Prepare Now for FFIEC Online Security Exams
We all know, or should know by now, that the Federal Financial Institutions Examination Council issued its supplement to the Authentication in an Internet Banking Environment guidance last summer.
The action item attached to this supplement was to begin examinations in January 2012 that formally assess how financial institutions are faring with their electronic banking security under these enhanced expectations. Now that the examinations have commenced, what can credit unions expect?
Expect the FFIEC will want to review the credit union’s risk assessment as it relates to the initial FFIEC guidance provided in 2005 and the follow-on guidance supplement issued June 2011.
Risk assessments should be updated to address the areas of risk covered in last summer’s supplement. If your credit union has not updated its assessment, do so now to help avoid negative findings during your next examination.
The most common audit exception that could be written up, for instance, is failure to have an up-to-date risk assessment. For those credit unions that have performed and/or updated their risk assessments, the next tripwire will be the absence of a risk remediation plan to deal with material risks identified in the risk assessment.
At the end of the day, it is all about identifying the risk and then developing and executing a reasonable remediation plan. NCUA/FFIEC will be reluctant to recommend a specific technology to remediate risk. The reason for this reluctance is that just about every specific technology suggested in the past has been summarily defeated.
Credit Union Issues
One of the biggest risks for credit unions is that they may implement a technology that prevents members from authenticating easily and quickly. This “raising of the authentication bar” can actually create other risks that need to be considered.
For example, if it becomes cumbersome for members and business users to authenticate, they likely will not check their accounts as often. It becomes a barrier instead of a resolution and may actually serve to increase risk.
One of the keys to fraud prevention is routinely checking your accounts to ensure nothing bad is happening. If your new authentication schemas encumber members by having them jump through too many hoops, they will not check nearly as often.
The other issue is competition. Many larger financial institutions have studied various advanced authentication schemas only to abandon them or simply do nothing. They react to actual regulations, which spell out exactly what the law requires them to do. When challenged by examiners, their legal counsel or compliance staff will simply say, “This is guidance only and our risk assessment indicates we will disenfranchise large numbers of people.” And so they just don’t do it.
The best means of addressing these issues is to do your assessment. Make sure it is up to date, and develop a remediation plan for risks. That remediation plan may involve looking at multiple solutions over a period of time and should certainly take into account the credit union’s actual fraud experience.
If your membership is not experiencing significant fraud, you should be very careful about any changes you make. Your risk assessment may indicate that your risk and incidence of fraud are minimal and that implementing authentication hurdles will disenfranchise members or, even worse, specific classes of members, e.g., the elderly or disabled.
In general, the credit union industry needs to continue to have an ongoing mantra of consumer protection. This is no different from the past and is congruent with the FFIEC mission. Elevated levels of fraud perpetrated through authentication mechanisms should be cause for alarm and should be monitored, analyzed and remediated.
FFIEC has a mission to help financial institutions, credit unions in this case, be safe and sound. They are consumer oriented and don’t want to see consumers defrauded. The organization’s guidelines are warranted as long as you remember the key word “guidelines”, as their main goal is to raise the level of awareness at financial institutions.
It is ironic that the single-largest fraud conduit is card fraud: debit and credit cards. The technology to secure these cards has existed for well over a decade but has been largely ignored in America. The largest opportunity for consumer protection is in the area of card fraud prevention. To this end, the FFIEC might use its resources more effectively to address the card fraud problem.
Many credit unions are already well prepared. Many “out-of-the-box” authentication schemas used today have yielded low authentication-related fraud. Even though many providers offer good “out-of-the-box” solutions, there are also additional authentication technologies that have been around for over a decade. The adoption rate of these technologies has been very low due to four primary factors:
- Actual Fraud Experience: For most credit unions, as a percentage of total fraud, the fraud through the Internet banking channel has been very low. As a percentage of total transactions, the Internet banking channel accounts for a rapidly growing portion of the total number of financial transactions. As the transaction volume has grown, so has the number of online fraud incidents – but not disproportionately. Among credit unions reporting fraud incidents, the overall number of incidents has been very low, especially when compared to other transactional conduits. A good example of this would be the high levels of card, ACH, and wire fraud reported by some financial institutions.
- Inconvenience: Another reason for low adoption of advanced authentication technologies has been the convenience factor. Many credit unions, and especially their competitors, are reluctant to introduce any technology that stands in the way of consumer convenience and transaction execution. Most advanced authentication technologies introduce some measure of consumer inconvenience, transaction failure, or inequity. Advanced authentication technologies often create usage barriers for people who do not own a computer, have old computers, have other legacy Internet access devices, are handicapped, or are otherwise technology challenged.
- Cost/ROI: Another factor limiting the adoption of additional authentication technologies is their cost/inconvenience relative to their return on investment (ROI). This scenario has played out for years with debit and credit cards. While the technology to dramatically improve the authentication of card transactions has existed for more than a decade, American financial institutions, their regulating authorities, and card licensors have not compelled adoption of these authentication technologies in any significant way. The desire for successful transaction execution, consumer convenience, and low ROI are factors limiting broader adoption of advanced authentication technologies.
- Uncertainty: Often, it is costly to deploy authentication technologies both in terms of consumer convenience and recurring dollar costs. Adding to the uncertainty is the fact that, frequently, today’s leading technology becomes tomorrow’s hacked failure. Many of the name-brand authentication schemas deployed by leading financial institutions and governments have been summarily defeated by criminals who target these institutions. These defeats have created uncertainty about which technology to utilize.
As FFIEC examinations continue into 2012, credit unions should be prepared in advance of their examiner’s arrival. If your credit union has not updated its assessment, do it now!