FFIEC: Tackling New Online-Banking Risks
Bank Risk Assessment Reveals Need for Change
Mike Wyffels, chief technology officer of QCR Holdings, a $2 billion company that owns and oversees four banking institutions, says recent risk assessments conducted as part of FFIEC guidance conformance proved QCR needed to make some shifts in its online-banking strategy. Those shifts required some significant changes to the holding company's online-banking platform.
QCR's banks - Cedar Rapids Bank & Trust in Cedar Rapids, Iowa; Quad City Bank & Trust, which is located on the Illinois-Iowa border; Rockford Bank & Trust in Rockford, Ill.; and M2 Leasing in Brookfield, Wis. - identified new security threats, such as increased distributed-denial-of-service attacks, and regulatory changes as reasons to transition to a new online platform, Wyffels says.
"The threats that are out there today are pretty complex," he says during an interview with Information Security Media Group [transcript below]. "We've seen these DDoS attacks just continue to be pervasive in our industry, and we've seen them target banks."
Wyffels says timing was the main reason for the move. "We just had a timing conflict," he says.
Although Wyffels would not name QCR's platform provider, he did say the new solution was chosen because of its intuitive interface. "We wanted to address some of the customer needs," he says. "Clearly, regulatory guidance was a component of that, and our provider wasn't quite there yet and we were ready."
During this interview, Wyffels discusses:
- Commercial online-banking risk enhancements, beyond those outlined and expected by the Federal Financial Institutions Examination Council;
- Budgetary considerations and ensuring buy-in from institution management; and
- The challenges posed by working with numerous vendors rather than a single core provider.
Wyffels is the senior vice president and chief technology officer of QCR Holdings, where he supports the oversight of compliance and fraud prevention. He has direct responsibility for project delivery, training, development, technology operations and delivery, and IT strategy. He has worked in information technology for more than 20 years. His career has focused on the financial services markets and credit card processing and operations. Before joining QCR, he directed MIS and distributed systems for Alliance Data Systems in Dallas. Prior to Alliance Data Systems, Wyffels worked in several enterprise and line-of-business roles within IT for First Data Corp.
TRACY KITTEN: How large are the institutions QCR oversees, and who comprises their primary customer bases?
MICHAEL WYFFELS: We're probably about a $2 billion organization, and we're continuing to grow and perform pretty well in what I think most FIs [financial institutions] would say is a very tough marketplace.
Our primary focus is commercial business and commercial business customers, but we do have strong retail segments, along with investment, trust and leasing services.
Key Areas of Risk
KITTEN: What key areas of risk were identified during QCR's assessments and how did they vary among the institutions you work with?
WYFFELS: We have to be a little broad. First, you have to acknowledge that the changes in the threat landscape, whether they're internal or external, are going to drive a review of an institution's risk posture. When that happens, you're going to see institutions re-evaluate their risk postures and take appropriate actions. I like to make the point only because past and current conditions, and the increased threats associated with those that we've all witnessed over time, gain a lot of our attention.
With that covered, I can start with cybersecurity and geopolitical risks. It's interesting. We probably wouldn't have had to talk about the geopolitical portion of this a couple of years ago, and now we're finding out that we have to marry the two together. But I certainly believe everyone should pay increasing attention to the risk of cyberattacks, from both state and non-state organizations. I would say it also includes the oversight of mobile banking as well, not just online banking, and the risk that comes with mobile banking to the customers and the banks as well.
The next thing I'd say is regulatory changes. Those introduce new strategic and operational challenges for FIs today. Sometimes, if those things aren't coordinated well through the institution, they can create organizational risk and create inefficiencies which pull down on many different things. But at the end of the day, inefficiency draws down on expense. They could, for example, impact business models and profitability if not handled correctly, and they can change risk postures. At the end of the day, if the consumer labor or banks are already stretched, they're going to become challenges for the banks to be effective.
I believe liquidity or funding and collateral-type management is another area that banks are paying attention to. Banks are looking to decrease risk through addressing capital.
