In the banking industry, it's all about compliance and security. In fact, ensuring that it was keeping step with the latest requirements proved to be an increasingly full-time job for Forum Credit Union, one of the largest credit unions in the country. So the credit union turned to technology partner Allied Solutions to find a workable technology solution to help it adhere to the latest requirements for online banking and safeguard its employees as well.
Forum Credit Union, headquartered in Fishers, Ind., was founded by employees of Indiana Bell Telephone in 1941. The company holds $980 million in assets, placing it among the three largest credit unions in the United States. Forum has 240 employees in more than 11 branches nationwide and serves 88,000 members.
"Our membership and assets continue to grow over time," says Carol Minges, director of technology services at Forum. "We've been in a growth phase for the whole time we've been a credit union, but particularly in the last five years."
New banking regulations had Forum Credit Union scrambling to incorporate multifactor authentication into its technology security plan.
The company has strong IT support from its 34-employee Forum Solutions subsidiary, which specializes in helping financial institutions use technology wisely. Forum tapped its reseller partner, Allied Solutions, because it was confident that Allied could bring it up to date on the latest security technologies.
"Last year, with identity-theft breaches and all the ID-theft compromises in the news, we've really been trying to focus on security solutions for clients," says Traci Mottweiler, product support manager at Allied Solutions, which has dual headquarters in Carmel, Ind., and Plano, Texas. Founded 26 years ago, the solution provider offers its banking customers a unique combination of insurance and marketing vehicles, as well as technology products to meet the needs of banks and credit unions.
"In the past, we've done more marketing and insurance," Mottweiler says. "Over the last two years, though, we've started to have more technology products." Today, the reseller offers a select number of handpicked products in different areas of technology, including loan-origination solutions, online-collateral tracking systems and online-quoting software.
A Winning Combination
Forum trusted that with Allied Solutions' insurance background and expertise in technology-based solutions, the solution provider could identify the products that would help the credit union adhere to new regulations and recommendations issued by a host of agencies.
"We have used Allied Solutions as our insurance provider for a long time," Minges says. "In the financial services environment, we need to make sure member data is secure, so when they introduced us to the BioPassword concept, we were interested."
In October 2005, five federal banking regulators under the umbrella of the Federal Financial Institutions Examination Council (FFIEC) umbrella--including the National Credit Union Administration (NCUA) and the Federal Deposit Insurance Corporation (FDIC)--issued guidance to banks and credit unions, recommending that these institutions deploy security measures to reliably authenticate online banking customers.
The latest regulations require that banks and credit unions increase the security of electronic banking systems to minimize account hijacking and identity theft.
"Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services," according to a report titled, "Authentication in an Internet Banking Environment" from the FFIEC. "Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation."
The guidance requires that banks assess the risks of their online banking operations and implement multifactor authentication, layered security or other controls reasonably calculated to mitigate those risks, the report stated. The deadline for compliance with the guidance was year-end 2006.
NEXT: Factoring in multifactor methods.
One method of achieving this higher level of safety is multifactor authentication (also called strong user authentication), which requires users to provide an additional form of identification to supplement the traditional ID/password combination. There are four universally recognized factors for authenticating individuals: something the user knows (such as a password or PIN); something the user has (such as a credit card or hardware security token; something the user is (such as a fingerprint, retinal scan or other biometric); and something the user does (such as voice recognition, signature recognition, etc.). Multifactor authentication uses some combination of those factors.
Allied Solutions recommended that Forum use BioPassword's technology to safeguard its employees' computer systems as well as its online banking customers. The solution incorporates keystroke dynamics, a biometric science that accurately identifies individuals based on their unique typing rhythms.
BioPassword Enterprise Edition and BioPassword Internet Edition authenticates users based on a unique signature created by an algorithm that measures the way a user types the password.
"We pride ourselves in staying ahead of technology," says Debbie Price, director of retail product support at Allied Solutions. "We built our relationship with BioPassword as a proactive step to address multifactor authentication requirements. We also became very proactive in reaching out to clients to let them know about regulatory changes."
