FFIEC Authentication and the Link to Debit
Leveraging Synergies Between Online and Debit Fraud Prevention
"Clearly the requirements around Durbin are very explosive as are the requirements around the FFIEC around online authentication," says Ron Giammarco, a partner within Ernst & Young's Information Technology Advisory Services division. "Really, organizations have to think about the multiple layers of security that are required to ensure customer protection, to ensure regulatory compliance."
In an interview with BankInfoSecurity.com's Tracy Kitten [transcript below], Giammarco, along with David Nussenbaum, an expert in bank payments and financial crime management technology at E&Y, explain how the FFIEC authentication guidance and the Durbin amendment to Dodd-Frank are helping institutions make better fraud-prevention investments.
"If a bank can demonstrate that they have a solid fraud control program in place, they are actually entitled to another cent of interchange fees," Nussenbaum says. "The FFIEC online security guidelines are really focused on protecting consumers and banks against online fraud attacks." The two overlap wherever online banking is used in connection with debit cards.
Both, in the end, are helping financial institutions protect customers and members.
During this interview, Nussenbaum and Giammarco discuss:
- How financial institutions can reduce fraud losses across debit schemes and online channels;
- How stronger collaboration among fraud, security and compliance departments can help banking institutions avoid regulatory fines; and
- Why the end goal should always focus on heightened security and the maintenance of consumer confidence.
Giammarco is a partner of E&Y's Information Technology Advisory Services practice who has more than 17 years of experience in the financial-services industry, where he has focused on compliance, risk and finance technologies. Within ITAS, Giammarco oversees compliance technology enablement and is responsible for developing IT and data related solutions to assess, implement and improve compliance-related processes. He is a Certified Public Accountant and Certified Information Systems Auditor, and has served as an adjunct professor of Information Risk Management at Molloy College's Graduate School of Business.
Nussenbaum is a subject matter expert in bank payments and financial crime management technology who has worked for major institutions in the global banking and telecommunications industries. At E&Y, he leads development and technology delivery to support E&Y's financial-services-focused fraud control advisory and implementation practice. Before joining E&Y, Nussenbaum was vice president of the fraud management software business at ACI Worldwide.
The Durbin-FFIEC Connection
TRACY KITTEN: David, over the last several weeks, we've talked quite a bit about what the new online authentication guidance passed down by the FFIEC means for financial institutions. Now of course, with the Fed's recent clarification regarding how the Durbin Amendment's interchange cuts could impact fraud prevention, banking institutions have quite a bit to consider; and that's of course a good thing. But David, I would like for you to tell us: how do you see the Durbin one-cent debit fraud prevention incentive offered by the Fed connecting with steps to comply with the updated FFIEC guidelines for online security? How might the two movements complement one another?
DAVID NUSSENBAUM: They really complement each other very well. The one, Durbin Amendment, really focuses on debit cards and the other, FFIEC, focuses on online banking. Both of them have strong fraud and security elements. Durbin in general was not well received by the banks. It obviously caps debit card interchange fees, but there is a silver lining here and that is that if a bank can demonstrate that they have a solid fraud control program in place, they are actually entitled to another cent of interchange fees, which really can add up for a large bank. The FFIEC online security guidelines are really focused on protecting consumers and banks against online fraud attacks. They really address two different areas of banking that are interrelated in the event that there is actual use of online banking associated with cards.
KITTEN: Ron, okay, we accept these two movements do complement one another. How closely can fraud managers link debit fraud prevention with stronger online authentication? Is there a logical connection there?
RON GIAMMARCO: Yes, there is absolutely a logical connection and I think the first takeaway that fraud managers should think about is that this really demonstrates increasing regulatory requirements facing fraud. Clearly the requirements around Durbin are very explosive as are the requirements around the FFIEC requirements around online authentication. Really organizations have to think about the multiple layers of security that are required to ensure customer protection, to ensure regulatory compliance. And they really have to think about these in a bit of a higher hierarchical fashion because all of these layers are required to ultimately protect the financial institution and the customer against the organized attacks.
