The CU2.0 Podcast
This podcast explores contemporary, critical thinking and issues impacting the nation's credit unions. What do they need to be doing to not just survive but prosper?
CU 2.0 Podcast Episode 353 Mike Robins on the NCUA Tech Audit - How to Pass
Today’s topic: How to Pass the NCUA Tech Audit (Without Losing Your Mind)
The guest is Mike Robins, COO at Dynamic Edge, a company that’s helped many credit unions - particularly ones with assets between $25 million and $400 million - successfully navigate the NCUA Tech Audit which occurs “periodically,” according to the agency.
Hear what’s involved in the audit, how to pass it and - crucially - how to prepare for it.
Robins' key point: prepare and you won't lose your mind.
Interesting, too, is that NCUA provides cheat sheets for the Tech Audit on its website. Robins tells where to find them and how to use them.
He also tells if the auditors are in fact following the cheat sheets.
Listen up.
Welcome to the CU2.0 podcast.
SPEAKER_00:Hi, and welcome to the CU2.0 podcast with big new ideas about credit unions and conversations about innovative technology with credit union and fintech leaders. This podcast is brought to you by Quillo, the real-time loan syndication network for credit unions, and by your host, longtime credit union and financial technology journalist, Robert McGarvey. And now... the CU2.0 podcast with Robert McGarvey.
SPEAKER_02:Today's topic, how to pass the NCUA tech audit without losing your mind. The guest is Mike Robins, COO at Dynamic Edge, a company that's helped many credit unions, particularly ones with assets between $25 million and $400 million, and that's the vast majority of credit unions, successfully navigate the NCUA tech audit, which occurs, quote, periodically, close quote, according to the agency. Hear what's involved in the audit and how to pass it and, crucially, how to prepare for it.
SPEAKER_01:Thank you so much for inviting me.
SPEAKER_02:You're welcome. How can I refuse to talk to a guy who's going to tell me how to pass the NCUA tech audit without losing my mind?
SPEAKER_01:The marketing hook worked.
SPEAKER_02:Tell me, let's start. Tell me a little bit about Dynamic Edge and where are you located?
SPEAKER_01:Yep. So Dynamic Edge is a managed IT service provider. We started in Ann Arbor, Michigan in 1999. So we've been in business just about 26 years. We opened a second physical location in Nashville, Tennessee in 2007. For the past 15 years or so, we've specialized pretty heavily in supporting credit unions, particularly as cybersecurity risks have become so critical. So we support credit unions. We have, of course, lots of them in Michigan and Tennessee, but we support them all across the country from New Jersey to Los Angeles. And we do everything an internal IT department would do. For credit unions that are $500 million in assets under management and smaller, we often do everything. So we'll do help desk, we do strategic planning, we do one-time project work, and of course, we do cybersecurity. For those organizations that are larger than that, we often do what we call co-managed. They have an internal IT team that handles some responsibilities, and then our team will supplement them in whatever way they see fit.
SPEAKER_02:How big is your biggest credit union, your smallest credit union?
SPEAKER_01:Well, our smallest credit union is quite small, maybe 25 million. And largest is probably right in the 400 range.
SPEAKER_02:400 million? Yes. Okay, so that's certainly the biggest percentage of credit unions fall in that range.
SPEAKER_01:Yeah, absolutely. Probably 90% of the 5,200 or whatever are left, yep.
SPEAKER_02:Yeah, and I get it. So the $25 million probably needs a lot of help.
SPEAKER_01:They all need a lot of help.
SPEAKER_02:Well, they all need a lot of help, but there's some thin staffing in that $25 million credit union.
SPEAKER_01:So, I mean, right, 25 million, you're talking about, you know, four people on the staff, very, very, very small. That's not our average size, but that is the, that's the small, the small line for sure.
SPEAKER_02:Now, I was reading up on the NCUA tech audit, and the thing that really caught my eye was, they say it's periodic. What does periodic mean?
