The Fraud Blog with Tracy Kitten

FFIEC Authentication Confuses Banks, CUs

Survey Report Shows Institutions Struggle With Conformance

Our new Faces of Fraud survey report shows banks and credit unions are making strides toward enhanced fraud detection and prevention.

Banking security executives say investments in enhanced fraud detection, monitoring systems and customer and member education top their lists for fighting fraud this year.

They're also upping investments to improve out-of-band verification, enhance account-activity controls, improve vendor-management practices, implement more anti-money-laundering tools, track more high-risk accounts, enhance dual authorization and conduct more internal and external audits.

Much of that increased spending and focus is linked to security enhancements outlined in the FFIEC's updated Authentication Guidance (see Fraud Survey: Banks Get Bigger Budgets).

But there's a problem. Too many executives say they don't really know that the investments their institutions are making will have significant impacts on fraud. Moreover, they don't understand regulatory demands, and question whether the new guidelines really address the right fraud-prevention needs.

Confusion About Guidance

Here's what our survey finds: Of the more than 200 financial leaders who responded, 29 percent say they still don't understand what regulators want, where conformance with the FFIEC Authentication Guidance is concerned, and 88 percent don't believe conformance will do much to curb online fraud.

Those findings are alarming.

For one, the updated guidance is not really that updated. The update definitely offers many more details than the guidance issued back in 2005. But the tenets are the same. Multifactor authentication, regular risk assessments, transaction verification, account monitoring and customer/member education were all noted in the 2005 release, and though they're clarified in the 2011 update, the message is the same.

Those recommendations should not be surprising. Banks and credit unions should have been addressing those areas for the last seven years.

The updated guidance definitely clarifies a few suggestions, by, for example, explaining how an institution might implement multifactor authentication or transaction verification through device identification. But, really, there's no great variance between the 2005 and 2011 releases.

Why Institutions Should be Doing Better

It's troubling to learn that banks and credit unions are confused. We often hear the adage, "Compliance doesn't equal security," but have banking security leaders truly embraced that concept?

The FFIEC guidance is just that - guidance. It's a suggested roadmap for enhanced e-channel security. Banking institutions have to fill in the gaps, based on their own risks. That's what regulators want to see.

When any organization gets too caught up in compliance, it gets into trouble.

Be sure to check out the new Faces of Fraud survey report for an in-depth analysis of all the results.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.
