A collection of observations, ruminations, predictions and random thoughts from Cornerstone Advisors.

Learn More

October 6, 2015 by Steve Williams Steve Williams

The 5 Priorities in the Card-Not-Present Battleground

While bankers may be a bit fatigued this year by articles about payments, the more enlightened Gonzo bankers are paying close strategic attention to the single most impactful payments trend in our industry: the shift from a plastic card to a “card-not-present” world.

Quick level set: whenever credit card information is exchanged over the Internet, phone or mail, it is called a card-not-present or CNP transaction. Bankers only have to observe their own behavior and that of their children and family members to know the shift from plastic-focused cashier transactions to number typing card-not-present transactions is pretty monumental.

In fact, the Federal Reserve reports that while card-not-present transactions make up only 15% of total transactions today, these types of transactions are growing 3.5 times faster than card-based transactions. CNP is growing at 12% annually for debit cards and a rapid 24% for credit cards.

Understanding the New World

It is important that when bank executives picture the card business, they shouldn’t picture this:

But rather this:

Giving customers a number and encouraging them to virally spread it around the world in online payments from hundreds of merchants forces banks to develop a new strategic focus and a new set of management skills. Bottom line: this stuff is getting real very fast. In fact, bankers can sum up the main drivers of this shift in four words: Amazon, Apple, Google and PayPal – they are in effect the four horsemen of the CNP shift.

  • Amazon is the most influential as it builds its digital “everything store.” The reason Amazon has a higher market cap than Walmart today is that investors are seeing the “last mile” of a new retailing model built via the Amazon Prime experience. RBC Capital Markets analyst Mark Mahaney recently estimated that U.S. Prime adoption has risen from 25% of Amazon customers in 2013 to 40% today. Mahaney says that Amazon may have as many as 50 million Prime customers and 60-80 million globally.

Prime members spend about three times the average Amazon customer and more than $800 annually through the service. These figures will continue to grow as Amazon shortens Prime delivery time performance and adds recently announced services like restaurant and liquor delivery. Given the tipping point that Amazon is reaching with Prime, it’s likely that most research shops are underestimating the growth of ecommerce sales as a percentage of total in the next five years.

  • PayPal has historically been a strong influencer of CNP growth because its payments wallet allows credit, debit and ACH information to be registered for payments. Today PayPal has 165 million active payment accounts doing $235 billion of total purchase volume – of which two-thirds, or $150 billion, is credit or debit card based. With digital innovator acquisitions like Venmo, Braintree and Paydiant, PayPal is still squarely focused on becoming the world’s open payments network.
  • The growth of the Apple and Google media and app stores has also driven consumers into the CNP world significantly. Apple has roughly $20 billion annually in purchase revenue through its store and Google has about $12 billion.These four companies alone now account for nearly $300 billion of annual digital purchase volume while consumers continue to add card information to airline, travel, niche and online media retailer sites in droves. In addition, the growth of mobile self-checkout and vehicles like Apple Pay will slowly begin to tip the scales away from plastic and more toward CNP.

Research from mobile vendor Retale indicates that millennials have a high aversion to dealing with store associates and more preference for self-checkout via mobile phones. Bank executives should plan on millennials leading mainstream consumers into the world of self-checkout over the next five to seven years.

So there is one big irony in the world of payments. Banks and credit unions are in the midst of an unavoidable and important shift from mag stripe to cards tricked out with EMV chips. The EMV cards will be flying through the mail for the remainder of 2015 and 2016 just in time for bankers to tackle the serious strategies around the new world of CNP. To give busy executives a head start, I offer up the following key playbook items for a CNP-driven payments strategy.

1. Acknowledge that the credit card is as important as checking in building relationships.
For decades, our industry has focused on checking (and connected debit card) as the lead primary financial institution (PFI) product. Many banks sold their credit card portfolios and went to lame remarketing relationships with this product, assessing that only the Top 10 players could compete in this scale market. But here’s the problem: this product is fast becoming the epicenter of the shift to a mobile economy, even more so than the debit card. This shift has been acknowledged by the large retail banks, especially after the Durbin amendment took the profit out of debit cards for big banks. Wells Fargo CEO John Stumpf recently quipped that 100% of Wells Fargo customers have credit cards, but only 35% with his bank. Even though Wells feels like it has room to grow, this 35% penetration is much stronger than the 10% to 20% Cornerstone typically sees at community institutions. Building a credit card base is an ugly ground war of product development, rewards management, sales alignment and customer experience design, but the future stakes make this battle worth fighting.