Risk Assessments
KITTEN: David, I would like to go back to you for a moment. When it comes to the new FFIEC guidelines, most institutions are currently focusing on risk assessments. Now is it logical for them to develop plans for those risk assessments that also evaluate debit fraud?
NUSSENBAUM: Absolutely. I would answer that in two ways. First of all, within the Durbin Amendment there is discussion about how the bank has to demonstrate that they have the means of detecting and preventing fraud. So by implication, you really can't do that before you've done a thorough assessment of your risks. You really have to understand the vulnerabilities in your products and the vulnerabilities in your customer base, and that certainly applies to your debit products.
KITTEN: Now I was going to ask you to kind of explain how these two might work in tandem, but just to kind of recap it, sounds like you're talking about a risk assessment that would look at each of these particular services differently, right? You would look at debit fraud and come up with a risk assessment for debit fraud, and then look at online fraud and come up with a risk assessment there. But where might the two meet in the middle?
NUSSENBAUM: Let me start by first talking about debit card fraud, because when you really scale down a little bit, there are many different sources of debit card products. Increasingly, we see prepaid debit products. We see NFC [Near Field Communication] naval cards. These are examples of the variety of products that our debit card issuer is probably going to have to assess in terms of each of their vulnerabilities. Then similarly you have different segments of your customer base that you have to understand, and lastly these cards are used in a variety of different contexts whether they be ATM withdrawals, point-of-sale or e-commerce. That's just giving you a flavor for the level of variety and the level of detail that has to be undertaken to properly understand the risk within the card. Then marry that against the guidelines that FFIEC gives you in terms of online banking and then you'll see there is overlap. There is overlap in situations where for example a new card may be issued through the online channel or where the cardholder is looking at information about the transactions through the online channels. There is definitely overlap between debit card utilization and online banking.
KITTEN: When it comes to these fraud security practices within institutions, those that relate to debit and those that relate to online banking, how siloed do those two remain in today's payments environment?
NUSSENBAUM: They shouldn't be that siloed but there may be cases where there are actually different areas that have day-to-day operational responsibility for patrolling the online channel and patrolling the usage of debit cards. But I think the way to highlight why they shouldn't be siloed is to look at it from the fraudster's perspective. A fraudster, if he or she recognizes that there is a silo defense, they will exploit that situation. Consider the following scenario very simply. A fraudster might phish to take over some individual or some victim's online banking account. At that point the fraudster might do a change of address on the online system, might request a new debit card online, might activate that new card, which today could be done online or over the phone, and then would proceed with a live debit card to drain the victim's account by an ATM or POS. That is a nice simple example of how the fraudster would exploit the two different areas, the online area and the card area, and if there is not coordination the fraudster would take advantage of those silos.
Enhancing Security for Online and Debit
KITTEN: David, what recommendations could you offer to financial institutions that would help them integrate solutions and approaches that enhance security and authentication across both the online and debit schemes?
NUSSENBAUM: Well again, I think there is a common theme here and that really means it comes down to first, having a thorough and broad risk assessment that looks across your products and across your channels, and coming up with an overall direction in financial crime strategy and having the right systems, organization and processes in place. Once you really know where you are going, then it really becomes easy to integrate the different countermeasures, including integration between online and debit card defenses.
KITTEN: Now Ron, I would like to go back to you for a moment. How can financial institutions do a better job of balancing compliance? And when I talk about compliance, I am basically talking about passing a fraud examination. How do they balance that compliance with enhanced security that also qualifies for these incentives that we've talked about at the opening of the call?
