For Small Banks, Help with Decision on Authentication

How can small banks decide whether they need two-factor authentication, and if so how to implement it? An online banking technology company and a consulting firm may help.

The consulting firm, CC Pace Systems Inc. of Fairfax, Va., is offering what it calls a toolkit on the issue. The technology company, Digital Insight Corp. of Calabasas, Calif., plans to have one for its customers in April.

Jacqueline Thompson, the compliance officer for Alliance Bank of Chantilly, Va. - a Digital Insight customer - plans to use both.

"You feel lost," said Ms. Thompson, whose bank's holding company is the $662 million-asset Alliance Bankshares Corp. of Chantilly.

October guidelines from the Federal Financial Institutions Examination Council advised banks that by the end of this year they should use more than just a password to confirm the supposed customer's identity in high-risk transactions.

But Ms. Thompson said the regulators should have provided some direction. "I don't understand why, when this guidance and these laws come out, why there can't be … maybe several avenues they can suggest," she said.

Whether and how to comply are especially difficult questions for small banks with correspondingly limited legal and technology teams.

"Sometimes you feel like you're shooting darts in the dark," Ms. Thompson said. "You don't know if you're hitting the target, and you don't know if you're hitting the bull's-eye. You find out when the regulators come in."

Edward Neumann, a managing director at CC Pace, said many banks need some sort of guidebook to tell them what to do. "Literally two thirds of banks have really small IT budgets focused on compliance and Internet banking" and cannot afford consultants or new staff to address the guidelines, he said.

His company's toolkit and online seminars - for two of which Ms. Thompson has signed up - are meant to address these concerns at a lower cost.

The toolkit costs $5,500. Mr. Neumann said it consists of "three binders and two CDs - hard and soft copies - of all of the questions that banks have to answer to determine if they have high-risk transactions."

Digital Insight's compliance kit will explain the authentication changes it plans for its software and tell customers how to discuss the authentication issue with regulators and end users, said Scott Mackelprang, its vice president of security and compliance.

This year the company will add one strong-authentication method from TriCipher Inc. of San Mateo, Calif., to its hosted service, Mr. Mackelprang said. Next year it will add more TriCipher methods, he said.

If banks and credit unions "have outsourced the Internet banking stuff, I don't know that they would be capable of doing [the risk assessment] by themselves," he said. "We understand the product, and we understand the risks."

Alliance's Ms. Thompson said she wants to compare the information in the CC Pace kit and the one from Digital Insight.

Ariana-Michele Moore, an analyst at Celent Communications LLC in Boston, said the FFIEC's guidelines "are rather vague" because they are meant to give flexibility. But many banks would prefer straightforward instructions, she said.

"I can appreciate why these guidebooks could offer some value, particularly to the smaller firms," Ms. Moore said. "Even among the larger financial institutions, there are some questions."

But banks, though they should discuss such matters with their vendors, should make their own decisions, Ms. Moore said.

"I would never trust a vendor to tell me how to comply," she said. "It's up to every financial institution to determine … because at the end of the day, it's the bank that's responsible."

