Fiserv Core Flaw Exposed Customer Data at Hundreds of Banks: Security Researcher

 

By Robert McGarvey

 

Highly regarded security researcher Brian Krebs has published a bombshell report that maintains a flaw in some Fiserv banking technology leaves customer data potentially exposed to criminals.

Krebs does not finger credit unions that may have fallen victim to this but there is no reason to think some aren’t.  

Krebs credited the flaw discovery to independent security researcher Kristian Erik Hermansen who noticed that when he setup an alert on his bank account, the alert was assigned an event number.  So Hermansen, on a hunch, tried to log into an event number a digit different and what he found was that he indeed could log in.  This matters because, said Krebs, “In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.”

That means a criminal could add his email address to the account and get alerts on, for instance, all transactions.

Krebs also noted that a criminal could hunt for customers who had set up high minimum balance alerts – $5000, say. Which would tell the crook he could siphon out $4999 and he might be undetected for some time.

Krebs said he personally signed up for accounts at two small banks that use Fiserv.  Here’s what he found: “In both cases I was able to replicate Hermansen’s findings and view email addresses, phone numbers, partial account numbers and alert details for other customers of each bank just by editing a single digit in a Web page request.”

He said he found “hundreds” more banks with similar vulnerabilities.

Krebs told Fiserv what he had discovered. The company responded this way: “Fiserv places a high priority on security, and we have responded accordingly,” Fiserv spokesperson Ann Cave said. “After receiving your email, we promptly engaged appropriate resources and worked around the clock to research and remediate the situation. We developed a security patch within 24 hours of receiving notification and deployed the patch to clients that utilize a hosted version of the solution. We will be deploying the patch this evening to clients that utilize an in-house version of the solution.”

Cave elaborated to Credit Union Times: “This is related to a one-way messaging feature on a limited number of bank websites. Upon notification, we promptly developed a patch to update the feature, deployed the patch to clients using the feature and completed testing to confirm the issue has been fully resolved. Our ongoing research and continued monitoring have not identified, and we have not received reports of, any adverse consumer impact.”

There is no count of the number of websites impacted by this flaw.

Any credit union running a Fiserv core and/or online banking ought to quickly contact Fiserv and inquire into the availability of that patch.  They ought also to see if they can replicate Krebs’ hack of the alerts system. And – above all else – check your own systems to see if you can replicate the Hermansen hack.

If you can, take action.

Krebs said that, in his inspection, the Fiserv patch in fact works.  “This author confirmed that Fiserv no longer shows a sequential event number in their banking sites and has replaced them with a pseudo-random string.”

But Fiserv is not blowing trumpets to announce the patch or the flaw.

A scan of Fiserv’s Twitter feed found no mention of the flaw or Krebs’ reporting or the purported patch.   

There’s silence over at Facebook too.

Julie Conroy of Aite told Krebs this about Fiserv’s customers: “These financial institutions use a core banking provider like Fiserv because they don’t have the wherewithal to do it on their own, so they’re really trusting Fiserv to do this on their behalf,” Conroy said. “This will not only reflect on Fiserv’s brand, but also it will impact customer’s perception about their small local bank, which is already struggling to compete with the larger, nationwide institutions.”

What she is saying is that big banks – that ordinarily don’t buy off the shelf technology from a Fiserv – may have a competitive advantage because they build their own.

I’m not sure that is true – I doubt most consumers have a clue as to whether their bank or credit union technology is off the shelf or bespoke.

But Conroy is right: in some ways the big banks keep expanding their technology lead over small institutions. That does not have to be the case. A smart credit union can use fintech alliances to create an institution that is the rival of even the most polished money center banks.

But the credit union has to want to get there.

And a necessary first step is cleaning up that Fiserv mess if your institution is a victim.  Do it now.

 

The 20% Travel Ripoff

 

By Robert McGarvey

 

Can you do basic arithmetic? Do percentages? Of course you can and, in fact, we learn in fifth and sixth grades how to compute simple percentages in our heads. Quick now, what’s 20% of $100 – or 20% of $250?

Sure, you can do the math. But now some MGM resorts in Las Vegas – notably Aria, Bellagio, and my once personal favorite, Vdara – will tack on a 20% upcharge when you get a massage, facial, haircut, and similar.

Bellagio, on its website, explains the upcharge: “For your convenience a 20% service charge will be added to each spa and salon service received. A portion of the service charge is dispersed to the spa and salon staff members who served you and the remainder is an administrative fee. Additional gratuities are at your discretion.”

