The Top Five Reasons
for Banks to Conduct Remote Vulnerability Assessments
and Quarterly External Vulnerability Testing
Too many banks and credit unions rely on annual or semi-annual vulnerability testing from third parties that do not specialize in the unique security needs of financial institutions. Here are the Top 5 reasons why a financial institution should consider remote vulnerability assessments and quarterly external testing by a third party that specializes in security testing and audits specifically for financial institutions:
Security - The landscape changes every day. Newly discovered vulnerabilities can create a huge impact on all businesses, but financial institutions face extra scrutiny from both consumer protection groups and from regulators due to the unique risks posed by ever-evolving threats to IT security. Because of this, only third parties that specialize in financial institutions should be relied upon to perform security audits.
Visibility / “Show me” - It’s one thing to review the patch logs on systems and have a feeling of safety and security, but how do you know they work? Contracting for independent, third-party testing to confirm whether all patches were installed correctly and are working as expected increases security integration and can prevent hidden problems in the future.
Trending Analysis - Do you compare your current results to your previous results? A trending analysis is a quick way to discover if your enterprise patch management solution is working effectively, and can help you identify potential security vulnerabilities.
Initiative - Regulators are typically pleased when financial institutions take the initiative to promote security above and beyond the minimum requirement. This also may raise the confidence of account holders and potential clients.
Cost - Removing the expenses and hassles of travel creates a positive impact on the bottom line for the financial institution. Remote assessments can be performed at any time, resulting in final reports that can be produced in a more timely and efficient manner.
So why don’t more banks and credit unions conduct quarterly external assessments and remote vulnerability tests?
Cost - Most financial institutions believe that the cost of quarterly assessments, even when performed remotely, would exceed that of a single annual assessment. Interestingly, because the more frequent tests involve less work, the cost of four quarterly tests often does not exceed the cost of a single annual test.
Awareness - Because not all companies offer a remote assessment and quarterly external solution, many banks and credit unions are unaware that this service is even an option. As a result, too many banks and credit unions develop security vulnerabilities between annual assessments that they are not even aware of.
Time - Today’s IT departments are busy enough as it is. The words “assessment” or “audit” typically mean that IT managers have to spend more time than they generally have, just on the auditing process.
Outsourcing - Many financial institutions are lulled into a false sense of security when they outsource applications such as internet banking and website hosting to managed or core application providers. They sometimes forget that by doing so, they lose focus on the bigger picture, airtight security across all platforms, including other internal and perimeter systems which may be left vulnerable to attack.
Understanding - Some executives do not understand the importance of a proper vulnerability management program. They depend on their IT department to “handle” the issue, yet they do not seek validation through checks and balances. With quarterly vulnerability testing, executives can easily view the status and overall posture of the institution without needing an extensive background or understanding of vulnerability management.
With every breach in security there is a renewed interest in reviewing a financial institution’s patch management program. Examiners depend on the results of the vulnerability assessments to score an organization’s patch management program. ROI in this sense cannot be measured directly in a dollar amount; however, if a security breach were to occur due to a poor vulnerability management program, the monetary and reputational damages to the financial institution can potentially be astronomical or even devastating.
We recently worked with an organization that was served with a Memorandum of Understanding (MOU) from the OCC because they had a poor patch management program (among other IT issues). They were repeat offenders. As it turns out, there was a barrier between the executive management team and the IT department. Had this organization implemented external quarterly vulnerability tests, executive management would have been able to track the progress of the program and take corrective action without the need of IT. Instead, they depended on an annual assessment which provided inadequate results.
AUSTIN, Texas (March 7, 2014) – Abound Resources, a leading credit union consulting firm, today released the results of its annual survey of credit union executives. The results highlight that credit union CEOs remain optimistic for 2014, an attitude that appears to be fueled by ongoing credit union profitability.
Credit union CEOs are feeling more optimistic about the year ahead, with 48% stating that they feel either somewhat or very optimistic, a jump in confidence from 2013.
"Even with a tough interest rate environment, credit unions have reason to be optimistic," says Brad Smith, Abound Resources' President & CEO. "In our conversations with credit union CEOs, the majority realize that they can do even more to position their credit union to rise above economic and regulatory challenges and remain profitable and relevant in 2014 and beyond."
Among its list of concerns, credit unions are focusing more on membership growth, with 25% naming it a priority, up from 17% in 2013. This makes sense, since the credit union membership is aging and credit unions are struggling to replace this aging base with Generation Y consumers.
In terms of setting growth priorities for 2014, CEOs are firmly committed to the notion that consumer lending is critical to their growth strategy. In 2013, 88% of CEOs named consumer lending as a growth priority. In 2014, it’s a resounding 94%.
