Auditing the cloud

Cloud computing this, distributed computing that. People hate buzzwords. Cloud computing, however, is one you will have to put in your dictionary eventually, if you haven’t already. We’re big fans of cloud computing. It can dramatically change the way that financial institutions leverage infrastructure and their capital. But cloud computing is still in its infancy. One of the first things most people ask about the cloud is, “Is it secure?” Most of the time, the answer is yes. But for financial institutions, that isn’t good enough. We have to prove it, and that’s where it gets a little tricky.

Most financial institutions have robust policies in place allowing their supervisory committee, external auditors, or other vendors access to reports and analysis on the security measures in place. Not just alarms and panic buttons, but also teller and cash drawer controls, dual-custody policies, password policies, remote access policies, and board bylaws. As cloud computing becomes more of the norm, IT will need to demonstrate the security measures in place surrounding their cloud infrastructure.

The Windows Azure Platform is one of the newer entries into the cloud computing market. Created and run by Microsoft, Azure will become a very popular selection for cloud computing needs simply because it is owned and operated by Microsoft. They claim to have completed a SAS 70 Type I and Type II audit on their “cloud platform”, which is one of the key factors for financial institutions, but they don’t specify that it is for their Azure platform, nor is it available for download. Either of those factors could be a stumbling block for credit unions or banks.

SQL Azure, Microsoft’s database cloud offering, provides some excellent alternatives for database hosting. Rather than paying expensive licensing fees or hosting fees, a company can use Microsoft’s very robust and redundant infrastructure to host their databases. Even Microsoft’s cloud is still an infant though. Currently, their SQL Azure offering has no server level auditing in place. While logical, as many people are sharing a virtualized database and access restrictions are needed, it also prevents users from verifying that no one else is logging in to or otherwise gaining access to their resources. Very few auditing choices exist today for SQL Azure, as demonstrated in this article.

Rackspace, on the other hand, has a very descriptive page detailing their expertise and certifications, including their SAS 70 Type II and their PCI compliance. Their SAS 70 can be downloaded, and their PCI compliance also presents a unique security offering to financial institutions, helping them be more confident in their choice of a cloud provider.

Cloud computing is going to become the norm in the financial industry. It may take the form of private clouds or stay public, but technology infrastructure is going to become a utility. Just like we pay for electricity now, we’ll pay for computing resources as well. If your FI is looking to make the move into cloud computing, start with baby steps. Don’t put member information up there quite yet. Start with your public facing website then move your intranet. Start experimenting, but keep in mind the many security and auditing concerns that exist today.

Free stuff is good

Everyone loves free marketing, right? Then why don’t we see more credit unions taking advantage of holiday marketing?

As is always the case, Google had a “doodle” of their logo for Saint Patrick’s Day last week. Google has made it a point to create doodles of their logos for darn near every holiday possible. They even did a doodle to celebrate the 57th anniversary of the patent for a bar-code.

Google's Saint Patrick's Day Logo

Newegg, a major online electronics retailer, even gets into the holiday spirit with their own customized holiday logo.

Newegg's Holiday Logo

So what does all of this mean to credit unions?

  • Credit unions can stay relevant and fresh with only minor tweaks to your brand.
  • Your brand is not set in stone. It is not a palette of 3 colors that you must always use.
  • Take advantage of the Super Bowl, Valentine’s Day, Mother’s Day, and Oscar the Grouch’s birthday.

These “holidays” give a marketer a tremendous amount of material to create new campaigns to entice new members, and existing members, to strengthen their relationship with the credit union. Run a promotion that makes Oscar the Grouch (aka the CFO) cranky. And pitch it like that. Don’t forget the upcoming Earth Day. But do forget the overused “Plant a tree for switching to e-statements.” You just missed National Pie Day on January 23rd, which was your chance to hold a pie fundraiser. Sell pies at $10 a piece to throw at your local branch manager to raise funds for Credit Union for Kids or your own charity. But be careful not to encroach on someone’s protected trademark.

