Community Bank Focus on Consumer Security Contradicts Regs


Community bankers are strengthening security on consumer accounts, but they are not always extending those protections to business accounts, which regulators say are at higher risk.

The banks' actions seem to contradict new security rules from the Federal Financial Institutions Examination Council (FFIEC). Those rules emphasize the use of multifactor authentication with business accounts, which typically hold more funds and move larger transactions – and thus attract more attention from fraudsters.

Multifactor authentication improves on a username and password by requiring a separate credential that is harder for fraudsters to steal. Sometimes the second factor is invisible to end users, such as software that checks the account holder's location or recognizes a previously seen device. Other times it is more intrusive, say, a hardware token that generates a unique passcode every 60 seconds.

About 83% of community bankers are using some form of multifactor authentication for consumer transactions. But fewer, 74%, said they use multifactor authentication for business accounts. Just 37% use multifactor authentication for employees connecting to internal systems remotely.

The bankers participated in a survey from the compliance-outsourcing firm Heit Inc. of Fort Collins, Colo., and cbanc Network Inc., an online social and resource-sharing network for banks. (Computer Services Inc. is buying Heit in a deal expected to close Sept. 1.)

The survey of 113 community bankers ran from July 1 to Aug. 9. They were polled on their understanding of the new rules, which were issued June 22 to update guidance from 2005.

"When the [2005] guidance came out, there was a general understanding that multifactor applied to online banking, no matter what type," says Paul Reymann, chief risk officer for Heit. "Now financial institutions have clarity that they can make a decision based on economics and apply multifactor authentication just to business."

Industry analysts say that the FFIEC's instructions to banks are not so clear-cut.

For example, the guidance specifies multifactor authentication for business transactions and layered security for consumer transactions – but that could mean doing the same thing for both types, says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.

"Banks are determining where multifactor authentication is appropriate in retail because the bank is the one with ultimate liability," she says.

Multifactor authentication might be useful for consumers when making changes to passwords, higher-risk transactions and for infrequent transaction types, she says.

"You can't argue that [more] security is a bad thing," says Avivah Litan, a vice president and distinguished analyst at Gartner Inc., of Stamford, Conn. "And layered security includes multifactor authentication."

First State Bank in Barboursville, W.Va., which has $250 million of assets, added multifactor authentication to its consumer accounts because accounts at community banks are much more vulnerable than those at larger banks, says Sam Vallandingham, vice president and chief information officer.

First State Bank protects consumer accounts by checking users' Internet Protocol addresses, recognizing returning devices through cookies and asking complex challenge questions.

The bank also secures remote sessions for the employees delegated to access the bank's internal systems, Vallandingham says.

"We don't offer broad-based access to all employees, we have key employees, and for those we use multifactor authentication," he says. The bank also encrypts traffic between internal servers and blocks USB ports to prevent data from leaving the bank.

Banks could also do more work on detecting anomalous transactions, says George Tubin, an independent analyst who covers fraud prevention and mobile banking.
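The following is an added illustration, not code from the article, Heit, Aite Group or First State Bank, of the mechanisms the preceding paragraphs describe: the hardware token that rolls a passcode every 60 seconds (modelled with RFC 6238 TOTP over RFC 4226 HOTP), the consumer-side layers of IP address, device cookie and challenge questions, and a risk score that steps a consumer up to the second factor only for higher-risk or infrequent transactions, while a business account always requires it. The `Account` and `Attempt` records, the signal weights, the threshold, and the sample secret and addresses are assumptions made for the example.

```python
"""Layered login check with a risk-based step-up to a time-based one-time passcode (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Set


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is Unix time divided by the step length.
    A token that rolls every 60 seconds uses step=60; the RFC default is 30."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step or its immediate neighbours to tolerate clock drift.
    The comparison is constant-time so a wrong code does not leak how wrong it was."""
    return any(
        hmac.compare_digest(totp(secret, at + skew * step, step, digits), code)
        for skew in range(-window, window + 1)
    )


@dataclass
class Account:
    kind: str                  # "consumer" or "business" (assumed labels)
    known_ips: Set[str]        # addresses this holder has logged in from before
    known_devices: Set[str]    # device cookies the bank previously issued to this holder
    totp_secret: bytes         # seed shared with the holder's hardware token


@dataclass
class Attempt:
    ip: str
    device_cookie: Optional[str]
    challenge_passed: bool     # answered the bank's challenge questions correctly
    amount: float              # 0 for a plain login
    new_payee: bool            # infrequent transaction type, e.g. paying someone new
    password_change: bool


# Assumed weights and threshold; a real deployment would tune them against fraud data.
MFA_THRESHOLD = 4


def risk_score(acct: Account, attempt: Attempt) -> int:
    """Sum the invisible layers: unfamiliar network, unfamiliar device, sensitive action, large amount."""
    score = 0
    if attempt.ip not in acct.known_ips:
        score += 2
    if attempt.device_cookie not in acct.known_devices:
        score += 2
    if attempt.new_payee or attempt.password_change:
        score += 2
    if attempt.amount >= 10_000:
        score += 3
    return score


def decide(acct: Account, attempt: Attempt, code: Optional[str], now: int,
           step: int = 60) -> str:
    """Return "deny", "mfa_required" or "allow".

    Business accounts always need the hardware second factor; consumer accounts
    rely on the invisible layers unless the risk score crosses the threshold.
    """
    if not attempt.challenge_passed:
        return "deny"
    needs_mfa = acct.kind == "business" or risk_score(acct, attempt) >= MFA_THRESHOLD
    if not needs_mfa:
        return "allow"
    if code is None:
        return "mfa_required"          # prompt for the token code before continuing
    return "allow" if verify_totp(acct.totp_secret, code, now, step) else "deny"


if __name__ == "__main__":
    # Constructed demo data: the RFC 6238 test seed and documentation-range IP addresses.
    secret = b"12345678901234567890"
    acct = Account("consumer", {"203.0.113.7"}, {"dev-a1"}, secret)
    routine = Attempt("203.0.113.7", "dev-a1", True, 150.0, False, False)
    risky = Attempt("198.51.100.9", None, True, 12_500.0, True, False)
    now = 1_700_000_000
    print(decide(acct, routine, None, now))                  # allow
    print(decide(acct, risky, None, now))                    # mfa_required
    print(decide(acct, risky, totp(secret, now, 60), now))   # allow
```

The `verify_totp` window is the usual compromise between tolerating token clock drift and widening the guessing surface; with a 60-second step and a window of one, three codes are valid at any moment, so the login endpoint still needs rate limiting. Business accounts skip the score entirely, matching the guidance's emphasis on a second factor for that class rather than on the risk of an individual transaction.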

The "FFIEC says clearly that it depends on the riskiness of the transaction," says Dave Jevans, chairman of the Anti-Phishing Working Group and chairman of security vendor IronKey Inc., of Sunnyvale, Calif.

Risky transactions can also include employee access, where fewer banks have applied multifactor authentication, Reymann says.

"Electronic employee access to customer information falls into this definition, and the growing use of remote access and virtual private network (VPN) access by employees should be addressed by each institution," Reymann says.

Since banks need to conserve cash, it is critical to selectively deploy technology resources, Reymann says.

Representatives from the FFIEC did not return calls for comment.