2. Fight the good fight to build a kick-butt payments self-service experience.
As consumers begin to buy everything and tap card numbers into their smartphones in a constant frenetic fashion, managing this account becomes a critical moment of truth for the retail banking customer. With mobile by their side, consumers are viewing and managing their credit card accounts much more actively than in the old school monthly paper statement of even the boot-up-the-PC Web eras. Consumers will want fast ways to turn on and off their accounts, to receive alerts for fraud and to conduct maintenance and dispute transactions with a few easy clicks.

For most financial institutions, the card self-service experience is miserable today, and improvements are just starting. Bankers should not get discouraged if early implementations of card self-service do not get rapid adoption by customers. It will take iterations and proactive customer education, but building this type of customer experience will be worth the effort.

3. Shift your battle plan with the shift in fraud.
Bankers are beginning to acknowledge the fact that EMV adoption will NOT greatly reduce overall payments fraud. Rather, based upon experiences in Europe and Canada, it is likely that fraud will quickly shift and grow in the card-not-present areas.

Card-not-present fraud represents 45% of all card fraud today but it could move to as high as 75% of fraud in the years ahead. In fact, Aite recently projected that card-not-present fraud would jump a whopping $3 billion in the next three years.

Aite rightly urges banks to focus on building a more robust risk-based authentication infrastructure for card-not-present transactions that leverages tools like behavioral analytics and tokenization. Importantly, banks will need to heavily weight fraud tools and support in addition to price as they evaluate card processors and strategic partners.

4. Dammit we’re serious: elevate analytics.
While it’s become cliché in a very short time to encourage bankers to invest more in analytics, the sheer revenue at stake and strategic importance of payments should wake executives up to finally do something tangible with business intelligence. Banks should be developing dashboard reports that elevate debit and credit revenue, fraud costs and customer adoption trends to the senior management meeting. Because it’s vital that banks get as many of their credit and debit accounts as possible imbedded into Amazon, PayPal, Apple and Google, why don’t executives have an in-your-face report that provides this information monthly? Incentives for customers to embed credit accounts in these ready-to-launch mobile payment vehicles should be encouraged as well, and these types of payment activation campaigns should be monitored by senior management.

5. Get gritty and creative with the trusted brand experience around payments
Organizations like the American Bankers Association are right to promote the fact that banks are still the most trusted payment provider in the land, and, given trends in recent years, trust has become a much more critical factor for consumers. However, banks don’t seem to be jumping full force into leveraging this position of trust. Bank executives should ask themselves, “What has my bank done to bolster trust in our payment offerings since the high-profile Target and other retailer breaches and the growth of cybercrime?”

Whether it is through simple online pop-ups, well trained branch and contact center staff or short YouTube-like videos on fraud and cybercrime prevention practices, banks can do a better job at being the leader for consumers and small businesses in fighting payments fraud. Right now, our brand feels too much like protecting the bank’s institutional and financial backside versus passionately wanting to help keep individual consumers safe.

I am convinced that banks that bring passion to the game of protecting consumers will experience greater purchase volume and higher retention the years ahead. Building amazing payments knowledge and conversational skills in a bank’s contact center should be one of the highest near-term priorities for executives. Given the small incremental cost to create a visible presence around trust and security, any CEO would be wise to make this visible commitment in his or her payments business.

The trucks bringing Amazon goods to our porch every few hours and the beeping of new apps and media dowloading onto our smartphones illustrate that a mongo Gonzo shift in retailing and payments is reaching a tipping point. We grew up on plastics and now we are modernizing our cards with EMV chips. But take note, Gonzo bankers: for recent graduates entering the banking world like Benjamin Braddock, I have three words and only three words of advice: “Card Not Present.”

Payments revenue accounts for 25%-50% of your non-interest income.

A consistent, long-term focus on your Payments programs can have a huge impact on your bottom line.

Cornerstone Advisors’ Payments Growth Initiative can identify opportunities, close gaps and help make your Payments program more profitable.

Contact us today to learn more.


Filed under: Cards & Payments, Retail Banking, Strategy, Web & Mobile Banking

Print This Post Print This Post

September 28, 2015 by Todd Stringer Todd Stringer

Ashley Madison: Why You Should Care and What You Should Do

Why go to the trouble of taking money out of people’s accounts if you can get them to just give it to you?

That, apparently, is the logic behind hackers who use stolen passwords and information from breaches to send fake wire transfer requests to trick recipients into approving funds transfers.

Take, for example, the Ashley Madison breach where email addresses were obtained. While at first glance a bank may see no immediate fraud issue with such a breach, let’s look at an example of what can be done with this type of data.

