Good News, Bad News: Protecting Your Bank Against Bad Actors

In this episode of The Purposeful Banker, Alex Habet speaks with Steve Bartels from Q2 about the state of cybercrime in financial services and what banks and credit unions can do to fight it.

Helpful Links

[eBook] Q2's Security Strategy
[Website] cisa.gov
[Report] 2022 AFP Payments Fraud and Control Survey

Transcript

Alex Habet

Hi, welcome to The Purposeful Banker, the leading commercial banking podcast, brought to you by Q2 PrecisionLender. I'm your host, Alex Habet. And boy do I have a crazy new episode for you all today. This is something completely new, completely out of the box, especially given this show's history.

Now, speaking of this show's history, there's been a long and established pedigree centered around commercial relationship management, right? We've always talked about things like pricing, making sure we're cross-selling in the most effective way possible or navigating choppy waters in the market, or unknowns with the rate environment and that sort of thing. So a lot of the trade craft that comes with dealing with clients, especially in the banking business.

Now, when we're busy pouring our passion into the products that we're making as an organization, we constantly look for ways to interact with those who interact with our products to better understand how we can serve them, whether we need to actually bolster our areas of support or have more spirited debates around roadmaps. That's all part of the journey that we embark on together with our clients. And this very channel's just one of those ways that we like to at least get online and learn and share what we've learned on our collective journeys together. But again, just bringing it back as it relates to what we typically talk about on this channel, it's why we've always hovered around relationship strategies by and large, right? It's kind of centered around the products that PrecisionLender traditionally has built.

But there's so much more that goes on in banking that we've never really talked about here. So just in kind of a quick summary of PrecisionLender's more recent history, in late 2019, Q2 acquired PrecisionLender. And while a lot of the organization operated just as it was pre-acquisition, that as the fusion of the companies happened behind the scenes, there's been a lot of expansion in the mutual understandings of the inner workings of banking. Q2 offers a rather large suite of industry-leading capabilities across several mission-critical areas, and we internally have gotten to learn a lot about that. That's been a tremendous benefit for us. So when we were sitting planning for this week's episode of the show, we thought, "Well, why not bring that into this show as well?"

And of all places to start, we thought it might be a really interesting place to begin certainly on a topic that we tend to see in the headlines all the time, and it's certainly one that's on the minds of today's best bankers, consumers, solutions providers, and everyone else. And it's all about security. The more our society relies on and evolves and utilizes technology, the more we become vulnerable to cybercriminals who are constantly looking for new areas, new surface areas to attack, to infiltrate, steal, and do damage.

So today I'm welcoming Steve Bartels, Q2 senior director of Solutions Consulting, here to the show. And full disclosure, Steve is my boss, so he's going to get a lot of softball questions and just being told how great he is all the time. But Steve is a really interesting person to bring on this show because he's got one of these experiences that's actually pretty rare to find. He's one of the founding partners of Centrix, a company that created leading fraud-fighting technologies that Q2 acquired back in 2015. I think this is also his first time on the show. So Steve, I want to make sure that you get a very spirited and warm welcome to the podcast. Thanks for joining today, Steve. Take it away. Let us know who Steve Bartels is.

Steve Bartels

Alex, thanks for the invitation. I appreciate it. And also, in full disclosure, I think we talked about me coming on this podcast maybe well before you and I got to start working together on the same team. So happy to be here, appreciate the invitation. And I just want to tell you thank you for everything you do with this podcast. I mean, you can travel across the country ... I go to a lot of different conferences, and people are talking about this podcast, so you're moving the needle. So thank you very much for continuing this work.

A little about me. So I think probably I would start in the early '90s. I was working for one of the big three core providers, I was doing core implementations every three weeks, traveling to banks and doing core convergence for them, which as you know, can be a pretty challenging game. Eventually moved into a development role at that same organization and then got out of that for a while and was a consultant in the insurance industry. And then, as you mentioned, I was one of the partners with a company called Centrix Solutions. Just had my 20-year anniversary with that company. That's kind of hard to believe, quite honestly. And as you also mentioned, Q2 acquired us in 2015. So I've gone on about seven years, I guess now, with Q2. And so I would say probably over all of those years I've been really focused on protecting account holders from transaction fraud. And we'll talk a little bit about the products that Q2 offers in that space. And we've also got some products in terms of regulatory compliance, and that's something else that I've been helping financial institutions with over my career.

Alex Habet

Well, again, appreciate you coming on the show. This perspective is actually just something we've never had here within at least the previous set of guests that we've had on this show to talk about this topic. So thanks for orienting this audience. Now, I just want to make it a little bit clearer about who typically listens to this show just for your benefit. So we have traditional banker, relationship managers, executive level in the commercial banking space. They might not necessarily be 100% in tune or focused on this topic. And so we just like to cover the basics here, just what are some of the macro level things, and as we're expanding the reach and the topic content of this show, keep that in mind.

So we might be getting some questions after the fact based on what some of the audience members might hear today, but I figured we could just kick things off. So let's look at how big of an issue are we talking about? We've all heard how high priority it is for any institution to focus on security and fighting cybercrime, but just how big of an issue is it, if you can at least quantify it, how big is it in terms of FIs and the businesses they serve?

