Countdown to Compliance
Institutions Still Confused About FFIEC ExpectationsThis week, Bill Wansley , a financial services risk management and cybersecurity consultant at Booz Allen Hamilton, talked about how prepared U.S. banks and credit unions are for conformance with updated online authentication issued in June by the Federal Financial Institutions Examination Council.
He says most big banks are ready. Smaller institutions, however, are struggling.
It's a perspective shared by others, including many of the community bankers themselves.
Barry Rich, chief financial officer of Tennessee-based de novo CapitalMark Bank & Trust [$668 million in assets], says smaller institutions are playing catch-up, and they're working to educate themselves and their retail and commercial customers about just how threatening fraud - especially ACH-related incidents - can be. "When it comes to security, you're always in the mode of playing catch up," he says.
Gartner analyst Avivah Litan says mid-tier and regional banks are still confused about exactly what they need to do to meet regulators' expectations. "[Institutions] are very dependent on their online banking processors, most of whom are still upgrading their security strategies," she says.
For Doug Johnson, vice president of risk management policy for the American Bankers Association, those revelations point to one thing: the need for more industry education.
"Many community banks have not had the benefit of participating in the many webinars or conference sessions on this subject," he says. "As a result, we have written a number of articles for our various publications and bulletins on the subject and will continue to get the word out to help alleviate any confusion."
According to a new survey commissioned by Guardian Analytics, while FFIEC institutions are prepared to share plans for ongoing risk assessments, many still struggle with grasping regulators' baseline security expectations. [See FFIEC Guidance: Are Banks Ready?]
Only 50 percent of the 300 institutions surveyed said they fully understand minimum requirements for authentication conformance. "We're not criticizing the FIs here, but we're highlighting that there is still some education and interpretation help that the institutions need with the guidance," says Guardian's Terry Austin.
Litan says most institutions also have expressed concerns about how to interpret the updated guidelines relative to mobile banking, which is not addressed explicitly in the guidance.
So where does leave us? Industry pundits suggest the FFIEC will likely issue some sort of FAQ about mobile and minimum authentication requirements. We can probably expect that FAQ during the first quarter of 2012, after the first wave of exams.
"I think the audits starting early in 2012 will clarify what the regulators want," Litan says. "I don't expect a hard-handed approach from them come January 2012. But by 2013, the regulators will expect to see substantial security upgrades across the board for online banking."
In the meantime, industry associations such as the ABA will likely step in to help fill the education gaps many smaller institutions need to fill. But banking/security leaders have to make education a priority.
I understand institutions feel pressure, especially at the mid-tier and community levels, where budgets are tight and staffing is slim. Dodd-Frank is consuming most of their attention, but they cannot afford to ignore or backburner FFIEC conformance, either.
My advice to banks and credit unions: Look to your core processors and associations for assistance. Institutions pay processing partners for service and association dues for networking benefits and knowledge. Before we get too deep into 2012, take advantage of the services you pay for. And sign up for as many educational opportunities as you can, now, before auditors tell you what's missing.