The LATimes, in reporting on this, quoted an email from company spokesperson Brian Ahern: “Our employees go above and beyond to provide the best possible service, and it’s important that they receive recognition for a job well done.”

What?

A coerced tip somehow counts as “recognition for a job well done?’

When a masked man puts a gun in your gut and takes your wallet, is this recognition for a job well done?

It’s Vegas, baby.

But it is nonsensical.

It’s picking my pocket to let the employer underpay its employees and why, by the way, is the customer hit with an “administrative fee” when paying a tip?

Don’t ask, there is no answer.

The trouble is that what starts in Las Vegas often spreads, like a bad disease, across hospitality.  Consider resort fees.  Sure, a few Las Vegas hotels shun the practice but most slap a fee – $39 per night at Vdara and Bellagio, by the way – and you got me what you get in return.

Across America, many, many more hotels – some in cities – have climbed on and now impose “resort fees” or “urban amenity” fees mainly as a way to hike room rates without actually hiking room rates.  But that $99 hotel room has become $129 and the culprit is the resort fee.

Now, Las Vegas has decided we are too dumb – or cheap – to tip their salon and spa employees and, oh wait, isn’t it the employer’s job to compensate employees?  Not the customer’s?

It’s Vegas, baby.

A few years ago I ran across a spa in Arizona that hit customers with an automatic 20% tip and when I asked the company president what possibly justified this, he took offense. Didn’t I see that he was providing his spa customers with a convenience? Doing the math for them because, presumably, they are too blissed out by the spa treatment, or maybe just too stupid, to do a simple calculation that most 12 year-olds can do in an instant.

Johnny, what’s 20% of $120?

Jane, how about 20% of $160?

(Hint: just multiply 2 times the first two digits and, bingo, you have the sum.)

I am and have been opposed to mandatory gratuities – anywhere from cruise ships to spas.

I also, some years ago, drove a taxi and gratuities made or broke my night.  If I got stiffed by too many fares, I cursed them and I went home with a lot less dough than I had hoped for.

I understand the importance of gratuities.

But I resent it when they are shoved down my throat.

I am okay, by the way, with Danny Meyer’s campaign to end restaurant tipping and instead build tips into the prices for food shown on the menu. Of course I’ve eaten at enough Meyer places to believe his staff will deliver good service without the promise of a possible tip, or the withholding of one – and the difference between what Meyer believes is right and what MGM is forcing on customers is that Meyer shows one price, tip already built in, whereas in the hotel business there’s a service price and then, by magic, a service charge is tacked on so that $100 haircut now is $120.

With Meyer there is no chicanery. That’s the difference.

Automatic “gratuities” by the way seem rampant in the spa world and you have to ask: why is management so cheap that it won’t pay its employees adequately and why are customers so passive that they go along with this extortion?

Maybe what starts in Vegas really should stay in Vegas.

BSA, AML, and Your Credit Union: The New Perils

 

By Robert McGarvey

 

For CU2.0

Ask a senior credit union executive what’s new at his/her institution in regard to anti money laundering (AML), Patriot Act, and Bank Secrecy Act initiatives and the reality is that you will have a longer and friendlier conversation if you asked about his/her last colonoscopy.

Yes, it’s that bad.

And that’s despite the reality that a credit union can be shut down if it grievously botches its BSA and AML analysis.

Buckle up because in December 2016 FinCEN issued a press release where it announced a $500,000 fine against a credit union named Bethex in the Bronx.

Bethex has assets of under $13 million.  

They were folded into USALLIANCE, a Rye NY credit union. Bethex was no more.

FinCEN outlined Bethex’s sins: “In 2011, Bethex began providing banking services to many wholesale, commercial money services businesses (MSBs). Many of these MSBs were located in high-risk jurisdictions outside New York and engaged in high-risk activity, including wiring millions of dollars per month to countries at risk for money laundering. When Bethex began to service these MSBs, it did not take steps to update its AML programs.” 

“Among other violations, Bethex failed to timely detect and report suspicious activity to FinCEN and did not file any Suspicious Activity Reports (SARs) from 2008 through 2011. In 2013, as a result of a mandated review of previous transactions, it late-filed 28 SARs. The majority of the suspicious activity involved high-volume, large amount transfers outside of Bethex’s expected customer base by MSBs capable of exploiting Bethex’s AML weaknesses. Most of those SARs were inadequate and contained short, vague narratives encompassing a broad summary of multiple and unrelated instances of suspicious activity. For example, one SAR covered over $906 million in total aggregate of suspicious transactions, but provided little information useful to law enforcement investigators.”

