCard Send program. MasterCard Send is the card processor’s new service that allows businesses or consumers to send money to anyone with a debit card in seconds instead of days. MasterCard’s new service will leverage the existing debit network to send credits, and they aren’t the first ones to do so. Square Cash began using the debit card network to send credits in 2013 by labeling their transactions as payment “reversals.” (This practice was initially controversial, since there was no original debit transaction being “reversed.”)

MasterCard’s plan to allow credit transactions to flow down the debit card rails has the potential to make that system a truly ubiquitous, real-time channel through which businesses or consumers can send money to anyone—banked or unbanked—with an appropriate receiving vehicle, including MasterCard or non-MasterCard debit cards, mobile money accounts, bank accounts, or a relationship with a cash agent outlet. MasterCard also plans to allow international payments via Send in the near future.

Did MasterCard intentionally time its announcement to upstage NACHA’s news? Consider these phrases from MasterCard’s press release:

  • “It’s fast! 24/7/365 access to funds anytime vs. several days for checks or ACH transfers to process.”
  • “MasterCard Send is the only personal payments service that can reach virtually all U.S. debit card accounts and enable funds to be sent and received typically within seconds – far superior to existing solutions that either limit transfers within a closed-loop network or involve ACH, which can take several days for funds to be received.”

In any case, MasterCard’s announcement provided an alternative focal point for bankers and payments professionals who happened to be watching the headlines last Tuesday.

The good news for financial institutions is that the majority of recent payments system innovations, including NACHA’s Same Day ACH and MasterCard’s Send, still leverage the existing transaction rails established and operated as part of the traditional banking system. Apple Pay, for instance, uses the debit and credit card networks for its new mobile payments initiative. PayPal settles its P2P transactions through the ACH network. FIS’ PayNet leverages the debit network to move payments in almost real-time. Early Warning is developing a faster payments solution compatible with the ACH and check rails. While the Fed has stated that the creation of a new payments rail is an attractive option, it doesn’t appear likely that the existing rails will be replaced by something entirely new anytime soon. 

Whether you see NACHA’s Same Day ACH initiative or the MasterCard Send announcement as the highlight of the May 19th news cycle, the one certainty you can take from these two stories is that the payments industry will continue to change rapidly. Other players, including The Clearing House, are working on their own initiatives to provide more rapid payment options. The Federal Reserve has called on financial institutions and payment service providers to move towards a faster system, and both NACHA and MasterCard referenced the Fed’s initiative as one of their motivations. As the industry looks for ways to make the payments system faster, you can bet these two announcements won’t be the last news stories about solutions that move money more quickly. 

Is your financial institution factoring faster payments into your future product plans?

Tags: ACH Network, payments

Blind Spots in Banking: Fraud, Branches & the Brains of Gen Y

Posted on Wed, May 20, 2015 @ 08:00 AM

Author: Lee Wetherington

Bankers often fancy themselves “numbers people”.

Interest rates. Balance sheets. Performance metrics. Bankers will calculate a Return on Anything (ROA) and Everything (ROE).

So, if there is a subset of our species who are rational, surely it’s bankers. Right?

Wrong. Bankers are no more rational than the rest of us. In fact, confidence in their own numbers can sometimes blind bankers to probabilities governing areas of uncertainty and to trends shaping alternative futures.

Over the past 40 years, behavioral psychology has documented over 60 cognitive biases that skew our perceptions and impair our judgment. Bankers aren’t immune to cognitive biases, but recognizing the most prevalent biases and their attendant blind spots provides an opportunity to control for them and to make better strategic decisions as a result.

Fear Factor

According to both Gallup and the Pew Research Center, most Americans feel less safe this year than last—a perception that has grown steadily over each of the past 15 years—even though America is safer now than at any time in its past. Violent crime in the U.S. is down 70% since the early 1990s. Homicides are down by 50%. And wars today kill 90% fewer people than in the 1950s.

Most of us don’t maintain a proportionate sense of fear. We are hardwired to overreact to dramatic threats and to ignore others with a less compelling narrative. Preventable harm in hospitals claims between 200,000 and 400,000 American lives each year. And you are 4X more likely to die in a bathtub in the U.S. than at the hands of a terrorist. So which scares you more: hospitals, bathtubs or terrorists?