SPEAKER_01:It's a good question. I don't know if that word appeared before COVID or not. We were used to, for years, either the NCUA or a state examiner coming physically on site once a year. And since COVID, it's been a little, I don't know, maybe more sporadic than that. We have some clients who maybe have had an exam every 18 months. So I don't know if I know the answer to your question specifically, but, you know, historically there's been some sort of an exam, either from the state or the feds, once a year. And that seems to be mostly true with most of our clients. But as I say, we've had some who have an exam every year and a half.
SPEAKER_02:I'm familiar with the financial audits of credit unions. Is it the same team or a different team that does the tech audit?
SPEAKER_01:You've seen both. I mean, typically, the tech audit or exam is part of the overall exam that an examiner is doing. It's just the one that, in my experience, the credit union executives and certainly board members have the least amount of knowledge on.
SPEAKER_02:I know a lot about the financial stuff, and I'm more a tech guy than a financial guy.
SPEAKER_01:Yeah.
SPEAKER_02:But I... So the CPA comes in, it's kind of look at the tech. I mean, okay, sounds good to me.
SPEAKER_01:No, it's really interesting. We work with a number of former examiners who our clients hire to do a third party audit, you know, before they're going to have their real exam.
SPEAKER_02:Sure, sure. That's pretty common.
SPEAKER_01:Yeah. Yeah. And they can't make heads or tails of some of this either. Right. The range of skills in the examiners is all over the place. There are people come in very sharp, very knowledgeable, very up-to-date, and it's easy. There are people who seem to be fumbling through some of it. One of the things I thought we might talk about at some point is the NCUA has offered some standardization in the last year and a half or so, which I think is really encouraging. The application of those standards varies wildly based on who's doing the exam. Sometimes they're just sort of by the letter. Sometimes they seem to be making things up on the spot. It's all over the place, which is why I think this is so challenging for credit union executives. They think they've got the right things in place and then somebody throws something else in.
SPEAKER_02:Your credit unions have a lot of technology that's not homebrewed. In other words, they're buying it from third parties. Most of it. Pretty much all of it in many cases. Now, is the third party involved in this audit? Indirectly, yes. But do they have any direct involvement?
SPEAKER_01:Not really. Not in my experience. I mean, what the... It's an interesting point you raised too, because I think it's something like 86% of credit union vendors. So the third party people, you know, software providers or security application providers, they've got holes in their environment. And then sometimes those holes are in the product that they provide. And that's a vulnerability that the credit union doesn't have a lot of control over. So in my experience, the vendors themselves are not involved in the assessment of the environment because what we're really trying to see is like, does the credit union have the controls in place to make up for those deficiencies? Is there enough layers of notification systems and so on?
SPEAKER_02:I think some vendors do third-party testing of the services that they're providing.
SPEAKER_01:Yep, that's true. That's true, and we have done that for clients at times. But if your core is provided by Fiserv, you're not likely to be doing any third-party testing of Fiserv. But if Fiserv has a major vulnerability, and I'm just picking them because they're such a prominent vendor.
SPEAKER_02:Oh, everybody picks up Fiserv. I do too.
SPEAKER_01:That's cool. That's cool. If they've got a vulnerability, you know, one time I was doing a tabletop exercise for a client. A tabletop exercise, for people who don't know, is you simulate some negative thing happens and then you test whether the systems or the people or the processes you have in place are going to do well. And somebody, this was a client that was in Manhattan, they said, well, let's say the internet is out for Manhattan. I'm like, man, if the internet is out in Manhattan, we all have all kinds of problems. And so if Fiserv has a major vulnerability, that whole world is going to be shocked. And so I don't think an individual examiner is going to care too much about that when they're examining an individual credit union.
SPEAKER_02:What is the examiner looking for with the technology?
