Credit Union Mergers – Mitigate Technical Risk

March 18, 2009

From my point of view a credit union merger is a ‘non-trivial’ event, however I am excited about the opportunity that this provides both entities from a technology perspective. A small credit union can come out of a merger stronger, leaner, and more efficient than before. This is an opportunity to streamline, achieve economies of scale, and combine the best of each entity while discarding the unworkable elements. The following are a list of good questions to ponder with your teams. Here is a short list of what I would consider to be the ‘tough stuff’ from a voting and discussion perspective between teams.

Technical Systems Integration Planning Steps

  • What is the plan for the coexistence of two (separate) LAN and WAN networks and what is the end state goal?
    •  IP Scheme – bridged/ routed network
    • Are the Credit Unions using disparate core systems? Different Versions? Do they have conflicting IP Scheme requirement?
  • What are the deadlines that need to be hit so that they details can be coordinated?
    •   IP Scheme
    •  Printing (Sharing, Services, Drivers)
    • Bandwidth
    •  Routers
  • What is the plan for the convergence of credit union peripheral hardware convergence?
    • Signature pads
    • Receipt Printers
    • Scanners
    • Check printers 
  • How will imaging be merged, including the old that may need to be kept for 7 years? What is the plan for current and historical images? What is the final imaging goal?
  • How will old core system records be kept (Core historicals, etc.)?

Internal Questions

  • What is the end network design?
    • WAN Architecture
    • Integration
    • POP Diversity
    • Redundancy
    • Encryption
    • QoS – quality of services to protect VoIP integrity
  • Can the credit unions use each other for DR?
  • What services will be shared?
    • Active Directory
    • Email
    • Files
    • SQL Databases
    • Domain Controller Authority
    • Imaging
    • Domain Trust
      • Is Microsoft SBS involved? If yes, there are important trust planning considerations.
  • Will Microsoft licensing be audited to take advantage of consolidation? Use a merger to negotiate and consolidate licensing.
  • What is the plan for enterprise back-ups long term?
  • How will the phone system be consolidated and converged?

So here is the summary of my merger material. I have collaborated with a couple of team mates to put this 2 part series together for everyone. I hope you like it and that it was useful to you.  



Considering a Merger? Is the Time Finally Right?

March 5, 2009

With the economy shifting south, coupled with the NCUA assessment fee to bail out the Corporate Credit Unions, small credit unions can combine forces to compete better and provide more value to their membership. I am observing a trend toward small credit unions merging on a much more rapid scale than I have seen in the past. The merging of credit unions is not noteworthy in and of itself, however I do believe that mergers that combine to reach the $100 million plus range are going to increase.


When considering a merger, it is critical to establish relationships with experts you can turn to if you go forward. These experts should span all operations in the credit union, and be able to weigh in on questions such as:


· What are the best practices in merging a credit union?

· How do you merge IT departments without adding risk?

·  How to plan for and cut waste during a merger?

·  How can risk be mitigated?

·  What is the best way to leverage the opportunity to build in efficiencies?

· What functions can be strategically outsourced?

· What processes can be integrated?

· How should IT integration be handled?


Credit Union Merger Questionnaire – Information Technology

The following questionnaire pertains to the last point, and represents the starting point for planning and implementing effective IT integration for a credit union merger. These questions are intended to bring up important issues that must be planned for in the IT space, and to start discussions that will lead to effective decision making.


High Level Objectives/ Co-Existence Plan

  • Is the objective for the merger:  To attain one united front or identity with the leveraged strength of a partnership……
  • or is the goal of the merger to  maintain dual identities with the leveraged strength of a partnership?  
  • What is the plan for the existing domain names and the new domain name? Is there a timeline set for the sites to disappear and one to replace them, or will the old sites remain in place?
  • What is the plan for the email utility in the new entity? What is the timeline for implementation? Will there be coexistence of emails between domains?
  • How will home banking be presented to the members? What is the timeline for the change?
  • What SSL Certificates can be merged, deleted and/or re-used (web sites, ssl vpns, etc.)?
  • Is there a common encryption policy for sending information to third parties ( e.g. credit card processing via PGP, or does one of the entities have ZIx email encryption)?
  • What is the encryption goal? Are there any vendors that require specific encryption technology?
  • What is the end goal for the phone system and call center/ member services? Is there a timeline set for the convergence of the systems?

o        PRI analysis – what is the call routing plan?

o        Are you launching with core phone system functionality first and then integrating Call Center functionality after the merger?


  • What is the goal for integration and collapse of the networks (WAN – MPLS)? Applications  (like imaging, etc.)? Data bases? Other elements?

o        Has a cost analysis been completed for the infrastructure WAN collapse of the two entitities? Data, Voice (long distance/local)

o        What questions does one need to ask when integrating carriers – Sprint, ATT, Qwest, Verizon, and Paetech for example? (This blog link is an overview of questions to ask.


