Online Authentication: Multifactor Race Nears Finish Line

Everybody's finally in the pool.


Nearly a year after half of all U.S. institutions missed the deadline to adopt stricter FFIEC guidelines for online authentication, analysts say that banks have finally, and almost universally, put their multifactor and other risk-mitigation layers in place.

In a new research report, TowerGroup now deems 95 percent of institutions in compliance with the FFIEC guidance issued in 2005 that required stricter measures for enhanced authentication of users. Most banks read that as a call to adopt multifactor solutions, ranging from behind-the-scenes customer-behavioral analytics that flagged unusual activity to the corporate banking-oriented token solutions.

(Technically, the FFIEC did not stipulate multifactor itself; but its demand for better risk-mitigation meant that the single-factor user name/password system widely used was no longer adequate.)

TowerGroup's compliance measurements found 80 percent of institutions have adopted an acceptable technique; 10 percent have one planned; and another five percent must fix errors in their chosen layered security approach.

Any institution that has a fix in place or one on the way meets the FFIEC's rule, according to TowerGroup research director George Tubin. The remaining five percent of institutions that still fall short of compliance include ones that bought or built a non-compliant method (such as multiple passwords) or who are still twiddling thumbs.

As Tubin notes in his report, these banks have inexplicably (and very wrongly) concluded guidance was "not pertinent to their particular situation."

"I think going into 2006 a lot of banks were hoping the regulators would back off a little bit" about the year-end deadline, says Tubin. "That didn't happen."

But banks got into gear this year, and so will be heading into 2008 with the guidance-adoption rush over. The FFIEC itself has yet to issue any statistics on the levels of enhanced authentication, and a regulatory agency spokesman did not return a call for comment.

Now that so many banks have chosen their authentication solution, it's becoming clear which vendors emerged as winners.

RSA Security, an EMC company that owns the Passmark Security image and challenge-based mutual authentication technology that was adopted by Bank of America in 2005, has a 41 percent market share among top 100 banks, according to an online banking study by Aite Group. CheckFree was second with 31 percent.

Most solutions adopted protect users without requiring them to do much of anything. Device identification techniques that authenticate users take residence on customer PCs through Flash shared objects and secure cookies.

Behavioral and risk-based analytics work from the bank's end, creating in-session profiles of online banking habits (for example, does the person pay online bills at a certain time of the month?).

Most solutions are tweaked so that challenges are prompted as infrequently as possible. The multifactor solutions that require hardware tokens, PC plug-ins, biometrics and PKI-based digital keys remain "impractical" for most consumer banks, according to Tubin.

Not all tools are covert. In September, Bank of America began a free service called SafePass that allows customers to restrict more "sensitive" payments through a one-time PIN code delivered via a text message. "We want customers to understand what the risks are and how to mitigate those risks," says Mike Pennella, an e-commerce enterprise services executive with BofA.

What Tubin found intriguing from the survey is how little interest banks have in back-end detection systems, IP intelligence measures and out-of-band authentication. Those are the predominant measures in Australia, where an e-payment based clearing system has reduced monthly fraud totals from $20 million in 2006 to $500,000 in 2007.

With stronger online tools in place, banks may next face calls from regulators to ramp up security measures for other electronic channels such as mobile and IVR/call center banking. But banks face serious challenges in building out mobile and telephone banking solutions. Celent senior banking analyst Jacob Jegher, in a multifactor report, said banks with telephone banking authentication (only 30 percent this year) "have to find a balance between human intervention and cutting-edge technology," in the IVR setting. And the most likely solution, voice authentication, has to overcome intrusive interaction hurdles.

(c) 2007 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
