FFIEC: How Well Do Banks Conform?
Many Institutions Await Clarifications from Regulators
But what's next, and where are they expected to make their greatest fraud prevention and detection investments?"Many of the banks let (risk assessments) slide after the 2005 guidance came out, so that's an area that's getting a lot of attention," says Gartner analyst Avivah Litan in an interview with BankInfoSecurity's Tracy Kitten (transcript below).
Litan says bankers are weighing their options carefully before jumping on too many new technology solutions. But many are reviewing existing payment systems, such as wire and ACH, "so that they can conform with the guidance, which requires the banks to look at log-in of customers and movement of money among customers," she says.
They also are testing challenge-question strategies and simple device identification, to identify practices that are out of date. From there, customer awareness and education are next in line, and quite a few institutions are making big investments to enhance their fraud outreach programs.
But Litan warns banks and credit unions should be cautious about their technology investments. "Use your common sense; do what's best to protect the accounts; and I would hope that the regulators would agree with those measures, if they're based on sound reasoning," she says.
During this interview, Litan discusses:
- Why banks should focus on security, rather than guidance minutia;
- The top technology investments financial institutions are making;
- Why too much focus on customer and member education could be a mistake smaller institutions make.
Litan is a distinguished analyst at Gartner and a recognized authority on the FFIEC guidance. She has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers the security related to payment systems and PCI compliance.
TRACY KITTEN: You've been out talking with financial institutions about technology investments they should be making to conform to the FFIEC's updated Authentication Guidance. What types of investments are you seeing?
AVIVAH LITAN: I'm seeing, number one, investments in risk assessments. Many of the banks let that slide after the 2005 guidance came out and that's an area that's getting a lot of attention. So they're definitely investing in risk assessments.
Secondly, they're taking a much closer look at their payment system, wire and ACH, and tightening those up so that they can conform with the guidance that requires the banks to look at log-in of customers and movement of money among customers. So there's a lot of attention being paid to ACH and wire.
Third, they're looking at customer awareness, but I'm not seeing a lot of investment there, just like the fresh look.
And then fourth, they're looking at current methods that have become out-of-date, especially the challenge questions and the simple device identification that were called out by the guidance. So those are the areas that I'm seeing the most investment in.
KITTEN: That's a great point because I wanted to ask had you seen a dedicated or an adequate level of attention in detail being paid to the ongoing risk assessment plans, and it sounds like you are.
LITAN: I'm definitely seeing it now, whether we will see it continue a couple of years from now I'm not sure, but that was the first points that the FFIEC guidance called out. They said, "Banks, you paid attention to this once in 2005 and many of you have not gone back and updated your risk assessments." So that was the first thing that they said in the guidance and the banks are taking that seriously.
KITTEN: Have you spoken with any institutions that have actually undergone an examination?
LITAN: Oh yes, most definitely. Many of the institutions I'm speaking with are engaged in active discussions with their examiner. I have not talked to any that have finished an examination and passed one. That doesn't mean they don't exist, but the banks that I'm talking with are in the midst of the examinations. So they've got a lot of back and forth going on. The examiner will come in and take an initial look and make some recommendations. The bank has to respond to that. They don't always agree with all of them, so they're very much in the midst of this at this stage.
Conformance's Impact on Fraud
KITTEN: Now I would like to reference our recent survey, "The Faces of Fraud" survey, and in that survey we found that the majority of institutions question the impact conformance to the FFIEC's new guidance will actually have on fraud. In fact, 51 percent of the survey's more than 200 respondents say they see conformance only slightly reducing fraud. Do you find that statistic surprising?
LITAN: Not at all because in my banks, number one, the fraud staff and the staff that are managing compliance are not in the same part of the organization. So you'll find that among the larger banks and the regional banks, the staff that are worried by FFIEC they coordinate with the fraud staff but they don't have the most open communications when it comes to how these steps could impact fraud. I mean, that sounds surprising but it's true. It's a siloed approach. The compliance people worry about compliance and the fraud people worry about fraud, and they're not the same goals frankly. In the smaller banks, I think that you will see FFIEC guidance driving real budgetary allocations toward fraud improvements, fraud detection improvements. So I think in the smaller banks, if you dissected this chart by tier size, I would guess you would see that the small banks will have a much bigger impact than the large banks will. But I think it's really important on this point to note that compliance doesn't always equal security. It doesn't always get you the security, but security will typically get you to compliance.
KITTEN: Based on some of the banks that you've talked to, how far along are they in their conformance to the guidance?
LITAN: On average, 50 percent done. They're in the middle of making improvements based on the risk assessment. Most of the ones that I've spoken to are either done or almost done with the risk assessments and so it's an ongoing process. You can't change banking systems overnight. There's a lot to be done so, for example, if you're moving from simple challenge questions to out-of-band authentication, you have to spend a lot of time just getting the phone numbers of your customers up-to-date. That's not always so easy especially if you're a business customer. That could take six months to a year alone, maybe even more than that. So I think they're well on their way knowing what they need to do in many cases. In other cases, they're still grappling with some of the details and they've got a handle on maybe 85 percent of it, but this is not a snap to an immediate program. It's an ongoing program.
Customer and Member Education
KITTEN: Are banks and credit unions focusing too much attention on customer and member education, and not enough on technology?
