5 Top Security Threat to Credit UnionsInterview with NCUA Board Member Gigi Hyland on Today's Top Information Security Challenges and the Current State of Credit Unions
- 5 top security threats;
- State of credit unions looking toward 2011;
- What regulatory reform means to credit unions.
Hyland took office on November 18, 2005, as a member of the National Credit Union Administration (NCUA) Board for a six-year term. Prior to joining the NCUA Board, her career spanned 14 years serving the credit union community. During her tenure, Hyland has spearheaded a number of key initiatives. She recently hosted and moderated a two-day Symposium to celebrate the 75th Anniversary of the Federal Credit Union Act. The Symposium provided a forum for robust and frank conversation about credit unions' unique business model and its future sustainability. In December 2008, she launched a supplemental capital initiative to review and formulate the agency's policy position on this critical issue. In 2007, she served as Chair of NCUA's Outreach Task Force and helped author the Task Force's report. The Task Force was created to provide a better understanding of and evaluation of the NCUA's outreach efforts, credit union service documentation requirements, and executive compensation disclosure. That same year, she facilitated a summit to discuss payday lending alternatives and credit unions' involvement in the Volunteer Income Tax Assistance (VITA) program. An innovator and strategic thinker, Hyland initiated the use of webinar technology at NCUA and has fostered direct communication with examiners and regional offices at the agency to assure alignment of policy decisions and examination practice.
Hyland serves as NCUA's representative on the NeighborWorksÂ® America Board of Directors. She also serves as the Board's liaison to the World Council of Credit Unions (WOCCU), other international organizations and the Export/Import Bank. Hyland's term expires August 2, 2011.
TOM FIELD: What's the state of the nation's credit unions, as we're in the middle of 2010, and already looking forward to 2011? Hi, this is Tom Field, Editorial Director with Information Security Media Group. I'm visiting again today with Gigi Hyland, a board member with the National Credit Union Administration. Gigi, it's a pleasure to talk with you again.
GIGI HYLAND: Tom, it's great to talk with you, as well. Thanks for the opportunity.
FIELD: Well, it seems like I ask you this question each time we talk, but it's always appropriate. How would you describe the state of the nation's credit unions today?
HYLAND: You know, overall, federally-insured credit unions remain very healthy and strong. However, just like with other types of financial institutions and businesses in general that we read about in the papers, day in and day out, our nation's credit unions are really finding the current economic environment pretty challenging. The financial statistics that we gather every quarter really reflect, I think, the collective difficulties that our nation's credit unions are experiencing. You know, a couple of very notable things. Over the last three complete years, the aggregate net worth ratio for all federally-insured credit unions actually decreased from 11.51% to 9.91%. And then, on top of that, during that same period of time, delinquency and loan charge-off ratios have both more than doubled, and earnings really have fluctuated between negative and marginal levels. So, while credit unions certainly do remain healthy and strong, they have not been immune to the effects of the economic climate that we have been experiencing over the past couple of years.
FIELD: So, we've all seen changes in the industry, and you can see where banks, in particular, have evolved, in part, because of the crisis. How would you say credit unions have evolved as a result of the economic difficulties we have faced?
HYLAND: Here at NCUA, we remain really impressed by the collective resilience of credit union officials, and the resilience that they have demonstrated in really meeting the challenges presented by the recent economic crisis. In addition to not only addressing a whole host of financial and operational issues, credit union CEO's and managers and certainly their boards have stepped up and really reinforced, I think, the public's confidence in federal share insurance coverage, which really, it was critical certainly during the initial liquidity crisis that we experienced in 2008. And then, on top of that, credit unions really continue to expand the availability of services to all of their members, while trying to serve folks with modest means. So, I think they are doing a very good job in the face of very challenging circumstances.
FIELD: I'm going to change gears with you a big and talk about regulatory reform. We've seen lots of proposals out there now from the Senate and the House, both, and we hear about banks, and we hear about bank regulation. We don't hear so much about credit unions. So, what I'd like to ask is how do you see the NCUA and credit unions being affected by the regulatory reform proposals that are currently being discussed?
HYLAND: Well, as you know, the Senate, last week, did pass a financial reform bill, and now it will have to go to conference between the Senate and the House. And I think there are a couple of issues. From a credit union perspective, I think there has been a lot of discussion about interchange fees and how that would affect credit unions, and so that's going to be an item, I think, up for debate and probably up for some grassroots efforts on the part of credit unions. I think from NCUA's perspective, there certainly are two issues that, I think, we have focused on, as an agency. Certainly, the financial stability in the markets at a macro level, and consumer protection. Here at NCUA, we've done a couple of things while the legislation been under deliberations. You know, we've worked to really advocate the interest of credit unions in addressing global market issues. And what I mean by that is that our chairman, Chairman Matz, has really gone on record in supporting the inclusion of NCUA as a voting member of this proposed financial stability oversight council, to make sure that that council ensures consideration of the credit union perspective during deliberations of whatever systemic concerns might arise. And then, with respect to the consumer protection, the agency certainly has consistently reminded, not only legislators, but all interested parties, of the history of credit unions, really not conducting many of the abusive practices that have helped to propulgate the recent financial crisis. So, you know, credit unions really have been true to the consumer protection aspect of many of the things that the Congress has been concerned about, as they deliberated on financial reform.
