FFIEC Guidance: What Banks are Missing
New Insight on How to Meet Regulators' Expectations
As financial institutions work to conform to the Federal Financial Institutions Examination Council's updated Authentication Guidance, they have to view fraud from a cross-channel perspective. Yet, this is where many institutions are falling down, says fraud expert George Tubin. And that cross-channel gap hinders banks and credit unions more than they realize.
"Customers use multiple channels," Tubin says in an interview with BankInfoSecurity's Tracy Kitten [transcript below], and institutions have to view the entire relationship if they expect to adequately address fraud. "It gives you a much better picture of what is happening with that customer and potential fraud that may be happening in that account."
As federal bank examiners begin their reviews of FFIEC Authentication conformance, they want to know that institutions are building systems and architectures that can support ongoing compliance.
Institutions need to plan and look ahead by getting the entire organization involved. "If you're trying to get something through in the background and not involving the right people in your organization, then you run into other problems."
During this interview, Tubin discusses:
- The state of online security, and the marked difference between security practices and fraud-prevention investments being made at large banks versus community banks and credit unions;
- Steps smaller institutions need to take now to prepare for forthcoming regulatory exams;
- Why federal regulators are likely to be lenient at first regarding conformance to the FFIEC Authentication Guidance, but will expect more later.
Tubin is the founder of GT Advisors, an independent consultancy that focuses on financial services and technology issues. He has been in the consumer and small business banking and high-technology industries for more than 25 years. Tubin's areas of expertise include consumer online and mobile banking, online fraud and identity theft prevention, customer authentication, and enterprise fraud management strategies as well as general delivery channel strategies and technologies. Tubin most recently served as a senior research director at TowerGroup, where he delivered thought leadership and insights to leading financial institutions, technology providers and consultancies.
TRACY KITTEN: As you talk with U.S. financial institutions about the investments that they've made and plan to make in technology and solutions to help them meet the updated authentication requirements from the FFIEC, how prepared would you say that they are for the regulatory audits?
GEORGE TUBIN: Well, I think that all depends on what part of the industry you're looking at. You will get very different answers. I think when you look at the larger banks - the very large banks - they're very prepared. These are the banks that have been very involved for the past months and actually years with the regulators and with various conferences and security experts in terms of trying to make their security better and fraud prevention practices better. You have to remember too, these are the institutions that were seeing some of the more advanced attacks, so it was certainly in their interest to improve their security to help them mitigate those attacks.
When you start to get down in the smaller-sized financial institutions, mid-sized to smaller-sized, these are the institutions that don't have a lot of customers online relative to the big banks. They haven't really seen a lot of the fraud that the big banks are seeing and therefore they haven't been as abreast of the situation of what types of technologies and processes need to be put in place to help mitigate some of the more advanced fraud. When the new supplement came out, a lot of them were unprepared for it and a little bit confused and not quite sure why they needed to do it. Then, when they read the actual supplement, they had a lot of questions about what it actually meant. When you get down to the smaller part of the market, you'll find that the majority of the institutions are not 100 percent compliant. They haven't gone through and done everything, so I don't think they're extremely prepared right now, but I think the bigger institutions for the most part are.
KITTEN: In what areas have institutions made the most investments? What online threats are they most concerned about, would you say?
TUBIN: Bigger institutions and smaller institutions approach this very differently. The bigger institutions were certainly concerned about the latest man-in-the-browser techniques that we've heard of, a lot of social engineering that's happening, especially threats toward the small businesses. The person who owns a small business is focused on their business, not on the Internet and not on their banking, yet they're doing online banking, and we've seen a lot of fraud. When I say a lot, it's relative, but we've seen increasing fraud in that space. There are some recent court cases that a lot of people have read about. A lot of the bigger banks were concerned with that and their legal departments were concerned with what happens when this type of fraud occurs and if it becomes public. It's not just the issue of losing money, but it's the issue of their market perception. They were concerned about those types of threats, the man-in-the-browser and the zero-day attacks. They actually have been working to put technology in place, putting investments in place in anomaly detection and cross-channel fraud prevention, and doing a better job of fraud identification at various payment points along the way as well.
The smaller institutions haven't, for the most part, heard about these more advanced attacks, because frankly a lot of the fraudsters weren't going after that size bank. When they did go after the smaller bank - and remember there are thousands of these smaller-size institutions - even if a hundred of them had some type of advanced fraud happen to them, still the vast majority didn't. So on that lower end, I think that I've seen a lot of institutions actually making investments in out-of-band authentication, one-time password fobs for their corporate customers, which they feel, once put in place, is just a great fraud-prevention technology and one that will get them through their audit. Of course, there are still issues with one-time password fobs but it's certainly much better than what they've had.
Then, I think they're just beefing up some of their front-end authentication capabilities: making sure their secure cookies really are secure cookies and can't be moved from one machine to another; looking at their challenge questions the way the FFIEC supplement suggested and making sure that the questions are more out-of-wallet type questions, questions that a fraudster can't find out if they happen to peruse somebody's Facebook page or LinkedIn account. I think a lot of the investments have still yet to be made in that mid- and smaller-size institution.
KITTEN: Can you say, generally, where you see some of these institutions lacking in their investments, or is it too difficult to make a broad statement like that? Do we need to break it down by institution size?
TUBIN: Just remember that the larger institutions are further along and a lot of the issues that we see pertain more to the smaller institutions. So for the most part, I think we see institutions lacking in anomaly detection, even just the most fundamental basic, simple type of anomaly detection where let's say a certain company sends a wire out every month on the 30th for $800,000, or whatever it is. All of a sudden, there's a different routing number on that wire, different from what it's been for the past year. Something like that should be flagged as an anomaly. Simple things like that, not even necessarily much more complex anomalies that people are logging in at certain times and from different IP addresses and the navigation is different than it had been previously, which certainly gives you a lot more power behind your anomaly detection, but even at the most fundamental level. So I think that's really the area where we see most institutions lacking at this point in time.
KITTEN: Have you actually spoken with any institutions who have undergone audits?
TUBIN: I have not. I would love to, but of all the ones that I've talked to, they haven't received the audit yet and a lot of the smaller institutions I talk to don't even know really when to expect their audit.
FFIEC and Mobile FAQs
KITTEN: Based on your own perception and based on maybe some of the things that you're hearing from financial institutions, even though you haven't spoken with anyone who has undergone an audit, do you think we can expect an FAQ from the FFIEC in coming months, just something to clarify certain points of the guidance?
TUBIN: I think that once the examinations start, the feedback starts to come back into the agencies on trying to find some common issues and some common questions that the institutions actually have when the examiners go in. This is really direct input from the examiners in the field back into the policy writers and policy makers, and the regulatory agencies. Once they start to see some consistent issues, consistent questions and consistent problems, I think that's when you'll see an FAQ. It may be something that you'd see several months out from now.
KITTEN: Then what about mobile? Do you expect the FFIEC to issue some sort of addendum or FAQ that directly touches on authentication requirements from mobile banking?
TUBIN: There may be mention of it in an FAQ, a very brief mention, but I think that in the same way the agencies really spent well over a year looking at some of the issues in the industry that have occurred since the last or since the first FFIEC authentication guidance was put out, the agencies tend to spend a lot of time. They spend time with the financial institutions, with the vendors, with various experts, and try to weigh the inputs from all those sources, and then each of the agencies focuses on a different part of the market.
Then they have to talk to each other and sort of see things somewhat the same before the FFIEC sort of gets together to do a regulation. I think that we're still in that discovery phase right now with mobile banking, where behind the scenes there's a lot happening in terms of analysis and getting a read on what's happening right now in the market and what to expect over the next month and year. Then I think you'll see the regulators issue something, I think separate on mobile banking. It may be another addendum to the authentication guidance, which would probably make the most sense. That way they don't have to go through the extra hoops they need to issue something completely new. This authentication guidance was designed somewhat to be a living document that was updated periodically, so I think you may see an update that specifically focuses on mobile banking in a little bit more distant future, maybe very late this year.
On the positive side so far in the mobile-banking space, what banks have out there is really fairly benign in terms of what a criminal might do if they got access to mobile banking. There's information that could be had, but for the most part money movement is only within online banking bill-pay, and money can only be sent to payees that have been previously registered within online banking, and other than that there may be transfers within the same account. We're starting to see more P2P types of services offered. So I think as that rolls out more and we start to see some of the implications of that, and whether or not there is any fraudulent activity in that space, that will maybe accelerate how fast the regulators get something on mobile banking out.
Cross-Channel Fraud Detection
KITTEN: This is a nice transition to my next question. You've noted in the past that banks and credit unions shouldn't get too hung up on the ways that they secure specific channels such as mobile. Instead, they should aim for cross-channel or enterprise-level security. Would you still agree that's the best approach?
TUBIN: I certainly think so. It's the approach that every top-tier bank is doing or implementing or investigating at one level or another. We find that customers use multiple channels. There's not somebody that signs up for mobile banking and all they do is mobile banking, but they may do mobile banking and have a debit card and a credit card and visit the branch every now and then. So it's important to watch the entire relationship with the customer and look at what's happening across the channels vs. isolating just single incidents of channel usage. It gives you a much better picture of what is happening with that customer and potential fraud that may be happening in that account. If you just look at a single channel like the call center, where somebody comes in and asks for money to be sent to what they may call an associate's account or a friend's account and they have all the information they need, the person at the call center may not realize that there has been a tremendous amount of online-banking activity. The person may have been in the branch looking for additional information from the branch personnel, and then we're trying to find potential fraud just sitting within that one channel, which you may or may not catch; but when you see the fuller picture of what activity has been happening on that account, you certainly can get a much better read on potential fraud.
KITTEN: When we talk about cross-channel fraud prevention, are there any nuances that institutions should consider?
TUBIN: The biggest challenge I see with cross-channel and implementing a cross-channel fraud prevention capability is really organizational because it touches so many parts of the company. Whenever you're putting in a cross-channel or an enterprise-class type of technology, it sort of gets everybody involved, if you're doing it right. If you're trying to get something through in the background and not involving the right people in your organization, then you run into other problems.
First of all, whoever is the champion for a cross-channel fraud prevention approach really needs to be inclusive and needs to understand how the platform, how the technology, is going to benefit various constituencies within the organization, whether it's the customer-service folks, the product management folks, the fraud folks, the loss-prevention folks, and really understand how it touches them so they can sell the project to them as well as work with them on an ongoing basis.
When it comes to a more granular level of the technology, institutions should look at putting things in a phased approach so that they're not trying to boil the ocean and throw an entire system in thinking they can flip a switch and suddenly everything is going to work fine. But they need to maybe look at implementing a few of their higher-priority, higher-risk channels first. Then start including other channels as you go along, maybe first implementing the common case-management platform that takes feeds from all the channels and normalizes some of the alerts that are coming out so the fraud analysts can start to look at and prioritize fraud that's happening within the channels differently and start to be able to use the case-management tool to pull in information from other channels and from other back-end systems to do a better job of analyzing the fraud.
Probably the overall recommendation is to plan for it, build the architecture and think about what it's going to look like when the institution is done, but then really carefully think about the steps that need to be taken to get there. Phase it into multiple project pieces, tangible deliverables every step of the way.
KITTEN: What recommendations would you offer to institutions that have not yet undergone an audit on what they should focus?
TUBIN: First of all, every institution should have done a risk assessment and they need to have that in hand when the examiner comes in. Secondly, they have to show progress. They have to show that they've been doing something for the past six months and they didn't just start looking at this thing in January. That won't make for a good result. Then they have to have a plan. They have to be able to demonstrate that they're going somewhere, they understand what it is they need to do and these are the steps they're going to take and maybe it's "demoing" or putting a beta out of a certain technology, but they really have to show that this is something they're taking seriously, they have taken seriously and there's a plan in place to get them in compliance within a specific time frame.
Fraud Trends in 2012
KITTEN: Before we close, I wanted to ask what fraud trends are you most concerned about for banks as we start 2012?
TUBIN: I think it's the same ones we've been concerned with. It's the man-in-the-browser type of attack that we've seen occur across a lot of institutions, and I think that what the regulators are requiring is certainly going to help institutions mitigate that type of fraud, but I think that for at least half a year, until at least a majority of institutions get into compliance, they're still very vulnerable. I think you'll see the fraudsters start to focus on the smaller institutions and the mid-sized institutions that they know take longer to get into compliance.
We'll continue to see those problems for several months, and as we roll out more payment capabilities in the mobile channel, as much as I could say all the institutions I've spoken with and all the vendors are doing just a tremendous job and really putting security first, and really thinking about the implications of offering payments in that channel, we always miss something and the criminals will always find whatever it was we missed. That's one thing you can count on. We will see vulnerabilities. Hopefully, the way it's being developed is mitigating most of the ones that we could think of, but there's always something you didn't think of.
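The following Python sketch is an added illustration, not part of the interview and not any institution's or vendor's code. It implements the "most fundamental" anomaly rule Tubin describes (a long-standing recurring wire that suddenly carries a different routing number is flagged) and goes one step further than the interview by also correlating the wire with recent activity in other channels, as in his call-center scenario. Every customer name, payee, routing identifier and event is a constructed placeholder; the 72-hour correlation window, the 25 percent amount tolerance and the list of precursor event kinds are assumptions chosen for the example.

```python
"""Baseline-and-deviation anomaly detection over constructed wire history.

Added example: builds a per-(customer, payee) baseline from past wires, flags a
new wire that deviates from it, and lists account-takeover precursor events
from other channels that preceded the wire. All data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed routing identifiers, not real ABA numbers.
ROUTING_USUAL = "RTN-PLACEHOLDER-A"
ROUTING_NEW = "RTN-PLACEHOLDER-B"

# Assumed set of event kinds that commonly precede account takeover.
PRECURSORS = {"login_new_device", "contact_info_changed", "password_reset"}


@dataclass(frozen=True)
class Wire:
    customer: str
    when: datetime
    amount: float
    payee: str      # payee as the customer names it
    routing: str    # destination routing identifier
    channel: str    # originating channel: online, call_center, branch


@dataclass(frozen=True)
class Event:
    customer: str
    when: datetime
    channel: str
    kind: str       # e.g. login_new_device, contact_info_changed


@dataclass
class Baseline:
    routings: set = field(default_factory=set)
    amounts: list = field(default_factory=list)
    days: set = field(default_factory=set)


def build_baselines(history):
    """Summarise each (customer, payee) pair's past wires."""
    baselines = defaultdict(Baseline)
    for w in history:
        b = baselines[(w.customer, w.payee)]
        b.routings.add(w.routing)
        b.amounts.append(w.amount)
        b.days.add(w.when.day)
    return baselines


def score_wire(wire, baselines, amount_tolerance=0.25):
    """Return the reasons a new wire deviates from its baseline (empty list = routine)."""
    b = baselines.get((wire.customer, wire.payee))
    if b is None:
        return ["first wire to this payee"]
    reasons = []
    if wire.routing not in b.routings:
        reasons.append(f"routing number {wire.routing} never used for payee {wire.payee}")
    mean = sum(b.amounts) / len(b.amounts)
    if abs(wire.amount - mean) > amount_tolerance * mean:
        reasons.append(f"amount {wire.amount:,.2f} deviates more than "
                       f"{amount_tolerance:.0%} from mean {mean:,.2f}")
    if wire.when.day not in b.days:
        reasons.append(f"day-of-month {wire.when.day} outside usual {sorted(b.days)}")
    return reasons


def cross_channel_precursors(wire, events, window=timedelta(hours=72)):
    """Kinds of precursor events from *other* channels in the window before the wire."""
    start = wire.when - window
    return [e.kind for e in sorted(events, key=lambda e: e.when)
            if e.customer == wire.customer and e.channel != wire.channel
            and start <= e.when <= wire.when and e.kind in PRECURSORS]


def demo():
    # Constructed history: a recurring $800,000 wire on the 30th of each month
    # of 2011 (February skipped because it has no 30th).
    history = [Wire("Acme Tooling", datetime(2011, m, 30), 800_000.0,
                    "Parts Supplier", ROUTING_USUAL, "online")
               for m in range(1, 13) if m != 2]
    baselines = build_baselines(history)
    routine = Wire("Acme Tooling", datetime(2012, 1, 30, 9), 800_000.0,
                   "Parts Supplier", ROUTING_USUAL, "online")
    suspicious = Wire("Acme Tooling", datetime(2012, 1, 30, 10), 800_000.0,
                      "Parts Supplier", ROUTING_NEW, "call_center")
    events = [  # constructed activity seen in other channels
        Event("Acme Tooling", datetime(2012, 1, 28, 14, 0), "online", "login_new_device"),
        Event("Acme Tooling", datetime(2012, 1, 28, 14, 5), "online", "contact_info_changed"),
        Event("Acme Tooling", datetime(2012, 1, 29, 11, 0), "branch", "balance_inquiry"),
    ]
    return {
        "routine": score_wire(routine, baselines),
        "suspicious": score_wire(suspicious, baselines),
        "cross_channel": cross_channel_precursors(suspicious, events),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The routine wire produces no reasons; the call-center wire produces a single routing-number reason, and the cross-channel check adds the two online precursor events that a call-center agent looking only at their own channel would never see. In practice the baseline would be persisted and the thresholds tuned per customer segment, but the shape of the check (a normalized feed from every channel, a per-relationship baseline, and a case opened when the two disagree) is what the interview's "look at the entire relationship" advice comes down to.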