Considering a Merger? Is the Time Finally Right?

March 5, 2009

With the economy heading south, and the NCUA assessment fee to bail out the Corporate Credit Unions on top of it, small credit unions can combine forces to compete better and provide more value to their membership. I am observing small credit unions merging at a much more rapid pace than I have seen in the past. The merging of credit unions is not noteworthy in and of itself; however, I do believe that mergers which combine to reach the $100 million plus range are going to increase.


When considering a merger, it is critical to establish relationships with experts you can turn to if you go forward. These experts should span all operations in the credit union, and be able to weigh in on questions such as:


  • What are the best practices in merging a credit union?
  • How do you merge IT departments without adding risk?
  • How do you plan for and cut waste during a merger?
  • How can risk be mitigated?
  • What is the best way to leverage the opportunity to build in efficiencies?
  • What functions can be strategically outsourced?
  • What processes can be integrated?
  • How should IT integration be handled?


Credit Union Merger Questionnaire – Information Technology

The following questionnaire pertains to the last point, and represents the starting point for planning and implementing effective IT integration for a credit union merger. These questions are intended to bring up important issues that must be planned for in the IT space, and to start discussions that will lead to effective decision making.


High Level Objectives / Co-Existence Plan

  • Is the objective of the merger to attain one united front or identity with the leveraged strength of a partnership, or is the goal to maintain dual identities with the leveraged strength of a partnership?
  • What is the plan for the existing domain names and the new domain name? Is there a timeline set for the sites to disappear and one to replace them, or will the old sites remain in place?
  • What is the plan for the email utility in the new entity? What is the timeline for implementation? Will there be coexistence of emails between domains?
  • How will home banking be presented to the members? What is the timeline for the change?
  • What SSL certificates can be merged, deleted and/or re-used (web sites, SSL VPNs, etc.)?
  • Is there a common encryption policy for sending information to third parties (e.g., credit card processing via PGP, or does one of the entities have Zix email encryption)?
  • What is the encryption goal? Are there any vendors that require specific encryption technology?
  • What is the end goal for the phone system and call center/member services? Is there a timeline set for the convergence of the systems?
    o PRI analysis: what is the call routing plan?
    o Are you launching with core phone system functionality first and then integrating call center functionality after the merger?


  • What is the goal for integration and collapse of the networks (WAN, MPLS)? Applications (imaging, etc.)? Databases? Other elements?
    o Has a cost analysis been completed for the WAN infrastructure collapse of the two entities? Data and voice (long distance/local)?
    o What questions does one need to ask when integrating carriers (Sprint, AT&T, Qwest, Verizon, and Paetech, for example)? (This blog link is an overview of questions to ask.)
  • How are third parties (PSCU, FedLine, DI, etc.) being addressed? Which third parties will remain? Are there redundancies? Which ones are going away?


In my next post I will examine the more technical questions that I have to ask myself when helping a credit union through a merger.




Ensure Encryption Compliance with NCUA and FFIEC

July 1, 2008

Developing a business case for email encryption? Does e-mail encryption compliance seem like a constant battle?

The guidelines are very specific and I have cited them below. I captured the following bullets from the IS&T Checklist for IT titled Security Program:

  • Is sensitive data encrypted during member sessions and when it is transmitted or received via the Internet and over the credit union’s network?
  • Are policies and procedures in place that describe how and when encryption should be used to protect transmitted and stored information?
  • Are password files stored in encrypted format on a server that’s securely separated from Internet-facing servers?
  • Is encryption methodology tailored to specifically protect data deemed sensitive?
  • Are the locations of assets (servers, telecommunications equipment) analyzed to ensure that security is appropriate based on the sensitivity of the information stored on the asset?

From the FFIEC Information Security Booklet the following expectations are stated:

“Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include:

1) Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk.

2) Effective key management practices.

3) Robust reliability and appropriate protection of the encrypted communication’s endpoints.”

I find very little consistency among regulators in mandating e-mail encryption. I have heard small credit union clients say to me, “Bill, I need e-mail encryption, what do you recommend? I need it now.” I have heard from my larger credit unions, “Well, we are going to wait and see what the auditors say to us.” It might seem odd, but this kind of inconsistency is nothing new.

My general recommendation is that the following criteria should apply when choosing an e-mail encryption solution:

1) The solution should be the choice of Federal FFIEC regulators. The FDIC, OTS, OCC and NCUA all use ZixCorp to secure their email.

2) The solution should have over 400 financial institutions as customers.

3) The Email Encryption Service should allow seamless, secure email communication with partners and customers who are members of a master directory hosted in a SAS 70 Type II facility. Translated into plain English, this means instant secure communications with your federal regulators.

Risk Management and Increased Security

States continue to introduce security legislation to help protect consumer privacy. An e-mail encryption solution should protect this data while also helping you benefit from:

  • Risk management;
  • Security best practices;
  • Reduced liability;
  • Avoidance of fines and bad publicity;
  • Customer loyalty retention

Automatic content scanning is both accurate and convenient. The Email Encryption Service should have built-in lexicons that automatically detect and encrypt messages that contain personally identifiable information. It is invisible to end users and helps prevent accidental transmission of confidential data, including personal financial information such as:

  • Social security numbers
  • Account numbers
  • Credit card numbers
  • Financial terms
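To show how lexicon-based content scanning of this kind actually decides when a message needs encryption, here is an added Python example; it is not code from the original post or from any vendor's product, and the regexes, the small financial-terms lexicon and the two sample messages are all constructed assumptions.

```python
import re

# Constructed lexicon of financial terms; a production service ships far larger lists.
FINANCIAL_TERMS = ("routing number", "account balance", "loan payoff", "wire transfer")

# SSN: 3-2-4 groups; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidates: 13-19 digits with optional space/dash separators, confirmed by Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Account numbers carry no checksum, so this is a keyword-context rule: "account"/"acct" then digits.
ACCOUNT_RE = re.compile(r"\b(?:account|acct)\.?\s*(?:number|no\.?|#)?\s*[:#]?\s*(\d{6,17})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(body: str) -> dict:
    """Decide whether an outbound message must be encrypted and report which lexicons fired."""
    categories = set()
    if SSN_RE.search(body):
        categories.add("ssn")
    for m in CARD_RE.finditer(body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            categories.add("credit_card")
    if ACCOUNT_RE.search(body):
        categories.add("account_number")
    lowered = body.lower()
    if any(term in lowered for term in FINANCIAL_TERMS):
        categories.add("financial_term")
    return {"encrypt": bool(categories), "categories": sorted(categories)}


# Constructed sample messages, not real member data.
PII_MESSAGE = ("Hi Bill, member SSN 123-45-6789, card 4111 1111 1111 1111, "
               "account number: 00123456789. Please release the wire transfer.")
BENIGN_MESSAGE = "Lunch Friday? My cell is 555-123-4567; the conference ID is 1234 5678 9012 3456."

if __name__ == "__main__":
    for msg in (PII_MESSAGE, BENIGN_MESSAGE):
        print(classify(msg))
```

The benign message shows why the Luhn check matters: a 16-digit conference ID looks like a card number to the regex alone, and a phone number never matches the 3-2-4 SSN shape.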

Purchase Options

I believe that any credit union with less than $150 million in assets should consider a managed e-mail encryption service rather than buying and owning the technology itself. Smaller credit unions can simply buy the encryption as a service and not have to pay for hardware to support the solution. Once a credit union exceeds $150-$200 million in assets or 50 to 75 employees, owning the e-mail encryption devices and placing them on its own network makes the most sense. There are a variety of reasons for this that I will get into another time if there is enough interest.

Implementing an IT Disaster Recovery Plan That Works (Part 1)

May 3, 2008

So what does having a comprehensive IT recovery plan mean? Does it mean that you have a Business Continuity Plan? Maybe it means that you have a real chance of recovering IT systems that support employees and systems serving members?

The NCUA wants an action plan and actionable progress toward implementing a DR site, but what about back-ups? For clarity’s sake, let’s compare a Business Continuity Plan (BCP) with an IT Disaster Recovery Plan. Everyone has a definition for both, and pretty much everyone agrees on the importance of both, so here are my definitions:

BCP Plan – A plan that recovers credit union business processes.

IT DR Plan – The technical reality of recovering processes with underlying IT systems.

I strongly believe that both are needed. For now, however, I’m going to focus on the IT part since this is where I see most of my credit union clients having difficulties, regardless of size.

What is happening now with credit unions is interesting. Here are two recent stories that highlight challenges I often come across.

EXAMPLE 1: A Small Credit Union [$68 million in assets] – When I asked the senior executive in charge of technology why he wasn’t backing up his new Microsoft systems and imaging systems, he stated: “We just installed our network and since our core processor is backed-up we didn’t think that it was important to back-up the new systems right away. Our imaging system might be backed-up but our Exchange and File systems are not…” Needless to say, I was stunned; I just couldn’t believe what I was hearing. This decision, by the way, went all the way up to the board of directors.

EXAMPLE 2: Medium Credit Union [$200 million in assets] – When asked what systems are backed up on the tapeless backup solution, the IT manager replied: “Everything is backed up to the tapeless backup solution including the core system, Microsoft Systems, and Imaging.” The IT manager left the credit union shortly thereafter and the CFO engaged us to help their staff do a recovery test to a reputable recovery facility. We found the following during the test:

1) Most of the backup agents were not configured properly;

2) There was no encryption between headquarters and the DR site, leaving all backup data “in the clear” when transmitting to the recovery facility;

3) They had no local restore and no corruption protection with their tapeless solution. They had decided to go with only one device at the DR site and forego the device at HQ.

In summary, they were unrecoverable, which is almost unbelievable! Ironically, since the old IT manager left, the CFO has “rolled his sleeves up” and now embraces network IT strategy. His comment: “If I can’t even get clean backups of my enterprise, what does it matter if I have a fancy DR site?”

So What?

The point of these short stories is that credit unions face real challenges when it comes to the basics of simple backups. Yes, the NCUA wants a DR site, but what about backups?

Trust, but verify.

Here are some questions that you can ask yourself, or even better, your network support personnel, regarding your “non-core” systems, meaning the Microsoft systems such as File, Email, and Imaging.

1) Are the non-core credit union systems recoverable in the event of a system outage caused by hardware failure, virus, water spill, or flood?

2) Are these systems recoverable in a mini-disaster or outage?

3) Would they be offended if you asked this question?

4) What is needed to demonstrate proof? You might also consider how often you get this proof.

5) Is a non-core system going down during the middle of the day a disaster or just a problem?

6) Has your IT manager proved to you recently that Active Directory is not corrupt? What would it mean to you if it were?

7) Has your IT manager proved that the imaging systems can be recovered?

8) Can the IT Manager prove to you that all Microsoft systems can be recovered?

9) Can the IT Manager prove to you that the Imaging system can be recovered?

10) Have you asked how much time it is taking to backup all systems?

11) If non-core system nightly backups fail, do you know why? Are you notified?

12) Can you complete all system backups during the night? How tight is this window?
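The “trust, but verify” questions above can be answered from the backup job records themselves rather than from the IT manager’s word. The Python below is an added example, not from the original post; the record format, the 22:00–06:00 nightly window, the 90-day restore-test age and the one night of sample jobs are all constructed assumptions.

```python
from datetime import datetime, time, timedelta

# Systems that must be recoverable: the core plus the "non-core" Microsoft systems named above.
REQUIRED_SYSTEMS = {"Core", "ActiveDirectory", "Exchange", "FileServer", "Imaging"}
# Hypothetical policy: a restore test older than this no longer counts as proof.
MAX_RESTORE_AGE_DAYS = 90

# Constructed records for one night (system,start,end,status,last_successful_restore_test), not real logs.
SAMPLE_JOBS = """\
Core,2008-05-02 22:00,2008-05-02 23:10,SUCCESS,2008-04-15
ActiveDirectory,2008-05-02 23:15,2008-05-02 23:40,SUCCESS,2008-01-02
Exchange,2008-05-02 23:45,2008-05-03 06:35,SUCCESS,2008-04-15
Imaging,2008-05-03 01:00,2008-05-03 01:05,FAILED,never
"""

def parse_jobs(text):
    jobs = []
    for line in text.strip().splitlines():
        system, start, end, status, restore = line.split(",")
        jobs.append({"system": system, "status": status,
                     "start": datetime.strptime(start, "%Y-%m-%d %H:%M"),
                     "end": datetime.strptime(end, "%Y-%m-%d %H:%M"),
                     "restore": None if restore == "never" else datetime.strptime(restore, "%Y-%m-%d")})
    return jobs

def verify_backups(text, as_of):
    """Turn one night's job records into the answers the checklist asks for."""
    jobs = parse_jobs(text)
    today = datetime.strptime(as_of, "%Y-%m-%d")
    # Hypothetical 22:00-06:00 window; assumes the first job starts on the opening evening.
    window_open = datetime.combine(min(j["start"] for j in jobs).date(), time(22, 0))
    window_close = window_open + timedelta(hours=8)
    f = {"never_backed_up": sorted(REQUIRED_SYSTEMS - {j["system"] for j in jobs}),
         "failed": [], "overran_window": [], "stale_restore_test": []}
    for j in jobs:
        if j["status"] != "SUCCESS":
            f["failed"].append(j["system"])
        if j["end"] > window_close:
            f["overran_window"].append(j["system"])
        if j["restore"] is None or (today - j["restore"]).days > MAX_RESTORE_AGE_DAYS:
            f["stale_restore_test"].append(j["system"])
    # Total job time against the window: above 100% means the night is already over-committed.
    busy = sum((j["end"] - j["start"] for j in jobs), timedelta())
    f["window_utilisation_pct"] = round(100 * busy / (window_close - window_open))
    f["recoverable"] = not any(f[k] for k in ("never_backed_up", "failed", "overran_window", "stale_restore_test"))
    return f

if __name__ == "__main__":
    print(verify_backups(SAMPLE_JOBS, "2008-05-03"))
```

On the sample night the file server was never backed up at all, imaging failed, Exchange ran past the window, two systems have no recent restore proof, and the jobs already need 106% of the window, so the answer to “is this recoverable?” is no before any DR site enters the picture.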

My next blog entry (Part 2) will focus on IT Disaster Recovery issues at a large credit union.