Security's Role in a Bank Acquisition - Matthew Speare of M&T Bank

Banks fail, are closed and acquired every week. The business processes behind these conversions are proven and precise. But what is the role of information security in a bank acquisition? When does the security group enter the discussion, and what's its role in the transition?

Matthew Speare of M&T Bank, which recently acquired Provident Bank, discusses:

The role of information security in a bank acquisition;
Successes and challenges in conducting a conversion;
Advice to other institutions that might acquire or be acquired.

Speare oversees security for M & T Bank Corporation, the nation's 17th largest bank holding company, based in Buffalo, New York. He is responsible for developing and sustaining an information risk program that effectively protects the personal information of millions of M & T Bank customers. His responsibilities include information security management, IT compliance and risk management, corporate emergency and incident response, and business continuity management. Matt is also a Major in the Army National Guard, serving as the 42nd Infantry Division Aviation Operations Officer, and is a AH-64 Apache Attack Helicopter pilot.

TOM FIELD: Hi, this is Tom Field Editorial Direction with Information Security Media Group. We are talking today about the work that goes on for a banking acquisition. We are talking with Matt Speare of M&T Bank who's been involved in one or two of those. Matt, thanks so much for joining me.

MATT SPEARE: Oh, thanks so very much Tom. I certainly appreciate the opportunity to share a little bit.

FIELD: Now, Matt, I know you've just been involved in a recent acquisition. When this comes down, what is your security group's task?

SPEARE: You know, when we look at kind of the breakdown and the tasks that occur, obviously whenever you are looking on taking a group of employees, there is all of the provisioning into the acquiring bank system so that on day one of conversion they have the kind of access they need. But also with that, from an external point of view, that is a time of transition for customers as well as employees. Whenever you have change occurring, there is certainly the opportunity for fraud to occur both internal and external because of that change. So part of our task is to be able to anticipate, based upon experience and trends that we see, what kind of attacks will be thrown at our customers and how to provide them with the type of education that they need, so that they hopefully won't fall victim to it, as well as a heightened sense of monitoring around what is occurring so that we can detect and react to any attempted fraud before it has the opportunity to affect customers.

FIELD: So, I know you are supposed to make this look like it happens overnight, but it absolutely doesn't. My question to you, Matt, is when does your group get involved when there is a discussion about an acquisition?

SPEARE: Well, usually at some point during the due diligence phase. So, while both companies are actually doing the discovery of each other, we get involved at that point. So we have a good idea of what would be the potential cause of our portion of an acquisition and also start understanding what is being acquired, so that we can identify those gaps that invariably occur, and how to mitigate the risks of the overall conversion. And so certainly it is well into the due diligence when we get pulled in, but amazingly enough it is still part of the due diligence, versus the announcement has occurred and then all of a sudden everyone has to dive in and figure out to make it happen. So that upfront planning is really key so that you can put all your mitigation plans in place.

FIELD: Matt, what has to be done by your group? What kind of a timeline before an acquisition is absolutely final?

SPEARE: Well, once you get past that due diligence phase, which is obviously driven by business justification for conducting the acquisition. So while you have your input around some of the cost and resourcing it would take to make the acquisition and make is successful, then usually immediately following the announcement it starts the process of putting together all of the plans. Since we do have a fair amount of experience in doing these, we do have kind of -- I wouldn't say a cookie cutter approach, but we have a mature framework on how we go through and conduct these conversion processes.

The timeline will vary. Sometimes there is impetus to do it in a very short period of time -- you know, somewhere in the area of 60 days -- or sometimes it takes longer and there's not as much of a reason, and so the acquiring could take longer, let's say six months, to go through the planning process before they get to that legal day one and then how quickly after that you actually do the conversion. When you look at banking-type acquisitions, those tend to be very successful both from an actual conversion as well as from getting the business synergies. The conversion happens very closely after the actual legal acquisition, so as quickly as you can conduct that conversion and do it in a way that's not going to affect customers, the better off that you are.

FIELD: And I believe the last big acquisition for you folks was Provident Bank correct?

SPEARE: Yep certainly way and finished that up actually Memorial Day weekend.

FIELD: One to remember, right?

SPEARE: Oh absolutely, and, well, it is our favorite time. When you look at holiday weekends, they actually give you a little bit more time to get through the conversion should something unanticipated occur, and, well, we're use to giving up our holiday weekends for these.

FIELD: So walk us through what your group's activities were for that acquisition. What did you have to do over that Memorial weekend in particular?

SPEARE: Sure. Well, actually up to that point, when you start looking 30-to-60 days out from an actual conversion activity around an acquisition, there are all kinds of legal notifications that go out to the customers, as well as the acquirer is going to send a lot of material to the customer as to what to expect as their accounts are converted over, things are going to be different, or you know that catalog of services and how they map to what they currently have. Actually it is during that timeframe that you are probably most at risk, because amazingly enough it seems that fraud -- a lot of people that conduct fraud for a living seem to seize that opportunity because it's that period of transition when things can be a little confusing for the customer.

