Smaller Banks Scramble to Meet January Security Deadline

The first federal regulators are set to meet with banks next year to examine security plans for online banking, as stipulated by the newest Federal Financial Institutions Examination Council guidance this summer.


While banks are in varying stages of readiness for compliance, the guidance has affected smaller and regional banks disproportionately. Many rely on core banking providers for security, have smaller technology staffs and budgets, and must cobble together security systems from multiple vendors to make the grade.

This is problematic because core banking providers tend to design services for mass appeal, not specific problems. Similarly, banks must make a case for more technology spending in a market seeking to consolidate vendor relationships. The development cycle for such projects can also be quite lengthy.

"It is harder for smaller banks who don't have the manpower and staff and don't push the budget to IT," says Will Sampson, senior vice president and chief information officer for The East Carolina Bank.

The bank, which is based in Engelhard, N.C., and has about $1 billion in assets, had for years been in the process of upgrading its entire security platform before the guidance was released, Sampson says.

Because new guidance had been expected for a long time, many bankers were relieved to finally see it in writing. The new guidance covered security issues for electronic banking such as the need for a multi-layered approach. This means combining strong authentication at log-ins with device identification, anomaly detection, or other systems that can be invoked at any point of the online banking process.
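To make the "multi-layered" idea concrete, here is an added illustration of how the layers combine into one decision; it is not code from the article or from any bank or vendor it names. The session fields, the profile fields, the thresholds (for example, a transfer more than three times the customer's typical amount) and the four outcomes are assumptions chosen for the example: a correct password is necessary but never sufficient, device recognition and anomaly signals decide whether to allow the action, require a second factor (step-up), or hold it for out-of-band confirmation, and the check can run at login or at transaction time.

```python
"""Risk-based, layered authentication decision for an online banking session.

Added example, not the implementation of any bank or vendor in the article.
Field names, thresholds and outcome labels are assumptions for illustration.
"""
from dataclasses import dataclass

ALLOW, STEP_UP, HOLD, DENY = "allow", "step_up", "hold", "deny"


@dataclass
class Session:
    user: str
    password_ok: bool       # layer 1: credential check already performed
    device_id: str          # layer 2: device identification token
    country: str            # layer 3: context used for anomaly detection
    hour: int               # local hour of day, 0-23
    action: str             # "login", "view" or "transfer"
    amount: float = 0.0     # only meaningful for "transfer"


@dataclass
class UserProfile:
    known_devices: set          # devices previously enrolled for this user
    usual_country: str          # country the user normally logs in from
    usual_hours: range          # hours the user normally transacts
    typical_transfer: float     # typical transfer amount (constructed value)


def risk_signals(s: Session, p: UserProfile) -> list:
    """Return the anomaly signals that fire for this session, in a fixed order."""
    signals = []
    if s.device_id not in p.known_devices:
        signals.append("new_device")
    if s.country != p.usual_country:
        signals.append("unusual_country")
    if s.hour not in p.usual_hours:
        signals.append("unusual_hour")
    if s.action == "transfer" and s.amount > 3 * p.typical_transfer:
        signals.append("large_transfer")
    return signals


def decide(s: Session, p: UserProfile) -> tuple:
    """Combine the layers into one decision; returns (decision, signals)."""
    if not s.password_ok:
        # First layer failed: nothing else is evaluated (and nothing is leaked
        # about whether the device or location would have been accepted).
        return DENY, ["bad_password"]
    signals = risk_signals(s, p)
    if not signals:
        return ALLOW, signals
    # A money movement with two or more independent signals (e.g. new device
    # plus unusual country) is held for out-of-band confirmation rather than
    # merely challenged with a second factor.
    if s.action == "transfer" and len(signals) >= 2:
        return HOLD, signals
    return STEP_UP, signals


# Constructed sample profile used by the usage example and the checks below.
SAMPLE_PROFILE = UserProfile(
    known_devices={"dev-A"},
    usual_country="US",
    usual_hours=range(7, 22),
    typical_transfer=500.0,
)

if __name__ == "__main__":
    cases = [
        Session("alice", True, "dev-A", "US", 10, "login"),
        Session("alice", True, "dev-B", "US", 10, "login"),
        Session("alice", True, "dev-B", "US", 3, "transfer", 2000.0),
        Session("alice", False, "dev-A", "US", 10, "login"),
    ]
    for c in cases:
        print(c.action, c.device_id, c.hour, "->", decide(c, SAMPLE_PROFILE))
```

The point of the structure is that each layer contributes a signal rather than a verdict; the verdict comes from the combination, so a stolen password alone, or a single odd signal on a read-only action, does not trip the strongest response, while a transfer that looks wrong on several axes does.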

Central Bank and Trust, which has about $2 billion in assets, says it has worked for the past four years to create a multi-layered security system. Still, the Lexington, Ky., bank says it will have to make investments in back-end technology to add transaction anomaly detection and other protections.

"The new guidance and the specific language of addressing and monitoring systems similar to the way the debit and credit card networks do is going to take some adjustment for us," says Jeff Jacob, director of security for Central Bank and Trust.

The bank works with Fiserv Inc., NCR Corp. and ACI Worldwide Inc. for core banking, retail Internet, and commercial online banking, respectively. While each of those vendors has its own security protocols, Central Bank must fill in the gaps with its own security program or reach out to other vendors, it says.

Most recently, to address man-in-the-middle and man-in-browser attacks, the bank contracted with Trusteer Inc. of Wellesley, Mass., to use its Rapport secure browser product.

The new FFIEC guidance "impacts credit unions and community banks disproportionately because they tend to outsource their online and security practices," says Ward Howell, director of security solutions consulting for Q2ebanking, a unit of CBG Holdings Inc. of Austin, Texas. Q2 provides core online banking and security products and services.

Eighty-five percent of small and regional banks say they have plans to update their security controls in the coming months. About 85% say they will purchase new technology over the same period to meet the new guidance, according to a survey by Guardian Analytics Inc. of about 300 financial institution executives.

But 44% say they have done no formal risk assessment yet, though they are required to do one annually by the guidance, the survey says.

"The way I read this, the overwhelming majority know they have to make an investment and make a plan and take action, but many have not done the basics yet," says Terry Austin, president and chief executive of Guardian, which is based in Mountain View, Calif.

One reason so many banks have not begun to craft a plan is that they have too much on their plates with other new regulations, Austin says.

If they don't perform the assessments, however, regulators could put a negative finding in their reviews of the banks, or they could be fined over time, experts say.

"The banking industry has rapidly turned to gaining compliance status, but by and large [banks] are not there now and they won't be fully there on January 1," says Bill Repasky, a partner and banking expert with law firm Frost Brown Todd LLC of Louisville, Ky.

One issue is that banks have to craft a comprehensive, multi-page risk assessment plan, and continue to present one annually to regulators. That is both complex and time-consuming, experts say. The FFIEC guidance is also purposely vague in places, experts say, in an attempt not to be overly prescriptive. But that has left many of the smallest banks scratching their heads.

"It is an elaborate process to assess risk to an electronic banking system," says Avivah Litan, vice president and distinguished analyst for Gartner Inc. "The smaller banks I talk to have a hard time with the interpretation, and they are not clear on what they have to do."

A big area of confusion is around automated clearing house transfers and large batch files, Litan says. Criminals are increasingly placing fraudulent transfer requests within aggregated files with many names, most of them otherwise legitimate.

Big banks are spending millions of dollars to build systems that can look carefully at ACH batch files. Meanwhile, smaller banks must rely on vendors that provide them with core banking services. And most of these are not providing such services yet, experts say.

Another area of confusion is around mobile. While the FFIEC created a definition of an electronic transaction in the guidance, "it was sufficiently vague so that it could apply to mobile or online," says Julie Conroy McNelley, a senior analyst and fraud expert with Aite Group, of Boston. "That does not serve financial institutions well."

Currently most banks do not allow users to perform complicated transactions on mobile devices, and fraud is less prevalent in that channel — but the level of technology in phones is likely to change quickly, experts say.

While only 15% of community banks offered mobile banking in 2010, according to the Independent Community Bankers Association, half say they are planning to offer it within the next two years. And as more banks offer mobile services and allow customers to conduct higher value transactions, security concerns for that channel will also increase.

Vendors are scrambling to produce products that solve both mobile and ACH security issues implied by the guidance.

IronKey Inc. of Sunnyvale, Calif., for example, has linked its secure PC browser with mobile authorization for two-factor authentication. It is also working on technology that will work inside a banking application to conduct a malware scan of mobile devices to determine the security health of the device, reporting conditions back to the bank. The new product should be available in the second quarter of 2012.

"Subsequent guidance will have to tackle [the mobile channel] and be more prescriptive," says Dave Jevans, founder and chief technology officer of IronKey.

Bankers agree with this prediction.

"We were most surprised by the fact that mobile banking is not addressed in more detail [in the guidance] but we think this will certainly come, as that product is still somewhat in the early stages," says Steve Kelly, executive vice president and director of marketing for Central Bank.

Similarly, Guardian Analytics plans in the second quarter to release something it calls FraudMap for ACH, which will look for behavioral abnormalities in ACH batch files and file origination points.
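The ACH problem described earlier (fraudulent entries buried in a large batch of otherwise legitimate ones) and the behavioral screening of batch files and origination points mentioned here both come down to comparing each entry against what its originator normally does. The following is an added example of that screening, not Guardian Analytics' FraudMap or any bank's system. The record layout is a constructed, simplified one (originator, origination point, payee account, amount), deliberately not the NACHA file format, and the historical batches that form the baseline are constructed as well.

```python
"""Screening an ACH-style batch file for behavioral anomalies.

Added example, not any vendor's or bank's product. Record layout, sample
data and the 3x-median amount threshold are constructed for illustration.
"""
from collections import defaultdict
from statistics import median


def parse_batch(text: str) -> list:
    """Parse constructed 'originator, origination point, payee, amount' lines."""
    rows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        orig, point, payee, amount = [f.strip() for f in line.split(",")]
        rows.append({"originator": orig, "point": point,
                     "payee": payee, "amount": float(amount)})
    return rows


def build_baseline(history: list) -> dict:
    """Per-originator profile: payees paid before, points files came from, amounts."""
    base = defaultdict(lambda: {"payees": set(), "points": set(), "amounts": []})
    for r in history:
        b = base[r["originator"]]
        b["payees"].add(r["payee"])
        b["points"].add(r["point"])
        b["amounts"].append(r["amount"])
    return base


def screen(batch: list, baseline: dict, amount_factor: float = 3.0) -> list:
    """Return (row, reasons) for every entry that deviates from its originator's baseline.

    Entries that match the baseline on every axis are not returned, which is
    what lets the few bad entries stand out inside a large legitimate file.
    """
    flagged = []
    for r in batch:
        reasons = []
        b = baseline.get(r["originator"])   # .get() does not create a profile
        if b is None:
            reasons.append("unknown_originator")
        else:
            if r["payee"] not in b["payees"]:
                reasons.append("new_payee")
            if r["point"] not in b["points"]:
                reasons.append("new_origination_point")
            if r["amount"] > amount_factor * median(b["amounts"]):
                reasons.append("amount_outlier")
        if reasons:
            flagged.append((r, reasons))
    return flagged


# Constructed prior batches for one payroll originator (the baseline).
HISTORY = """
# originator, origination point, payee account, amount
acme-payroll, ip-office, 1001, 2500
acme-payroll, ip-office, 1002, 2400
acme-payroll, ip-office, 1003, 2600
acme-payroll, ip-office, 1001, 2500
acme-payroll, ip-office, 1002, 2400
"""

# Constructed new batch: three normal entries and one that differs on every axis.
NEW_BATCH = """
acme-payroll, ip-office, 1001, 2500
acme-payroll, ip-office, 1002, 2400
acme-payroll, ip-office, 1003, 2600
acme-payroll, ip-home, 9999, 9800
"""


def run_example() -> list:
    """Screen NEW_BATCH against the baseline built from HISTORY."""
    baseline = build_baseline(parse_batch(HISTORY))
    return screen(parse_batch(NEW_BATCH), baseline)


if __name__ == "__main__":
    for row, reasons in run_example():
        print(row["originator"], row["payee"], row["amount"], "->", ", ".join(reasons))
```

In the sample data the baseline median amount is 2500, so the 9800 entry exceeds the 3x threshold and is flagged on amount as well as on its unseen payee and unseen origination point; a real deployment would tune the threshold per originator and add velocity checks, but the per-originator comparison is the core of the approach.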

"In the last 12 months we have seen 140% growth in customers as they continue to take action and get ready for FFIEC," Austin says.

MORE FROM AMERICAN BANKER