By January 2007, anyone who banks online should be better protected against fraud and identity theft. That's because, by the end of this year, all financial institutions – brokerages, banks, credit unions – must add an extra layer of security for high-risk transactions, such as account access and money transfers. A simple name and password combination will no longer be sufficient for most types of transactions.
This increased security is mandated by the Federal Financial Institutions Examination Council (FFIEC), an organization of five financial industry enforcement agencies: the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
Any institution that is governed by one of those agencies is also covered by the new guidelines. And it also faces a potential fine or other penalty if it fails to comply.
The new rules are leading to a scramble by banks to purchase security technology. They have also resulted in a surge in sales of identity and access management compliance products. IDC estimates the market shot up 78% in 2006, worldwide, with about half of that growth in the U.S. market.
"Financial institutions are working to get out in front of the deadline," said Rose Ryan, a research analyst for Framingham, Mass.-based IDC. "They're not dragging their feet on this."
Nevertheless, many banks won't make the January deadline. Estimates vary, but Ryan believes that only a little over 50% will complete the first major step, a risk assessment, by the end of the year and be in the process of deploying additional security.
As might be expected, those who are farthest along tend to be larger organizations, which have more IT resources and high-value, high-risk transactions to justify the investment.
"Most of the national and super-regional institutions have done [risk assessment] and many of the smaller ones have too," said Jonathan Penn, principal analyst for identity and security issues at Cambridge, Mass.-based Forrester Research. "Most of the laggards are very small banks and credit unions who just haven't gotten their act together."
Meeting the Mandate
An initial risk assessment can be done by an outside consultant, by internal staff, or automated by risk assessment software. But a risk assessment must be completed before new security technology is deployed.
"The guidance calls for a risk assessment that identifies all high risk transactions through the Internet and call center IVR," said Ed Neumann, managing director for the banking practice at CCPace Systems Inc., a Fairfax, Va.-based consulting firm that provides risk assessment services and software. "For instance, some banks offer wire transfers, or display differing amounts of personal information."
Banks can simply stop offering high-risk activities, he said. But few banks will want to risk losing customers by cutting popular services such as online bill payment and account information. That leaves most banks with the need to adopt a second layer of security, Neumann said.
What kind of extra security?
Banks may turn to hardware-based authentication, such as a smart card or token that can be plugged into the user's USB port. But that is a high-cost, high-maintenance option best suited for high-end customers.
"There's been a flurry of technology innovation over the last 18 months in response to the guidance," said Chris Voice, chief technology officer of Addison, Texas-based Entrust Inc., a security software company that makes fraud detection and authentication products.
At the lowest-cost end of the spectrum, banks might try to add a second password requirement. But that won't satisfy the FFIEC guidance, according to experts.
"The guidelines are very clear that using multiple passwords is not a valid control. But multiple types of 'what you know' authentication – a mix of password plus challenge-response, out-of-wallet questions – is valid. Most banks are doing this as a second factor," Penn said. "But they are usually doing it conditionally, rather than at every login, based on the user profile information."
Penn is referring to software programs that monitor user behavior and compare it to a profile of past behavior to look for anomalies. Such risk-based monitoring tools watch things such as the type of computer normally used, the user's IP address, typical account activities, etc. Only if a user does something odd does the system ask for additional authentication.
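The conditional check described above can be sketched as a small scoring function. This is an added example, not code from any vendor or bank named in the article; the profile schema, signal names, weights and threshold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed weights and threshold; a real deployment tunes these from fraud data.
WEIGHTS = {"new_device": 40, "new_network": 30, "unusual_activity": 30, "amount_spike": 30}
STEP_UP_THRESHOLD = 50


@dataclass
class Profile:
    """What the monitor has learned about one customer (hypothetical schema)."""
    devices: set = field(default_factory=set)      # device fingerprints seen before
    networks: list = field(default_factory=list)   # CIDR blocks the user logs in from
    activities: set = field(default_factory=set)   # e.g. {"view_balance", "bill_pay"}
    max_amount: float = 0.0                        # largest past transfer


def risk_signals(profile, event):
    """Return the names of the signals on which this event departs from the profile."""
    signals = []
    if event["device"] not in profile.devices:
        signals.append("new_device")
    addr = ip_address(event["ip"])
    if not any(addr in ip_network(n) for n in profile.networks):
        signals.append("new_network")
    if event["activity"] not in profile.activities:
        signals.append("unusual_activity")
    if event.get("amount", 0.0) > 3 * profile.max_amount:
        signals.append("amount_spike")
    return signals


def decide(profile, event):
    """Authenticate silently unless the combined anomaly score crosses the threshold."""
    signals = risk_signals(profile, event)
    score = sum(WEIGHTS[s] for s in signals)
    action = "step_up" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, signals


# Constructed sample data (documentation address ranges, made-up fingerprints).
PROFILE = Profile({"fp-laptop-01"}, ["198.51.100.0/24"], {"view_balance", "bill_pay"}, 400.0)
EVENTS = [
    {"device": "fp-laptop-01", "ip": "198.51.100.23", "activity": "bill_pay", "amount": 120.0},
    {"device": "fp-laptop-01", "ip": "203.0.113.9", "activity": "view_balance"},
    {"device": "fp-unknown-77", "ip": "203.0.113.9", "activity": "wire_transfer", "amount": 5000.0},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["activity"], decide(PROFILE, e))
```

A single deviation (the known laptop on an unfamiliar network) stays below the threshold and is allowed silently, while the combination of unknown device, unfamiliar network and a first-time wire transfer triggers the extra authentication prompt.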
"Passively monitoring behavior behind the scenes can minimize the disruption to the customer," Voice said.
Amir Orad, vice president of marketing for RSA Consumer Solutions, a division of RSA Security, agrees that monitoring software, which RSA calls "risk-based authentication," is a popular option.
"The beauty is that 99% of users can be authenticated behind the scenes, with no disruption to their online experience," Orad said.
Orad warns that some banks will be tempted to install inadequate or outdated security measures to meet the deadline, then have to re-do it later.
Nevertheless, that is what many will do, said Sally Hudson, IDC analyst in identity and access management.
"Banks will have solutions in place, but they may not be their final solutions," Hudson said. "It's what they can get in now to meet the deadline and then upgrade it as they go."
Sue Hildreth is a freelance technology writer based in Waltham, MA. She can be reached at firstname.lastname@example.org.