The Enduring Importance of Physical Engagement in Retail Financial Services

I take no issue with the growing importance being placed on digital in financial services. Indeed, it does not take extensive examination to see, in Wayne Gretzky’s words, “where the puck is going”. Digital needs to be a top technology priority among financial institutions – particularly in highly digitally-directed markets such as North America and Western Europe. But, that doesn’t mean physical engagement is unimportant. In my opinion, in-person (physical) engagement will be of lasting importance in financial services for at least three reasons:

1. Most consumers rely on brick and mortar for commerce and will continue to do so.

2. Most retail deposits still take place at the branch.

3. Most banks do not offer a decent digital customer acquisition mechanism.

Most Consumers Rely on Brick and Mortar for Commerce

This week, comScore released its most recent measurement of digital commerce. It was truly exciting, with Q4 2016 m-commerce spending up 45% over 2015! But, even with that astonishing year-over-year growth, m-commerce constitutes just 21% of total e-commerce. And, with two decades of e-commerce, total digital commerce comprised just ten percent of total commerce in 2015. Plenty of consumers still like stores.

* FRB Consumers and Mobile Financial Services 2011 – 2016, Percent of smartphone users with bank accounts
** US Department of Commerce, Internet Retailer, Excludes fuel, auto, restaurants and bars
*** comScore

Digital is not equally important across segments. Books and music, for example, are highly digital. Not so much for food and beverage. I’m being simplistic for brevity, but the data suggests that most commerce will remain tied to the store experience – at least in part – for the foreseeable future. I don’t think financial services will be an exception.

Most Retail Deposits Still Take Place at the Branch

Banks are keen to migrate low-value branch transactions to self-service channels, and there is perhaps no better low-hanging fruit than check deposits. Yet, with a decade of remote deposit capture utilization behind us, a January 2017 survey of US financial institutions (n=269) clearly shows that the majority of retail deposit dollar volume still takes place in the branch. Like it or not, the branch remains a key transaction point for many consumers and small businesses. Sure, the trend lines support digital transaction growth (thank goodness), but we have a long way to go – farther than the hype would suggest.

Most banks do not offer a digital account and loan origination mechanism

Even as banks would love to acquire more customers digitally, most aren’t well prepared to do so. Unlike most every other retailer on the planet, most banks initially invested in digital banking for transaction migration, not sales. That is changing, but not quickly. The mobile realm needs the most work. In a December 2016 survey of North American financial institutions, Celent found that large banks, those with assets of >US$50b, had made noteworthy progress in mobile customer acquisition capability since the previous survey two years ago. Smaller institutions lag considerably.

For these reasons, branch channels are getting a make-over at a growing number of financial institutions, with the objective of improving channel efficiency and effectiveness – effectiveness with engagement, not just transactions.

Celent is pleased to offer a Celent Model Bank award in 2017 for Branch Transformation. We’ll present the award on April 4 at our 2017 Innovation & Insight Day in Boston. In addition to presenting the award trophies to the winners, Celent analysts will be discussing broader trends we’ve seen across all nominations and will share our perspectives on why we chose those particular initiatives as winners. Make sure you reserve your slot here while there are still spaces available!

Goodbye PFM, Hello PFE (Personal Financial Experiences)

Personal Financial Management – PFM – has been a worthy goal pursued by many providers, yet consumers continue to ignore its possibilities. Rather than trying to incrementally expand the share of 10-12% of PFM users, banks should instead focus on the next stage in the evolution of personal finance: Personal Financial Experiences, or PFE.

We’re big fans of PFM (Personal Financial Management)…conceptually. We think that it has the potential to help people better control their finances and live happier, less-stressed lives. And yet, despite numerous efforts over the years, traditional PFM has not gained significant marketplace traction. It’s too cumbersome and inconvenient, while crucially often serving up bad news – and who wants that? At the same time, banks have recently begun to focus wholeheartedly on the customer experience of their clients, seeking to improve and coordinate the various interactions that consumers have across multiple and diverse touchpoints.

The convergence of these two trends is PFE, defined as a coordinated set of customer interactions that pushes and provides customers relevant, timely information and advice to enable them to live more informed and proactive financial lives. PFE gives customers the ability to access whatever level of financial detail they want, but focuses primarily on context and appropriate accessibility.