Whatever you do, do it well and do it different. Your members will love you for it.

to try, test, experience, prove

That is the definition of experiri (in Latin) and it also represents the first set of product offerings from CU Innovators.

Frequently, projects we’re working on for clients create discussions around solutions that are missing from the credit union industry. Other times, problems not associated with our current projects are brought up by clients as a “wouldn’t it be nice if” kind of thing. We’re trying to fix some of those “things”.

experiri is our outlet to test new ideas, new business models, and other things we think could help the credit union industry. It is easy to talk about innovation in credit unions, but it is a whole other thing to actually encourage people to try. So experiri is our stake in the ground. This is our corner of the innovative industry that credit unions could be.

Our first product, slated to be available next week, is technology related and aims to make credit union data readily available to be “mashed-up” into online applications, market research, and other tools for credit unions. Our second product, due for release in May, is in the social media space, and we’ll give you a hint: Christopher Morriss just mentioned this as a pain point for him on Twitter.

Stay tuned for more information!

The Best Potatoes

Seriously, if I had money, I would just do things like this. Screw committees and politics. Insert credit union everywhere they say potato and we have a darn near great national credit union campaign.

I’d send an invite for each league president to bring themselves and one credit union CEO to a shoot and they’d have a script not too far from this.

Missed Social Media Opportunities

Credit unions have been clamoring to get involved with social media, many times without a cohesive strategy behind the action. The Financial Brand ran an article about why social media doesn’t have any ROI a while back. The basic gist: have a reason to get into social media.

Neighborhood Watch Sign

Some companies have ample opportunity to get involved in social media, and for some reason or another, have yet to do so. Take your good ol’ Neighborhood Watch. While it is officially called USA on Watch, you will most likely recognize the sign you’ve seen many times on telephone poles and buildings in your area. To quote from the USA on Watch website:

Our nation is built on the strength of our citizens. Every day, we encounter situations calling upon us to be the eyes and ears of law enforcement. Not only does the Neighborhood Watch Program allow citizens to help in the fight against crime, it is also an opportunity for communities to bond through service.

The Neighborhood Watch is the perfect example of an organization that could leverage technology and social media to make it stay relevant. Think of the technology you have in your possession right now that could be “the eyes and ears of law enforcement”. The Neighborhood Watch has some great opportunities to take advantage of the explosion of location-aware technologies. Consider the following examples:

  • Your local neighborhood watch has a Twitter account. One of the neighborhood watch participants tweets the details about a car break-in and the exact location is automatically included in the tweet.
  • You are walking your dog when you notice a stray in the neighborhood. You snap a picture of it with your cell phone and send it off to Twitter, with the GPS location included on the picture itself and in your tweet.
  • The neighborhood watch website overlays GIS data from the city (here’s an example in Portland, OR) that combines publicly available sex offender data and crime data to make a snapshot of your neighborhood.

Those are what some may call the “low hanging fruit” for USA on Watch. Many more things can be done using some of the free tools available. This may include using the Twitter API to combine, in real time, local tweets that have been tagged a certain way or contain certain keywords with Google Maps and Google Earth. It could also build the ever-popular iPhone application to enable people to join their local neighborhood watch and send out updates to the application when a crime occurs or an Amber Alert is issued.

Goodwill Industries presents another wonderful opportunity to engage in social media to further fulfill their mission. It appears Goodwill has taken too long to create an iPhone app, as a private developer has already beaten them to it. iDonatedIt also is stepping on Goodwill’s toes by tracking customers’ donations on their iPhone or iTouch. Goodwill should take a cue from the airline industry and develop their own iPhone and/or Blackberry application that lets customers not only find their store locations, but also enables the customer to receive their receipt via email or a message to their iPhone app.

