Heading back from Las Vegas following ICBA’s annual convention, I can’t help but think about that heist flick, Ocean’s Eleven, as I consider today’s fraud landscape. The movie’s premise is this: A group of guys set out to steal an exorbitant sum from three casinos. Somehow, they are successful in outsmarting security systems, and they walk away with a cool $150 million.
Contrast that with today’s cyber version of vault-busting thieves. Most often, these criminals don’t stray far from the digital comfort of sophisticated tech and the dark web, taking advantage of the weakest link in the financial transaction: the customer as a point of entry. In fact, the FBI reports that cybercrime losses in 2016 were $1.33 billion, with email account compromise the number one source of loss.
With threats continuing to emerge, I sat down with ICBA’s cyber expert, Jeremy Dalpiaz, assistant vice president of cyber and data security policy, to discuss what community banks can do to thwart cyberattacks. Our conversation uncovered three important tips for banks in navigating today’s cyber landscape.
1. Ensure the authentication procedures match the current risk environment. After the Equifax breach, hackers took hold of an enormous amount of information that, when cobbled together, can give thieves the keys to a person’s identity. Banks need to be one step ahead, updating their customer authentication procedures to ask for verification points that have not already been breached.
“Banks have to look at the type of information that was released and the type of information that they hold that they can use to authenticate customers,” Jeremy notes. “We haven’t seen the Equifax information on the dark web yet, but that really shouldn’t comfort anybody. If anything, that should raise the red flag.”
Asking the right authentication question, unique to your data, remains one of the best things a bank can do. More insights for how to strengthen internal processes can be found in the resource, “Tips for Community Banks Following the Equifax Breach.”
2. Elevate cybersecurity to an enterprise-wide initiative. Everyone within the bank has a responsibility to watch out for cybercrime. Because it often happens at the point of entry, every department from customer service to executive management needs to be on the lookout for anomalies in customer behavior or inconsistent requests.
“Cybersecurity is a field that has gone from a technical focus to a whole bank focus,” Jeremy shared. “It is in every line of business and in everyone’s interest that bank employees become familiar with how fraud can occur – whether that’s through hacking, phishing, spoofing or another method.”
As an enterprise-wide activity, banks also should test their incident response policy. Every year, FS-ISAC offers a free Cyberattack Against Payment Systems (CAPS) exercise that allows financial institutions to identify gaps in their processes.
This year’s exercises take place Oct. 9-10 or Oct. 16-17, and it’s worth considering for your institution.
“These exercises are good not only for cybersecurity resiliency but for business resiliency in general,” Jeremy says. “We receive great feedback from banks that participate.”
3. Share information with one another—and with your customers. One of the simplest ways to counter cybercrime is to participate in information-sharing with other banks. When banks communicate with each other, each entity strengthens. Individual financial institutions get to know hacker tactics, techniques and procedures and identify ways to address potential vulnerabilities.
“With FS-ISAC, you can share information in a trusted environment,” Jeremy points out. “Everybody is sharing information about how to better protect each other’s systems. It’s a pretty unique opportunity.”
In terms of sharing with customers, ICBA is involved in Operation Stop It! which is a joint initiative between the International Association of Chiefs of Police, the Identity Theft Council, and the Identity Theft Resource Center, to help protect communities from identity theft and to make sure victims get the help they need. This group is a great resource for your customers as issues arise, and there are opportunities for community bank involvement as well.
While these tips provide support in updating your fraud mitigation procedures, financial institutions must stay vigilant against cybercrime in ways that align with their organizations’ strategic direction.
No matter the approach, today’s cyberattacks call for something more sophisticated than the surveillance found in an old-school casino caper. A bank’s job is to identify ways to outsmart cybercriminals and stay a step ahead to safeguard customer accounts.