  • How are third parties (PSCU, FedLine, DI, etc. ) being addressed? Which third parties will remain? Are there redundancies? Which ones are going away? 


On my next post I will examine most technical questions that I have to ask myself when helping a credit union during a merger. 



Database Consolidation as a Strategic Weapon

April 2, 2008

It’s not an obvious fact that databases could be linked to strategy.

In a meeting last week with a local credit union, I asked about their core system performance and imaging systems, and they mentioned that performance was very poor when their tellers were in the Synergy imaging system. As usual, IT was ready to pull their hair out – but it didn’t have to be that way.

A credit union must be intentional with its data. Databases hold data, and your data (including the way you use it) is often the only difference between you and your competitor.

SQL (Structured Query Language) data bases distributed haphazardly across ten, twenty, or even fifty servers are not only hard to manage, hard to recover, and costly to manage for IT personnel, but are also costly from a licensing perspective.

Too much application software has been sold to credit unions. Vendors install their application, including an SQL data base, then walk away. Little if any attention is paid to the SQL data base, since a vendor’s primary concern lies in getting the application up and running properly, rather than optimizing the data base itself. As the predominant type used by my clients, SQL data bases need care and feeding, oil changes if you will, to avoid having them slow down.

A common excuse I hear is: “The vendor won’t support us if we touch the data base.” This just isn’t the case. In reality the vendor won’t provide support if you touch the application, but adjustments to the data base itself can be made without any problem.

So where does IT strategy fit in here?

A database consolidation strategy should encompass the following elements:

1) Has data base recovery been tested? For example from a tape back-up?
2) Has the data base been optimized for performance?
         a. Data base hardware optimization;
         b. O/S optimization;
         c. Application optimization;
3) Have the countless SQL databases been consolidated into 1 or 2 load-balanced servers?
4) Will the consolidation of databases help with DR planning?
5) How would this work with virtualization?
6) How would this work with a SAN (storage area network)?
7) Do you have expanding or contracting back-up windows for your databases?

Reviewing your database planning and approach can be very useful. The following elements should be covered when addressing SQL databases:

1) How many SQL instances do you have?
2) Can you outsource the optimization of SQL? This would work sort of like oil changes and tune-ups for your car.
3) How does one consolidate, and what is the staffing impact to consolidation?
4) What is the back-up plan?
5) What is the recovery plan?
6) Has it been tested?
7) What is the licensing impact?

Finally, ask yourself this: How much would our managing costs drop if we consolidate SQL data bases in our environment?

Security Strategy that a CFO can Understand

March 28, 2008

I recently had lunch with the CFO of a medium-sized credit union in the Mid-Atlantic region. 

The CFO had joined the credit union 6 months ago, and the account manager for my company was giving him an update on the progress of several IT projects that were being handled by my company. We had been working with this credit union for about 3 years, so we were educating him about decisions made before his arrival.

Since he had just lost his IT manager, he wanted to know why he had four devices acting as firewalls on his network. I responded that we had noted this fact as a risk item two years ago, but the former IT manager had disregarded our warnings. In explaining the history of the credit union, we explained that the IT manager was not concerned with security, but with how he was going to articulate the problems to his bosses (the CEO, IT review committee, and the board of directors).

In 2004 this credit union had passed a security review, though it was in actuality only a remote “penetration test”. The IT manager was not willing to face the challenges we described in our findings.

Fast forward to 2008 at our lunch meeting, and the IT manager is gone and the CFO is running the show. My company’s consultants tell the CFO that the four firewalls are doing absolutely nothing, and are in fact acting as a “screen door” for security.  The CFO shakes his head in amazement.

I explain that security can be quite straightforward. In fact if a business person can’t understand the security strategy and the tactics employed then it is too complex — complexity is a death sentence for credit union security. The more needless complexity you build into your infrastructure, the higher your costs.

I took out a pen and drew pictures of a firewall and 3rd parties (e-funds, shared branch, home banking, FedLine) on a restaurant napkin to show him how a firewall manages external business relationships. I drew a representation of his current situation with four firewalls and then sketched out an optimized (and affordable) future state. [See diagrams below]

A de-militarized zone (DMZ) must be a key part of a credit union’s security strategy. It is not the number one aspect of security, but it is close. The DMZ of a network is simply the drawbridge, moat, and exterior sentries of a castle’s defenses.

At its core, a DMZ must manage 3rd party access to a credit union network. Everyone thinks they are doing this, but I have yet to find a successfully managed and installed DMZ. My experience has been that DMZs are a real challenge for credit unions whether they are $30 million or $1 billion outfits.

I provided the CFO with a multi-year Security, Identity, and Privacy (SIP) strategy blueprint, and he promised to keep his IT strategy front-and-center for the next two years.

I’ll talk about the SIP strategy blueprint in future posts on this blog.