SPEAKER_01:It's a good question. So in general, I think that they're trying to make certain that there are the physical and virtual controls in place to protect the members' assets and to protect the members' information. The reason, as you know, that credit unions are such a target of cyber terrorists is because they've got two sets of very valuable information. The first thing is they've got lots of money. And the second thing is they've got all that PII or personally identifiable information of all the members. And so there's a double dipping that goes on. Bad guys, they implement some kind of a ransomware event, lock up some system, say, give us a million dollars. while you're deciding what to do, they take a copy of all that data and you pay them the million dollars. They give you access to your system back, but they've now got a copy of the data and then they go sell that off on the dark web. And that's a very rudimentary, simplistic example, but credit unions are under significant threat. And so I think what the exam is trying to do overall is make sure that the controls are in place that somebody can't break in easily. And if they do break into one place, that that breaking doesn't spread widely. And the NCUA has been sort of tightening the screws on how to do that over the last few years, which is good because it was really the Wild West until a couple of years ago. And all of the things that we were checking for in credit unions were sort of derived from the banking regulations, but not specific to credit unions. And of course, as you know, you talk about it in your podcast often. Credit unions, they don't have the cash that the banks have, certainly not the large ones. And so as the NCUA has refined its regulations over the last few years, and I think it's filtered down my interpretation to the state regulators as well, we're finally getting some standardization on what you should expect them to ask about when they arrive at the door. 
When you're referring to a CPA audit, well, you know, when Ernst & Young or, you know, Plante Moran comes in to audit, we all know what they're going to be looking for. We can get the boxes ready, you know, before they get there. It's been different when it comes to technology and credit unions. And I think that's finally starting to take shape. And I can, you know, talk about how that shape is happening in any, you know, whatever level of detail you're interested in.
SPEAKER_02:Now, is the audit, the tech audit primarily focused on cybersecurity?
SPEAKER_01:Yes. Yep. Cybersecurity, which has a couple different, you know, significant sections. One is just what do you think of as traditional security? A physical server has to be behind a locked door. There have to be some access controls. Who can log into that server? You know, identity management, all the sort of normal things. But it's also a more complex or layered mindset. How do we help them not lose their mind when they're going through an exam? It's all the work you do in the months leading up to it. And there's been a paradigm shift in cybersecurity in the last couple of years that I think is super interesting. It used to be that you built up this very strong perimeter around your network. The old fashioned model was that of a castle and the castle has a moat around it. And I'm on a horse and I ride up to the castle and I say, I want to come in. And somebody is on the other side and they ask me a security question and they decide, okay, I give them the right answer. And the drawbridge comes down and I ride in. And once I'm inside the castle, I have free rein. That's old fashioned or what you would call perimeter security. You make a really strong perimeter or a wall outside the network, really, really, really make sure the person who's trying to come in deserves to be in there. And then once they get in, they can see everything. What's happened in the last couple of years has been an introduction of this zero trust security mindset. And that phrase zero trust is not just some techie term. It's actually the term the NCUA is using in the regulations. And what zero trust means is no implicit trust and continuously verifying who you are. So if you've ever seen the movie Ocean's Eleven, they're planning, the group of gangsters, to rob the Bellagio in Vegas. And they're going through the plan. And when they go through this plan, they have to have fingerprint detection. They have to have retinal detectors. They have to have signatures.
They have to get past armed guards. It's multiple layers. And as they're getting closer and closer and closer to the vault of money, they're constantly having to figure out how to verify that they're the person that they aren't really. And so zero trust is not just some piece of software like antivirus. You buy it in a box, you install it, and now you have zero trust. It's a mindset that credit union executives and the tech teams that support them have to use. And if you use that mindset, trusting at every level of access to verify who that person is, that helps to unravel or solve the mystery of what the NCUA is looking for.
SPEAKER_02:My sense is a lot of institutions, and I think I'm saying something similar to what you just said, a lot of institutions aren't at that interest in having an impenetrable wall because it's probably not possible. What they're really interested in is, A, what is the person doing inside the system? And B, most importantly, what data are they exfiltrating? And if they're just sitting there looking, hey, I don't care. It's...
