Banks' Top Anti-Fraud InvestmentsPost FFIEC, Where Are Institutions Making Enhancements?
The Federal Financial Institutions Examination Council's updated Authentication Guidance, issued a year ago, is still a strong catalyst for increased fraud-fighting and security budgets.
See Also: Move Beyond Passwords
But many banking institutions say they're looking beyond the guidance and investing in technologies and services that address everything from card fraud to corporate account takeover.
Risk assessments have been a top priority this year. Next year, more banks will be investing in layered security, out-of-band authentication and emerging technologies and services to improve long-term security.
FFIEC: What Regulators Want to See
When the FFIEC issued its updated guidance in June 2011, it asked banking institutions to review their risk assessments, multifactor authentication practices and layered security controls as well as their customer and member education programs.
BankInfoSecurity's second annual Faces of Fraud survey confirms that banking institutions are increasing funding for new anti-fraud technology and personnel. More than half of survey respondents list enhanced fraud detection, transaction monitoring, and customer and member education as being anti-fraud priorities aimed at FFIEC conformance. But they also cite investments in out-of-band verification, internal and external audits, improved vendor management practices, and dual authorization through different access devices as being important as well.
Many institutions are putting their time and energy into risk assessments this year, and that's exactly where the focus should be, says Doug Johnson, head of risk management policy for the American Bankers Association.
"The agencies want to see that the risk assessment is either complete or well under way, and that there is a reasonable and rational path forward through the balance of this year and into next year associated with the ramping up of any of the additional security measures that have been recommended," Johnson says.
Now that the risks have been identified, banks and credit unions need to have anti-fraud strategies in place. And Johnson says financial institutions are making progress.
Patrick Truett, who oversees development and support at the National Credit Union Administration, says more than half of the credit unions that have undergone FFIEC examinations so far are in conformance.
"There's less education needed to convince [institutions] that the threats are real," Truett says. "When we can point to some of the [fraud] incidents that have occurred and then point them to controls that would have prevented them, it's a really easy sell to get them to adopt new security measures."
Those measures vary from institution to institution, of course, but banks and credit unions are using what they've gleaned from risk assessments to enhance security across the enterprise.
"Banks understand they absolutely have to use these other technologies, because it is all about having a variety of layers of security," Johnson says.
Internal and external audits to assure FFIEC conformance have made a big difference. A fraud prevention executive at one $30 billion institution, who asked to remain anonymous, says his organization spent a year just reviewing its security risks.
"We've looked across the whole landscape," the executive says. "We had a team come in and codify all the areas that needed to be looked at and categorize the risk. It was a long, drawn-out effort. ... But with so many partners, so many processors, so many systems, so many vendors, we had to review every customer touch-point across every line of business and then dissect where we had a potential gap and where we needed to address risks."
In the end, that institution got a positive review from FFIEC examiners. "The regulators said what we did right was that we did not make any decisions in a silo," the executive says. "We involved many entities and business lines, and that's what regulators wanted to see."
Some smaller banks are funneling assessment work through core processors to identify security gaps and determine which technologies best meet their needs, Johnson says. "But community banks are now recognizing that, in response to customer demand as well as new guidance, they have to look at other third parties to add on additional services, whether they be anomaly detection or out-of-band authentication, which may or may not be available through their core processor," he adds. "We'll see core processors trying to respond to that by developing relationships with those third parties."
The Tech Focus
Executives at several banking institutions shared with BankInfoSecurity their anti-fraud investment strategies.
For example, at Ann Arbor-based United Bank & Trust, the focus is out-of-band authentication. Executives at the $1 billion bank knew they had to improve online authentication for conformance and security, says Marsha Whitehouse, vice president of treasury management. And the bank got the ball rolling early, in anticipation of the FFIEC's expected update.
"One thing we kept hearing was that you need to increase your security," Whitehouse says. "Username and password are just not enough, and we know that."
Last year, the bank identified the need for an additional layer of authentication; it opted for an out-of-band authentication feature that it now requires all commercial accountholders to use.
United Bank implemented two-factor authentication from PhoneFactor for ACH and wires initiated online. "We hold on to that transaction until we get it authenticated, so a fraudulent transaction would never make it to the bank's back-end for processing," Whitehouse says.
At San Francisco-based Presidio Bank, the focus is on ensuring the security of online transactions. The $394 million institution opted for a multilayer application from IronKey that confines online transactions to a trusted network. The application secures transactions from the customer's end. Ultimately, the bank provides users a separate operating system for online-banking sessions through a one-time software download.
Fred Bailard, executive vice president of cash management solutions at Presidio, says the technology, in essence, provides two-way authentication. "On the client side it authenticates the IP address and the bank's URL," he says. "When they go to log in to the bank, it takes them into this hardened browser. That's been a huge leap forward from a security perspective."
Other institutions, like the unnamed $30 billion bank, are still reviewing their options. Complex device identification and enhanced anomaly detection are the focus. "We need to have a way to detect if a customer is making a suspicious wire payment, or create a way for a customer to call us back," the executive at that bank says. "This will be the bulk of the investments we make."
But in addition to securing the online channel, securing the call center and other channels prone to fraud is a big concern as well. And for that, this institution is reviewing emerging voice biometrics. "It could be a very good way for the call centers to enhance security," the executive says (see Voice Biometrics as a Fraud Fighter).
At Bank of America, the focus has been on mobile security, including investments in technologies that help the bank enhance mobile device ID.
"We're able to see what devices our customers are coming to us from on a typical basis, so that if, per chance, we see something that's anomalous or maybe a new device, we can proactively challenge that experience or that session to ensure that it's that customer trying to authenticate," says Keith Gordon, who oversees authentication and security strategies for Bank of America's consumer online and mobile banking units. "If a fraudster is trying to access an account, we're able to block it right at that point, just in knowing that it's not the customer's device trying to come to us."
Following are links to more information about the FFIEC guidance and anti-fraud investments institutions are considering: