Enterprise Security Must Go Beyond FFIEC Authentication
Using Cross-Channel Fraud Detection
As the January deadline for the Federal Financial Institutions Examination Council's updated authentication guidance looms, banks and credit unions are working toward compliance. But experts say financial institutions should be looking beyond the guidance, making investments in cross-channel fraud detection.
Increases in so-called account takeovers, often the result of phishing attacks waged against retail and commercial bank accounts, have prompted a response from regulators.
The Financial Services Information Sharing and Analysis Center [FS-ISAC] says banking institutions over the last year have taken steps to invest in technology that thwarts commercial account takeovers via the online channel [See ACH Fraud: The Impact on Banks].
Errol Weiss, a member of the FS-ISAC and head of the council's Account Takeover Task Force, says financial losses associated with takeover incidents are decreasing, despite increasing online attacks. "Banks and customers are recognizing the situation sooner and are getting into response mode quicker, and so they're able to retrieve the funds before the transactions are irreversible," Weiss says.
In June, the FFIEC responded to growing concerns about online security when it issued updated guidance for authentication of retail and commercial account transactions [See FFIEC Authentication Guidance].
Susan Hawkins, senior vice president and group executive of e-banking, mobile and commercial treasury solutions for core processor FIS, says most financial institutions have spent the last six months assessing risks and laying out plans for investments in enhanced online security.
"With the FFIEC guidance, financial institutions are looking at what are the additional layers of protection they need to put in place for consumers and businesses," she says. "And they are looking at an environment where there is rising fraud in online and other channels."
Layered Security, Various Solutions
Since issuing its first guidance in 2005, the FFIEC has always recommended institutions invest in layered security controls. Authenticating online transactions and users should be built around three core tenets: something the user has, something the user is and something the user knows.
Those layers should include everything from strong online passwords and secondary or out-of-band authentication to device identification.
Ensuring layered security often means investing in multiple solutions from multiple vendors. "What I am hearing from my peers, and we are no different, is that institutions are working with multiple solution providers as the number of platforms and services that need to be examined are generally from multiple providers," says Matt Speare, who oversees security for M&T Bancorp., the United States' 17th largest bank holding company.
Julie McNelley, a fraud analyst at Aite Group, says different technology philosophies are emerging as institutions work toward compliance with the FFIEC guidance. During research Aite conducted for an online fraud report, the group found that larger institutions, such as M&T, tend to invest in solutions from multiple vendors, while smaller institutions prefer to work with one core provider.
"We found a clear differentiation between large FIs and mid-sized [institutions]," McNelley says. "Fourteen of the 19 large FIs interviewed preferred point solutions, whereas the majority of smaller FIs tend to favor ease of implementation and one-stop shops."
The cost of investing in multiple solutions from various providers is not much of a concern for larger banking organizations. The greatest concern is ensuring ongoing compliance and adequate risk protection.
For smaller institutions, the story is a bit different. Cost is a factor, and that's one reason most have opted to work with core providers, like FIS. But ensuring overall security also has been a consideration.
"I would say that the smaller institutions are better set now to address enterprise monitoring," Hawkins says. "They're generally running a single core, not multiple cores, and they're working with partners who have done the investments to integrate fraud solutions."
In some cases, Hawkins says, smaller institutions are better positioned than larger ones to address and thwart future attacks. Cross-channel fraud, she says, might not be so easy to detect when more than one vendor is involved.
"We are addressing the guidance across channels, so that means mobile, online, the ATM, etc.," she says. "That way, there is consistency in the fraud detection, prevention and management across all of the channels. ... When you work with multiple third parties, one party may cover one channel, like the online channel, but it might not cover other channels."
But McNelley says such security gaps are not much of a concern. Larger institutions, she says, "apply the same layered technology approach." The difference is that larger institutions want to evaluate all options, because their transaction volume demands often call for more dynamic approaches.
"They generally prefer to do bake-offs to determine who has the best-in-class solution, then weave the technology into their own layered architecture," McNelley says.
Securing the Enterprise: Beyond the Guidance
But ensuring security requires long-term investments in solutions that address cross-channel fraud. "We hear many institutions say that the guidance is a few years behind what is going on," Hawkins says. "What they see going on is multichannel fraud, so they are looking at enterprise solutions," particularly in the cash-management space.
Hawkins says institutions are asking themselves where they need to make investments for enterprise-level transaction monitoring.
"The FFIEC guidance is obviously job one," she says. "But the forward look really has to be on enterprise fraud, and what that means as far as securing services across a growing range of channels. It's really making institutions look at what they have to do about enterprise fraud and legacy core systems, and what investments they need to make to position themselves for the future."