DEC 22, 2011 9:48am ET

Smaller Banks Scramble to Meet January Security Deadline

Correction: An earlier version of this story overstated the number of financial institution executives surveyed by Guardian Analytics, based on information provided by the company.

The first federal regulators are set to meet with banks next year to examine security plans for online banking, as stipulated by the newest Federal Financial Institutions Examination Council guidance, issued this summer.

While banks are in varying stages of readiness for compliance, the guidance has affected smaller and regional banks disproportionately. Many rely on core banking providers for security, have smaller technology staffs and budgets, and must cobble together security systems from multiple vendors to make the grade.

This is problematic because core banking providers tend to design services for mass appeal, not specific problems. Similarly, banks must make a case for more technology spending in a market seeking to consolidate vendor relationships. The development cycle for such projects can also be quite lengthy.

"It is harder for smaller banks who don't have the manpower and staff and don't push the budget to IT," says Will Sampson, senior vice president and chief information officer for The East Carolina Bank.

The bank, which is based in Engelhard, N.C., and has about $1 billion in assets, had for years been in the process of upgrading its entire security platform before the guidance was released, Sampson says.

Because new guidance had been expected for a long time, many bankers were relieved to finally see it in writing. The new guidance covered security issues for electronic banking such as the need for a multi-layered approach. This means combining strong authentication at log-ins with device identification, anomaly detection, or other systems that can be invoked at any point of the online banking process.

Central Bank and Trust, which has about $2 billion in assets, says it has worked for the past four years to create a multi-layered security system. Still, the Lexington, Ky., bank says it will have to make investments in back-end technology to add transaction anomaly detection and other protections.

"The new guidance and the specific language of addressing and monitoring systems similar to the way the debit and credit card networks do is going to take some adjustment for us," says Jeff Jacob, director of security for Central Bank and Trust.

The bank works with Fiserv Inc., NCR Corp. and ACI Worldwide Inc. for core banking, retail Internet, and commercial online banking, respectively. While each of those vendors has its own security protocols, Central Bank must fill in the gaps with its own security program or reach out to other vendors, it says.

Most recently, to address man-in-the-middle and man-in-browser attacks, the bank contracted with Trusteer Inc. of Wellesley, Mass., to use its Rapport secure browser product.

The new FFIEC guidance "impacts credit unions and community banks disproportionately because they tend to outsource their online and security practices," says Ward Howell, director of security solutions consulting for Q2ebanking, a unit of CBG Holdings Inc. of Austin, Texas. Q2 provides core online banking and security products and services.

Eighty-five percent of small and regional banks say they have plans to update their security controls in the coming months. About 85% say they will purchase new technology over the same period to meet the new guidance, according to a survey by Guardian Analytics Inc. of about 300 financial institution executives.

But 44% say they have done no formal risk assessment yet, though they are required to do one annually by the guidance, the survey says.

"The way I read this, the overwhelming majority know they have to make an investment and make a plan and take action, but many have not done the basics yet," says Terry Austin, president and chief executive of Guardian, which is based in Mountain View, Calif.