A variety of companies – both banks building their own, and vendors focused on developing white-labeled software – have created a wide range of PFM approaches. Most have historically required a fair degree of intentionality on the user’s part, and treat PFM as a discrete activity – a separate tab or a standalone app, for example. PFE changes that. Users will experience PFE without ever having to call it up; it will just happen to them via an alert on their mobile, an idea from a branch representative, or an unexpected landing page on their laptop.

The “E” stands for Experiences, plural. PFE isn’t just one touchpoint; it encompasses the wide variety of interactions that a consumer has with her financial institution. Today’s digital banking will, in fact, become PFE. When banks move to the end-state of PFE, customers will no longer have to choose to manage their financial lives (or by not choosing, default to unmanaged ad-hocracy); instead, financial management will happen in the background, facilitated and orchestrated by the bank, as part of the overall relationship.

Three key principles provide the foundation of a robust set of Personal Financial Experiences.
  1. Automatic: Users don’t have to put much conscious thought or effort into entering the data or even asking for guidance. The system gathers that information and proactively provides nuggets of advice and discrete, concrete calls to action.
  2. Intuitive: There is no learning curve. Just as kids can start using a new mobile phone out of the box without reading any sort of manual, PFE will be intuitive and user-friendly. PFE becomes normal digital banking.
  3. Relevant: PFE will deliver only the information needed at the appropriate time. No longer will a user be confronted with a huge dashboard of charts and dials confusingly presented. Relevance and contextuality will rule.

The iPod wasn’t the first MP3 player; it built on and refined pioneering work done by others. So, too, is PFM the first step in the journey to PFE; we’re not there yet, but we’re well on our way, helped by advances in technology and the incremental changes that FI tinkerers continue to make. We’ll be exploring this concept in greater depth over at celent.com; please check back in, or reply to this post, if you’d like to learn more.

Chat Bots: Savior or Disintermediator?

AI is becoming increasingly interesting to bankers. Last year I wrote a blog about “Assistant as an App”, looking at how concierge apps like MaiKai and Penny are offering up AI-driven financial management services. My colleague Dan Latimore also recently posted a blog on AI and its impact.

The emergence of chat bots within popular messaging apps like Facebook Messenger, Slack, Kik, and WeChat similarly has the potential to shift how customers interact with financial institutions. Chat bots offer incredible scale at a pretty cheap price, making adoption potentially explosive. Facebook Messenger, for example, has almost one billion active users per month. WhatsApp (soon to launch chat bots) has about the same. These apps offer extremely high engagement, and with app downloads decreasing, users are spending more time on fewer apps. According to TechCrunch, 80% of the time spent on a mobile device is typically split between 3 to 5 apps.

Chat bots give the bank the ability to automatically appear in almost all of the most used apps in the world. The opportunity with digital assistants is immense, and given the nature of bank transactions, it’s not hard to imagine chat bots becoming a widely used engagement method. Most of banking is heavily rules-based, so the processes are often standard. Frequent banking requests are pretty straightforward (e.g. ‘send this person X amount of money’ or ‘transfer X amount from savings to checking’). Bank-owned chat bots are also more built for purpose than some of the multi-purpose third-party products on the market, making the functional scope targeted. While it is still very early days for chat bots, it won't be long before these kinds of interactions are accessible and the norm. Bank of America already has one; many others have plans or pilots.

This video (skip to 7:30) shows what an advanced chat bot might be able to accomplish. The image below from the Chat Bot Magazine is another conceptual banking use case. The possibilities are compelling.

But while the opportunity with digital assistants is enormous, banks must be aware of how this affects their current ongoing digital strategy. For example, if chat bots overcome the hype and become a long lasting method for accessing financial services, then what effect will that have on traditional banking apps?  Will chat bots make it foolish to invest large sums of money in dedicated mobile apps? 

For all the promise this technology brings, banks need to be aware that this could be a step towards front-end disintermediation. The threat of tech companies (or other large retailers) stepping in to grab banking licenses and compete directly with incumbents was short lived.  The more realistic scenario was always relegating core banking functions to a utility on the backend of a slickly designed user interface created by a fintech startup.  The incumbents lose the engagement, even if they are facilitating the transactions.

Are chat bots a step towards front-end disintermediation, or are they an extension of the bank’s main app?  If you believe that chat bots are a stepping stone (or companion product) towards a world where the best UI is no UI, and where AI evolves to the point of offering significant functional value, then banks could be at risk.