Cybersecurity Resources for Community Banks
ICBA Cybersecurity Resource Center & ICBA Data Security Resource Center – Provides tools and resources for community banks to stay up-to-speed, including a data breach information center and a cyber and data security toolkit
FS-ISAC – Offers a Community Institution Council for information-sharing
Operation Stop It! – Community-based identity theft initiative
Krebs On Security - A daily blog covering computer security and cybercrime, published by American journalist and investigative reporter, Brian Krebs.
Verizon Threat Intelligence Report - A comprehensive analysis of breaches and incidents investigated by Verizon personnel or reported by one of their 65 partner organizations.
FireEye - FireEye is an intelligence-led security company.
Fraud Mitigation for the Win
I recently came across a Harvard Business Review piece titled, “Do You Play to Win—or to Not Lose?” At the surface level, these choices seem like the same thing, but the article goes on to discuss that the difference lies in individual motivation. Simply put: If you’re playing to win, you’re taking advantage of opportunities; if you’re working to “not lose,” your focus is on preventing the other team from dominating.
In banking, a lot of times, we err on the side of “not lose.” And that reaction is justified. For example, the newly released 2017 Financial Institution Payments Fraud Mitigation Survey from the Federal Reserve Bank of Minneapolis revealed three out of four FIs experienced fraud losses in 2016, and 96 percent of debit card issuers faced card fraud losses. What’s more, 63 percent of banks reported increased fraud loss over 2015.
With fraud continuing to rise, losses growing, and new types of attacks emerging, sometimes it feels like we need to lock down our vaults and throw away the keys. But if we do so, we cease to improve our game and strengthen our competitive edge. So, in this mode of prevention, how can we, as community bankers, switch our focus from losses to wins?
To me, the answer rests in how we protect our house. It’s the systems we put in place to bolster our defense against fraudsters. And it’s in how we work with our partners.
For starters, having the right mix of multi-layered tools is a must. The Fed Minneapolis survey found that for debit and credit card transactions, 70 percent of respondents use seven of 11 fraud screening and scoring tools—yet they still suffered losses. Why? It may be because they don’t have the right mix of tools in play.
In addition, banks expect their customers to be their last line of defense. The Fed report concluded that there is “some reliance on customers detecting fraud when other methods did not block the transaction from occurring.” The problem with this? At this stage of the game, the fraud has already occurred.
Yet the solution is within our grasp. By working with trusted partners to assess our areas of vulnerability and recommend solutions to strengthen our infrastructure, we can lessen our reliance on the customer as a last-stop tool in combating fraud.
To that point, there are many reliable sources out there who can help banks better safeguard their systems and grow fraud detection programs. So, talk to your current providers and ask them to evaluate where there may be gaps in your protections. Research new entrants to the market to ensure you’re on top of the latest technology and how it responds to ever-changing attacks. Reach out ICBA Bancard to learn about solutions that can augment existing channels, like its new partnership with Cardinal Commerce on a card-not-present authentication tool. Take that next step to make sure you stay one step ahead of fraudsters.
All this goes to say, it doesn’t take an enormous investment to strengthen fraud protections. It just takes a shift in mindset—with the goal to play to win.
2018: The Year of the Community Bank
There’s something about the start of a new year that breeds optimism and fresh perspective. Challenges give way to opportunities, and obstacles become puzzles to solve.
That positive tenacity intensifies for me as I look at 2018, a year in banking like no other. From the digital revolution to the role of fintechs, a new day has dawned, and in its light, we see the sprouting progression of community banking.
The future hinges on one key ingredient: technology. Technology is upending traditional banking by standardizing what once was science fiction. From artificial intelligence (AI) and wearables to the Internet of Things, the marketplace has transformed from analog to digital in all capacities, leaving banking poised to reinvent itself in this new space.
By capitalizing on the changes in the following three areas, community banks can take advantage of these market shifts to position their services for the future:
- Digital Payments – Above all, community banks need to think digital-first when it comes to payments, starting with a rock-solid strategy (see my posts from last January and February). Gone are the days when the digital component was an add-on to an existing bank service. That won’t cut it in today’s culture where the norm lies in smart, connected solutions, a.k.a. the Internet of Things—a movement McKinsey Global Institute estimates could have an annual economic impact of up to $11.1 trillion by 2025. The good news? Community banks have a nimble mindset and corresponding infrastructure that allows them to adapt and drive a seamless, digital customer experience.
