A collection of observations, ruminations, predictions and random thoughts from Cornerstone Advisors.

Learn More

June 30, 2016 by Brandi Gregory Brandi Gregory

The Payments Stress Test Somebody in the Bank Should Run

MoneyHandAn unfortunate turn of debit card events is happening for financial institutions unregulated by the Durbin Amendment (assets under $10 billion, which is most banks and credit unions). And, it’s bringing unwelcome bad news for non-interest income.

Many banks and credit unions will see non-interest income deteriorate for the following reasons:

Debit EMV issuance/acceptance: the acquirers are striking back.

As the liability for fraud shifted in October 2015, it was a non-event with the exception of the largest financial institutions. EMV Connection reported that 600 million chip cards were issued by the end of 2015 and predicts that number will rise to 900 million by the end of 2016.

The majority of EMV (Europay, MasterCard and VISA) cards on the street are issued by regulated (large) banks, which leaves a much larger percentage of financial institutions that are not yet issuing EMV. Large banks capitalized on the liability shift, and the acquirers/merchants weren’t ready because many retailers held off launching EMV acceptance at their terminals until after peak holiday shopping season. And, the large banks buried the acquirers in chargebacks the likes of which had no historical precedent.

Walmart sued VISA.

You read that right. Walmart sued VISA – again. (It’s that time of the year, right? Fourth of July picnic and a Walmart/VISA lawsuit.) This time Walmart alleges that VISA is violating Durbin by forcing the acceptance of a signature. It isn’t clear how this will be enforced as VISA is not issuing public comments and MasterCard is trying to stay out of it. To put icing on the cake, Walmart recently announced it is no longer accepting VISA cards in Canada over a merchant fees dispute. What are consumers to do if they don’t have an alternative payment method – leave their basket of goods?

While it may be hard for some to imagine VISA ever being denied by large merchants in the United States, keep in mind that the only credit card Costco accepts in the U.S. is now VISA, following its shift from American Express.

Meanwhile, many merchants altered their payment terminals to only accept a PIN on a debit EMV-card-present transaction. This change impacts all debit signature transactions for both MasterCard and VISA cardholders. Savvy consumers can challenge merchants to allow their transactions to be signature transactions, but how many really will?

Banks and credit unions are scrambling because they are rolling debit EMV out to cardholders with the message to perform signature transactions while large retailers like Walmart, Target, Home Depot, Lowe’s and Kroger are not having that anymore. Many banks and credit unions have spent years educating their cardholders on how to transact at point of sale (POS); some still assess a fee for a PIN transaction. And all of that education is being eradicated in just a few short months by acquirers.

If VISA prevails and merchants are forced to allow cardholders to choose their transaction method, it may be too late. Consumers are creatures of habit, so once merchants teach them to use PIN, what motivation would they have to go back to a signature transaction? And even if they did, would it make a difference?

The larger regulated financial institutions are most likely indifferent to this change in transaction processing since Durbin equalized their interchange on PIN and signature transactions. But, the unregulated banks and credit unions should care – a lot. Banks and credit unions should perform a payment stress test that forecasts the impact of volume shifts to non-interest income – just like a credit stress test, but on the other chunk of income that drives banking (not to mention banking relationships).

And just to add to the fun … Kroger sues Visa.

What started as a fraud mitigation effort with EMV is now back to just a battle over what everything seems to get down to: money. Merchants were not happy with how the U.S. opted to implement EMV without enforcing chip and PIN. They tried to force PIN at their terminals (which, if we are being honest, is not the same security as chip and PIN) and it resulted in VISA fining them until it was corrected. VISA even threatened to revoke their ability to accept any VISA debit transactions – a $29 billion impact to the Midwestern grocer. While the terminals still prompt for PIN first, consumers now have the ability to exit out to signature.

In response to the fines, Kroger has joined the growing list of merchants suing VISA. So let’s say VISA wins. What’s next?