This isn’t a call to hysteria by any means, nor am I calling chat bots wolves in sheep’s clothing, but banks need to be aware of the potential impact. As voice or message-based interactions become the norm, they will have an effect on a bank’s dedicated mobile app.  In this environment, the mobile app will need to evolve to become something different; non-transactional.

Chatbots will only further fragment the customer journey, requiring an even clearer understanding of how consumers are choosing to handle their finances and make transactions. Banks need to start thinking about how chat bots and AI fit into a long-term digital channels strategy, one that doesn’t handcuff the institution into a no-win proposition of competitive disadvantage versus wilful disruption.

Get off the bench: free lunch is over for banks?

This is a copy from my guest post for Finnovista that I wanted to share with you here as well.

A few years ago, when we started collaborating in creating the Latin American Fintech community, there were no Fintech associations, no Fintech conferences and for sure there was no mapping of Fintech start-ups at all. It has been quite a journey for all of us involved. Kudos to the Finnovista team for being a key element and catalyser for these achievements!

What an exciting moment to be in financial services! Many things are going on. Banks are being unbundled, and it’s happening everywhere. Want to take a look? Check what’s going on in the US, Europe and in places closer to home across Latin America like Mexico, Brazil, Colombia, Argentina and Chile.

It’s making no distinctions, affecting personal and business banking equally. Consequently, the nature of competition is changing, and pressure is not expected to come from other financial institutions. In a recent Celent survey of SME banking representatives from Latin American banks, most said they believe that the fundamental changes expected in the banking industry won’t come from other financial institutions; instead they are looking mainly to new entrants and adjacent industries.

In last year’s survey of retail banks in Latin America, Stanford University found that 47% of the banks see Fintechs as a threat. The same survey indicates that only 28% of the banks meet the needs of their digital customers. Not a position where you want to be.

Customer expectations, pressure on revenue and cost, and increased regulation don’t make life any easier for banks either. Fintech start-ups may have an advantage over banks in responding to customer expectations, and being leaner leaves Fintechs better positioned to apply pressure on costs; but they have to play under the same regulation and at some point earn revenues in excess of cost (a.k.a. be profitable).

The FCA, the U.K. financial regulator, has opened its sandbox for applications from financial firms and tech companies that support financial services. Successful applicants can test new ideas for three to six months with real consumers under loosened regulations. This is something we haven’t seen yet in Latin America, though regulators are increasingly open to the benefits of Fintech and innovation, particularly if it is related to financial inclusion: we have seen regulators support mobile wallets across the region in the last couple of years. Mexico this year appointed an officer for Fintech development, in what I see as the leading case in the region to facilitate the adoption of services provided by Fintechs under the umbrella – and supervision – of the regulator. Most recently, the Argentinean regulator has introduced changes enabling digital onboarding and, in payments, facilitating competition and adoption. There is no sandbox yet, but maybe a digital/branchless bank is on the way? Will it be a disrupting incumbent or a new player? By themselves or in cooperation with Fintechs?

Indeed, there has been a lot of debate regarding the nature of the (best) relationship between banks and Fintechs; be it competition, cooperation or coopetition, banks need to play a different game. The ecosystem has changed incorporating a myriad of players and increased complexity. Banks must reconstruct their business models around three areas, recognizing that they are part of a broader and new financial ecosystem:

  • Channels: How the bank serves customers
  • Architecture: How the bank organizes to deliver value
  • Innovation: How the bank delivers new ideas, products and services around both channels and architecture

Banks can innovate on their own, or partner with Fintechs or other 3rd parties; at the end of the day banks need to select and execute on the best innovation models. There is no single answer that fits all; each institution will have to discover the best combination of innovation models aligned with risk appetite, organizational culture and the target customers you want to reach.

Setting Out a Vision for Customer Authentication

We all know that "passwords suck", as my colleague Bob Meara stated clearly and succinctly in his recent blog. But what's the alternative – is the answer biometrics or something else?

We do believe that biometrics is part of the answer. However, our vision for authentication – security measures banks take when providing customers access to their services – is broader than that. Mobile devices will play a key role, but for them to be effective tools for authentication, a strong binding between customer identity and the device is essential – unless this step is done correctly, all subsequent authentication efforts are pointless.

