AVP IT Consulting,
Credit Union Resources, Inc
On the heels of the FFIEC issuing their Cybersecurity Assessment General Observations, they issued their Cybersecurity Toolkit to assist financial institutions in defending against sophisticated and dynamic cyber threats. Let me preface by saying that I am not sick. I was actually happy when it came out and excited when reading through it. The reason is that, having worked in the realm of cybersecurity in the credit union industry for ten years, I find this guidance echoes the messages those of us in the cybersecurity space have been saying for years. With breaches becoming more rampant and cybersecurity being a hot topic among examiners, the toolkit is timely and relevant.
As with most new cybersecurity news and guidance, my phone and e-mail tend to get a little more love than normal. This new toolkit is yielding no different results. So I figured this blog post would be ideal for sharing with the masses what I’ve been sharing with a few. Here are a few answers to questions that I’ve received, as well as some observations:
1) Credit Unions’ Response: The vast majority of credit unions I’ve communicated with who have reviewed this toolkit are very intimidated. So if you read it and feel overwhelmed, you are not alone. Keep in mind that with any new guidance, the pain is usually on the front end.
2) Don’t freak out… Yet: Although the FFIEC is not a regulatory body that governs credit unions, the NCUA does reference their guidance to credit unions based on some FFIEC standards. We still haven’t seen how NCUA or your State examiners will be using this tool; however, what we can expect is for them to be more intrusive when it comes to cybersecurity.
3) Where does the framework come from: The FFIEC built its framework on the NIST (National Institute of Standards and Technology) framework. Having used this framework in the cybersecurity portion of our information security risk assessment fieldwork, I can say that it is proven and yields great results.
4) Encourages proactiveness: Five levels of cybersecurity maturity have been set. Of these levels, the baseline includes regulations and compliance. Therefore, this encourages credit unions to mature from the most basic cybersecurity into the higher maturity levels of ‘evolving, intermediate, advanced, and innovative’.
5) Achieving Compliance: Although portions of the FFIEC cybersecurity maturity model address compliance, it does not fully achieve compliance with NCUA Regulation 748 Appendix A. The reason is that the regulation states that a credit union must have a risk-based Information Security Policy & Program addressing physical, administrative, and technical security. The tool only addresses the technical aspects of a credit union’s Information Security Policy & Program.
Being reactive is a vulnerability not only to credit unions and their members’ assets, but to the industry as a whole, due to the new landscape of cybercrime and cyber warfare. Per the White House, President Obama has identified cybersecurity as one of the most serious economic and national security challenges we face as a nation. It was also stated that we are not adequately prepared to counter it. As a result, abiding by, and being able to identify and adjust to, at a minimum, baseline standards is necessary.
Feel free to reach out to me should you come across any questions or concerns, or feel like commenting. As mentioned before, I’m not sick; this just happens to be a topic which I like to discuss.
Director of Research,
Cornerstone Credit Union League
If you’ve ever taken a course in anthropology, you probably learned about ethnography. This refers to the onsite investigation of a culture in order to understand what its members do and feel. Perhaps a pith-helmeted professor with pen and notebook in a remote village comes to mind. Today, various types of ethnographic research are found in the corporate world. Many companies, including financial institutions, use this methodology to better understand how their consumers live, work and play, and how their lives make them more or less receptive to various products and services. [1]
Wells Fargo is one such company. It’s helpful to review the way they conducted an ethnographic study and, in addition, how their results may benefit credit unions. The problem that prompted the ethnography was that Wells Fargo sends out a lot of communications, both online and offline, to their members. This includes, among other things, statements, marketing offers, and deposit notifications. The communications come from different units within the bank, which can mean a wide variation in design, tone, and content. To ensure that its communications were user friendly, the bank, along with Forrester Research, took the following steps in their ethnographic project:
- Recruited 20 customers to collect all communications from Wells Fargo and select competitors over a one-month period.
- Facilitated immediate feedback on communications by allowing the customers to call a toll-free number and leave their “in the moment” reactions to each piece of communication they received. The bank also sent each participant a large scrapbook to archive everything and stickers to indicate whether they thought the piece was good, neutral, or bad.
- Brought in thirteen of the most engaged participants for 90-minute interviews to walk through all their communications and debrief their scrapbooks. The research team also conducted a competitive exercise in which participants picked a brand they felt had something to teach Wells Fargo.
And what did this research show? Forrester Research discovered that:
- Communications delivered the basics but didn’t build relationships. The bank fell short on being perceived as approachable and empathetic, which were two areas they believe set the tone and gave an image of their brand.