The wonderful thing about some of the new social media tools available to marketers, technology geeks, and grandmas, is the ability for these tools to make interacting with their favorite and preferred stores or brands much easier. Forget about using Twitter to blast your latest rates or talk about going green with e-statements. Your members want banking to be easy. If you or your team can think of a way to make credit unioning easier for your members using social media, you’re on to something. Create a business plan around your idea and sell it to upper management. By making your social media strategy actionable with a clear goal in mind, you will position your credit union to be the envy of all of your competitors.

Unemployment in Credit Unions

In case you’ve been living in a cave, which the credit union industry can be at times, our economy stinks. Just go look at your 401K statement, at least what’s left of it. And this go around, the credit union industry has not been spared. With the massive problems that the credit crunch produced on a national level, it was only a matter of time until the crunch hit corporate credit unions. Impairments and assessments are just some of the four letter words being thrown around by credit union CEOs, CFOs, and the occasional CMO. Once these assessments began impacting the bottom line of credit unions, the layoffs were soon to follow.

Credit Union Employees to Income

In the graph to the right, the orange line is income and the blue line represents the number of employees in the industry. As you can see, the industry has been experiencing many layoffs. In typical credit union fashion, they tried to hold off on layoffs hoping that this recession would be short lived. After 6 straight months of massive revenue decline (the industry lost $3.2B in the 1st quarter of 2009), the layoffs began coming and have continued well past the turning point of the income crunch. Roughly 3,000 people have been laid off in just over a year.

While these layoffs represented less than 2% of the total credit union workforce, many high quality people have been displaced and flooded the job market with very experienced candidates. With layoffs continuing, finding a job was proving to be incredibly difficult, even for these experienced people. What made this recession different, however, were the new tools available to credit unions, laid off employees, and recruiters that hadn’t been available before.

Jason Lindstrom Ad

Jason Lindstrom was the Chief Political Officer for a large credit union in California and was laid off at the end of last year. So what is a veteran of the CU political process, with nearly two decades of experience, to do when he’s laid off? Try to put an ad in the CU Times is the correct answer. Together with Matt Davis, he put together a campaign to raise money for Jason to place this ad in the CU Times. Additionally, Jason has been active on Twitter and his blog, all tools that barely existed less than 5 years ago. With all these tools at his disposal, Jason has been able to create quite the conversation around him and his abilities, getting his resume in front of people that normally would not have been exposed to it.

Another great example is Carla Day. She too was laid off from her credit union, but has turned adversity into opportunity. Carla created, to my knowledge, one of the first internet radio talk shows specifically about credit unions called CU Chat Up. She has interviewed probably over 100 people by now and has generated much word of mouth around herself and CU Chat Up. Similar to Jason, Carla is also active on her blog and on Twitter, expanding her audience, and pool of potential employers, even more.

Many tools exist today for the ranks of the unemployed that are providing new opportunities to demonstrate their experience and have their resume, and themselves, seen in front of a very large audience compared to what was possible only 5 years ago. If you find yourself in an un- or under-employed situation, have hope. All recessions eventually have turned around and hopefully this one won’t be different. Use some of these new technology tools to help build your network and your experience. The massive “flight to safety” from the stock market and other investment vehicles has inflated the balance sheets of credit unions. Once these assets age, the income will begin to catch up, thus stabilizing the bottom line and the capital ratio of many credit unions. Once that occurs, credit unions will begin to hire again and fill positions that have been allowed to remain vacant through this economy.

Credit Union Employees To Assets

Sensitive Compartmented Information (and your money)

For those with military experience out there, you may be familiar with SCI. Actually, you probably can neither confirm nor deny your SCI or non-SCI status. Regardless, for those not in the know, SCI is the step above top secret. You’ve heard the old saying, “It is on a need to know basis, and you don’t need to know!” Unfortunately, most online transactions performed today do not follow rules anywhere close to that, even though they don’t really need to know.

