We all know, or should know by now, that the Federal Financial Institutions Examination Council issued its supplement to the Authentication in an Internet Banking Environment guidance last summer.

The action item to this supplement was to begin examinations January 2012 that formally assess how financial institutions are faring with their electronic banking security under these enhanced expectations. Now that the examinations have commenced, what can credit unions expect?

Expect the FFIEC will want to review the credit union's risk assessment as it relates to the initial FFIEC guidance provided in 2005 and the follow-on guidance supplement issued June 2011.

Risk assessments should be updated to address the areas of risk addressed in last summer's supplement. If any credit union has not updated their assessment, do so now to help avoid negative findings during your next examination.

The most common audit exception that could be written up, for instance, is failure to have an up-to-date risk assessment. For those credit unions that have performed and/or updated their risk assessments, the next tripwire will be the absence of a risk remediation plan to deal with material risks identified in the risk assessment.

At the end of the day, it is all about identifying the risk and development and execution of a reasonable remediation plan. NCUA/FFIEC will be reluctant to recommend a specific technology to remediate risk. The reason for this reluctance is the fact that just about every specific technology suggested in the past has been summarily defeated.

Credit Union Issues

One of the biggest risks for credit unions is they may implement a technology that prevents members from authenticating easily and quickly. This “raising of the authentication bar” can actually create other risks that need to be considered.

For example, if it becomes cumbersome for members and business users to authenticate, they likely will not check their accounts as often. It becomes a barrier instead of a resolution and may actually serve to increase risk.

One of the keys to fraud prevention is routinely checking your accounts to ensure nothing bad is happening. If your new authentication schemas encumber members by having them jump through too many hoops, they will not check nearly as often.

The other issue is competition. Many larger financial institutions have studied various advanced authentication schemas only to abandon them or simply do nothing. They react to actual regulations, which spell out exactly what the law requires them to do. When challenged by examiners, their legal counsel or compliance staff will simply say, “This is guidance only and our risk assessment indicates we will disenfranchise large numbers of people.” And so they just don't do it.

The best means of addressing these issues is to do your assessment. Make sure it is up to date, and develop a remediation plan for risks. That remediation plan may involve looking at multiple solutions over a period of time and should certainly take into account the credit union's actual fraud experience.

If your membership is not experiencing significant fraud, you should be very careful about any changes you make. Your risk assessment may indicate that your risk and incidence of fraud is minimal and that implementation of authentication hurdles will disenfranchise members or even worse, specific classes of members; i.e., the elderly or handicapped.

In general, the credit union industry needs to continue to have an ongoing mantra of consumer protection. This is no different than the past and is congruent with the FFIEC mission. Elevated levels of fraud perpetrated through authentication mechanisms should be cause for alarm and should be monitored, analyzed and remediated.

Good Intentions

FFIEC has a mission to help financial institutions, credit unions in this case, to be safe and sound. They are consumer oriented and don't want to see consumers defrauded. The organization's guidelines are warranted as long as you remember the key word “guidelines”, as their main goal is to raise the level of awareness for financial institutions.

It is ironic that the single-largest fraud conduit is card fraud: debit and credit cards. The technology to secure these cards has existed for well over a decade but has been largely ignored in America. The largest opportunity for consumer protection is in the area of card fraud prevention. To this end, the FFIEC might use its resources more effectively to address the card fraud problem.

Many credit unions are already well prepared. Many “out-of-the-box” authentication schemas used today have yielded low authentication-related fraud. Even though many providers offer good “out-of-the-box” solutions, there are also additional authentication technologies that have been around for over a decade. The adoption rate of these technologies has been very low due to four primary factors:

  • Actual Fraud Experience: For most credit unions, as a percentage of total fraud, the fraud through the Internet banking channel has been very low. As a percentage of total transactions, the Internet banking channel accounts for a rapidly growing portion of the total number of financial transactions. As the transaction volume has grown, so have the number of online fraud incidents – but not disproportionally. As for credit unions reporting fraud incidents, the overall number of incidents has been very low, especially when compared to other transactional conduits. A good example of this would be the high levels of card, ACH, and wire fraud reported by some financial institutions.
  • Inconvenience: Another reason for low adoption of advanced authentication technologies has been the convenience factor. Many credit unions, and especially their competitors, are reluctant to introduce any technology that stands in the way of consumer convenience and transaction execution. Most advanced authentication technologies introduce some measure of consumer inconvenience, transaction failure, or inequity. Advanced authentication technologies often create usage barriers for people who do not own a computer, have old computers, have other legacy Internet access devices, are handicapped, or are otherwise technology challenged.
  • Cost/ROI: Another factor limiting the adoption of additional authentication technologies is their cost/inconvenience relative to their return on investment (ROI). This scenario has played out for years with debit and credit cards. While the technology to dramatically improve the authentication of card transactions has existed for more than a decade, American financial institutions, their regulating authorities, and card licensors have not compelled adoption of these authentication technologies in any significant way. The desire for successful transaction execution, consumer convenience, and low ROI are factors limiting broader adoption of advanced authentication technologies.
  • Uncertainty: Often, it is costly to deploy authentication technologies both in terms of consumer convenience and recurring dollar costs. Adding to the uncertainty is the fact that frequently, today's leading technology becomes tomorrow's hacked failure. Many of the name brand authentication schemas deployed by leading financial institutions and governments have been summarily defeated by criminals who target these institutions. These defeats have created uncertainty about which technology to utilize.

As FFIEC examinations continue into 2012, credit unions should be prepared in advance of their examiner's arrival. If any credit union has not updated their assessment, do it now!

Robert Broadwell is general manager of PM Systems Corp., an ACI Worldwide Company, in Chapin, S.C.