They use that opportunity to strike and try to put some kind of fraud against the customer. What we typically see is heightened number of phishing attacks, as well as a social engineering attacks where they are trying to get customer account information, all under the guise pretending to be somebody generally pretending to be the acquirer, so that it seems like the acquiring bank is trying to help the customer. It's really a fraudulent type effort. So you know during that period up to the actual conversion activity where signs get changed and new cards are issued, you are at a period of risk where you really have to monitor that. Then the conversion weekend itself, or what you typically see during that, that's when employee user accounts go live, a lot of testing of appropriate access has to occur, and then you work through the internal problems around access because invariably things get missed that have to be remediated, then the transition of the customers over to the use of their new cards.

For example for ATM debit, the use of their new checks ... so there is a heightened period of monitoring through that conversion period and then immediately following because you are still going to be dealing with customers or sometimes people who pretend they were customers that you know you are trying to help them make that transition over to you as the acquirer. So there are lots of opportunities for things to go wrong. The more hand-holding you can do with your new employees as well as the more vigilant you can be in your monitoring of exceptions, the better off you will be and be able to tap down and hold back on fraud losses that invariably occur around an acquisition, as well as making that as seamless transition for customers and employees as possible.

FIELD: So you are going in over this last weekend, you are really ripping out machines and putting in new ones?

SPEARE: Oh. absolutely. Well everybody is modeled a little different. Ours typically has been where we will replace all equipment and convert to our networks, and it works very well for us. We are pretty practiced at it. Some others, if you look at Bank of America and their recent acquisition, well, they don't convert for a long period of time, but operate independently. So it really depends on what the model is for what your acquisition strategy. What we find is that the biggest synergy from a business standpoint is when we convert them over to our system as well as be under our banner, and that we are able to actually do a better job servicing the customer and not operate as disjointed organizations.

FIELD: Sure. Now what do you see as the biggest successes of your recent conversion right now?

SPEARE: Well, I think that when you look overall that the number one fraud we were able to not suffer any major frauds that occurred during the last conversion. As well as I think we did a very good job being able to very active in our communications with our new customers that were coming over from the acquired bank, and then make that a seamless transition for them. So actually, our attrition rate has been much less than anticipated because of that ability to service the customer as well as make it very clean, crisp, concise, communications to them, so it was not as confusing as it could be.

FIELD: Now on the flip side of that, what do you find to be your biggest ongoing challenge or challenged during the conversion process even?

SPEARE: Well, I think every time that you go into a conversion, it is the unknown in terms of what kind of fraud is going to be attempted against the conversion activity. It is just like we have to deal with our normal day-to-day business that every time you turn around there is some new fraud avenue that has attempted to be exploited.

Well, you learn something new from every acquisition on what is going to be the fraud this time that I was absolutely not anticipating, and know that is going to occur and make sure you have a very strong framework to be able to deal and react to it. Ultimately, you are trying to do the best that you can for your organization so that they don't suffer losses that are unanticipated, but every more importantly making sure that your customers don't suffer losses during that conversion activity, again, because part of what you are doing is you are getting new customers that you hope to be able to grow so you want to make it a very solid and positive experience for them.

FIELD: Now, Matt, as you know we get a number of institutions that have acquired or been acquired this year. If you were to give advice to another institution that is going through an acquisition from either side of it, what advice would you give to them?

SPEARE: Well, I think that those acquisitions that are most successful are very collaborative, and we've been very fortunate in recent years that despite a lot of times when an organization is acquired -- and there can be bad feelings on the part of employees. So you want to make them a very positive part of the acquisition because certainly you are dependent upon them to help you reach success. If they were to shut down and not tell you about their customer base and be confrontational, it makes it very difficult to get through the acquisition process. So I think understanding from both sides: This is something that happens in a business cycle, and so the way that you work together is absolutely imperative, and even for employees from an acquired institution that are not going to be retained, well, amazingly enough banking is a relatively small industry, and if you are going to stay in the financial services industry for your career, you are going to run into a lot of the same people over and over again. So you want to be recognized for being part of a collaborative team on that. So I think that those that really plan it out, plan out the acquisition process and do a solid job of communicating and making each other feel part of the process, those are the ones that are most successful.

FIELD: Very good, Matt, I appreciate your time and your insight today.

SPEARE: I was glad to be a part of it. Thanks very much, Tom.

FIELD: We are talking with Matt Speare of M&T Bank about acquisitions. For Information Security Media Group, I'm Tom Field. Thank you very much.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.