In 2015, North Dade – a small Florida credit union – was effectively put out of business because of AML and BSA violations.  In 2013, tiny North Dade moved over $1 billion in wires, often overseas. According to FinCEN: “When a small institution opens its doors to the world, takes on greater risks than it can manage, and puts profits before AML controls, bad actors are bound to take advantage,” said FinCEN Director Jennifer Shasky Calvery. “This case raises pretty obvious questions that no one seems to have asked. Why would MSBs located all over the world choose a small Florida credit union to conduct close to $2 billion in transactions? Credit unions pride themselves on close and low- risk relationships with known neighborhood customers. However, North Dade welcomed customers far beyond its field of membership, without adequate policies and procedures to ensure AML compliance.”

Face this reality: the big banks have big teams in place to handle BSA, AML, etc. They also have invested – heavily in many cases – in automation that takes a lot of the heavy lifting out of compliance. Machines do the work.

Credit unions – especially the vast majority with assets under $1 billion – generally have not invested in automation for compliance. “There are case management systems that are good. They can be expensive for a small FI.  A lot of bigger banks are using robotics to get screenshots of bank statements and so on – an analyst doesn’t have to spend an hour collecting it. Only the biggest banks are doing this,” said Alma Angotti, managing director in the Global Investigations & Compliance practice of management consulting firm Navigant Consulting, Inc.

Another issue that many small financial institutions now face: “Many employees in compliance are burning out,” said John Podvin, a Dallas lawyer well known in BSA circles.  He added: “There are people in BSA who are asking themselves, do I want to be second guessed all the time. Some are leaving the field.”

A reality in BSA/AML is that the easier course is to file a SAR (suspicious activity report – this documents flags an action for possible investigation by law enforcement). Do that and a financial institution probably has satisfied its regulators. “There is no downside to filing,” said Angotti.

Where the credit union may find itself in a pothole is when it does not file a SAR. In that case the credit union needs to justify why it did not file – and an examiner may well challenge the credit union.

And that means many more hours get invested in explaining and justifying decisions.  Said Podvin: “There are increasing expectations from examiners – that’s the biggest problem now.”

“It’s one thing for a big bank with a staff of several hundred working in compliance. It’s different for a community bank.”

Or credit union.

A result is that slender compliance staffs may be worn down in many small credit unions.

Another barrier at credit unions: there may be “competition for scarce IT resources,” said Angotti. Doing BSA/AML research is computer intensive and, at least at smaller institutions, there may be a battle for resources and ask yourself this: who will win if the fight is between marketing, which needs IT resources to power a new campaign that may bring in lots of new members, and compliance which wants to research possibly suspicious activity by members?

It’s a fight that compliance usually does does not win.

Don’t expect BSA/AML workloads to magically lighten.  

Possible light at this tunnel’s end, said Podvin, is a federal effort to streamline some BSA/AML compliance.  He pointed to pending legislation, HR 6068, as offering hope to financial institutions. The aim of the bill, in its own words, is to “reduce regulatory burdens, and ensure that the information provided is of a ‘high degree of usefulness’ to law enforcement.”

Don’t count on relief until a bill is signed into law.

Meantime, good advice for top credit union management is keep your ear to the ground and ask – and ask again- your BSA and AML teams what issues are they facing and what resources they need to do their jobs better and smarter.  

No credit union CEO wants to increase the budget for compliance work.

But no credit union CEO wants his/her institution to go the way of Bethex.

That makes the choice easier.

 

Would You Pay for Business Travel Upgrades Out of Your Own Pocket?

 

By Robert McGarvey

 

New research via Travelport slapped me upside the head so hard I  thought of Mo Howard and believed I was having a Three Stooges moment. Except, apparently, this is reality.

According to Travelport, 55% of us will pay for travel upgrades out of our pocket. This includes better seats on planes, WiFi, and hotel rooms.

The research also underlined how we have in fact become a nation of wimps where 69% of us say we always comply with our organizations’ travel policy. Another 26% say they “frequently” comply.  Meaning that just 5% commonly go rogue.

Color me mistaken.  In the past I have laughed at airline beliefs that we’d pay for seat upgrades – I am apparently wrong.

