FFIEC Guidance – A Credit Union Perspective
Many industry experts have voiced disappointment regarding the FFIEC’s recently revised guidance for the security of electronic banking activities. Before we become too judgmental, we must applaud the council’s efforts to open the conversation about the increase and drastic change in cyber-security threats since its first guidance, Authentication in an Internet Banking Environment, was issued back in 2005.
As a whole, the financial services industry needs to strategically address online fraud and proper mitigation techniques, rather than continuing to overlook the elephant in the room. Institutional reputation is at stake as well as the trust of your members.
The FFIEC should be congratulated for publishing its guidance quickly, acknowledging that fraud has outpaced its original regulations. And, despite the draft guidance leaked months ago that suggested extreme security measures such as a PC dedicated solely to online banking, the actual requirements are very attainable. Credit unions, no matter their size, should have no trouble meeting the January 2012 deadline.
When beginning to apply the new supplemental guidance, it must be noted – contrary to many concerns – that the guidance principles are applicable to all Internet-based financial services. After a recent conversation we had with the FFIEC, we would strongly advise approaching changes with well-thought-out, overarching security plans for all banking channels: Internet, mobile and voice.
From a tactical standpoint, security may be managed on multiple fronts, but your members should encounter a consistent user experience across all channels. While mobile banking has not yet experienced a substantial amount of fraud, it is inevitable. As adoption increases, so will predators. Specific areas for improving risk assessment and risk management include multifactor authentication, layered security and/or other controls designed to assess and mitigate risk appropriately.
As for criticism of the FFIEC guidelines, IP verification and geo-location tactics may not prove to be very effective methods of protecting members when they are used in isolation. Used in conjunction with other risk-based scoring, they can be an effective deterrent.
We are also leery of increased reliance on personal questions. Even if the information requested is not credit bureau information, it can easily be gathered from social networks or Google searches. While out-of-wallet questions can be a tool for transaction authentication, many of the answers are quickly and easily accessible to fraudsters. Such tactics can be added to an already strong security protocol, but should not be relied on too heavily.
Credit unions are especially well prepared to address the guidance about member education and tokens. These strengths stem from two credit union-specific qualities: 1) an advanced reliance on e-channels that help expand segments and reach beyond geographic boundaries, and 2) expanding member business accounts that require employee and member training, and thus a more modern approach to transactions.
Many credit unions already host educational seminars, embrace authorization from different touchpoints in a business, have cumulative limits to transactions and use tokens to further authenticate business clients – meeting several demands of the new criteria. We’ve even seen credit unions use social media to warn members about phishing schemes, or other changes. (Note that these are not big technology investments, but thoughtful and strategic plans that leverage available tools.)
Regardless of whether we agree with each measure taken in the new guidance, it clearly delineates strategic steps for execution. Credit unions have the flexibility to tailor the new security standards to their specific business plans and should consider their vulnerabilities, the technology assets they have available and their short- and long-term goals.
Have an open dialogue with your executives, employees and technology partners to ensure a cross-functional approach across the credit union. Include the C-suite, marketing, lending, administrative representatives and anyone else who may be affected by Web, mobile and voice banking security in your planning process.
If you’re not sure exactly which divisions should be involved, consider who would be directly impacted if there was a breach in security and ensure they are part of your prevention efforts. You can never be too prepared when it comes to protecting your members.
The new supplemental guidance is just a first step in the process, and many expect to see additional refinements added. However, it provides a solid baseline on which to focus authentication and security efforts. More importantly, it creates a need for credit unions to shift focus to fraud, despite how busy they may be with the Dodd-Frank Act, Reg E and other issues.
Making security a foundation for all strategic plans protects both your members and your reputation from avoidable damage.
Ward Howell is director of security solutions consulting for Q2ebanking in Austin, Texas.