A complimentary copy of a White Paper analyzing the complete survey results and Abound Resources’ top five strategies for 2014 is available for download at http://www.aboundresources.com/credit-union-insights-into-2014-survey-results/
About Abound Resources
Abound Resources is a full service credit union consulting firm with the sole purpose of helping credit unions achieve their goals - whether those goals are for growth, efficiency, technology or risk management. In fact, we guarantee it.
Abound Resources offers an array of services designed to improve performance and profitability and help credit unions cope with an increasingly stringent regulatory environment.
Our seven practice areas are each headed by an experienced practice leader:
Technology – credit union technology plans, credit union vendor evaluations, core vendor RFPs, credit union contract negotiations, credit union vendor management
Performance Management – credit union workflow improvement, revenue enhancement, credit union efficiency improvement
Lending – loan process improvement, loan origination vendor evaluations and implementations
Small Business and Commercial – small business deposit and fee income growth programs, credit union cash management programs
Strategic Planning – credit union strategic plans, risk tolerance planning, one page strategic plans, competitive differentiation
Sales and Marketing – branch performance improvement, sales coaching and training, e-marketing strategies and campaign management
Risk Management and Compliance – ERM, credit union IT audits, information security assessments, credit union compliance, BSA review
When we asked community bank CEOs where their growth focus would be in 2014, 85% of them said commercial lending (their #1 growth strategy). Tied for second was improving small business market share.
So why the interest in small business?
It is a very large and growing market. There are nearly 27 million businesses in the United States with revenues less than $5 million, representing 99% of all US businesses.
Small businesses are profitable to banks. The average small business owner contributes 6-7 times more profit to banks than the average consumer.
Small businesses are very loyal to community banks. Small business owners take great pride in their business and they want to be appreciated. This is why so many small business owners feel underserved by the Big Banks. They also have very long memories and remember the Big Banks largely abandoned them in 2010 and 2011. Community banks never left them.
But I think there are two big reasons small business shot up in priority this year: fee income and the need to lower banks’ cost of funds.
As the Consumer Financial Protection Bureau (CFPB) continues its assault on consumer fees and as debit income drops, community banks are looking to grow fee income from the commercial side of the house. Thankfully, small businesses have proven a willingness to pay for valuable products and services, and the CFPB has little to no governance over small businesses.
Additionally, at a time when interest rates are flat and Big Banks are offering 2.5% commercial loans, community bank CEOs are realizing it may be easier to gain 50-80 basis points by lowering their cost of funds than by raising loan rates. Commercial deposits have become very appealing again.
So if so many community banks are interested in the small business segment, why have so few been able to capitalize on it?
In our experience, the two biggest culprits are the lack of a sales model and me-too product packaging.
In many banks, the ownership of the small business segment is fragmented. Small business accounts generally fall to branch managers that are now too buried in paperwork to ever proactively call on their small business customers. And the commercial lenders generally only want to talk to small business owners when there is an immediate loan need.
This approach typically leaves a lot to be desired as the proven small business success model is to get the deposit account first, then the payments and then be positioned for when they need a loan.
That is why we recommend the dedicated business banker model to many of our clients. This role is typically an out of the branch sales and relationship officer that visits customers and prospects at their place of business (and scheduled branch appointments). The business banker typically has a geographic territory and is armed with the list of every small business in their territory. They have deposit, fee and loan referral goals and are equipped with iPads to open new accounts at a place of business or at lunch or rotary, etc. They are typically not lenders, though they are trained to identify credit opportunities and they can either approve simple loans that can be auto-decisioned or refer loans to commercial lenders.
In addition to a winning sales and marketing model, banks also have to get their products and product packaging and pricing right.
We did a competitive study of 28 community and regional banks in a large metro market for a client. The only difference we found in 28 banks’ primary business checking account was how many items they got for free.
We typically recommend that a community bank should have a free business checking account with lots of payments-based fee add-ons, a packaged account with valuable services at a fixed price and an account on analysis. Look for the intersection of value to the customer, account profitability and differentiation from your competition.
Regardless of the packaging you choose, be sure to pay attention to what should be three of your most profitable small business products: business debit card, business credit card and merchant services.
Most community banks have had success driving consumer debit activation and usage, yet have largely ignored business debit card. Business debit card interchange drives 2-3 times more revenue than consumer debit so it is worth some marketing efforts to drive usage.
Business credit card can be the single most profitable small business product for you, so you might want to reconsider issuing your own business credit cards. There are many more vendor options now, so you can, for example, have a single vendor that lets you outsource your entire program but lets you make the credit decisions for business applications and keep all the business interchange income. Or if issuing isn’t an option, structure your agency contract so you’re getting a one-time sign-up bonus and a decent percentage on the interchange, fees and interest revenue sharing. Remember, the money is in interchange and fees, not the interest. That’s exactly the opposite of the way most vendor contracts work.
