I participated in a meeting of the FFIEC IT Subcommittee today. Like the rest of the FFIEC, this subcommittee has key representatives from all of the agencies regulating U.S. banks and credit unions – the Federal Reserve Board, FDIC, OCC, NCUA, and OTS – and was the body that issued the last FFIEC guidance on secure electronic banking, “Authentication in an Internet Banking Environment,” in 2005. This last guidance came none too soon and was actually ahead of many of the security threats banks faced. It ‘persuaded’ or shall I say ‘coerced’ U.S. banks and credit unions to require, in part, more than a user ID and password when users logged into Internet banking.
The 2005 FFIEC guidance had a major positive influence on online bank security. It served as a catalyst for much of the innovation we have seen in the past 5 years in online fraud detection and user authentication. It also made for a safer online banking environment. And the healthy competition among the fraud detection and authentication vendors even drove prices down, while the FFIEC-inspired technological innovations were spread around the world, and not just throughout the U.S.
Nonetheless, not all financial institutions have kept up with the spirit of the 2005 guidance. The threats and associated risk levels have clearly moved ahead of the safeguards that many banks and credit unions, and their service providers, have in place today.
Typically, the larger banks and credit unions have remained proactive, for reasons ranging from reducing fraud costs and maintaining reputations to improving organizational efficiency.
Most of the smaller financial institutions, however, have relied on their online banking service providers to mitigate fraud risk with appropriate services, but the service providers have not introduced risk-appropriate fraud mitigation services across their various platform versions and implementations, leaving thousands of U.S. financial institutions — and their customers — unnecessarily exposed. This has become especially problematic for small businesses that have fallen victim to the Zeus banking trojan and have had a hard – if not impossible – time recovering funds stolen from their bank accounts. Banks are not generally obligated by law to refund businesses their stolen funds in these types of cases.
This untenable situation is probably one big reason the FFIEC is now stepping in, and I expect an update to the FFIEC guidance for Internet and electronic banking security to be issued soon. None of the regulators said that was specifically going to happen, but based on previous public statements and some of the innuendos at the meeting today, it’s clear to me that an update will be issued soon.
I don’t envy the regulators’ job of striking the right balance between too much and too little prescriptive guidance. But based on what happened with the last round, it appears that many executives at financial institutions need more regulatory prodding and detailed guidance in order to allocate budgetary resources to their online and mobile (and other channels’) banking security programs.
The fate of a customer’s bank account safety should not be determined by the U.S. courts. It should be proactively guided by well-informed and balanced regulators, and conscientious security staff at our nation’s banks.
So here’s one area where I believe we need more regulatory guidance – and not less than what we have today. We all know that compliance drives security spending (and helps security and risk management staff get budgetary resources). Based on what happened over five years ago, I believe the FFIEC updates will be something banks and the rest of us can comfortably live with and that we will end up with a safer and more sound financial system as a result. It’s nice to see Washington work the way it’s supposed to.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.