POS signature/dual message debit: a disruptor lurks.

Even if VISA wins this lawsuit with Walmart, the coast is not clear for unregulated interchange erosion. The PIN networks are ready to roll out POS signature/dual message transaction processing. Doesn’t that sound like the muscle car of payments processing?

With POS signature/dual message, authorization occurs through the lower-revenue-generating PIN network and settlement follows later in a batch transaction exactly as it happens with VISA/MC signature transactions today. All the large PIN networks have the support ready and are simply waiting on the acquirers to support the transaction type. At this point, there isn’t a need to roll it out since the merchants are forcing PIN. Although it is unlikely that VISA/MC will see their volume convert to other networks, they haven’t pulled their largest lever yet – lowering signature interchange to compete with the POS signature/dual message debit rate tables that traditional PIN networks have created. Either way, it’s a hit to unregulated bank and credit union income on the same pool of transactions.

Three things banks and credit unions can do right now:

  • Run a payments stress test and stay smart. Understand sig/PIN penetration and how it impacts income. Smaller banks and credit unions should now deploy models and stress test to forecast impact just like the big banks.

Smart GonzoBankers might think this challenge could be tackled by aggressively marketing debit cards and making up the shortfall on volume, but the stress test found there was no way to optimally grow over the interchange problem with debit. Bummer, huh? But, at least credit is there as an option that works.

  • Get a credit card issuing strategy. The debit income problem is not going away, and plans are needed to recover as much of the income loss as possible. The majority of debit cardholders also have credit cards in their wallets. And that’s growing largely because big banks were motivated by revenue and the Durbin Amendment to get a credit card in their customers’ wallets.

Community banks and credit unions need to gain (or regain) their position in the wallet and avoid losing both transaction and brand power. If a bank already issues credit cards but penetration and usage are low, chances are 1) the product is uncompetitive; 2) there is no marketing calendar; 3) the product is buried three pages deep on the website; or 4) all the above.

  • Review network participation and cease belonging to more than one PIN network. Maestro or PAVD/Interlink cannot be avoided but the total number of other networks issued in can be.

Stress tests shouldn’t stress you out. So, make it a good summer and happy chipping and swiping.

Shout out to Terence Roche and Sam Kilmer for their contributions to this post.

For every 5% shift in volume from signature to PIN, debit interchange will be negatively impacted by 20%.

Are you prepared to lose 20% of your interchange income?

A Payments Stress Test from GonzoBanker’s mothership, Cornerstone Advisors, can help you get the balance right between credit and debit marketing. Our Payments Stress Test reviews your payments ecosystem metrics and provides an analysis of baseline versus adverse and severe impact scenarios.

Contact us today to learn more.



Filed under: Cards & Payments, Retail Banking, Uncategorized

Print This Post

June 22, 2016 by Scott Hodgins Scott Hodgins

Trouble in the Great White North, Eh?


d+h_62216There is trouble brewing with our pasty, pilsner-chugging partners to the north. You know it. I know it. The American people know it. Personally, given the chance I’d build a wall made of melted hockey pucks along the U.S./Canada border to repel those black-denim-wearing, Tragically Hip-listening ruffians. How else will we protect our American Zamboni driver jobs?! That’s for another day though, GonzoBankers. Another day.

For now, let’s focus on Toronto-based D+H, where all signs are pointing to big trouble when it comes to its core systems PhoenixEFE and UltraData. The following are Facts:

