5 minutes
Tips on vetting vendors that access your members’ sensitive information
Your reputation as a reliable steward of your members’ personal financial information today doesn’t rely solely on your internal data security program—your reputation also relies on any third parties you give access to this data.
We asked for advice about vetting third-party firms from two common types of credit union vendors: Allied Solutions, a lending and risk management services provider, and IDology, an identity verification solutions company.
Conversation and Documentation
Before delving into IT infrastructure and specifications, any good audit begins with simple conversations, says Josh Gideon, manager/audit and compliance for insurance solutions provider Allied Solutions, a CUES Supplier member based in Carmel, Indiana. He recommends starting audits by asking for the vendor’s data security policies and procedures. “You’re being graded based on what you say you’re doing,” he explains. “The auditors say, ‘Tell me what you say you’re doing, and then I’m going to test this to verify that you’re doing what you say you’re doing.’”
To initially gauge the quality of a vendor’s data security program, Gideon suggests asking the firm’s leader about the program’s policies and procedures. “If the CEOs or owners of the companies seem to have no clue about the policies and procedures, it’s a pretty good indication that they’re not really behind them,” he notes.
Another indicator of a company’s data security program is how transparent they are about the technical details. For its own program, Allied has a page on its website that covers its commitment to information security. And they back up this commitment by responding promptly and thoroughly to requests for specifics about their data security measures.
For example, credit unions often send vendors, including Allied Solutions, a generic data security questionnaire to complete. But Gideon finds that the questions on these are often too vague or lack context.
“Both the people asking the questions and the people trying to answer end up having to guess what the other is thinking,” he says. “In the end, you tend to get a sub-par sampling of the answers you really need.”
Gideon thinks a better strategy is for a company to share results of its own data security audits, such as SOC2 Type 2 documents. This is an internal controls report capturing how a company safeguards customer data and how well those controls are operating issued by independent third-party auditors covering the principles of security, availability, confidentiality and privacy.
“It comes down to being transparent,” he says. “I think that a partner or a vendor you’re using should be offering you documents--you shouldn’t have to be asking for them. The SOC2 Type 2 is a great insight into whether that company is doing what they say they’re doing.”
Another good document to look at is a Standard Information Gathering questionnaire, or “SIG.” The 1,200-question tool was created by a non-profit, Shared Assessments.
The report showing answers to SIG questionnaires is exhaustive, Gideon says. “When we send that, rarely do we get another question back.”
Don’t overlook the security of your vendors’ vendors, he adds. “We have to make sure our third-party vendors are taking CU member data security as seriously as we are,” he says, referring to the third-party-related Solarwinds hack. “Our vendors could very well be the weakest link in the chain.”
It’s even important to scrutinize vendors who handle data that may not be the highest target for hackers. Allied Solutions is a good example, because it generally doesn’t have access to the most easily exploited personal financial account information. But Gideon notes that even the vehicle and insurance data they process is worth defending vigorously.
“Pieces of data are valuable,” he elaborates. “They tell a story. If somebody can take insurance information and extract something they didn’t have before—maybe we have a phone number they didn’t have; maybe we have a physical address or a” vehicle identification number. “What can you do with a VIN? You can figure out what type of vehicle the member has, how new it is. It depends on what that threat actor is trained to do with that data. We may have the missing link for them.”
Find a True Partner That Goes Beyond Basics
When the vendor you’re vetting will be a key part of your credit union’s data protection program, it’s even more critical to do your due diligence, says Heidi Hunter, VP/product innovations at IDology, an ID verification solutions provider based in Atlanta. Like Gideon, she believes an honest conversation is an excellent start to the vetting process.
“First, find someone who is a true partner, who’s going to listen to the problems you have and put together the right solution to address them,” Hunter says.
For identity verification solutions, she advises looking for firms that go beyond basic “know your customer” requirements established by regulators. Your credit union could comply with KYC requirements and still not cross-reference the data a fraudster gives you broadly enough to flag the transaction.
“You need someone who has a really wide net of data sources and datatypes that they can verify. Because when you layer in mobile intelligence, email intelligence, geo-location intel, that’s how they’re going to find more of the risk up front,” she says. And detecting fraud early in the transaction process means you’re protecting your reputation and keeping down costs, she adds.
Strong analytics are the basic requirement of initial ID verification, but you should also look for a provider that broadens the protection through ongoing monitoring and review, Hunter points out. “Your vendor should be able to make adjustments quickly based on these ongoing reviews of your program,” she says. “But also, they should be able to make adjustments based on how they see the future of identity technology—and on the potential fraud that’s always evolving in response. For every block you’ve put in front of fraudsters, they’re already trying to find a way around it.”
Professional Expertise Complements Machine Learning
While IDology has a sophisticated software solution for member identity verification, it also backs findings with manual reviews done by members of its fraud team. These fraud analysts pore through data every day, with support from machine learning, and reach out to clients when machine learning points to something that may need extra attention, Hunter says. The data analysts then work with product experts and customers to create new use cases to improve results and shut the fraud out.
Finally, credit unions also need a partner that is flexible in implementing changes, Hunter notes. For example, if a credit union sees too many qualified applicants dropping off at a certain point in the identification verification step of a loan application, this can indicate a need to reduce friction at that step.
“Your partner should be able to assess that and implement the change without interrupting your CU’s work,” Hunter asserts. “It’s important that making changes is easy and fast, because fraud shifts every other day.”
Glenn Harrison writes for Credit Union Management from Stoughton, Wisconsin. Lisa Hochgraf is senior editor for CUES.