Many banks are confused over how to implement new federal regulations aimed at reducing cybersecurity threats. It’s a signal that corporates should review their banks’ security efforts, said David Bellinger, CTP, Director of Payments for AFP.
Released last summer, guidelines by the Federal Financial Institutions Examination Council (FFIEC) require banks to complete periodic risk assessments, establish layered security controls, and educate retail and commercial clients on the widespread threat of fraud.
Avivah Litan, analyst at Gartner, said that although the top U.S. banks are assimilating the FFIEC guidance, small and mid-sized banks are having trouble understanding the requirements. Additionally, smaller banks “are very dependent on their online banking processors, most of whom are still upgrading their security strategies,” Litan told The Fraud Blog, an online cybersecurity resource.
In November, Guardian Analytics surveyed about 300 executives at more than 100 banks and credit unions of all sizes on the FFIEC Guidance. Guardian found that although most banks are working to implement the requirements, many were having difficulty interpreting the minimum expectations for layered security.
The FFIEC supplement specified two requirements for banks on layered security: the ability to detect and respond to anomalies at login and initiation of transactions, and enhanced controls of administrative functions for business accounts. According to Guardian, 41 percent of survey respondents were unable to identify anomaly detection as an FFIEC minimum expectation, and 56 percent were unable to identify enhanced controls of administrative functions.
Fifty-seven percent of respondents to the Guardian survey said they have completed their risk assessments, and 59 percent said they have formulated strategies to fill online banking security gaps. The majority (84 percent) said they plan to invest in new technology to address the FFIEC’s expectations; however, only 43 percent had actually purchased new technology at the time of the survey.
Despite a lack of clarity on layered security by some survey respondents, Terry Austin, CEO of Guardian Analytics, sees positive results in the future. “In the last six months, we have seen exponential growth in investments in anomaly detection by those who are following the guidance diligently,” he said. “As institutions work more closely with their examiners to fully understand the new requirements, we expect that growth to continue in the coming year.”
In the meantime, corporates should check in with their banks and see how far along they are in the process of implementing the new FFIEC guidelines. “I think it’s a safe bet that most large companies are working mainly with the top-tier banks, which have used layered security approaches for a while,” said Bellinger. “Still, with all of the account takeover threats we’re seeing, it is probably prudent for all corporates to have a sit-down with all of their banks to review the security procedures currently in place and review any other available options.”