- Artificial Intelligence – Whether it’s Alexa, Watson, Bixby, Siri, Google Assistant or some other AI tool, this technology extends far beyond the digital assistant moniker. For community banks, the AI framework gives them a solution to collect and quickly analyze data that can support existing efforts around predictive analytics, fraud detection, service personalization, and workforce productivity. While most community banks lack experienced staffers to filter and evaluate the information at hand, many new fintech solutions can do it for them.
- Fintechs and Application Interfaces (APIs) – And just like that, former fintech competitors now offer a strategic advantage. We have seen a paradigm shift in fintechs realigning their strategies to partner with community banks to deliver innovative products and services to market. Just witness our partnership with linked2pay for real-time posting of payments to community banks and their small business customers. With core providers finally willing to open their legacy systems to APIs, community banks can offer cutting-edge, digital solutions faster than ever.
And the speed of change continues, but when this technology revolution syncs with the innovative, entrepreneurial spirits of community bankers, opportunity abounds. Mark my words: The rise of technology will signify the rise of the community bank.
That growth will start now, in the strategies we develop, the partnerships we cultivate, and the solutions we offer. It’s up to all of us to evolve with our customers’ needs, not just looking at what they’re asking for today but anticipating what they will need tomorrow.
With that in mind, I’m calling for one collective New Year’s resolution: Let’s make 2018 the year of the community bank.
Are You A Goal Digger? Six Professional Development Ideas for Payments Leaders
When I gaze back on my career, I see peaks and the valleys; the times where I knew where I was headed and the times where I felt I was driving at night without headlights. In my role as a community banker, in particular, things seemed to accelerate with lightning speed. Sometimes, I was clairvoyant, reading that market crystal ball like a road map, and sometimes, well, let’s just say that we adapted.
In our industry, that ability to adapt and change is what sets us apart and drives bank growth. But change can be hard; how do we know how to change, let alone when to change?
No one has definitive answers to those questions, but I can tell you from personal experience that staying on top of industry developments made me more nimble and gave me the courage to take calculated risks. I invested in my professional development to benefit me, but ultimately, also to benefit my bank. And this investment paid off, both in my career trajectory and in the bank’s offerings.
As I think back, there were a few key things I did that made all the difference. With that in mind, I’ve assembled a short list of development opportunities that may give you the same leg up and support you as you navigate this new world of digital payments.
- Find a mentor. I’m a big believer in learning from others. Having a mentor to brainstorm ideas with opens many channels and helps you see the world from varying perspectives. So, take a look back at your career and seek out your best leaders. Introduce yourself to others who share original perspectives at conferences. Reach out to professional organizations like ICBA. Do what it takes to find a trusted advisor who can help you to process ideas.
- Learn more and get involved. With such rapid change in the industry, you need a resource who can give you a quick version of what’s most important. Regional Payments Associations (RPAs) offer this knowledge and can keep you apprised of the most relevant changes for your institution. In addition, there are numerous volunteer opportunities with RPAs that help you grow as a leader.
- Join the FS-ISAC Community Institution Council. Having the right information is critical when developing business strategies, particularly when it comes to risk and fraud. To that point, it makes sense to consider joining your peers on FS-ISAC’s Community Institution Council where key topics include: attacks and technology issues, regulatory changes, changes to examination processes, and peer comparisons on topics of interest.
- Explore continuing education and certification programs. Investigate The Payments Institute; it offers an in-depth look at payments today. In addition, NACHA and the RPAs offer the Accredited ACH Professional (AAP) and the Accredited Payments Risk Professional (APRP) certifications for expert-level knowledge. ICBA’s own Community Banker University offers numerous online classes and workshops on a variety of topics throughout the year.
