October 2016: Samaha Associates’ CEO Sabeh Samaha Featured in CUES: Go! Wait! – Balancing security with convenience plays into key payments strategy decisions
Path Through the Jungle – How CUs can and can’t confirm that their online account openings are working as promised
By Richard H. Gamble
The case for offering online and mobile account opening is a strong one, but the process is complex and the stakes are high. How can a diligent CU be sure this important new growth channel is working as advertised? Online account opening is usually a team sport, with the CU setting the rules and a vendor applying them. The vendor typically receives the application data, searches the relevant databases (such as those for drivers licenses or credit scores), applies rules the CU has set and exports the result to the CU’s systems. That automation has a lot of fast-moving parts that CU staffs can’t actually view, so there’s a degree of faith that the vendor is executing as promised.
How much faith is OK is under debate by security and operations pros. With a good vendor and good systems, having faith is all right, says Alissa Fry-Harris, director of marketing at CUES Supplier member Bluepoint Solutions, Henderson, Nev., which offers OpenAnyware for Credit Unions (http://tinyurl.com/bpsoa4cus). “Best practices and regulations set the standards for authentication, and full compliance is fundamental,” Fry-Harris notes. “Safeguards are built-in because the same highly automated, fully-compliant processes already in use are followed, including out-of-wallet questions, email authentication and gathering of information from multiple sources such as drivers’ licenses, government-issued IDs, credit cards and data from mobile carriers.”
Be suspicious and test continually, counters technology consultant Sabeh Samaha, principal of Samaha & Associates Inc. (www.ssamaha.com), Chino Hills, Calif. Test website design; test log-ins, transactions and log-outs, he urges. “Open and monitor test accounts. Use them continuously to try to break the system,” he advises. “That’s the only way to get best-in-class security.” And network with peers, sharing information about any fraudulent activity you see and finding out what they’re seeing. Touch base often. Also read about security solutions and fraud. Question your vendors, but don’t rely solely on them; CUs have to control their own destinies, he concludes.
Find the rational balancing point, suggests Maria Arminio, senior director of the Electronic Funds Transfer Association (www.efta.org), Fairfax, Va. Organizations usually won’t spend more on fraud protection than they can offset with the fraud losses they prevent, she observes.
“It all boils down to a financial decision of how much certainty you need to buy to secure online account opening,” she points out. Getting to 80 percent certainty might be easy to achieve and relatively economical, she explains. The remaining 20 percent might be difficult and expensive. Each organization has to find where it stops getting a return on its investment, she concludes.
There are lots of databases and security vendors out there, Arminio continues. A financial institution can increase security by adding more layers. The right amount may vary by the size of transactions or by the type of account an applicant is able to open remotely, she notes. A deposit account is less risky than one that allows credit, and low credit limits are less risky than high ones. But CUs are up against competitors that thrive by making funds available online and almost instantly, she notes.
Adjusting the Controls
CUs are finding their paths through this jungle. User-friendly online account opening is particularly important to branchless $4.6 billion PSECU (www.psecu.com), Harrisburg, so the CU recently upgraded to a system from the Temenos Group that, from mid-June to mid-August, had seen 25 percent of 5,678 completed online account applications opened within15 minutes in a totally automated process.
“Members are happy, and staff is happy,” attests Andrew Coy, PSECU’s AVP/lending. “It’s quicker and more efficient than our former process.”
The accounts opened are share/checking accounts with ATM cards; getting credit is an additional process, but one that can be quick and automatic for certain applicants and certain credit products like indirect car loans and unsecured term loans, he reports.
Testing to see that the process is working as it’s supposed to is more occasional than continuous, Coy says. “You build a rigorous testing methodology, and you use it for each system iteration or update, each release of a new code or process,” he says. “Once it passes those tests and you gain a comfort level, you don’t need to test as intensively.”
For the vendor, testing is continuous, says Larry Edgar-Smith, SVP/product evangelism for Temenos (formerly Akcelerant, www. temenos.com), a CUES Supplier member headquartered in Geneva, Switzerland.