Many community banks have lukewarm merchant services programs. But they can be a very profitable part of your small business offering. A couple of best practice metrics to help you analyze your program:
You should be averaging about $600 per year in merchant fees per merchant customer. If you’re not, you’ve got a bad contract or you’re targeting the wrong accounts.
You should expect roughly 10% penetration of your commercial account base.
You should also expect close to 100% of your merchant accounts to have a DDA with your bank.
If growing your small business market share is a priority, re-evaluate your sales and marketing model and your product packaging and pricing. And keep those small business owners loyal to community banks.
Approximately 60% of US Households have some relationship with one of the four largest banks – Bank of America, JP Morgan-Chase, CitiCorp and Wells Fargo. (Figure 1) In that same survey, however, 60% also indicated that they would prefer to do business with a Community Bank.
At the same time, current community bank customers are very loyal. 88% of non mega bank customers indicate they are “not very likely” or “not at all likely” to bank at one of the big banks in the future. (Figure 2)
While it may be good news for community bankers that our community bank customers love us and that the mega bank customers would actually prefer us, the reality is that most banking customers gravitate to the larger banks for two reasons: 1) The larger banks are perceived as technologically superior and 2) They are perceived to be more convenient.
And to make matters worse, the mega banks have the more desirable customers. They have the customers with higher incomes, higher balances and who are more likely to utilize less costly electronic delivery channels. (Figure 3)
So the good news is that as a community institution our customer base appears to be stable, at least as it pertains to the mega banks. The bad news is that 60% of potential financial institution customers think the mega banks are more convenient and more technologically advanced.
In today’s technological environment there is no reason a community institution can’t deliver the same level of sophistication and online convenience provided by the mega banks and online-only providers. At the same time, the current political and economic environment, which has resulted in adverse publicity and public reaction to the mega banks, provides an opportunity to go to the marketplace with a message that capitalizes on the preference for community institutions. Here are seven areas we recommend community banks address to take maximum advantage of current market conditions and opportunities.
1. Have a state of the art web site complete with account opening and loan application capabilities. It should contain interactive navigation and should be Search Engine Optimized. Keep in mind that it is projected that nearly 40% of all checking accounts will be opened online by 2015, and that nearly 85% of consumers and small businesses considering opening a bank account go to the internet first. This means potential customers are going to your web site before they come to your branch.
2. Ensure that the basic alternative delivery channels such as Bill Pay, E-Statements, email alerts, ACH, direct deposit, check imaging are in place and functioning in the most efficient manner from the customer’s perspective. All of these services are cost effectively available to community institutions and are expected by customers. Make sure you have them and that you communicate that you have them.
3. Install the emerging delivery channels as quickly as possible. At one point Mobile Banking was projected to have the fastest adoption rate of any financial service in history. The reason being that nearly everyone already has the delivery device…a cell phone. It hasn’t quite worked out that way, but mobile banking has become a fundamental service that is expected by most market segments. Likewise, remote deposit capture – deposits via a picture from your smart phone – is becoming a requirement demanded by new customers. Don’t waste time and energy building financial based business cases around these services. They are becoming as fundamental as having a branch, if not more so.
You must break the paradigm that only younger customers are interested in electronic banking. Of the major market segments, the largest is The Baby Boomers, the oldest of whom were born in 1946. This group is driven by convenience and has experienced first hand the development of technology in our daily lives. As a group they are technologically savvy and they expect those who service them to be also. And Gen X and Gen Y don’t even think of our smart phones and computers as technology. To them they are merely appliances. And remember the older Gen Xers are in their 40’s. So technology usage is no longer a young person’s environment.
4. Free ATM usage. An account configuration that provides free access to any ATM can be a strong component of competing with the enormous branch networks of the mega banks. Do some financial analysis and determine how much fee income is actually realized from your customers’ usage of foreign ATMs. In many cases you will find it is less significant than you think.
5. High performance institutions maintain a consistent marketing presence and a consistent marketing message. They create a marketing plan consistent with the institution’s strategic plan, create an implementation plan and stick to it. Institutions that are consistently presenting marketing messages within their markets are perceived to be financially stronger and more sound than those that do not.
6. A strong “sales culture.” This is arguably the most misused and misunderstood term in the financial services industry. It does not mean utilization of hard sell tactics. It means keeping customers fully informed of products and services that might be of value to them. 75% of financial institution customers say they expect their institution to provide them with information about products and services they may need. It is also not limited to sales training. It means establishing goals and objectives and implementing mechanisms to assist in reaching those goals, measuring results and recognizing high performers.
