Insight. Innovation. Industry.
Risk Management / Technology /  •


Digital fraudsters are increasingly targeting the financial industry, requiring that credit unions go the extra mile to protect members’ data.

Offering mobile banking apps, communicating with customers via email, text and social media and empowering members to share financial data with third-party organizations are table stakes for banks and credit unions today. The digital evolution has forced the financial services sector to adopt the latest technologies to meet consumers’ insatiable demand for easy access to their money across platforms and provide a positive banking experience.

However, with this technological transformation comes increased risk of data breaches. There are regular headlines about companies reporting breaches in their organizations, including earlier this year when both the Bank of Montreal and CIBC’s Simplii Financial reported that hackers might have collectively accessed data from thousands of customers. Companies across all sectors are being affected and ramping up their efforts to protect customer information. At the same time, cybercriminals are getting smarter about how to steal it.

Credit unions across Canada understand it’s their responsibility to protect members’ data and have programs and initiatives in place to fight it. “It’s a hot topic,” says Nicolas Untz, director of corporate IT services at Central 1 Credit Union. “What we can do on [the credit union] side is to protect our data and services and to ensure we have the right standards in place,” Untz says.

The strategy also includes continuously educating members on how to protect themselves against phishing and other online scams. The information campaigns often include advice on protecting and changing passwords, using two-factor authentication on various personal accounts (including email and social media) and reporting suspicious emails that will inevitably land in their inbox.

Risks with mobile and social

Education is increasingly important given the growing use of mobile phones for banking as well as interactions with financial services firms on social media. Mobile-banking apps are now among the top three apps used on smartphones, according to the 2018 Mobile Banking Study by Citi, the consumer division of financial services multinational Citigroup. About a third of respondents used their mobile banking app the most and nearly half increased mobile banking use in the last year.

While security measures are improving, keeping transactions secure and staying ahead of cyber criminals is becoming increasingly difficult. About two-thirds of fraudulent transactions took place on mobile devices in the first quarter of 2018, according to research from security solutions company RSA, a Dell subsidiary. That is up from 39 percent for the same period of time in 2015. Fraud on mobile apps increased 50 percent in 2017 alone, the RSA survey shows.

“If we’re dealing with an issue it’s to the benefit of all to share it.” – Michael Elchuk, Affinity Credit Union

Social media also comes with risks, as was evidenced by the recent high-profile case on Facebook where data firm Cambridge Analytica revealed it exposed data from millions of users on the platform to aid Donald Trump’s 2016 United States presidential campaign. Such cases demonstrate how critical it is for organizations to protect customer data across all platforms, including internal systems, mobile and social media.

Financial services targeted

The number of data records stolen, lost or exposed worldwide hit 2.6 billion in 2017, which was an 88 percent increase from the year before, according to the Breach Level Index report released earlier this year by digital security firm Gemalto. It stated that nearly 10 billion records were lost, stolen or exposed between 2012 and 2017, with an average of five million records compromised every day.

The financial services industry is a main target. Payments fraud reached a new high in 2017, hitting 78 percent of the 700 participants in the 2018 Association for Financial Professionals (AFP) Payments Fraud and Control Survey Report. The American-based survey, which included treasury and finance professionals, indicated that 74 percent were hit by cheque fraud, 48 percent by wire fraud and 30 percent by corporate card fraud. Just over three-quarters of organizations had their business email compromised. The survey showed that about two-thirds of all payments fraud is committed by people outside of the organization. Such fraud attacks cost these organizations about 0.5 percent of their annual revenue. “It is alarming that the rate of payments fraud has reached a record high despite repeated warnings,” AFP CEO Jim Kaitz stated earlier this year. “In addition to being extremely vigilant, treasury and finance professionals will need to anticipate scams and be prepared to deter these attacks.”

The survey urges financial services companies to better educate employees about data protection and ensure the right processes are in place “to prepare and protect their infrastructures from cyber fraud.” The good news, according to Kaitz, is that 77 percent of organizations have controls in place to prevent business emails from being compromised.

Legal ramifications

In Canada and other countries, having controls in place has become mandatory. The European Union, for example, recently adopted the General Data Protection Regulation (GDPR), which sets rules for data protection and privacy. In Canada, organizations must adhere to the Personal Information Protection and Electronic Documents Act (PIPEDA), which sets out how to collect, use or disclose a member’s personal information during commercial activities, as well as provincial privacy laws, in some cases.

Under PIPEDA, starting this November, organizations that suffer a data breach resulting in a “real risk of significant harm” to individuals will be required to notify affected individuals and report to the Office of the Privacy Commissioner, as well as, potentially, others in some cases, says Alex Cameron, a partner at the international law firm Fasken. Organizations must also maintain records of security breach incidents, whether or not these breaches meet the threshold for reporting and notication, and must provide the Privacy Commissioner with access to, or a copy of, the records upon request. Cameron says the latest change to PIPEDA will bring increased scrutiny and potential liability around organizations that experience a breach. “It’s more important than ever” for organizations such as credit unions to protect members’ data, says Cameron, adding there are not only financial exposures but also “reputational consequences” of not doing it, especially if there’s a breach.