Steve Bartels

Yeah, I don't know if I can quantify it other than to say that it's a huge, huge problem. There's so many different areas that I could talk about here, but if I think about Q2 just published a security eBook that I think we can provide in the links and folks can download it from our website, but if I think about how that document was structured, I think about really four different areas. The first area is an infrastructure layer and application layer. The data layer is the third-level layer, and I'll talk about the fourth one here in just a second, but when we talk about cybercrime, cybersecurity, and what corporations and what financial institutions need to think about, it has to do with those four things.

And so infrastructure layer, what am I talking about there? I'm talking about what do we do to protect the financial institution from any type of intrusion into their systems. And so we're talking anything from firewalls to zero-trust architecture. If we talk about the application layer, we're talking about clients now have gotten through and been authenticated to get into the systems and they're into the programs now. And so now what do we do in terms of allowing them once they're in one of our programs, allowing them access? And what I mean by that is, does this user have the rights to originate ACH? Do they have rights to initiate a wire transfer? So those are all of the things that we talk about when we're at the application layer.

And then the third layer is the data layer. And so you think about things like, what do we do to protect your customers' data, our customers' data? And so we think about things like encrypting the data at rest, which is an old SQL Server term, but you also think about new technologies like blockchain, which Q2 is heavily investing in to secure that data. And then finally, outside of all of those three, we've got this fourth kind of bubble that talks about fraud and risk. And what I mean by that is that we've got all of these bad actors out there that are trying to perpetrate business email compromises or transactions for us. And so it's just a huge, huge issue that we're all dealing with.

Alex Habet

Yeah, it's funny you mentioned that business email example. It's obvious what's going on for any company out there where we're constantly even being tested as employees of an organization is to see whether we can detect a phishing scheme. And so there's a lot of investment happening in that front. They've gotten pretty good at it, by the way, I think I actually failed one of those tests because I was so utterly convinced. So look, fully recommend everyone out there to scrutinize every single link because in a simulation, boy, they try to get you.

I think there was a strong cybersecurity push in the fall recently. So anything to share on that? What's so special about the fall in cybersecurity?

Steve Bartels

Yeah, for sure. So October is Cybersecurity Awareness Month. And so our old chief security officer, Bob Michaud, who since retired this year, this was always his favorite month and he would always be doing several blog posts. And you were mentioning the phishing schemes that our IT department at Q2 provides to all of us, it seems like quarterly, to try to trip us up into clicking on unverified links, which in full disclosure, I think I failed one or two of those myself. But it's a good reminder that all of this stuff out there exists. And so Cybersecurity Awareness Month is just from a government organization called the Cybersecurity and Infrastructure Security Agency. That's a little bit difficult to get out. You can go to cisa.gov. They've got a bunch of training ideas for both your employees and your customers, they've got info on the latest malware scams, the latest ransomware schemes, and you can also subscribe to alerts to see what's going on maybe in your industry.

Alex Habet

Yeah. No, these are great resources. And actually as someone who has come over from the financial service industry into the technology industry now, it's actually one of those things that followed me along and I suspect that kind of follows you pretty much in any organization that you go through, so I was really pleased by the fact that this organization, at least that we both work for, is investing so heavily in this. It's super important and of course it's headline grabbing. But shifting gears a little bit, what about the fraud landscape? What has that been like recently?

Steve Bartels

So, it's interesting. You can hop on Google or DuckDuckGo and do some search and find some stats on these types of things, but payments fraud actually has gone down a bit since 2018. Now, it's still north of 70%, so it's not like we're approaching zero anytime soon, but it has gone down a bit. Your listeners may be surprised to know that check fraud is still the number one fraud being perpetrated through check washing of the payee name or the dollar amount. ACH debits are number two. So transaction fraud is still being committed and probably for quite some time it will be committed. I mentioned business email compromise, that's also gone down over the last several years.

However, I can tell you last month I was at two different payment association trade shows. And from talking to my customers and prospective customers, I don't know that anyone feels like this is getting any easier or any better. I think maybe our financial institution customers are getting better at it, they're investing in technology, they're training their customers, they're training their employees, but fraud is still a major, major problem.

Alex Habet

Alright. So we've established it's a major problem. Got it. So let's look at two areas I guess for the remainder of this show. On the one path, what do advancements in technology do to help? And then on the other path, what should FIs do? I want to tackle the first one first. So if we were to look at some more recent advancements or just general advancements, what are some things that providers can do to help FIs manage this ongoing threat that just seems to proliferate year after year?

Steve Bartels

Yeah. I think I'll reference back to what I kind of opened the conversation with in terms of our security document. It goes back to securing the infrastructure, securing the applications or the software, and then securing the data. And so, again, from an infrastructure standpoint, Q2 and other technology providers, we've got to wrap that environment in a super thick layer, or sometimes you hear it in multiple layers, to protect bad actors from getting into the systems. And so again, that's everything from firewalls to zero-trust security.

