The answer, industry observers say, depends in part on the asset size of the institution.
The nation's largest institutions are working to stay ahead of the updated guidance issued this past June, but smaller institutions are facing stiff challenges to improving online banking security, says Gartner analyst Avivah Litan.
"Mid-tier and regional banks are confused about how far to go to meet FFIEC compliance requirements, especially with regard to payment batch-file processing, which can be expensive to re-engineer," she says.
Litan believes most community institutions are working hard to meet the FFIEC's demands for risk assessment strategies, layered security controls and improved customer awareness of online banking risks - the core tenets of the guidance. But for the smaller institutions, FFIEC conformance depends heavily on the effectiveness of their core processors - their third-party service providers.
"[Institutions] are very dependent on their online banking processors, most of whom are still upgrading their security strategies," Litan says. And many, including the processors themselves, are still confused about minimum requirements for conformance, especially when it comes to authenticating payments.
"They have little or no resources to deal with payment security," Litan adds.
Survey: Confused About Expectations
According to a new FFIEC Online Banking Security Readiness Study commissioned by Guardian Analytics, while banking institutions are prepared to share plans for ongoing risk assessments, many still struggle with grasping regulators' baseline security expectations.
Of the 300 U.S. institutions surveyed - 75 percent banks, 25 percent credit unions - most respondents say they've spent the last six months jumping into conformance action. [See the full survey on Guardian's website.]
Fifty-six percent have already completed their risk assessments, and 59 percent have already created plans to address identified risks.
What's more, institutions are addressing security across the board, focusing on enterprise-level security. Most institutions are embracing the need for substantial security upgrades. They're investing more in anomaly detection, and they're addressing fraud from a higher perspective.
"About 85 percent said they've made changes to address the guidance, and they plan to do more," says Guardian CEO Terry Austin. "The first part of 2012 will be very busy."
Austin speculates banks and credit unions are seeing improved fraud detection as a competitive differentiator. "Layered security is a focus," he adds. And so is customer and member education.
Two out of three of the institutions surveyed by Guardian said they already have extensive customer education programs in place; and most over the next six months plan to expand on those programs.
But only 50 percent say they fully understand minimum requirements for authentication conformance. "We're not criticizing the FIs here, but we're highlighting that there is still some education and interpretation help that the institutions need with the guidance," says Guardian's Terry Austin.
Doug Johnson, vice president of risk management policy for the American Bankers Association, says that confusion proves that more industry education is needed.
"Many community banks have not had the benefit of participating in the many webinars or conference sessions on this subject," he says. "As a result, we have written a number of articles for our various publications and bulletins on the subject and will continue to get the word out to help alleviate any confusion."
Litan says most institutions also have expressed concerns about how to interpret the updated guidelines relative to mobile banking, which is not addressed explicitly in the guidance.
"The regulators may have to issue an FAQ to clarify some of the points," she says. "I think the audits starting early in 2012 will clarify what the regulators want. I don't expect a hard-handed approach from them come January 2012. But by 2013 the regulators will expect to see substantial security upgrades across the board for online banking."
Joe Rogalski, information security officer and first vice president of Buffalo-based First Niagara Bank, says taking an enterprise-level view is a good idea. "It's good to look beyond the requirements, to make sure you're doing the best thing for your institution," he says.
What more should institutions do to ensure preparation for their 2012 examinations? Experts offer these six tips:
- Plan for Ongoing Risk Assessments. Annual and quarterly risk assessments look good as ideas on paper, but institutions must be prepared to prove they have thorough plans in place to follow through with these assessments. "I think the annual risk assessment is a much bigger deal than most banks realize," Litan says. "Most banks have not done an annual risk assessment to the level that the new guidance calls for."
- Organize for Fraud Management. Upon conducting these assessments, institutions need to be equipped to take fast action on identified risks. "Fraud management is not one-size-fits-all," Litan says. "It's different in every bank, and most decisions are made by committee." More flexibility needs to be built into the response plan, so committee decisions don't choke or stall reaction time.
- Show Layered Security Plans. Regulators want to see what institutions have done to fill the gaps identified in their assessments - especially in terms of the layered security controls prescribed by the guidance. "If you're not going to be compliant by [the time of your exam], make sure you have a reason why, or the ability to show that you have very good compensating controls," Rogalski says.
- Tackle the Basics. A lot of banks are busy implementing out-of-band authentication, Litan says. Yet, they're still struggling to detect and prevent ACH and wire fraud. Rather than investing millions of dollars in out-of-band solutions, she recommends that institutions focus on core security requirements first. Address identified weaknesses with basic and well-understood solutions.
- Examine Vendors. For institutions that rely on vendors for stronger authentication, be sure you know how well your vendor is performing. After all, it is the institution that will be held to the fire for conformance - not the vendor. Review the vendor's own internal conformance assessment, or - if the organization is large enough to be examined by federal regulators - ask to review its FFIEC examination later in 2012 to see the agencies' own impressions. "It does give you some insights, and the examiners can provide that exam," Johnson says. "But you're only allowed to [view] that exam if you have an existing contract in place with that party."
- Show Metrics of Progress. Experts agree that regulators won't expect to see 100 percent conformance in 2012. But institutions must prove they will reduce risk over time. Even if more technology investments are needed, proof of progress will satisfy auditors. "I think institutions are not measuring the potential exposure they may have, and the potential losses which they've managed to mitigate against their existing losses," Johnson says. "If they can demonstrate that they have mitigated potential losses, even if exposure increased because of more attacks, then they can show that their measures of protection are improving. It demonstrates effectiveness."