  • September 2015 – During the last D+H Connections client conference, D+H executives including President Bill Neville (a bank tech and core veteran), head product marketer Lindsay Sanchez (tech veteran new to banking), and Senior Vice President David McConney presented the company’s future direction including core banking.
  • November 2015Banking Exchange publishes an interview with Neville and Sanchez, the ostensible faces of the D+H core, about the client conference, pointing to the importance of core and user/community events.
  • DPeople_6216ecember 2015 – Sanchez leaves D+H for a new position elsewhere (a business ironically named Kore Inc.).
  • January 2016 – Suffolk County National Bank, PhoenixEFE’s largest domestic client by assets, publicly announces plans to convert to Fiserv Premier.
  • March 2016 – Neville announces his coming retirement in late 2016 and writes to clients that the 2016 client conference is cancelled. The announcement was wrapped in a fairly convoluted but optimistic, “Wait ’til you see how cool it’ll be in 2017!” wrapper, but D+H cancelled its freakin’ client conference! Poof.
  • May 2016 – D+H announces the shuttering of substantially all domestic UltraData development efforts in favor of offshore development in India with the former UltraData headquarters in Pleasanton, Calif., soon to close.
  • Late 2015 and 2016 – There has been an H. Ross Perotian Giant Sucking Sound coming from the core products management team that arrived from Harland Financial Solutions and hired by D+H after the HFS acquisition, involving executive level honchos and crucial hands-on senior managers alike:
    • Product marketing executive Lindsay Sanchez, brought in by D+H – goner
    • Product management executive Sanjiv Waghmare, brought in by D+H – goner
    • GiantSuckingSound_62216Operations and core senior executive David McConney – goner
    • Strategy and marketing senior executive Scott Hansen – goner
    • U.S. technology senior executive Dan Larlee – goner
    • PhoenixEFE operations executive and general manager Rick Durant, Ultradata R&D executive Peter McKellar, product and alliances leader Tom Berdan – all goners
    • The senior most core executive, Neville – retiring in late 2016.


Some management changes are to be understood with recent acquisitions, but c’mon! – this is a massive knowledge loss in a short period of time. Management exodus aside, no single point above merits a Panic Button situation for D+H core processing clients … and certainly not D+H lending and payments clients. And, D+H claims to be continuing to sign some new mid-size banks to PhoenixEFE contracts. But, together, these events cause a Crap Storm of Suspicion. (Ed.: Sorry for the consulting buzzwords.) It has gotten bad enough – publicly – that after the conference cancellation notice we hear that Fiserv, in a rare moment showing its sense of humor, sent a letter to D+H clients to invite them to the Fiserv client conference! I couldn’t list that with the facts above because I never actually saw the letter, but several D+H clients have mentioned it.

“God ain’t in heaven,
something ain’t right.”
–David and David, River’s Gonna Rise

So we can all agree, can’t we, that something is very wrong with the D+H core processing business. It doesn’t take a financial tech soothsayer like myself to figure out that a company with executives leaving in droves, cancelled conferences, slow market momentum – including the loss of their largest client … is having difficulties.

Who knows what is driving this, really? Maybe the core business is in such poor shape, sales-wise, that D+H is just cutting expenses, including staff and conferences, to the bone. Maybe its poised to sell the core products business (has a ring of possibility to it) or all of the former HFS business lines (pretty unlikely).

So What?

Clearly, your radar is screaming at you if you’re a D+H core processing customer. Your core product could be owned by yet another company in the near future. Maybe, maybe not. But even if no ownership change takes place, the writing is on the wall for the company’s willingness/ability to keep investing in its core processing products. You don’t witness the torrent of change described above and expect R&D to stay level or grow. D+H core product prospects should also take note: know what you’re getting into. It could still be time for you to move to a D+H core product, but know the warts along with the benefits.

Though not all necessarily agreed with every point herein, I thank the many Cornerstoners whose thoughts and ideas contributed to this article, including Sam Kilmer, Terence Roche and Eric Weikart.

– Hodgins glasses

Filed under: Core Processing, Vendor Buzz

Print This Post

May 27, 2016 by Todd Stringer Todd Stringer

How I Hacked Gonzopalooza

GonzoBanker mothership Cornerstone Advisors holds a few company-wide meetings at the Scottsdale, Ariz., headquarters during the year. The most recent meeting was our educational event known as Gonzopalooza, in which we … well, the first rule of Gonzopalooza is “don’t talk about Gonzopalooza.”

