Banks and credit unions are increasing budgets and staffing this year for the ongoing fight against financial fraud. But will their spending prove prudent?
Most are doubtful.
This week, we released some preliminary results from our 2012 Faces of Fraud survey. While banking institutions are focusing more attention on technology to meet regulatory demands outlined in the FFIEC's updated Authentication Guidance, only 11 percent expect that conformance with the guidance will result in a significant reduction in fraud. More than half expect conformance will only slightly reduce fraud, and 16 percent expect conformance will have no impact.
Analysts and vendors I talked to about the perceived lack of impact of guidance conformance were a bit surprised; bankers, however, were not.
Why? Because so much of the fight against fraud depends not on technology, but human behavior.
Role of Consumers
"I truly believe that it still comes down to what consumers are doing and their lack of awareness and concern about how to keep themselves safe and secure," says Patti Broer, the information security administrator and business continuity plan coordinator for BankWest Inc., a $754 million bank in Pierre, S.D. Broer serves on BankInfoSecurity's board of advisers.
"I feel that banks can take all the precautions, put everything in place to watch for fraud on consumers' accounts, cross every 't' and dot every 'i' in regard to the FFIEC guidelines, but it ultimately comes down to the human element," she adds.
And when I look at our survey results, I see that Broer's perspective is right on the mark.
The survey shows 68 percent say a lack of customer awareness is the primary source of fraud. Because the FFIEC guidance specifically notes the need for customer and member education, institutions are making fraud-prevention education a priority. Among all the investments bankers are making, customer education ranked No. 3.
If the regulators truly want to see fraud reduced, then the greatest attention should be paid to education, bankers argue.
One executive at a multibank holding company, who asked not to be named, told me, "You can't protect an environment that you don't control."
So, you can provide education and enhance technology, but you can't force businesses and consumers to change their behavior.
The good news is that customer education can come in many forms and flavors. Many institutions say they're making site visits to educate and train their commercial customers and members about emerging threats. Others are issuing mailers and having tellers explain how phishing schemes work when retail accountholders visit the branch or banking center.
But some institutions are going a step further, thinking outside the box, which I really find promising. For example, some are testing vulnerabilities to social engineering schemes. (See New Strategies to Fight Phishing.)
I'm anxious to learn more. And I wonder if examiners, as they review institutions' plans for FFIEC conformance, are recommending this type of training. I invite you to share your insights.