"How Can You Use Technology to Know Your Member Better?" - Kris VanBeek of Digital Federal Credit Union

As credit union members become more tech-savvy, their expectations increase - for banking services and information security alike.

Kris VanBeek, SVP of Information Systems at Digital Federal Credit Union, discusses:

His institution's top information security concerns;
The members' concerns;
ID Theft Red Flags Rule compliance;
Major agenda items to address during the second half of 2009.

VanBeek is a banking/security leader with deep experience in banking and regulatory compliance. Prior to joining DCU five years ago, he spent time as a supervisory manager at the Federal Reserve Bank of Boston, data center manager at Fiserv, and senior IT specialist and examiner with the Federal Deposit Insurance Corporation.

Digital Federal Credit Union is a not-for-profit financial cooperative owned by and operated for its members. DCU was chartered in October of 1979. DCU serves more than 350,000 members and their families in all 50 states. DCU is the largest credit union headquartered in New England as measured by assets and among the top 15 nationwide.

TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Kris VanBeek, Senior Vice President of Information Systems and Risk at Digital Federal Credit Union. Kris, thanks so much for joining me.

KRIS VANBEEK: Thank you for having me.

FIELD: For people who aren't familiar with your credit union, maybe you can tell us a little bit about the institution?

VANBEEK: We are about a $4.5 billion dollar credit union located in Marlborough, Massachusetts. We have just shy of 400,000 members. Our kind of claim to fame is utilizing technology for member service and really trying to take it upon ourselves to use technology to make it easier to do business with Digital and whatever that might be, whether it is loan origination, opening a membership or just doing basic transactions.

FIELD: What do you find to be your institution's top information security concerns these days at a time when Digital is really in the target of the proctors?

VANBEEK: It is a great question but a difficult question because there are so many kinds of emerging threats. I don't think there is one single answer. There are the top two or three but clearly from the internet you see more and more activity and attempts to defraud financial institutions. Whether it is opening fraudulent memberships, identity theft is obviously very common these days. You have a member that may have been a good member at one point in time but due to financial stress or change in personal circumstances that may actually turn to fraud in order to maintain their current lifestyle.

The idea of the online channel continues to evolve as kind of a high-risk area. The other side of it is that all the traditional channels, whether it is ATMs or branch transactions, the idea of getting to know your customer and your member really is very important. And how can you use technology to know your members better?

FIELD: That makes sense. Now you have a tech-savvy membership. What do you find to be the members' top information security concerns?

VANBEEK: We get a lot of inquiries. These days members really want to have affirmation that their online channels are secure, that they are really doing business with a legitimate financial institution and that their transactions are accurate and timely.

Recently we had almost a reverse approach for secondary authentication or multi-factor authentication, where, as I said, we used some of the technology to take some of the burden on ourselves.

We were doing transaction monitoring: where an IP address is coming from, where our member is coming from, trending, identifying when they do business with us, do they do it usually nine to five on the online channels? And then we paralleled those trends with strong authentication up front and what we have more recently gone to is more traditional secondary authentication.

We have almost done it backwards in a sense but our members are really interested in what we are doing behind the scenes. It is a delicate balance because we want to share that information. But at the same time there is some truth to be said about security by obscurity where we share with our members that we are transaction monitoring but we don't share all the criteria that we are looking at as part of that process.

FIELD: That is interesting because you have detailed a number of things that institutions are certainly facing in terms of fraud on all fronts and what your members are concerned about. How are you addressing some of these issues and how do you sort of straddle that fine line between the security and the obscurity that you mentioned?

VANBEEK: It takes a very, very strict discipline and what I mean by that is identifying your first priority, your second priority, your third priority and how they need to be addressed. And then once you have identified those priorities, sometimes that priority doesn't necessarily line up with how quickly you can provide a timely and efficient solution.

So for us, I already mentioned transaction monitoring, which is something that we have been doing now for a year and half or so, and there has been an evolution of that. What we were monitoring in transactions a year ago is certainly not to the same level that we are today; we've gotten better at it, more efficient; we fine-tuned it.

When we add some of these other processes, how can we leverage that transaction monitoring? Historically we have really looked at that to monitor internet banking as a primary focal point, but now we are looking to evolve that into other channels. As I mentioned, the teller time or ATMs, that information is just as valuable there.

Our hope is to evolve this into a complete risk engine, where ultimately our members are identifying patterns and processes, much in line with what we are going to talk about in a few minutes regarding the Red Flags area, but doing that with systems and making it very easy and efficient for our staff to manage risk, identify potential fraud or identity theft and to be able to do it with very simple empowering tools.

Meaning the end goal is not necessarily to say there is a problem here, but to empower our staff to take almost a red/yellow/green type system where we know that this is a very standard transaction, it happens always on Mondays, Wednesdays and Fridays and during our normal business hours so there is really no concern there.

Vice versa, this is an orange or red transaction and typically we don't see a wire going out right after we just saw an e-mail address change. Maybe we want to dig into this one a little bit before we let the transaction go through.

FIELD: You said the magic words there, Kris: Red Flags. Were those the words that you didn't want to hear in 2008?

VANBEEK: They were but it really goes in line with what we were already doing as a credit union anyway. There is a lot of hemming and hawing throughout the industry and that is not to say that it is easy for us to do as well. My comment is that it is in line with the direction we were going in.

