Credit unions are doing multifactor authentication to make regulators happy, according to pundits-and one security vendor is poised to reap the rewards.
"Complying with the FFIEC and NCUA guidance has become a game: go with whichever vendor is getting the most press and you'll escape the regulatory scrutiny," asserted Tripp Johnson, a senior director at Scottsdale, Ariz.-based Cornerstone Advisors.
The NCUA year-end deadline for layered authentication is forcing credit unions to ante up, agreed Kelly Dowell, executive director of the Credit Union Information Security Professionals Association (CUISPA) in Austin, Texas. "The majority of credit unions are obviously implementing a solution because of the regulation," Dowell said.
The NCUA declined to comment.
About 75% of all credit unions are launching a strong authentication platform in a race to meet the Dec. 31, 2006 NCUA deadline, according to a February CUISPA survey of 180 CUs. And 95% of credit unions said multifactor authentication was a spending priority in 2005, in response to a Callahan & Associates survey.
Authentication vendors are fueling the fire, using the deadlines to push proprietary products, added Johnson. "Kudos to the vendors because we're the lemmings that go along with it," he joked.
RSA Security is the vendor that could reap the lion's share of any rewards.
The Bedford, Mass.-based security provider is gobbling up major authentication players, last month acquiring PassMark Security just after FiServ, Inc. announced it would offer PassMark to its credit union and bank clients.
One year ago, PassMark pulled ahead of the 20-odd vendors selling authentication after it landed a contract to control Bank of America log-ins. And in December, RSA bought out Cyota, Inc., which provides authentication products for Jack Henry & Associates, Online Resources Corp., and eCU Technologies, among others.
"At the end of the day, credit unions will go with whatever viable solution their Internet banking provider comes up with," Dowell said. "So all Fiserv credit unions will have PassMark. There aren't going to be a lot of different solutions in use out there."
The rush to comply is a double-edged sword, Dowell added.
"The push is good because it will force credit unions to do something quickly to protect their members, but it's also bad because it's going to push credit unions into a solution too quickly," he explained. "As a result, they're not going to have time for as much due diligence."
Indeed, credit unions are at the mercy of their vendors, said Patricia Lareau, vice president of Product Management at Passfaces Corp., which provides strong-authentication using images of the human face.
"Most credit unions do not have either the talent or time or budget to build a solution of their own preference," she said. "They long ago subrogated their decision-making to their service providers and don't really know how to get it back."
Added Johnson, "One pattern I see is that companies are doing the minimum possible to score compliance, and then forget about it."
However, First Entertainment CU in Hollywood will "do it right," said Charles Bruen, CEO at the $600-million CU.
"I don't feel pushed," he said. "Multifactor authentication is not a mandate, and I don't believe it's a Y2K kind of thing that has to be in place by Dec. 31 or the world comes to an end."
In Harrisburg, Pennsylvania State Employees CU signed a contract to use the RSA Security Adaptive Authentication platform before the NCUA guidance was issued, said Kevin Doyle, Information Security manager at the $2.3-billion CU.
"Our NCUA examiners recently confirmed that, if the transaction is not high-risk, you don't need an authentication solution," Doyle said. "But I'd recommend that it's best to know o's logging in to your online accounts."
CUJ Resources
For info on this story:
* First Entertainment CU at www.firstent.org
* Pennsylvania State Employees CU at www.psecu.com
* CUISPA at www.cuispa.org
* Cornerstone Advisors at www.crnrstone.com
* Passfaces at www.passfaces.com
