Features

December 2005

IT INSIGHT

Outsourced blessings?

Ken Emerson, director of strategic planning and CIO for Boiling Springs Savings Bank in Rutherford, N.J., uses outsourcing to provide key financial services for his company's customers. In an interview with Associate Editor Raymond Peckham, Emerson discusses how federal regulations have both made his job easier and now threaten to complicate his outsourced processes. How Emerson has chosen to tackle security issues is discussed in the article Bank outsources security to the cloud.
Ken Emerson balances the benefits and challenges of outsourcing for his company.

Has outsourcing always been part of your solution set?
The bank has historically always outsourced the data processing of the core banking platform. We have had good experience with that. It takes a lot of headaches off of us. I have to manage vendors instead of managing a staff of people and the equipment. Managing the vendor is not that difficult.

What factors do you consider when choosing a vendor?
One of the things that the regulators require of me is that I know my vendor has engaged in an independent audit, the SAS 70 Type II, which goes in and examines service bureaus' operational controls to ensure that they are running a tight ship. This makes my job easier. I can say to anyone coming in, "Do you have a SAS 70? Yes? OK, we can talk. If you don't, there is nothing to discuss."

The FDIC says I have to do my due diligence on a risk-based assessment. If I look at my vendors and say what is the likelihood of a problem and the magnitude should it happen, then I can make a determination of how diligent I must be in my review of them. For example, any company that I buy software from that I run in-house, where I do not give them connectivity to my environment, I can be a lot less stringent. I need to worry about my ability to run it from my disaster-recovery site. I need to worry about what their financial viability is. I need to look at the financials of all these institutions so that, if I see they are having financial difficulties, I can make plans to look at other systems.

How have you applied these requirements?
When my customers log in to do banking, they are dual authenticated to the bill pay provider. In a risk-based assessment, that is one that comes out as having a large magnitude of difficulty for me because that is one of the means by which an identity thief could take funds out of one of my customer’s accounts.

I expect them to have an independent audit. They have to have disaster-recovery documentation available for me to review, detailing what my responsibilities are in case they declare a disaster. They also have to engage an external company to do penetration tests of their environment. They have to show me documentation that they have done it, and what they are doing to remediate any findings.

What are the challenges you face with outsourcing?
The FDIC is looking for me to step up the oversight I have to do on my vendors, to the point of having my vendors recertify on a quarterly basis that they have had no breaches of security. They need to tell me if they have had any disgruntled employees. There are privacy issues that are being violated in trying to establish this oversight, and there is stuff that goes beyond the scope of my capacity to actually perform the task.

In the banking world, we are subject to a large amount of regulation and regulatory oversight continues to get more onerous. That, in itself, could force me to internalize a lot, just for the reason of not liking to manage the vendor.

I have three network technicians committed to the network and running all the applications we do in-house. As for hiring more staff to deal with compliance issues, I am in the process of training an individual to handle the system and our third-party vendor relationships, doing any new research and rolling out any implementations, so that I can focus more on the CIO and strategic planning areas.

SPEAK OUT!
Send your insights and comments to rpeckham@comnews.com.