(I was right, though, in railing that we had become a nation of wimps. Sigh.)  

As for what we told Travelport we’d pay for with our own dough (or frequent flyer miles), 49% said a better airline seat.  52% said a better hotel room. 50% said upgraded hotel WiFi. 50% said upgraded rental cars. Only 19% said there’s nothing they would pay for.

How about you?

I’ll admit I have occasionally used miles to buy upgrades – but I’d earned the miles flying for a specific client and was doing another trip for them and have decided to spend some of those miles for a business class seat.  Taking the sting out of this is that I know the CEO and I know he complies with his company’s coach only policy – but he pretty much never flies coach because he too spends miles. He’s also United Premier 1K so the airline gives him plenty of perks.

But he didn’t ask me to live by rules that don’t apply to him so I have been okay with spending miles on trips for him.

But I can say I have never spent money – mine or a client’s – on an upgraded hotel room (they are fungible to me) and I have never spent money on a rental car upgrade.  Never.

As for hotel WiFi I rarely use it – I consider it hideously unsafe and use cellular hotspots instead – so I’m not buying an upgrade on that.

My policy – going back to my earliest days on business trips and taught me by my bosses – is that if it is legitimately travel related the company should and will reimburse.  If it’s not, forget about it. And there isn’t a lot of gray in that equation.

In those days you could and should bill for a copy of the Wall Street Journal bought at the airport. But not for a Playboy or Mad Magazine.

I also can only think of one time when a client challenged a travel expense and, honestly, I had carelessly passed on a receipt to a secretary who had typed up my invoice. Not her fault. My fault and the client was right to challenge it.

But when it’s needed for work, the employer or client needs be paying for it.  No questions about that, so my policy is to push back against policies that defy my principles.  

Usually, too, my experience is that these are easy wins.  Ask and you get.

A lot of us apparently are no longer asking.

A sliver of good news in the Travelport data is that 90% of us say we are permitted to keep miles and rewards points we earn on business trips.  And I do wonder about the 10% who apparently kick them back into their organization’s coffers.

Also, many of us now use airport expediting services.  43% are in TSA Pre. 33% are in Global Entry. 31% are in Clear.

Often, employers paid for such services.  Just 17% said none of them. (15% said they belonged to none. It’s not clear if many of those 15% work at organizations that don’t reimburse.)

29% said employers reimbursed for TSA Pre. 28% say similar for Global Entry.  23% said likewise for Clear.

Every employer should pay for one such service for employees who travel on business. That is blatantly obvious to me.

A hot button question in the research is: would you let your employer use GPS tracking to monitor where you go when traveling on business?

Understand: it doesn’t bother me that Google knows where I go (I am a Fi subscriber). It also doesn’t bother me that many rental car companies now use GPS tracking.  

But 25% of us say we would definitely disagree with an employer policy of using GPS tracking on us. Another 21 % say they would “somewhat disagree.”

28% like the idea. 17% “somewhat” like it.

Talk about divided opinion.

As for me, I’m not going to take a position on GPS tracking for others. I am okay with it on me. But I won’t insist others think likewise.

It’s a gray area.

But in my mind there should be no divided opinion – no gray area – about reimbursement for business travel related expenses. If it’s a legit business expense the company needs to pony up.

 

 

 

On the Digital Transformation Journey with GTE Financial’s Brian Best

 

 

By Robert McGarvey

 

For CU2.0

 

It was mid 2016 when Brian Best was handed the top job at GTE Financial in Tampa FL and he’s been charging ahead since.  With over $2 billion in assets GTE Financial is among the nation’s biggest but as CEO Best is busy remaking the institution for the contemporary age.

Resting on laurels is not how he sees his job.

He said that a lot of his drive to remake GTE Financial grows out of the recognition that it’s in a different position.  He elaborated: “In our community, Tampa Bay – we have a lot of Millennials. 51% of our members are Millennials.  And they really like digital. They like the ease of access. We believe they also like brick and mortar.  But we know we need good digital.”

Best dated the start of GTE Financial’s Digital Transformation back to 2015  – he was chief experience officer then – and, he said, the institution’s aim has been to win member loyalty with superior experiences. “We want to make sure our experiences are beneficial to our members. Experiences are what differentiate an institution. Products don’t.”

Said Best: “We are 100% focused on what the member experience looks like.”

Think about that.  Most financial institutions offer roughly the same products and – hype aside – there often isn’t much that distinguishes the basic products at one institution from those at another.

