FFIEC Guidance 2011: Focus on Awareness
Fraud Awareness Among 5 Most Critical Components
Federal regulators are taking seriously the growing number of ACH- and wire-related fraud incidents that for the last 18 months have targeted small business customers. And the tone of the update to the Federal Financial Institutions Examination Council's online authentication guidance suggests banking institutions could be held more accountable when one of their customers or members suffers from an online security breach.
Julie McNelley, a financial fraud analyst for Aite Group, says banking institutions cannot wait to begin moving forward with new technology investments and strategic planning aimed at curbing fraud. "We've been talking to institutions quite a bit about this," McNelley says. "They can't afford to suffer from fraud that might result from not doing more."
McNelley says the draft of the FFIEC Authentication Guidance, which has been widely circulated throughout the industry, provides "a pretty good road map," not only from a fraud mitigation perspective, but from an education perspective as well. In fact, of the five primary recommendation categories - layered security, multifactor authentication, the need for greater awareness among customers and employees, better risk assessment, and stronger user authentication practices - McNelley says customer education is one area banks and credit unions should focus on. These education campaigns cannot be taken lightly, and McNelley expects regulators to closely scrutinize the education programs banking institutions put in place, regardless of an institution's asset size. Every banking institution will be required to comply, she says.
"A lot of the larger institutions I've spoken with are moving forward with layered approaches, not just from fraud mitigation, but also by looking at their education programs," she says. "As we look at the mobile channel, mobile is not mentioned in the FFIEC guidance, but mobile will be the new frontier that institutions need to watch."
McNelley is quick to point out that not all educational programs and campaigns will be equal, and an institution's size and the breadth of its customer base will likely determine how layered its education needs to be. "Education differs greatly when we go from educating consumers to educating commercial customers," she says. "For consumers, especially, the education has to be multilayered. You need to come at them via a number of different media mechanisms, because consumers, like all of us, are distracted, and they don't read everything that comes across their desk."
McNelley suggests institutions explore opportunities for television advertising campaigns, radio spots and snail-mail mailings. Online campaigns could have a place, but banks and credit unions must be mindful of the behaviors they encourage. For instance, asking a consumer to click on a link he or she receives in an e-mail is probably not a responsible option, given today's phishy e-mail environment. Regulators, she adds, will be mindful of how well thought-out an institution's educational campaign is.
"You really need to go about educating consumers and businesses without scaring them away from using platforms that are key to the business of the financial institution," like the online or mobile channel. "Keep them educated about mobile vulnerabilities, for instance, but encourage them to use it," she says.
For more, listen to this one-on-one interview with McNelley: FFIEC Guidance and Compliance.