7. Understand how your branches are performing relative to market potential. Percentage or dollar growth may or may not be a good measure of performance depending on the market in which a branch is competing. Ranking branches relative to both key performance indicators and market potential can provide a clear direction for prioritization of marketing dollars and performance expectations.
Strong retail and marketing personnel working together to design and deliver a plan integrating these seven areas will provide definitive and significant return on investment as a result of increased market share, increased customer retention, and a strong presence in your market(s).
For the last two decades, community banks could effectively differentiate themselves from their big bank competition based on two bedrocks; “we’re local” and “we give great customer service”. With today’s fickle customers, increased competition, ever growing technology developments and changing demographics, community banks need to redefine their value proposition.
To define your true competitive differentiation, you need to communicate, and execute, on a promise to your customers that passes the following tests:
- Does your promise matter to your customer?
- Is your promise different from what your competitors promise?
- Can you prove you deliver on your promise to prospective customers?
In most markets, a “we’re local” differentiating strategy fails at least one of those tests. Customers and prospective customers hear “we’re local” from many of your banking and credit union competitors. Even Wells Fargo’s advertising tries to position them as a local community bank. While we all know that’s laughable, many consumers do not. I also need to point out that “we’re local” may not matter much to many of your customer segments. Despite “buy local” campaigns across the country, consumers continue to support Wal-Mart and Costco even understanding that it hurts local businesses.
The “we give great customer service” strategy also fails at least one of those tests. Again, many of your banking and credit union competitors say the same thing so it is very difficult to compel prospective customers to leave their current bank to come to yours based on a potential of better service. It is also very difficult to prove to prospective customers. Unless you’ve been recognized by independent organizations (e.g., local paper, Greenwich Associates, Yelp reviews, etc.) for your great service or you offer service guarantees, many consumers will hear it as an empty slogan.
The other challenge with “great customer service” is how your core customer defines it. For some customers, it simply means being recognized when they come into the branch. For others, it means someone can answer their questions at 10:00 pm. For others, it means no surprise fees. Many business customers define it as hassle-free, as in, “don’t keep asking me for more information.” So unless you understand their needs and you set their expectations, it is very difficult to consistently meet, much less exceed, your customers’ service expectations.
So, then, how do you define your competitive differentiation? Here are the four key steps:
1. Define your core customer
It is exceedingly difficult, and expensive, to differentiate your bank across all consumer segments, all small business segments and all commercial segments. You want to laser focus your target market as much as possible. Often, it’s as simple as thinking of some of your “best” customers and asking yourself, “Who do we need more of to achieve our strategic goals?” Then name them as in, “if we had 25 more ABC Industries” or “1,000 more John and Susan Does applying for mortgages,” etc. “then we could achieve our goals.”
2. Determine what matters most to your core customers
Once you’ve defined your core customer, you need to determine what matters most to them when it comes to choosing a financial service provider. You can do this with customer surveys that ask them why they chose your bank, or from the first-hand knowledge of your sales and service people.
It’s important to ask insightful questions to avoid getting the lazy one word answers of “location” or “fees”.
3. Determine what need you can meet for those core customers that none of your competitors can
Once you’ve defined your core customer and what matters most to them, you now need to spend some time discussing what it is that you can do better for them than anyone else. This is the heart of differentiation. Can you provide a product that meets a need like no competitor can? Can you save them money? Can you bring industry knowledge that allows you to get harder deals approved? Can you offer a simpler, hassle-free experience than your competitors?
Spend some time on this and be honest about your ability to beat your competitors. Many of your competitors are successful in many areas. You’re looking for their Achilles heel.
4. Determine how you can prove that you can deliver on that promise
Lastly, you need to identify proof points for your promise. We’re not looking for a slogan; we’re looking for a promise that can be consistently delivered on.
How can you prove your promise? Can you offer a free financial review and promise them $100 if you can’t find ways to save them money? Can you guarantee a 25-day mortgage or pay them $500? Or can you simply list out the last 10 hospitals you financed or state that you bank more professional services firms than any other bank in the market? Can you point to 300 positive Yelp reviews?
The key is that you have to be able to prove your promise to your prospective customers. They are the ones you have to convince to go through the hassle of changing.
To avoid the commoditization trap, a unique and compelling value proposition is needed that both matters to your customers and differentiates you from your competitors. Get started today on defining your value proposition and then ruthlessly deliver on that promise.
For more information, see http://www.aboundresources.com/bank-competitive-advantage/
AUSTIN, Texas (January 27, 2014) – Abound Resources, a leading bank consulting firm, today released the results of its recent survey of community bank executives. The results highlight that community and small regional bank CEOs are cautiously optimistic for 2014, despite ongoing challenges in the regulatory and economic environments.