We also contend that authentication must be risk- and context-aware. It should take into account what the customer is trying to do, what device they are using, how they are behaving, etc. and assess the risk of fraudulent behaviour. Depending on that assessment, the customer could either gain access or be asked to further authenticate themselves. And while biometrics can and will play an important role, the banks' authentication platforms need to be flexible to support different authentication factors.

We outline this vision in more detail in the report published yesterday by Celent, Security, Convenience or Both? Setting Out a Vision for Authentication. In addition, the report discusses:

  • The upcoming PSD2 requirements for strong authentication.
  • The rise of biometrics, including different modalities and device-based vs. server-based implementations.
  • An overview of various standard-setting bodies, such as the FIDO Alliance and the W3C Web Authentication Working Group.

Also, yesterday we launched a new Celent Digital Research Panel survey, this time focused on Authentication and Identity management. The objectives of this survey are to assess, among US financial institutions:

  1. Investment drivers for customer authentication and identity management.
  2. Current state and immediate plans around authentication and identity management.
  3. Perspectives on the future for authentication and identity management.

If you already received an email invite, we do hope that you will respond before our deadline of August 8th. If you represent an FI in the US, and would like to take part, but haven't received the invite, please contact us at info@celent.com. We will publish the results in a Celent report, and all respondents will receive a copy of the report, irrespective of whether they are Celent clients or not. We look forward to hearing from you!

There are *exactly* 608 US firms offering banking fingerprint authentication

Biometrics are hot. Fingerprint authentication (Apple’s version is Touch ID) is one of the most common forms of biometric verification. So, quick – how many American banks let customers log on to their accounts using this method? Based on the press, you might optimistically think a few thousand, right? And, in fact, ApplePay just activated its 1000th bank (adoption is another story, and the subject of another post).

Well, as of January 31, the actual number (not an estimate, not an extrapolation, and not a piece of data from Apple) was 608. That’s 9.52% of the 6,388 FIs offering a mobile banking application. How does that compare to three months ago, at the end of October 2015? At that point just 252 FIs were offering it. That’s an increase of 241% in a quarter, certainly a sign of robust growth. Some of the increase comes from clients implementing from their hosted solution provider. Others (generally bigger banks) are developing it in-house. And yet, it’s not as popular with the large banks as one might think (of the 21 with more than $100bn in assets, only 8 offer fingerprint authentication; 3 of the top 4 have it).

[Figure: Bucketed Adoption]

Does fingerprint authentication pay off? By one measure, something we call “feature lift,” it does indeed make a difference for customers. Banks whose customers have installed fingerprint authentication have an uplift of 53% in enrolled customers per deposit account relative to banks who don’t offer it. While this is correlation, not causality, it shows that the banks who offer this feature have more customers enrolled in mobile banking than those who don’t. We’re looking forward to analyzing many more mobile banking features to see which ones offer the biggest impact on customer enrollment.

[Figure: Uplift]

How did we access this information? I’m very excited to say that Celent is collaborating with FI Navigator to analyze the mobile banking market in an unprecedented depth of detail. FI Navigator has assembled a database of every US bank and credit union offering retail mobile banking, together with the vendors who host them. We’re feverishly analyzing this trove of data to bring you a report at the end of April. It’s different from, and additive to, work made available to our existing clients; you can find the particulars here.

To let you in on how the sausage is made, we originally tried to find out how many banks offered fingerprint ID by doing a standard search (which turned up press releases and the like) and by contacting a few vendors. We were able to arrive at roughly 250 banks in total, including several dozen from one vendor (from whom it was difficult to get precise answers in terms of commitments, scheduled go-lives, and actual implementations). It turns out that we undercounted by more than half.

The beauty of the FI Navigator data is that it’s derived from a variety of sources – on a monthly basis – that let us deduce and infer a huge amount of actual information about the entire US retail mobile banking population, not just a subset. By integrating unstructured website data and conventional financial institution data, FI Navigator expands the depth of peer analytics and the breadth of market research to create vertical analytics on financial institutions and their technology providers.

So, in addition to my excitement at this new and powerful data source, I have three takeaways about fingerprint authentication:
  1. The gap between hype and reality for fingerprint authentication is big, but shrinking;
  2. Banks don’t have to be large to do this; and
  3. More banks should be offering fingerprint authentication.
Why is your bank or credit union not offering your customers the chance to authenticate with their fingerprint?

Mobile in the time of digital

Bank of America recently announced that it would triple spending on its mobile app. While no exact dollar amount was given, it made me wonder: what exactly does that entail?