At the lowest root of it, I keep overusing the terminology transaction monitoring, but it really is at the heart of how we are approaching this. We internally looked at all the different types of transactions that we do and whether it is originating a membership, changing a number that may be for a member that is going through a divorce, changes of address, wires, ACHs, ATM transactions, deposits, withdrawals, and looking at each and every transaction that a member could do and assigning a rating to it. Is this something that is a higher risk, lower risk or maybe medium risk?

And then the next step is meshing those together. If there is a pattern of two, three or maybe five of these transactions, that pattern is a higher risk pattern of transactions. Once you start to do that, it is not something you do in a day, week or even a month. This is a year-long process; you have the under workings or underpinnings of starting to be in compliance with the Red Flags Rules.

Where you are making a leap is with the procedural piece of it, which in many respects the Red Flag compliance issues are more the procedures of that. It may be my regulatory background, but my thought is that the procedural piece is relatively easy once you have the technology and the infrastructure to support it. We are in a good place now with having taken that approach and biting the bullet a year and a half ago.

FIELD: Have you had your first examination on this yet?

VANBEEK: We have not. Because we are rather a large, fairly complex financial institution, we do frequently have inquiries, whether it be from regulators or auditors. Typically they send out some of their best and brightest to see what we are doing, which was the case as I mentioned secondary authentication or multifactor, we were a case study for a number of those folks just to see how we were doing things.

We are nowhere near perfect but we always try and proactively stay ahead of the curve because we know it takes time. Some of this is big investments; it is a lot of work and if you don't start a year ahead it is tough to meet the goals.

FIELD: Now one of the tenets of Red Flags has been customer or membership awareness. What have you done to make your members more aware of some of the information security issues that maybe they were overlooking?

VANBEEK: As you mentioned earlier, we do have a little higher than average tech-savvy membership so whenever there is something out there, whether it is a technology solution, a technology threat, a regulation change, typically we get more than our share of feedback on that.

Because we are technology oriented, we have maybe more than the average set of tools. One example of that is a product called Message Center. Message Center really is behind the PIN, it is an internet banking tool that was internally developed and as a result of that we are able to send messages to members. The idea is that, "Did you do a transaction? Just wanted to confirm that there is a wire going out or an ATM transaction going out or a change in your e-mail address."

The idea that you may have done that at the teller line or at the ATM or wherever the channel is that you caused that, we have the consistency among all of the different channels and the ability to provide that information in a constructive Red Flag oriented communication. That puts us one step ahead of the regulation and compliance concerns.

We have regular member communication as well, whether it is information that is developed internally by our marketing department or our risk groups. They are pretty aggressive about that and we post a lot of information out on the internet, via e-mails and related channels. We also have a quarterly newsletter that we put a lot of that information out on as well.

FIELD: It sounds like you must have a pretty security-aware staff as well from the top to the bottom.

VANBEEK: We really do. It is really a great team. I have a couple of ex-regulators that I have worked with at the Federal Reserve for example; they have key positions in the department. The whole team really gets it and they are very, very excited. At the root is member service. How can we do this and how can we comply without dumping on the members?

The members are there and we are there because they are. Whether it is setting up best practices or procedures, we try very hard to explain why we are doing what we are doing to our members, not just, "Here is another password you have to remember." It is how we present that in such a way that it will minimize the impact to our members.

FIELD: Are you doing mobile banking, Kris?

VANBEEK: We do. We have mobile banking and we have had it for over five years. It hasn't been explosive in terms of its utilization, but it is something that we see a small segment of our members looking to use.

We do have requests these days for an iPhone application and we have not gone that route yet. But it is something that we are taking a look at and if the right solution appears and we think it is going to meet our member needs, we might take a harder look at it.

FIELD: So we are halfway through 2009 now. What would you say are your major security agenda items for the rest of this year?

VANBEEK: Number one is the idea of pulling all of the information together. For lack of a better way of saying it, we need a risk system or a risk engine. We are doing it today, we are pulling pieces of it together and we are more in a test mode with the idea of assigning a green/yellow or green/orange/yellow/red-type rating to member circumstances.

It's the idea of not dumping that on the member but taking it on ourselves. So whether it is utilizing Message Center or an extra question at the teller line to talk to a member and ask them about recent transaction activity, we are taking initiative. Creating a system that communicates with all of our different channels is the key and it is taking what we have in bits and pieces throughout the credit union and pulling it all together in a really effective approach.

We are always looking at whether it is multifactor authentication or other security parameters. What can we anticipate and what can our members be looking for us to have around the corner in the security world? Sometimes they come out of nowhere. Every once in a while you find a diamond in the rough.

FIELD: Kris, it sounds like you have a good plan and it sounds like you've had a good year.

VANBEEK: In the risk world and in the IS world for that matter 2009 has definitely been a different year. It has been very aggressive. You have seen the changes and I am sure it is not just us, but there is almost a newfound respect in the risk management area and in technology solutions. In 2009 the credit union as a whole has a lot of support in this area.

FIELD: Kris, I appreciate your time and your insight today.

VANBEEK: My pleasure.

FIELD: We've been talking with Kris VanBeek of Digital Federal Credit Union. For Information Security Media Group, I'm Tom Field. Thank you very much.


About the Author

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.