LITAN: It depends on who you ask. I have seen the results of your survey that demonstrate the smaller banks and the credit unions think security should be solved and fraud should be solved by their customers. The ones that think it's the customers' issue, yes I think they're putting too much weight on it. But I do think assuming that everybody takes equal responsibility for the problem and shared responsibility, the customer awareness is very important because it can help avoid a lot of mishaps. Certainly some of the fraud that we're seeing from sophisticated Trojans, you can't expect the customer to see that on their desktop, but at least if you make them aware of security issues, they'll call in right away if something is unusual, or they may not fall for a phishing attack. So I think that it's important to share responsibility across customers and banks, but definitely not rely on your customer for your entire fraud strategy. The data that you've shown me shows that I think that some of the credit unions and banks are relying too much on customer awareness, so that's the way the results showed up. I hope it's not true, but it looked like it.
KITTEN: What about some of the education plans that you're seeing financial institutions implement? Are they conducting that education in the way the FFIEC intended?
LITAN: That's a great question also because I think the FFIEC was not crystal clear, and this is an area where they should have been crystal clear. Specifically they said, "You need to inform your consumer and business customer where we protect them and where it doesn't." But what they didn't tell the banks was - how do you communicate this to the customer? Is it okay to do it in the fine print of a condition, a terms and condition sheet? Is it okay not to mention specifically Reg E or just to say regulation? Is it okay just to have a web page that tells them about their protections very generally? How specific do you get and if you just have this in some PDF document buried on the side of your website, is that good enough?
I think the questions that are left for the FFIEC to answer are number one, do the banks have to specifically refer to Reg E because that's not clear? Number two, what constitutes adequate communications? That's not clear at all either. If you remember a few years ago, there was legislation passed relative to GLBA on informing consumers of their privacy rights and where they could opt-in and when they could opt-out. The legislators were very specific with the banks telling them and the card issuers specifically rather what font they had to use, which was a good idea because none of us could ever read the fine print. It's hard enough to read the larger font. So it's that kind of detail that's missing from the FFIEC guidance.
Vagueness in the Guidance?
KITTEN: That's a really good point because I wanted to ask about some of the confusion that surrounds the guidance, and again the regulators have said they wanted to keep things vague so that the guidance wouldn't become dated too quickly. But the absence of mobile is something that has come up over and over again, and I'm just wondering, what kind of confusion do you see there among the institutions that you're talking to?
LITAN: I think the main confusion is pretty simple. The guidance does not address mobile with respect to authentication. The guidance spends some time, some paragraphs talking about out-of-band authentication and how it's safer, how it should be used, that you can't use simple challenge questions. You should use more complex challenge questions than another method of authentication and they don't address how that would work in mobile banking. So if you're coming in from a mobile device, how do you do out-of-band authentication on that mobile device? The regulators need to define, (for example), SMS to a mobile phone is really out-of-channel, if the mobile app is not using the SMS channel. So they need to say something specific. Which methods are out-of-band for mobile banking?
And they also need to address the challenge questions because asking all these questions on a mobile device and expecting users to type in the answers is just very kluge so it's not going to work real well on mobile and they don't even make any reference to that. They encourage the banks to move from simple challenge questions to out-of-wallet questions, which by the way is very expensive and whether or not that's so effective remains to be seen. There are problems with that also, but even forgetting that for a moment, how are you supposed to handle complex challenge questions on a mobile device? For example, Apple took away the UDID, their device ID from iPhones and iPads from being exposed to other applications. The developers were scrambling so it's not clear how you're supposed to do device identification yet on mobile phones. There are a variety of measures. That relates to the Authentication Guidance again.
The other part to the guidance, like the layered security, the anomaly detection, it doesn't matter if a user is on a mobile device or a land-line device.
KITTEN: When we look at the guidance overall, beyond mobile, what other areas are not quite so clear based on what you're hearing?
LITAN: I think the challenge questions - just to bring that up again - the guidance in my opinion made a mistake by getting into details on device identification and challenge questions within the guidance as opposed to in the appendix. The banks are a little confused with that. The wording in those paragraphs I thought was well done, the principles were sound, but just because they called out these specific methods in the guidance, some of the banks are thinking and some of the examiners are thinking, "Oh, we've got to move all of our simple questions and add complex out-of-wallet questions." That costs dollar to dollar $50 a shot. So it could be very costly. So I'm hearing a lot of griping about that and also about the device identification. That has been beaten by man-in-the-browser attacks, even by some proxy servers. And then of course the banks want to know what everyone else's doing, especially when it comes to customer awareness programs. What are they expected to do? How clear are these programs supposed to be, these customer awareness programs? How proactive?
KITTEN: You've reviewed some of the survey results. What key points stand out or surprise you beyond those that we've already discussed?
LITAN: I was surprised that so many banks think they're compliant already. When you asked the question, "Are you in conformance or not," 11 percent - that's more than one out of ten - think they're in full conformance now. I'm surprised with that. And I was surprised that 23 percent had no clue where they stood, so at this point they really should know if they're in compliance or what their plans are. I wasn't surprised by the question about, "Will the guidance help reduce fraud" for the reason we talked about, but I was surprised when 62 percent said the guidance was clear to them, that the expectations were clear, because that didn't really reconcile with just the simple thing like mobile banking not being addressed.
KITTEN: Before we close, based on the information that you've gathered from some of the institutions that you've spoken with, as well as some of these survey results, what final thoughts or recommendations would you like to share?
LITAN: The way I would approach this, if I were in the banks' shoes, is just do what's reasonable. Worry about protecting your customer accounts and then argue with the regulators if you don't agree with their specific opinion, because in the end I think we're all reasonable adults and the goal is to keep these fraudsters out and the exact tactics can differ from bank to bank, but really use your head. Use your common sense, do what's best to protect the accounts and I would hope that the regulators would agree with those measures if they're based on sound reasoning.