- Look to industry leaders for the latest tools and resources in digital payments. Simply staying up-to-date on what’s happening with major payments initiatives will give you insights into market direction. As payments evolve, those responsible for some of the changes offer free tools to support you. Visit the Federal Reserve’s Payments Improvement site, NACHA’s Same Day ACH Resource Center, and The Clearing House’s Real-Time Payments site for more information. For other topics, your RPA also can be a great source of support.
- Check in with the ICBA Bancard team. As a former community banker, I understand the unique position you’re in and can offer tips on things that worked for me. We also have numerous payments experts on staff who bring years of knowledge to the table and are happy to share their thoughts as well. Contact us anytime and follow me on Twitter @tnagiorgio.
With a wealth of resources, there’s no shortage of opportunity, just time to accomplish it all. So, as 2017 reflection gives way to 2018 goal-setting, I hope you can use these ideas to determine what aligns best with your professional development plan. Based on my experience, committing to doing just one new thing will have a profound impact.
What Does the Faster Payments Revolution Mean for Community Banks?
ICBA Bancard President and CEO Tina Giorgio discusses how community banks can deliver on the promise of ubiquitous real-time payments.
“My goal is not only to ensure that community banks stay relevant when it comes to real-time payments but ensure that solution providers are delivering affordable, integrated solutions for community banks that are easy for them to deploy," says Giorgio.
Listen to NEACH’s Pacing Payments podcast below:
Read the NEACH Podcast Transcript
Protecting Consumers After the Equifax Data Breach
Read the e-Book "Protecting Consumer Identity"
Getting A Slice of the $86 Billion P2P Pie
Business Insider estimates that P2P mobile payments could represent $86 billion in 2018, but as I speak with community bankers from across the country, the common refrain I hear when I broach the topic of P2P is, “Why does my bank need a P2P solution when there is already an abundance of P2P solutions in the marketplace?”
While it’s true that consumers have a number of P2P options, as I referenced in my last blog post, the majority of consumers prefer to use financial solutions offered by their bank and would gladly make the switch. There is a twofold reason for this: security and privacy. Consistent with federal and state laws and regulations, banks have trusted procedures for protecting, storing and accessing customer data and are routinely examined to ensure compliance. Many nonbank P2P apps are more social than secure. They can access social media sites and features on the device such as cameras and contacts, in addition to accessing bank account login information. Some even post customers’ payment activities on social media sites. Nonbanks offering financial services are subject to the same laws and regulations as banks, but not the same oversight and examination.
Let’s take a look at what I consider some of the best-in-class P2P solutions in the marketplace today.
Easiest Enrollment – Square cash – While enrollment in Square cash is one of the quickest and easiest to complete, the service has limitations. Square cash holds your money in your Square cash wallet until you request the funds be transferred to your bank account. Transfers take one to two business days, unless you are willing to pay a 1 percent fee for immediate availability.
Greatest Flexibility – Paypal – Without a doubt, Paypal has the most flexibility and the most users. In recent months, Paypal’s partnerships with banks and the card networks allow it to offer the fastest availability without a fee (debit card). However, users do not have to transfer their money to their bank account (a process that can take at least a day). They can simply leave it in their Paypal account and use it for purchases.
Speed – Venmo – Owned by Paypal and geared toward millennials, who are adopting Venmo at double digit rates, Venmo is easy to navigate. Sending money is fast and it sends messages in social media about payments giving it appeal with millennials (This is why it is coined a “Social Money App”). However, it still takes one to two business days for a Venmo transfer to be available, and it requires the user to immediately surrender the login credentials to their bank account.
Biggest Potential Game Changer – Zelle - According to Early Warning Systems, the bank owners of Zelle (short for Gazelle), their app will represent 60 to 70 percent of the U.S. DDA market. This could be the first P2P system with ubiquity thanks to the integration being built by FIS, Fiserv and Jack Henry, eliminating two of the biggest adoption hurdles – user fees (Zelle is free) and interoperability of existing apps. Couple that with near-time and eventually real-time payments, this one is sure to disintermediate the fintech solutions.