At GTE Financial Best is driven to go beyond the basics and drill into what – really – will captivate members.  That’s at the heart of this digital transformation.

Best said a continuing obstacle is that third party vendors “don’t want to give up control of their APIs,” that is, their Application Protocol Interface, which enables communication with the program.  Many tech vendors jealously guard their APIs and, although that is understandable, it also complicates the job of an institution that is seeking to give members a unified experience.

Best added that many vendors also don’t get that “we want to give our members a different experience” – meaning that GTE Financial does not want to settle for the same off the shelf tool kit that is in use in dozens, maybe hundreds of financial institutions.

“What should digital transformation look like,” Best went on. “We believe a member should be able to access – easily – key information in their accounts.” He pointed to an amortization table as a case in point.  Loan customers should be able to easily access it – that table is crucial to seeing ahead with a loan – but doing so just isn’t ways easy.

None of these changes are simple and many aren’t quick. Best said, “Our main competition is ourself.  We have every big bank in Tampa. They are throwing money at digital transformation but their experiences aren’t that great.”

He added: “Our true competition is the Amazons, the digital payments landscape.  If we don’t live in that world we’ll lose touch with the future. It will be ugly for us if Amazon gets into the banking world.”

“Much like Amazon, the experience needs to be intimate even when it is digital. The artificial intelligence has to really understand what the member is looking for.”

“We want to create real intimacy in the virtual environment.”

Read that again. What Best is saying is that the companies that are winning succeed in combining great digital with genuine intimacy and personalization.  

Getting there just may be critical.

Best nonetheless said he is very optimistic, about the future for GTE Financial in particular and for credit unions in general.  “Credit unions have always put the person first – that’s why I started working for credit unions. Night and day difference between our culture and at the banks where I worked. Banks have a different mission. Credit unions will persevere because of that focus. If we lose that focus we have risk.”

He also shared a valuable tip. Just about every day GTE Financial gets 100 new members. What produces that steady stream?  Best thought about that before he answered.

Here is what he said: “It’s mostly word of mouth. We put a lot of effort into philanthropic giving

We provide $500,000 to $700,000 annually to a lot of non profits in Tampa. We average two financial literacy workshops a day. Word of mouth increases through the right activities. If you are doing the right things, word of mouth happens quickly.”

He continued: “70% of the time new members tell us they really like how we support the community.

They have a good feeling about where they are putting their money when they open an account with us.”

Can you say similar? Do your members?  

What Travel Apps Are On Your Phone?

 

By Robert McGarvey

A new Oracle report came as a wake-up call for me.  Said Oracle: we are using a lot of travel apps. Quite happily.

At first I snorted at this and then I recognized that, increasingly, I personally am making considerable use of apps – just not travel apps so much.

Should I do a rethink?

I do use Headspace and Mondly (language learning), pretty much daily on my Pixel phone. Google’s Fit is my daily companion as it tracks my walking and meditation. I use SeatJunky often (hunting for free seats at cultural events).  Of course I use Facebook on my phone, also a couple of banking apps and PayPal. The list could go on. But the point is just that, definitely, I make growing use of phone apps.

Five years ago I used pretty much no apps with any regularity but apps have crept into my life.

But not travel apps so much.

The Oracle report tells me to rethink that.  

According to Oracle, “Branded restaurant and hotel apps are very popular; almost a quarter of global consumers have at least one hotel or restaurant app on their mobile devices.” The exact number of consumers who use the travel apps, per Oracle, is 23%.

Those who use them use them often, too. Said Oracle: “Branded restaurant and hotel apps are being used weekly; 70% of the hotel/ restaurant branded app users say they use those apps at least once a week.”

For point of comparison, we use mobile banking apps more – but travel apps are surprising strong.  Here is data from a Federal Reserve study: “The Fed survey found that 43 percent of all mobile phone users with bank accounts had used mobile banking in the previous 12 months, up from 22 percent in the agency’s 2011 survey. Among mobile banking users with smartphones (cell phones with internet connectivity), 53 percent with bank accounts used mobile banking in the previous 12 months.”

As far as travel apps go, once we use one, we seem open to using more.  Oracle added: “Once consumers engage with branded apps, they’re open to using several; two thirds of the consumers using hotel or restaurant apps have at least three of them on their devices.”

A last bit from Oracle: “Branded apps are more popular than third party ordering apps – only 20% of global consumers have an app for a third party aggregator.”

