PYMNTS-MonitorEdge-May-2024

Why Credit Unions’ ‘Mature Trust Model’ Matters For Members

PSCU: Why ‘Mature Trust Model’ Matters For Members

As COVID-19, the disease caused by the coronavirus, ravages the economy, and millions of Americans shelter in place to figure out their next financial moves amid layoffs and volatile markets, credit unions (CUs) have a role to play — particularly in the battle against fraudsters who would prey upon CU members at this most vulnerable moment.

To that end, Chief Information Officer Dave Stafford and Chief Information Security Officer David Bryant of PSCU, a credit union service organization, told PYMTNS that trust and collaboration are key among the efforts to protect consumers.

As the pair noted to PYMNTS, the coronavirus pandemic has spurred a shift in how people think about — and address — their finances. They are likely living life, now more than ever, online.

“As credit union members and consumers are transacting and doing more of their business in a digital environment, data privacy, and privacy in general, takes on a completely different flavor,” Stafford said.

Against that backdrop, he said, it’s imperative that CU members trust that their chosen financial institution (FI) is handling their data properly, safeguarding that data, and sharing that data only under circumstances that allow that member to be serviced and offered complimentary products — as opposed to being solicited.

“That’s a much more mature ‘trust model’ than perhaps we have relied on in the past,” Stafford said.
And in crafting and promoting that mature model, said Stafford, CUs can offer tools members can use to service their own needs with speed and efficiency.

He pointed to features that lend themselves well to banking on mobile devices. One example can be seen in setting up fraud alerts, which can be sent proactively to the member in case of a suspicious transaction.

Those proactive measures — leveraging advanced technologies such as geo-location, which can ascertain whether users are in fact the ones using devices — can prevent the need for a call in to a call center and lag times. As more fraud shifts from card-present to card-not-present commerce, it’s been imperative to thwart attempts to impersonate consumers and assume control of their accounts.

Bryant said end users want “assurances baked into products upfront,” and noted there has been an increasing embrace of two-factor authentication and for other protective measures that go far beyond user IDs and passwords.

In detecting and preventing bad actors, in setting high standards of transaction controls, Stafford and Bryant said CUs have been increasingly embracing the Automated Cybersecurity Examination Tool that is in turn provided by the National Credit Union Administration.

It’s a tool that can foster collaboration and data sharing among members — a positive dynamic, according to Bryant, that focuses on end benefits to consumers.

As Bryant said, the tool offers a way for CUs to measure the effectiveness of their fraud programs.

“It gives a credit union the ability to say from a maturity curve standpoint, ‘This is where our program would normally be… and where we need to be,’” he explained.

He said FIs can gauge the controls set in place with a cybersecurity program, and to gauge real versus expected outcomes tied to those efforts.

“There’s a good holistic view of what the entire cyber program looks like, as well as the ability to measure it against the tool everybody else measures,” said Bryant.

CUs can examine their strengths and weaknesses against CUs of the same size and see how they compare.

Security is also top of mind for CUs as amendments to California data privacy laws may effectively insulate these FIs from penalties tied to data breaches, owing to CUs’ non-profit status.

Bryant said CUs are not waiting around to see where the legislation goes to make sure they are in compliance with it. Many executives in the CU ecosystem, he said, are already thinking about or have already implemented much of California’s privacy requirements.

“We don’t require regulation to drive a good cybersecurity program,” he told PYMNTS.

PYMNTS-MonitorEdge-May-2024