FFIEC Authentication Confuses Banks, CUs
Survey Report Shows Institutions Struggle With ConformanceOur new Faces of Fraud survey report shows banks and credit unions are making strides toward enhanced fraud detection and prevention.
See Also: How to Take the Complexity Out of Cybersecurity
Banking security executives say investments in enhanced fraud detection, monitoring systems and customer and member education top their lists for fighting fraud this year.
They're also upping investments to improve out-of-band verification, enhance account-activity controls, improve vendor-management practices, implement more anti-money-laundering tools, track more high-risk accounts, enhance dual authorization and conduct more internal and external audits.
Much of that increased spending and focus is linked to security enhancements outlined in the FFIEC's updated Authentication Guidance (see Fraud Survey: Banks Get Bigger Budgets).
But there's a problem. Too many executives say they don't really know that the investments they're institutions are making will have significant impacts on fraud. Moreover, they don't understand regulatory demands, and question whether the new guidelines really address the right fraud-prevention needs.
Confusion About Guidance
Here's what our survey finds: Of the more than 200 financial leaders who responded, 29 percent say they still don't understand what regulators want, where conformance with the FFIEC Authentication Guidance is concerned, and 88 percent don't believe conformance will do much to curb online fraud.
Those findings are alarming.
For one, the updated guidance is not really that updated. The update definitely offers many more details than the guidance issued back in 2005. But the tenets are the same. Multifactor authentication, regular risk assessments, transaction verification, account monitoring and customer/member education were all noted in the 2005 release, and though they're clarified in the 2011 update, the message is the same.
Those recommendations should not be surprising. Banks and credit unions should have been addressing those areas for the last seven years.
The updated guidance definitely clarifies a few suggestions, by, for example, explaining how an institution might implement multifactor authentication or transaction verification through device identification. But, really, there's no great variance between the 2005 and 2011 releases.
Why Institutions Should be Doing Better
It's troubling to learn that banks and credit unions are confused. We often hear the adage, "Compliance doesn't equal security," but have banking security leaders truly embraced that concept?
The FFIEC guidance is just that - guidance. It's a suggested roadmap for enhanced e-channel security. Banking institutions have to fill in the gaps, based on their own risks. That's what regulators want to see.
When any organization gets too caught up in compliance, it gets into trouble.
Be sure to check out the new Faces of Fraud survey report for an in-depth analysis of all the results.