Given that this is an event about understanding gritty industry trends and I am Cornerstone’s resident cyber-geek, I decided to give my colleagues a first-hand lesson on white-hat hacking.

It was my first time visiting the corporate office since it was renovated. While my colleagues were taking advantage of the new corporate spa facilities (just kidding), I couldn’t wait to check out the new network infrastructure upgrades (not kidding).

I planned to treat Gonzopalooza like any hacker would treat the typical coffee shop scene. I would go to the meeting, blend in, and no one would have a clue what I was doing. As people peck-peck-pecked away at their laptop keyboards, I confidently thought, “piece of cake.” What I didn’t count on, however, was el presidente kicking off the proceedings by saying, “Laptops off, everyone! Shut ’em down!” Can you say buzzkill?

Sure enough, everyone stopped using their laptops (we’re an obedient group) … and started using their mobile devices (OK, maybe not).

This just got a bit more difficult, right? Not really. Mobile devices like to chat it up on the network. Ever notice your data usage when the bill comes due? Me neither. As I sat through the meeting, every now and then I’d take a look at my iPad. I had set it up to control some wireless “sniffing” software on my laptop. Various pieces of information started rolling in: Some folks were watching YouTube videos, some were researching Quicken Rocket Mortgage, and one person was trying to find analogies for the word pimple (he or she is paying $50 to keep his/her name out of this post).

After a few minutes, a scan of my iPad revealed that I had obtained private information from a number of people without their knowledge. My unsuspecting colleagues are like many bank customers. They don’t understand how these things work, and they don’t fully realize the potential – and very real – “e-dangers” out there. What they want is to feel a certain level of privacy, and they generally trust their banks to do everything they can to protect their information, protect them from a real hacker.

After the meeting, I came clean to those who were affected. Secrets are harmful in the security practice. It’s important as a white-hat to be ethical and trusted. Yes, I was able to collect credentials on a modern wireless network, but I didn’t use them for malicious intent. Instead, I used them to help my colleagues understand and address weaknesses in their own personal technology usage in order to strengthen the company’s wireless network and strengthen their mobile devices’ security settings.

Cornerstone’s wireless network was among the best I’ve seen. Yet, my exploits took half a day to pull off. This wireless network, like many others, would have easily passed an FFIEC or general assessment with flying colors. Everything is new, name brand, with no current end-of-support issues.

Here’s the rub Gonzobankers: if a mobile device’s communications security is weak, it doesn’t matter how modern the wireless network is that it’s connecting to. In a wireless network, application security becomes more critical than ever. And I don’t mean simply verifying that a teller account can be audited for unauthorized account viewing. I’m talking about application security from the standpoint of secure communications to and from a server (e-mail, banking, etc.); in other words, using proper security to communicate over a wireless network.

Most assessments are one-sided and only question the network, not the vulnerability at the edges. They don’t look at the mobile and PC data that’s passing through it, or the applications communicating on it. As a result, those assessments don’t find the weaknesses that may exist. This is where hackers will start, but sadly, it’s the point where most assessments end.

The FFIEC’s guidelines include recommendations that address secure telecommunications protocols, encryption to minimize the interception of traffic, and encryption of personal information stored on mobile devices.

This is all well and fine, but once these recommendations are implemented, who is going to verify that everything is functioning as it should?

Can your mobile banking application be fooled into communicating at a lower level of security (easier to “hack”) if the higher security levels are not available? How do you find the answer to that question? These are the things you need to think about – otherwise you’re just diagnosing a problem by looking at the surface.


Who do you trust to identify your mobile and network security weaknesses?

Cornerstone Advisors offers mobile application security and other in-depth security assessments.

Contact us today to learn more.



Filed under: Information Technology, Risk Management, Web & Mobile Banking

Print This Post