A Trusted Advisor to Financial Institutions



    Trent Fleming

    Contingency Planning
    Contingency planning is a rare item these days: a regulatory requirement that is also a prudent business practice. You have to be sure, through analysis and testing, that you have plans and methods in place for business continuation. All contingency planning has a three-pronged focus:
    1. Prevention – taking steps to greatly reduce the possibility of an occurrence. This is easier for things you control (installing redundant power supplies and hard drives in your network servers) than things you don’t control (weather).

    2. Minimization – planning and testing will contribute to a lessening of the impact of any occurrence.

    3. Restoration – again, the planning and testing you’ve done will enhance your ability to respond and begin to restore operations.
    In the context of technology planning, be sure that contingency and DR are integrated into all of your efforts.

    Vendor Contracts
    I continue to do a lot of work in this area, as banks often have contracts with terms and conditions that they don’t fully understand, in part because they haven’t carefully read what they are signing. The contracts that you have in place now are important, because they dictate what you can and can’t do in terms of buying new products from third parties, or discontinuing the use of certain products, and they commit you to fees and penalties for changes and early termination that can be significant. Make sure you know exactly what you’ve committed to, especially with your larger contracts, such as core accounting and item processing, so that your decisions are in line with those contractual relationships. Finally, don’t forget that when new contracts are considered (whether for an add-on product, or a complete renewal or new relationship) you must carefully review those, and consider the terms and conditions so that you improve your position relative to your older contracts.

    More Comments Regarding Online Security

    As a follow-up to last week’s post about the risk of hacking attacks on Internet gaming sites, I felt it useful to expand on this topic. The customer remains the weakest link, in two main areas. First, poor password composition. An article in the March 24, 2012 edition of The Economist provides insight into just how lightly most people take password security. Almost 1 percent of a particular web site’s users had selected 12345 or 123456 as their password. Others used a single letter (only takes 26 guesses) or a readily identifiable name, word, or phrase. Second, failure to maintain a secure environment on their personal computers, smart phones, and tablet devices. Recently, a customer fell victim to a scam while shopping on-line. Due to a lack of current virus protection, the customer had unknowingly been infected with a program which was watching her on-line activity. When she entered her card number to complete a transaction on a legitimate site, the rogue program produced a “pop-up” window with some VERY clever language, similar to this: “We are working with your bank to improve on-line security. Please re-enter your credit card number, expiration date, and CVV code.” Unfortunately, the customer did just that, and the information was gathered by a criminal who began using the card for other purchases.
    Regardless of the source of, or the reason for, a particular breach, banks are generally held responsible for losses customers incur (even in the face of overwhelming evidence as to the customers’ culpability). Banks must fight a battle on two fronts. First, ongoing education of customers regarding safeguarding their private data is essential. At least a few will heed this advice, and act accordingly. Getting customers to keep virus protection up to date is even harder. Some banks have begun offering free access to virus protection as a part of online services. Even doing this, the software is useless if customers don’t keep it up to date, so education and reminders must continue.
    Second, invest in as much anti-fraud technology as you can to identify and block criminal activity, whether from debit or credit cards, ACH, or wire transfers. Since banks are ultimately held accountable for these losses, anything you can spend now to reduce your exposure is warranted . . . to a point, of course.
    Finally, remain alert. When you see evidence of one or two card fraud issues, be alert for many more, as these may in fact be “testing” transactions to verify account information and balances before larger transactions are attempted. Involve your EFT and core provider as soon as you feel there is any issue.

    On Line Gaming and Payments ALERT

    I’ve recently encountered an issue with several of my bank clients that I think would be of interest to many of you. Blizzard, the company that offers the popular World of Warcraft on-line game, has increasingly become a target of hackers in search of fresh credit and debit card numbers.
    You may want to consider a general alert to your customer base about carefully monitoring for any unusual activity on their debit and credit cards. 
    One suggestion would be to consider a pre-paid card to use only for this activity, limiting exposure to any such breach. Blizzard is not the only such gaming company with these issues, but we are presently seeing a LOT of activity around their site.

    Thoughts on Using Social Media for Your Bank

    By now, you are either actively involved in social media for your bank, or seriously considering it. Key social media channels today include your web site, Facebook, Twitter, and blogs. Following are three ideas to help you leverage social media, while protecting your bank from both a compliance and reputation risk perspective.
    First, you have to be “all in.” Commit to the required ongoing effort to maintain timely and accurate postings across all of your media channels. Having a Twitter account, Facebook page, or web site that is only infrequently updated is as bad as a stale billboard. Doing so requires two main efforts – identifying and supporting a point person (I prefer “social media manager”) to manage the technology, and ensuring a steady flow of information from your various departments and locations that allows this individual to make frequent, pertinent posts via social media sites.
    Second, address the matter of managing feedback that you receive. Unlike virtually all other forms of advertising, social media allows, even encourages, feedback. Your social media manager must have the skills, and a support group, to segregate responses into three categories. First, there are those responses that we like because they are positive toward the bank and its activities. Second, there are those that require discernment in handling . . . while the post may be negative, is it objective enough that we should deal with it from a customer relations standpoint? Some of the posts you receive may contain a specific complaint. If you can, without divulging personal data, publicly address and resolve the issue, this becomes a great opportunity to demonstrate your focus on customer service.
    Finally, there will be posts that must be immediately removed, because they are obscene, offensive, or otherwise inappropriate. Examples of inappropriate posts may also include those where customers (in spite of your admonitions to the contrary) may reveal account information. Ensure that your social media manager is monitoring ALL activity, on a timely basis, by receiving email or text updates when posts are made to your sites.
    As an executive, be sure that you are at least basically familiar with current and future social media channels, so that you can provide guidance and insight to your organization in these areas.

    Payment Processor Risks

    On January 31, 2012, the FDIC issued FIL-3-2012 addressing the risks of providing services to third party payment processors. The document is available here
    In general, the FDIC is concerned that banks may not be properly monitoring the activities of their customers who provide third-party payment services, in part because many of the third-party processor’s customers may not be direct customers of the bank. Examples are varied, but include debt collection, on-line magazine subscriptions, and on-line gambling services. Included in the document are guidelines for creating a risk management document and a risk assessment relative to your relationships with such third-party processors. I will not restate those guidelines here, but instead offer the following key points:
    1. It is hard to overstate the importance of knowing your customer and their activities.

    2. Companies that aggressively pursue an account relationship with you, including those offering to keep large balances, or acquire an ownership stake in your institution, require additional scrutiny.

    3. This is another FDIC issuance that raises the spectre of your bank being charged under Section 5 of the Federal Trade Commission Act “Unfair and Deceptive Acts or Practices” if you are seen as contributing to such behavior on the part of your customer.

    4. As with any relationship whereby you allow customers to originate payments, constant oversight is appropriate: establishing and monitoring daily limits, both dollar and transaction volume wise, monitoring and addressing high return rates on debit items, and “smell testing” (do these feel like legitimate business practices?).

    5. As always, you should document your risk assessment, risk management practices, and your monitoring and oversight of customer activity.
    If you in fact have such relationships now, they should be reviewed promptly in light of the new guidance. Any new business opportunities should be carefully evaluated along these same guidelines.  As always, let me know if I can assist you in any way.
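
    The daily checks in point 4 above (dollar limits, transaction-volume limits and return rates per originating customer) can be automated. The following is an added example, not code from the original post or from the FDIC guidance; the record layout, limit values, the minimum sample size for rate checks and the originator names are assumptions, and the sample items are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Item:
    originator: str      # bank customer originating the payment (hypothetical IDs)
    day: date            # origination date
    amount_cents: int
    returned: bool       # True if the debit item later came back as a return

@dataclass(frozen=True)
class Limits:            # per-customer limits; all values here are assumptions
    max_daily_cents: int
    max_daily_items: int
    max_return_rate: float
    min_items_for_rate: int = 20   # skip rate checks on very small samples

def review(items, limits):
    """Return sorted (originator, day, reason) alerts for one batch of items."""
    totals = defaultdict(lambda: [0, 0, 0])        # cents, item count, returns
    for it in items:
        t = totals[(it.originator, it.day)]
        t[0] += it.amount_cents
        t[1] += 1
        t[2] += int(it.returned)
    alerts = []
    for (orig, day), (cents, count, returns) in totals.items():
        lim = limits.get(orig)
        if lim is None:                            # originating with no limits set
            alerts.append((orig, day, "NO_LIMITS"))
            continue
        if cents > lim.max_daily_cents:
            alerts.append((orig, day, "DOLLAR_LIMIT"))
        if count > lim.max_daily_items:
            alerts.append((orig, day, "ITEM_LIMIT"))
        if count >= lim.min_items_for_rate and returns / count > lim.max_return_rate:
            alerts.append((orig, day, "RETURN_RATE"))
    return sorted(alerts)

# Constructed sample data, not real activity.
D = date(2012, 2, 1)
SAMPLE = ([Item("PROC-A", D, 2_500, i < 6) for i in range(40)]      # 6 of 40 returned
          + [Item("PROC-B", D, 900_000, False) for _ in range(3)]   # $27,000 in 3 items
          + [Item("PROC-C", D, 1_000, False)])                      # no limits on file
LIMITS = {"PROC-A": Limits(500_000, 100, 0.05),
          "PROC-B": Limits(2_000_000, 50, 0.05)}

if __name__ == "__main__":
    for alert in review(SAMPLE, LIMITS):
        print(*alert)
```

    Each alert is a starting point for the documented review described in point 5, not a verdict on the customer.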

    Debit Card Fees Create Opportunity for Community Banks

    Bank of America (BofA)’s announcement that it will impose a fee on the use of debit cards is probably the first of many by large banks. Rather than setting a precedent that all banks should follow, this move provides a tremendous opportunity for community banks to strengthen existing relationships, and perhaps attract new ones, by continuing to make debit cards available as a part of low cost checking accounts. Don’t let the noise over the “loss of fee income” distract you from an important fact: from a cost standpoint, every debit card transaction (whether PIN or signature) costs less than processing a check. Whether BofA customers will grudgingly pay a fee, revert to check writing, or move their accounts to another bank without such fees, the imposition of a fee (effectively creating an economic barrier to the acceptance of debit cards) is a bad move, period.
    The need to offset the loss of fee income is frequently given as the motivation for imposing such a fee. If the result of the fee is increased operational costs, this will certainly impact a bank’s earnings, to the negative. There is much confusion over the reduction in interchange fees for banks over 10 billion in assets. This interchange fee only applies to signature transactions, which are already being threatened by the determination of merchants (through configuration of POS devices) to force customers to enter a PIN.
    I want to encourage my friends in community banking to do what many have begun to do – promote your already free debit card more heavily – encouraging even more use, so that both you and your customers benefit from this popular, cost effective transaction tool. My Twitter feed @techadvisor has been full of such posts from right-thinking community banks doing just that.

    Helping Your Customers Prepare for Natural Disasters

    One of the best ways to avoid crisis issues after a disaster is to be better prepared BEFORE a disaster.  The following material, from FDIC, is good information to share with your customers about ways they can prepare beforehand.  Effectively communicating these ideas to your customers can make all the difference in how well your institution is able to serve customers after a disaster:

    Press Release

    The FDIC Offers Tips on Preparing Financially for a Natural Disaster or a Fire 
    Other topics in the latest FDIC Consumer News include personal payments by smartphone or mobile computer, plus solving mysteries of old bank accounts

    September 7, 2011
    Media Contact:
    Jay Rosenstein (202) 898-7303
    E-mail: jrosenstein@fdic.gov

    Hurricane Irene, the earthquake that shook the East Coast and the deadly tornado that hit Joplin, Missouri are recent reminders that disasters rarely give advance warning and can happen anytime. That’s why it’s important for households to have a plan for protecting important assets and conducting day-to-day financial transactions in the event of an emergency. The Summer 2011 issue of FDIC Consumer News features tips on how to prepare financially for a natural disaster, a fire or another tragedy, especially one that requires people to evacuate their home and not return for days or weeks.
    Other timely topics in the latest issue include what to know before signing up for person-to-person, or “P2P,” electronic payment services using a smartphone or mobile computer; how to solve mysteries of old bank accounts; and an update on new standards for and disclosures by mortgage loan professionals.
    Here are examples of some of the consumer tips in the latest newsletter:
    Preparing financially for the unexpected: The FDIC newsletter suggests that consumers:

    • Anticipate what could go wrong by thinking about the most likely hazards for their community and periodically reviewing their insurance coverage;
    • Consider services that can help access funds and manage finances away from home, such as direct deposit and banking by computer or smartphone;
    • Have essential items in one or more emergency evacuation bags or boxes that are waterproof, easy to carry and kept secure; and
    • Be on guard against fraudulent “charities” or “businesses” scheming to profit from the situation.

    Making personal payments by mobile devices: As with any form of payment, understand the costs and potential risks of this increasingly common service from some banks and non-banks. Legal protections for P2P services may differ depending on whether the services are provided by a bank, and the security of the device should always be a concern.
    Researching old bank accounts and, perhaps, recovering something valuable: A consumer who finds old account information should first determine whether the bank is open, closed or has merged with another bank. The FDIC’s Bank Find database at www2.fdic.gov/idasp/main_bankfind.asp can be used to trace the history of any FDIC-insured institution. Consumers should also beware of people who demand money up-front for help recovering unclaimed property, something that most people can easily do on their own for free.
    Finding a mortgage loan originator: As a result of a 2008 law to enhance consumer protections and reduce fraud in the residential mortgage industry, a free, searchable database now provides useful information about all state-licensed and federally registered mortgage loan originators. In the future, the database will be expanded to include information about certain relevant disciplinary or enforcement actions.
    The goal of FDIC Consumer News is to deliver timely, reliable and innovative tips and information about financial matters, free of charge. The Summer 2011 edition can be read or printed at www.fdic.gov/consumers/consumer/news/cnsum11.
    To find current and past issues of FDIC Consumer News, visit www.fdic.gov/consumernews or request paper copies by contacting the FDIC’s Public Information Center toll-free at 1-877-275-3342, by e-mail to publicinfo@fdic.gov, or by writing to the FDIC Public Information Center, 3501 North Fairfax Drive, Room E-1002, Arlington, VA 22226.
    There are two ways to subscribe to the quarterly FDIC Consumer News. To receive an e-mail about each new issue with links to stories, go to www.fdic.gov/about/subscriptions/index.html. To receive the newsletter in the mail, free of charge, contact the Public Information Center as listed above.
    The FDIC encourages financial institutions, government agencies, consumer organizations, educators, the media and anyone else to help make the tips and information in FDIC Consumer News widely available. The publication may be reprinted in whole or in part without advance permission. Organizations also may link to or mention the FDIC Web site.

    # # #