In 2013, only 28% of CEOs were “somewhat or very optimistic” about the upcoming year in banking. However, heading into 2014, 59% of respondents indicated they felt “somewhat or very optimistic” about the coming year even in the face of an increased regulatory burden and an uncertain interest rate environment.
“This year bank CEOs are decidedly more optimistic than they have been since 2011,” said Brad Smith, President and CEO of Abound Resources. “In our conversations with bank CEOs, the majority realize that they can do even more to position their bank to rise above economic and regulatory challenges and remain profitable and relevant in 2014 and beyond.”
The regulatory burden and the interest rate environment lead the list of major concerns for 2014. The list of major concerns also included weak loan demand, efficiency, non-interest income, and credit quality, although credit quality ranked at the bottom of that list for the first time since 2010.
In terms of setting growth priorities for 2014, growing commercial loans remained at the top of the list from 2013, followed by expanding the online presence and improving the small business market share.
On the operating side of the equation, streamlining workflow for greater efficiency remains the top priority for the third year in a row.
2014 promises to be another year when banks continue to try and use their technology for greater efficiencies. Bank officers expect to spend slightly more on technology in 2014 than 2013, and enterprise risk management (ERM) is again the top planned technology purchase.
A complimentary copy of a White Paper analyzing the complete survey results and Abound Resources’ top five strategies for 2014 is available for download at http://www.aboundresources.com/community-banks-insights-into-2014-survey-results/
About Abound Resources
Abound Resources is a full service bank consulting firm with the sole purpose of helping community banks achieve their goals - whether those goals are for growth, efficiency, technology or risk management. In fact, we guarantee it.
Abound Resources offers an array of services designed to improve performance and profitability and help community banks cope with an increasingly stringent regulatory environment.
Our seven practice areas are each headed by an experienced practice leader:
Technology – bank technology plans, bank vendor evaluations, core vendor RFPs, bank contract negotiations, bank vendor management
Performance Management – bank workflow improvement, revenue enhancement, bank efficiency improvement
Lending – loan process improvement, loan origination vendor evaluations and implementations
Small Business and Commercial – small business deposit and fee income growth programs, bank cash management programs
Strategic Planning – bank strategic plans, risk tolerance planning, one page strategic plans, competitive differentiation
Sales and Marketing – branch performance improvement, sales coaching and training, e-marketing strategies and campaign management
Risk Management and Compliance – ERM, bank IT audits, information security assessments, bank compliance, BSA review
One of the lessons learned from the 2009-2010 bank failures is the importance of the foundation of bank strategy – your core values and purpose.
In our experience, banks that are clear on their purpose and consistently live out a set of corporate values tend to deliver both consistent performance and strong employee satisfaction.
Alternatively, many banks that failed began to chase growth outside of their stated purpose and/or in conflict with their stated values. If a bank’s stated purpose is to be the economic engine in a certain community, then you wouldn’t expect that half its portfolio would be in CRE two states away. And if teamwork was a core value, you wouldn’t expect it to hire a bunch of lone wolf super star performers.
Two other personal observations on values:
Customers (especially Gen Y) increasingly don’t care what you do until they know why and how you do it.
The next generation of Board members expects organizations to be both values-centered and performance-driven.
So let’s take a look at your values.
Documenting Your Values
Your bank’s values serve as the cornerstone for your bank culture and help you answer the basic question of “should we or shouldn’t we”. They typically are first defined by your founder though they may evolve over time. Jim Collins, author of Good to Great, has a great tool for defining and testing your values.
I encourage clients to identify three to seven core values, with each core value being a single word (e.g., teamwork) or short phrase (e.g., do the right thing). Just make sure they are words or phrases your organization already uses daily. No “corporate speak”. Then for each core value, include a few brief descriptors to help employees understand the meaning. You can sometimes create an acronym of your values that reinforces a theme or your most important value, but don’t alter your values just to create an acronym.
Regardless of format, values must be authentic to be believable. They are not aspirational. They need to already exist within your organization.
And most importantly, they must be alive in your organization. Otherwise, they will come off as a meaningless list of words from a leadership team that doesn’t understand what’s really going on.
Making Values Come Alive
Yes, you need to post your values on the walls, but you need to go beyond that to make them come alive. Just as parents use rituals to reinforce family values (e.g., grace at dinner, prayers at bedtime, church on Sundays), leaders need to create opportunities to communicate and reinforce values so they become part of the fabric of your organization. Here are five ways to make your values come alive:
1. Recruit for values
You can’t train values. People either share yours or they don’t. Include your values in your job postings (e.g., “are you a hard-working, team-oriented…”) to self-screen and then design your interview questions to determine whether the candidates align with each of your core values.
