
Maintaining Net Interest Margin in a Rising Interest Rate Environment

Posted on Wed, Sep 02, 2015 @ 08:00 AM

Author: Brad Dahlman, BDahlman@profitstars.com

We all know it will happen; the real question is when. As the Federal Reserve monitors unemployment, inflation, and global markets closely, it is widely expected that the federal-funds rate will be increased in the last quarter of 2015. It has been almost ten years since the Fed raised rates! The Fed dropped rates from 2006 to 2008 and has held them steady ever since. An increase in the federal-funds rate would signal a dramatic change and should cause all financial institutions to consider the impact of a rising rate environment on their portfolio. This will likely cause clients to reassess their products, services, and rates with their existing FI.

Now is the time to:

  1. Quantify the impact of rising rates on your earnings – through the use of an Asset Liability Management (ALM) tool or service.
  2. Devise customer facing strategies to protect profitable clients and provide pricing guidance.

Today I’ll focus on the customer facing strategies.

Background - As rates rise, we will feel pressure to pay higher rates to depositors and seek to gain higher rates from loan clients. Our existing portfolio of fixed rate instruments (fixed rate loans, CDs and variable rate loans with “in the money” floors) will not immediately change. These rising rates will likely cause an FI’s interest expense to rise more quickly than its interest income, thereby causing some margin compression. Since margin has historically represented 60-65% of an FI’s revenue, this margin compression should be of paramount concern. (See below)

REVENUE SOURCES

[Chart: Revenue Sources]

Source: FDIC

Looking at margin trends, this return toward more normal loan-to-deposit spreads shouldn’t be a surprise.

In 2007, our loan to deposit spread was 265bp (7.07% - 4.42%). It then grew dramatically during the financial downturn as deposits moved to FIs and the Fed pushed rates lower. The result was a healthy loan to deposit margin of 420 – 480bp from 2009 to 2015. This additional 200bp of spread for the banking industry has been worth over $300 million in additional margin annually, but it is likely to decline as rates rise.

DEPOSIT TO LOAN SPREADS

[Chart: Deposit to Loan Spreads]

Source: FDIC


As we see rising interest rates, the key client facing questions become:

  1. How do we “protect” our most profitable relationships?
  2. How do we price transactions competitively and aggressively to win profitable business?

How do we “protect” our most profitable relationships?

To protect these relationships the first thing we must do is understand who these clients are.  In most FIs, we see that the profitable relationships are concentrated in the top 20% of clients.   As illustrated below, the top 10% of clients deliver an average profit of $4,623!  These “protect” clients tend to have larger balances, pay higher fees, and have higher spreads than other clients. 

We must identify these clients and build strategies to make sure they never leave.  I previously published a blog titled “Key Client Identification and Retention”, which includes several tactics around protecting these clients including:

  • Segment these clients into various profit tiers (or ranks)
  • Build a series of “benefits” associated with each rank
  • Feed these ranks into your core and CRM solutions
  • Train your employees on how to extend these benefits to key clients

[Chart: Profit Concentration by Client Decile]

How do we price transactions competitively and aggressively to win profitable business?

When pricing new business we must focus on the proposed transaction and ensure that we are competitive enough to win the business while also maintaining an adequate return. 

Competition is tight, but we must avoid “blindly matching our competitors” on every transaction. This would create a “race to the bottom,” with the clients benefitting at the FI’s cost.

We must establish targeted returns and provide the lenders tools and education to effectively compete.  A lender must have a tool that allows them to quickly enter in parameters of the transaction and generate various alternative scenarios with comparable returns.

FIs that offer their clients options win more business. Clients like choices: fixed, variable, adjustable, lower rates/higher fees, floors, etc. The options put the client in the driver’s seat but also ensure the FI’s returns are adequate.

Pricing is very complex with balance, credit risk, terms, floors/ceilings, and compensating balance all playing a factor into how a transaction should be priced. 

Conclusion: With rates rising and risk of margin compression squarely in front of us, we must make sure our front-line staff have the tools necessary to identify and protect profitable relationships and effectively price new transactions.

Webinar Recording Download: How to Improve Your Net Interest Margin

Tags: Profitability Management

How We Build Products to Improve User Experience

Posted on Wed, Aug 26, 2015 @ 08:00 AM

Author: Derik Sutton, DSutton@ProfitStars.com

As financial services become more reliant on the technology we leverage to better serve our clients, it would benefit us to view our own product processes through a modern lens. I believe these principles are not only applicable to building software applications and services, but can also be applied to a financial institution (FI) building a new account type or updating its customer service as it relates to digital customers. Read my recent blog post to learn more about UX/UI best practices.

We created a manifesto as a starting point to the team framework.  It is the central point we can reference to make sure we are all on the same page.  The manifesto starts with this statement:

We collaborate alongside engineering, sales, marketing, and operations to consistently design and inspire new and existing products.  We embrace creativity, resourcefulness, and valuing others before ourselves. We live the JHA company philosophy - Do the Right Thing, Do Whatever It Takes, and Have Fun.  

We used the corporate philosophy to guide our framework to ensure that how we worked aligned with the entire organization.  I’ve summarized our primary goals within each corporate principle: 

The Right Thing

  • Deliver an exceptional user experience
  • Provide opportunities of monetization for our customers
  • Elevate the JHA brand

Whatever It Takes

  • Market analysis
  • Product design
  • Technical product discovery
  • Prioritization
  • Documentation
  • Creative collateral
  • Ongoing iteration

Having Fun

  • Build products we want to use ourselves
  • Embrace challenges, reject the mundane
  • Always look for ways to be better
  • Collaborate with our team members
  • Find opportunities to promote others

Once we had our manifesto started (because it is never complete), we then started our “How We Work” document.  “How We Work” is cultural.  We value transparency, constant iteration of our tools and processes, and operating under the trust principle.  Our “How We Work” documents are available to all team members.  Any topic is up for discussion in a weekly meeting that brings our entire team together through video conferencing. 

Our product group works as follows:   

Market Analysis

  • Market research - building competitive analysis, creating white paper summaries, completing heuristic evaluations of existing solutions.
  • Rapid prototyping - low fidelity mockups that give customers something to interact with so they can better articulate their thoughts, emotions and pain points with our concepts.
  • Customer validation - taking initial concepts to FIs and their users to determine market value.

Product Design

  • End user validation - take higher fidelity design (wireframes or prototype) to end users to determine if the product improves their life by solving a problem.
  • Usability testing - evaluate our interaction design by giving tasks to end users and testing our product’s capacity to meet the intended purpose.
  • Iterate - take feedback from usability testing, improve the product and repeat until the product meets MVP status.

Technical Discovery

  • Discovery Team - collaborate to onboard engineering to the problem we’re trying to solve and the solution we’d like to bring to market.
  • Documentation - provide discovery team with documentation so they can start building.

Prioritization

  • Collaborative - determine the priority of new features and/or products.
  • Customer documentation - work alongside the internal documentation team to ensure we launch with complete documentation for our FIs and their end users.

Creative Collateral and Content

  • Empower stakeholders - create all necessary collateral and content in order to empower stakeholders to become knowledgeable about our products and services.

Iterate

  • Always improving - whether we ship a new feature, a new piece of content, or an entirely new product, we never settle - we continually look for new problems to solve and we thrive on improving people’s lives. 

The intent of the process is to make sure the product team is doing its part to maximize the impact the product can have on our clients and their end users.  If our process fails or is broken, there is a direct impact on our clients, their end users, and the teams we collaborate with. 

We are at our best when we ship products that equally balance the needs of our stakeholders:  

  • End users
  • Financial institutions
  • Product platform
  • JHA organization

Learn More: How to Offer Your Customers a Consistent User Experience

Tags: customer experience

Lockbox Business Continuity – Disaster Planning

Posted on Wed, Aug 19, 2015 @ 08:00 AM

Author: Robert Hudecek, RHudecek@profitstars.com

Stability remains one of the leading challenges for IT departments, especially when supporting ancillary yet mission-critical applications for financial institutions, such as lockbox item processing. Server positioning for installed products remains in a constant virtual tug-of-war between business needs, audit requirements, and product constraints. As IT works diligently on the delicate balance between security and usability, management can often feel disconnected from the disaster preparedness of the business units within their institution.

Choosing a philosophy for a disaster recovery (DR) plan provides a much-needed framework for the tasks required in recovery. Two of the more common philosophies are Active / Active and Active / Passive.

A. Production License / DR License (Active / Active)

This scenario typically requires the purchase and installation of two sets of application licenses with identical server sets. Both license sets are active at all times. In the event of a disaster, production simply moves from the primary to the DR environment and picks up where it left off.

Application installation teams will typically assist the financial institution's IT on setup of the server sets (which should reside in different locations). Replication of information between the server sets will need to include customer related or change information including databases, metadata, configuration files, and images (as applicable).

  • Pro – DR environment is always active
  • Con – Expense of multiple application licenses. 

B. Production License / DR Replication (Active / Passive)

This scenario typically requires the purchase and installation of only one license set but two identical server sets. In the event of a disaster, application support typically activates the production licenses on the DR server set.

Application installation teams will typically assist the financial institution's IT on the setup of the servers (which should reside in different locations). Replication of information between the server sets will need to include customer related or change information including databases, metadata, configuration files, and images (as applicable). 

  • Pro – Lower license expense
  • Con – Timing required to spin up DR production environment

Testing License (Active)

Though not directly part of an official disaster avoidance plan, lockbox testing environments can be employed as part of DR as a last resort. Testing environments can require the purchase and installation of a limited but active license. These environments can be employed for version testing, project changes, and even DR testing. 

Learn more about business continuity planning by reading our step-by-step guide. 

Regardless of which philosophy (or combination of philosophies) is chosen, a plan is never considered complete unless you use it. As a result, it is much better to perform a controlled switch-over test than to wait for a disaster to be your first run-through.
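Before a controlled switch-over test, the first thing to verify is that the artifacts listed above (databases, metadata, configuration files, images) are actually identical on both server sets. The script below is an added example, not ProfitStars code: it assumes each server set can emit a manifest of `{relative_path: (sha256_hex, mtime_epoch)}` and classifies every artifact as in sync, pending, stale, diverged, missing or orphaned. The `PRIMARY` and `DR` manifests are constructed sample data; `build_manifest()` shows how a real one would be produced on each host.

```python
"""Replication readiness check for a lockbox DR server pair.

Added example, not ProfitStars code. It assumes each server set can produce a
manifest of the artifacts the post says must replicate (databases, metadata,
configuration files, images) as {relative_path: (sha256_hex, mtime_epoch)}.
PRIMARY and DR below are constructed sample manifests; build_manifest() shows
how a real one would be generated on each host.
"""
import hashlib
import os


def digest(data: bytes) -> str:
    """SHA-256 hex digest of an artifact's bytes, the identity used for comparison."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: str) -> dict:
    """Walk a server set's artifact tree and hash every file (run on each host)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = (digest(fh.read()), int(os.path.getmtime(full)))
    return manifest


def compare_manifests(primary: dict, dr: dict, max_lag_seconds: int = 900) -> dict:
    """Classify each artifact by replication state.

    in_sync        identical content on both sets
    pending        primary changed within max_lag_seconds; replication may still be in flight
    stale          primary changed longer ago than max_lag_seconds and DR never caught up
    diverged       the DR copy is newer than the primary (someone wrote to the passive set)
    missing_on_dr  present on primary only
    orphaned_on_dr present on DR only
    """
    report = {k: [] for k in ("in_sync", "pending", "stale", "diverged", "missing_on_dr", "orphaned_on_dr")}
    for path, (p_hash, p_mtime) in primary.items():
        if path not in dr:
            report["missing_on_dr"].append(path)
            continue
        d_hash, d_mtime = dr[path]
        if p_hash == d_hash:
            report["in_sync"].append(path)
        elif d_mtime > p_mtime:
            report["diverged"].append(path)
        elif p_mtime - d_mtime <= max_lag_seconds:
            report["pending"].append(path)
        else:
            report["stale"].append(path)
    report["orphaned_on_dr"] = [p for p in dr if p not in primary]
    return report


def switchover_ready(report: dict) -> bool:
    """True only when every primary artifact is in sync; orphans are a warning, not a blocker."""
    return not any(report[k] for k in ("pending", "stale", "diverged", "missing_on_dr"))


# Constructed sample manifests (not real lockbox data). NOW is a fixed epoch so the run is deterministic.
NOW = 1_440_000_000
PRIMARY = {
    "db/lockbox.mdf": (digest(b"db-v7"), NOW - 60),
    "meta/batch_2015_08_19.xml": (digest(b"batch-meta"), NOW - 3600),
    "config/app.ini": (digest(b"ini-v2"), NOW - 86400),
    "images/item_0001.tif": (digest(b"tif-1"), NOW - 7200),
    "images/item_0002.tif": (digest(b"tif-2"), NOW - 120),
    "images/item_0003.tif": (digest(b"tif-3"), NOW - 30),
}
DR = {
    "db/lockbox.mdf": (digest(b"db-v7"), NOW - 60),                    # in sync
    "meta/batch_2015_08_19.xml": (digest(b"batch-meta"), NOW - 3600),  # in sync
    "config/app.ini": (digest(b"ini-v1"), NOW - 864000),               # stale: DR copy is ten days old
    "images/item_0001.tif": (digest(b"tif-1-edited"), NOW - 10),       # diverged: edited on the DR set
    "images/item_0003.tif": (digest(b"tif-3-old"), NOW - 200),         # pending: primary changed 30 s ago
    "images/item_9999.tif": (digest(b"orphan"), NOW - 50),             # orphaned: exists only on DR
    # images/item_0002.tif never reached DR -> missing_on_dr
}

if __name__ == "__main__":
    result = compare_manifests(PRIMARY, DR)
    for state, paths in result.items():
        print(f"{state:15s} {paths}")
    print("switch-over test can proceed:", switchover_ready(result))
```

The "diverged" class matters most in an Active / Passive setup: a file that is newer on the passive set means something wrote to it outside the replication path, and activating the licenses there would silently overwrite production state. Treat any non-empty `stale`, `diverged` or `missing_on_dr` list as a blocker for the test, and `pending` as a measure of how much data the switch-over would lose.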


Tags: lockbox services, business continuity

Making the Case for Bill Pay

Posted on Wed, Aug 12, 2015 @ 08:00 AM

Author: Danny Payne, DanPayne@jackhenry.com

Before you say anything, I couldn’t think of a better title.  The real irony is I have worked in the bill pay world for over 12 years and have seen plenty of growth, change, and true evolution.  The better part of my professional career has been spent advising, managing, partnering, or selling bill pay.  So why, after 12 years, do I need to make the case for it?  The answer is simple … more than 10 times a week I am told bill pay is a commodity and old news.  Not to mention, last year Gonzo Banker wrote an article titled, “Is bill pay dead and gone in 5 years?” Now let’s be realistic, dead and gone?  Are the billions of bills that go out to consumers and businesses going to stop?  Are we going to immediately have all our bills automatically withdraw from our account as soon as they are due?  This is where the true dilemma comes in for “killing” bill pay.  The Gonzo Banker article is only looking at one fraction of bill pay (that is currently responsible for almost 50% of the payments made every month).  There is a whole other world of bill pay out there and it is not dying, it is growing by the day. 

So making the case for bill pay starts with the definition.  I am going to define bill pay as “moving money from a personal or company account to another person or company”.  Therefore, you could pay a person, a bill, a traffic ticket, or your baby sitter and it is all bill pay.  Now that we have it defined, let’s defend its use and the importance of it in the financial technology world. 

  • Making the case for - Online Bank Bill Pay – Not dead, not dying, and according to our numbers, not even shrinking. I won’t bore you with the details, but more and more people are paying through their online banking account. The average user is paying more bills and the average financial institution has more users. I attribute that to the better look and feel and ease of use of most bill pay products. Any updated product is going to have features that make it easier to add a new biller and easier to click through and make a payment. Both consumers and businesses are offered unique bill pay options through banks, which gives the FI a way to service its entire group of customers. The integration of eBills and paper shut-off makes online bank bill pay a “one stop shop” for paying your bills. The addition of P2P gives you the ability to pay the billers that don’t exactly invoice you each month, as well as your friends and family. Lastly, while bill pay is a cost center for the financial institution, it is also a sticky product that drives customer loyalty. Ask yourself if you are interested in moving all the bills you pay at your bank to a brand new bank down the road because checks cost less or they have more ATMs. I know it makes it incredibly hard for me to think about closing or moving an account when I am paying more than 12 bills a month through my account.
  • Making the case for – Biller Direct Payments – Growing, evolving, and important to billers large and small. The use of bill pay at the biller level reaches from your largest utility companies to your smallest utility cooperatives. It doesn’t stop there: if you bill for legal needs or garbage pickup, you are now looking at options to receive your money faster than a check and more efficiently. Better yet, there are companies ready to give you both without the massive volume. Let’s not forget why consumers love biller direct. They love immediate gratification. The truth is, more people pay direct to the biller because they pay right at or around their due date. ACI Universal Payment reported that 62% of consumers demand “light speed” for bill payment services. The additional ability to use credit and debit cards gives the biller the ability to post a payment in real time and update balances and amount due. Your ability to take care of a late payment with credit can help you dodge collection for another month. Biller direct is in a war with the previously mentioned online bank bill pay for the loyalty of consumers. But the truth is, they are not fit for the same type of customer every month. There is, however, a unique opportunity for financial institutions to get into the market, as billers are looking for this technology from their bank or credit union.
  • Making the case for – Alternative methods of Bill Pay – This is the section where growth and evolution are happening. The ability to pay is everywhere, but the ability to move money is also everywhere. Many of these options include a social media aspect. It is hard to ignore companies like Google, Amazon, and Facebook offering pay options, along with PayPal acquiring companies like Braintree/Venmo. The world is filled with small businesses and billers who are more than willing to accept a payment method that doesn’t involve checks or the need to pay merchant fees to accept a card payment. Funding from account to account is making it easier for people to move money. While I acknowledge these types of payments chip away at traditional electronic bill pay methods, they are also focusing on a different demographic. If these larger companies want to focus the time and money on payments, they could be disruptors in the payments world.

Being a part of a payments company that services both billers and financial institutions, it is an exciting time in this industry.  Bill pay is only part of the entire “payments” world that includes ACH, card processing, RDC, and more.  Financial institutions have the chance to be at the forefront of payments in so many ways by partnering up with the right companies to offer bill pay as a way to gain and retain customers, build revenue and service business customers, and be the service provider for their customers that companies like Google and Amazon can never be.  Much like we strive to be the trusted advisor to our FI customers, financial institutions need to work to be that same for their customers, or other technology providers will.  Learn more by reading these tips on how to grow your online bill pay.

So there you have it, my personal case for why bill pay is relevant, is growing (not dying), and why it is still a very exciting and ever changing industry.  Who knows who or what will be next, or how we will be offering new ways to move money from one person or company to another; but here’s hoping I will be here to see it!

7 Key Attributes to Look for in a Bill Pay Provider

Tags: online bill pay, payments

Commercial & Industrial Loans: the stuff dreams are made of

Posted on Wed, Aug 05, 2015 @ 08:00 AM

Author: Clarke Farmer, CFarmer@ProfitStars.com

Yep, that title sounded a little cheesy when I read it too.  Humor me for a minute, and read on.

I met with a small business owner this week and we talked about what he wants to accomplish in the next six months. The business is in industrial coating and injection molding.

Although he has a nice building, we did not talk about his commercial mortgage.   Rather, he discussed updating some old equipment and adding a new machine.  He talked about welcoming back old customers that had left his high quality for lower prices.  Finally, his near-term plan is to use excess cash reserves to negotiate better pricing with suppliers.  All of this will be possible with a bundle of C&I loans from a local banker in the total amount of approximately $375,000.  His “new” lender agrees.  It won’t be long before he has the real estate loan too.

So, how could I link this common experience to something as dramatic as a business owner’s dreams?  Two ways: 

First, anyone who has ever been responsible for supporting a dozen or so reliable employees and their families knows the stress related to keeping the small business afloat.  Consider the number of people adversely affected if he/she makes a few bad business decisions.  Not to mention the many challenges that are beyond their control. Therefore, having reliable equipment, adequate working capital and strong supplier relationships are critical components to running a sound business.   As a result, the business owner will actually sleep better at night … and a good night’s sleep is often accompanied by a few good dreams.

Second, I have met with enough small business owners to point out that many of them will actually refer to their business very emotionally as the manifestation of a dream or vision.  Nearly every banker I have ever met has one good story about a fantastic business that they helped along the way.  And the owners of that business will be that banker’s customer for life.

With all of these “dreamy” benefits to C&I lending, it’s no wonder that so many banks are ramping up to grow these portfolios.

Consider these statistics from the FDIC.gov Q1 2015 call reports:

  • Total net charge offs to loans – 0.11%
  • Total net charge offs to loans (C&I only) – 0.16% (0.05% difference in relation to all loan types)
  • Non-current loans to loans (FIs over $1b assets) – 1.87%
    • Non-current loans to loans (C&I only) – 0.49%
  • Non-current loans to loans (FIs $100m - $1b assets) – 1.28%
    • Non-current loans to loans (C&I only) – 1.27%

The data shows that the C&I lending business is a risk vs. reward dream come true. The spreads are considerably higher than commercial real estate loans, while the loss ratios are trending toward identical or even better in the larger institutions.

In addition to the data, a C&I relationship brings advantages in terms of knowing the customer.  Lenders that have the equipment and/or working capital have their finger on the pulse of the borrower.  Monitoring these relationships affords a far more intimate knowledge of the current performance and future needs of the client.

Does your institution want to compete for commercial loan relationships without increasing portfolio risk?  Dream on …


Learn More at Our Commercial Lending Center

Tags: commercial lending

Biometric Technology on the Rise for Authentication and Payments

Posted on Wed, Jul 29, 2015 @ 08:00 AM

Author: Penny Webb, PWebb@profitstars.com

There has been a lot of talk (and some actual movement) in the financial service industry around the increased use of biometrics. The use of biometrics as a layer of security has long been an option for authentication efforts initiated from a personal computer, but there was lackluster acceptance in most segments of the payments industry. Thanks to rapid expansion in the mobile space, however, expanded use of biometric security is now one of the fastest growing means of authentication, while reliance on traditional passwords as a primary source of identification is becoming obsolete.

Apple’s incorporation of a fingerprint scanner in its latest smartphone models is one primary factor in bringing biometrics to the forefront for mobile and alternative payment security. The iPhone fingerprint sensor is clearly a front runner and the most widely recognized biometric security feature in use today. Many companies have jumped on Apple’s Touch ID bandwagon as a means of handling payment authentication.

Not all smartphones have a fingerprint scanning device, but they all have a camera and voice recorder. Enter the selfie as a biometric screening option. While talk of facial pattern recognition as a means of authentication started in earnest in 2013, institutions such as USAA, MasterCard and Barclays are a few of the companies leading the charge by including it in product releases in 2015. This year, USAA will offer its customers face recognition and voice recognition as authentication options. MasterCard and Barclays have face recognition pilot programs underway with the expectation of deployment later in the year.

How face recognition and voice recognition work

The facial recognition feature uses the smartphone or PC’s camera to view the customer’s face. It also requires the user to blink on demand in order to verify that what it’s seeing is an actual person rather than a photo. The phone or PC captures a photo to complete the payment authentication.

In the case of voice recognition, the institution securely stores a recording of a customer’s voiceprint. When initiating a payment, the user is required to read a randomly generated phrase on cue in order to verify their speech patterns by comparing it against the stored patterns.

Although some institutions’ solutions store an actual photo, fingerprint or voice recording, in most cases the solution stores a unique code generated by an algorithm based on data derived from those original sources. For each new authentication attempt, the device uses the same algorithm to extract a new code from the fresh fingerprint, picture or voice recording, then compares the new code against the stored one to determine if they are similar enough to warrant authentication. This method restricts the user’s (or the financial institution’s) ability to recreate the original source data and reuse it to thwart the authentication system.
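The paragraph above describes the general shape of template-based matching: a stored code derived from the sample, a fresh code extracted the same way on each attempt, and a similarity comparison rather than an equality check. The script below is an added example, not code from Apple, USAA, MasterCard, Barclays or any vendor named here. The feature "measurements" are constructed pseudo-random values standing in for whatever a real sensor extracts, and the binarisation, Hamming comparison and 128-bit template size are illustrative choices, not any product's algorithm. It also measures the two error rates a practitioner cares about, false accept and false reject, at several thresholds.

```python
"""Template-based biometric matching, as the post describes it: the stored
"code" is derived from the sample, a fresh sample yields a fresh code, and the
two are compared for similarity rather than equality.

Added example, not code from any vendor named in the post. The "measurements"
are constructed pseudo-random feature values standing in for whatever a real
sensor extracts; the binarisation, Hamming comparison and 128-bit size are
illustrative choices, not a specific product's algorithm.
"""
import random

TEMPLATE_BITS = 128


def extract_code(measurements: list) -> int:
    """Derive the stored code: one bit per feature, set when the feature is above zero.

    The code is lossy: the original values cannot be recovered from it, which is
    the property the post credits with preventing replay of the source data.
    """
    code = 0
    for value in measurements:
        code = (code << 1) | (1 if value > 0 else 0)
    return code


def normalised_hamming(code_a: int, code_b: int) -> float:
    """Fraction of bit positions that differ; 0.0 is identical, ~0.5 is unrelated."""
    return bin(code_a ^ code_b).count("1") / TEMPLATE_BITS


def verify(stored_code: int, fresh_measurements: list, threshold: float) -> bool:
    """Accept the attempt when the fresh code is 'similar enough' to the stored one."""
    return normalised_hamming(stored_code, extract_code(fresh_measurements)) <= threshold


def error_rates(stored_code: int, genuine: list, impostor: list, threshold: float) -> tuple:
    """(false accept rate, false reject rate) over constructed attempt sets."""
    far = sum(verify(stored_code, m, threshold) for m in impostor) / len(impostor)
    frr = sum(not verify(stored_code, m, threshold) for m in genuine) / len(genuine)
    return far, frr


# Constructed data: an enrolment sample, noisy re-captures of the same person,
# and samples from unrelated people. A fixed seed keeps the run repeatable.
_rng = random.Random(2015)
ENROLMENT = [_rng.gauss(0, 1) for _ in range(TEMPLATE_BITS)]
GENUINE_ATTEMPTS = [[v + _rng.gauss(0, 0.3) for v in ENROLMENT] for _ in range(200)]
IMPOSTOR_ATTEMPTS = [[_rng.gauss(0, 1) for _ in range(TEMPLATE_BITS)] for _ in range(200)]
STORED_CODE = extract_code(ENROLMENT)   # this, not ENROLMENT, is what gets persisted

if __name__ == "__main__":
    print("stored code:", f"{STORED_CODE:032x}")
    for thr in (0.02, 0.30, 0.60):
        far, frr = error_rates(STORED_CODE, GENUINE_ATTEMPTS, IMPOSTOR_ATTEMPTS, thr)
        print(f"threshold {thr:.2f}: FAR={far:.3f} FRR={frr:.3f}")
```

Running it shows the trade-off behind every threshold choice: a very strict threshold rejects the legitimate user on most attempts, a very loose one accepts most strangers, and the operating point in between is what a vendor's quoted false accept rate refers to. The comparison is also why the stored code cannot simply be replayed: it is compared against a code extracted from a live capture, and the live capture, not the code, is what the liveness checks described above (blinking, a random phrase) are meant to protect.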

Other emerging biometric security methods

A few other biometric options that are in their infancy are Vein Pattern Scanning and the Digital Tattoo. In Vein Pattern Scanning, the palm of the hand is scanned in a manner similar to the techniques used in a fingerprint scan. The individual patterns are used as payment confirmation. Google’s Advanced Technology and Products group in partnership with VivaLnk developed the Digital Tattoo. It consists of a nickel sized, paper thin adhesive which is worn on the skin. This product’s initial application provides electronic authentication to unlock the user’s smartphone. It remains to be seen whether this technology can transition to the payment space.

Microsoft is also jumping into the mix with a new product called Hello, which is designed for use with the Windows 10 operating system. Windows Hello uses face recognition for its layered authentication approach. The Microsoft solution will not use the standard PC camera but will require an infrared camera; Microsoft reported that it didn’t feel the standard camera approach was secure enough. In a statement from Microsoft, “Windows Hello has a 1 in 100,000 false accept rate, which is very high. It’s a lot safer than a password, which we know, can easily be forgotten, lost, stolen or hacked.”

Conclusion

A true multifactor approach to authentication has long been a requirement for financial institutions. Relying on passwords or other currently available sources for authentication will no longer be enough to authenticate customers and make payments secure. As they mature, the expanded use of biometric options as part of the payment and authentication process may substantially strengthen authentication efforts in the future, potentially making the online environment much safer for us all.


Tags: payments

A Step by Step Guide to Business Continuity Planning

Posted on Wed, Jul 22, 2015 @ 08:00 AM

Author: Eric Flick, EFlick@jackhenry.com

According to the FFIEC, “It is the responsibility of an institution's board and senior management to ensure that the institution identifies, assesses, prioritizes, manages, and controls risks as part of the business continuity planning process.”


Here are the steps to a successful Business Continuity Planning process:

  1. Business Impact Analysis (BIA). When you conduct the Business Impact Analysis, look at all of the business functions and processes at the department level. Then identify interdependencies between functions and departments. Finally, pinpoint the risks to the institution as the result of unplanned or uncontrolled events that impact the ability to do business at the department level.
  2. Recovery Time Objective (RTO) and Recovery Point Objective (RPO). The RTO is the maximum amount of time that the institution can be without the function. The RPO is the maximum amount of data loss. As an example, if you say you need your core software running again within four hours of the incident and that you can’t lose any data, your RTO is “within four hours” and your RPO is “all data” up to the time the incident occurred. For the next step in your Business Continuity planning, you must determine the RTOs and RPOs for all of the business functions identified in the Business Impact Analysis.
  3. Risk Assessment. The Risk Assessment takes the Business Impact Analysis assumptions, applies various threats to them, and measures the potential impacts to the business. Base the threats on the most likely risks to the business. Institutions closer to the Gulf of Mexico or the Atlantic coast should assign high risk to hurricanes, whereas institutions located in Tornado Alley should place a high potential on that risk. During this time, the RTOs and RPOs should be reviewed for gaps – the difference between senior management expectations and the IT department’s actual ability to deliver on those expectations. Citing the previous example, where senior management is expecting the core system back within four hours with zero data loss, does IT actually have those capabilities in place today?
  4. Risk Management. Once documented, you’ve laid the foundation for all of the details that will comprise the Business Continuity Process.  Now define steps as to how your people, processes, and places will resume business following the unplanned interruption.
  5. Risk Monitoring and Testing. This is a cyclical process. Just as you wouldn’t make a loan without reviewing credit history, and you wouldn’t make another loan to the same person a year from now without reviewing their credit history again, the institution needs to regularly monitor the risks and conduct an exercise at least once each year to see how the employees and management team perform in responding to the various business impacts.
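Steps 1 through 3 produce three artifacts that can be checked against each other: the list of functions and their interdependencies, the RTO/RPO targets, and IT's measured restore times and backup intervals. The script below is an added example, not an FFIEC tool or any institution's plan: every function, dependency and capability figure is constructed (the "core" entry mirrors the four-hour, zero-data-loss example above), and the modelling rule it applies, that a function cannot recover before the functions it depends on and cannot lose less data than the worst backup interval in that chain, is an assumption of the example, not something the guidance prescribes.

```python
"""RTO/RPO gap analysis across the first three steps: BIA functions and their
interdependencies (step 1), their RTO/RPO targets (step 2), and the comparison
with what IT can deliver today (step 3).

Added example, not an FFIEC tool. All functions, dependencies and capability
figures are constructed. The rule that a function's achievable RTO is its own
restore time plus the longest achievable RTO among its dependencies, and that
its achievable RPO is the worst backup interval in that chain, is an assumption
of this example.
"""

# Step 1/2 output (constructed): function -> (RTO target hours, RPO target minutes)
BIA = {
    "core": (4, 0),            # the post's example: back within four hours, no data loss
    "online_banking": (8, 60),
    "image_store": (24, 240),
    "lockbox": (24, 240),
}
# Step 1 interdependencies (constructed): function -> functions it cannot run without
DEPENDS_ON = {
    "core": (),
    "online_banking": ("core",),
    "image_store": (),
    "lockbox": ("core", "image_store"),
}
# Step 3 measured IT capability (constructed): function -> (restore hours, backup interval minutes)
CAPABILITY = {
    "core": (6, 1440),          # six-hour restore, nightly backup
    "online_banking": (1, 60),
    "image_store": (2, 240),
    "lockbox": (3, 240),
}


def achievable(name, capability=None, depends_on=None, _seen=()):
    """(achievable RTO hours, achievable RPO minutes) for a function and its dependency chain."""
    capability = CAPABILITY if capability is None else capability
    depends_on = DEPENDS_ON if depends_on is None else depends_on
    if name in _seen:
        raise ValueError(f"circular dependency through {name}")
    restore_hours, backup_minutes = capability[name]
    rto, rpo = restore_hours, backup_minutes
    for dep in depends_on.get(name, ()):
        dep_rto, dep_rpo = achievable(dep, capability, depends_on, _seen + (name,))
        rto = max(rto, restore_hours + dep_rto)   # cannot finish before the dependency is back
        rpo = max(rpo, dep_rpo)                    # data loss is bounded by the worst link
    return rto, rpo


def gap_analysis(bia=None, capability=None, depends_on=None):
    """Per function: how far IT's achievable RTO/RPO fall short of the targets (0 = no gap)."""
    bia = BIA if bia is None else bia
    result = {}
    for name, (rto_target, rpo_target) in bia.items():
        rto_have, rpo_have = achievable(name, capability, depends_on)
        result[name] = {
            "rto_gap_hours": max(0, rto_have - rto_target),
            "rpo_gap_minutes": max(0, rpo_have - rpo_target),
        }
    return result


if __name__ == "__main__":
    for name, gaps in gap_analysis().items():
        flag = "GAP" if any(gaps.values()) else "ok"
        print(f"{name:15s} {flag:3s} RTO short by {gaps['rto_gap_hours']}h, "
              f"RPO short by {gaps['rpo_gap_minutes']}min")
```

The interesting output is not the core gap itself (a six-hour restore against a four-hour target is visible without a script) but the way it propagates: online banking and lockbox each have adequate restore times and backups on their own, yet neither can meet its RPO while the core system they depend on is only backed up nightly. That is the kind of gap between management expectation and IT capability that step 3 asks you to surface, and re-running the analysis after each annual exercise (step 5) is a cheap way to see whether the gaps are closing.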

Business Continuity Planning is manageable if you follow the elements and processes as defined by the FFIEC.  It is also an important component of your institution’s overall enterprise risk management program.  Regular review of the plan, along with annual exercises and results reported to the board and senior management are critical to the overall risk position of the institution.

Do you have a question about the Business Continuity Planning process?  Send us your questions in the comments section and we’ll be in touch!

Learn More About Business Continuity Planning

Tags: business continuity plan, business continuity guidelines

The Endless Cybersecurity Summer

Posted on Wed, Jul 15, 2015 @ 08:00 AM

Author: Karen Crumbley, karenc@gladtech.net

The 1966 surf movie The Endless Summer is a documentary in which filmmaker Bruce Brown follows two surfers on a surfing trip around the globe. “Its title comes from the idea, expressed at both the beginning and end of the film, that if one had enough time and money it would be possible to follow the summer around the world, making it endless.” The concept of endless activities is a familiar one for financial institution (FI) employees. A great example of one of these continuous activities for FIs is information security awareness and education. New threats are constantly emerging, and FIs are tasked with staying up-to-date on the best ways to educate stakeholders on how to recognize the signs of fraud. Presently, the IT Regulatory Compliance topic on everyone’s radar is “cybersecurity,” since the FFIEC piloted a cybersecurity assessment for 500 community FIs in 2014. Cyber risks compel the FI to look outside of its physical network. Additionally, the online community continues to be active outside of work hours, and therefore so does cybercrime.

The summer of 2015 is an important benchmark for cybersecurity. First, the much-anticipated Cybersecurity Assessment Tool from the FFIEC was released, which provides insight on assessing cyber risks and managing cybersecurity initiatives. Equally important to note is that summertime lends itself to vacation travel and outdoor activities, and as a result, mobile devices and social media are more widely used. Understanding that cyber criminals use these channels for malicious activity is significant.

The National Cyber Security Alliance (NCSA) and ConnectSafely organizations kicked off the summer with Internet Safety Month.  The campaign creates cybersecurity awareness by including tips on how to safely use social media and mobile devices. The information is particularly important for FI stakeholders to recognize because they are targets for cybercrime due to their access to systems that allow them to initiate wires and transfer funds. Cybercriminals look for clues about FI employees through social media in order to create social engineering opportunities and compelling spear phishing emails. Check out our recent post on social engineering, phishing, and vishing. 

The following are recommendations to make your summertime a safer online experience and protect non-public information:

  • Be skeptical and do not believe everything published online. Communicate wisely and authenticate contacts.
  • Ensure that all of your mobile devices are password protected or have a security feature in case they are lost or stolen.
  • Delete apps on your phone that you are no longer using. Unnecessary apps increase opportunities for cybercrime.
  • Limit the amount of information you post about travel plans through social media such as location and schedule. Criminals look for people who are out of town to target for cybercrime.
  • Turn off mobile device location services such as GPS maps and cameras when they are not in use. They provide your whereabouts to cybercriminals.
  • Turn off Bluetooth and Wi-Fi when not in use. They can also reveal your location and allow cybercriminals to hack your devices.
  • Be cautious when accessing Wi-Fi hot spots at airports. Thieves “sniff” these spots to see if they can obtain information to further their schemes. Always use a VPN when transmitting private or non-public information.

The internet is an invaluable tool for summer travel and event planning. Unfortunately, cybercriminals do not take a vacation from stealing information. Cybersecurity awareness is an endless process, so stay guarded and have a fantastic summer.


 Do you have any travel tips to share for protecting NPI and your online presence?

Tags: cybersecurity, cybersecurity awareness

How to Educate, Engage and Retain Your Customers

Posted on Thu, Jul 09, 2015 @ 09:00 AM

Author: Lauren Gleim, Lgleim@jackhenry.com

None of us want to lose customers or money.  It seems obvious doesn’t it?  Regardless of the business, we all want to drive traffic and increase our customer base. To successfully execute effective online marketing initiatives, a plan in place will help, and you don’t have to start from scratch. Here are some suggestions from our best practices pocket guide to gain and retain your audience.

Mobile banking

Let’s begin with mobile banking. Your customers’ misperceptions of mobile banking can be the biggest barriers to their adoption and usage of that service. Whether they fear it lacks security or that it is too complicated, you can ease their apprehension with educational marketing that counters those misperceptions.  Highlight why your mobile app is the smart, secure banking option. FAQs and demos are a great way to show your app in action.

Bill Pay

Have you ever tried breaking an old habit? Maybe you made a New Year’s resolution. It’s now July. Have you kept it up? You can relate this to your customers. Steering them away from old habits like paying bills through mail and starting new habits like adopting online bill pay can be life changing. Go beyond a single communication about your services to multichannel campaigns. Execute campaigns that build awareness about bill pay, educate consumers on how to use the service, and ultimately drive them to enroll and start making payments.


Email

Email is a huge asset for your digital marketing communications efforts. Get the basics of email marketing right. For starters, you can base your messages on customer behavior throughout the product stages. If you need more advice, access my previous post on email marketing where I detail ways to connect with your customers through email by customer behavior, personalization, education and social media. 

Responsive Design

While working through your marketing plan, consider your customers’ viewing experience. Whether on a mobile device, tablet or desktop, your customers want to easily navigate and view your website or marketing materials.  Websites, emails, and landing pages can all be responsively designed, and the success of your marketing initiatives will depend on your customers’ experience.

Video

One of my favorite mobile apps is Bodeefit, a fitness app that provides a daily workout. The best part is that if I don’t know how to do a plank split, for instance, they provide a short video of how to do it. Genius! For your customers, videos can guide them through the benefits of your product or simply how to use it. Make it easy for them and share the visual experience.

Social Media

Join your customers on the social level. Social media provides an outlet with your customers beyond your branch location and outside of your internet banking or bill pay platform. Not only can you use social media for traditional marketing of your products and services, but you can also provide them with educational marketing such as those videos we just mentioned. Sharing content leads to engaged, happy customers.

Now that you have your handy best practices pocket guide, want to see the full guide?


The iPay Resource Center has marketing materials to help you with your email marketing customer journey. Don’t miss out on FREE marketing!

Tags: customer retention, customer engagement, email marketing

Social Engineering, Phishing, Vishing: 3 Common Elements & How to Combat Them

Posted on Wed, Jul 01, 2015 @ 08:00 AM

Author: Tammy Bangs, TBangs@jackhenry.com


Phishing and social engineering accounted for 15 percent of cyber-crime costs incurred by U.S. companies in 2014, according to Statista.com. Furthermore, 44% of U.S. companies responding to a recent survey stated that they were targets of social engineering or phishing schemes (Statista).

Social engineering, phishing and vishing are everywhere you look these days.  Fake IRS telephone scammers, recent large financial institution (FI) breaches via email scams, penetration testing failures, executive level breaches, you name it – it has happened. 

Have you been lucky enough to receive a telephone call from the ‘Department of the IRS’ this year?  No?  I actually received two. Being the risk mitigation geek that I am, I couldn’t resist baiting the fraudster just a bit, asking as many questions as I could muster, keeping him on the line with me for as long as possible.  It was a fascinating glimpse into the not-so-sexy world of the vishing scheme. They were probably armed with little more than a search engine and a telephone. They didn’t even know enough about the Internal Revenue Service to use proper nomenclature. 

In my travels hosting risk mitigation seminars over the past 18 months, I have been grateful to hear from numerous bankers about penetration testing results they’ve experienced in their own FIs.  A common scenario is as follows: 

A third party firm is hired to see what they can obtain via external phishing testing.  An email is sent to the entire active directory in the FI.  The email appears to be from the IT officer but, upon further scrutiny, is actually from an external source; still, it looks good - quasi-legitimate.  The email states that if recipients don’t click the link provided and give their network credentials and passwords, then the required system maintenance due to be performed tonight cannot be completed and their managers will be notified.  Lots of the bankers – from tellers to C-Level - click the link and provide their credentials.

Initially the numbers I saw were astounding.  But, having spoken to bankers from coast to coast, I can confidently state that there are employees at every level inside of your FI who would click the link, TODAY. 

So I started wondering: Why?  Why would completely reasonable, intelligent, responsible people in this day and age with so much on the line willingly submit to a fraudster? It’s because most social engineering, phishing, and vishing schemes are built on three elements that suspend common sense:

  1. Legitimacy
  2. Urgency
  3. Consequence

Legitimacy
If Bob’s Accounting Firm down the street was on the phone, most people wouldn’t be very likely to cough up their SSN and DOB. But if it’s the IRS, it’s a different story. And if the email mentioned above wasn’t purportedly from the IT officer of the FI, the recipient would not have been nearly as likely to click the link and divulge their network credentials. 

A critical element in establishing the validity of the request is the pretext or backstory of the requester.  Is it a government agency?  Is this a law enforcement officer?  Is this a vendor?  Is it an employee of our FI?  One of the simplest and most effective ways to stop a social engineering attack before it’s off the ground is to simply validate the credentials of the person who made the phone call or sent the email.  How is this accomplished?  Through a separate and independent channel.  Either by calling the agency (IRS or otherwise) back and asking for the purported agent, or via a separate (non-reply) initiated email. 

Urgency
If there was no urgency in the request by the scammer, there is no reason to act now.  The fraudster wants you to act before your brain has a chance to consider what the downside of that action might be.  How many times have you spoken to an employee or customer after they’ve already opened the email and clicked the link?  “Um … I think I maybe shouldn’t have done this.”  “I may be infected with a virus.” “Something doesn’t look right!”  It’s a common theme.  If that fraudster gets your employee or customer to act prior to considering the implications of that action, their rate of success goes way up.  According to behavioral psychologists, urgent situations cause people to suspend deliberate thought and act quickly (Psychology Article).

Consequence
Consequence is the final leg in our three-legged social engineering stool.  If there is no implied or explicit consequence, there can be no true urgency, and therefore no reason to act.  If the IRS isn’t threatening to levy your property, place you under arrest or increase the amount you owe them, why would you agree to wire money immediately or provide information which could later be used to steal your identity?  If that IT officer wasn’t performing system maintenance tonight and your manager was not going to be notified of your non-compliance, why on earth would you agree to give your network credentials to someone – ANYONE?  The elements of consequence and urgency go hand in hand in making people who are rule-following good citizens easy pickings for criminals.  Unfortunately, this element is one that makes older generations even more vulnerable to this type of attack.  Taking the person on the other end of the phone at ‘face value’, and believing them when they tell you that you are in trouble with the IRS, is practically a given, unless you can warn your senior citizens ahead of time.  Before the wire is sent.  Before the social security number is given out.

Identifying these three elements is just one part of the strategy.  Your FI can take it from here.  Adopt a review of these components as a part of the training you provide your employees and customers on combating social engineering threats.  Scrutiny is not rude; it’s part of doing business today.  Challenging credentials, validating requests, and critical thinking are as much a part of protecting your assets as locking the front door of the bank each evening.  They are a necessary part of combating the tactics adopted by these fraudsters.  One additional parting thought – explicitly spell it out in your employment policy as an actionable item.  If an employee gives their network credentials to anyone, this is an offense that can result in termination.  It is a tough-love approach, but one that your security can depend upon.  Helping employees understand that there are consequences associated with actions is a critical deterrent to the click-now, think-later approach.
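The phishing test scenario above (an external mailbox posing as the IT officer, a link asking for network credentials, a deadline tonight and a threat to notify the manager) can be checked for exactly the three elements this post names. The following is an added example, not the author's material or any ProfitStars product feature: a small triage script that parses an email, flags a sender outside the institution's own domain (the borrowed legitimacy), a Reply-To that points elsewhere, a credential request beside a link, and urgency and consequence cue phrases, then recommends out-of-band verification. The internal domain `examplefi.test`, the two sample messages and the cue phrase lists are all constructed assumptions for illustration.

```python
"""Heuristic triage of an e-mail against the three social-engineering elements
(legitimacy, urgency, consequence) discussed in the post above.

Added example: the messages, the internal domain and the cue phrase lists are
constructed for illustration; nothing here is a standard or a product feature.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumption: the institution's own mail domain(s); any other sender is external.
INTERNAL_DOMAINS = {"examplefi.test"}

# Assumption: phrases that commonly carry the urgency and consequence cues.
URGENCY_CUES = ("tonight", "immediately", "right away", "within 24 hours", "action required")
CONSEQUENCE_CUES = ("will be notified", "will be suspended", "will be locked out",
                    "cannot be completed", "disciplinary")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Collect the text/plain content of a parsed message (multipart or not)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode("utf-8", "replace"))
    return "\n".join(chunks)


def assess_message(raw: str) -> dict:
    """Return per-element findings, a score and a recommended action."""
    msg = message_from_string(raw)
    _display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()

    findings = {
        # Legitimacy: the pretext is borrowed if the mailbox is not ours.
        "external_sender": from_domain not in INTERNAL_DOMAINS,
        # Replies routed somewhere other than the visible sender.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        # Credentials or passwords requested alongside a link.
        "credential_request": ("password" in text or "credential" in text) and "http" in text,
        # Urgency: pressure to act before thinking.
        "urgency": any(cue in text for cue in URGENCY_CUES),
        # Consequence: the implied penalty for not acting.
        "consequence": any(cue in text for cue in CONSEQUENCE_CUES),
    }
    score = sum(findings.values())
    # Any credential request, or three or more cues together, warrants checking
    # with the purported sender through a separate channel before acting.
    if findings["credential_request"] or score >= 3:
        action = "verify out of band before acting"
    else:
        action = "no action needed"
    return {"findings": findings, "score": score, "action": action}


# Constructed sample reproducing the scenario in the post: an external mailbox
# posing as the IT officer, a link asking for network credentials, a deadline
# tonight and a threat to notify the manager.
SPOOFED_MAINTENANCE_NOTICE = """From: "IT Officer" <it.officer@examplefi-support.test>
Reply-To: helpdesk@mail-relay.test
To: all-staff@examplefi.test
Subject: ACTION REQUIRED: system maintenance tonight

Required system maintenance is scheduled tonight. Confirm your network
credentials and password at http://examplefi-support.test/verify, otherwise
the maintenance cannot be completed and your manager will be notified.
"""

# Constructed benign notice from the real internal mailbox, for comparison.
INTERNAL_TRAINING_NOTICE = """From: IT Officer <it.officer@examplefi.test>
To: all-staff@examplefi.test
Subject: Reminder: quarterly security awareness training

Training sessions for next quarter are on the intranet calendar.
Reply to this message with any questions.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MAINTENANCE_NOTICE),
                       ("benign", INTERNAL_TRAINING_NOTICE)):
        print(label, assess_message(raw))
```

Keyword cues are deliberately crude; the point is that the urgency and consequence language the post describes is visible in the message itself, while the legitimacy check (is this really our domain, and do replies go back to it?) is the one that does not rely on wording and so belongs in every "validate through a separate channel" procedure.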

Definitions:

Social Engineering:  Webopedia.com defines it as “the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information.”
Phishing: Dictionary.com defines Phishing as trying “to obtain financial or other confidential information from Internet users, typically by sending an email that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake website that replicates the real one.”
Vishing: About.com defines vishing as a scheme in which a fraudster “uses social engineering and phishing techniques to steal people's identities using Voice over Internet Protocol (VoIP) phone lines.”
Personally Identifiable Information: (PII) The US Department of Labor defines it as “information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.)” 


Tags: phishing campaigns, cybersecurity awareness, social engineering