Very recently, a mid-size bank with assets over $5 billion received a wire request using a seemingly legitimate email address and password, and the transfer was sent through. Even though the contents of the email are unknown, it’s apparent the employee was disinclined to call and question a request from a board director. Upon discovering this, the wire department suspended email requests for the remainder of the day

Another example: at a small business, the accountant received what appeared to be an email from the CEO requesting approval of a wire transfer. At first glance, it absolutely appeared to be a legitimate request. The “CEO” said he was unreachable at a client meeting and instructed the accountant to complete the transfer. At the time the email was sent, the CEO really was out of town in a client meeting. However, thanks to a keen eye, a small discrepancy came to light and the transfer was questioned.

I was unable to confirm the details of the group(s) who sent these specific fraudulent wire transfers, and we are not saying Ashley Madison data was in fact used for fraudulent wire activities. Rather, these are examples of how your institution could be hit at any time. And, despite your efforts to safeguard your customers’ passwords and IDs and to establish security procedures to prevent unauthorized access to accounts, your customers may be willingly giving their money to hackers – and using your wire departments as pawns in the game.

A breach such as Ashley Madison burns twice and any bank with a wire department is at risk.


Three key pieces of information were publically disclosed by hackers for each Ashley Madison account: email address, the amount spent on the service, and the customer’s physical address. But hackers have a fourth piece of critical information that was not disclosed publicly: Password hashes.

Using the password hashes, the hackers are able to determine a user’s password to the site. When you consider that the majority of people – one estimate puts it at 70 percent – re-use their passwords across sites, you realize that getting into their email and banking accounts becomes a relatively easy task.

With access to an email account, the hackers check the sent mail folder to see if the rightful owner ever transferred funds via an email request. They then forward an old wire request and ask for a new destination for the funds.


Gonzo bankers should take three steps to prevent any further Ashley Madison burns:

  • Enforce internal procedures. Many times what we see documented on paper is only half-heartedly practiced by the staff, or the institution doesn’t fully support it. If your policy is to call customers to verify wire transfers, make sure calls are logged electronically in order to provide a paper trail.
  • Adjust your employee training. For wire fraud, a quick inspection of previous amounts, frequency and typical wiring dates can serve as a litmus test for fraudulent outliers. If the institution has a large volume of wire transfers per day, investigate technologies that can help identify malicious requests.
  • Have a cyber-response plan. If you can execute your fire evacuation drill better than your cyber-response plan, you have a serious problem. The time to figure out the right person to call is before the money is gone. Use the FFIEC’s Cybersecurity Assessment Tool (it’s free). Identify the web sites you’ll need to file complaints. Create a list of numbers for local, state and federal authorities so that you have it on tap if (make that “when”) a security-related event occurs.


What’s ahead? Cornerstone believes that there will be surges in activity as the fraudsters discover new ways of utilizing the gold mine of information obtained from Ashley Madison. After the current wire transfer surge, expect a few weeks (or even months) of silence.

But don’t get comfortable—this will be just a brief pause before the next wave of attacks. Look for things to pick up again around the holiday shopping season when people are taking vacation and the night shift is on watch at the helm. We may see a new mobile device virus spread by email to the address books of the current victims.

Is your institution vulnerable to attack?

Cornerstone Advisors’ Cybersecurity Services are designed to proactively discover your vulnerable areas and strengthen your institution’s overall security posture.

We can help you:

  • Meet and exceed FFIEC Cybersecurity compliance requirements
  • Measure the overall performance of your security program
  • Provide security knowledge and insight at the board level
  • Test and strengthen internal security policies and procedures

Contact Cornerstone Advisors today to learn more.



Filed under: Best Practices, Branch Sales & Service, Cards & Payments, Deposit Ops & Item Processing, Information Technology, Retail Banking, Risk Management, Wealth Management, Web & Mobile Banking

Print This Post Print This Post

August 31, 2015 by Eric Weikart Eric Weikart

Top 4 Performance Stats That Will Blow Your Mind

In our line of work, we see a lot of processes and benchmark a lot of data. Here are four statistics that will blow your mind:

  • 75% of time spent with new customers involves computer input versus building relationships through a conversation.
  • More than 50% of banks still originate commercial loans manually.
  • 60% of financial institutions still use a paper-based new accounts process.
  • Over 70% of statements are still being mailed.

Why? Let’s dig into the details for a minute and research the causes and solutions for each of these.

1. Bankers spend 75% of their time during the new customer/account process on the computer versus building relationships.