It’s the last in fact that surprises me. I do have, and have used, HotelTonight, OpenTable, HipMunk, and a few others.

As for branded apps, I have on my phone Uber (used a lot), United, American Airlines, Delta, My TSA, and, nope, not a single hotel branded app.  I also have no restaurant apps. And I’ve never used the airline apps.

Maybe it’s my age.  Said Oracle: “Only 9% of consumers aged 55+ have a restaurant or hotel app on their mobiles, compared to 31% of millennials.”

I’m in sync with this however: “20% of global consumers have at least one app for a food delivery service on their devices.”  In my case it’s Ubereats, also Amazon Prime Now (which I have used on several occasions). Which puts me in line with this Oracle finding: “28% of global consumers said that they have paid for food and drink from an app on their mobile devices at least once.”

It worked fine for me, by the way.  I just don’t order much takeout food and so haven’t had a need for the apps anyway.

You are sitting out hospitality apps? Oracle said a lot of us do.  “43% of global consumers say that they do not use hospitality apps.” This also is age influenced.  “70% of the 55+ generation do not use apps in any way, compared to just 26% of millennials,” according to Oracle.

Tell you the truth, however, I am now downloading more travel apps and will begin using them because I am getting very accustomed to using apps (like Headspace) every day.

That’s the reality of mobile: the more we use it, the more we use it and, suddenly, we see the convenience of having what amounts to a mini computer in our pocket.

Then too, the power and ease of use of all mobile apps is much higher than it was when the iPhone launched 11 years ago (or the apps we had on our Palm Pilots before then).  

My advice: download three or four travel apps and, probably, you’ll begin to find utility and, no, I’m still not downloading any hotel apps – and year ago research from business intelligence firm L2 dismissed the lot as junk.  As for airlines, here’s a roundup of the best.  And here’s PCMag’s roundup of the best in all categories.

Happy downloading.

 

 

How to Avoid Merging Into Oblivion: Three Steps to Save Your Credit Union

 

By Robert McGarvey

 

For Cu2.0

 

Should you applaud, cry, or scream?

That’s my question as I read a Credit Union Times story headlined “NCUA Approves 14 Mergers in June”  — “Credit union consolidations for the first half of the year decline from last year.”

So far this year NCUA has approved 87 mergers which, CUTimes pointed out, is down from the 95 it had approved at this point last year.

Say 120 credit unions merge out of existence this year.  Where will that leave the credit union count?

According to CUNA in March there were 5644 credit unions.  That’s down from 6680 five years ago.

Do the math. In 2028, there probably will be under 4500 credit unions. Maybe fewer than 4000.

That kind of musing recently led marketer Bo McDonald to post a column at CUInsight headlined “The last credit union in America is….”  

He recalled Blockbuster – once ubiquitous in America, now largely forgotten. Are credit unions headed that way, he asked.

Good question.

It doesn’t have to end there but if credit unions don’t embrace the bleakness of their futures, the industry may well wind up as a footnote in business history books.

Big banks keep getting bigger. Chase, Wells Fargo, Cit, Bank of America are growing. They  long ago began measuring their bulk in trillions of dollars

And community banks and credit unions keep faltering. Add all credit union assets together and they about equal the holdings of one big bank.  Just one.

A sliver of good news in the CUNA data is that credit union assets and membership both are up.  

But you have to be worried about the question of when do credit unions become statistically unimportant.

And when does NCUA seem as needed as, say, an agency to regulate farriers and another to oversee typewriters.

It’s not that bad? Not yet. But the trends are plain.

There is a path to a brighter tomorrow. Technology, in its essence, is a great leveler. Smart, hungry credit unions can and are riding the digital transformation rails and are building institutions that will thrive for years to come.  Digital transformation has emerged as a must do for credit unions that want to survive and thrive.

Know that a healthy future is digital and that gets you moving in the right direction.

And then there is still more that needs doing.  Such as? Just three steps will help credit unions move into that brighter future and, you bet, this is all about rocking the boat. But when the boat is sinking, what does a little rocking matter?

Here are your three to-do’s:

Make big data your life blood.  Increasingly, data is the plasma that produces business health and credit unions have the ability to create big data insights that will rival what Chase and Citi produce. Communal data lakes are within reach and very probably will be up and running in 2019.

No, a credit union does not have enough data on its own – but when 1000 join together to share data, they collectively have what they need.