SPEAKER_01:I'm not, yeah, I mean, I agree with what you're saying in part. I mean, I think there is a tremendous focus on access and identity management, making sure that I can't get somewhere within the environment I shouldn't be. And again, it used to be you logged into the network and once you were inside the network, you could see everything. Now it's, well, I can only see the folders that I'm allowed to see. What's sort of interesting and dramatic about what some of the cyber criminals do is they get inside your network and they wait. So they get inside and they poke around. The first thing they try to do is destroy your backups so that when they launch a ransomware event, you can't just tell them to go away because you have a good backup to revert to. They're going to destroy that. I had one colleague, different industry, a law firm, but there was a ransomware event. The bad guys asked for this very specific amount of money. It was an odd number. And this colleague said, why are you asking for this money? And of course, at this point, he's talking to a cyber terrorist who's working in a call center. You know, it's like the Time-Life operator thing from the old days. But they are run just like businesses because they are businesses, and they're certainly for-profit businesses. And they explain to this colleague of mine that, well, we asked for this specific money because that's what we know is in your cyber policy. So they had spent enough time in the environment to find a copy of the policy. Why ask for $10 million if you can only get two?
SPEAKER_02:Right. Makes perfect sense. Yeah, I mean... Certainly in all big companies, executives have what's called signing authority. In other words, how big an expense can I approve?
SPEAKER_01:Yep, that's right.
SPEAKER_02:And if you bring an expense for $1 million and someone has a signing authority for $100,000, he can't help you.
SPEAKER_01:That's right. Yeah, right. So, you know, as you point out correctly, I don't think anybody's interested in building in the impenetrable wall. Even if they were interested in that, they can't afford it and they don't have time to do it. So we try to coach or mentor people to make the list of priorities, make sure that list of priorities aligns with what the NCUA is recommending, do the things you have to do. Then you prioritize the group of things that would be nice to have and just always be making progress. My experience, again, on these exams is examiners aren't looking for perfection. They know that's not possible, even for the largest credit unions. However, they are looking for progress. So they don't want repeat findings. And if something is a critical finding, you want to take care of that right away. And I'm glad that they're doing that. There's so much discussion about federal regulation. And of course, right now, we don't know what the future of the NCUA is exactly. But I'm glad that the NCUA is codifying some of these things because it's all our money that's insuring these deposits. And I don't want people to go through the heartache of having their information stolen or having their money stolen. And I definitely don't want my taxes going to bail out credit unions that haven't done the things that they need to do.
SPEAKER_02:And 20 years ago, I thought a lot of the regulation was aimed at protecting credit unions against robbers with guns.
SPEAKER_01:That's right.
SPEAKER_02:And that's why many times the director of security was a retired police officer in the town. And that might have made sense 20 years ago. It makes no sense at all now.
SPEAKER_01:Correct. I mean, it's the same thing in warfare. You know, cyber warfare country to country is certainly a bigger threat than thinking there's going to be an army at the border invading.
SPEAKER_02:Now, does the NCUA give sort of a sample test? In other words, if I'm sitting in a credit union saying, ah, the tech auditor is coming tomorrow, what do I do? Is there a cheat sheet that the NCUA or perhaps that your firm provides?
SPEAKER_01:I'm really glad that you asked that question because the answer to that until last year was no. We've always had things, but our thing has been based on what are just cybersecurity best practices. Last year, the NCUA released something they call the Information Security Exam or ISE. And they say in it specifically, they're trying to tailor the exam based on the asset size and complexity of the organization that they're evaluating. And they also say in the preamble to this document that they're trying to standardize the exam of information security and cybersecurity programs. So this is great. And the nerds out there can find all this stuff in the NCUA regulations. It's part 748 and 749. But for regular people, you can go to the NCUA website. And underneath the information security exam, they actually have three cheat sheets. They call them statements with a capital S. And the three statements are supposed to address different size organizations. So the first one is actually called the Small Credit Union Examination Program. And it's tailored for credit unions that are under 50 million in assets under management. Then there's a second one. The second statement is called CORE. And that's the cheat sheet for organizations that are over 50 million. I don't know why they made 50 million the break point, because that feels very, very small. I would have done it at 250 or something like that, but that's okay. And then they have a third statement, and that's called Core Plus. So we had small credit union, then Core, and now Core Plus. And Core Plus is not a list of things for any particular size. It's just sort of said, tailored at the discretion of the examiner. So you can go to the NCUA website and you can download, they're just Word documents, these three checklists. And I encourage everyone to do that with their tech teams. We use it as a reference for it. 
