Monday, November 19, 2012

Planning Ahead: Budgeting vs Strategy

Here's a year-end thought for you: budgeting is not strategy. While preparing and managing to a budget is an important part of your "looking forward" activities, don't let your annual budget substitute for a real strategic plan. Budgets lack vision and passion, and can't convey leadership directives. Strategies need to clearly outline Executive Management's vision of the markets to be served, the types of products and services to be offered, and efforts to establish and enhance your company's brand in the marketplace. From these strategies, clear tactical guidelines can be developed for executing initiatives and effecting real change.

Most strategic planning efforts fall down on execution.  By establishing clear tactical directives, naming responsible parties, and demanding regular progress updates, you can avoid the "dusty plan on the shelf" trap that so many fall into.

Often, an outside moderator can offer value by preparing for and conducting planning sessions, aiding in the development of tactical initiatives, and mentoring your key players to actually get things done.  Don't be afraid to ask for help - successful strategic planning is worth the investment.

Monday, October 1, 2012

Alert on Recent Hacking Activity

Quite a lot of buzz in the last few days over some of the largest US banks being the target of hacking activity.  While few community banks will be affected, customers who see the media coverage may, nonetheless, express concern.  Here are some talking points that I hope will help you in communicating to your employees how to address customer concerns.

1) These are distributed denial of service (DDoS) attacks on the web sites of the banks in question. The result of these attacks is to make some or all of the web site unavailable for use. In some cases, the pages and links customers use to access Internet banking may be targeted. These are NOT hacks into the customer information, however, merely a denial of access. To date, no data has been exposed or compromised.

2) While the banks are of course the target of this activity (which appears to be politically motivated), the site hosts for the banks' web sites are actually being hacked, NOT the banks themselves.

3) Customers remain the weakest link relative to security breaches.  Use any opportunity to discuss such matters with customers to remind them that it is crucial that they have, and continue to update, current virus protection on their own computers and other devices.

4) Take this opportunity to be sure that your bank's systems are properly protected, with all security updates and patches applied. Firewall reports should be monitored for unusual activity, as should all internal systems. Raising your bank's and your customers' level of awareness goes a long way toward preventing unauthorized access.

As always, contact me if I can be of assistance in these or other matters.

Thursday, September 6, 2012

Today's Speaking Engagement

I'm in Kansas this morning, to address the KBA's Young Bankers Conference. We are going to get serious about the challenges of supporting customers in an era where much of our technology is customer-facing. "This Stuff Doesn't Work" is both a funny and serious look at customer expectations and the work banks have to do in order to be successful. Very excited to talk to this group of rising stars!

Wednesday, August 29, 2012

Telephone Banking - The Forgotten Technology?

By far one of the most popular customer-facing technologies banks have introduced is Interactive Voice Response (IVR). Customers flocked to this technology, calling over and over to hear a balance or see if a payment had cleared, many calling multiple times per day even if account balances and other information were not in real time. The advent of Internet Banking may have slowed the usage, but it did not go away. Convenience might be an issue: a customer checking an account balance may find the touch tone phone faster than logging into your web site. These systems are simple and easy to use.

Internet Banking is well into its second decade, however, and many of you are already investing in the next generation: Mobile Banking. The question is, what to do with our IVR systems? Especially if you are running IVR “in-house,” it is likely that your system is aging, and support may be lacking. If you've priced a new system, you may be taken aback by the cost. If you can keep that old clunker running a bit longer, here's my step-by-step process for getting a handle on this technology before it causes you a real problem.

  1. Do an operational and contractual assessment of your current system. Get the vendor involved (if they are still around) and make sure you have ready access, in the short term, to replacement parts and support in the event of a failure. Get your core vendor involved (if they are not the IVR vendor) and ask them to help you plot a backup strategy, if your IVR vendor is not around. Or call an expert (that would be your humble author). Your goal here is to put together a strategy to keep the technology working for another year or two, while you move these users to other solutions.

  2. Take a hard look at the number of calls you are receiving, and who these folks are. Generally, you will find a significant group of “repeat offenders.” Hopefully, your system produces reports, but if not, go to the phone logs to see what you can learn.

  3. If you have outsourced your IVR, think about aligning the efforts listed below with that contract's expiration date, so that you can retire the technology at that time. A benefit of outsourcing is that you are relieved from worry over the state of your system. A downside, however, is the cost associated with the technology and the calls.

  4. Taking into account (based on available reporting) the frequency and type of activity you see, design an aggressive marketing campaign to move those folks to Internet Banking.

