Are regulatory requirements killing credit union innovation?

Ongoing Operations recently held its client advisory board meeting.  While we had realized the compliance pressures had been mounting we were blown away with how bad it has gotten.  One client had actually measured and articulated their situation.

The client, a mid-sized credit union, had about 200 hours of labor available for R&D, new projects etc. on a monthly basis.  Currently, compliance reporting, mitigation, and management work were taking about 70% of the available capacity.  Many other clients voiced that they were facing similar struggles.  If this ratio is consistent throughout the industry we should be very concerned about credit union’s ability to stay on top of the competition.

And the end to increased regulatory pressures is NOT in sight either. As the NCUA begins to focus on Cybersecurity and other IT Security initiatives and with the ever increasing threat list, it seems that this will be the new normal for our industry.

So what should credit unions do?  Should we give up on R&D and innovation occurring in the technology department?  Should we hire more IT people?  Should we look for ways to make the compliance piece as efficient as possible?  What is the best way to make the compliance responsibility more efficient for IT?

The solution may unfortunately require significant changes to our IT Security approach and a lot more strategy.  Let’s look closer at the cyber-security example. Historically, IT Security has evolved over time.  It started with a firewall, then a DMZ, then VLANing. We added Anti-Virus, DLP, and every other three letter acronym until we get to 2014 where we have 20 or 30 different security products.  The challenge is none of these products were designed with the others in mind or with the evolving threat world.  In reality, all of them need to produce data and be tied together with platform management tools to really be able to correlate events, detect anomalies and ultimately prevent attacks.  Strangely, with this evolution things like which anti-virus provider to pick – no longer even matter and instead are purely commodity components.

Clearly, given the complexity of today’s credit union infrastructure a new model needs to exist for compliance approach. What if instead of applying each tactical solution to each threat, we started at the compliance engine side of things?

Ultimately, compliance requires three main components:

• First, a knowledge of what we have to comply with.  The FFIEC gives us a pretty good playbook on this one.
• Second, the policy and procedure that is required to create strategy, structure, and consistency in how we comply.
• Finally, proof in the form of reporting that we actually complied.

If we start with the regulation on the front end and map to the policy we can then get much more clarity and design a system that can adjust and be fluid to the changing threat world over time.  Then, if we accept that the tactical solutions are not all that important in the system, we can plug in specific solutions that appropriately match up to the compliance engine.

In the case of cybersecurity, by taking this approach, we can greatly simplify the compliance side while simultaneously preparing us to better mitigate the attacks.   The compliance engine and reporting occurs on the front-end and drives the process instead of being an afterthought.  Or you can stick with the current tactical approach and end up buying and integrating 20 -30 separate products with 20-30 separate reports and trying to translate them into 1. Designing from compliance side truncates that greatly.

Finding a managed security provider that supports this approach and getting out of the tactical decisions is key to freeing up the resources within the credit union.   Unfortunately, this shift will probably take many months (years?) and a concerted effort to approach the problem differently.  The end result could be getting back the 80 or 90% of the IT Skill that can get refocused on innovation and R&D in the business again.

Of course, if you decided that innovation and improvement shouldn’t come from the IT department then keep approaching IT tactically and your compliance costs will continue to expand.