Financial institutions have been under significant scrutiny lately, with seemingly endless regulations and guidance with which they need to comply. We appreciate that it's hard to know where to begin.

Our recommendation is to start with improvements that not only meet minimum agency requirements, but also yield compelling business and member benefits.

The FFIEC's Supplement to Authentication in an Internet Banking Environment released this past summer is that rare breed of guidance whose benefits make complying far more compelling than simply because the agencies say so. We believe credit unions and their members will be far better off as a result of the agencies' actions.

The FFIEC has spent months analyzing fraud and providing a recommendation for securing online banking. Now credit unions must understand the guidance as a roadmap for outstanding member service, not just some regulatory hurdle they must clear. You want to provide excellent service to your members? The FFIEC has just shown you how.

Part of taking the guidance to heart as the right thing to do for your members requires understanding what the FFIEC really is saying. There are three key components of the Guidance Supplement, each with clear business or member-service benefits:

Risk Assessments. The agencies made this existing requirement more explicit; probably something that should have been in the original 2005 guidance. And this is not unreasonable. It's just good business to have a comprehensive understanding of what you have in place and where the gaps are.

Fraud attacks are changing more rapidly than ever. At the same time, you want to introduce expanded services in response to member banking preferences. It's important to assess the risk introduced by both of these and develop appropriate mitigation strategies so you can expand services with confidence.

Layered Security. The agencies identified two elements needed to meet their minimum expectation: anomaly detection and enhanced business controls. Sophisticated attacks often include reconnaissance activity such as adding new users, resetting approval levels and adding payees. These high-risk activities warrant closer oversight.

The anomaly detection requirement is the area that likely requires the largest technology investment, and therefore is receiving the greatest scrutiny, especially given the number of options for individual layers to include in your security strategy.

We encourage credit unions to prioritize their technology investments around anomaly detection, for which proven solutions are available that can be deployed quickly to protect all members while yielding benefits that get to the heart of a credit union's mission of providing great member service. More on this below.

Member Education. We all know that not all members will listen or follow through, but who would argue that you shouldn't share information with members about the risks and what they can do to protect themselves? Your members look to you as the experts, and sharing that expertise can only increase trust and loyalty.

Layered Security and Anomaly Detection

Risk assessments will help you to mitigate growing risk while customer education will increase member appreciation as you help them lower their own risk. However, the big debate will be around which layer of a layered security strategy to implement first.

By definition, layered security makes it harder for cyber crooks to complete fraudulent transactions by placing layer after layer of roadblocks in their way. As the FDIC's Jeff Kopchik said, “If any one control is compromised, then you have other controls that will pick up the fraud.”

One of the layers, as per the guidance, must be anomaly detection, which is the ability to recognize and act on suspicious online behavior and anomalous transactions. It provides protection against the broadest range of attacks to the largest group of members.

Anomaly detection is based not on understanding specific fraud schemes or threats, but on monitoring and comparing each online and mobile banking session to established patterns of behavior.

This will identify fraud attacks regardless of what scheme was used to gain access to the account or what device is being used, such as a PC, smart phone, or pad computer. In other words, it will detect tomorrow's attacks just as well as it will detect today's.

The effectiveness of anomaly detection is reinforced by a recent study by Aite Group that found most institutions believe “that behavior analytics is very effective at combating online fraud.”

With the recent Guidance Supplement, the FFIEC has done a very good job of laying out how to secure your online banking channels. And by starting with anomaly detection, you'll be providing the best, most secure online and mobile banking service for your members.

And that will trump merely being compliant every day.

Terry Austin is CEO of Guardian Analytics in Mountain View, Calif.