  5. If you currently have mobile banking, even better. Promote that directly to your IVR users, with particular attention to the SMS “text” capability, as it offers the path of least resistance to their using the product.

My hope is that, over time, with some concentrated effort, you can eliminate your IVR system in favor of newer technology that offers customers even more functionality.

Thursday, August 16, 2012

Mobile Banking Webinar

There is still time to sign up for my webinar on mobile banking this Monday afternoon.  Use the link below, and click on your state to sign up.  If your state isn't listed, just adopt a state for the day!  Looking forward to a rousing discussion of current issues in mobile banking.

Tuesday, August 7, 2012

New Password Security Threats

Please take time to read the attached article, and be sure that your IT and Operations staff sees it as well. It points out the flaws in many of today's common password and authentication methods. It also clearly points out the need for multi-factor authentication in almost every situation. While few banks are currently storing data in "the cloud," such methods are, for both technological and economic reasons, trending, and will be something that must be dealt with.

Tuesday, July 24, 2012

BANK OPERATIONS UPDATE: Supporting Internal Customers

Supporting multiple locations, whether branches or discrete banks, brings a variety of challenges. From an operations and technology perspective, however, the key is to provide a consistent customer experience across all locations. This means the ability of the teller, loan, and deposit platform systems to serve customers from any location. It further means that line speeds and server horsepower, two key components of the speed with which applications load and run on your employees' computers, must be up to par across all locations. In addition to purchasing systems and data communications capacity that are properly sized, the walking around test is necessary. That is, get out into the remote locations and watch your employees as they use their systems: are screens slow to load and change, making it hard for employees to serve customers in a timely fashion? If so, it's time to begin addressing why, by looking at communications lines, network capabilities, and other components of adequate access times.

Tuesday, July 10, 2012

Contingency Planning

Contingency planning is a rare item these days: a regulatory requirement that is also a prudent business practice. You have to be sure, through analysis and testing, that you have plans and methods in place for business continuation. All contingency planning has a three-pronged focus:

  1. Prevention – taking steps to greatly reduce the possibility of an occurrence. This is easier for things you control (installing redundant power supplies and hard drives in your network servers) than things you don't control (weather).

  2. Minimization – planning and testing will contribute to a lessening of the impact of any occurrence.

  3. Restoration – again, the planning and testing you've done will enhance your ability to respond and begin to restore operations.

In the context of technology planning, be sure that contingency and DR are integrated into all of your efforts.

Thursday, June 21, 2012

Vendor Contracts

I continue to do a lot of work in this area, as banks often have contracts with terms and conditions that they don't fully understand, in part because they haven't carefully read what they are signing. The contracts that you have in place now are important, because they dictate what you can and can't do in terms of buying new products from third parties, or discontinuing the use of certain products, and they commit you to fees and penalties for changes and early termination that can be significant. Make sure you know exactly what you've committed to, especially with your larger contracts, such as core accounting and item processing, so that your decisions are in line with those contractual relationships. Finally, don't forget that when new contracts are considered (whether for an add-on product, or a complete renewal or new relationship), you must carefully review those, and consider the terms and conditions so that you improve your position relative to your older contracts.

Monday, April 2, 2012

More Comments Regarding Online Security

As a follow-up to last week's post about the risk of hacking attacks on Internet gaming sites, I felt it useful to expand on this topic. The customer remains the weakest link, in two main areas. First, poor password composition. An article in the March 24, 2012 edition of The Economist provides insight into just how lightly most people take password security. Almost 1 percent of a particular web site's users had selected 12345 or 123456 as their password. Others used a single letter (only takes 26 guesses) or a readily identifiable name, word, or phrase. Second, failure to maintain a secure environment on their personal computers, smart phones, and tablet devices. Recently, a customer fell victim to a scam while shopping on-line. Due to a lack of current virus protection, the customer had unknowingly been infected with a program which was watching her on-line activity. When she entered her card number to complete a transaction on a legitimate site, the rogue program produced a “pop-up” window with some VERY clever language, similar to this: “We are working with your bank to improve on-line security. Please re-enter your credit card number, expiration date, and CVV code.” Unfortunately, the customer did just that, and the information was gathered by a criminal who began using the card for other purchases.

Regardless of the source of, or the reason for, a particular breach, banks are generally held responsible for losses customers incur (even in the face of overwhelming evidence as to the customers' culpability). Banks must fight a battle on two fronts. First, ongoing education of customers regarding safeguarding their private data is essential. At least a few will heed this advice, and act accordingly. Getting customers to keep virus protection up to date is even harder. Some banks have begun offering free access to virus protection as a part of online services. Even doing this, the software is useless if customers don't keep it up to date, so education and reminders must continue.

