The community bank’s complete guide to building trust

Illustration by Ahoy There

Building trust in your institution has a lot to do with technology, from implementing strong data security practices to humanizing your online customer interactions.

By Ed Avis & Elizabeth Judd


In this feature, we’ll look at a number of ways you can continue to build trust—an especially crucial task as the pandemic continues, telecommuting persists and consumer banking practices evolve. But for most community banks, building a trustworthy brand isn’t a conscious effort. It’s in their DNA. So first, we’ll look at how two community banks have become trusted pillars of the community through charity work and good old‑fashioned customer service.

In early 2021, a customer approached a teller at Kennebec Savings Bank in Augusta, Maine, and asked to withdraw $20,000.

The teller, who recognized the customer from previous interactions, found the request suspicious. She gently prodded the customer for details about his need for the cash. Ultimately, the man took the $20,000, but he later returned and told the teller that her questions had planted doubt in his mind about an upcoming business transaction, which turned out to be fraudulent. He still lost $3,000, but he credited the teller with saving him the other $17,000.

“Part of relationship banking is being able to say to a customer, ‘I hear you, but have you checked this out?’” says Andrew Silsby, president and CEO of the $1.4 billion-asset community bank. “And man, do you build trust when you help a customer in that way.”

Build your community

That interaction between teller and customer represents a tangible way that relationship banking builds trust. But even more subtle relationships, such as those developed through donations and service to community organizations, can foster the trust that makes community banks distinct.

When a local nonprofit sought funds to renovate an 1895 opera house in Watertown, S.D., one of the communities served by $665 million-asset Reliabank Dakota, chairman David W. Johnson donated enough that one of the venues in the opera house is now called Reliabank Theater.

“I’ve had about 100 people come up and say, ‘I’m glad you did that.’ I think we built some trust there,” Johnson says. His motto is: Customers don’t care what you know until they know that you care. “That’s at the root of relationship banking,” he adds. “There has to be a relationship fostered through social activities, charities, civic clubs, where you get to know individuals.”

Silsby agrees that relationships created through community engagement are essential to building trust. He says Kennebec Savings Bank employees volunteer approximately 8,000 hours in the community each year, and 10% of the bank’s income is contributed to local organizations.

“People tell me regularly, ‘You guys are involved in everything in the community,’ and I think that community engagement builds trust,” Silsby says, adding that many times those trusted community-built relationships lead to new bank customers. “I think when customers are ready to change their banking relationship, they head our way because of the work we do in the community.”

Invest time in building trust

With much banking moving online or to smartphones, interactions with customers can be less frequent. However, Silsby says technology also can free up time for employees to have more meaningful interactions. If employees spend less time handling deposits or cashing checks, they can be available to help customers facing problems or seeking guidance regarding new opportunities.

For example, when a customer needs help securing a mortgage, navigating a family financial problem or starting a business, finding a community banker who has the time to speak in person can be a lifesaver.

“I think that’s the essence of community banking,” Silsby says. “When someone is in financial hardship or things are getting turbulent in their lives, they want to turn to a community banker for assistance. If they’re going through a divorce and they need help, they’re not going to get it from a mobile app. We have to have the mobile and web banking for the transactions that don’t need our assistance, but that frees the staff up to spend time with customers when they really need it. That makes building the trust easier.” —Ed Avis


“If you want to develop trust on social media, you need to be there when your customers need you.”
—Claire Hill, Heritage Bank & Trust

Use social media to build trust

Claire Hill, marketing director of $208 million-asset Heritage Bank & Trust in Columbia, Tenn., manages the community bank’s presence across platforms like Facebook, Instagram, LinkedIn and Twitter. Here are her tips for building trust on social media:

1. Focus on community.

Hill rarely uses social posts to highlight bank products or services. Rather, she focuses on the bank’s activity in the community. “I like to show that we are truly involved in the communities we serve,” she says. “People really care about those things.”

2. Reply quickly.

When someone asks a question or makes a comment on Heritage Bank & Trust’s social pages, Hill jumps in immediately. Once, before a holiday weekend, a customer messaged the bank to say that her ATM card wasn’t working. Hill arranged for a banker to call the customer after hours. “I have all of my notifications turned on all of the time,” she says. “If you want to develop trust on social media, you need to be there when your customers need you.”

3. Be authentic.

People respond better to simple, genuine interactions than overly slick or salesy posts. Heritage Bank’s Facebook posts include images of giveaways, recipes from bank employees and children’s artwork that will be featured in the bank’s calendar.

4. Lead with people.

Hill frequently showcases employees out in the community. “I love showing behind-the-scenes photos of projects our employees are involved in,” she says. “I want people to realize there are real people behind their community bank.” —Ed Avis


Pen test to prepare for a breach

“We have a saying here: ‘You’re going to be breached, so have a plan,’” says Edgardo Nazario, cofounder of DefenseStorm in Alpharetta, Ga. “Everyone’s going to stumble, but what are you going to do next?”

Penetration testing, or pen testing for short, has become a staple of bank IT security programs because hacking threats are constantly evolving. Through manual and automated scans, pen tests search for vulnerable services and hosts, typically caused by missed patches and misconfigured services. In other words, they find and assess anything that would allow an attacker to breach a system.

Another reason pen tests are increasingly common is that regulations and PCI compliance require banks to furnish annual pen test results.

Thomas Martin, founder and president of NephoSec, which performs pen tests, says the easiest way to gain access to a network is through social engineering attacks like phishing or even smishing, an attack through SMS messages on a mobile phone.

How often a community bank should perform pen tests depends on whether it’s undergoing a transformation, Martin says. Banks opening new branches, making an acquisition or onboarding new vendors should increase the frequency of testing.

