Credit unions today face extreme challenges to protect the online security of members and their own institution.

To address those challenges, the FFIEC recently released a supplement to its Authentication in an Internet Banking Environment guidance, which describes customer authentication, layered security and other controls in the increasingly volatile online environment.

Where Does Multifactor Fit?

While multifactor authentication is an essential component of the FFIEC's guidance, the supplement's primary focus is on preventing rootkit-based malware, conducting stronger risk assessments, and implementing layered security controls.

In fact, many credit union executives are surprised to learn that multifactor authentication is not required for all online activity. The guidance only mandates multifactor for online business member accounts and other high-risk transactions such as remote deposit capture or remote employee access.

According to a September 2011 study conducted by HEIT, a Computer Services Inc. (CSI) Company, and cbanc Network, 73% of community financial institutions are using multifactor for business accounts, while 37% are using it for high-risk transactions. Interestingly, while not required, 83% of community financial institutions are using multifactor authentication for retail online banking accounts.

At the Heart of the Guidance

The heart of the FFIEC guidance is an attempt to ensure credit unions are taking the necessary steps to protect online access to their systems and member accounts. To ensure compliance with the guidelines, credit unions cannot rely solely on any single control for authorizing high-risk transactions.

Instead, they should institute a system of layered security and review and update their existing risk assessments (1) as new information becomes available, (2) prior to implementing new electronic financial services, or (3) at least every twelve months.

Security in Layers

In addition to the recognized industry approach to adopting a layered security program, the FFIEC expects credit unions to meet the following two minimum requirements for layered security:

  1. Structure the security of online accounts to detect and respond to suspicious activity at the initial login and during the initiation of any electronic funds transfers
  2. Enhance control of privileged administration functions for business accounts

While the guidance provides a list of additional layered security controls that should be considered, these two controls are identified as the minimum requirements that must be met.

According to the HEIT and cbanc Network survey of community financial institutions, 50% did not realize the guidance defines two minimum required elements of a layered security program.

In 2012, examiners will be charged with ensuring a process is in place to detect and respond to suspicious activity at initial login to an electronic banking system and initiation of electronic transactions involving funds transfer.

Preparing for the 2012 Exam Cycle

Examiners have just completed their training for the pending exam cycle. Credit unions may see an FAQ document released to the industry over the next few months to address many industry questions since the guidance was published.

NCUA examiners will be monitoring these standards beginning January 2012. Credit unions must act now to complete the necessary steps to achieve compliance.

  1. Review and update your IT risk assessment and consider the new information that is provided in the June 2011 FFIEC Supplemental Authentication Guidance
  2. Work with your managed service provider, core provider or other online banking solution provider to begin evaluating stronger authentication techniques that can supplement weaker methods such as basic challenge questions or simple device identification
  3. Consider whether you need to add additional controls throughout your security program, including high-risk transactions, remote employee access to customer data, and business accounts. Where your IT risk assessment identifies similar high risks for retail accounts, you should also consider the use of appropriate multifactor authentication
  4. Consider adopting the benefits of a cloud-based managed compliance service as an alternative to project-based compliance initiatives to cost-effectively support your continued success.

Rethink Traditional Compliance Methods

Traditional manually intensive, project-based, point-in-time, paper-laden compliance and risk management programs just won't cut it anymore. In 2012, examiners will expect credit union executives to have a process in place to continuously monitor and update their compliance and risk management practices to adjust for new information and changes in the business, compliance, and risk landscape.

Credit unions need visibility and transparency across the entire organization. Furthermore, credit unions will be challenged with taking on more with less, as well as finding access to subject matter expertise and a pool of resources to interpret and implement these and many other new mandates.

Cloud-Based Managed Compliance Services

An innovative alternative to traditional compliance methods is cloud-based managed compliance services. Credit unions already outsource many of their supporting operations to trusted, knowledgeable third parties. Outsourcing compliance is now a realistic and viable option, and perhaps the only cost-effective alternative.

A managed compliance approach allows your institution to drive time and cost out of compliance efforts, while expanding your team of resources with constant coverage by qualified risk experts, along with comprehensive services and reporting to provide the continuous support needed to manage risk and achieve, maintain, and prove compliance with all of the FFIEC guidelines.

Paul Reymann is chief risk officer for Fort Collins, Colo.-based HEIT, a CSI Company.