Make your mobile world class. Increasingly, too, mobile is the contact point that will matter to members (definitely not branches!) – but smart credit unions recognize that reality and at least some are busy developing their own mobile apps.

That’s a tough order for smaller credit unions – really any institution below $500 million in assets, which is around 90% of credit unions.  My advice to those institutions is to lean on your vendors, hard, and demand a mobile app that is as good as Chase’s and also Venmo and if they can’t produce, find a vendor who can.

Make your core system work for you, not the other way around. It’s ridiculous: many credit unions let their core systems, often 20+ years old, set their technology limits.  The limitations of their cores shape what online banking provider they will use, what mobile provider, often what payments processor.

That has to stop.  It makes as much sense as creating a shrine for an old Burroughs adding machine and saying daily prayers to it.

Start now to lessen the dominance of the core in your institution’s technology decisionmaking and, sure, I know that won’t be easy.

But going out of business isn’t easy either.

Think on it.

 

The Coming Payments Revolution in Travel

 

By Robert McGarvey

 

It’s about time: travel providers, at least the big ones, now are edging into an embrace of the payments revolution that in the past half dozen years have given us contactless payments, also mobile payments such as Apple Pay and Google Pay, and also EMV cards.

Reports Pymnts in a recently published report “Travel Payments Study:” “More than two decades after PayPal was founded, and four years since the launch of Apple Pay, the travel industry is taking its first cautious steps into its own payments revolution.”

The staggering reality is that travel has been under assault by hackers for at least a decade – it numbers among the most attacked verticals in the Verizon Data Breach Report.  Just converting to EMV at gift shops, bars and restaurants at hotels would put a serious crimp in hacker styles, but hoteliers are among the slowest to move into the new technologies.

Taking Apple Pay at check in would also be a boon to guest data security.

A peculiar irony is that credit card data insecurities may be a reason why travel providers have not innovated. Said Pymnts: “At 78 percent, consumer data security was, by far, the most-cited inhibitor to payments innovation. Following that was credit card data security imperatives, at 74 percent, which were listed as either ‘very’ or ‘extremely’ inhibiting. Incurred fraud losses came third, cited by 64 percent of respondents.”

Except now Pymnts reports that changes are coming.

It’s not your imagination that travel providers have been notorious laggards. Says Pymnts: “PYMNTS’ most recent research revealed that just 15 percent of all travel companies have attempted new payments innovations over the last three years, let alone those that succeeded in implementing them.”

Just 15%.  Wow.  This has been a span of feverish innovation, at least when viewed from the stodgy perspective of bankers.  And travel has sat it out.

Operating internationally and a broad industry dependence on third party payments processing services are cited among the reasons for delays in adoption of payments innovations.

Guests, too, have not insisted on innovations. Consider: most of us still, docilely, hand over a credit card in a restaurant, the server vanishes, and a few minutes later a receipt comes at us.  I cannot remember the last time I saw that at a restaurant in Europe, where servers – for at least 15 years in my recollection – have been equipped with miniature credit card processing gadgets that also print out a receipt, all in your plain view.

You just have to wince when you hand over a credit card at a hotel because the data just has been so insecure.  But a big driver for payments innovation – maybe the biggest – has been enhanced security.

And still travel providers stayed on the sidelines.

That’s changing. According to Pymnts, about 80% of travel providers plan payments innovations in the next three years.

14% say they plan to roll out “a lot” of innovations.

Just 5% say they have nothing in the hopper.

What’s prompting travel providers to invest in payment innovations? 91% pointed to customer suggestions as a prod – meaning our grumbles have been heard. 83% also said they had lost customers because they hadn’t innovated.

Reported Pymnts: “The demand for new payment methods isn’t being driven by companies looking to cut costs or boost efficacy, though, but by consumers in search of a more convenient and compelling payment experience.”

Travel providers also expect that although innovations have price tags, they may wind up actually saving money. Reported Pymnts: “We asked respondents whether they believed the financial gains to be had from payments innovations would outweigh the costs, and an impressive 96 percent of the sample had a positive outlook. These companies believe that the revenue gained would outweigh its costs, that innovation would have no effect on costs or that it would actually decrease costs.”

Large companies are much more optimistic about cost reductions than are small – and travel remains a business where there are many small players: travel agents, independent hotels, independent restaurants, local destination marketing companies, etc.  

Big players also see payments innovations as a way to drive down their payments processing costs – and probably they are right.