2. New employee orientation
Make sure your values are explained in your employee handbook and include them in your new employee onboarding process.
3. Performance reviews
Jack Welch, former CEO of General Electric, built a very simple performance review system. GE measures every employee on two scales: performance and alignment with company values. They learned that the most destructive person in their organization was the high performer that didn’t live by the company’s values. Because of their high performance, managers would often let these culture killers live by a different set of rules, thereby undermining everything management was espousing to all the other employees.
The GE review process is a very effective way to hold people accountable for their behaviors. If “teamwork” is a value (for example), you will need to discipline the manager that routinely takes all the credit for his team’s performance.
4. Recognition and reward
Find ways to publicly recognize employees that live out your values. Before your next quarterly or annual all-employee meeting, invite employees to send in stories recognizing their peers for living out your values. Have a committee pick the best example and then recognize the winning employee at the meeting. Take a picture of the CEO presenting them with a gift and include it with a story in your annual shareholder report.
If you have a company newsletter, highlight a value in each issue and include stories of employees living out that value.
And a thoughtful email from an executive to an employee can go a long way…“Susan, I really appreciate the great “teamwork” you showed getting the Acme deal closed yesterday. You jumped in, stayed late and helped us deliver great service to our customer. That teamwork is what helps separate ABC Bank from everyone else.” Make sure you copy their manager, too.
5. Day to day management
Incorporate values into your meeting rhythms. Rotate values of the week and start your weekly meeting with a short story or example or a personal challenge around the value of that week. Even better, invite others to share their examples or stories.
When making difficult decisions, relate it to a value. When customer issues come up, discuss how it could have ideally been handled in accordance with your values. And continue to look for opportunities to reinforce your company values.
To become a values-centered, performance-driven bank, leaders must first hold themselves accountable to corporate values. They also must communicate and coach their team members on the bank’s values, reward those that live by the values and hold those that don’t accountable.
As I was driving through the Appalachian Mountains on the way to facilitate a strategic planning retreat, I found myself listening to radio coverage of the House Energy and Commerce Committee hearing on the HealthCare.gov debacle.
As you know, the online marketplace launch for ObamaCare, the HealthCare.gov website, has been a technical disaster. It crashed on the day of launch, confidential consumer data has been exposed (why aren’t bank examiners screaming about GLBA violations?) and the site continues to be up and down to the point that consumers are now being encouraged to call in rather than try the website.
As I listened to the heads of all the government technology contractors explain how the disastrous results weren’t their fault, it struck me how much they sounded like bank core vendor conversion teams after a bad conversion.
And now that banks are starting to actually upgrade their core systems again after a four year lull and make other major technology investments such as Internet banking, loan origination and electronic content management upgrades, I thought I would share the top three lessons learned from the HealthCare.gov debacle:
1. Implementation is the Bank’s responsibility
Cheryl Campbell, senior vice president of the leading government systems contractor, told the House committee that the Obama administration ultimately bears responsibility as the "systems integrator or quarterback on this project." She and other contractors testified that confusion among the tech firms led to problems with the website.
While that sounds like passing the buck, she’s correct. And the same applies to your bank.
Many bankers wrongly assume that because they pay hefty conversion or implementation fees to vendors, the vendors will take full responsibility for the conversion or implementation. Wrong. You are responsible.
If a customer’s debit card doesn’t work after a conversion, do your customers care that it was because of a vendor mistake? Of course not. They blame you.
You must understand all the steps and sequencing of those steps that go into a conversion or new system installation and then understand what part the various vendors play. Each vendor has a role, though it is typically much less than what bankers assume. They tend to focus only on the parts they are directly responsible for, and their corresponding training, installation and data conversion.
But what about customer communication of the changes? Or policy or procedural changes? Or business continuity changes?
Similarly, you should not rely on others to tell you the testing was successful. The same government contractors, testifying before the same committee on September 10, assured lawmakers that they were ready to handle a surge of users when the federal exchange opened on Oct. 1. Turns out they had only tested the system for a few hundred concurrent users despite their internal projections that 7 million consumers would register in the first year.
You need to take charge and take ownership of the entire implementation process (including testing) and hold your vendors accountable to your plan and expectations.
2. You must do integrated testing, not just unit testing
The Washington Post reported last week that as late as September 26, there had been no “end-to-end” testing of the site mimicking the real-life experience of trying to get online and buy coverage.
Ms. Campbell said her company’s portion of the site worked when it was tested, but when it was integrated into the entire system, it did not work.
How many times have bank operations and bank technology executives seen vendors point the fingers at other vendors? It’s mind numbing.
So you must take ownership of your systems testing whether it’s installing a patch, an annual update or a major conversion. And you need to go beyond mere unit testing. You must do integrated testing.