Second, invest in as much anti-fraud technology as you can to identify and block criminal activity, whether from debit or credit cards, ACH, or wire transfers. Since banks are ultimately held accountable for these losses, anything you can spend now to reduce your exposure is warranted ... to a point, of course.

Finally, remain alert. When you see evidence of one or two card fraud issues, be alert for many more, as these may in fact be “testing” transactions to verify account information and balances before larger transactions are attempted. Involve your EFT and core provider as soon as you feel there is any issue.

Wednesday, March 28, 2012

On Line Gaming and Payments ALERT

I've recently encountered an issue with several of my bank clients that I think would be of interest to many of you. Blizzard, the company that offers the popular World of Warcraft on-line game, has increasingly become a target of hackers in search of fresh credit and debit card numbers. You may want to consider a general alert to your customer base about carefully monitoring for any unusual activity on their debit and credit cards. One suggestion would be to consider a pre-paid card to use only for this activity, limiting exposure to any such breach. Blizzard is not the only such gaming company with these issues, but we are presently seeing a LOT of activity around their site.

Monday, February 20, 2012

Thoughts on Using Social Media for Your Bank

By now, you are either actively involved in social media for your bank, or seriously considering it. Key social media channels today include your web site, Facebook, Twitter, and blogs. Following are three ideas to help you leverage social media, while protecting your bank from both a compliance and reputation risk perspective.

First, you have to be “all in.” Commit to the required ongoing effort to maintain timely and accurate postings across all of your media channels. Having a Twitter account, Facebook page, or web site that is only infrequently updated is as bad as a stale billboard. Doing so requires two main efforts – identifying and supporting a point person (I prefer “social media manager”) to manage the technology, and ensuring a steady flow of information from your various departments and locations that allows this individual to make frequent, pertinent posts via social media sites.

Second, address the matter of managing feedback that you receive. Unlike virtually all other forms of advertising, social media allows, even encourages, feedback. Your social media manager must have the skills, and a support group, to segregate responses into three categories. First, there are those responses that we like because they are positive toward the bank and its activities. Second, there are those that require discernment in handling . . . while the post may be negative, is it objective enough that we should deal with it from a customer relations standpoint? Some of the posts you receive may contain a specific complaint. If you can, without divulging personal data, publicly address and resolve the issue, this becomes a great opportunity to demonstrate your focus on customer service.

Finally, there will be posts that must be immediately removed, because they are obscene, offensive, or otherwise inappropriate. Examples of inappropriate posts may also include those where customers (in spite of your admonitions to the contrary) may reveal account information. Ensure that your social media manager is monitoring ALL activity, on a timely basis, by receiving email or text updates when posts are made to your sites.

As an executive, be sure that you are at least basically familiar with current and future social media channels, so that you can provide guidance and insight to your organization in these areas.

Thursday, February 2, 2012

Payment Processor Risks

On January 31, 2012, the FDIC issued FIL-3-2012 addressing the risks of providing services to third party payment processors. The document is available here

In general, the FDIC is concerned that banks may not be properly monitoring the activities of their customers who provide third-party payment services, in part because many of the third-party processors' customers may not be direct customers of the bank. Examples are varied, but include debt collection, on-line magazine subscriptions, and on-line gambling services. Included in the document are guidelines for creating a risk management document and a risk assessment relative to your relationships with such third-party processors. I will not restate those guidelines here, but instead offer the following key points:

  1. It is hard to overstate the importance of knowing your customer and their activities.

  2. Companies that aggressively pursue an account relationship with you, including those offering to keep large balances, or acquire an ownership stake in your institution, require additional scrutiny.

  3. This is another FDIC issuance that raises the spectre of your bank being charged under Section 5 of the Federal Trade Commission Act “Unfair and Deceptive Acts or Practices” if you are seen as contributing to such behavior on the part of your customer.

  4. As with any relationship whereby you allow customers to originate payments, constant oversight is appropriate: establishing and monitoring daily limits, both in dollars and in transaction volume, monitoring and addressing high return rates on debit items, and “smell testing” (do these feel like legitimate business practices?).

  5. As always, you should document your risk assessment, risk management practices, and your monitoring and oversight of customer activity.

If you in fact have such relationships now, they should be reviewed promptly in light of the new guidance. Any new business opportunities should be carefully evaluated along these same guidelines.  As always, let me know if I can assist you in any way.