A new survey shows that while the majority of banks are aware of the regulation and are actively planning for compliance, there is still some confusion about the new expectations laid out by the Federal Financial Institutions Examination Council (FFIEC) Supplement to Authentication in an Internet Banking Environment.
"The big thing is that the overwhelming majority of banks have taken some action or are taking the guidance really seriously," says Terry Austin, CEO of Guardian Analytics, which sponsored the survey. "They've started to do their risk assessments and formulate their plan. I think that's good news that the guidance has had a desired impact."
Conducted in November among more than 300 banking executives from 100 U.S. institutions, the survey found that 85 percent of respondents reported that their institutions are actively taking action to address the updated guidelines laid out by the FFIEC. Approximately 80 percent of organizations have undertaken risk assessments in the past six months as a first step in the process, and 59 percent have already established a plan to fill online banking security gaps.
The high level of awareness can likely be attributed to regulator champions within the FFIEC, which comprises several federal financial agencies whose executives have been on a public-relations blitz. The Guardian Analytics survey matches the read on the market coming from Federal Deposit Insurance Corporation (FDIC) leadership.
"The agencies have done a lot of outreach," says Jeff Kopchik, senior policy analyst with the FDIC's Division of Risk Management Supervision and one of the authors of the guidance. "I've spoken at a lot of conferences, I've done a lot of webinars and conference calls, and things like that. My impression from talking to members of the industry is that there is very good awareness of the guidance. I haven't run into anyone who has said to me, 'What are you talking about?'"
While awareness might be good, the survey showed that many institutions still are not entirely clear on what the new requirements mean for their security operations.
"The guidance was really clear that there would be two absolute minimum expectations no matter what else you do," Austin says. "You have to be able to monitor account behavior and identify anomalous or suspicious activity. And the second thing the guidance said is that you have to be able to put controls in place for business banking administrative functions -- meaning things like dual controls or even admin rights to set up users and approval limits. You have to have fraud detection in place that can work in that environment."
According to the survey, 41 percent of respondents didn't see anomaly detection as a minimum expectation as laid out by the regulators, and 56 percent did not see enhanced administration functions in business accounts as a minimum expectation.
"I think there's still some kind of rereading and re-education and absorption of the information that's needed in the market for banks to fully grasp the fact that there are these two minimum expectations and that they're kind of inescapable, and then everything else is an option based on your risk assessment," Austin says.
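The two minimum expectations Austin describes above, behavioral anomaly detection on accounts and dual control over business-banking administrative functions, can be shown in a small working model. This is an added example for illustration, not code from the article, from Guardian Analytics or from the FFIEC supplement; the account history, the scoring weights, the alert threshold and the 3-sigma amount rule are all assumptions chosen to make the two controls concrete.

```python
"""Toy model of the two FFIEC-supplement minimums: per-account anomaly
detection and dual control over administrative functions.
Added example; all events, weights and thresholds are constructed."""
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Set


@dataclass
class Event:
    account: str
    kind: str            # "login" or "wire"
    device: str
    country: str
    amount: float = 0.0  # wires only
    payee: str = ""      # wires only


@dataclass
class Profile:
    """What 'normal' looks like for one account, learned from its own history."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    payees: Set[str] = field(default_factory=set)
    amounts: List[float] = field(default_factory=list)

    def learn(self, ev: Event) -> None:
        self.devices.add(ev.device)
        self.countries.add(ev.country)
        if ev.kind == "wire":
            self.payees.add(ev.payee)
            self.amounts.append(ev.amount)


# Assumed weights and threshold; a production system tunes these on fraud data.
WEIGHTS = {"new_device": 2, "new_country": 3, "new_payee": 2, "amount_outlier": 3}
ALERT_THRESHOLD = 5


def score_event(profile: Profile, ev: Event) -> List[str]:
    """Return the list of reasons this event deviates from the account's baseline."""
    reasons = []
    if ev.device not in profile.devices:
        reasons.append("new_device")
    if ev.country not in profile.countries:
        reasons.append("new_country")
    if ev.kind == "wire":
        if ev.payee not in profile.payees:
            reasons.append("new_payee")
        # A z-score is meaningless on a handful of samples; require a few first.
        if len(profile.amounts) >= 5:
            mu, sd = mean(profile.amounts), pstdev(profile.amounts)
            if ev.amount > mu + 3 * sd:
                reasons.append("amount_outlier")
    return reasons


def is_suspicious(reasons: List[str]) -> bool:
    return sum(WEIGHTS[r] for r in reasons) >= ALERT_THRESHOLD


@dataclass
class AdminRequest:
    requester: str
    action: str   # e.g. "add_user", "set_approval_limit"
    target: str
    value: object


class DualControl:
    """Administrative changes take effect only after a second, different person approves."""

    def __init__(self) -> None:
        self.pending: Dict[str, AdminRequest] = {}
        self.applied: List[AdminRequest] = []

    def request(self, req_id: str, requester: str, action: str, target: str, value: object) -> None:
        self.pending[req_id] = AdminRequest(requester, action, target, value)

    def approve(self, req_id: str, approver: str) -> str:
        req = self.pending.get(req_id)
        if req is None:
            return "rejected: no such pending request"
        if approver == req.requester:
            return "rejected: approver must differ from requester"
        self.applied.append(self.pending.pop(req_id))  # one approval consumes the request
        return "applied"


def run_demo() -> Dict[str, object]:
    # Constructed history: one laptop, one country, two known payees, modest wire amounts.
    amounts = [1200, 1500, 900, 1300, 1100, 1400, 1000, 1250, 1350, 1150]
    history = [Event("acme", "login", "laptop-1", "US")] + [
        Event("acme", "wire", "laptop-1", "US", amt, payee)
        for amt, payee in zip(amounts, ["vendor-a", "vendor-b"] * 5)
    ]
    profile = Profile()
    for ev in history:
        profile.learn(ev)

    routine = Event("acme", "wire", "laptop-1", "US", 1300, "vendor-a")
    takeover = Event("acme", "wire", "browser-x", "RO", 25000, "mule-account")

    dc = DualControl()
    dc.request("r1", "alice", "set_approval_limit", "bob", 50000)
    return {
        "routine": score_event(profile, routine),
        "takeover": score_event(profile, takeover),
        "self_approve": dc.approve("r1", "alice"),
        "second_approve": dc.approve("r1", "carol"),
        "replay": dc.approve("r1", "carol"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The routine wire from the known laptop to a known payee produces no reasons; the large wire to a never-seen payee from a new device and country trips every rule and crosses the threshold. On the administrative side, the requester cannot approve her own limit change, a second approver can, and the consumed request cannot be approved again.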
As for risk assessments, 98 percent of banks plan to run them more often than the supplement requires. However, Ben Knieff, director of product marketing at NICE Actimize, says that risk assessments could trip up smaller financial institutions, an issue this survey did not specifically examine but one Knieff expects to play out in 2012.
"I think that segment is in relatively different shape than the rest. Most of them get their online services and portals provided to them by a third party that usually handles a number of other banking functions for them," Knieff says. "I know that all those large service providers are communicating what they have and where they're making investments for compliance. The challenge for smaller organizations is less on the technology side and more on the risk assessment and customer education side. That's something much more difficult for them to outsource to a technology service provider, and the bank still remains responsible for adherence."