- Customers want the bank to know them. One participant brought a newsletter from AARP and commented, “AARP knows when I turn 50; why doesn’t my bank?” Another said, “Netflix can tell me what to watch; why can’t the bank tell me how to reach my financial goals?” This feedback compelled the bank to invest in delivering relevant communications and also highlighted the need to seek best practices from outside of the banking industry.
- Marketing messages are viewed with suspicion. Participants tended to be skeptical of communications that seemed like marketing. They disliked pieces they deemed as “trying to sell me something.”
- Bad news can be delivered tactfully. One participant received an insufficient funds notice that she perceived as very helpful. The letter informed her of the problem, told her in three easy steps how to rectify it, and even gave her helpful financial management suggestions such as signing up for overdraft protection. One of the most frequent examples that participants brought in from competitors were notices of bad news that they liked. Wells Fargo executives concluded that a message delivered with relevant advice, in the appropriate context, can be well received, even if it’s bad news.
- Customers still have an appetite for good communications. The bank worried that customers might say it was communicating too much. On the contrary, customers said they wanted to hear more from the bank, specifically tips, suggestions, advice, and relevant recommendations. Communications written from a customer-advocacy point of view, as opposed to a bank- or product-centric point of view, received favorable assessments. Customers want to feel that the bank communicates with them as people.
- Different customers want different messages. The research showed that novice users of Wells Fargo want the bank to play an advisory role and teach them how to develop financial intelligence before they get into trouble. Moderately savvy users don’t want to be sold products; they want to see the pros and cons of offerings so they can make up their own minds. Financially savvy customers want to know the bank cares that they are customers and want the bank to provide them an edge that competitors can’t.
Clearly, ethnography yields deep insights. It’s a methodology applicable to virtually any area of member interaction, including communications, Web site design, branch layout, product features, member segmentation, and call center scripting. [2] Credit unions should regard it as a viable option in their marketing research toolbox.
If you have any questions, or would like to know more about conducting marketing research at your own credit union, please contact email@example.com
[1] MIT Sloan Management Review.
[2] Forrester Research.
AVP Staff Analyst,
Credit Union Resources, Inc
I am often asked what the focus of a credit union’s travel and conference policy should be. Of course what is included in the policy will vary from place to place, based on the individual institution’s philosophy, field of membership, and other factors. However, there are some basics that should be included in all policies.
Review and authorization is a very important control issue that should be addressed by all credit unions. Policies should spell out who is authorized to approve travel and conference expenses, when pre-approval is required, and how these expenses will be reviewed (for example, all expense statements submitted by members of the Board of Directors will be reviewed monthly by the Supervisory Committee). How approval and the review process are documented should also be addressed.
Limitations on the amount that may be spent, on the number of conferences that may be attended, and on the locations where conferences may be attended may also be included in policy. Sometimes a specific number of conferences or seminars is set, or sometimes an annual amount of money to be spent on education is determined, and once that limit is reached no further education sessions may be attended. In an attempt to limit expenses, we often see policies that limit attendance to in-state conferences; however, that may not always have the intended effect. For instance, if a credit union is located in Beaumont, Texas, it may be more cost effective to attend a conference in Lake Charles, Louisiana than to attend a conference in Amarillo, Texas, even though the one in Amarillo is in the same state, because Lake Charles is closer to Beaumont than Amarillo is. Perhaps it would be more productive to limit attendance to those states covered by the home trade association or those that abut the home state, in an effort to exclude trips to Las Vegas or similar locations that might be considered more of a vacation than a true educational session.
Another question that should be addressed is the requirement for receipts. Some credit unions elect to allow a per diem, that is, a set amount per day for expenses such as meals. Others reimburse for actual expenses and require receipts. This decision could possibly have tax implications.
The timeliness of submitting expense statements and receipts is often overlooked when drafting policies. This should be addressed in policy so that items are not outstanding for long periods of time.
The question of paying for spouses to attend conferences often elicits heated opinions on both sides. NCUA’s Letter to Federal Credit Unions 05-FCU-02 states that federal credit unions may reimburse volunteer officials and one guest per official for reasonable and proper costs incurred in carrying out official responsibilities of the credit union.
One requirement that has been popping up in policies more often recently is that of asking employees and officials to bring back the information they obtain at education sessions and share it with the other employees and officials of the credit union, thus maximizing what the credit union gets for its dollar.
It is important to have a policy in place so that everyone knows what is expected and is held accountable. The policy should reflect the credit union’s philosophy and should be consistent in nature with other policies and procedures.