A lot has changed in the online risk landscape since then, and security experts have long been clamoring for an update from the FFIEC, maintaining that the outdated guidance from the regulator was putting bank customers at risk.
"Clearly the time was right for the FFIEC to put something out to provide more specific and enhanced guidance to face today's threats, both in terms of what the criminals are doing, how they're attacking the end users, and in the amount of money that has been siphoned out itself," says Tiffany Riley, vice president of marketing for Guardian Analytics, a fraud detection software firm.
The old guidance focused mainly on getting banks to offer two-factor authentication for greater security, but failed to require other layers of security, such as anomaly detection to prevent fraud, or to encourage general risk management practices within the online banking environment. As a result, many banks have been able to use the regulation as a legal shield: installing little more than skimpy two-factor authentication technology and, when that is circumvented and a business customer's funds are stolen, claiming in court that they had exercised due diligence through FFIEC compliance.
In particular, small businesses have suffered greatly from the regulation's shortcoming and their banks' subsequent legal arguments. Banks rarely extend the same fraud reversal for business accounts as they do for consumer accounts, and small businesses don't have the same kind of pull with their financial institutions to demand better security as do large organizations. They also don't have as much budget for in-house security.
"The agreements that small businesses have with the banks are that essentially as long as the bank uses commercially reasonable security, which is pretty much defined as what other banks are doing, the small business is held liable. I've estimated that over the last couple of years, SMBs have lost a quarter of a billion dollars to bank fraud," says George Tubin, senior research director for TowerGroup and a participant in the process to help revise the guidance. "Typically, the client doesn't recover anything when they settle out of court with their bank for a fraction of their losses, and very few actually make it into an actual hearing."
Such was the case recently with PATCO Construction, which in 2009 saw $500,000 sluiced from its Oceans Bank commercial account after a malware attack made away with its authentication credentials. A judge recently threw the case out against Oceans without it ever going to trial.
Effective Jan. 1, 2012, the new FFIEC guidance (PDF) will require banks to use anomaly detection software and risk management best practices.
"The key piece is anomaly detection. The problem is that the technologies we have in place are good against most types of fraud, but they don't do very well against what we call 'man in the browser' types of fraud, which could get by the authentication that's typically put in place," Tubin says. "The anomaly detection is sort of that second layer of defense, so if a criminal does get in, let's try to identify that that happened and let's look at what transactions they're doing and what behaviors they're exhibiting, and hopefully we can see that there's potential fraud happening."
The guidance also specifically calls out greater protection for business banking customers, which were not mentioned before -- a fact that had many banks assuming the regulation was solely consumer-focused.
"I think if the banks will adopt this, and not just to check the box, but adopt this with the truest sense of using risk management to secure the existing authentication, all customers would benefit, not just small business," says Ori Eisen, founder and CIO of 41st Parameter, a fraud detection software company.
In spite of the looming deadline, SMBs probably shouldn't expect all banks to be on board by the turn of the year. According to Tubin, regulators will require banks to have deployment plans in place by the deadline, not necessarily full installations. In the meantime, he believes SMBs should scrutinize more closely where they put their money, asking their banks for stronger risk-mitigating measures.
"Trying to find the banks that do more than the bare minimum is key. There are things that the small business can do, as well, as far as account restrictions that the bank may offer, sort of limiting the amount of money that can flow in and out, or limiting the amount of privileges of each of the users that are getting into the accounts," he says. "Maybe use things like reverse-positive pay or alerts so if a transaction does happen or a transaction comes in, they can see that right away and determine whether or not they want to allow it to go through. So if the bank offers some of these types of capabilities, I think it's something they should absolutely look into."
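The layered controls described above, hard per-user and daily limits applied first, then anomaly detection against the account's own transaction history that raises an alert or holds the transfer, shown as an added illustration; this is not code from the article or from any vendor quoted in it, and the account profile, thresholds and transfers are constructed:

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class AccountProfile:
    """Constructed baseline for one business account (hypothetical values)."""
    past_amounts: list        # recent outbound transfer amounts
    known_payees: set         # payees this account has paid before
    usual_hours: range        # hours of day when the business normally transacts
    daily_limit: float        # bank-offered cap on daily outflow
    user_limits: dict         # per-user privilege: max single transfer each user may send
    sent_today: float = 0.0


def score_transfer(profile, user, payee, amount, hour):
    """Return (decision, reasons) for one outbound transfer.

    Layer 1 enforces hard controls the customer can ask the bank for.
    Layer 2 scores the transfer against the account's own behavior, so a
    transfer made with valid (stolen) credentials can still be flagged.
    """
    reasons = []
    if amount > profile.user_limits.get(user, 0.0):
        reasons.append("exceeds user privilege limit")
    if profile.sent_today + amount > profile.daily_limit:
        reasons.append("exceeds daily outflow limit")
    if reasons:
        return "block", reasons

    score = 0
    if payee not in profile.known_payees:
        score += 2
        reasons.append("new payee")
    if len(profile.past_amounts) >= 2:
        mu, sd = mean(profile.past_amounts), pstdev(profile.past_amounts) or 1.0
        if (amount - mu) / sd > 3:          # far above this account's normal size
            score += 2
            reasons.append("amount far above baseline")
    if hour not in profile.usual_hours:
        score += 1
        reasons.append("outside usual hours")
    if score >= 3:
        return "hold_and_alert", reasons     # hold until the customer confirms
    if score > 0:
        return "alert", reasons              # let it through, but notify
    return "allow", reasons


def demo_profile():
    return AccountProfile([1000, 1200, 900, 1100, 1000], {"vendorA", "vendorB"},
                          range(8, 18), 20000.0, {"bookkeeper": 5000.0, "owner": 20000.0})
```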