Two years ago, a man with a handgun walked into a branch of Happy State Bank and Trust Co. in the dusty cowtown of Amarillo, Texas, and demanded cash. "This is no joke," he told the teller. He stuffed the money in a backpack and fled. But bank employees spotted the robber's getaway car -- a blue four-door sedan -- and police picked him up a few weeks later.
There aren't many places to hide in a small city surrounded by prairie.
Earlier this summer, a young man set up a phishing scheme to steal the identities of Happy State Bank's customers and hijack their accounts. Working off a tip from a friendly stranger in San Antonio, Texas, IT employees uncovered the ruse before it reached the bank's 4,500 online customers. They shut down the false front within four hours. The feds tracked down the culprit, who was holed up somewhere in the Bronx.
Whether a thief plies his trade on foot or online, the point is clear: Don't mess with Texas. "Banks have been around a long time, since Jesse James and his gang were robbing them," says Jason James, senior vice president of technology at Happy State Bank (and no relation to the infamous outlaw). "Security is nothing new to this industry."
But what is unusual in banking is the high-touch approach to online customer service that sets Happy State apart from its bigger competitors. The advent of Web banking has pulled James and his four IT staffers into a trailblazing position with the bank's most critical business ambition. This IT department handles all security in-house and even conducts one or two site visits a week, traveling to customers' homes to clean their computers of viruses, spam and spyware.
"High customer touch is what really brought us to the dance," says bank President Gary Wells. "In the Texas panhandle, relationships are key. People out here still want to sit down face to face and talk, go have coffee, play golf, hunt."
Taming the Security Frontier
Happy State Bank's three-story brick fortress stands tall in the outskirts of Amarillo. High ceilings, wooden staircases and walls adorned with cowboy art all nod to the Old West. There's a circular steel vault door on display that a half-dozen sticks of dynamite couldn't blow a hole through. In many ways, Happy State Bank and other midsized banks are struggling to tame a frontier of their own. Instead of iron safes and double-barreled shotguns, banks today rely upon an arsenal of technology tools -- everything from firewalls to vulnerability assessments to fraud detection and customer authentication -- to protect themselves from Internet outlaws.
It's a high-stakes poker game, for sure. Customers will desert a bank in droves if they think it can't keep their money safe. Meanwhile, regulators can and will shut down a bank that fails to meet tough Internet security requirements. By the end of this year, the Federal Financial Institutions Examination Council (FFIEC) -- a group that defines standards for financial services providers in the U.S. and is backed by the Federal Reserve System as well as other notable bodies -- will require banks to use more than one form of online customer authentication. Research firm Gartner Inc. foresees cease-and-desist orders for noncompliant banks arriving on the first banking day of 2007.
Yet for CIOs at midsized banks, there is a silver lining. The rise of Web banking and related security regulations have given IT executives a more prominent role in their companies. This is especially true at Happy State Bank, where the brass pinned the proverbial tin star on James and his four-man crew earlier this year. The 33-year-old James was promoted to senior VP, making him the youngest bank officer with the lofty title. "They do a great job," the bank president says of his IT group. "I sleep better at night knowing they're in control."
This was first published in October 2006