GIAMMARCO: Maybe I'll give you a little analogy here to think about. Early in life we all learn without having to take an examination, right? Then you get into school and everything that you learn, you have to validate that you've learned it by taking a test. Every good student needs to understand and learn how to take a test. In the fraud space, fraud managers are no different. They have to take what they've learned and ultimately apply it and a test is just a way of demonstrating that you've actually done that. The point is that compliance can be tailored to manage specific business risks rather than being just a check-the-box exercise. Where it is a check-the-box exercise, you run in danger of really not providing any value. You really have to constantly challenge that thinking, not making it a simple compliance exercise and making sure that it focuses on business risk.
KITTEN: What lessons can fraud managers learn from their colleagues in compliance and security? And how closely should all of those departments be working together?
GIAMMARCO: The answer is they should be working very, very closely together. In most financial institutions, it is important to keep in mind that the compliance officers and security officers have significant experience demonstrating their confidences to bank examiners. They've been the subject of regulatory reviews, audits, internal audits, external audits and third-party reviews for many, many years. Fraud managers should really be adopting their best practices around risk assessment, around training, communications and metrics, monitoring, and maybe most importantly looking down the road and having an enterprise-wide view of risks and incorporating the rapidly changing environment and rapidly changing regulatory expectation in their processes and procedures.
KITTEN: Ron, what are some of the technologies that you see or those that maybe you might recommend that address some of these cross-channel concerns such as ACH and wire fraud, and the connection to debit?
GIAMMARCO: Customer identification, transaction monitoring, case management, analytics, they are all used in both the fraud and AML space across all the major payment instruments. We are clearly seeing a convergence of monitoring activities across fraud, across anti-money laundering, across other surveillance activities and responsibilities. It is important that the technology is available, be fully leveraged by the institutions, and that synergies, whether it is in the customer identification process, whether it is in link analysis, whether it is in pattern analysis, that these synergies be identified and used across the different surveillance domains.
Fraud Security: Streamlining Operations
KITTEN: Then David, I would like to go back to you for a moment. How can fraud security and compliance departments develop as well as deploy processes and strategies that streamline not only operations and work, but also help to prevent fraud oversight and risk assessment redundancies?
NUSSENBAUM: I think there is some balance that has to be taken into consideration. Obviously, fraud security compliance, these departments, and these individuals who work in those departments, they do have somewhat different goals and objectives. They're not all doing exactly the same thing and there are some different skills. But as I think we've tried to mention before, in spite of the need for some separation of duties, there is so much that they have to gain by working more closely together, learning about what each other is doing and really examining how technology can overlap into different areas of responsibility. As Ron mentioned, some core transaction monitoring, case management platforms - we're seeing tremendous benefits of sharing platforms, information or analytics across these different areas. I would summarize by saying that data, technology and then individual expertise really have to be better shared.
KITTEN: Before we close, what final thoughts would either of you like to leave our audience with? For instance, what are the top five considerations for fraud managers and others when it comes to debit and online fraud prevention?
GIAMMARCO: A few things here, and maybe first and foremost to take away is that fraud management has now entered the regulatory spotlight. Managing your customer risk authentication, the rules in Durbin clearly demonstrate that the regulators are focusing on fraud more and more, so the game has changed and you need to approach it in a way that will meet regulatory requirements. Maybe the second thing to keep in mind is that the fraudster, or whoever is attacking either the financial institution or the customer base, never erects silos. They don't think about different lines of businesses or what is money laundering and what is fraud. They are simply attempting to perpetrate an illegal act that is impacting the financial institution and the customer base. And you need to think about that the same way. In addition to the fraudster's perspective, financial institutions need to knock down those organizational silos where it makes sense. Ultimately sharing information, whether you utilize the same people, the same process, or the same technology, those are all the "hows." What organizations need to do is really share information in order to manage the "what." The risk assessment is key. We talked a little bit about performing an appropriate risk assessment, but don't rest on that risk assessment. Risks change significantly day-to-day and over time so you need to really have a thorough understanding of your products, customers and how your business is evolving. And then finally, keep in mind that fraud management really achieves three objectives. The first is to reduce fraud losses. The second is to avoid regulatory issues and fines. And the third is really around the customer experience, maintaining customer trust and customer confidence.