Regulatory Guidance – FFIEC's Latest One Worth Embracing
Financial institutions have been under significant scrutiny lately, with seemingly endless regulations and guidance with which they need to comply. We appreciate that it’s hard to know where to begin.
Our recommendation is to start with improvements that not only meet minimum agency requirements, but also yield compelling business and member benefits.
The FFIEC’s Supplement to Authentication in an Internet Banking Environment, released in June 2011, is that rare breed of guidance whose benefits make complying compelling on its own merits, not simply because the agencies say so. We believe credit unions and their members will be far better off as a result of the agencies’ actions.
The FFIEC spent months analyzing fraud trends before issuing its recommendations for securing online banking. Credit unions should now read the guidance as a roadmap for outstanding member service, not just another regulatory hurdle to clear. You want to provide excellent service to your members? The FFIEC has just shown you how.
Part of taking the guidance to heart as the right thing to do for your members requires understanding what the FFIEC really is saying. There are three key components of the Guidance Supplement, each with clear business or member-service benefits:
1. Risk Assessments. The agencies made this existing requirement more explicit, something that arguably should have been spelled out in the original 2005 guidance. The requirement is not unreasonable. It’s just good business to have a comprehensive understanding of what controls you have in place and where the gaps are.
Fraud attacks are changing more rapidly than ever. At the same time, you want to introduce expanded services in response to member banking preferences. It’s important to assess the risk introduced by both of these and develop appropriate mitigation strategies so you can expand services with confidence.
2. Layered Security. The agencies identified two elements needed to meet their minimum expectation: anomaly detection and enhanced controls for business accounts. Sophisticated attacks rarely start with the fraudulent transfer itself; they first stage it through account-control changes such as adding new users, raising approval limits and adding payees. These high-risk activities warrant closer oversight in their own right.
The anomaly detection requirement is the area that likely requires the largest technology investment, and therefore is receiving the greatest scrutiny, especially given the number of options for individual layers to include in your security strategy.
We encourage credit unions to prioritize their technology investments around anomaly detection, for which proven solutions are available that can be deployed quickly to protect all members while yielding benefits that get to the heart of a credit union’s mission of providing great member service. More on this below.
3. Member Education. We all know that not every member will listen or follow through, but who would argue that you shouldn’t share information with members about the risks and what they can do to protect themselves? Your members look to you as the experts, and sharing that expertise can only increase trust and loyalty.
Layered Security and Anomaly Detection
Risk assessments will help you mitigate growing risk, while member education will increase member appreciation as you help them lower their own risk. However, the big debate will be around which layer of a layered security strategy to implement first.
By definition, layered security makes it harder for cyber crooks to complete fraudulent transactions by placing layer after layer of roadblocks in their way. As the FDIC's Jeff Kopchik said, "If any one control is compromised, then you have other controls that will pick up the fraud."
One of the layers, as per the guidance, must be anomaly detection, which is the ability to recognize and act on suspicious online behavior and anomalous transactions. It provides protection against the broadest range of attacks to the largest group of members.
Anomaly detection is based not on understanding specific fraud schemes or threats, but on monitoring each online and mobile banking session and comparing it to the member’s established patterns of behavior: when they log in, from which devices, what they typically do, and how much they typically move.
Because it keys on deviation from that baseline rather than on the attacker’s technique, it can identify fraud regardless of how the credentials were obtained or which device is being used, whether a PC, smart phone or tablet. In that sense it is as ready for tomorrow’s attack as for today’s, with one caveat a practitioner should keep in mind: a fraudulent session that closely mimics the member’s normal behavior scores low, and a legitimate member who changes devices or habits will sometimes trip it. That is why the guidance treats anomaly detection as one layer among several rather than a complete defense.
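As an added illustration of the session-level behavioral comparison described above, and of the high-risk account-control actions (new users, approval limits, payees) singled out earlier, here is a minimal anomaly scorer in Python. It is an example written for this page, not code from the original article or from Guardian Analytics; the member session history, device identifiers, action names, scoring weights and decision thresholds are all constructed for the example.

```python
from collections import Counter
from datetime import datetime

# Account-control changes the guidance calls out as high-risk: they set up a
# later fraudulent payment rather than moving money directly. (Example set.)
HIGH_RISK_ACTIONS = {"add_user", "add_payee", "change_approval_limit"}

# Constructed session history for one member (illustrative, not real data).
# Each record: login timestamp, device fingerprint, actions taken in the
# session, and the largest outbound transfer made during it.
HISTORY = [
    {"ts": "2011-05-02T19:10:00", "device": "dev-a1", "actions": ["view_balance", "pay_bill"], "max_transfer": 120.0},
    {"ts": "2011-05-04T20:45:00", "device": "dev-a1", "actions": ["view_balance"], "max_transfer": 0.0},
    {"ts": "2011-05-06T18:30:00", "device": "dev-a1", "actions": ["transfer"], "max_transfer": 310.0},
    {"ts": "2011-05-09T21:05:00", "device": "dev-b2", "actions": ["view_balance", "pay_bill"], "max_transfer": 45.0},
    {"ts": "2011-05-11T19:50:00", "device": "dev-a1", "actions": ["view_balance"], "max_transfer": 0.0},
    {"ts": "2011-05-13T20:15:00", "device": "dev-a1", "actions": ["transfer"], "max_transfer": 450.0},
    {"ts": "2011-05-16T19:00:00", "device": "dev-a1", "actions": ["pay_bill"], "max_transfer": 80.0},
    {"ts": "2011-05-18T18:40:00", "device": "dev-a1", "actions": ["transfer", "view_balance"], "max_transfer": 200.0},
]


def build_baseline(sessions):
    """Summarise a member's established behaviour from past sessions."""
    amounts = [s["max_transfer"] for s in sessions if s["max_transfer"] > 0]
    return {
        "hours": Counter(datetime.fromisoformat(s["ts"]).hour for s in sessions),
        "devices": Counter(s["device"] for s in sessions),
        "max_transfer": max(amounts, default=0.0),
    }


def _hour_is_usual(hour, seen_hours, slack=1):
    """True if `hour` is within `slack` hours of any previously seen login hour (wraps midnight)."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= slack for h in seen_hours)


def score_session(session, baseline):
    """Score one session against the member's baseline; higher means more anomalous.

    Weights and thresholds are illustrative. Each contributing signal is recorded
    so an analyst can see why a session was flagged.
    """
    score, reasons = 0, []

    hour = datetime.fromisoformat(session["ts"]).hour
    if not _hour_is_usual(hour, baseline["hours"]):
        score += 1
        reasons.append(f"login at {hour:02d}:00 is outside usual hours")

    new_device = session["device"] not in baseline["devices"]
    if new_device:
        score += 2
        reasons.append(f"unrecognised device {session['device']}")

    risky = sorted(HIGH_RISK_ACTIONS & set(session["actions"]))
    for action in risky:
        score += 2
        reasons.append(f"high-risk action {action}")

    amt = session["max_transfer"]
    if amt > 0 and amt > baseline["max_transfer"]:
        score += 2
        reasons.append(f"transfer {amt:.2f} exceeds prior maximum {baseline['max_transfer']:.2f}")
        if baseline["max_transfer"] > 0 and amt > 5 * baseline["max_transfer"]:
            score += 1
            reasons.append("transfer is more than 5x the prior maximum")

    # Compound signal: a never-seen device making account-control changes is
    # the classic takeover pattern, so it scores more than the parts alone.
    if new_device and risky:
        score += 2
        reasons.append("new device combined with account-control change")

    if score >= 6:
        decision = "hold"       # block and contact the member out of band
    elif score >= 2:
        decision = "step_up"    # require additional authentication
    else:
        decision = "allow"
    return {"score": score, "decision": decision, "reasons": reasons}


BASELINE = build_baseline(HISTORY)

# Constructed test sessions: a routine login, a new phone, and an account takeover.
NORMAL = {"ts": "2011-05-20T19:30:00", "device": "dev-a1", "actions": ["view_balance", "pay_bill"], "max_transfer": 200.0}
NEW_PHONE = {"ts": "2011-05-21T20:00:00", "device": "dev-c3", "actions": ["view_balance"], "max_transfer": 0.0}
TAKEOVER = {"ts": "2011-05-22T03:15:00", "device": "dev-z9",
            "actions": ["add_payee", "change_approval_limit", "transfer"], "max_transfer": 4800.0}

if __name__ == "__main__":
    for name, s in (("normal", NORMAL), ("new_phone", NEW_PHONE), ("takeover", TAKEOVER)):
        result = score_session(s, BASELINE)
        print(name, result["decision"], result["score"], result["reasons"])
```

The point of the example is that nothing in it knows about a particular trojan, phishing kit or man-in-the-browser technique; the takeover session is held because it deviates from this member’s own history on several axes at once, while the member’s new phone only triggers step-up authentication. A production system would build the baseline from far more sessions and features and would tune the weights against measured false-positive rates, but the shape of the decision is the same.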
The effectiveness of anomaly detection is reinforced by a recent study by Aite Group that found most institutions believe “that behavior analytics is very effective at combating online fraud.”
With the recent Guidance Supplement, the FFIEC has done a very good job of laying out how to secure your online banking channels. And by starting with anomaly detection, you’ll be providing the best, most secure online and mobile banking service for your members.
And that will trump merely being compliant any day.
Terry Austin is CEO of Guardian Analytics in Mountain View, Calif.