WASHINGTON — Many credit unions are not going to be in compliance with the Federal Financial Institutions Examination Council's Guidance on Authentication in Internet Banking Environment by year-end despite their efforts, according to some industry experts.

When frequently asked questions on the guidance were issued Aug. 8, some were hoping for an extension of the compliance deadline, but the FFIEC agencies, which include NCUA, did not budge. In fact, according to NAFCU Director of Compliance Anthony Demangone, credit unions were somewhat thrown for a loop when the FAQs stated that high-risk transactions over the telephone were covered by the guidance's principles. Authentication over the phone, he said, would be “cumbersome.”

However, Demangone also pointed out that the guidance does not necessarily require multi-factor authentication; depending on its individual situation, a credit union may instead employ layered security. “As long as you deem it to be adequate and you can defend it, you should be fine,” he said.

According to NCUA's Letter to Credit Unions (06-CU-13), which was sent out with the FAQs, “Credit unions providing Internet-based services to members should complete a risk assessment of those products and services to determine if high-risk transactions are performed. High-risk transactions are defined as access to member information or the movement of funds to other parties.”

The risk evaluation should, at a minimum, consider:

o the member transactional capabilities,
o the sensitivity of the member information being communicated to both the credit union and the members,
o the ease of using the communication method, and
o the volume of transactions.

NCUA's letter does state, “If the risk assessment identifies the credit union providing high-risk Internet based products and services and single-factor authentication is the only control mechanism, additional controls need to be implemented. Those controls can be multifactor authentication, layered security, or other controls reasonable to mitigate the risk.” The guidance also addresses the need for monitoring systems and member education.

Single-factor authentication is never acceptable for high-risk transactions, the FAQs state, even if the institution agrees to reimburse for losses. However, single-factor is still permitted for systems that do not process high-risk transactions.

So, what happens if a credit union is not fully compliant by Dec. 31, 2006? According to the frequently asked questions, that will depend upon the credit union's efforts. “The Agencies are not considering any general extension of the timing associated with this guidance…The Agencies' examiners will assess the adequacy of each financial institution's authentication controls on a case-by-case basis,” the FAQs read.

Who is Doing What

PSECU, known for its tech savvy, has deployed Cyota (acquired by RSA Security, which was in turn acquired by EMC), according to President and CEO Greg Smith, and has been working on the project for two years. The credit union selected a system that matches the member to a known IP address and is in the process of building an address database. If the IP address does not match, the member's known phone numbers are checked and the credit union asks which number to call. A pop-up on the screen then displays a code that the member keys into the phone to confirm the login.

“What we wanted to do in meeting the requirements was to interfere with the member's process as little as possible,” Smith explained. PSECU is branchless, so the fewer steps added to members' online banking, the better. He said his credit union wanted to avoid the usual list of security questions, which can have different answers between joint accountholders, as well as expensive tokens.

“Credit unions have been very gracious in sharing their experiences…Helping other credit unions is what credit unions do,” he added.

Demangone said he has heard complaints from credit unions that their vendors are backed up and they are not seeing any “safe harbor” from the regulators. But Cyota is geared up, even handling Bank of America, according to Smith. Additionally, Fiserv said it has PassMark security available to its clients in time for the year-end deadline.

After Fiserv identified the need for a multi-factor authentication solution, Joe Barry, president of the eastern region for Fiserv's credit union group, said the company made the business decision to buy an application rather than build one and acquired the PassMark product from RSA Security. Because of the scale of its client base (nearly 6,000 institutions), Fiserv was able to negotiate a “real bargain” for its customers. Though he did not disclose the terms, he said there would be a charge per home banking customer per year.

“Every Fiserv customer should be in good shape,” Barry said, which includes 2,850 credit unions. “We expect all of our clients to sign up. I can't imagine anyone wouldn't.”

How PassMark works, Fiserv's GalaxyPlus Senior Vice President of Information Technology Vince Francone explained, is that it registers the consumer's device, such as a home computer. Most users pass on this one check alone; those whose device is not recognized, the high-risk cases targeted by the guidance, are challenged further. The user ID identifies the member and is matched against the registered device.

The credit union then shows the member a picture they have pre-selected; it could be anything, such as their dog. This step confirms to the member that they are communicating with the credit union, and is intended to help members recognize a phishing site, which would not be able to show the right picture, Francone explained. Only then does the member enter their password.
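The two deployments described above (PSECU's IP match with a phone callback code, and PassMark's registered device followed by a pre-selected image and then the password) share one shape: recognize the device, step up out of band when it is not recognized, and release the member's image only to a recognized device. The following is an added example written for this page to show that shape in working code; it is not Cyota's, PassMark's or Fiserv's code. The member record, the addresses, the image name, the six-digit code format, and the use of the client IP to tie the phone confirmation back to the on-screen session are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample member record (not real data). Only hashes of the
# password and of issued device tokens are stored, never the secrets.
SALT = b"constructed-demo-salt"


def digest(value: str) -> str:
    return hashlib.sha256(SALT + value.encode()).hexdigest()


MEMBERS = {
    "jdoe": {
        "password_hash": digest("correct horse battery staple"),
        "site_image": "dog.jpg",           # picture the member pre-selected
        "known_ips": {"203.0.113.7"},      # TEST-NET-3 address, constructed
        "device_token_hashes": set(),      # hashes of tokens issued to devices
        "phone": "+1-555-010-0100",        # constructed number the CU would call
    }
}


class LoginFlow:
    def __init__(self, members):
        self.members = members
        self.pending = {}  # username -> (code shown on screen, ip it was shown to)

    def _recognized(self, member, ip, device_token):
        if ip in member["known_ips"]:
            return True
        return (device_token is not None
                and digest(device_token) in member["device_token_hashes"])

    def identify(self, username, ip, device_token=None):
        """Step 1: username plus device recognition.

        The site image is released only to a recognized device. Releasing it on
        the username alone would let a phishing site fetch the real image by
        relaying the username. An unrecognized device gets an out-of-band step:
        a code is displayed on screen for the member to key into the phone call
        placed to their known number.
        """
        member = self.members.get(username)
        if member is not None and self._recognized(member, ip, device_token):
            return {"status": "image", "site_image": member["site_image"]}
        code = f"{secrets.randbelow(10**6):06d}"
        if member is not None:
            self.pending[username] = (code, ip)
        # Unknown usernames get an identical-looking challenge that never verifies,
        # so the response does not reveal whether the account exists.
        return {"status": "challenge", "channel": "phone", "code": code}

    def confirm_phone(self, username, ip, code_keyed_into_phone):
        """Step 1b: the code keyed into the phone must match the one on screen,
        and must come back for the same session (here approximated by IP).
        Success registers the device and releases the image."""
        expected = self.pending.pop(username, None)   # one attempt per challenge
        if expected is None or expected[1] != ip:
            return None
        if not hmac.compare_digest(expected[0], code_keyed_into_phone):
            return None
        member = self.members[username]
        token = secrets.token_urlsafe(32)             # to be set as a device cookie
        member["device_token_hashes"].add(digest(token))
        member["known_ips"].add(ip)
        return {"status": "image", "site_image": member["site_image"],
                "device_token": token}

    def verify_password(self, username, password):
        """Step 2: the password is entered only after the member has seen their image."""
        member = self.members.get(username)
        if member is None:
            return False
        return hmac.compare_digest(member["password_hash"], digest(password))


if __name__ == "__main__":
    flow = LoginFlow(MEMBERS)
    first = flow.identify("jdoe", "198.51.100.9")       # unrecognized address
    confirmed = flow.confirm_phone("jdoe", "198.51.100.9", first["code"])
    print(first["status"], "->", confirmed["status"], confirmed["site_image"])
    print("password ok:", flow.verify_password("jdoe", "correct horse battery staple"))
```

Two details carry the security argument. The image is never returned in the same response as the challenge, so a phisher relaying a stolen username to the real site gets a code it cannot complete rather than the member's picture. And the phone leg is bound to the on-screen session, so a code read over the phone cannot be replayed from elsewhere. In a real deployment the IP check would be replaced by a proper session identifier and the device cookie would be scoped and expiring; those are outside what the article describes.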

Francone called Fiserv's approach of operating as one company across its various brands a “textbook case” of being able to “concentrate on one product, one solution” across all of Fiserv's offerings.

“The larger financial institutions have been setting the bar in multi-factor authentication. A few capable vendors have been scrambling to enable a large number of institutions,” Francone explained on how some financial institutions might have difficulty meeting the compliance deadline.

He added that the credit union's risk assessment, as required by the guidance, is crucial, since the risk of fraud is not as high as the risk to an institution's reputation. And, Francone said, “It's a marketing issue for consumer confidence.” If the big bank across the street is offering multi-factor authentication and a credit union is not, what will that do to members' perception of online security?

Regarding high-risk phone banking among credit unions, Francone speculated, “As credit unions start doing their risk assessment, their risk isn't going to be there yet.”

Demangone said about half the NAFCU members he has spoken with are still working hard to get their programs together. He also said he understands from anecdotal conversations that this is not just a credit union problem, but across all covered financial institutions.

© Touchpoint Markets, All Rights Reserved.