Should we in fact be optimistic that payments innovations are in fact coming – and that we’ll see more travel providers accepting Apple Pay et. al., installing EMV card readers, and – dare we hope – equipping servers in restaurants with portable reader/printers?

Just maybe we can expect to see all this. Said Pymnts: “One thing is clear, though: Travel companies must invest in improving their payments structures if they want to maintain a competitive edge.”

My advice: grumble about the absence of current payments technology when checking in, when paying in a bar, when paying in a restaurant.  Our grumbles do matter – the research underlines – so keep it up. And just maybe more travel providers will roll out contemporary payments tools.

 

Member Engagement: The Big, New Battleground

By Robert McGarvey

For CU2.0

Research out of Pymnts drives home two points: financial institutions, suddenly, are attempting to up their game in consumer engagement – and the better institutions are the ones that are all over this.

Said Pymnts: “Our analysis shows CE is a growing focus for FIs, particularly the top performing innovators in our study. Moreover, those banks that focus on a customer experience and consumer engagement (CXE) strategy are tuned into customer needs and adoption, and
they roll out innovations they say are more successful, too.”

The FIs that are good at this are getting better. The ones that aren’t, aren’t.

That has to be terrifying for the institutions that are laggards – and, sadly, most credit unions (and banks too) fall in the laggard group.  

But more now are trying to do this better, reported Pymnts: “Just 35 percent of [financial institutions] reported having focused on CE during the past three years, while 43 percent said they intended to focus on CE in the following three.”

Word of firm advice: solidly plant your credit union in the CE camp. That’s how to thrive.

Exactly what is meant by consumer engagement?  Pymnts explained: “Consumer engagement in the digital age refers to the combination of consumer experience, digital technology and data analytics.”  The researchers added: “These areas proved to be of particular importance to credit unions and community banks.”

Pymnts continued: “It is also critical to note that top performing FIs are far more likely to report an intent to focus on consumer engagement than their peers. In fact, 80 percent of Top Performers say they will focus on CE initiatives over the next three years, nearly twice the percentage of all FIs as a group (43 percent).”

Understand, the money center banks are focused on digital technology, data analytics, and consumer experience.  Most credit unions are playing catch up. But play they must because there is every indication that, increasingly, members will be won and lost in large part due to their member experience of the credit union.

Think about just one battleground: the mobile banking app. Innovation is continuous at a Chase, or a USAA. Is it at your credit union?  Probably not. Most credit unions are beholden to third party vendors and speed of updates has not been how they have distinguished themselves.

Consider the fast rising consumer demand for p2p inside their mobile banking app. Not many credit unions offer it.  But the big banks are putting Zelle in their mobile apps – they are already there before a majority of consumers know they want the capability but that majority is definitely heading our way. What are you doing to be ready?

Pymnts also expects higher focus by leading FIs on digital wallets as well as loyalty and rewards initiatives. A hope of these initiatives: more mindshare of consumers and more touchpoints.  What credit unions want – and need – are well used accounts and that’s the intended payoff of consumer experience campaigns.

An engaged consumer is a more active consumer.

A lot of next wave consumer engagement will be technology driven.  Many credit union executives think member engagement and immediately think of a smiling teller and a warm voice on the phone.  But Pymnts rocks that paradigm by singling out Bank of America’s machine service rep Erica as a powerful innovation in engagement.  Said Pymnts: “When it comes to the changing nature of customer service, few developments in the financial sector offer quite as illustrative a demonstration as the runaway success of Bank of America’s digital assistant, Erica.”

In its first three months, Erica grabbed one million users. For many of us, said Pymnts, digital assistants now are the “preferred” contact channel with an FI.

It wouldn’t surprise me if many of us have many more contacts with a digital assistant than with a human, in part because the digital assistant is always available and also because – psychologically – we don’t think we are demanding too much attention when we pepper Erica, or Alexa, with questions.  

Pymnts said that the digital components figures in more ways in our customer experience.  It elaborated: “There is a direct correlation between innovative payments technology, a differentiating customer experience and developing newer, more efficient payment features that can help boost CE.”

Consumers like mobile banking and they really like mobile remote deposit capture.

What additional technology do you offer that you know your members love? “I can’t think of any”  is not a good answer.

Accept this reality: technology will shape the looming customer engagement wars and the credit unions that are racing to stay ahead technologically are very probably the ones that will emerge as winners.  Today’s technology will not keep consumers engaged tomorrow. Race to stay in the chase.