Survey Shows About Half Ready for New FFIEC Guidance
Guardian Analytics, a Mountain View, Calif.-based provider of behavioral analytics-based fraud prevention solutions, said just more than half of the financial institutions it surveyed are ready for the new FFIEC guidance that takes effect in 2012.
The company reported the results this week in its FFIEC Online Banking Security Readiness Study, which examined the state of financial institutions’ preparations to meet the 2012 deadline set forth in the FFIEC Supplement to the Authentication in an Internet Banking Environment.
The study was based on a survey taken last month among more than 300 executives responsible for online banking security decisions at more than 100 U.S.-based banks and credit unions, the company said.
The findings highlight that institutions are acting on the new expectations, but many will still have to rush to meet the 2012 deadline, the company said. Also, most of the institutions lack clarity on the minimum expectations for layered security outlined by the agencies in the supplement.
With the deadline rapidly approaching, institutions are making progress in the initial phases of preparedness: 57% of institutions have completed their risk assessment and 59% have formulated a plan to fill online banking security gaps, Guardian Analytics said.
Eighty-four percent plan to invest in new technology to address the enhanced expectations; however, most are not far along in technology implementation, the company said.
Only 43% of respondents said they actually purchased new technology solutions, but 49% intend to do so in the future, the study said.
In an effort to provide clarity on where institutions should start their layered security strategies, the FFIEC supplement outlined two minimum expectations against which credit unions and banks will be examined: the ability to detect and respond to suspicious activity at login and initiation of transactions in all accounts, and enhanced controls of administrative functions for business accounts.
Despite the specific language in the supplement, nearly half do not fully understand the minimum expectations, Guardian Analytics said of its respondents.
Forty-one percent were unable to identify anomaly detection as an FFIEC minimum expectation for layered security, and 56% were unable to identify enhanced controls for business banking administrative functions, the study said.
The study indicated that when asked about the factors that determine prioritization for technology investments, respondents on average ranked level of protection as the most important driver for choosing a technology solution, followed closely by customer convenience.
Meeting minimum FFIEC requirements for layered security ranked the lowest.
NCUA Chairman Debbie Matz is currently chair of the multi-agency FFIEC, which issued the new guidance this summer.