I think, last year, Q2 spent in the realm of like $14 million alone protecting our infrastructure. When it comes to application security or program security, I mentioned earlier, having the right setup in terms of what users can access, maybe there needs to be dual approval for certain pieces of functionality within those systems, whether it's originating a payroll file, originating a wire, whatever the case may be, along with being able to limit users from maybe sending out certain dollar amount files and auditing all of those things. And so when it comes to developing software, technology companies obviously need to think about security when they are creating new programs.

And then finally, the data security standpoint. We've got to protect our customers' PII, or personally identifiable information. And there's all kinds of stories. I heard plenty of stories over the last couple weeks as I've gone on the road of what's all out there on the dark net and the stuff that can be purchased, my Social Security number, your Social Security number, mothers' maiden names, all of those things could be potentially at risk for all of us, but that just means even more that we need to make sure that us as technology providers are doing everything we can to protect all of that type of information.

Alex Habet

Did anything, in this conference, you hear kind of raise an eyebrow besides ... or is it just more pain than you've heard in the past?

Steve Bartels

There was a gentleman that spoke, I don't remember what company he was from, but he just basically was washing his hands of any of our private information ever staying private ever again. And he had some really good case studies. If you're on Facebook, if you're on any of the other social media platforms, it doesn't take very long for people to figure out where you live, who your families are. And you think about it from a social engineering perspective. So my son's 22, he goes to college up in Omaha. He can see, or people can see what he likes to do, they can see what I like to do just because we're connected on social media platforms. And so he was a bit kind of throwing up his hands and saying, "Hey, we can't depend that any of our information is secure anymore." That was pretty eye-opening.

I've heard that over the last several years that we were marching down that path, but I think it's a good reminder for all of us that when your customers maybe are calling in and you're verifying they're saying who they are, just asking them for a street address or the last four digits of the Social Security number may not cut it anymore.

Alex Habet

Yeah. Who knows how this whole thing evolves? I don't even know how to imagine it, but I'm still willingly giving my information out there to sign up for these free services and probably shouldn't anymore, cut that off. Alright, so what are some things that financial institutions should be doing to protect themselves and their customers? What would be some advice? You meet with a lot of FIs for a living, so what are some common pieces of advice you tend to give these executives?

Steve Bartels

Yeah. And I think a lot of financial institutions are doing this today, but education for not only their employee base but also their customer base. So when it comes to working with maybe your corporate clients, and even your consumer clients, but certainly your corporate clients, having either a lunch and learn or a webinar or whatever fits your environment best to talk through what types of fraud can be performed against their entities. And in the large corporate, folks are going to get this because they're going to have likely a whole staff of people looking for fraud and trying to mitigate that fraud. But what I worry about are, for example, the sole proprietors or the small and medium-size businesses where they need to understand that malware can infect their machine by just clicking on a link.

When they get seemingly random text messages on their phone, asking people to click links in them, because you want to, I don't know, get a Walmart gift card or whatever the case may be. That's another way that people can take control of those devices or install software programs, malware programs that can monitor every keystroke that those businesses or those users type. So I still think there's a lot of education that can be done out there, especially for our banking clients.

I think another thing that can be done, let's see here, giving your customers the ability to self-serve in terms of notifications and alerts to let them know when something might be going on on their account that's unexpected. And so for example, one of Q2's products is called Centrix ETMS, that's our check and ACH positive pay system. Corporate clients can set up their own notification warnings if they get activity that's unexpected. Many of us probably do that on our credit cards or debit cards today. So for example, I just have an alert turned on for all of my cards that says anytime a transaction hits it, send me a text message. So anytime, anywhere, somebody hits my account or debits my account, I'm aware of it. Now, it also exposes when one of my family's been on Amazon and has purchased a few things on Amazon, which is fine, but it also comes in handy from a fraud-detection standpoint as well.

Alex Habet

Yeah, that's funny. The Amazon alert, yeah, we deal with that here too. Look, I really appreciate you bringing some of this perspective here. Again, this is an area that Q2 broadly has a little bit longer of a history in dealing with and talking to clients about than the PrecisionLender traditional base, so really thank you for bringing some of that expertise here. I have a suspicion it's not the only time, so as we continue to make innovations in the product sets that we offer our clients, and then they start bleeding together, you get the functionality going cross borders almost between these tech systems is going to be hugely interesting to watch over the next few years.

Steve, I appreciate it again. Security, cybercrime, it's a daunting issue, but it does help to have tangible ways to fight it. So you made us feel a little bit better today by laying out the problem, but also talking about what are some things that we can do to combat it.

Well, as it relates to this week's episode, I want to just thank Steve again for joining us today. That's it for this week's episode of The Purposeful Banker. If you want to catch more episodes of the show, please subscribe to the show wherever you like to listen to your podcasts, including Apple Podcasts, Spotify, Stitcher, iHeartRadio, and more. And if you have a minute to spare, let us know what you think in the comments. You can also head over to q2.com to learn more about the company behind the content. Until next time, this is Alex Habet and you've been listening to The Purposeful Banker.