When in doubt, community banks should err on the side of more testing. John Moeller, a principal at CliftonLarsonAllen LLP who is based in Cedar Rapids, Iowa, says many banks are not engaging in pen testing often enough and some use inferior approaches to testing.

Ideally, a pen test uses phishing emails to target users and attempt to capture credentials for gaining a foothold within a network. Comprehensive pen testing, Moeller says, speaks volumes about a bank’s security controls.—Elizabeth Judd



Use these 3 technologies to safeguard customer data

55%

of consumers report concerns about customer experience, including personal data

The pandemic pushed many banks to go digital ahead of schedule, and the number of employees still working from home makes for an even larger surface area of attack. Given the breadth of challenges banks face, here are a few cybersecurity technologies worth noting.

1. Multifactor authentication

Customers are now often asked to prove their identity two or more ways, typically by logging in and then inputting a six-digit code sent to a registered device. It’s indisputable that multifactor authentication is a way to make logins less vulnerable to hackers. In fact, Microsoft estimates that it can eliminate or reduce the impact of all account-targeted cybercrimes by 99.9%.

The biggest knock on multifactor authentication is inconvenience, according to Joel Williquette, ICBA’s senior vice president of operational risk policy. “Once you get used to it, though, you do not give it a second thought, and you appreciate the extra security that it provides,” he says.

2. Security information and event management (SIEM)

Bank forensics rely on data security logs from financial institutions as well as from outside providers of everything from antivirus protection to firewalls. A SIEM examines various data streams and then overlays algorithms to detect suspicious activities, says Timothy Evans, chief of strategy and cofounder of Adlumin Inc., a Washington, D.C.-based security and compliance automation platform.

Increasingly, SIEMs are a must-have for community banks, he says. That’s because the Federal Financial Institutions Examination Council (FFIEC) audits banks annually to determine whether they have proper cybersecurity automation and log management tools, like SIEMs, to mitigate evolving risk.

While not all SIEMs use artificial intelligence (AI), solutions with those capabilities can bring real benefits, according to Evans. For example, a SIEM with user and entity behavior analytics (UEBA) can establish a pattern for every laptop, desktop and server it encounters, making it well-equipped to detect aberrations.

3. Cloud security

“There’s a misconception that the cloud is less secure than hosting on premise,” says Thomas Martin, founder and president of Cincinnati-based cybersecurity firm NephoSec. Even so, he adds, “cloud-based technologies are becoming more common, and that’s only going to accelerate.”

Martin says security technologies for the cloud include cloud security posture management, cloud workload protection platform and cloud infrastructure entitlement management.

Edgardo Nazario, cofounder of DefenseStorm in Alpharetta, Ga., says many community banks are already cloud natives. However, many of these banks find it challenging to hire and retain the IT talent they need to maintain such technology. That’s where a third party like a solutions vendor may help community banks, he adds.—Elizabeth Judd


Reestablish trust after a breach

What types of banks do Americans prefer the most?

58%

Local institutions

42%

National banks

Source: The Harris Poll, 2018 survey

There were more than 460 data breaches with confirmed data disclosures in the financial industry between Fall 2019 and Fall 2020, according to Verizon’s 2021 Data Breach Investigations report. While only a tiny number involved small financial institutions, breaches are a reality. What can community banks do if it happens to them?

“People used to say, ‘It’s not the crime; it’s the cover-up,’” says Seth Berman, a partner at Nutter, McClennen & Fish LLP in Boston. “Today, it’s not the cyberattack that upsets people so much. It’s the [perception of how] a bank reacts. The key is to be as open as you can about what’s going on and to talk in plain language.”

“Practice your instant response,” says Joel Williquette, ICBA’s senior vice president of operational risk policy. “So many of the banks that I’ve talked to don’t realize that there’s going to be a tremendous emotional response to a breach. It’s traumatic for the staff. It’s traumatic for bank leadership. And you handle those emotional responses by practicing.”

John Moeller, a principal at CliftonLarsonAllen LLP who is based in Cedar Rapids, Iowa, agrees, noting that clear communication is made easier by thorough prep.

“Work off of facts and not assumptions,” he says. “Clearly communicate what happened and identify the type of data that was accessed. Do not get overly technical with descriptions and do not come across as defensive.”

Taking practical steps

Community banks can take concrete actions to foster peace of mind. Moeller cites the common industry practice of paying for credit monitoring for a year after a customer’s Social Security number or other personally identifiable information is exposed.

Berman recommends offering identity protection for even longer. He says two years of protection costs banks only a little more than a single year, and, practically speaking, the programs turn out to be affordable because only a fraction of customers typically participate.

Williquette says one of the best ways to reestablish trust is through reliable and helpful information. For example, community banks can create webpages providing resources for addressing identity theft from the FBI and regulators (see icba.org/solutions/operational-risk).

An excellent way for community banks to reestablish trust is by offering in-person or online safety courses that highlight steps customers can take to protect themselves from threats, Williquette says. In his previous roles as chief information officer at financial institutions, he did just that. “Often it was older individuals who wanted to come in and feel more comfortable using online banking or keeping safe on the Internet,” he adds.

Always on guard

Safety courses can be brief but should always be practical. “We’d talk about best practices for passwords and making sure they keep antivirus on their computer,” Williquette says. “We’d talk about the fact that many of the emails they’d receive are phishing attempts.”

Williquette says security is a realm in which community banks shine. “The nature of the threats may have changed, but banks are still very good at protecting money and data,” he adds. “We’ve been doing so since banks have been in existence.” —Elizabeth Judd


Ed Avis is a writer in Illinois.
Elizabeth Judd is a writer in Maryland.