I recommend you avoid taking baths in hospitals. Just saying.

In banking, most fear centers upon security threats and fraud. Last year’s unprecedented number of data breaches fueled alarm across the industry. But was there more identity theft in 2014? No. According to Javelin Strategy & Research, there was actually less: fewer victims of identity fraud, lower fraud losses, and faster fraud resolution times. The reality is that 2014 was a banner year in the fight against fraud, but you probably won’t hear much about that since fear sells and good news doesn’t.

The real challenge with security is understanding where fraud is growing and where it’s declining, but we often give the past much more weight than the future. This year, EMV chip cards are dominating bankers’ radar while the real story is beyond the point-of-sale (POS) where card-not-present (CNP) fraud is exploding online. By 2018, CNP fraud is expected to grow to 4X that of card-present fraud at the POS.

Missing the bigger picture of CNP fraud, bankers may delay allocating resources to the tokenization, online authentication, and real-time transaction analytics necessary to protect them and their cardholders against what is by all counts a materially bigger threat.

Branches and Historical Bias

The FDIC’s recent report, Brick-and-Mortar Banking Remains Prevalent in an Increasingly Virtual World, has reignited debates surrounding the future of branches. The report looks backward to 1935, cites a fairly steady rise in branch density, and concludes that technology hasn’t significantly impacted branching in the U.S.

This despite a 45% decline in branch transaction activity since 1992. Despite a 68% decline in check usage since 2003. Despite the U.S.’ top 50 banks all reducing their branch networks. And despite the decline in branch density generally since 1989. Despite it all, the FDIC report leaves bankers thinking the status quo of branching hasn’t changed and therefore won’t change anytime soon.

Classic. Historical. Bias. As Brett King correctly points out, the problem with the FDIC’s report is that it focuses upon lagging rather than leading indicators of branch health in the U.S. Crucially, it doesn’t measure or track the “average number of visits to a branch per customer per year.” If it did, it might discover—as 4 of the U.S.’ largest banks have reported—that that number of visits per customer has plummeted to 1-2 per year—from approximately 24 visits per year twenty years ago.

Past results do not guarantee future performance. This is a well-worn admonition against historical bias, i.e., our tendency to assume that the past is a sufficient predictor of the future. But clarity on the future of branches is made especially difficult given we are at a tipping point. For the first time in the history of banking, digital channels reached parity with the physical branch in 2014—half of applicants opening new checking accounts did so online, or via smartphone or tablet.

And here’s the kicker: while half of consumers opened new checking accounts through digital channels last year, 70% plan to do so this year, according to Javelin.

Adjusting for historical bias requires deeper insights into present trends and better extrapolations into future developments.

Brain Bias

Our brains are the very last organ of the body to mature, and that process doesn’t end until a person reaches his/her mid-twenties or early thirties.

Several females I know insist this process never actually ends in males.

Gender politics aside, neuroscience research has established that the brain matures from the back to the front—which means that throughout childhood, adolescence, and young adulthood, the executive function of the pre-frontal cortex (front of the brain) isn’t mature enough, i.e., isn’t processing fast enough, to keep the impulses of the amygdala (back of the brain) in check. The amygdala, incidentally, drives appetites for food, fire, physical affection, and shiny things.

This has big implications for financial services. In recent years, several innovators in mobile Personal Financial Management (PFM) apps have incorporated real-time feedback loops to help Gen Y and others control spending impulses and save more. The idea is that if you show someone in real time that he doesn’t have enough money to buy the thing he wants, he won’t buy it.

But there’s a problem. Providing real-time feedback isn’t effective when provided to people whose pre-frontal cortexes can’t process that feedback quickly enough to stop the amygdala’s impulse to buy.

So, what can bankers do to help? Automate. That is, help Gen Y automate savings and investments in the background by moving small amounts from checking to savings/investment accounts when cash flow is positive and upcoming bill obligations are not threatened. Digit and Acorns are two notable innovators on this front.

Last week, Moven, a third-party debit card and mobile PFM solution, unveiled an “impulse savings” feature that proactively presents a one-tap savings opportunity whenever the consumer is comfortably under budget (and flush with funds) throughout the month.

