VyStar Credit Union Virtual Banking Platform Was Doomed From the Start

During the project and to keep to its project timelines, VyStar became increasingly willing to accept the persistence of critical bugs, according to the CFPB's investigation.

VyStar Credit Union’s Thomasville, Ga., branch. (Credit/VyStar CU)

VyStar Credit Union’s online and mobile platform was doomed to fail even before it was rolled out, causing members to lose access to their accounts and funds for weeks and triggering a government investigation that chronicled the details leading up to the immediate failure of the virtual banking platform in 2022.

Without admitting or denying any of the consent order’s findings or conclusions of law, VyStar agreed to a 47-page document that explains what caused the debacle in May 2022. The consent order is based on a joint investigation by the CFPB and NCUA that determined VyStar violated provisions of the Consumer Financial Protection Act. As a result, the credit union will be required to pay a $1.5 million fine, compensate affected members, and take steps to prevent future disruptions and maintain rigorous oversight of its technology and risk management practices.

Some of the consent order’s findings that explain the doomed virtual banking rollout include management’s decisions that ignored critical issues during the project management process; management’s questionable selection of its online and mobile platform vendor; not having an IT director to oversee the project and to inform senior managers; management’s downgrading of crucial defects of the virtual banking platform; false representations; management’s dismissiveness of the quality assurance team; and setting unrealistic timelines.

Flawed RFP & Due Diligence Processes

The consent order indicates the failure of the rollout began during the first quarter of 2021. Around that time, after initially selecting a different e-banking platform vendor through VyStar’s formal request for proposals (RFP), the credit union changed course and selected an unnamed vendor without initiating a new RFP or conducting the normal due diligence. This also enabled project managers to ignore part of the RFP and due diligence process because VyStar failed to have governance structures in place that would detect and correct these deviations.

“The modified requests for proposal process resulted in material deficiencies in the evaluation of the Vendor,” the consent order noted. “For example, the review of the proof of concept submitted by the Vendor, a miniature version of a key piece of the virtual banking platform, failed to provide a meaningful examination of the design and development challenges of the project.”

What’s more, VyStar knew the vendor lacked experience performing banking system conversions this complex and it also knew the vendor’s product offerings would not be compatible with the credit union’s core transaction processing system without implementing more extensive customized software.

This lack of compatibility required the credit union’s vendor to design and implement custom integration code to link its front-end system with VyStar’s core banking processing system. The vendor had never performed a conversion that required it to integrate its virtual banking products with an existing core processing system that originated from a different vendor in this way, according to the consent order.

Concurrent with hiring this vendor, VyStar made a $20 million investment in the vendor in the hopes that the virtual banking platform project would demonstrate the vendor’s services to other financial institutions and lead to the creation of products and services that VyStar and the vendor could sell to others. The contract with the vendor included a 28% discount on the five-year vendor agreement associated with the platform conversion, the consent order reads.

The CFPB declined to comment to a CU Times inquiry on why the consent order does not identify the vendor even though it played a major role in the rollout’s failure. The federal agency also declined to respond to other questions regarding the consent order.

Lack of Oversight

The consent order also reveals another stunning fact: During a crucial phase of the conversion project — when the credit union transitioned to the vendor as its primary project vendor and set the development schedule — VyStar did not have a chief information officer.

“As a result, the project’s most senior leadership made important decisions that required input from personnel with a technical background without such a person at the highest ranks,” the consent order reads.

During the project and to keep to its project timelines, VyStar became increasingly willing to accept the persistence of critical bugs and lower levels of functionality in the new virtual banking platform. This occurred simultaneously with an increasing prevalence of new bugs within the platform as the project got closer to its launch.

“Rather than address these issues before the conversion, Respondent (VyStar) chose to rely on what is commonly referred to as a ‘fast follow’ approach,” according to the consent order. “This decision shifted the timeframe for fixing bugs and improving functionality to after the new platform was released and serving as the only available system for Respondent’s members.”

Shortly before the May 13, 2022, release of the new platform, the management team leading the project downgraded the classification of at least 135 defects identified in the virtual banking platform initially classified as very important. This change in status meant that the identified defects did not have to be addressed prior to the initiation of the conversion.

When employees from VyStar’s Information Technology Audit group inquired about the downgrading of these defects, management told the ITA group that these decisions had been communicated to senior management.

“But this representation was false,” the consent order reads.

The credit union’s tolerance of defects, bugs, lower standards of functionality, and inadequate testing was at odds with VyStar’s Quality Assurance team responsible for testing the virtual banking platform. Moreover, the head of the QA team refused to sign off on the virtual banking platform because of these issues, and the downgrading of the 135 defects, in particular.

Despite the QA team’s objections, the credit union went forward with the new virtual banking platform launch, dismissing the QA team’s concerns as “simply a product of their risk-averse mentality,” according to the consent order.

Nonetheless, VyStar’s management even ignored feedback from the project development team that the virtual banking platform was not ready for release.

This led to VyStar’s management decision to utilize a conversion process that irrevocably disabled the Precursor Platform (a backup system) when the new virtual platform was brought online, which left the credit union and its members without a backup when the new platform failed to perform.

VyStar then made the ill-fated decision that the new virtual banking platform had to be in place by May 2022 because waiting would have required it to convert to the Precursor Platform’s updated banking platform at a cost of $1 million for each month VyStar continued to use the Precursor Platform. The upgrade to the Precursor Platform would have required VyStar to keep the platform until at least August of 2022, and the credit union would not have been able to convert to the new virtual banking platform from its vendor until after that time.