Of course, there are many other P2P solutions on the market – Dwolla, Amazon, Snapcash, Google, and Apple Pay (fall 2017) to name a few. P2P solutions are expanding into e-commerce, m-commerce, and small business applications, which should further increase their popularity.
Now is the time for community banks to embrace P2P. Even if your clients aren’t asking for it, they will use it, and they will thank you. Next month we will dive into The Clearinghouse’s Real Time Payments (RTP) system, the first new payments system “rail” in decades.
Mythbusting Digital Misconceptions
According to a new Price Waterhouse Cooper digital payments study, 46 percent of bank customers interact with their banks EXCLUSIVELY through digital channels (e.g., mobile, tablet and PC). This staggering trend away from traditional banking methods begs this important question: “What products and services is my bank delivering to customers living a digital life?” If your answer is none and you think that your bank will be unaffected by the digital payments tsunami because your customers aren’t asking for digital services, think again. If you’ve subscribed to the notion that older customers don’t bank digitally or that younger customers won’t be attracted to a community bank, let me dispel those myths right now!
Myth #1 – My customers aren’t asking, so we don’t need to provide it.
Guess what? If your customers are not asking for digital services, it’s because they are already getting them elsewhere. According to First Annapolis Consulting, 51 percent of respondents in their 2016 Study of Mobile Banking & Payments have a mobile wallet. Yet, only 7 percent are getting the wallet from their bank! Not surprisingly, Apple is leading the pack as the purveyor of digital wallets, followed by PayPal and Google. But guess who is tied for fourth with banks? Amazon! If you just sucked in your breath when you read the name Amazon, don’t despair. Forty-five percent of respondents in the same study indicated that they would prefer a mobile wallet from their bank versus a non-bank provider.
Myth #2 – My bank serves an older clientele.
The average age of a community bank customer is just over 51 years old. Don’t let age fool you, the First Annapolis study indicates 64 percent of consumers aged 45-54 have made a mobile payment - even baby boomers are getting in on the action! According to the 2017 FIS Consumer Banking PACE report, baby boomers have 9.1 touches per month with their bank through digital channels and only 2.9 via a branch or ATM. That number would probably be higher if it wasn’t for consumer concerns regarding merchant acceptance, privacy and security.
Myth #3 – My bank doesn’t attract younger customers.
Why not? According to FIS, 5 million (about half) of all small businesses are owned by millennials and Gen Xers (age 18-52). But here’s an interesting statistic - by 2020, millennials and Gen Xers will make up 70 percent of the workforce in the United States. So, the number of this group who are business owners is likely to grow. Unlike consumers, small businesses use their bank’s mobile services slightly more than services from non-bank providers. In fact, these small business owners wish they could offer MORE digital services through their trusted bank partner.
It’s not too late to get in the game.
Now for the good news - it’s not too late to get in the game! While the speed of change is beyond anything we have historically experienced, there are many partners out there to help your bank succeed in navigating the digital payments space (including ICBA Bancard). Customers will still seek digital services from their bank first. Not only that, if they are already with a non-bank provider, they will switch back to their bank when the digital solutions become available. Why? Because banks offer security and regulatory protections that non-banks cannot. Year to date, there have been more than 760 data breaches in the United States affecting over 12 million records, 55 percent of which were in the business sector.
Where to start.
It seems like a daunting task if you feel like you’re already out of the game, but with three steps you can get back in there.
First, you need to create a digital payments strategy. For help getting started, read my first two blogs (and coming soon, I will provide a template to help you).
Second, look at your organizational structure. Where do payments fit? Are the responsibilities fragmented and siloed? Is there a payments champion on the senior/executive management level? Organize around digital – always think digital first.
Third, more of your customers will adopt digital technology when you do. Do you have the right services in the right delivery channels? Are your employees embracing these channels? Can your employees talk about the features, benefits, and demo the solutions?
Next month, we will take a look at the various digital wallets on the market and why this is a channel you can’t afford to ignore.