Countdown to FFIEC Compliance

Survey Measures Efforts to Conform with Authentication Guidance
A new survey finds that only 56% of U.S. banking institutions have conducted risk assessments, but 87% have deployed layered security controls. Are banks ready to conform with the FFIEC Authentication Guidance?

"The survey shows that in the past six months, since the guidance was released, financial institutions have really jumped into action," says Terry Austin, CEO of Guardian Analytics, which commissioned this FFIEC Online Banking Security Readiness Study, which includes input from over 300 bank and credit union executives. "Eighty-five percent of the respondents say they have been actively taking steps to address specifics of the guidance, and they're planning a lot more over the next six months. So, it's going to be a very busy time as the 2012 audits approach."

In an exclusive interview about the findings of this new survey, Austin discusses:

  • Banking institutions' progress in conforming with the FFIEC Authentication Guidance;
  • Survey results specific to risk assessments, layered security and customer awareness;
  • Technology investments institutions plan to make.

Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.

TOM FIELD: To start out with, tell us a little bit about this survey that you commissioned.

TERRY AUSTIN: It was conducted between Nov. 9-21 of this year, and the survey pool was comprised of about 300 individuals who are responsible for making decisions related to online banking security, and these were from credit unions and banks across the U.S., about 75 percent banks and about 25 percent credit unions, and a range of asset sizes, everything from under $100 million in assets up to over $200 billion in assets, and everything in between. We got responses from online banking executives primarily, but also operations people, risk officers, treasury management folks and a few other categories. We feel like it's a pretty comprehensive survey and pretty well-representative of the demographics.

FIELD: We're coming up to January 2012, when examiners are going to start checking financial institutions for conformance with the guidance. Let's talk about the timing. Why commission this study right now?

AUSTIN: First, we're committed to understanding the fraud marketplace, certainly, and this is part of our ongoing investment to research and understanding how fraud is impacting financial institutions and their account holders. But also there is a self-interest part of this. Since the guidance came out in June, we've had absolutely exponential growth in our customers, and we've been hiring like crazy. In fact, we've about doubled the size of our company from a headcount standpoint in the last six months or so, and we really needed some data in order to plan for our business growth in 2012.

FIELD: The question everybody wants to hear the answer to, based on your survey results: how would you say institutions are doing in improving their fraud security in response to the FFIEC guidance?

AUSTIN: The survey shows that within the last six months since the guidance was released, the financial institutions have really jumped into action. Eighty-five percent of the respondents said that they have been actively taking steps to address the specifics of the guidance, and they're planning a lot more over the next six months. It's going to be a very busy time as the 2012 audits approach.

FIELD: The results uncovered some interesting information about institutions' motivation for improving fraud security. What can you tell us that you learned in this specific area?

AUSTIN: We had gone in with an initial hypothesis that the guidance was a prime driver of what the financial institutions are going to do, and it's important, and it shows up being important. But when asked about the factors that are determining their priority and the technology investments they're going to make, the survey shows that improving their level of protection against all threats and doing it in a way that did not impact customer service were really the top two reasons that financial institutions are going to make these upgrades to their fraud defenses. And meeting minimum requirements, while important, did not rank as high as these other things. It looks like the financial institutions have some higher aspirations than simply conforming to the regulation. This is speculation on my part, but I begin to wonder if the financial institutions are starting to see improved fraud defenses as a competitive differentiator.

FIELD: As you know, the guidance focuses on three areas: risk assessments, layered security and customer education. Let's talk about each of these. What can you tell me you learned from the survey regarding the risk assessments?

AUSTIN: Fifty-six percent of respondents have already completed a risk assessment, and 80 percent of those have done so in the last six months. The guidance has really driven activity around the risk-assessment area. Fifty-nine percent of the respondents have already created a plan to fill the gaps that they identify from the risk assessment. Also interestingly, 89 percent of the respondents plan on refreshing their risk assessment at least every quarter. It's had a real impact on the frequency of these risk assessments. The triggers FIs mentioned that will drive them to repeat the risk assessment - cited by at least half the respondents - are whenever a significant attack happens at other banks, whenever they add new services and any time new risks are identified in the marketplace.

FIELD: One of the other two topics - layered security - what have you learned about layered security controls from your respondents?

AUSTIN: Fifty-five percent of the respondents indicated that they already had some form of layered security in place at the time the guidance was released. An additional 32 percent had instituted other layered-security practices since the guidance came out. We asked about a long list of layers that FIs might have in place, including transaction monitoring, account-exposure limits based on suspected account activity, device identification, IP-reputation tools, out-of-wallet questions and things like that, and every one of them is already in place. Every one of those layers is already in place for at least half of the institutions we surveyed. We also received some interesting results about FIs' understanding of the FFIEC minimum expectations for layered security as part of that.

FIELD: Let me follow up with you on that. Interesting question there about the results of minimum expectations - can you expound upon that please?

AUSTIN: Ninety-seven percent - almost 100 percent of the respondents - indicated that they were either fully aware or somewhat aware of the FFIEC guidelines. Everybody knows it's out there practically, yet only about half of the respondents were able to correctly identify the specific items that the FFIEC included in the guidance as "minimum expectations." For example, the ability to detect and respond to suspicious activity was identified as a minimum expectation by only 59 percent of respondents. Enhanced controls for the administrative functions associated with business accounts, which is the second minimum expectation for layered security, was only identified by 44 percent of the respondents. We're not criticizing the FIs here. I think they're jumping into action, but we're highlighting that there's still some more education and interpretation of the guidance that's needed to fully appreciate what the minimum expectations are.

FIELD: Education is a good word and that leads into our other topic, customer awareness and education. This is typically an area where financial institutions have struggled. What did your survey find?

AUSTIN: Two out of three financial institutions already have expansive customer-education programs in place, and the remainder indicated that they plan to implement or improve their education programs over the next six to 12 months. Some examples of what they're planning to cover are already covered in their program. Seventy percent disclosed the protections that are provided and the protections that are not provided. Sixty-eight percent explained the circumstances under which they will contact a customer on an unsolicited basis requesting personal information, and 60 percent explained what customers might do to mitigate the fraud risk on their own. It's getting out there and it's providing some pretty good coverage.

FIELD: We've hit the main topics here. Are there any other results that strike you as interesting, unexpected or that you just want to share for people to get them to go and read more about this survey?

AUSTIN: Going back to my original points about us gearing up and getting ready, a very large majority of institutions - 84 percent of them - plan on making technology investments over the next six to 12 months that are specifically geared to meet the FFIEC expectations. This is more reassuring than surprising, but specifically related to anomaly detection, 63 percent of those that are going to make an investment intend to purchase anomaly detection within the next 12 months. And another 31 percent haven't yet made a decision on this, so it could be as high as nine out of ten institutions purchasing new anomaly detection technology in 2012. I'm anticipating that we're going to have a really big growth year, and we're preparing ourselves and getting ready to make sure that we can meet that demand and can serve our customers in the exceptional manner we have been doing so far.

About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 28 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.
