Community bands and credit unions -- small to midsize firms with up to $2 billion in assets -- are an important segment of the financial services vertical. At least a few are typically found in each community, and they are inclined to turn to local VARs that understand the institution's day-to-day operating challenges for advice and technology purchases.

"There are a huge number of community banks, credit unions, and savings and loans out there, and all of them are buying technology every day from someone," says John Korting, president and CEO of FlexNET Automation Resources, a computer consulting firm and solution provider. "They look for ways to spend money in their own communities. If you approach them in the right way -- especially if you have an account -- chances are they'll buy something from you."

Where will VARs find the most action? Experts suggest solutions that support regulatory compliance. "Every financial organization has a responsibility to protect its assets, whether they're paper money or digital assets," says Kevin Reardon, director of risk management and solution services at McAfee. "That's why the market for compliance solutions is so broad."

Pressed by Regulations
Like their larger brethren, community banks and credit unions are under pressure to comply with a growing number of regulations and laws:

• The Gramm-Leach-Bliley Act of 1999 includes provisions to protect consumers' personal financial information held by financial institutions.
• Sarbanes-Oxley legislation is designed to protect investors by requiring organizations to improve the accuracy and reliability of corporate disclosures.
• California Senate Bill 1386 requires organizations that manage sensitive data to publicly disclose security breaches, and other states have adopted similar laws.
• The Federal Financial Institutions Examination Council (FFIEC) has issued updated guidance on risks and risk management controls necessary to authenticate customer identity in online financial services. This is pushing each U.S. bank to implement an effective authentication system that will safeguard customer information, prevent money laundering and terrorist financing, reduce fraud and theft of customer information, and promote legal enforceability of banks' electronic agreements and transactions.

Getting Up to Speed
The complexity of such regulations doesn't mean VARs should shy away from this market. According to Kimberly Reed, vertical market solution specialist at Ingram Micro's Solution Center, you don't have to be a compliance expert to sell compliancerelated solutions successfully. "I'm hearing from VARs that their clients tell them, 'I've got a business to run, and I can't keep up with these regulations,' " Reed says. "But if these companies follow IT best practices for security, they'll be enabling compliance by default." These ideas are nothing new, Reed adds. "The new regulations just put some 'teeth' into security best practices, so now there's a method of enforcing them."

Still, it pays to become familiar with the business and regulatory environment before approaching any customer. "It's critical to have a working knowledge of the industry," says Yacov Wrocherinsky, CEO of Infinity Info Systems, which specializes in customer relationship management solutions. "You must first understand the companies, what they're looking for and how technology will help them achieve compliance."

At a minimum, VARs should engage in basic web research before approaching a prospect, starting with the company's web site, key staff members and compliance in general. A search on "credit union compliance," for instance, brings up thousands of pages, many from the National Credit Union Administration, that outline the compliance requirements, procedures and areas of concern.

Another option comes from the ReymannGroup, a team of vertical market subject matter experts. To help VARs stay current on the business and compliance challenges of financial services and healthcare firms, ReymannGroup has created a complimentary web site, at www.complianceandbeyond.com. "Before a sales call, you can log on and do some research, and you'll walk in the door with a better understanding of what’s on your client's mind," says Paul Reymann, CEO. "Such knowledge will make you more comfortable in the environment and more credible with the client, ultimately resulting in increased sales.

Compliance Sales Strategy
Wrocherinsky notes that the biggest challenge faced by VARs today is just getting in the door. The key is tying technology solutions to the business results executive managers hope to achieve. "Financial services decisionmakers have a great deal of pressure on them," he says, "and you have to present compliance solutions that will relieve some of it."

This may mean broadening sales contacts beyond your comfort zone. "Many VAR relationships are strongest at the IT network-manager level," Reymann says, "but increasingly, spending decisions are made higher up."

McAfee's Reardon, himself a former IT auditor, emphasizes the multidepartmental nature of compliance decision-making, with auditing, IT operations, security and senior management all playing a role. When approaching clients, he suggests playing to your strengths. If network managers or security staff are your main contacts, use your relationships there to bring the other groups into the sales conversation.

"You need to talk to the audit team, finding out how they view risks to the organization, the key compliance procedures they're working on, and the processes they use to collect and analyze data to measure business operations," Reardon says. "This will give you audit's perspective on where the organization stands in its compliance efforts."

The bank's operations team is also important. System administrators, network engineers and desktop support staff can provide needed insight into the company's business-critical processes and technology. And security staff can provide insight into existing controls and how effective they are.

As mentioned, meeting with senior executives is a must, but not to discuss technology. Rather, have a business discussion about "how they ensure that the organization is operating effectively, what tools they depend on for financial reporting, and what they're hearing from peers that makes them uncomfortable," Reardon says. "VARs who can bring all this together into a compliance solution plan have excellent prospects for success."

The Solutions Side
Which solutions are local institutions likely to need? According to Reymann, the FFIEC's guidance mandates more effective risk assessment across the network. This leads banks and credit unions to need a range of services related to business continuity, security, content management and network monitoring -- all excellent opportunities for managed services. Such services would be especially welcome in smaller institutions that might not have the budget to hire inhouse expertise.

• Security integration. While most banks have a number of security point solutions, usually they are not integrated. This is problematical because compliance requires data from multiple sources to be analyzed and validated for audit purposes. "We find the discussion is less about substituting this point product for that one," says McAfee's Reardon, "and more about making things work together to deliver a stronger reporting process that supports compliance goals."
• Backup and business continuity. With mountains of data flowing into and through financial services firms, reliable and secure storage presents a promising opportunity. Hurricanes Katrina and Rita have made banking executives more aware of how disasters can wreak havoc on their systems and disrupt business operations, putting a premium on backup and business continuity solutions. VARs have the opportunity not only to sell more storage, but to ensure data integrity and business continuity by providing secure, off-site storage with easy backup and restore capabilities.
• Data loss prevention: Risk management best practices now include data loss prevention (DLP), a technology that goes beyond host intrusion prevention and content filtering to protect digital assets from unauthorized use by insiders. "A company can be compromised when an insider cuts and pastes a part of its business plan into an e-mail or downloads strategic information to a flash USB drive," Reardon says. DLP solutions address this issue by protecting against leakage from a range of sources, such as PCs, the network, e-mail, instant messaging, flash drives and printers.
• Network monitoring and management. With so much of every financial services firm's information residing on its network, it is essential to monitor network activity for performance, security vulnerabilities and unwanted traffic. VARs can serve financial services firms well with managed solutions that offer real-time, 24/7 monitoring, management and reporting capabilities.

Putting It All Together
Compliance for financial institutions, we have seen, has many aspects. "It's like a big elephant," Reardon quips. "There's only one way to eat it, and that's one bite at a time."

For VARs, this means taking a deliberate approach to understanding customer compliance needs; getting to know the business processes and priorities; and then laying out a technical strategy that meets the requirements. Though such a sales cycle can be lengthy, there are no shortcuts to a winning relationship.

"When you are controlled and consultative in your approach, customers understand that you have their best interests in mind," Reardon says. "That makes them more willing to spend time and money with you."