The biggest reason is related to lack of system integration. Systems like ChexSystems, Check Order, Credit Reports, Debit Card, Online Banking Enrollment require re-entry. Most vendors promise integration and most do if you use their products and want to spend the money. The reality is that many banks don'’t do either of these. Before selecting systems, make sure the vendors you have in place work with the new system. This seems like common sense but it happens all the time that they don't. If they don't, make sure you’'re comfortable using the systems that do.
Lack of capable workflow functionality creates manual processes and affects processing times. Vendors tout "“integrated workflow”" in their systems. While that sounds like a great idea, most don'’t have system capabilities that allow for dynamic workflows to be customized by product. The lack of integrated sales tools also adds to the frustration.Pick vendors that walk employees through processes and make processes "“idiot proof.”"
The risk pendulum has swung too far. This oftentimes causes requirements like signatures for every transaction, which creates paper… ... which then creates manual processes and QC. Other examples include CIP requirements that go overboard like requiring a paper social security card or risk rating of consumer accounts in the branches. It could stem from an overreaction to a regulator or an overzealous compliance employee with too much power.Manage regulatory concerns accordingly and don’'t over-react. Take a strategic approach to risk by challenging processes that don'’t seem efficient. Rules are often subject to interpretation and as long as senior management clearly understands the risks, alternative, more efficient options may exist and should be explored.

2. Over 50% of commercial banks still manually originate commercial loans via point solutions that are typically not integrated.

Loan officers are typically sales versus process driven individuals and because their pay is typically tied to production, they do whatever it takes to get deals done. Automation directly conflicts with their "“scream the loudest"” technique that has worked for years. Executive ownership that drives behavior is critical. From pipeline to close, everyone needs to be marching to the same drum, and oftentimes the CEO's active involvement is necessary to bring the bank out of the Stone Age.
Many banks have allowed loan officers a creative license to reinvent the wheel for every deal so terms can get very complicated.Product standardization is needed (with some variations for those customers that are “different” as required). There are always exceptions that won'’t fit into the system. Designing processes that work the majority of the time and not focusing on the one-offs that occur a few times a year will help.
Vendors continue to build capabilities but no one vendor has great sales tools (nCino) while also having strong customizable workflow (CCS) and credit analysis tools (Moody’s) that integrate well.Sell older, less sophisticated loan officers on the fact that they will be able to focus more on sales and customers will have a quicker, less error-prone experience as long as they play in the sandbox.

3. 60% of financial institutions still print, sign, index and manually scan new accounts documents, receipts and loan documents.

Technology and lack of understanding is to blame most of the time. Many platform applications haven'’t been upgraded or financial institutions aren’'t aware of functionality that'’s available to them. Many vendors have punted here and rely on third parties that make the process so cumbersome it'’s not worth the hassle.Check in with your vendor to find out how others have implemented signature pads at both the teller line for cash back and at the new accounts desk for customer documents, maintenance, wires, etc. In many cases, it’'s just a matter of buying some relatively cheap hardware and a module to make it happen. Be careful that you really understand where your vendor is when it comes to the user experience of the process. There should be no need to go into multiple systems, manually search/select documents or, worst case, re-type information to create electronic forms.

4. Over 70% of statements are still printed and sent via mail.

While the trend continues to rise, many financial institutions don'’t create products or fees around mailing statements.Charging for traditional paper statements is a no-brainer even if it’'s $2. Typical costs are in the $2-$5 range across the county. For those that want to differentiate and send the paper statement, make sure to tie profitability to the overall account costs as this can be a significant driver.
Vendors want a piece of the pie and charge much more than they should for sending customer notifications and housing the statements. Oftentimes, e-statements can be almost as expensive as traditional statements as vendors charge per page, per statement, etc.Leverage your imaging system. Most of the time statements live in the archive so really the only missing link is the integration to online banking. Statement notifications can also create some challenges, but given the proper account disclosures, I’'m not sold that notifications need to even go out. That being said, there are alternatives to high-priced vendor solutions that should be explored via technology where investments have already been made.

Bankers, crank up some Eye of the Tiger and let’s get our teams humming by executing some of these solutions. There are several more examples of similar mind-blowing statistics in each of your financial institutions. I challenge bankers to come up with a Top 5 list and feel free to share it with us here at Gonzo. The only non-admissible items: pie-in-the-sky type projects like card-less ATMs or digital wallets that seem sexy but don’t pay the bills. Let’s get the low hanging fruit fixed first.

“I tried so many times
And that’s no lie
It seems to make you laugh
Each time I cry”

“Didn’t I blow your mind this time” –Delfonics


Q: What’s the secret to capturing costs, gaining market share and increasing shareholder value?

A: Performance Improvement

Cornerstone Advisors can help your institution identify hidden financial opportunities – not only for the short-term but for long-term strategic growth. Contact us today to learn more.


Filed under: Best Practices, Branch Sales & Service, Commercial Lending, Deposit Ops & Item Processing, Loan Ops & Collections, Retail Banking, Vendor Buzz

Print This Post Print This Post