Finally, I'll close with the economic conditions and the marketplace uncertainty that I'd be remiss without mentioning. Loan growth is going to continue to be a challenge for banks; so we'll see more exploration for value-added, fee-based services that customers are willing to pay for, and this is an area that we can take advantage of to grow revenue until the market starts to turn and recover.
FFIEC Guidance Investments
KITTEN: The investments that are now being made to enhance some of the online security within your institutions and ensure conformance with the FFIEC's updated authentication guidance are just now taking place. What prevented QCR from making these investments sooner?
WYFFELS: Timing, I'd say, was probably the most important piece of that. We're like many FIs that take advantage of outsourced services. As a result, all of us depend on those providers to keep up with the regulatory changes. That means many of the providers control additions of features into products that enable the guidance. Over the last year or so, we finished a review of other provider solutions that are incumbent. We decided to work with an alternative provider for the commercial banking channel, and much of the additional guidance that we want to put in place can be addressed by that solution and other things we've already done today. Timing was probably our biggest obstacle.
KITTEN: What about the challenges from a budgetary standpoint? What types of constraints and existing contracts with core service providers posed challenges?
WYFFELS: I personally have not experienced a budgetary constraint from our executives or our board. They've been very supportive of the operational groups in the organization and the kinds of things that they need. In addition, our relationships with the core providers have been very good as well, and I have seen them to be very supportive of our needs, which include adjusting to changing market conditions.
KITTEN: Tell us about the changes QCR is making, where stronger authentication is concerned.
WYFFELS: We've made a few, just like other institutions. We use Vasco tokens today for customers who submit ACH and wire transactions. For other customers that don't do that, we have PassMark. It's a little less intrusive for a customer to look at a picture and go through that authentication process. Now, we've been doing those kinds of things for a while pretty successfully, but probably not much different than what other institutions have done there.
We've also been working with IronKey over the last year, so they've been very responsive and they've adapted their business model to move from a hardware solution to a software solution, which is something that's been pretty accepted within our customer base and within our treasury teams. They're also looking at deploying that in other platforms, which helps expand the area where we could use that product with our customers.
We do expect our ACH and wire customers to use the IronKey solution, because it's just another way to mitigate and reduce the risk. And, frankly, it's a step that helps us further reduce account takeover activity. We're also talking with Guardian Analytics. Guardian has come a long way, and they've got a very interesting product. You may remember a while ago, in another interview similar to this, I had mentioned that I really don't like putting product out to our customers that's intrusive or hinders what they do on a daily basis. I think that a model that allows detection, analysis and alerting from the back office is a better answer. Guardian has a solution that will do that in the back office, and make it transparent to our customers.
KITTEN: What about encryption? What enhancements are being made there?
WYFFELS: We've done quite a few things in encryption. We use encryption on laptops today. We're a PGP [Pretty Good Privacy] site [which offers data encryption and decryption as well as authentication]. We've been very happy with that solution. We do a lot of email-type encryption, where our employees can force encryption, and then we have a rules set on the back side for when an e-mail message goes out, it must meet the rules set and encryption is enforced. We apply encryption on our digital backups in our vaults, and so we've been very happy with that. We apply encryption on our SANs to protect the data that's sitting there in the SAN environment today, and so far we've been very happy with that as well. I think you have to look at encryption and try to find the areas where you can mitigate the most risk and apply it where it makes sense, and I think we've got a pretty broad cut of where we use that today.
In the wireless world, where people are traveling, we obviously use VPN [virtual private network] encryption services, and we're a Verizon shop and they've got a good solution there as well. You just have to continue to look at your own technology landscape and determine if you're addressing all the right things or if you need to start applying encryption to new things.
New Online Banking Platform
KITTEN: You've noted in conversations that QCR is transitioning its online banking platform to ensure more modularity, as well as the ability to complement the platform with enhancements. What can you tell us about the platform you expect to invest in?
