The approaching FFIEC deadline requires fast action to upgrade online security, but institutions shouldn't rush into adopting a "point" solution and overlook the potential for more lasting value and more flexible security.
Savvy financial institutions look at FFIEC compliance as part of a series of broader plans for utilizing technology to enhance security and online features for consumers.
They often want to know how they can satisfy their FFIEC needs through an upgrade, and also repurpose the same, one-time installation to address other priorities for the institution, such as enabling single sign-on across diverse online applications. In other words, how can they leverage the FFIEC-compliance effort across multiple products within the enterprise, giving the institution more bang for its IT buck?
It's advisable for institutions to choose FFIEC-compliant software products that can support a "one-stop installation" for authentication, anti-fraud, SSO, LDAP and other core security applications. This not only satisfies FFIEC needs initially, but also creates a foundation upon which the institution can introduce other key applications. Broader security initiatives can be achieved through a one-time investment at the start, leading to far lower costs and greater efficiency over the long term.
This approach also creates a vastly more effective IT architecture. It does this by establishing a stand-alone nexus of access control that is independent of any particular vendor or third-party product. This framework operates as the "hub" onto which any number of services can be easily layered. The five benefits of this are:
#1 - Adjustments are made quickly and easily, without vendor support. All banks want the flexibility to make adjustments within their systems, rather than be at the mercy of a vendor's timing. This is especially true for the largest institutions that are often struck early and hard by newly emerging attacks, and may need to respond more quickly than their providers can accommodate.
#2 - Removes dependencies between applications. In a typical bank, there are often half a dozen different applications powering various facets of online banking. These can be a mix of custom applications created in-house and solutions powered by outsourced providers. With a one-stop installation, changes are made just to the shared hub, which then ripple across to the rest of the systems; the bank does not need to update these systems individually. The savings in terms of organizational resources alone are enormous.
#3 - Enables site enhancements for the consumer. Then there's the fact that lifting security as a constraint makes new online features and enhancements far more feasible. Take the case of a bank that wants to establish a common user interface for its online features, each powered by separate applications, such as bill pay and cash management. It used to be that creating these enhancements was a major undertaking; adding security to each application individually was enough to break the bank, so to speak.
#4 - With security functions siphoned off to one place, a single implementation effort gets the job done. And vendors don't need to be integrated into the process in order to ensure their proprietary code becomes updated with the new security measures, because that update becomes automatic. Whether a vendor platform can support this sort of middleware approach is the true test of whether a vendor is truly using "open standards."
#5 - New capability can be easily phased in (or out). Banks may wish to replace their vendor solutions from time to time. Research shows core banking systems are replaced more often today than ever before. Suppose the bank wants to switch payments platforms at the back end due to the current vendor's technology becoming outmoded, or simply wishes to execute a change in strategy. The bank can do this without affecting the online fraud solution. Spokes can be either added to or removed from the hub without the others being affected. The winner here is the customer, because the back-end system can be replaced without the front-end user experience changing.
It's also helpful to ask your FFIEC vendor the following questions to determine their products' compatibility with a one-stop installation approach: Is your software based on open standards? Can it support a universal installation option? Can it be deployed across multiple user bases and applications for a variety of different user needs (costs included)? Are there any limits on scalability to additional users or applications? How will changes to this software impact other online banking systems? Will changes to other online banking systems affect this software? What makes the solution easy to implement? How frequently are security features added to this product?
Thomas Varghese is president, CTO and co-founder of Bharosa, Inc.











