Exploring a Small Bank’s IT
In response to the ongoing mergers, buyouts and consolidations of financial institutions in the 1990s, a group of Puget Sound-area businesspeople started a locally owned and managed bank in order to provide local businesses and their employees with responsive, highly personalized service. The resulting Bellevue, Wash.-based Charter Bank ($255 million in assets) opened its doors in January 1998 as a full-service business bank. Tom Robertson, a former network engineer at Fiserv (Brookfield, Wis.) and now Charter Bank's senior vice president and manager of information technologies, discusses the ins and outs of IT for a smaller bank in an interview with InformationWeek's Steven Marlin.
Q: How long have you been with Charter Bank?
Robertson: Six years. Prior to that, I worked for Fiserv for 19 years. I did a lot of disaster recovery planning work for the data center, so I came to the bank with a lot of knowledge in that area.
Q: What distinguishes Charter Bank from other community banks?
Robertson: It has its own IT department. Most [community] banks outsource their IT operations; Charter started out seven years ago with an IT manager on board. Since I've arrived, management has been extremely supportive on all matters of technology, including security, business continuity and fault tolerance.
Q: Have security issues risen in importance?
Robertson: No. We've always considered security to be important. Legislation such as Gramm-Leach-Bliley and the USA Patriot Act has reinforced the need to take extra precautions with knowing who your customers are and protecting sensitive information.
Q: Why does Charter have its own IT department when most banks its size outsource?
Robertson: Seasoned bankers started this bank -- they saw the importance of maintaining control over information and product selection, for choosing best-of-breed products. They also saw the need to have an in-house IT staff. It would have been easier to outsource IT, but then we wouldn't have complete control over security and infrastructure, nor could we make technology decisions based on client needs. Reliance on third parties has its own risks. There's no real buy-in unless you have some skin in the game. If you have an incident, then the third party isn't affected.
Q: Can you elaborate?
Robertson: If you have third-party vendors that handle client information, you're responsible for what those vendors do with it. We have to share certain customer information with vendors because they need it to do their jobs, but we're still responsible for Gramm-Leach-Bliley Act compliance, reviewing SAS 70 forms and performing FDIC audits. We have a comprehensive vendor management program, encompassing risk mitigation and annual reviews. Our vendor manager is responsible for making sure that vendors perform to specifications.
Q: Is regulatory compliance part of your responsibilities at Charter Bank?
Robertson: We have our own compliance officer who reports to our president and maintains and schedules reviews, both for the FDIC and the State of Washington.
Q: Do you run Internet banking in-house?
Robertson: Yes. We run it in-house so we can maximize control of client information. Third parties have to conform to their own risk management programs. As we've seen, it only takes a vendor of a vendor to lose a tape. We use S1's [Atlanta] Internet banking platform. We have control over information security, including intrusion detection, firewalls and the like. Some vendors that operate service bureaus were brought down by attacks such as Code Red and Nimda. That's an instance of vendors being compromised. We weren't infected because we run the product in-house.
Q: Has your bank been the target of phishing attacks?
Robertson: No. We're fairly small. Some of our customers received phishing e-mails intended for Charter One Bank [which has no relation to Charter Bank]. We do our best to educate our client base. We maintain intrusion prevention systems, firewalls, content filtering, encrypted e-mails and patch management.
Q: Any product enhancements in the offing?
Robertson: We're getting ready to roll out our new Web site, which will feature greater personalization, including My Charter Bank. We're a business bank -- we meet the needs of industry-specific segments, such as medical, dental and home lending. The site will contain specific content aimed at our clients, such as builders, doctors and dentists. We are building content around industries and professions as well as around specific products. Instead of just offering e-banking, we are bringing multiple products under My Charter Bank. For example, if you're a home lender, you can initiate your own wire transfers; right now, you would have to use e-mail or fax. On the security front, we also provide dual-factor authentication.
Q: What's the impetus for beefing up your disaster recovery capabilities?
Robertson: The FDIC is constantly checking on our disaster recovery plans. Those plans need to be robust and have to be tested annually. Every product has fault-tolerant backups and failovers. That's the most important thing -- having a good business continuity plan. As a small bank, we find it helps to keep it in-house.
Q: What are the key elements of Charter Bank's business continuity plan?
Robertson: First, we have an incident response policy that defines importance based on the criticality of the business application. Our incident response policy is integrated with our business continuity policy. A technology committee and different business group leaders decide what recovery levels are needed for each application. Fiserv, which supplies our core applications, is mission-critical; that's our data of record. Getting to that data is considered mission-critical, so we have a well-defined recovery time associated with that. An incident may involve the network, or it might involve Fiserv's mainframe systems. Part of our business continuity plan is making sure Fiserv has a business continuity plan.
Q: Describe your storage environment.
Robertson: As a business bank, we don't store as much physical data as a retail bank with many thousands of customers. We're a Dell [Round Rock, Texas] shop running a [Redmond, Wash.-based Microsoft] Windows 2003 server. We use lots of direct-attached storage, but are working toward implementing blade servers and storage-area networks. For near-line data, we back it up to tape, but we have reports and archive available on a disk array. We use network-attached storage for archival purposes. Our systems provider, Fiserv, processes the main banking transactions, but we do everything else in-house -- e-banking, check image archival and retrieving, COLD reports. We have systems for wire and ACH transactions as well as our own accounting systems.
Q: What kind of analytics does Charter Bank perform on transactions?
Robertson: We don't run any adware or spyware. We run analytics software to analyze Web sessions. We have a front line of personal bankers and relationship associates who provide a single point of contact for customers.