We've created something, I think, a little bit more elegant, but it does give you an idea of the things the examiner is supposed to be checking when they come on site. Interestingly, With a lot of our clients in the last year, their examiners aren't using it. They're still working off of old checklists. It doesn't mean they're not checking a lot of the same things, but I had hoped the sort of standardization that was presented was going to be a little more rigidly enforced or really standardized. And I haven't quite seen that yet. But these checklists, which are available from the government site, are a really good starting place.
SPEAKER_02:So you get a client, a new client, the client says, I'm concerned about this tech product. What's your process? What do you do then? Do you say just take some Advils and call me in the morning?
SPEAKER_01:That would be so much easier to just resell Advil. What we do with a new engagement is we do what we call a security assessment. And a security assessment is in two parts. The first part is, this is not an external penetration test like so many credit unions properly pay for, which can cost $15,000 or $20,000. That's not what we do. We do a two-part interview. The first part is I sit down with the relevant people. Sometimes it's the CEO, depending on the size of the credit union. Sometimes it's the tech person. Sometimes it's a VP or CFO. And I just ask them, it's a business interview, 30 minutes. Let me understand how you're working, what are the initiatives, what concerns you about tech? Have you had any security breaches in your recent history, et cetera? And then we run a scan with a proprietary tool on the system itself. We get the results of that scan. We get the results of the interview. We collate that and we present them with a list of findings. And we say, here are all the things we found. Here's what we would do to remediate them. If you would like us to work on it with you, great. If you want to take this back to your tech team or to a different vendor, that's great too. We get a lay of the land that way. We will also, during that process, ask for a copy of their last exam, either from the NCUA or the state. And that often will tell us, did they make any progress since the examiner was here? Is the examiner kind of being tough unnecessarily on certain things? We'll just get a sort of the lay of the land with that. And then we come up with a plan to do two things going forward. The first is we have a technology roadmap. We say, we think you need to do these 12 things in the next 18 months, and here's why, and here's what they'll cost roughly if there's a cost associated with them. And I want to say, Robert, that a lot of the things that are in those checklists that I referenced, a lot of them are just elbow grease.
They're policy changes, using existing technology. There is this misperception out there, and maybe we'll talk about economic scale or how this affects mergers, et cetera. But there's this perception that to be compliant, you have to spend a ridiculous amount of money. And I do not at all agree with that. There are ways to scale with vendors like mine. It doesn't have to be mine that can help you get compliant and more importantly, protect your members stuff. The second thing we do is we do monthly proactive vulnerability scans. So we scan an environment because IT people, including us, aren't perfect. This allows us to find things ahead of time and fix them in as close to real time as is practical. And regulations change. Insurance carrier requirements change. So what we're trying to do is instead of When it's time to renew your cyber insurance at the end of the year, you get this laundry list of things you need to do to either get approved or to get a reasonable rate. We're trying to stay on top of them going forward. So it's initial assessment, monthly scans, and a roadmap for the next 12 to 18 months.
