Changing Security Environment Changes Risks
Credit unions confront a very challenging operating environment today. They face strong member demand for many cutting-edge financial products and intense competition from other financial institutions. At the same time, credit unions face increasing scrutiny of their IT security by examiners, greater regulation and higher compliance costs, all of which are shrinking bottom lines.
For small credit unions to survive and thrive, they need to be able to offer competitive products while keeping pace with a changing security environment. This can be a tall order, as many credit unions do not have the resources to manage and secure complex systems.
Faced with these challenges and constraints, outsourcing may allow credit unions to maximize their limited resources and compete effectively in an environment that demands both greater access to sophisticated technologies and greater security. There are significant benefits of an outsourcing strategy, but giving up control also entails certain risks, which credit unions need to be prepared to mitigate.
Outsourcing of core banking systems can offer many advantages, although from a cash flow perspective, in-house management will generally be less expensive than outsourcing. But when credit unions take into account some of the hidden costs of managing this core banking function on their own (including labor for system maintenance, day-to-day operations and training, implementation of security controls and batch processing operating control, mainframe and database expertise, and disaster recovery), it can shift the bottom line ledger in favor of outsourcing.
Outsourcing can provide for greater scalability in a market where more and more consolidation is occurring. It also offers more flexibility in integrating additional banking products and services that customers are beginning to expect, including internet banking, bill payment, mobile banking and account aggregation. Additionally, the vendor can assist in managing security controls and in maintaining the continuity of business operations.
Business continuity should be an important consideration. In-house systems are susceptible to availability interruptions, whether caused by a server or database being damaged or corrupted, by your physical building being damaged by fire or natural disaster, or by disruptions in the local or wide-area network. Service providers can offer high availability and redundancy controls and usually manage the backup and recovery of systems. Furthermore, firewalls, intrusion detection systems and wide-area networks are highly technical systems that demand high levels of in-house expertise. Most small credit unions do not have the capacity for real-time monitoring of these systems, even though the risks of a potential exposure from a failure are high.
As regulators are fond of saying, you can outsource the function but not the responsibility, and this is true when it comes to outsourcing core banking functions. As with any strategy, outsourcing mitigates certain risks to the credit union (like an undetected firewall breach) but also requires that credit unions forfeit a certain degree of control over their own operations. Thus, a successful outsourcing strategy demands that credit unions carefully select and manage their outside vendors.
First, vendors have a wide range of capabilities and services for managing network and operations. Credit unions need to conduct a level of due diligence in selecting an outside vendor commensurate with the level of functions they are outsourcing. This due diligence process should involve key stakeholders, including those responsible for important business functions, information technology and information security. Credit unions can undertake a range of due diligence activities, from assessing industry reputation and experience to conducting control assurance audits and reviewing any regulatory or audit examinations and findings.
Second, vendor monitoring is important for reducing risks and ensuring that the credit union is receiving the level of service for which it contracted. Reviewing SOC reports, ensuring that vendors are meeting service level agreements, and understanding significant changes to company personnel or service delivery are among the measures that credit unions can take to manage service providers.
One mistake many financial institutions make is thinking that outsourcing IT functions is a substitute for having to think through technology issues on their own. But, in fact, successful outsourcing requires that it be built into a robust internal IT strategy. With a clear picture of its IT needs and capabilities, a credit union can leverage outsourcing to balance consumer demands for services and mobility with its need for security, compliance and cost management.
Gerald R. Gagne is an owner of Wolf & Co. and leads the firm’s risk management services practice. Contact 617-428-5455 or firstname.lastname@example.org