“These types of security assessments have now been made mandatory by our banking services provider, League Data, and our provincial regulator.” – Michael Boudreau, St. Joseph’s Credit Union

A report released this past July from the Institute of International Finance, titled Safeguarding Customer Data in the Financial Sector, says customers need to trust that their data is “handled soundly by all players” and that market integrity and the reputation and stability of the financial system are not put at risk. The report states, “when a customer is willing to share his financial information with a new service provider, this should not be translated as a lowering of expectations for the safety of their data. The principles and practices of financial institutions go beyond regulatory requirements, also reecting the best practices that the industry has developed and refined over time.”

Cameron says that the financial and reputational cost of dealing with breaches, including the potential liability and settlement payouts, reinforces the importance of working to avoid them in the first place. “You really need a comprehensive, written information security program, among other things,” he says. That includes policies and procedures across divisions, not just IT. He recommends credit unions look to best practices and industry standards to ensure they’re meeting — and potentially exceeding — data protections. Credit unions also need to train their staff on how to properly handle data, both in and outside of the office, and when to avoid clicking links that may be part of a phishing scheme, for instance. Cameron adds that many breaches can easily be prevented by organizations adopting a multi-factor verification for privileged users, among other safety precautions.

Credit unions protecting data

There are two main approaches to safeguarding member data: protection and education, says Mark Kroll, senior information technology manager at Libro Credit Union (104,000 members, $7.2 billion in assets). “It’s very important to consider where the members’ data is being held and what security is wrapped around it,” says Kroll, who is also a former chair of the cyber security group at Large Credit Union Coalition (LCUC), an alliance of Canada’s 15 largest credit unions. “We live in an age where information is easily accessible, so there should be precautionary actions to protect that sensitive data.”

Credit unions collaborate

Credit unions are working together to share information, best practices and data-protection measures that strengthen the entire industry. “Security is one of the areas where we won’t compete,” says Michael Elchuk, interim executive vice-president and chief information officer at Saskatoon-headquartered Affinity Credit Union (139,000 members, $6.7 billion in assets). “If we’re dealing with an issue it’s to the benefit of all to share it.”

Elchuk says there’s a focus on training staff to be extra cautious to help protect member information. At his credit union, for example, they use everything from posters to comics to help educate members and staff about data privacy and protection. Afnity also hires third-party auditors to do both an internal and external audit of their systems, including exercises where they try to trick staff into divulging data that should be protected. Another test was leaving thumb drives around the office to see if staff would plug them into their computers, or hand them over to IT (the latter of which is the proper action).

“Anything is fair game,” says Elchuk. “It’s about keeping staff on their toes and making them aware that these types of threats do happen. You can have all of the policies and procedures in place but if your staff aren’t following them or don’t know what they mean, you’re no better off. You still need to test their effectiveness.”

Be security aware

Smaller credit unions across the country are also paying attention to privacy concerns, despite limited resources as compared to their larger industry peers. “We are trying to stay on top of this as best as we can,” says Michael Boudreau, general manager of the single-branch St. Joseph’s Credit Union, (2,850 members, $79 million in assets), based in Cape Breton, NS.

For example, St. Joseph’s has developed and implemented a Privacy Breach Response Plan ahead of the PIPEDA changes coming this fall. Back in 2011, St. Joseph’s was also one of the first credit unions in Atlantic Canada to proactively and voluntarily hire a company to deliberately try and hack into their network and computers. “We were provided with a set of recommendations on how to better secure our data and subsequently implemented these recommendations,” Boudreau says. “These types of security assessments have now been made mandatory by our banking services provider, League Data, and our provincial regulator.”

To stay on top of changes, the credit union regularly posts fraud awareness-related material on its Facebook page and website and has hosted seminars on the topic for members and the general public. “We advise our members, especially at account opening, that they should have proper anti-virus software installed on their devices. If they don’t and their personal information is compromised and someone accesses their account, we might not refund them that money if it was determined they willfully ignored our recommendation.”

With social media, the credit union keeps it simple by just using Facebook and has a complex password that is changed monthly. “All computers used to store member information are password protected and screensavers are set to appear on all desktops during periods of inactivity,” Boudreau adds.

For mobile banking, the credit union uses the MemberDirect platform, which falls under Central 1’s and League Data’s rewalls and network protocols. “We also have it set up to send alerts if there are any changes to a member account. This platform provides our members the best encryption technology currently available and renders our members’ personal information indecipherable while in electronic transit,” says Boudreau, citing just a few examples of the measures his smaller credit union uses to protect member data. Staff also receive training throughout the year on data protection and privacy protocols.

“We are committing what I believe is the appropriate amount of resources,” Boudreau says. “It’s not a lot but once you have everyone on the same page, it gets easier.” He adds that access to personal information should be on a “need-to-know basis. Otherwise, you mind your own business.” ◊