
Tag: mobile banking

What financial institutions need to know about the rise of digital lending

By Justin Schray; Credit Analyst, Young & Associates

Visiting a local bank or credit union isn’t always practical anymore. Mobile and digital lending platforms are reshaping financial services, giving consumers faster, more convenient and accessible options. Fintech leaders like SoFi, PayPal and Kabbage are driving this shift, using technology to meet borrowers’ changing needs.

One of the most significant advantages of mobile and digital lending is convenience. These platforms allow users to apply for loans, transfer funds and communicate with customer service representatives — all from the comfort of their home or while on the go. The digital loan application process is typically much faster than traditional methods, often delivering approvals within minutes. Furthermore, all necessary documentation is stored securely online, reducing the need for physical paperwork and enabling borrowers to access their information at any time.

Digital lending platforms also offer a wider range of services and investment opportunities. For example, many now provide “buy now, pay later” options, which are particularly popular among consumers making discretionary purchases, such as during vacations or seasonal shopping. Platforms like Kiva focus on providing microloans to entrepreneurs and small businesses, supporting underserved markets and fostering economic growth. This diversity in offerings ensures that digital lending can cater to a variety of financial needs and consumer preferences.

How financial institutions can compete and adapt to digital lending

To remain competitive in this evolving landscape, traditional financial institutions must invest in digital transformation initiatives that align with both consumer expectations and regulatory frameworks. While fintechs have led the charge in agility and innovation, banks and credit unions can leverage their established reputations, trust and infrastructure to deliver equally compelling digital lending experiences.

Key steps institutions should take include:

  • Invest in digital infrastructure: Banks must adopt modern loan origination systems (LOS), mobile banking platforms and secure cloud-based storage to replicate the speed and accessibility offered by fintechs.
  • Partner with fintech providers: Collaborations with third-party technology vendors can accelerate the rollout of digital lending capabilities. Many vendors offer white-label or integrated solutions that align with the institution’s branding and compliance requirements.
  • Enhance user experience: Developing intuitive user interfaces and streamlined applications is essential. Borrowers expect minimal friction, clear disclosures and mobile responsiveness throughout the lending process.
  • Implement robust data analytics: Leveraging data to enhance underwriting, detect fraud and personalize lending solutions gives traditional institutions a competitive edge. Automation tools and AI-based decision-making can further improve efficiency.
  • Staff training and change management: Internal teams should be trained not only on new systems but also on the institution’s digital strategy and compliance responsibilities. Change management efforts are critical to ensuring organization-wide adoption.

Maintaining regulatory compliance with digital lending

Rolling out digital lending solutions requires strict adherence to consumer protection regulations, data privacy laws and industry best practices.

Institutions must:

  • Comply with lending regulations: Ensure all Truth in Lending Act (TILA), Equal Credit Opportunity Act (ECOA) and Fair Credit Reporting Act (FCRA) disclosures are digitally available and easily understood by consumers.
  • Protect customer data: Maintain robust cybersecurity and encryption protocols to safeguard personally identifiable information (PII) in compliance with the Gramm-Leach-Bliley Act (GLBA) and other relevant laws.
  • Establish vendor due diligence programs: When working with third-party vendors, institutions must perform proper risk assessments, monitor ongoing performance and establish clear service-level agreements.
  • Maintain audit trails and documentation: Regulators expect comprehensive documentation of loan decisions, disclosures and communications. Digital systems should be configured to automatically store and organize these records.

By investing in the right technologies, developing a thoughtful rollout plan and embedding regulatory compliance into each phase, financial institutions can successfully transition into the digital lending space and offer competitive alternatives to fintech challengers.

ADA Website Compliance Notes from the Field

By: Mike Lehr, Human Resources Consultant

About this time last year, the topic of website accessibility and accommodation under Title III of the Americans with Disabilities Act (ADA) hit the community banking industry with full fury. Since that time both banks and service providers have upped their game. So, now is a good time for us to assess and share what we have learned in our ADA website audits.

There are two ways to assess sites. The more common and less expensive way involves scanning the site using software. Based on the logic coded into it, the software identifies potential issues. The second, less common, and more expensive way involves professionals or sight-impaired people using the site with a screen reader. A screen reader is software that converts a site page to text and reads it to the user.

Both ways involve a professional overseeing the process to interpret the results. Yet something else drives both ways and tends to lead clients astray: measurability. The old adage of “what gets measured gets done” hits full force here. However, just because it’s a number doesn’t mean it’s more important. We are finding that the software scan, because of its beautifully quantifiable graphics, is causing many of our clients to focus on minor, even insignificant, aspects of their sites that have little to no impact on the site’s overall accessibility.

In the end, if a bank ever ends up in court, it’s not about whether software can access the site. It’s about individuals with disabilities. Yet that is much harder to quantify into an eye-catching chart. For instance, a client called worried about their PDFs. The software scan flagged them as inaccessible. Moreover, they had spent a lot of time trying to fix them. The nature of the documents was such that they required a professional printer; in short, they weren’t Word documents. Upon closer look, there were only a dozen of them. All but one were on the same page of the site. Furthermore, the page saw little traffic from customers and prospects. Plainly, the page wasn’t important.

Yet, since bankers can be conscientious to a fault, it bugged them that these PDFs kept showing up “red” as an issue. By itself that’s not bad. In the context of the whole site, though, it is. This was energy, time, and money diverted from far more important issues. One was whether a sight-impaired person can navigate the site. Software can’t determine this. It can only be determined reliably by using a screen reader or by observing a sight-impaired person trying.

For instance, it’s not uncommon these days to find sites that have multiple ways to navigate them. On one hand, you have the traditional horizontal navigation. On the other, you have the more recent mobile-friendly navigation (the “hamburger menu”). Still others use vertical left-hand (or, less commonly, right-hand) navigation. That’s three ways to navigate the site. We’ve seen these on a couple of sites already. This doesn’t even include all the links and smaller menus that might be contained within the page.

Now, to a sight-impaired person, this is nothing but chaos. Keep in mind, a non-sight-impaired person can see the whole site at once. It’s two-dimensional. He/she can select whatever menu they like. A sight-impaired person doesn’t have this luxury. That’s because a screen reader can only read one word at a time. It’s a linear process, one-dimensional.

Also, he/she might tell the screen reader to read only navigation menus. So, if he/she starts hearing two or three different menus, it becomes hard to visualize how he/she might use the site. To a sight-impaired person, they blend together as one. That’s frustrating. It’s also something else . . . inaccessible.

Yet, in most cases, as long as these menus are coded and tagged right, the software scan won’t catch them. Moreover, and back to the original point about measurability, it’s hard to quantify this user experience. The solution, then, is to code all but one of these menus to be invisible to screen readers. Of course, that means the remaining one has to be comprehensive and robust.

In the end, it’s a battle between easily measurable but unimportant PDFs and unmeasurable but important navigation. What gets measured gets done. Thus, the unimportant gets done and the important doesn’t. That’s why we can give compliance ratings to clients who still have issues on their software scans and non-compliant ones to clients whose scans show no issues.

In short then, invest in a screen reader. If not, partner with someone who has one. Banks can generate much goodwill by reaching out to groups and societies that support Americans with Disabilities. Remember, computers don’t use sites. People do. People also testify in court.

For more information on this article or to learn how Young & Associates, Inc. can assist your bank with its ADA website compliance, contact Mike Lehr at 1.800.525.9775 or mlehr@younginc.com.

The Changing Role of the Community Bank IT Manager

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

At small community banks, the IT Manager role was once, and in some cases still is, one of many hats worn by the President or CFO. However, this role is quickly evolving into a nearly full-time position even at smaller community banks. There are a number of factors that are contributing to this change, including increased use and sophistication of technology, increased regulatory scrutiny for cybersecurity, and the rapidly changing threat landscape.

It was not long ago that the IT Manager only needed to support a few internal servers and workstations. Over time, technology and customer expectations have evolved, leading to increased network complexity through the requirement for additional internal servers to support new services, the use of server virtualization, and connectivity to additional outside networks. In addition, the use of mobile technology has expanded dramatically leading to employees using mobile devices to access internal network resources, and banking services being provided to customers through their mobile devices.

The amount of time required to properly manage and monitor a bank’s information systems has increased dramatically. However, in many cases, community banks have not significantly increased the human resources assigned to the management of their IT environment. We have had numerous discussions with bank IT personnel indicating that they do not believe that they have enough time and resources to properly address the changing IT regulatory requirements and new cyber risks. While some community banks have outsourced the management of their network and other systems to a service provider, this does not relieve the bank of its role in the oversight of these systems. Additionally, outsourcing increases the time that the bank must spend to manage these vendor relationships.

Here are some of the areas where we have seen community banks spending additional time to perform IT and information security functions:

  • Vendor Management. As the bank implements new services or engages service providers to manage existing services, additional time is required to monitor these vendors. Significant time is needed to obtain the required documentation from each vendor and to review and analyze this documentation.
  • Threat Intelligence. Threat intelligence sources are monitored to identify threat sources and their current activities to identify and implement mitigating controls that will limit the potential impact of these activities on the bank. Significant time can be spent analyzing the data from threat intelligence sources to determine its applicability to the bank and to then implement or modify mitigating controls.
  • Risk Assessment and Policy Maintenance. As the bank adds or changes technologies or services, risk assessments and policies must be created or updated to address their risks. In addition, risk assessments need to be updated periodically to ensure that the risks associated with new or changing threats are evaluated and mitigated. A cybersecurity assessment must be completed and reviewed periodically based on changes within the bank’s IT environment.
  • Ongoing Employee Information Security Awareness Training. With most banks providing external email access and internet access to all of their employees, each employee has become a critical link in the security chain where the result of one employee clicking on a malicious link in an email can be an organization-wide catastrophe. Annual training is no longer adequate to keep employees apprised of current threats such as ransomware and phishing scenarios. A significant amount of time can be spent developing training materials and distributing them to employees on an ongoing basis.
  • Event Management and Monitoring. Network devices, operating systems, and applications must be monitored to identify malicious activity. In the past, many banks monitored only perimeter devices such as firewalls and believed that those devices would stop any threats. However, many current attacks start with the installation of malicious code on an employee’s workstation to bypass the controls imposed by the firewall; the attacker then moves around the internal network, potentially undetected. Monitoring for malicious activity on all of the bank’s internal network devices can require significant resources.
  • Patch Management. Patch management is more than just patching Microsoft operating systems and applications such as Adobe Acrobat and Java. It includes updating the software running on network devices such as firewalls, routers, switches, DVRs, and printers to address any known vulnerabilities. Additional time must be spent to identify the release of new patches, and in many cases the patches must be installed manually on each network device.
  • Disaster Recovery / Business Continuity Planning and Testing. A bank’s increased dependence on technology requires formal documentation for maintaining business continuity and testing of the selected plans to ensure that the bank can recover from a disaster within a reasonable time frame and continue performing its daily functions. Additional time is required to initially document recovery strategies and then modify them based on system or vendor changes. Time is also required to prepare testing strategies, coordinate testing schedules with vendors, and analyze the test results.
  • Incident Response Planning and Testing. Many experts say that it is not a question of if a business will be hit by some form of breach, but a question of when. Banks must have a well-documented plan in place to detect and respond to an information security incident. In addition, the plan needs to be tested periodically to ensure that all employees are aware of their roles and can respond to an incident effectively and efficiently.

Potential Costs of a Breach
Why should changes to the technology used by the bank, changes to regulatory requirements, and the evolving threat landscape be a significant concern for the board of directors? The board of directors is ultimately responsible for the management of the information security program, and failing to provide the appropriate resources to manage the IT and information security functions at the bank can lead to regulatory enforcement actions, harm to the bank’s reputation, and significant costs associated with a data breach.

According to the Ponemon Institute’s 2017 Cost of Data Breach Study: United States, performed June 2017, the average cost for each lost or stolen record containing sensitive and confidential information is $225. This study also indicated that breaches involving businesses within the financial services industry had a per capita cost of $336.

Insurance Coverage
Another consideration for the board of directors is insurance coverage. While a bank may have a cyber insurance policy, management needs to thoroughly understand the requirements for this policy and ensure that it is meeting all of the minimum security requirements of the policy. Insurance companies may reject a claim or even seek repayment of a settlement if defined controls were not in place at the bank at the time of a breach.

Using the example of a community bank with assets of $100 million and 12,000 customer records, a breach of those 12,000 records could cost the bank $4 million. This would be a substantial loss if insurance coverage is not appropriate, and even more significant if an insurance claim is denied due to the bank’s failure to maintain the minimum security requirements defined within the policy.

Continuing Education
With the rapid changes in technology and the changing threat landscape, continuing education for the bank’s IT staff is also a critical consideration. A bank’s IT Manager must learn how to change the bank’s mitigation strategies to address evolving cyber threats rather than relying solely on the strategies that have been used in the past. There are numerous options for continuing education such as cybersecurity conferences sponsored by state banking associations and webinars.

Cybersecurity Assessment Tool Staffing Requirements
With the regulatory focus on cybersecurity, another illustration of the need to evaluate the human resources required to effectively manage the bank’s information systems can be found in the declarative statements within the staffing section of the FFIEC’s Cybersecurity Assessment Tool as shown below. Attainment of the baseline cybersecurity maturity level is required for all banks as this level identifies the minimum expectations required by law, regulations, or supervisory guidance. The declarative statements within the evolving cybersecurity maturity level will also need to be attained by small community banks as they increase their maturity level over time.

Baseline

  • Information security roles and responsibilities have been identified.
  • Processes are in place to identify additional expertise needed to improve information security defenses.

Evolving

  • A formal process is used to identify cybersecurity tools and expertise that may be needed.
  • Management with appropriate knowledge and experience leads the institution’s cybersecurity efforts.
  • Staff with cybersecurity responsibilities have the requisite qualifications to perform the necessary tasks of the position.
  • Employment candidates, contractors, and third parties are subject to background verification proportional to the confidentiality of the data accessed, business requirements, and acceptable risk.

Conclusion
In summary, the board of directors and senior management must carefully consider the resources required to appropriately manage its information systems based on the rapid technological, regulatory, and threat landscape changes. Strategic plans should consider the additional workload that will be created to support changes within the bank’s IT environment to achieve management’s strategic goals, and ensure that appropriate human resources are included within its plans.

For more information on this article or how Young & Associates, Inc. can assist you, contact me at 330.422.3447 or mdetrow@younginc.com.


Do You Know Where Your Data Went Last Night?

By: Mike Detrow, CISSP, Senior Consultant and Manager of IT

Maybe your data went to a football game on an employee’s smart phone. Or, perhaps your data met some international friends at an offsite backup location used by one of your service providers. In either case, if you do not know how your data moves and where your data is stored, you cannot protect it.

During our IT Audit engagements, it is not uncommon to see bank employees storing or transferring non-public information (NPI) using services such as Google Drive or Dropbox. This creates a very dangerous situation if one of these services suffers a data breach or the data is synchronized to personal devices infected with malware. In most of these cases, senior management does not understand how employees are handling NPI.

The importance of understanding and controlling NPI data flow and data storage is emphasized in the newly released version of the FFIEC’s Information Technology Management Handbook, as well as in the declarative statements to meet the Baseline maturity level within the Cybersecurity Assessment Tool. This article will discuss a process that can be used to document the data flow and data storage locations used within your institution and those used by your third-party service providers.

The columns below illustrate one way an institution can document data flow and data storage. You will first identify each Service or Application that uses NPI; examples include core processing, lending platform, internet banking, and online loan applications. Next, you will identify the Vendor(s) associated with each service or application. The remaining columns are:

  • Process Type: the various processes performed using the specific service or application, which may use different methods for accessing the data or result in data being transmitted through different connectivity types. Internet banking is an example: data may flow between the core processing system and the internet banking system through a dedicated circuit, while customers access the internet banking system through a home internet connection.
  • Type of Data: most often customer NPI, but may also include proprietary institution data.
  • How the data is accessed: institution workstations, institution servers, employee mobile devices, customer PCs, and customer mobile devices, among others.
  • Connectivity Type: dedicated circuits, virtual private networks (VPN), local area networks (LAN), wide area networks (WAN), wireless networks, or the internet.
  • Controls in Transit: encryption, firewall rules, patch management, and intrusion prevention systems (IPS).
  • Primary Storage Location(s): known locations where the data is stored, such as application or database servers, data backup devices, service provider datacenters, and service provider backup locations.
  • Optional Storage Location(s): other places where data can be stored, such as removable media, an employee’s workstation, mobile devices, Dropbox, and Google Drive. Identifying these may take a significant amount of time, as this step involves discussions with application administrators to understand the options for exporting data and discussions with employees to understand their processes for transferring and storing data. A review of this information may lead to the implementation of additional controls to block the use of unapproved sharing and storage services.
  • Controls at Rest: encryption, physical security, and environmental controls.
  • Access Rights: who can access the data at any point in time, which may include institution employees, service provider employees, and subcontractors used by a service provider.

This may seem like a daunting task to complete, and it may take a significant amount of time depending on the size and complexity of your institution. One option for implementing this process is to start with your annual vendor review process rather than trying to complete the process for all of your services and applications at one time. When you are gathering and reviewing documentation from each service provider, complete the table described above for the service or application provided by that service provider. Documentation for internally managed systems and applications can also be completed over a period of time.

Upon completion of this process, you should have a full understanding of how your data moves between devices and where the data is stored. This information will allow you to justify the risk ratings within your information security risk assessment and identify additional controls that need to be implemented to properly protect your data.
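As an added illustration (not part of the article, and not a Young & Associates tool), the Python below models the inventory columns described above as one record per row and runs a few review checks over constructed sample rows; the policy lists for unapproved storage services and untrusted connectivity types are assumptions, not from the article.

```python
"""Added example (not from the article): an NPI data-flow inventory with the column set
described above, plus checks that flag rows where additional controls may be needed."""
from dataclasses import dataclass

# Hypothetical policy lists (assumptions, not from the article): storage services not approved
# for NPI, and connectivity types that cross networks the institution does not control.
UNAPPROVED_STORAGE = {"dropbox", "google drive", "removable media"}
UNTRUSTED_TRANSIT = {"internet", "wireless"}


@dataclass
class DataFlow:
    """One inventory row; field names follow the columns described in the text."""
    service: str
    vendor: str
    process_type: str
    data_type: str            # "customer NPI" or "proprietary"
    accessed_from: list
    connectivity: list
    controls_in_transit: list
    primary_storage: list
    optional_storage: list
    controls_at_rest: list
    access_rights: list


def review_flow(flow):
    """Return (code, message) findings for one row; an empty list means no gap was found."""
    findings = []
    if flow.data_type.lower() != "customer npi":
        return findings       # the checks below are scoped to customer NPI
    connectivity = {c.lower() for c in flow.connectivity}
    in_transit = {c.lower() for c in flow.controls_in_transit}
    at_rest = {c.lower() for c in flow.controls_at_rest}
    if connectivity & UNTRUSTED_TRANSIT and "encryption" not in in_transit:
        findings.append(("transit-unencrypted", "NPI crosses an untrusted network unencrypted"))
    if "encryption" not in at_rest:
        findings.append(("rest-unencrypted", "NPI is stored without encryption at rest"))
    for place in sorted(s for s in flow.optional_storage if s.lower() in UNAPPROVED_STORAGE):
        findings.append(("unapproved-storage", f"NPI can be exported to '{place}'"))
    if any("subcontractor" in who.lower() for who in flow.access_rights):
        findings.append(("subcontractor-access", "confirm vendor due diligence covers subcontractors"))
    return findings


def review_inventory(flows):
    """Map 'service/process type' to its findings, keeping only rows that need attention."""
    report = {}
    for flow in flows:
        findings = review_flow(flow)
        if findings:
            report[f"{flow.service}/{flow.process_type}"] = findings
    return report


# Constructed sample rows: the internet-banking split the text describes (core-to-IB over a
# dedicated circuit vs. customer access over the internet) plus a loan-application export.
SAMPLE_INVENTORY = [
    DataFlow("Internet banking", "Example IB Vendor", "core-to-IB sync", "customer NPI",
             ["institution servers"], ["dedicated circuit"], ["encryption", "firewall rules"],
             ["service provider datacenter"], [], ["encryption", "physical security"],
             ["institution employees", "service provider employees"]),
    DataFlow("Internet banking", "Example IB Vendor", "customer access", "customer NPI",
             ["customer PCs", "customer mobile devices"], ["internet"], ["encryption", "IPS"],
             ["service provider datacenter"], [], ["encryption"], ["service provider employees"]),
    DataFlow("Online loan application", "Example LOS Vendor", "application export", "customer NPI",
             ["institution workstations"], ["LAN", "internet"], ["firewall rules"],
             ["application server"], ["employee workstation", "Dropbox"], ["physical security"],
             ["institution employees", "service provider subcontractors"]),
]

if __name__ == "__main__":
    for key, findings in review_inventory(SAMPLE_INVENTORY).items():
        print(key, *[f"\n  [{code}] {message}" for code, message in findings])
```

Only the loan-application export row is reported, with one finding per column gap, which is the kind of output that feeds the risk-rating justification mentioned above.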

For more information on this article, contact Mike Detrow at 1.800.525.9775.
