The following article, written by Michael J. McEvoy, was first published in Bank Technology News, on August 1st, 2011

No Upside to Online Rules

In June, the FFIEC issued new guidelines detailing the measures financial institutions are expected to take in order to protect internet banking (online and mobile banking) customers from fraud and misuse of their data. The changes take effect in January 2012. Starting then, banks, thrifts, credit unions and other types of financial institutions overseen by FFIEC agencies will be expected to meet or exceed the revised guidelines and will be judged accordingly by FFIEC examiners.

The guidelines were last revised in 2005, but things have changed considerably since then. Tools to compromise authentication mechanisms and gain unauthorized access to customer accounts have become more sophisticated and readily available. Phishing, pharming, malware, and other threats have become familiar elements of the e-banking landscape.

At the same time, the size of the opportunity for fraudsters has risen tremendously, as efforts to improve online functionality have been matched by growing numbers of customers taking up online services. Recent research by Novantas/Novarica has underscored the shift to digital channels (online and mobile) and the extent to which they are siphoning transactions away from banks' physical channels.

Business customers, in particular, have been victims of 'cyber crime'. Businesses transfer funds far more frequently than consumers and for higher values, and their routine use of ACH and wire transfers makes them a relatively soft target for fraudsters.

The response of the FFIEC to this changing landscape is to issue new guidelines that update the previous directions from 2005. At the core of these guidelines are three key components: risk assessments by financial institutions, layered security to protect online customers and customer awareness efforts.

Under the revised guidance, risk assessments are to be undertaken more frequently and more comprehensively than in the past. Banks will need to update their risk assessments before they offer new online products and at least once a year.

When they do conduct risk assessments, banks must formally consider certain elements laid out by the FFIEC, including:

* Changes to the internal and external threat environment;

* Changes in the customer base adopting online banking;

* Changes in online functionality offered to customers; and,

* Actual incidents of security breaches, identity theft and fraud experienced by the institution or the industry at large.

As the second 'key component' of the guidelines, the FFIEC has determined that financial institutions must implement 'layered security' for all of their online customers. Layered security involves the application of different controls at different points in a transaction process so that any weakness in one control may be offset by the strength of another control.

Such controls may include out-of-band verification, where a step in the transaction is confirmed through a second channel or device. An example might be a consumer applying for a credit line increase online and using a different channel (e.g. the home telephone) to complete the application.

At some point in the process, the applicant would receive an automated call from the card issuer providing a PIN. The applicant would type the PIN into the online application as an additional form of user authentication, to confirm the user is who he claims to be. The value of this control lies in the second channel being independent of the device used for the online session, and in the PIN being single-use and short-lived.

Other examples of controls include limits on account activities, such as transaction value thresholds, restrictions on payment recipients, number of transactions allowed per day and allowable payment windows (e.g. payments only during normal business hours).

A basic principle banks will be expected to follow is that higher transaction values should be accompanied by stronger security controls, with the most demanding controls reserved for the riskiest transactions.
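The controls described above (value thresholds, recipient restrictions, daily transaction counts, payment windows, and a step-up to an out-of-band PIN for higher-value transfers) can be expressed as a small policy engine. The following is an added example written for this page, not code from the article or from any FFIEC publication; the policy values, account and recipient names, and the sample transfers are constructed for illustration. Each control is evaluated independently so that a weakness in one is not the only thing standing between a fraudster and the funds, and a PIN check uses a constant-time comparison and an expiry so a stale or guessed PIN is rejected.

```python
"""Layered transaction controls with out-of-band step-up authentication.

Added example, not part of the original article. Policy values, account
identifiers and sample transfers below are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from decimal import Decimal


@dataclass
class Policy:
    step_up_threshold: Decimal = Decimal("1000.00")  # above this, require a second factor
    hard_limit: Decimal = Decimal("25000.00")        # above this, deny outright
    max_daily_count: int = 10                         # transactions allowed per day
    window_start: time = time(8, 0)                   # payments allowed 08:00-18:00 only
    window_end: time = time(18, 0)
    allowed_recipients: frozenset = frozenset()       # empty set means no restriction


@dataclass
class Transfer:
    account: str
    recipient: str
    amount: Decimal
    submitted_at: datetime


@dataclass
class Decision:
    outcome: str                        # "allow", "step_up" or "deny"
    reasons: list = field(default_factory=list)


def evaluate_transfer(t: Transfer, policy: Policy, prior_today: int) -> Decision:
    """Apply every control independently; a failure in any one of them denies."""
    reasons = []
    if t.amount <= 0:
        reasons.append("non-positive amount")
    if t.amount > policy.hard_limit:
        reasons.append("amount exceeds hard limit")
    if policy.allowed_recipients and t.recipient not in policy.allowed_recipients:
        reasons.append("recipient not on approved list")
    if prior_today >= policy.max_daily_count:
        reasons.append("daily transaction count exceeded")
    if not (policy.window_start <= t.submitted_at.time() < policy.window_end):
        reasons.append("outside payment window")
    if reasons:
        return Decision("deny", reasons)
    # Higher value, stronger control: route to out-of-band verification.
    if t.amount > policy.step_up_threshold:
        return Decision("step_up", ["amount above step-up threshold"])
    return Decision("allow")


@dataclass
class IssuedPin:
    value: str
    issued_at: datetime
    ttl: timedelta = timedelta(minutes=5)


def issue_pin(now: datetime, digits: int = 6) -> IssuedPin:
    """Generate the single-use PIN that the automated call would read out."""
    value = "".join(secrets.choice("0123456789") for _ in range(digits))
    return IssuedPin(value, now)


def verify_pin(issued: IssuedPin, entered: str, now: datetime) -> bool:
    """Reject expired PINs, then compare in constant time to avoid timing leaks."""
    if now - issued.issued_at > issued.ttl:
        return False
    return hmac.compare_digest(issued.value.encode(), entered.encode())


def demo() -> dict:
    """Run the controls over constructed transfers; returns outcomes keyed by label."""
    policy = Policy(allowed_recipients=frozenset({"ACME-PAYROLL"}))
    when = datetime(2012, 1, 10, 9, 30)
    small = Transfer("A1", "ACME-PAYROLL", Decimal("500.00"), when)
    large = Transfer("A1", "ACME-PAYROLL", Decimal("5000.00"), when)
    bad = Transfer("A1", "UNKNOWN-CO", Decimal("5000.00"), when.replace(hour=20))
    pin = issue_pin(when)
    return {
        "small": evaluate_transfer(small, policy, 0).outcome,
        "large": evaluate_transfer(large, policy, 0).outcome,
        "bad": evaluate_transfer(bad, policy, 12).reasons,
        "pin_ok": verify_pin(pin, pin.value, when + timedelta(minutes=1)),
        "pin_expired": verify_pin(pin, pin.value, when + timedelta(minutes=6)),
        "pin_wrong": verify_pin(pin, "x" * 6, when),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The deny branch collects every failed control rather than stopping at the first, which is what a fraud analyst wants to see in the audit record; the step-up branch hands the transaction to the out-of-band flow rather than approving it, so a compromised browser session alone is not enough to move funds above the threshold.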

The third key component of the guidelines is concerned with customer awareness and education. Among other things, this will involve communicating to customers the protections being provided to them and providing contact information for customers wanting to report suspicious account activity.

What does all this mean for the beleaguered CIO?

To prepare for the enhanced expectations FFIEC examiners will bring when they show up during 2012, CIOs will need to assess their current approaches and capabilities against the new guidance. Consultation with vendors may be needed to ensure the required support is in place.

For the 'big bank' CIO, the enhanced guidelines may be much ado about nothing. Their bank may already meet the guidelines.

For smaller competitors, however, there may be challenges, even for those with service bureau relationships. At a minimum, many banks will see costs increase, with no offsetting revenue gain.

While apparently necessary from a security and risk management standpoint, the revised FFIEC guidance comes at a time when banks are already feeling the burden of increased regulatory oversight. In the current climate, revenue and profitability are under pressure at U.S. banks, and any addition to the regulatory and compliance burden pushes more institutions toward unprofitability and extinction. This is especially true of smaller banks. Many community banks are likely to feel particularly adversely affected by the new standards they will need to meet in order to satisfy the bank examiner in 2012.

Michael J. McEvoy is a co-founder of Nechtain LLC

www.nechtain.com