Return on Bias (ROB)

Whether it’s allocating resources in the fight against fraud, transforming branches, or serving Gen Y, bankers would do well to verse themselves in the biases that distort perceptions and impair judgment—both in themselves and their clientele.

And whatever you do, stay away from hospital bathtubs.

Tags: cybersecurity, millennials, branch network

Incident Response Plans & Vendor Mgmt: Lost in the Cybersecurity Mix

Posted on Wed, May 13, 2015 @ 08:00 AM

Author: Jenny Roland-Vlach

If you find yourself in need of a stark reminder on how quickly time passes by, consider this: May marks one year since the FFIEC officially announced their focus on cybersecurity for financial institutions. Even though official guidance is still pending, the FFIEC has been using the past year to continue underscoring the importance of cybersecurity. In addition to periodic updates being provided by the FFIEC, there have been a multitude of articles on the topic of cybersecurity. While there has been an emphasis on areas such as C-Suite training and information sharing, I have noticed two items in particular that seem to be getting lost in the mix of cybersecurity discussions. Those items are Incident Response Plans (including testing plans) and critical vendor management. Let’s look at Incident Response Plans first.

Every financial institution has an Incident Response Plan in place, but what varies is how detailed the plan is and its efficacy. In order to properly respond, FIs first need to have a plan in place that can actually be followed. A high level, one to two page plan is not going to suffice. If this sounds similar to your own plan, pay close attention to the following.

  • Detail how you plan to respond in certain scenarios that can be classified by severity levels (from virtually no impact on your FI to immediate and severe consequences) and make sure that cyberattacks are included in the list of potential scenarios.
  • Your plan should also clearly indicate the members of your Incident Response Plan team and what their responsibilities are during an incident. Ensure that team members understand these responsibilities.

In November 2014, the FFIEC released two documents, one of which was the Cybersecurity Assessment General Observations (read our recent blog). This document highlights essential questions that FIs and their Board of Directors need to consider. For Incident Response Plans, the FFIEC has stressed the importance of knowing how to respond internally and with customers, vendors, regulators, and law enforcement. Procedures for these items should also be addressed within your own plan.

Another critical component related to Incident Response Plans is testing. FIs not testing their plans certainly is not a new concern; in fact, this has been an ongoing issue. If your FI has never tested your plan, or it has been a significant amount of time since it was last tested, now is the time to make testing part of your routine.

  • Incident Response Plans should be tested at least annually and remember, testing is your opportunity to find out if your plan can actually be followed properly during an incident.
  • Table top test scenarios can be elaborate or as simple as you would like, but a cyberattack scenario is certainly recommended.

If your FI experiences a cyberattack, knowing that your plan is well developed and has been tested will go a long way in making the response process easier.

Vendor management of critical vendors is the other topic that seems to be getting lost in the cybersecurity discussion. It would be a mistake to not consider how vendor management impacts cybersecurity. The cybersecurity controls that your critical vendors put into place and how well they manage those controls will inevitably impact your FI. If your vendors lack sufficient controls, a breach at one of their locations could put your corporate and customer non-public information at risk. This is why the FFIEC stressed appropriate vendor management in the Cybersecurity Assessment General Observations document. Specifically, they highlight the importance of considering the risks of vendors’ connections to your systems and evaluating the controls that they have in place on their end.

In early February of this year, the FFIEC released Appendix J: Strengthening the Resilience of Outsourced Technology Services. Initially, it appears that this new guidance is focused entirely on Business Continuity Planning; however, it is full of valuable vendor management information. The guidance focuses on a number of items for your FI to consider and how they are essential to critical vendors’ (and ultimately your FI’s) cyber resilience. These items include:

  • Evaluation and selection of vendors;
  • Initial and ongoing due diligence;
  • Contracts;
  • Management of multiple vendors;
  • Contingency planning; and
  • Cyber resiliency efforts.

If you have not done so already, I would encourage you to review Appendix J and evaluate how to update your own Vendor Management Program. By having and maintaining an effective Vendor Management Program, your FI will find itself in a better position to address cybersecurity on all fronts. The Superintendent of Financial Services for the State of New York, Benjamin Lawsky, summed up this idea quite well with his recent statement in a Press Release, “A bank’s cybersecurity is often only as good as the cybersecurity of its vendors.”

