More than half of banks and credit unions expect an increase in fraud-fighting budgets and staffing this year. But where are they investing those resources?
See Also: Rethinking Endpoint Security
According to results of the 2012 Faces of Fraud Survey, announced April 10 in the 2012 Faces of Fraud webinar, 58 percent of the 200-plus respondents say their institutions will see increased fraud resources in 2012 - 17 percent expect to see 10-to-20 percent hikes.
Yet when pressed by federal regulators to upgrade security controls to conform to the FFIEC Authentication Guidance, only 11 percent say they have come into conformance since the updated guidance was issued in 2011. Half of the survey's respondents say they do not conform now, and nearly one-quarter say they don't even know their state of conformance.
Why the disconnect?
"The survey results reflect the confusion among most banks as to what's expected of them when it comes to practical technical solutions," says Gartner analyst Avivah Litan. One example: "Many banks are wondering if they need to switch their modus operandi for challenge questions, to follow the explicit guidance in the FFIEC update about using the more elaborate and expensive challenge questions from public data aggregators," she says.
The Faces of Fraud survey is an annual study conducted by Information Security Media Group, publisher of BankInfoSecurity. The online survey was conducted in February of this year, and respondents are from banks and credit unions of all sizes, primarily based in the U.S. Preliminary survey results were revealed at an RSA Conference presentation in early March. Final results were presented in the new webinar, which includes survey analysis by banking/security experts Matthew Speare of M&T Bank and George Tubin of GT Advisors. (See 2012 Faces of Fraud: First Look.)
The 2012 Faces of Fraud survey is sponsored by Authentify, Guardian Analytics, i2, RSA Security and Wolters Kluwer Financial Services.
Top 5 Fraud Trends
The survey shows the top five most common forms of fraud are:
- No. 1: Credit and Debit Fraud. Some 84 percent rank card fraud as their top threat, but only 41 percent say their organization is prepared to prevent and detect card fraud.
- No. 2: Check Fraud. Despite declines in the volume of checks processed annually, 76 percent say check fraud remains an issue, but only 45 percent say they feel equipped to thwart the threat.
- No. 3: Phishing and Vishing (Socially Engineered Schemes). Half of the respondents, rank these schemes among the top five threats, yet only 28 percent say they feel prepared to detect and prevent them.
- No. 4: ACH and Wire Fraud (Account Takeover). Here, the numbers were a bit more promising. While 43 percent ranked ACH and wire fraud among the top threats, 60 percent say they feel prepared to fight and prevent the threats posed by account takeover incidents.
- No. 5: ATM Fraud (Skimming and Ram Raids). A total of 35 percent rank ATM fraud as a top threat, and 35 percent say they feel prepared to detect and prevent fraud linked to this self-service channel.
Although banks' increased spending on prevention will help reduce fraud, they have to ensure they're investing in the right technologies, says Speare, who oversees security for M&T Bancorp., which has $80 billion in assets.
"It just depends on the organization," he says during the webinar. He notes that technology investments don't always jibe with need.
FFIEC Guidance: It's Impact
Despite confusion about the FFIEC guidance and conformance, respondents are motivated by the elements of the update. This motivation will be reflected in their 2012 investments, analysts say.
"The FFIEC guidance is what's bringing in a lot of the investment," says Mike Urban of Fiserv, a core processor that provides security services to financial institutions. "It's forcing everyone to think about their online banking in a different way, and, as a result, they're addressing more cross-channel risk."
When it comes to FFIEC Authentication Guidance, the survey shows:
- Only 11 percent believe the guidance will have a significant impact on reducing fraud;
- 29 percent do not fully understand the guidance;
- And yet when asked about their 2012 investments, respondents target fraud monitoring/detection (61 percent) and improved awareness programs for customers (43 percent) and staff (49 percent) - key areas of the guidance's focus.
Because the FFIEC's recommendations include a mix of best practice suggestions and technical tidbits, Gartner's Litan says banks and credit unions are concerned about following the spirit of the guidance and at the same time using the recommended layered security approach.
"The FFIEC needs to follow up with an FAQ to clarify many areas," Litan says.
Where's the Money Going?
The top 10 investments institutions plan to make over the next 12 months include:
- Enhance fraud detection and monitoring systems, mentioned by 61 percent;
- Increase and improve staff training, 49 percent;
- Enhance customer and member education efforts, 43 percent;
- Improve out-of-band verification, 33 percent;
- Enhance controls over account activities, 28 percent;
- Invest in more internal and external audits, 27 percent;
- Improve vendor management practices, 27 percent;
- Invest in anti-money-laundering tools, 26 percent;
- Enhance dual authorization through different access devices, 24 percent; and
- Improve how they track high-risk customers, 21 percent.
"You can see how regulatory pressure for more sophisticated solutions is having an impact," Urban says. "Definitely out-of-band is in there, and AML is in there, too.
"Here we see financial institutions investing in customer education and fraud monitoring, and a lot of that is related to the FFIEC guidance," he adds. "It looks like institutions are taking their risks more seriously, which is always good to see."
But from the layered security perspective, 66 percent say they continue to face challenges. "They still struggle with silos," Urban says.
Without a broader focus on enterprise-level fraud, Urban contends investments will continue to miss the mark.
The survey also shows 68 percent of institutions see the lack of customers' fraud awareness as the primary source of fraud. And because the FFIEC guidance specifically notes the need for customer and member education, institutions have made fraud-prevention education a priority.
But Speare warns that focusing more on consumer education than anti-fraud technology could be a misguided strategy. "I'm not sure significant investments in awareness are going to get us where we need to be."
For more on the 2012 Faces of Fraud survey, please register for the next webinar session, and stay tuned for the full report and additional analysis over the coming weeks.