Initial Requirements for previous site (not all relevant)

Overview

The Midsize Bank Coalition of America (MBCA) has a longstanding public-facing website, https://midsizebanks.com/, but that website lacks a member-only portal. Thus, the 1500+ senior officers of MBCA’s 101 member banks lack a secure repository of confidential documents and videos that they can access on a self-service basis. Instead, they send hundreds of emails each week to the MBCA’s Executive Director asking questions and requesting documents or links to video recordings of MBCA meetings. These questions and requests could be handled more efficiently on a largely self-service, member-only portal that satisfies the following criteria:

Criteria:

  • Initial enrollment (registration) (manual, but should require minimal MBCA administration time).

    • Applicants for member only access will not have automatic enrollment.  Instead, applicants should reach a page linked to the public website that alternatively invites a login for already registered member-only site users or an application for credentials permitting member-only access.   Persons who have not previously set up a user name/password should be able to complete a brief survey (e.g., name, bank, bank title/role, email address, phone number, business address); the completed survey should enter a queue pending authorization decisions by the MBCA’s webmaster.  Usernames should be the applicant’s business email address (almost all will be their employer-bank email addresses); this will aid in alerting the webmaster to unauthorized user attempts to obtain credentials.   The MBCA’s webmaster would set up users with a default password requiring the user to re-set his/her password at the beginning of the first login experience.

    • Users should select and maintain their own passwords, and should be able to reset/recover forgotten passwords.

    • Initial password setting/password reset authentication should require a user to access his/her business email at a member bank domain or other whitelisted domain to obtain a passcode to be used for authentication (multi-factor authentication). The MBCA webmaster should have the administrative power to authorize non-whitelisted user email addresses (for experts, advisors and other nonbank authorized users). (Generate a link for resetting the password.)

    • Users should not be able to change their user ids – this change should require webmaster intervention.  (This helps prevent individuals who leave the employ of their member banks from changing user ids – for example:  we don’t want jsmith@abcbank.com able to change his user name to jsmith@gmail.com).

    • The system should be able to generate periodic reporting of enrollments and logins and deliver same to the MBCA webmaster/to the MBCA executive director. Ideally, this reporting feature would also generate activity reports sorted by member bank that the MBCA Webmaster can send to member bank administrators (one or two individuals at each bank with oversight over who should have access to resource group materials on the MBCA website).

  • Internal access restrictions (Website should restrict authorized users within the website). 

    • Once a user has credentials he or she should be able to see a non-public home page, with several “all hands” tabs and resource materials that are available to all users. However, we need to be able to restrict access to specific committee and resource groups to users authorized to view these committee or resource group materials. Perhaps this could be done on a top-down basis: CEOs serving on MBCA’s executive committee see all materials; C-suite members (however defined) can see all groups except the executive committee; some more junior-level resource group members should be limited to their own group materials (and, of course, the nonpublic home page and all-hands pages/tabs discussed above). The MBCA webmaster would manually assign users to access groups after reviewing each user’s survey requesting access. The website programming should permit the webmaster to grant access (in addition to the nonpublic home page and all-hands tabs) as follows:

      • The user IDs for the Executive Director and the approximately 15 CEO members of Executive Committee (and their administrative assistants, when requested) would have broad access to all member only resources.  The Executive Director could authorize other users to have this EC level access if desired.

      • The Webmaster would use the onboarding survey discussed above to give other user IDs access authority to one or more groups or Resource Groups (e.g., C-Suite, CRO group, BSA officer).   The MBCA Webmaster should have the power to give specific users access to multiple groups…for example, a typical Chief Risk Officer would have access to the C-Suite group as well as numbers 4, 8, 10, 11, 12, 13 and 15 (in many banks these functions report up to the CRO).

Here are the MBCA’s Resource Groups at present:

  1. Chief Executive Officers

  2. Chief Financial Officers

  3. CxOs (Presidents, Chief Operating / Operations / Administrative Officers)

  4. Chief Risk Officers

  5. General Counsels

  6. Chief Information Officers

  7. Chief Human Resource Officers

  8. Chief Credit Officers

  9. Chief Internal Audit Executives

  10. BSA Officers

  11. Chief Information Security Officers

  12. ERM/ORM Leaders

  13. Chief Compliance Officers

  14. Chief Communicators (Head of Communications / Marketing / PR)

  15. Data Governance Leaders

  • Many of the foregoing Resource Group members (primarily members of groups 1, 2, 3, 4, 5, 7 and 8) are also members of the C-Suite group. The Executive Committee (the governing board of the MBCA), plus each of groups 1-15 above, should have its own access-controlled pages to host the materials discussed below.

  • Given the groups listed above, and the fact the MBCA has about 100 member banks, MBCA estimates 1500-2000 users (including administrative assistants etc) in the near term. 

  • Content to be posted on the members-only website.

    • We contemplate a variety of materials to be posted on the nonpublic home page (directly or via tabs or links) that greets member bank executives when they log in to the members only website.   These materials will be available to all users, regardless of their status or resource group membership.   The home page should also have links to the Executive Committee and to the 15 resource groups listed above.

    • Surveys. These are subject matter surveys that MBCA regularly conducts using products such as Survey Monkey. Based on longstanding practice, MBCA requires a member bank to answer a survey as a prerequisite for having access to survey results. This is a highly manual process. For purposes of website design, the website should be able to host password-protected survey results produced by Resource Groups, not conduct the taking of the survey. The MBCA webmaster would also post the survey questions on the applicable Resource Group’s page and on the home page, as non-passworded, unprotected text.

    • FAQs – To be developed apart from the website development. The website will host/display these FAQs. MBCA will build these (and refine them over time) based on the most common questions fielded by the ED about the MBCA. These would also include subject matter FAQs (for example, links to useful documents on non-MBCA websites). Most FAQs would be posted on the home page available to all users, but resource group pages should include tabs for specific FAQs. The MBCA webmaster will upload and maintain these.

    • Presentation decks: the MBCA Webmaster uploads these to the home page (when appropriate) and to the resource group pages.

    • Member Bank officer directories…perhaps collected/updated via survey…but in this case survey results would not be password protected.  This data will be collected and uploaded by the MBCA webmaster to the home page.  The website will simply host directories prepared apart from the website.

    • Member bank profiles: a spreadsheet sortable by regulator, size, office/branch locations, etc. Again, collected/updated via survey but not password protected. Links to primary website/investor website, etc. The MBCA webmaster will collect and upload this data to the home page.

    • Zoom links to recorded C-Suite and resource group programs.  These will be links to zoom sessions recorded/hosted elsewhere.

    • MBCA history/governing rules.  Annual report.

    • Advisors listing, with links to MBCA’s primary law, consulting, accounting firms  (helps induce these experts to provide pro-bono help to MBCA)

    • Congressional/regulatory/administration contacts – matrix connecting Member Bank footprint/personal relationships to government officials.  MBCA webmaster to upload this workproduct when it is created.

    • Integrated calendar of past/future events: the MBCA webmaster will upload the calendar to a home page tab.

    • Resource group message boards – with a subscription/signup feature at the option of resource group members.

  • The member-only portal should have the following features:

    • Subgroup-level word search features (alternatively, if user permission can control the span of search this would be better; for example, a C-Suite level user would be able to see search results anywhere on the portal (except executive committee materials), but a BSA subgroup user would see only BSA page search results).

    • Regular backup and business continuity protections.

    • The member portal could reside on a separate website than the existing MBCA website, accessible via a link on the existing MBCA website. 

    • General comment: Many of the active users on MBCA’s member-only website will be highly knowledgeable about cybersecurity risks, including some of our member bank CEOs, most of the CROs and all of the CIOs and CISOs. Even though this website will not host GLBA or other highly confidential information, it should be designed as though it did. For most of our 100 member banks’ cybersecurity experts, this website will be their first introduction both to MBCA’s attention to good cybersecurity practices and to Shatterproof’s expertise in this space. This is a tough audience.
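As an added illustration (not part of the original requirements document, and not the portal's own code): a small Python model of the whitelisted-domain rule for reset passcodes, the top-down access tiers (Executive Committee, C-Suite, resource groups, all-hands pages) and the permission-scoped search described above. The section and group identifiers, and the webmaster exception set, are assumptions.

```python
# Added example, not from the MBCA requirements document: a minimal model of the
# tiered access policy (EC sees everything, C-Suite sees everything except EC
# materials, resource-group members see only their own groups plus all-hands
# pages), permission-scoped search, and the whitelisted-domain rule for reset
# passcodes. Section and group names are assumptions.
from dataclasses import dataclass

EXEC_COMMITTEE = "executive-committee"
C_SUITE = "c-suite"
ALL_HANDS = "all-hands"  # non-public home page and "all hands" tabs
RESOURCE_GROUPS = frozenset({
    "ceo", "cfo", "cxo", "cro", "gc", "cio", "chro", "credit", "audit",
    "bsa", "ciso", "erm", "compliance", "communications", "data-governance",
})

@dataclass(frozen=True)
class User:
    email: str         # user id; changeable only by the webmaster
    groups: frozenset  # assigned manually by the webmaster after review

def visible_sections(user: User) -> frozenset:
    """Sections the user may view or search, derived top-down from groups."""
    sections = {ALL_HANDS} | (user.groups & RESOURCE_GROUPS)
    if EXEC_COMMITTEE in user.groups:
        sections |= RESOURCE_GROUPS | {C_SUITE, EXEC_COMMITTEE}
    elif C_SUITE in user.groups:
        sections |= RESOURCE_GROUPS | {C_SUITE}
    return frozenset(sections)

def can_view(user: User, section: str) -> bool:
    return section in visible_sections(user)

def search(user: User, query: str, index: list) -> list:
    """Search a (section, title) index, limited to sections the user may see."""
    scope, q = visible_sections(user), query.lower()
    return [t for section, t in index if section in scope and q in t.lower()]

def passcode_may_be_sent(email: str, member_domains: set, exceptions: set) -> bool:
    """Reset passcodes go only to member-bank/whitelisted domains, or to
    specific addresses the webmaster has authorized (advisors, experts)."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in member_domains or email.lower() in exceptions

# Constructed sample index for illustration.
INDEX = [(ALL_HANDS, "MBCA annual report"), ("bsa", "BSA survey results"),
         ("cro", "CRO program recording"), (EXEC_COMMITTEE, "EC minutes")]
```

The search function filters by scope before matching, so a BSA-only user never learns that an out-of-scope document exists, which is the property the requirement above asks for.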