FIELD: Gigi, do you feel that the NCUA and the credit unions are being heard by legislators?
HYLAND: Uh, I, I think so, but time will tell. As the old adage goes, "Legislation is like the sausage making process, you never know what's going to come out at the end." Well, you actually do, but you never know what goes into it, as well. So, you see. I think time will tell.
FIELD: What can the individual leaders at credit unions be doing, at a grassroots level, as you mentioned, to make sure that they are being heard?
HYLAND: I think they simply need to be aware of what's going on. I think they need to follow the legislation, and I think they need to reach out to their elected representatives, if they have particular concerns, both at the offices here on Capital Hill, and also the district offices. They simply need to work with the trade associations that they are members of, to make sure that their voices are heard.
FIELD: When we talked a year ago, we talked about the Identity Theft Red Flags Rule, which your examiners were checking for compliance. Give us an update on how institutions are complying with the Red Flags Rule now, and where do you find that they tend to be strongest and weakest in compliance?
HYLAND: Well, as you know, Tom, the ID Theft Red Flags Rule is formally part of NCUA's regulation that implements the Fair and Accurate Transactions Act of 2003, and it became effective November 1st of 2008. You know, in terms of compliance, with such a short timeframe following the Rule's effective date, at this juncture, it's really difficult to draw meaningful conclusions about major areas of either compliance or noncompliance. What we have so far, in terms of the information, indicates that credit union CEO's and their staff and boards have generally been fairly proactive in implementing the key provisions of the Rule, and NCUA really has noted very few violations. I guess the exceptions NCUA uncovered really ranged, I think, from an absence of either an appropriate risk management process, to the need for relatively minor policy tweaks, refinements, and staff training. So, very technical violations, as opposed to large substantive violations, and we're finding that the credit unions are certainly correcting those within a short period of time.
FIELD: Would you say you find more institutions in compliance this year versus a year ago at this time?
HYLAND: Yeah, I think so. I think credit unions have focused on the issue, in addition to everything else they've had to focus on, and they're also learning as they go, in terms of what their requirements are. So, as I noted, really, we haven't seen very many violations, and the ones we've seen have been super technical. So ....
FIELD: Gigi, vendor management has been one of the issues that you, in particular, have pushed for a couple of years now. So, how would you say that credit unions have improved in vendor management, and where do they need to focus continued efforts?
HYLAND: I think credit unions have responded very, very favorably to the emphasis that certainly NCUA and, and really, the larger body of FFIC agencies, which have also stressed this issue, have really placed in a variety of functional areas, regarding third party relationships and management of those relationships. You know, NCUA, as you may remember, initiated the examination procedures related to third parties through a variety of Letters to Credit Unions. The one that comes to mind is Letter to Credit Unions 08CU09, which was issued back in April of '08. You know, our field staff has really worked productively, I think with, again, credit union CEO's and staff, to ensure that management really comprehensively considers the implications of the vendor selection process, and all of the dynamics related to that. And I think as credit unions increasingly partner with outside parties, appropriate due diligence is always going to remain an issue. And we're not aware of any glaring exceptions, I guess, right now, but I think that's because our field staff is continuing to focus, really, on every exam, about management's internal controls, and what they are using, in terms of due diligence tools and what is appropriate for the particular credit union.
FIELD: Gigi, it seems, for the past several months, that fraud has been a dominating issue, whether we are talking about Heartland-style frauds, with the processors, or if we are talking about the ACH and wire transactions or corporate account takeover. What do you see as the current information security threats that pose the biggest challenges to your member institutions?