As your financial institution is working to establish a strategic plan for addressing cybersecurity, it is important to remember all the components that make for an effective plan. Incident Response Plans and vendor management are easily overlooked when tackling a topic such as cybersecurity, but both will greatly impact your efforts. Devoting the necessary time to updating your Incident Response Plan (and ensuring it is tested) and to appropriately managing critical vendors will strengthen your own cybersecurity controls and make you better prepared to prevent and respond to any potential cyberattacks. While these two elements may not be at the forefront of the discussion on cybersecurity, Incident Response Plans and Vendor Management Programs will prove to be just as crucial at the end of the day.

Tags: Information Security & Risk Management, cybersecurity, Incident Response Plan

Jack Henry & Associates to Deliver Best-in-Class Solution to Mobilize Bank Branches with Surface Pro 3

Posted on Mon, May 11, 2015 @ 03:08 PM

Back in November, Jack Henry & Associates and Microsoft announced the introduction of the innovative new Branch Anywhere application for Microsoft Windows and Surface Pro 3.  The Branch Anywhere app allows banks to centrally manage all aspects of customer info and allows bank employees to become mobile branch managers who can better meet their clients by safely and securely accessing important customer and account information from any location.  Surface Pro 3 enhances the Branch Anywhere experience by providing employees with a lightweight tablet when they are mobile and a powerful laptop/desktop when they’re at their desk.

The response by financial institutions to the launch of Branch Anywhere has been extremely positive.  Banks like First Florida Integrity Bank and IBERIABANK are already using the new Branch Anywhere app on Surface Pro 3 to give their branch employees the ability to be more productive in more locations by seeing account and activity information quickly and easily. From an IT perspective, Surface easily fits into a bank’s existing processes for supporting computer hardware–saving them considerable time and money.



By providing core processing services for more than 11,300 financial institutions, Jack Henry & Associates continues to be a stalwart software provider for financial services.  Jack Henry & Associates provides more than 300 products and services that enable its customers to process financial transactions, automate their businesses, and succeed in an increasingly competitive marketplace.

Surface has also seen considerable success in the financial services industry, as banks that are looking to transform their branches or provide greater mobility to their employees have gravitated to Surface as their single device solution--leading to savings in device costs and IT management.  More importantly, customers are amazed to learn how much they can do with this lightweight device—whether running all of their desktop apps, administering their security and device management protocols, or using Surface as a full desktop workstation powering multiple monitors, full size keyboard & mouse.  

Today’s banks are faced with increasing pressure to differentiate themselves and provide more engaging customer options than their competition.  To achieve this, they require tools that meet these new demands and provide them with unprecedented levels of flexibility and mobility—yet in a powerful and secure manner.  The combination of Jack Henry & Associates’ best-in-class banking software and award-winning Surface mobile hardware help to deliver on that promise.

Now even more value for banks with Surface and Jack Henry & Associates

We are happy today to announce steps between our two organizations that will help us continue to enhance the solution we’re offering for banks looking to mobilize their employees. In an effort to better serve our joint customers in the financial services sector, we’re working closely to make a best-in-class combination of software and hardware available for the financial services market.

“With the recent launch of Jack Henry & Associates’ new Branch Anywhere application, there’s a natural fit with Surface to jointly help customers in the new world of branch transformation,” says Cyril Belikoff, Senior Director—Microsoft Surface.  “Because of its combination of mobility and power, Surface has seen great success with banks that are looking to transform their branches or provide greater mobility to their employees. Customers—many of whom had previously been forced to deploy both iPads and laptops to their users—can achieve everything with a single Surface device. With the recent announcement of the new Surface 3, these financial institutions now have multiple options with Surface to meet the different needs of their varied employees. We believe that our work with JHA truly helps to offer a ‘best of breed’ combination of software and hardware that financial institutions can build around.”

Mark Forbis, chief technology officer at Jack Henry & Associates, said, “This partnership is a pivotal step in helping our customers build the branch of the future, and Branch Anywhere is the perfect tool for that transition. As banks look for ways to transform the branch experience, Surface tablets enable a single device approach that saves banks time and costs as they do not have to deploy and manage separate hardware – one device acts as a full desktop workstation or a secure mobile tool. We are confident that the power and flexibility provided by Surface Pro 3 is a strong fit for the financial services industry.”