SPEAKER_02:Have you seen any changes in the behavior of insurers in the last year or two? And I ask because there have been dramatic changes in, say, home insurers. I know it's different people, etc.,
SPEAKER_01:But dramatic changes, dramatic changes. It was, let's say, around the time, let's say maybe 2020, I would say most credit unions that I talked to did not have any kind of cyber insurance. Some of them started to get cyber insurance coverage through the same provider that they were getting their general liability or their workers comp. And then this niche opened up for insurance providers that specialize in cyber. And those vendors had a field day for a couple of years because everybody was buying up the insurance. Well, now the bad guys got more clever and they started playing all these claims. And as a result, what has really changed, I would say, in the last two years in my experience is that the cost of premiums is just getting sky high. I think it was like a 74% change year to year from '23 to '24. We don't know what it'll be yet this year, but big increase. And the other thing that I want to point out to listeners that's super important is it's important to know a number of things about your insurance policy when it comes to cyber, not just the total amount of coverage. But we have seen changes in particularly exclusions. So there'll be exclusions for things like acts of war. I mean, we're in a pretty hostile, violent world right now. What does that mean if a threat comes from a certain place they're not going to cover? I don't know the answer in this moment. Everybody's got to evaluate their policy closely. The one that scares me the most is I have seen in a number of policies this generic phrase, quote, failure to maintain standards. We know that it is really hard for any provider, even the greatest, to stay on top of every security update. Microsoft has Patch Tuesday once a month. They release security updates that we need to install on all of your environment servers. And who knows why, but sometimes nine of the 10 install or eight of the 10 install. There's a communication error. It times out.
And so you have to clean it up a couple of days later as you realize that not everything was done. Is that going to be the hole that the insurance company uses to not pay my claim because everything isn't up to date? And so I implore our client, and we help them through this, look at the policy carefully. And if you have any questions about those exclusions, any of them, get better definitions on them or look for providers that make that stuff a little clearer.
SPEAKER_02:Well, just speaking broadly, I think it's fair to exclude claims that result from failure to maintain standards. If you go out and get a new BMW, drive 30,000 miles a year and never get the oil changed, never. And then the third year, the engine blows up. If I'm a BMW, I'm going to say, hey, dude, it's your fault.
SPEAKER_01:I agree with that completely. I mean, an example in the tech world is that Microsoft offers a new operating system for its servers or workstations every couple of years. Right now, the world is using Windows 11 on workstations. That's the current operating system. Windows 10, last time's operating system, is still out in the world and still being patched, but it's coming to end of life, which for Microsoft means they're not going to support it anymore, and they're not going to update it with security patches anymore. And so we're in a time right now where we need everybody to move to Windows 11. It would not be fair to be running Windows 7 or Windows 10 and then be upset or frustrated when there was some kind of a breach. However, if you're working on a Windows 11 machine and you get patches once a week for it, if you don't have every single patch installed, that's sort of the reasonable course of, you know, regular life, and we just want to make sure that you're not paying a bunch of money toward an insurance policy that's going to be that specific in denying a claim. So I think that there's a middle ground that is appropriate and makes sense between what you described and what I'm describing. And I think that smart people can ask those questions and get that clarification.
SPEAKER_02:Yeah. I was offering a gross negligent driver.
SPEAKER_01:That's right. Exactly. Yep. Right. That person deserves their car to blow out.
SPEAKER_02:Yeah. Now, what are your costs? What's your fee basis?
SPEAKER_01:Yeah, so depends, of course, on the range of services. If certain larger credit unions will engage with us just for cybersecurity, we put together what we call our stack. And if you use the tools that are in our stack, it usually runs in the range of about $83 per user per month. If you are doing the full suite of services that we offer, so not just the cybersecurity, but also the help desk, the proactive strategic planning, et cetera, prices range anywhere between $150 and $200 a month per user. And that's a recurring fee that covers all the licensing costs for everything we use. And it's unlimited support other than things like hardware purchases, which we procure for you, but they have to pay for it because it's their capital expenditure.
SPEAKER_02:Now, a while ago, you mentioned mergers. How do mergers figure into this? Because everybody in credit union land is talking mergers.
