Financial institutions are acting on the new expectations outlined in the FFIEC Supplement to the Authentication in an Internet Banking Environment, but many will still have to rush to meet the 2012 deadline, according to a study by Guardian Analytics. Further, most banks lack clarity on the minimum expectations for layered security outlined by the agencies.
Guardian’s study, conducted in November 2011, surveyed more than 300 executives responsible for online banking security decisions at over 100 U.S.-based banks and credit unions of all sizes.
FFIEC’s June 2011 supplement was released in response to rapidly evolving online banking attacks and ongoing growth in online fraud losses. Regulators have stated they expect banks to have taken significant steps toward conformance with the updated expectations for ongoing risk assessments, enhanced layered security and customer education by January 2012.
With the deadline rapidly approaching, the study indicates that institutions are making progress in the initial phases of preparedness: 57% of institutions have completed their risk assessment and 59% have formulated a plan to fill online banking security gaps. The majority plan to invest in new technologies to address the enhanced expectations (84%); however, most are not far along in technology implementation. Only 43% of respondents said they have actually purchased new technology solutions, while 49% intend to in the future. Many are planning their investments for the next 6-12 months, likely just in time for their 2012 exam.
"The FFIEC raised the bar on their expectations for online security, and financial institutions are scrambling to evaluate and invest in preparation for their 2012 exams," says Terry Austin, CEO of Guardian Analytics. "In the last six months, we have seen exponential growth in investments in anomaly detection by those who are following the guidance diligently. As institutions work more closely with their examiners to fully understand the new requirements, we expect that growth to continue in the coming year."
In an effort to provide clarity on where institutions should start their layered security strategies, the FFIEC supplement outlined two minimum expectations against which banks will be examined: the ability to detect and respond to suspicious activity at login and initiation of transactions in all accounts, and enhanced controls of administrative functions for business accounts.
Despite the specific language in the supplement, nearly half do not fully understand the minimum expectations. Forty-one percent were unable to identify anomaly detection as an FFIEC minimum expectation for layered security, and 56% were unable to identify enhanced controls for business banking administrative functions.
When asked about the factors that determine prioritization for technology investments, respondents on average ranked "level of protection" as the most important driver for choosing a technology solution, followed closely by "customer convenience." Meeting minimum FFIEC requirements for layered security ranked the lowest.
"Maximum effectiveness and minimal intrusiveness are key criteria when evaluating online banking security practices," says Julie Conroy McNelley, senior analyst at Aite Group. "Our recent research shows that institutions find behavioral analytics to be one of the solutions that financial institutions perceive to be most effective and least intrusive.
"The regulators' objectives overlap with financial institutions' objectives in this case. Institutions implementing anomaly detection will be prepared to show conformance to the minimum requirements and be armed to stop online banking fraud across all retail and commercial account holders."