In the past, Celent has praised the Bank of America mobile banking apps as some of the best out there. The bank has been going strong with its digital strategy for years, even closing branches and reducing overhead to drive adoption. Bank of America recently added features like Touch ID, debit card toggling, two-way fraud alerts, and more to its app, and has been outspoken about the desire to personalize the digital experience. Its commitment to new features and functionality is reflected in the comments and ratings on iTunes and Google Play. Shown in the graph below, the bank’s mobile banking adoption has been steadily growing, with a growing share of deposits.

[Figure: Bank of America mobile banking adoption and share of deposits. Source: BofA Annual Reports / Investor Presentations]

So again: what does “tripling” mean when talking about an app that has obviously been well-funded for quite some time? As digital assumes a larger role with the business, the funding required to build a digital customer experience will extend beyond the reaches of mobile. The capabilities many consumers demand can be difficult if not impossible without significant effort on the backend to align technology. Banks are starting to realize this, building out unified digital platforms that streamline the architecture and better position institutions to offer truly modern, data-driven, and value-added consumer experiences.

These kinds of initiatives can often run in tandem with larger cultural and multi-channel efforts. In the press release for the announcement, Bank of America said it was launching a digital ambassador initiative which, similar to the Barclays Digital Eagles program, will see front-line branch staff reskilled to be able to assist with digital channels. The bank is also launching cardless ATMs later this year. I’m assuming the coincidence of these announcements is anything but, and that the funds for “mobile” will largely be dispersed over (or fit into) a wider array of strategic digital initiatives. Institutions need to create a solid digital base within the institution, bringing in culture, personnel, and technology across all channels and lines of business to start transforming digitally.

Banks are being challenged by the notion of “becoming digital.” Many have reached the point of recognizing the inevitable digitization of the business model, and are in the throes of decision making that will determine how equipped they are to appeal to the new digital consumer. Most institutions are experiencing these growing pains, and very few have committed to digital at the level demanded by customers.

If Bank of America is indeed tripling its budget just for mobile, then I’ll be very interested to see the kind of features the bank develops over the next few years. Yet there’s a lot that goes on to make the front end look good and spending more on the front will mean more spending on the back. Mobile banking is a significant part of digital banking, but remember that it’s only ONE part. While new functionality gets the headlines, it’s what’s under the hood – culture and backend – that truly matters.

It’s not us, it’s you – why breaking (it) up is so hard

UK retail banking is undergoing yet another review of competition, with the initial conclusions released a few weeks ago. The full report is in excess of 400 pages – I must confess that I’ve not yet had the chance to read it, but one has to assume that the press release is indicative of the tone and content. Which is worrying. At first glance… it’s frankly shocking, and shockingly poor at that.

Before I start a war with the CMA (Competition and Markets Authority), who are conducting the review, let me make sure we’re clear on the lens that I am using. I cover payments, not banking per se, so I’m looking at this through the eyes of a consumer. Remember, this is the very group that the CMA is trying to help.

As predicted, the new and improved switching service provided a brief, temporary lift, but has pretty much reverted to the same level of switching that has existed for the last 10 years. My thinking has always been that the switching wasn’t the issue, but the fact that few consumers perceive there is any benefit to be gained. In short, most consumers believe that most banks offer pretty much the same thing, and at the same price.

Imagine my shock then reading the official press release: “Despite [some] encouraging developments, because too few customers are switching, banks do not have strong enough incentives to work hard to compete for customers through better products or cheaper prices, and smaller or better banks find it hard to gain a foothold.” Sooooo, basically you’re not getting better products because you’re not switching. Surely that can’t be right?! It continues: “The CMA says: ‘The problems in the market are unlikely to be resolved by creating more, smaller banks; it is the underlying issue of lack of switching which has to be addressed.’”

Now, I’ve taken the quotes somewhat out of context – please read the full release – but the remedies proposed focus heavily on the switching, and not the underlying issue. The CMA seems to think that there is both differentiation and ways of finding the accounts. Both these points I believe to be deeply flawed.

Differentiation

The release suggests that “heavy overdraft users, in particular, could save up to £260 a year if they switched, and on average, current account users could save £70 a year by switching”. I suspect the key word is average. Do they mean mean, median or mode? UK bank accounts operate generally on a fee free basis, but with heavy penalty and overdraft fees. To save £70 on average implies the average person is overdrawn most of the year (i.e. they’re still overdrawn, but paying £70 less). £70 is £70 – but equally, it’s only 2 Starbucks a month.