SPEAKER_01:Yes, they are. I speak at, I don't know, eight to 10 conferences a year. From our vantage point, we see technology as becoming the scapegoat for a little bit of lazy leadership. So they'll say the NCUA and its regulations are making it impossible to keep up. And as a result, I can't afford to run a $125 million credit union. So I'm looking to merge, which really means they're looking to be acquired. The analogy I would use is you can have an effective workforce working remotely. After the pandemic, we had to all figure out how to do that. And do I wish everybody was back in the office? I do, because I think there's some things lost. But if you have the right KPIs or right performance metrics in place, you can get a fully remote workforce to be just as productive. They're just productive in a different way. And I think that there's a lot of technology becomes the butt of the joke. It's, you know, government regulation is what's keeping us from making any money and it's getting in the way. And so we have to merge because we can't scale. And what I'm here to tell you is that actually every credit union, no matter what size, has to make some investment in their technology. But as I said before, the little bit of elbow grease and working with a partner who knows what they're doing, meaning when you buy some cybersecurity tools from me, I can get them cheaper because of my volume than you can off the street, get them through me. Let me tell your vendor like me which apps you should use, how this positions you for the exam, and you will do just fine. So we have been able to protect lots and lots of small credit unions. The economies of scale in the financial sector, that's not my specialty. I don't understand mortgage rates or loans or those other things that are critical to the business. But I can tell you that technology is not getting in the way of your bottom line.
There are ways to do it with elbow grease and working with a good partner or with a smart internal hire to get these things done. And I don't like when I hear that technology is the reason they think they need to merge. I'll also say, parenthetically, that one of the things I really love about working with credit unions is that they serve their members. That's the number one thing. The number one thing isn't to make money. It's to serve your members. During all these mergers, particularly of the behemoths that you described a few weeks ago, we're just becoming banks. And I want to be part of an industry and help support things in a way to keep these cooperatives alive. I think it's an important part of sort of the American fabric. And technology is important, takes a bunch of time, takes some investment, but you do not need to merge in order to scale properly with tech.
SPEAKER_02:I've thought a lot about mergers in recent years. Every merger is unique. But one thing I would say is that if you're merging to equal the economy of scale of a Chase, you ain't never going to get there.
SPEAKER_01:That's right. Not even close.
SPEAKER_02:Chase is barely aware that Navy Federal exists. And Navy Federal is a great credit union. It's the biggest by far. But Chase is many, many, many, many, many multiples bigger. And they have an economy of scale. That's just the way it is. So is AI figuring into this tech thing? And every credit union that I'm talking to, the two things they want to talk about is mergers and AI. They don't want to talk about anything else. And AI has some serious security issues associated with it, I believe. And I don't know that they're being addressed properly.
SPEAKER_01:I think that's probably true. I mean, AI is almost like saying air, water, fire. It is such a gigantic term that encompasses so many things. We've all been carrying AI in our pocket for years because we have Siri or we have Google Assistant at home. So it's tricky to make sure that we're talking about the right thing.
SPEAKER_02:I'm particularly talking about generative AI, the ChatGPT world, which this is the best thing since sliced bread, man. And you got to get sliced bread. That's what credit unions tell me.
SPEAKER_01:I think that that's true. I mean, I think what we're seeing, I mean, I'll tell you, I'm a service provider and credit unions are a service provider. I have a call center just like credit unions have a call center. I'm very interested in the ways that AI will help enhance the client or in the case of a credit union, the member's experience. So many of them are using it when it comes to phone trees already. But where they might look for it is in searching their member database for opportunities based on very specific life events. Somebody's of a certain age, you might start feeding them things about wedding planning. You might start feeding them things about first home purchase. There's a lot of trending that the AI applications can do that don't take a lot of sophistication that I think regular marketing people could take advantage of. In terms of security concerns, I agree with you. You need to vet those vendors hard and make sure that they've got the right things in place. You have to be extremely careful related to privacy. I would say in that last bit is where we can help. I'm a little out of my element where I'm not the right person to recommend how AI is going to be applied to make loan originations go up. I just know that what I see those applications being used is very sophisticated. It is that jump from using an abacus to a calculator times a million. I'm excited about the opportunities we have not to replace people on our team, but to be able to enhance the client experience. But you have to be very careful, particularly with the generative models, not to feed it through, not to put a bunch of private information in there and then just have the regular old engine off the shelf, tell you what you should do next. Very dangerous. 
