MOUNTAIN VIEW, Calif. (12/19/11)--Credit unions and banks are making progress in the initial phases of preparing for new Federal Financial Institutions Examination Council (FFIEC) expectations on online banking security that will be effective in 2012, according to a new survey. However, many will have to rush to meet the January 2012 deadline.
Fifty-seven percent of the credit unions and banks surveyed have completed their risk assessment, and 59% have formed a plan to fill online banking security gaps, according to a study by Guardian Analytics, a Mountain View, Calif.-based fraud prevention provider, which released the findings Thursday.
The company surveyed more than 300 executives responsible for online banking security decisions at more than 100 U.S.-based banks and credit unions of all sizes in November. Most respondents lack clarity on the minimum expectations for layered security outlined in the FFIEC Supplement to the Authentication in an Internet Banking Environment, the study found.
Of those surveyed, 84% plan to invest in new technologies to address the enhanced expectations. However, most are not far along in technology implementation--43% said they have purchased new technology solutions, and 49% said they intend to in the future. Many plan their investments for the next six to 12 months, in time for their 2012 exam, said the report.
"The FFIEC raised the bar on expectations for online security, and financial institutions are scrambling to evaluate and invest in preparation for their 2012 exams," said Terry Austin, CEO of Guardian Analytics. "In the last six months, we have seen exponential growth in investments in anomaly detection by those who are following the guidance diligently. As institutions work more closely with their examiners to fully understand the new requirements, we expect that growth to continue in the coming year."
The FFIEC supplement outlined two minimum expectations against which financial institutions would be examined: the ability to detect and respond to suspicious activity at login and initiation of transactions in all accounts, and enhanced controls of administrative functions for business accounts.
The survey indicated that despite the specific language in the supplement, nearly half the respondents did not fully understand the minimum expectations. Roughly 41% were unable to identify anomaly detection as an FFIEC minimum expectation for layered security, and 56% could not identify enhanced controls for business banking administrative functions.
Respondents also ranked the factors that determine their priorities for technology investments. "Level of protection" was ranked the most important driver for choosing a technology solution, followed closely by "customer convenience." "Meeting minimum FFIEC requirements for layered security" was ranked the lowest.
The FFIEC supplement, released in June, was in response to rapidly evolving banking attacks and ongoing growth in online fraud losses. Regulators have said they expect financial institutions to take significant steps toward conforming with updated expectations for ongoing risk assessments, enhanced layered security and customer education by January 2012.