As Frost Bank guns for the Federal Financial Institutions Examination Council's finish line, it may be a few lengths short when the fast-approaching multi-factor authentication compliance deadline arrives on December 31. The San Antonio-based institution expects to have its online high-risk compliance components for retail customers lined up, but it won't put a bow on its more complex commercial banking authentication upgrade until after the new year.
Frost is far from alone, and is well ahead of most institutions struggling to meet the FFIEC guidelines, which call for banks to address stronger authentication for all high-risk transactions by year end. According to a recent Aite Group survey, only 57 percent of banks will have online multi-factor authentication in place before 2007-and only another 24 percent expect to be on board next year. Five percent had no plans under way to conduct a risk assessment-the FFIEC's minimum first step.
If the question is why banks are seemingly dawdling, consider that Frost started its risk-assessment exercises in 2003, two years before the FFIEC published its edict in the Federal Register. Assessing risk is not about a to-do checklist, but is an organic exercise involving customer segmentation, business lines and technical savviness. Many bankers and fraud experts agree the FFIEC compliance path is proving more difficult than imagined, with some institutions unsure where to begin risk assessment and others suffering paralysis-by-analysis in the bewildering array of solutions: mutual authentication, biometrics, behavioral-based, digital certificates, etc. "The concern from financial institutions is the amount of time available to come into compliance," says Greg Hughes, chief security officer of online banking provider Corillian.
The FFIEC has been vague on specifics and neutral on technology paths, but has told banks to first concentrate in the online arena, says TowerGroup senior analyst George Tubin.
In June, Celent issued an analysis of FFIEC compliance that notes banks are "eagerly watching" how their peers react to the looming deadline, for which "many banks will scurry at the last minute to put something in place. It is quite likely that many will not deploy two-factor authentication by year-end 2006," according to Celent.
For those adding a solution just to meet the deadline, a recent Aite survey indicates it may be shortsighted: It found most banks expect a "one-time capital expenditure." That strategy invites scalability problems and wasteful spending, experts say. In an anecdotal caveat, Aite noted a new email authentication feature at a top-five U.S. bank was cracked in four days, eight hours and 21 minutes.
Working under the assumption that fraud is mutable and capricious, Uday Shetgero, Frost Bank's svp of Internet security, steered an early 2003 look at the $10 billion institution's vulnerabilities toward channels with high-risk transactions. "We developed a fraud framework, and recognized that each channel had channel-specific anti-fraud systems," says Shetgero. Frost is deploying the PassMark mutual authentication solution from EMC's soon-to-be acquired RSA Security, but plans a more stringent PKI digital-signatures tool for business banking next year.
Tom McDonnell, Frost Bank's svp of business banking, says a recent survey at an industry forum shows "a significant variance" in adoption strategies. "Some of our peer[s] had already implemented this and basically crossed the bridge, but weren't really sure if their solution would meet enterprise needs."
Banks approaching RSA Security are driven by the FFIEC guidelines, says Chris Young, svp and general manager of the consumer solutions division, but are also asking about maintenance. "Most of the banks... recognize that having a baseline solution is not going to be an endgame," he says.
Banks must also consider how evolving Internet and security standards will impact their choices, such as ubiquitous smart-card support in Microsoft's Vista operating system, a potential market-shift product displacing token solutions.
If banks have some head scratchers ahead of them, it may not compare to the rough haul awaiting security vendors themselves. The variety of tools are producing delineated market trends (risk-based factors favored in the U.S. versus tokens in Europe and Asia), and U.S. banks' relatively light fraud losses in the online channel mean less capital available for online authentication solutions, stoking third-party revenue challenges and consolidation drivers in a crowded security market
But ultimately it's the banks whose reputation is at stake in the multi-factor authentication maze. "From my perspective, I'm surprised that banks have sat on the sidelines for too long, and hadn't done anything to address the issue of [online] security," says Tubin. "Instead, they waited for the regulators."
Will the regulators wait for them?