Many organizations, not just credit unions, I know are installing their own version of an engine like ChatGPT in their own environment with the proper security around it, and then starting to teach it about their organization, about their members so that they can process trends or learn in a faster way.
SPEAKER_02:That certainly is happening. But if you just look at basic OpenAI, ChatGPT, generative, what they've done is scraped together a whole bunch of information to answer your prompt, to respond to your prompt. You don't know what they've scraped together. You don't know where they've been scraping.
SPEAKER_01:And it's not always right. What's a little scary for me, just as a regular old person, is I forget one of the large models they asked, like, what's the average temperature in Fort Lauderdale in April? And it said something like 73. And it turned out that the answer is really 75. I'm making those numbers up. It was something like that. And it's like, well, do those two degrees matter? Well, they do. Facts matter. So we have to be very, very careful with the application of that technology. I'm not saying anything original here, other than from my perspective, if a credit union is engaging with it, it needs to really vet the vendor that they are working with, and certainly make sure that the security of both their internal technology and their members' information is properly secured.
SPEAKER_02:Now, have you seen NCUA auditors expressing any significant interest in AI within credit unions?
SPEAKER_01:I haven't seen that yet.
SPEAKER_02:That's coming. I'm sure it's coming.
SPEAKER_01:Yeah, and it should, and it should. And I think that it is the largest credit unions that are using it in a significant way already. And as I say, we do co-manage for the largest organizations. And so I'm not as privy to some of those exam results as I am for the people that we, a couple hundred that we cater to.
SPEAKER_02:What would concern me about the smaller credit unions is they take a consumer product like ChatGPT and start playing with it inside the credit union. Which is okay, but you need to have some safety nets there for yourself.
SPEAKER_01:Absolutely. Yeah. And that we can help with all day long, but it's a bad idea to do it on their own. And it's a terrible idea to do it on a credit union device until they make sure that they've got the security in place they should.
SPEAKER_02:Right. I mean, you don't want... That doesn't exist anymore, but you don't want to issue... a laptop to somebody and have them install TikTok and Hotmail.
SPEAKER_01:Exactly right. Exactly right. Yeah. And if you're using zero trust mindset in your environment, you would never allow them the capability to install anything on their own.
SPEAKER_02:I'm sure you could go on YouTube and find a video that tells you how to do it. Now, have you ever had a client who really just had a breakdown because of a tech audit?
SPEAKER_01:When you say breakdown, do you mean like an emotional breakdown or?
SPEAKER_02:Yeah, like starts wrong things at the auditor. I don't know.
SPEAKER_01:I have. I did have no breakdown. No, but I have had clients of mine, credit union CEOs, very frustrated because they felt that they had made progress and they felt that the examiner was being difficult. I had a state examiner in Tennessee just a couple of weeks ago who suggested something very specific be done, which seemed unnecessarily complex. And I know that my client was going to follow up with that person's supervisor to find out where in the world is this coming from. So I do see frustration there. I see frustration around a lack of organization, a lack of comprehension about some of the things. But I'm telling you all the complaints. With a lot of clients, I would say the majority have a very good experience with their examiner. When I say very good experience, it's like having a good experience with your CPA at tax time. It was as expected. You've got some things to fix. Everybody's professional. Everybody's organized and timely. The roadmap is clear afterwards. I would say that's most of the time.
SPEAKER_02:Before we go, think hard about how you can help support this podcast so we can do more interviews with more thoughtful leaders in the credit union world. What we're trying to figure out here in these podcasts is what's next for credit unions. What can they do to really, really, really make a difference in the financial scene? Can't all be mega banks, can it? It's my hope it won't all be mega banks. It'll always be a place for credit unions. That's what we're discussing here. So figure out how you can help. Get in touch with me. This is rjmcgarvey at gmail.com. Robert McGarvey again. That's rjmcgarvey at gmail.com. Get in touch. We'll figure out a way that you can help. We need your support. We want your support. We thank you for your support. The CU2.0 Podcast.