FFIEC Guidance: Has It Reduced Fraud?
Two Years Later, Experts Weigh In on Authentication Updates
Two years after federal banking regulators issued updated guidelines aimed at enhancing authentication for online-banking transactions, BankInfoSecurity asked industry leaders whether that new guidance has been effective at curbing account takeover losses.
Federal banking regulators declined to comment about the progress they've seen since June 2011, when the updated guidance was issued. But according to financial fraud analysts, vendors and bankers, the investments U.S. institutions have made to conform with the Federal Financial Institutions Examination Council's updated authentication guidance have improved their ability to detect account takeover incidents sooner, yet those investments have had no impact on the fraud losses resulting from those incidents. In fact, according to some observers, losses resulting from ACH and wire fraud continue to increase.
More banking institutions, especially at the regional and community level, have invested in behavioral analytics and transaction anomaly detection, largely as a result of conformance with the updated online-banking authentication guidance. And these technologies, along with secure browsing and out-of-band authentication, have helped institutions with fraud detection, but not necessarily prevention.
"We're not decreasing account takeover at all," contends Julie Conroy, a financial fraud analyst for the consultancy Aite. "New malware strains are being deployed every day."
The June 2011 supplement to Authentication in an Internet Banking Environment noted that emerging malware attacks had too easily compromised many existing online authentication techniques, including some forms of multifactor authentication. As a result, the guidance pointed out a number of technical solutions, such as out-of-band authentication and device identification, that could be more effective at thwarting ACH and wire fraud.
Security Strategy Essential
Now, online security experts say banking institutions have to focus more on a comprehensive security strategy and less on FFIEC guidance conformance. If they don't, they will continue to see fraud losses grow, because the threats are evolving more quickly than regulatory guideposts can be updated.
Conroy acknowledges that fraud losses would likely be much higher had federal banking regulators not issued their authentication update. But she says banking institutions - especially smaller ones - cannot continue to lean solely on regulatory guidance when making security decisions. "The guidance came out two years ago, and it takes banks a while to deploy the technology," she says. "It just shows how fast the fraud is progressing."
And it's not just a U.S. problem. Financial losses resulting from account takeover fraud have steadily increased over the last year throughout the world, despite banks' investments in new technology and education campaigns, Conroy says.
New research from Aite, expected to be released in August, estimates global fraud losses linked to ACH and wire fraud totaled $409 million in 2011 and $455 million in 2012. For 2013, Conroy predicts those losses will jump to $523 million and continue to increase through 2016, when they'll near the $795 million mark.
And preliminary results from BankInfoSecurity's soon-to-be-released 2013 Faces of Fraud Survey show similar trends. Despite the 2011 FFIEC guidance, respondents to the survey ranked ACH and wire fraud as the fourth greatest fraud threat they continue to face. And despite investments in security controls recommended by the FFIEC, 46 percent of respondents say they see no impact on the number of account takeover incidents they suffered in the last 12 months; 43 percent also report that they see no impact on account takeover losses.
Peter Tapling, president and CEO of Authentify, an online authentication provider, says banks of all sizes have spent the last 12 months adopting new technologies. But the evolution of attacks has forced banks to budget for the absorption of fraud losses, he says.
"The FFIEC has spurred banks to turn on technology that improves security," he says. "So the guidance has met its objective of pushing all the financial institutions in that direction."
But it's hard to know if the new guidance has actually curbed losses, he adds.
"The [banking institutions] that I talk to say they are comfortable with their current position," Tapling says. "The good news is that they see these attacks, so they can do something about them. If you go back to 2009 and 2010, there was some surprise at both the velocity and the vigor of some of these ACH movements."
Most online security investments made by U.S. financial institutions since June 2011 have been aimed at conforming to the updated guidance, Conroy says. This has been especially true for regional and community institutions, which often don't have the budgets or technical know-how to make new technology investments without an incentive, she adds.
"It gave smaller institutions a chance to deploy top technology they had on their wish-lists," Conroy says. "But the threat environment is just moving so fast, it's hard for financial institutions to keep up."
The FFIEC's updated guidance notes that banking institutions must deploy multiple layers of security. It also stresses the need for non-technical strategies, such as more customer fraud education, and points out that banking institutions must implement policies for ongoing and regular risk assessments.
For American Business Bank, a California-based institution with $1.3 billion in assets, the risk assessment piece has proven the most valuable.
"From our perspective, it seemed like 2012 was really about the risk assessment and developing a roadmap," says Craig Priess, founder and vice president of Guardian Analytics, which signed with American Business Bank in June 2011 to provide behavioral analytics and transaction monitoring. "2013 has really been about showing regulators the technology has been implemented."
Ongoing risk assessment is now part of American Business Bank's overall security strategy, he says. "The need for periodic risk assessments was one of the best things to come out of the FFIEC guidance."
Tapling says the guidance provided a roadmap for banks. "They have to have a plan with some input that says, 'What are the attacks that have not yet made the headlines?'"
Federal banking examiners started reviewing conformance in 2012, yet many U.S. institutions didn't start making big investments for conformance until this year, says financial fraud expert George Tubin of anti-malware provider Trusteer.
While many of the largest banks were the first to test new technologies, other institutions, by waiting, gave themselves time to evaluate technology options and focus more time on risk assessments, he explains.
"When guidance first comes out, there are a lot of questions and there is a lot of interpretation," he says. "And frankly, there are some discrepancies between the regulators, too. Each examiner may interpret things differently. As time goes on, a lot of those questions and disconnects get worked out. So we are in a better place now to actually know what types of solutions will help comply with the guidance supplement and enhance security, based on risk."
Investments in authentication won't pay off unless the technology can be integrated with the institution's online-banking platform, Tubin says.
At American Business Bank, ongoing risk assessments throughout the year have made a huge difference in helping to fill security gaps that could emerge as new solutions are deployed. Risk assessments, for example, spurred the bank to invest in anomaly detection, Peplow says.
"Anomaly detection has been great for us to ID fraud," he says. "In one case, we were able to stop a fraudulent transaction within 30 minutes, even before the customer noticed anything."
American Business Bank also has focused more heavily on customer education.
"We have training that we e-mail out to our ACH and wire customers," Peplow says. "And we can track who has taken it and who has not taken it. We are constantly trying to educate our customers, and remind them about how critical it is for them to be vigilant on their end."
Fraud is moving downstream to smaller institutions. And the problem is that many of them don't fully understand or appreciate the threats, Authentify's Tapling says.
"The banks that are leaders will tell you that the guidance is redundant, because by the time it comes out, they've already implemented everything that is in the guidance," he says. "But smaller ones are not doing what the guidance calls for until it comes out. ... Smaller banks can often only do what their bank service providers offer to them. So they are limited in that way as well."
By focusing on the guidance, smaller institutions have made significant strides, Aite's Conroy adds. But they need to focus on layers of security and ongoing risk assessments.
"One institution said they were looking at things like behavioral analytics or secure browsing," she says. "But it should not be either/or. They should have both."
Any banking institution that fails to go beyond regulatory recommendations will continue to suffer from losses linked to account takeover, Tapling says.
"The core problems still exist - logins and passwords," he says. "The new technologies recommended by the FFIEC are helping. But we have to remember, the guidance is a minimum. Based on risk assessment, you will see now that many banks are doing much more than that."