Everyone in the industry is familiar with the Heartland breach, the TJ Maxx theft, and probably half-a-dozen others. Too bad retailers, both brick and mortar and online, don’t believe in SCI. Of all the players in the industry, Microsoft has recently stepped up with a program they’ve dubbed “U-Prove”. U-Prove works with a model similar to SCI, in that it only gives the information necessary to complete a transaction and nothing else. A recent Ars Technica article has offered some editorial insights:

On the other hand, there’s no reason why a storefront like, say, iTunes, needs to know your identity; it only needs to know that the money being handed over is yours to hand over.

To use a credit card on iTunes, I have to hand over so much information that Apple, if it was a bad actor, could masquerade as me. I can’t just give Apple some electronic money; instead, I have to give them my name, address, and credit card number. In practice, the real problem with me handing over so much info to iTunes isn’t that Apple might pretend to be me—with billions in the bank the company doesn’t really need to charge things to my credit card, after all—but that hackers (both external and internal) might take this stored data and use it for their own nefarious purposes.

U-Prove aims to stop organizations from being forced to collect excessive information from their customers when, in reality, it is not needed. To the contributor’s first quote, Apple doesn’t really need to know all of my info, just that the money I’m sending them is good. Microsoft has open-sourced the U-Prove framework, enabling other applications to use the protocols. U-Prove, using a combination of many cryptographic solutions, creates a one-time unique and secure key with the necessary information contained within it, which is then decoded and used by the organization requesting the transaction.

As is the case with any new technology, adoption is always going to be the hardest part. Some retailers, such as the Amazon example used in the Ars Technica article, will not welcome the U-Prove framework as it removes many key data mining aspects of their business. Amazon doesn’t really need to know your age, unless of course you are subscribing to Playboy or buying a CD with explicit lyrics, but they use that information extensively in their advertising. In much the same way, Apple has no need for your address when purchasing a song, but they can use that information to determine the best location to place their next store, geographic and contextual marketing, and potentially track down problems in their supply and distribution chain.

The U-Prove framework has the potential to be a game changer for the way businesses and individuals transfer information between one another, but the implementation and adoption hurdle will be a large hill to overcome. Microsoft has begun implementing U-Prove within some of their own products such as Active Directory and some of their web technologies. Even with this show of good faith, convincing other organizations to limit the amount of data they can collect from their customers, all for the sake of privacy and security, will be a challenge.

Is U-Prove the correct way to diminish some of the risk associated with breaches like Heartland and TJ Maxx by limiting the amount of data exposed on a need-to-know basis only, or are the implementation challenges too great to overcome?

My GAC 2010 Acceptance Speech

First off, I’d like to thank God, for without Him, nothing is possible. I’d like to thank my family, my wife, and my new son Mason, for being supportive of all of the long hours I had to put in over the week. I’d like to extend a very large thank you to CUNA for putting the GAC on in the first place. It is an incredible, must attend event for all credit union professionals. Also, without CUNA, Crash the GAC would never have been able to attend the entire conference and become involved with the great sessions and events. Thanks to their generous sponsorship, the GAC was tweeted about nearly 1000 times which translates to a ton of free press for CUNA and the ability to extend their conference to people around the US and the world who were not able to attend.

I’d like to extend a huge thanks to Palmetto Cooperative Services and Mark Curran for putting up the crashers in our two star lodging for the week and picking up the tab for dinner and drinks on a few occasions. Another big thanks goes out to CU Swag (and PTP New Media) and James Robert Lay for the killer Crash the GAC t-shirts. I’d also like to thank all of the crashers and their sponsoring credit unions for coming up to DC and livin’ it up at the GAC.

And finally, I’d like to thank the master behind the curtain, Brent Dixon and his design shop, The Haberdashery, for his amazing work at putting this together. Also, Filene, who supported Brent in his quest to bring under 30 professionals to the GAC. Without Brent, none of this would have been possible!

I’d also like to thank my personal trainer, my dog… (cue music)