FFIEC Guidance: Just First StepEnterprise-Level Detection Could be Next on Regulators' List
Reductions in debit interchange fees brought on by Dodd-Frank and fraud-prevention investments mandated by the FFIEC are raising all sorts of questions for banking leaders. [See FFIEC Authentication Guidance.]
Ultimately, financial institutions want to take calculated steps that are based on strategic approaches. In the security and fraud-prevention space, especially as it relates to authentication standards outlined by the FFIEC, that means investing in technologies and solutions that will ensure ongoing compliance. Banks and credit unions want technology and systems that can evolve over time. As threats change, the systems must adjust.
We hear many institutions say that the guidance is a few years behind. What they see going on is multichannel fraud.
It's quite a different mindset from just five years ago, when most banks and credit unions were not thinking that long-term. Security, ultimately, was not the catalyst for investments in fraud prevention. Complying with regulatory mandates, however, was. It was a backwards approach that obviously has come back to bite us.
And some experts say it all could come back and bite us again, if institutions don't expand their fraud views by looking beyond the stipulated mandates of the updated FFIEC guidance this time around.
"We hear many institutions say that the guidance is a few years behind," says Susan Hawkins, senior vice president and group executive of e-banking, mobile and commercial treasury solutions for core processor FIS. "What they see going on is multichannel fraud."
Looking out, Hawkins says financial institutions are asking themselves where they need to make investments for enterprise-level transaction monitoring. [See Using Cross-Channel Fraud Detection.]
"The FFIEC guidance is obviously job one," she says. "But the forward look really has to be on enterprise fraud." And that means securing services across a growing range of channels, such as mobile and the ATM. "It's really making institutions look at what they have to do about enterprise fraud and legacy core systems, and what investments they need to make to position themselves for the future."
Matt Speare, who oversees security for M&T Bancorp., the United States' 17th largest bank holding company, agrees cross-channel detection is the future. But he also says for long-term security, financial institutions really must demand more from vendors, networks and processors.
"I think we as institutions should be demanding more from our clearing houses, because none of us process an ACH transaction entirely on our own," he says. "Demanding from them more robust fraud-detection technology and processes that can stop fraud mid-stream, versus waiting for it to show up at one of the banks, is something we should focus on going forward. I think that is where we need to push most as an industry, to have them help us."
Perhaps some help is needed here. Integrating systems and deploying solutions that offer true enterprise fraud detection is no simple feat. And with so many different entities connecting to and with the enterprise, without some collaboration among all of the congruous parties, I don't see how true enterprise-level detection of fraud across all channels will be possible.
Some of that collaboration may be a bit down the road, granted. But I do agree with the experts: Investments in technology and solutions that go beyond the FFIEC mandates that can stand the test of fraud-prevention time are definitely the wisest ways to go.
After all, it could just be a matter of time before enterprise-level fraud detection is the next mandated move.