However, the bigger issue is the assumption that the alternate bank would actually offer them an account with the overdraft they seek. Lending criteria have tightened up significantly over the last few years – most UK consumers have had their overdrafts and credit card limits reduced, and remortgaging is now frankly very hard work. I recently had to supply more than 15 additional documents to remortgage a house which 3 years ago took no more than 10 mins for a decision to be made, and where the value has risen by 20%. The reality then is that the heavy overdraft users simply won’t ever get a better deal than with their existing bank, if they’re accepted as customers at all. The “average” UK consumer won’t see any benefit at all – if they don’t go overdrawn, it’s very difficult to see where the savings will come from. Which just leaves a very small set of people who will benefit. The switching service needs to be measured against this set of people, not against all those who won’t switch!

Comparison

But perhaps I’m wrong? How can we find out? This element really surprised me. One suggestion was: “Making it easier for consumers and businesses to compare bank products by upgrading Midata, an industry online tool, launched with the support of Government, that gives consumers access to their banking history at the touch of a button. Midata allows consumers to easily access their banking data from their bank and input it directly into a price comparison website which can then analyse their transactions, and alert them to available bank accounts which best suit their needs. An improved Midata could have a radical impact on consumer choice in retail banking markets”

What?? Midata? What is Midata? Considering that the switching service has been heavily promoted, by the banks and on TV, the fact that I’m both a consumer and in the industry and have never heard of it, nor could I readily find details on it, speaks volumes. As a family, we have accounts at 4 of the 6 banks signed up. Not one, to my knowledge, has ever told me about it. My main bank has one single mention of it, as the last item in an obscure FAQ page.

I’m also uneasy that a well-known comparison website is hosting the service. Whilst the data is anonymized, I assume the site knows a fair bit – cookies will show I used the service, and so the ads will be served up to me based on my searches. Given that comparison sites get paid from ad revenue and lead generation, it feels a little too cozy. Not implying everything isn’t above board, but it undoubtedly put me off using the service.

So, enough ranting, where does this lead us? As a consumer, I suspect probably worse off. Further change will cost more money – and it’s the customers who will foot the bill. There is also the danger that the more affluent, who already play the system, will be the ones who benefit, whilst those at the opposite end will just find things harder. It would seem then at first glance (i.e. without having read the report in full yet) that the CMA has potentially not only got it wrong, but is set to make things worse.

Proposed new cyber security regulations will be a huge undertaking for financial institutions

The New York State Department of Financial Services (NYDFS) is one step closer to releasing cyber security regulations, aided by the largest security hacking breach in history, against JPMorgan Chase. The attack on JPMorgan Chase is revealed to have generated hundreds of millions of dollars of illegal profit and compromised 83 million customer accounts. Yesterday (Tuesday, November 10), the authorities charged three men with what they call “pump and dump” manipulation of publicly traded stock, mining of nonpublic corporate information, money laundering, wire fraud, identity theft and securities fraud. The attack began in 2007 and crossed 17 different countries.

On the same day as the arrests, the NYDFS sent a letter to other states and federal regulators proposing requirements around the prevention of cyber-attacks. The timing will undoubtedly put pressure on regulators to push through strong regulation. Under the proposed rules, banks will have to hire a Chief Information Security Officer with accountability for cyber security policies and controls. Mandatory security training will be required. Tuesday’s letter also proposed a requirement for annual audits of cyber defenses. Financial institutions will be required to show material improvement in the following areas:
  1. Information security
  2. Data governance and classification
  3. Access controls and identity management
  4. Business continuity and disaster recovery planning and resources
  5. Capacity and performance planning
  6. Systems operations and availability concerns
  7. Systems and network security
  8. Systems and application development and quality assurance
  9. Physical security and environmental controls
  10. Customer data privacy
  11. Vendor and third-party service provider management
  12. Incident response, including by setting clearly defined roles and decision making authority
This will be a huge undertaking for financial institutions. Costs have yet to be evaluated but will be in the millions of dollars. It will be very difficult to police third-party security because, under the proposal, vendors will be required to provide warranties to the institution that security is in place. The requirements are in the review stage, and financial institutions should join in the debate by responding to the NYDFS letter.