HYLAND: Well, Tom, I wish it were a short list, but it's really not. I think there are five things that are really the most significant information security threats to credit unions. You know, first and foremost, I guess I would list employee theft of data right at the top of the list. Unfortunately, the agency is learning of cases where disgruntled former employees pilfer or otherwise corrupt key data after their employment with the credit union ends. And this creates, as you can imagine, a great deal of risk to the institutions, and I think what we are seeing is that in order for credit unions to be proactive from an internal control standpoint, management really needs to ensure that policies are in place for coordinating data access issues between HR and IT divisions, as a part of the termination process. So, it's making sure that the two important parts of the organization that have a piece of what happens when an employee leaves, that those two are talking to each other and coordinating. The second, I think, big area that poses an information security threat is employee misuse of data. And what we are seeing, in isolated cases is that current employees have inappropriately used or benefitted from member data by providing that data to third parties such as financial management companies. And again, I think this is an issue for management, that really, management should establish very clear expectations as to how employees should maintain confidentiality and member data and really restrict the use of data to their specific job function. So, it's a little bit of having internal control procedures based on need to know specific information. A third issue is, really, debit and credit card processor issues. A lot of times these are outside the control of the credit union, but certainly, as we all know, we have seen it again in the press, security breaches by plastic card processors really can adversely affect members. And, since these types of breaches ultimately have a huge possibility of affecting the reputation of the credit union, it is really imperative that management of a credit union conduct very, very careful due diligence when entering an agreement with any third party. And then, the last two are sort of connected. I mean, one, the fourth one, I should say, is hacking of the server. We've seen that a couple of times, where an outside party gains access to a credit union's systems, and the severe consequences as a result of that. And, in terms of what we are seeing as best practices, you know, credit unions IT programs should have very clear provisions for risk management practices, and internal controls, security measures, segregation of duties, and data encryption. And, all of this is really part of Part 748 of our Rules and Regulations, and Appendix A to that section of our rules provides guidelines for safeguarding member information. And, Appendix B actually offers guidance on responding to cases, where unauthorized access to member information actually does happen. And then, last, but not least, is control over third party contractors. We talked about this a little bit before, Tom, in terms of due diligence, but, as systems become more complex, credit unions often do, and should, many times, hire outside contractors to address specific information needs. Once that's done, again, the credit union has to exercise extraordinary due diligence, to really carefully limit the data that the contractor can access, and make sure that the credit union's network access procedures require these technology service providers to contact credit union staff before gaining access to the system. So, just, again, that due diligence, which really, runs through all of these issues.
FIELD: Just a quick follow up question about the insider issues you mentioned. Do you find that there are more incidents now, because of the economic conditions we have all faced, or do you find that your institutions are just getting better at detecting them?
HYLAND: You know, I think when times are bad is when you see more incidents of fraud and insider/employee misuse of data and possibly fraud-related. So, we're seeing slight uptick in that, I think, because of the economic climate. But, you know, it just, it behooves credit unions to take a double-look at their internal controls in this tough time, and make sure that those internal controls are strong as they can be, to try to prevent fraud as much as they can.
FIELD: Gigi, as we close in on the midway point of 2010, what are the issues that you believe credit unions need to resolve to be most successful in 2011?
HYLAND: I think a variety of issues. You know, there's still a great deal of uncertainty, Tom, over the general economic condition of our country and how long these economic conditions are going to continue. And I think the general sense here at the agency is that they are likely to continue over the next, at least, couple of years. So, I think credit union officials really need to remain as flexible as possible in communicating with their members under a variety of environments, to ensure that the members receive consistent messages that reinforce the value of their membership in a federally-insured credit union. I think that is really important, to maintain member confidence. And, you know, assuming that the general sort of long-term trend reflects a gradually recovering economy, I think the most important challenge that credit unions are going to face next year is transitioning from operating in a crisis mode, which everybody has been in now for a couple of years, to really implementing a business strategy with long-term objectives. You know, many folks are saying, "Well, when will this end?" and we're just trying to get through day by day. But, at some point this is going to end, and credit unions need to be looking forward. Particularly boards of directors are really going to need to look forward to carefully assess how the business model presently functions and how well they have positioned the credit union for the future. Not only in terms of the membership viability, but also in terms of product and service appropriateness and general service delivery. And then, I think last, but not least, we are certainly at a very unique place in history where an unprecedented number of generations are simultaneously part of the same labor force. You know, boards of directors of credit unions, very bluntly, don't tend to be reflective of that diversity, normally. And so I think boards need to kind of step back and look in the mirror, and need to really carefully evaluate internal personnel policies, to ensure that the board, the staff, and the management of the credit union remains reflective of the field of membership and remains inclusive, to make sure that management is attracting a diverse staff, and obviously, a very qualified staff.
FIELD: Gigi, trust is the key. If there is one thing that credit unions can do today to improve that trusting relationship with its members, what would you advise?
HYLAND: Credit unions certainly, I think, have a leg up in that battle, if you will. I think credit unions tend to be in a stronger position than most other financial institutions, in terms of reputations, but it continues to be earned. You know, credit unions and credit union management and boards need to continue to be really effective in distinguishing the consumer-friendly business model that credit unions have typically followed, and make sure that that continues, that they are being responsive to member needs. And I think that includes looking at what the long-term strategy of credit union is, and having the board and management really implement a way to focus daily interactions to be responsive to what the members need in wherever the members happen to be in their life.
FIELD: Gigi, as always, it's a pleasure to catch up with you, and I appreciate your time and your insight. Thank you so much.
HYLAND: My pleasure, Tom. Thanks again.
FIELD: We've been talking with Gigi Hyland with the NCUA. For Information Security Media Group, I'm Tom Field. Thank you very much.