WYFFELS: We're not quite ready to let you know whom we have selected, yet. But we've looked for a solution that has an intuitive interface for our customers. We want something that's easier for our customers to use and something that allows them the ability to customize their sessions, which makes them more efficient and more effective in their jobs. Clearly, we've looked for something that's got dual controls and improved reporting. We want to see alerting for both the customer and our back-office organizations, and we'd like to see that alerting extended to our treasury management teams, who have the direct relationship with the customers today, where it makes sense.
We also were looking for a commitment to a partner that would enable us to give customers one view into their banking relationship with us. That means a single sign-on interface was a key component of our decision. We think we've got a pretty good provider that does that today, so we're still doing what we call deep-dive due diligence with that provider. But so far, we've been pretty happy with what we've seen and we think our customers will be just as pleased with it.
KITTEN: Why was transitioning the platform the best option?
WYFFELS: Transitioning and moving away from one provider to another was pretty difficult. We're pretty happy with our current provider today. I think that they would say the same thing about us. We just had a timing conflict. They weren't quite there yet with the solution. We were ready to make a change and wanted to move on to do that, and so timing got in the way for both of us to continue to keep our solution integrated. We wanted to be able to address market competition. We wanted to be more competitive with our solution. We wanted to address some of the customer needs that we heard. We wanted to address efficiency in the back office. Clearly, regulatory guidance was a component of that and our provider wasn't quite there yet and we were ready.
KITTEN: What about the difficulty of changing or transitioning an online banking platform? Was that a tough sell internally?
WYFFELS: We're going to learn a lot about that when we finally pull this trigger with the provider that we selected. We're experiencing some of that right now. We're going to have to have an interface to the core system and so there's going to be some things we're going to have to work through there. There's going to be reporting that's being automated today that we're going to have to automate on the new provider's system. We've got those things to work through. We're going to have to convert all of our existing customers onto a new system, and we've talked about two or three different ways to try to do that that would accommodate our customers, meaning they would have less work to move over; the same would be true for treasury, to try to accommodate treasury so they don't have as much work, and then our back-office folks.
It's almost like a new enrollment process. It's almost as if the customers are going to be treated as brand new customers and, as a result, we're going to have to enroll them under a new system, train them under the new system and get them comfortable with it. We all know that change isn't always easy for a lot of people, whether it's a good change or not. I think we're going to learn a lot about what it's going to take to get that done.
Working with Numerous Vendors
KITTEN: Does relying on more vendors give QCR more control, rather than relying solely on the solutions that are offered by a core processor, for instance?
WYFFELS: I wouldn't characterize us as a best-of-breed shop, meaning that we would continue to look away from our core provider for other solutions. We've got a commitment with that provider, and, to the extent that they've got solutions out there that work well for us, we certainly want to stay there. This was just a timing issue and we wanted to move on, and it made more sense to do it. I really don't see this becoming a control challenge for us going forward. I think if you're going to be a best-of-breed shop, you're going to have to think about the control landscape and what it means to have to deal with those controls across many providers, versus having a very short list of providers to do that with.
KITTEN: Does working with more providers create new concerns?
WYFFELS: It creates more work. Accounts payable is going to have a new supplier that they're going to have to deal with payments on. Our back office is going to have a new provider that they're going to need to support from an online-banking perspective. Our treasury teams are going to have someone new out there as well that they're going to have to have a relationship with. Risk and compliance are going to be affected by that choice, so the same kinds of situations arise there. I think those are the kinds of things that happen when you add someone new to the list, and this is exactly why I say we don't see ourselves and don't expect to be a best-of-breed shop. We want to be as consolidated as possible.
Expanding Security Teams
KITTEN: Have you had to expand your security, fraud, IT teams and, perhaps, even your treasury department as a result?
WYFFELS: I think our bank always looked at their treasury staff to determine if they have the right staffing needs in place, and then they address that accordingly. We're a very relationship-driven bank, which means we really like to be out touching our customers. I know our banks well enough to know that if they can't keep that relationship model in place, because they're stretched on staffing, they would certainly handle that. I think that when it comes to fraud and IT teams, we certainly have seen expansion in our audit and in our risk staff in the last couple of years, and that's just probably due to the changes in the landscape and the regulations that are happening out there.