Unit testing is the simplest form of testing. It’s testing just one single concern (use case) without testing any interdependencies. It might be confirming that a new patch doesn’t change a certain interest calculation, that a group of account numbers mapped correctly during data mapping, or that a server remains connected after an operating system update.
Integrated testing is much broader and includes testing multiple issues (multiple use cases). Integrated testing attempts to mimic real life scenarios as much as possible and needs to test real life volumes and system interdependencies such as operating system or database changes to applications, multiple interfaces, network connectivity, etc.
And just because all the products come from Jack Henry, Fiserv or FIS doesn’t mean that you can assume they are testing all the connection points. In fact, this has become one of the more common breaking points in core system conversions. Banks assume that core, DDA, Internet banking, bill pay and multi-factor authentication will all work seamlessly because they all come from the same vendor. Dangerous assumption.
3. Set a Go, No Go decision a month in advance of your go live date
It now appears that Secretary Sebelius knew of the problems ahead of launch, but she did not communicate these to the President. I would imagine she felt enormous pressure to go forward with launch hoping that things would work out.
The same pressure mounts for bank operations and IT executives.
So we recommend that at the beginning of your implementation project, you schedule a "Go, No Go" decision meeting at least one month ahead of your scheduled live date.
That meeting needs to include your CEO, the heads of all external vendor implementation teams and your internal implementation team. The sole purpose is to decide whether to go forward with the original go live date.
This is a candid assessment of the results of your full implementation test and whether it makes sense to go forward with the scheduled implementation date. If everyone agrees to go forward, we go so far as to require everyone to sign the document saying they are confident of a successful implementation.
Now is no time to hide from accountability. A bad implementation, particularly of customer facing systems, is nearly impossible to fully recover from so the CEO needs to be asking hard questions and the ops and IT folks need to provide candid answers.
Otherwise, if things fall apart, you’re likely to hear what Congress heard from Ms. Campbell.
"It was not our decision to go live," Campbell said, saying such a call was up to the Centers for Medicare and Medicaid Services (CMS).
And I’d hate to see you thrown under the bus with them.
As you head into your 2014 bank strategic planning retreat, there is no shortage of questions on the minds of directors and CEOs. Where is growth going to come from? Do we need to improve our bank efficiency? Is our technology up to date? What’s going to happen with Basel III? How do we attract younger customers? How do we deal with this new compliance burden?
With so many questions, let me suggest a planning framework to keep your next planning retreat focused. Here are the top five questions to answer in your 2014 strategic plan:
1. What’s your bank’s purpose?
Your institution’s purpose is its higher calling and should articulate why you exist. Sure you want to make money for your shareholders – that’s a given. But you, or your founders, could have started any number of businesses to make money. So why did you choose to open your specific bank?
Your purpose should evoke an emotional response in the minds of your customers and in your employees. It’s something people should be attracted to and can stand behind. And it’s not something that should change every few years.
Encourage your CEO to spend some time either confirming your existing purpose or defining a new one. You might pass along some of these examples for inspiration:
Freedom to travel
Make the world's information universally accessible and useful
Bring inspiration and innovation to every athlete in the World
Help our Clients achieve economic success and financial security
Bank of San Antonio: Help businesses grow
Don’t waste time wordsmithing a bank mission statement in your planning session. Instead, identify your purpose in 10 words or less.
2. What makes your bank truly unique?
We use the term “brand promise”, but others call it competitive advantage or unique selling point. At the heart of this question is what you are promising your customer (and prospective customer) that is different from the competition.
Here’s a quick test to know whether you’ve identified a true brand promise:
- Does your promise matter to your customer?
- Is it noticeably different from what your competitors promise?
- Can you prove it before they become a customer?
Far too many banks rely on “we give great service” as their brand promise. But “great service” fails the above test. While service matters to the customer, it’s no different than what every other big bank, community bank and credit union promises. And, it’s very difficult to prove that you give great service to a prospect before they become a customer.
So, if you’re going to promote “great service” as your brand promise, you need to be able to back that up. Do you have hundreds of positive Yelp reviews? Have you been voted the best bank by an outside firm (local business paper, Greenwich, etc.)? Do you offer a money back switch guarantee?
3. Where do you want your bank to be in 1, 3 and 10 years?
Your 10-year goal is your singular long-term goal, the one goal your bank focuses on over the long term. It should be audacious but not impossible. Think of Kennedy’s famous 1961 challenge to put a man on the moon within the decade. Jim Collins coined the term Big Hairy Audacious Goal (BHAG) to capture this concept.
There are four types of BHAGs:
- Target BHAG – “Be $3 billion in assets by 2025”.
- Role-model BHAG – “Be the Nordstrom’s of Illinois community banks”.