To make its point, Allied Solutions presented Forum with a matrix that evaluated several potential solutions, then demonstrated the BioPassword solution, Price says. BioPassword combines the user's login credentials (a user ID and password) with a biometric signature based on an individual's typing. The software asks the user, during the first session, to type in a user ID and password combination nine times in order to create the algorithm it uses to authenticate the user going forward. Only about 4 percent of users are so erratic that they need to type their information in more often in order to create a reliable signature, Minges adds. In addition, the IT manager can set the threshold for recognition to be more or less strenuous.
"When Forum Credit Union saw the demonstration and spoke with BioPassword, it was a hands-down decision," Price says. "There was really no comparison with the other products."
The company agreed to be a beta customer for BioPassword Enterprise Edition to authenticate employees in August 2006, and went live with the release version of the technology Jan. 1, 2007. "In looking at our network security and online banking concerns, we thought that it would be a good idea to apply BioPassword to both environments," Minges says. "It's been really successful."
Reaping the Rewards
This decision to move to multifactor authentication technology for employees provided a number of benefits for the credit union. First, the decision allowed Forum to take a technology leadership position.
"It's interesting that they decided to roll out BioPassword not just to home banking customers but also for employee access," says Anil Rao, product manager for BioPassword. "There are several threats in FDIC and NCUA guidelines that stipulate the need for better authentication and controls around who has access to data in banks. Forum is now ahead of the curve with regard to implementation specifications."
Forum found that BioPassword was, after the initial process of retyping passwords to build a profile, largely transparent to users, Mottweiler says. "The member doesn't experience any changes in their behavior, which is notable compared to other solutions," she adds.
In addition, the more often the user logs in, the more accurate the security signature becomes, which reduces--and even negates--the need for users to change their passwords regularly, Rao says.
"The great thing is that we're changing our network passwords every 30 days, but as we become more convinced about the reliability of BioPassword, we can reduce that interval," Minges says. "Even if someone has the password of another person, it's not an issue."
In addition to assisting Forum in working through the beta process, the solution provider has helped the company make the decision to move ahead in rolling out the technology to online banking customers as well.
NEXT: Taking the next steps.
Going forward, Allied Solutions and Forum Credit Union plan to continue to work together to ensure the safety of their customers and employees and make online banking simpler. "Allied Solutions and Forum will continue to work closely together," Price says. "They've been a beta site for many of the technology products we offer, and I see that tie getting stronger and stronger."
As a next step, the credit union will be using the same technology with BioPassword Internet Edition to secure the transactions for its online banking customers. Today, a majority of Forum users--nearly 65,000--are active Internet banking members, Minges adds.
In the future, online banking will become even more popular with users, analysts predict. In general, online banking experienced a 27 percent growth rate in 2005, according to a March 2007 report on U.S. online banking by Forrester Research, Cambridge, Mass. By 2011, Forrester expects online banking adoption to grow by 55 percent, to roughly 72 million households. In 2011, 76 percent of online households will bank online, the report adds.
As part of the process of adding new authentication technology to its system, the credit union is completely revamping its online banking.
"We made the decision to completely rewrite some components of our online banking system and thought it was a good time," Minges says. "BioPassword gave us a strong, secure solution, so we could give members more functionality, since we truly know they are who they say they are when they log in."
In the new version, members will be able to access multiple accounts with a single-user name and password instead of maintaining separate security information for each account. Forum hopes to have the next phase of the project done this summer. "We'll roll it out to our employees who do Internet banking in May so that we can see what education or technology issues we might face, and then we will use it for everyone," Minges says.
Allied Solutions, meanwhile, plans to continue to extend its technology portfolio with products and services that are closely aimed at the expanding needs of banks and credit unions. "As credit unions face greater challenges in the market, we'll be there to assist them," Price says. "As new threats emerge, financial institutions have to do things to protect themselves."