On our IT team side, we re-evaluate how big we are and how many people we have and the role that they play almost annually. We like to make sure that we're staffed accordingly. We survey our customers every month to get feedback on whether or not we're doing a good job, and doing it monthly gives us time to react. So far, we've done very, very well there. On the IT security side, it's the same kind of thing. We go through multiple audits all year because we have three different banks, so probably ten months out of the year we've got somebody looking at us.
Ensuring Customer Convenience
KITTEN: Earlier you were talking about Guardian Analytics and some of the back-office support that's available through the solutions that they provide. What steps have you taken to ensure customer convenience is not adversely impacted by enhancements being made on the back end?
WYFFELS: I think the answer is we're looking at what steps we can take with the solutions that we have out there to try to eliminate some of the intrusive products in place. When you look at multifactor authentication or you look at things like IronKey - and I'm not picking on IronKey, but as an example - those are all things that live out in the customer's environment. By my definition, they're intrusive because they've got to be there and the customer has to take some action to use those. We have a product in the back office that helps us do vetting of ACHs and it does behavior analytics and applies rules to them so it generates its own suspicious transaction alert.
When you look at Guardian and the kinds of things that it offers, what intrigues me about the combination of those two in a new online banking product is our ability to reevaluate our risk and what we're doing in front of the customer to determine if in fact we've got good enough controls in place from the online banking products and from companies like Guardian in the product we have today on the back-office side that gives us the ability to reevaluate our controls and take some of that intrusiveness away from the customer. That's coming, but we're hoping to be able to look at that and make some of those decisions.
KITTEN: Is customer education a concern?
WYFFELS: It's always been a concern. I think I've been one that's been an advocate of getting more and more education out in front of the customers, both commercial and retail. I just don't see enough of a push in the marketplace for that to happen. We've partnered with a company called BVS out of Cedar Rapids and have been able to develop a very nice educational product that our commercial customers, if they choose to, can become a subscriber to and learn more about account takeover and the kinds of things that they can do to protect themselves.
KITTEN: The changes that you're making, are these geared more toward commercial customers versus retail customers?
WYFFELS: We're a commercial bank first, and so we're very focused on the commercial channel and the kinds of things that we can do there to help them and help ourselves be effective and efficient. It doesn't mean that we don't do anything on the retail channel. There are some things that we're doing on the retail channel today, but I would say that it's commercial channel first.
KITTEN: When do you anticipate the rollout to be complete?
WYFFELS: The date for that to be complete is really going to be based on the staffing resources that our banks are going to have to be able to go out and touch our customers and get them trained. I've heard many different kinds of approaches that treasury has been thinking about. I think until we determine what approach they would like to take, it's going to be hard for us to look at the rollout. But I would anticipate this rollout to probably take six to 12 months.
Advice to Other Institutions
KITTEN: Before we close, what advice could you offer to other institutions?
WYFFELS: I think first and foremost you've got to look at the products that you have and determine if they're competitive in the marketplace. And if they're not, you need to start looking for something that helps you become more competitive. I also think you have to take a look at changes in technology for the products you have or changes of technology that you need to apply to help address guidance that's been released out there today. You have to balance the guidance; you have to decide how much of that guidance makes sense to you, do a risk assessment on that and determine of that guidance what things you want to do and what things you want to wait on doing.
Lastly, the threats that are out there today are pretty complex. We've seen these DDoS attacks just continue to be pervasive in our industry, and we've seen them target banks. I would anticipate that they may want to target other types of institutions in the future to be able to demonstrate their ability. You have to take a look at the kinds of technology that's available to you or available to your outsourcer that could be applied to help protect you from those kinds of things. We know that we've seen these happen against very large, very sophisticated and very capable institutions and they have struggled to protect themselves.