- Common enemy BHAG – “Crush ABC Bank”
- Internal transformation BHAG – “Become the bank every University of Florida graduate wants to work for”
Any of the four types can be effective, but you need to determine how you will measure your BHAG. You need to know how you’re progressing and when you get there.
For your nearer term goals (1 and 3 years), we suggest setting just two financial targets. Most commonly, it is:
- Total bank assets and a profitability metric (ROA, ROE, net income, pre-tax income, etc) or
- A capital ratio (total capital, Tier 1 capital, etc.) and a profitability metric.
You’ll have lots more financial targets for ALCO, risk management and departmental purposes, but identifying the top two helps focus the board, management and employees.
4. What needs to happen to get you there?
We recommend that you identify the top 3-5 actions (or strategies) to get you to achieve those targets and goals. What are the top 3-5 actions to get you to your three-year goal? And what are the top 3-5 actions to get you to your one-year goal?
The important part of this question is the prioritization. A list of 10 strategies is very difficult to execute and even harder to communicate. The executive team’s job in a planning session is to brainstorm ideas, debate and then prioritize the most important strategies to achieve your goals. Keeping it to 3-5 forces you to prioritize and makes it easy to communicate internally.
5. Who’s responsible for what and by when?
This is like a mini project plan. For each of the 3-5 actions you identify for your one-year goal, you need to assign ownership responsibility. You need one name by each action. Even though multiple people typically need to be involved in each action, you still need to identify the one person responsible for the action.
Then that person needs to identify a due date for the action for which they are responsible. They also need to identify two or three interim milestones so the CEO can make sure they are staying on the timeline.
If you can answer those five questions, you will have a strong plan that can be communicated and executed.
Back in January, in a post on the Fiserv OSI acquisition, I asked who the next core vendor to fall would be. Yesterday, we got our answer. In a deal valued at $1.2 billion, Davis and Henderson Corp. announced its planned acquisition of Harland Financial Solutions.
Just like the last time Harland was acquired, lots of clients are calling me asking who the acquirer is.
Davis and Henderson, or D&H, is a Canadian technology company only vaguely familiar to US banks and credit unions through its Mortgagebot loan origination product which they acquired in 2011.
D&H is actually similar to Harland in that it is another checks company trying to evolve into a technology company.
With the acquisition, D&H will add a little more than 5,000 US banks and will have combined revenue of $1 billion. That will put them at roughly the same revenue as Jack Henry.
A couple of quick thoughts:
- D&H is a major player in the checks business in Canada; however, they did not acquire Harland's checks business.
- D&H is a strong company in lending technology. MortgageBot is strong, and they have an integrated commercial/consumer/mortgage loan origination system (Cyence) that is stronger than Harland’s Credit Quest and Decision Pro. But D&H has traditionally been geared toward large banks from a price and tech resources standpoint. Molly Latham, our Lending Practice Manager, has asked them before whether they were going to bring those products down-market to community banks and the sales rep said that it was on their roadmap. We’ll see if that’s where this is going.
- D&H will be new to the core processing, Internet banking, and online account opening business. Yikes. We know how that’s worked out with other vendors before, but unfortunately Phoenix, Ultradata, Sparak, Intrieve, Cavion and uMonitor customers are used to being bounced around and being promised more development dollars. I’d be particularly worried that Phoenix and Ultradata core will continue to remain in no man’s land with yet another owner that doesn’t know the core processing business. Maybe D&H will actually deliver on Harland’s promises, but I wouldn’t expect major development dollars for a while. History has taught us that vendors will typically focus on integrating their legacy products with their newly acquired ones before they start to tackle new developments in the acquired products. I hope I’m wrong.
- In five years, D&H will have grown from 100 customers to nearly 6,000. That’s impressive if you’re a shareholder and frightening if you’re a customer. I hope their management team consists of superstars.
- My quick read on the financing of this deal is scary. At year end, D&H only had $5.5 million in cash. Goodwill and intangibles make up 86% of their assets. So how are they financing a $1.2 billion acquisition? D&H has said that it will finance it, in part, by raising nearly $600 million through the sale of subscription receipts and unsecured debentures. D&H’s leverage is already sky high and its liquidity is very low, so it will be important to know how much of that $600 million will be additional debt. We’ve seen several highly leveraged core processing acquisitions before and none of them survived. Unless I’m reading this incorrectly, I’d be very, very worried about this. Harland customers, it’s hard to believe this, but your vendor management financial reviews might have just gotten uglier.
The transaction is slated to close about August 19, 2013.
Correction to original post: Original - "I wouldn’t have too many concerns about their ability to integrate Harland’s checks business.". Correction - D&H did not acquire Harland's check business.