Jack Henry & Associates has successfully piloted Surface Pro 3 within its organization and has selected Surface as one of the preferred devices for all Jack Henry employees.  Surface Pro 3’s combination of light weight, high performance, and long battery life in a single package will provide Jack Henry & Associates employees with greater mobility and flexibility in their day-to-day activity.    

In addition, the two organizations have partnered with CDW to implement a purchase portal specifically for Jack Henry customers.  Through this program, Jack Henry customers will now have access to a unique online destination through which they will be able to easily acquire Surface devices together with Jack Henry & Associates’ software with special discounts. 

Ben Weiss, Director of Financial Services Sales with CDW, said, “We see great value for the market resulting from our effort to work closely with Jack Henry & Associates and Microsoft. The customer solution the two organizations can now offer will no doubt enhance the experience of financial services customers. CDW is excited to contribute to this offering by delivering custom solutions to fit each customer’s particular needs.” 


Tags: customer experience, branch banking, branch channel

Branch Banking from Anywhere

Posted on Wed, May 06, 2015 @ 09:00 AM

Author: Richie Dodgen

We are an extremely mobile society. Most of us own multiple mobile devices: phones, tablets, and wearables; and as customers, we are accustomed to interacting with retail businesses via a mobile device. Traditional forms of banking technology and delivery channels don’t completely satisfy this customer preference, but the good news is that changes in the banking industry and bankers’ eagerness to adopt new technology are beginning to bring about a new and exciting era. 

With compliance now a large cost of doing business and continued regulatory pressure on fee income, efficiently run delivery channels are a necessity. The physical branch is the most costly of the channels, and foot traffic continues to decline. As most banks are beginning to see a shift in new customer and account acquisition through electronic channels, an efficiently run branch is more important than ever. The average branch is 25 years old and was laid out for a different era – directing customers to many areas of the branch for a specialized need. Now, many banks have begun to focus on the customer experience as a competitive advantage. With the introduction of pods and the universal banker, the customer can have a single interaction with a cross-trained banker who can address a wide range of needs.

Banks like First Florida Integrity Bank and IBERIABANK are already using new branch transformation apps with transforming tablet devices like the Microsoft Surface Pro 3 to give their branch employees the ability to be more productive in more locations by seeing account and activity information quickly and easily.

The newest evolution of branch transformations has certainly aided the industry in beginning to resemble the rest of the retail world by focusing on a much more modern and sophisticated atmosphere. We are starting to see high top tables or couches instead of big wooden desks. Coffee bars and a much more casual layout that resembles a Starbucks or Apple store are becoming more common. Not only is this more familiar to millennials, but it allows for a much smaller footprint.

A critical component in these branch transformations is the use of technology and mobile devices to complement this effort. The use of tablets allows for a more comfortable and collaborative interaction with customers that provides a new perception of banking. Not having to go and sit down for a lengthy session is far less intimidating, and having the right tools that work seamlessly with the rest of the bank’s systems enables these interactions to be efficient. Many banks that are looking to transform their branches or provide greater mobility to their employees have gravitated to Microsoft. This interest and adoption in the financial services industry is being driven by the convenience and safety of using an already deployed Microsoft Office Suite of products coupled with the security that the Microsoft products offer.

Providing the right mobile tools not only assists with modern branch transformations, but it frees the banker up to leave physical locations. They can now take their systems with them in a manner that is meant to be mobile – a true mobile app, not one that is merely connected remotely to an in-bank system. It allows them to go to customers’ and prospects’ places of business to meet with them for a more productive lunch. They can also service customers at community events, or even provide for worker-on-the-go tools by having the in-bank app on their phones.

What would effective branch transformation look like at your financial institution? Fewer branches? Smaller or redesigned branches? Increased mobilization? Leave a comment and let us know!

Jack Henry clients will have access to a new Surface purchase program through CDW, which provides banks a unique online portal through which they can purchase Surface tablets and Jack Henry & Associates’ Branch Anywhere software together with special discounts.



Tags: customer experience, branch banking, branch channel
