Multi-Factor Authentication: Two-Factor Timing Twists Up Bankers

As Frost Bank guns for the Federal Financial Institutions Examination Council's finish line, it may be a few lengths short when the fast-approaching multi-factor authentication compliance deadline arrives on December 31. The San Antonio-based institution expects to have its online high-risk compliance components for retail customers lined up, but it won't put a bow on its more complex commercial banking authentication upgrade until after the new year.

Frost is far from alone, and is well ahead of most institutions struggling to meet the FFIEC guidelines announced last October, which called for banks to address stronger authentication for all high-risk transactions by year-end. According to a spring survey from Aite Group, only 57 percent of financial institutions will have multi-factor authentication for online banking in place before 2007, and only another 24 percent expect to be on board next year. Five percent had no plans under way to conduct a risk assessment, the minimum first step the FFIEC expects.

If the question is why banks are seemingly dawdling, consider that Frost started its risk-assessment exercises in 2003, two years before the FFIEC published its edict in the Federal Register. Assessing risk is not about combing a to-do checklist, but is a malleable and organic exercise involving customer segmentation, business lines, and technical savviness. Many bankers and fraud experts agree the FFIEC compliance path is proving more difficult than imagined, with some institutions unsure where to begin risk assessment (especially across the enterprise) and others suffering paralysis-by-analysis in the bewildering array of solutions: mutual authentication, biometrics, behavioral-based, digital certificates, etc. "The concern from financial institutions is the amount of time available to come into compliance," says Greg Hughes, chief security officer of online banking provider Corillian.

Then there are the vagaries of the guidance itself. Bank officers and executives are filled with questions regarding what constitutes compliance for this year's target implementation. What is the level of progress needed in risk assessments or deployment? Do banks need to cover the Internet-banking channel, or all "electronic banking channels" including telephone banking? If so, was that only for automated features like interactive voice response?

The FFIEC and member agencies have been vague on specifics and neutral on technology paths, but they have told banks to first concentrate in the online arena, says TowerGroup senior analyst George Tubin. "The FFIEC wants to see [compliance] as a project that banks are working on, and have put some thought into," Tubin says.

In June, Celent issued an analysis of FFIEC compliance that notes banks are "eagerly watching" how their peers react to the looming deadline, for which "many banks will scurry at the last minute to put something in place. It is quite likely that many will not deploy two-factor authentication by year-end 2006," according to Celent.

For those adding a solution just to meet the deadline, a March survey by Aite indicates they may be doing it shortsightedly. Aite's report, "Online Banking Authentication and Fraud Detection," found most banks looking to add enhanced authentication as a "one-time capital expenditure." That strategy invites scalability problems, wasteful spending and misses the boat on fraudster methodology, experts say. In an anecdotal caveat, Aite noted how a new e-mail authentication feature at a top-five U.S. bank was cracked in exactly four days, eight hours and 21 minutes.

Working under the assumption that fraud is mutable and capricious, Uday Shetgero, Frost Bank's svp of Internet security, steered an early 2003 look at the $10 billion institution's vulnerabilities toward all channels with high-risk transactions. "We developed a fraud framework, and recognized that each channel had channel-specific anti-fraud systems," says Shetgero. Looking at fraud as an enterprise problem helped Frost determine the levels of risk each area and transaction level represented, which provided a guide to adopting varied authentication strategies across retail, commercial and telephone banking. Frost is deploying the PassMark mutual authentication solution from EMC's newly acquired RSA Security, but plans a more stringent PKI digital-signatures tool for business banking next year.

Shetgero also made sure the path to a future enterprise fraud deployment remained open, by ensuring each solution would compile transactional data, events and analytics.

That is not thought to be a common practice among banks shopping for authentication solutions. Tom McDonnell, Frost Bank's svp of business banking, says a recent survey he spied at an industry forum shows "a significant variance" in adoption strategies. "Some of our peer banks had already implemented this and basically crossed the bridge, but weren't really sure if their solution would meet enterprise needs," he says.

Most regional and smaller banks are depending on the vendors to keep them apace of the evolving fraud thicket. Bank clients approaching RSA Security are driven by the FFIEC guidelines, says Chris Young, svp and general manager of the consumer solutions division, but they are also asking about the need for ongoing maintenance. "Most of the banks we're dealing with recognize that having a baseline solution is not going to be an endgame," Young says.

Besides new threats, vendors have to tune a fraud system to a customer's acceptance. At a TowerGroup conference in late May, Tubin prompted a few jaws to drop when he described an institution that wanted a 16 percent authentication challenge rate, far above the industry norm of three percent.

Banks must also be cognizant of how evolving Internet and security standards will impact their choices, such as ubiquitous smart-card support in Microsoft's upcoming Vista operating system, a potential market-shift product displacing token solutions.

If banks have some head scratchers ahead of them, it may not compare to the rough haul awaiting security vendors themselves. The variety of tools and methods across the globe is producing delineated market trends (risk-based factors favored in the U.S. versus tokens in Europe and Asia), and U.S. banks' relatively light fraud losses in the online channel mean less capital available for online authentication solutions, stoking third-party revenue challenges and consolidation drivers in a crowded security market.

But ultimately it's the banks whose reputation and regulatory muster is at stake in the multi-factor authentication maze. "From my perspective, I'm surprised that banks have sat on the sidelines for too long, and hadn't done anything to address the issue of [online] security," says Tubin. "Instead, they waited for the regulators."

Will the regulators wait for them?

(c) 2006 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