At $1.1 billion Firefly Credit Union (www. fireflycu.org), Burnsville, Minn., automated account opening is part of a vendor-run package the CU bought from MeridianLink (www.meridianlink.com), Costa Mesa, Calif. It’s set up to screen applications pretty conservatively. If there’s almost any discrepancy— such as a knowledge-based question the applicant can’t answer or an IT address in a different part of the country from the mailing address—it doesn’t get opened automatically but referred to people in the collections department for security review, explains CUES member Rick Blood, CSE, SVP/member services.
“If they can’t resolve it, the application goes to the new account people, who typically call the applicant and may open the account by phone or direct him or her to come into a branch,” he says.
That process gets high marks for safety but not for efficiency. “I wish we saw fewer accounts go into the investigation queue,” Blood says. “We get a lot of false negatives, just hiccups in legitimate applications. I’d like to find ways to reduce those.”
The CU has limited visibility into how the vendor’s data collection and crunching is working, Blood concedes, so the tests come mostly after the fact. For Firefly CU, that means that all approved applicants get a phone call and a welcome letter. Once an apparent applicant said, “That wasn’t me,” Blood explains, and the account was closed.
In the 31 months the service has been available, approximately 2,300 accounts have been opened automatically, and only one fraud has been perpetrated successfully, Blood notes. In that case, the fraudster had all of the applicant’s information the system required. The follow-up call and letter went to the fraudster, who subsequently applied for and got a credit card. The CU realized the fraud when it was unable to collect on the delinquent credit card account and the balance in the share account had dropped to $5. “If they have all the right answers, there’s not much you can do to stop them,” Blood concludes.
Managers of $1.1 billion Columbia Credit Union (http://www.columbiacu.org), Vancouver, Wash., knows whether the fraud-prevention measures around its online account opening are working as intended because it controls those measures—no online account opening application is approved automatically. The application can be completed online—and 90 percent of the people who start the process complete and submit applications. But once the application is received, the applicant is thanked and informed that the application will be reviewed by people and that they will be contacted. Approval is never instantaneous but often comes in minutes or sometimes hours, reports CUES member Lindsey Salvestrin, SVP/chief experience officer.
With this strategy, Columbia CU is not opening large numbers of new accounts from online applicants, but also not experiencing fraud losses. Strategies tied to internal comfort levels may win the battle but lose the war. Taking a defensive approach to the security around your online account opening is a mistake many CUs make, insists Richard Crone, principal of Crone Consulting LLC (www. croneconsulting.com), San Carlos, Calif. The big risk is not that you get defrauded by cyber thieves, but that competitors eat your lunch, he says. The winners offer true online account opening, something that offers almost instantaneously functioning accounts, including loan accounts.
Many CUs distrust that process and truncate it, accepting online applications but taking the time to process them manually. Along the way, they lose the applicant, often to savvy technology players with names like Prosper, SoFi and Lending Club, Crone points out. That breakdown sometimes occurs at CU vendors, and sometimes at CUs themselves, due to their conservative“Everyone needs a mobile-first mindset today,” he adds.
Progressive providers, many of them not chartered financial institutions, are using completely automated multifactor authentication in online/mobile account opening to provide instant credit and transaction accounts. At stake is who gets the primary financial relationship for a generation or more of consumers, Crone says. CU leaders need to trust the new security technology more, not less.
Right, agrees cyber security expert Alisdair Faulkner, chief products officer at ThreatMetrix (www.threatmetrix.com), San Jose, Calif. Build trust with tools, not time, he argues. Otherwise, the risk is high that cautious CUs will lose the member or prospect to other financial players that have the tools and risk appetite to give full access to products and services instantly. “The quicker you can collect and analyze data, the more business you will attract, the faster you will grow, and the more profitable you will be,” he reasons.
Even if you investigate and confirm that your online account opening process is performing as promised, that doesn’t mean it will continue to do so. Fraud and security are both evolving, and it’s possible to speculate about the future. As EMV, tokens and biometrics stop fraudsters from card-present and cardnot- present theft, they will turn their attention to account takeovers and new account opening, predicts Jamie Topolski, director of alternative payment strategies at CUES Supplier member Fiserv (www. fiserv.com), Brookfield, Wis. Identity theft is a problem that is still searching for solutions, he notes.
OCTOBER 2016 | cues.org/cumanagement