Security, Not Compliance

By: (CISSP, CISA, Security+) and (CISA, CISSP, CRISC)

Publication: Nebraska Banker, May/June 2012

I attended a conference this week where I had the privilege of hearing a state banking examiner speak about corporate account takeover. One idea he expressed has stuck with me for the last few days: "we have to make this a security issue, not a compliance issue..." How many of you have been struggling with the latest FFIEC supplement for Internet banking? Are you feeling it's yet another compliance mandate? Is your biggest concern to please an examiner, or to provide the best security for your customers?

Once you understand that this is a security issue rather than a compliance issue, it's easy to see the importance of a risk assessment. Learning how attackers gain information from your customers, and which types of customers are most vulnerable, helps your organization understand what controls are needed. You may currently have the same controls for retail customers and commercial customers, but seeing the difference in risk levels between those types of accounts will help you make more informed decisions about multifactor authentication, out-of-band transaction authorizations, and similar controls. A risk assessment is a valuable security tool rather than a compliance exercise.

The guidance also addresses customer education. So, have you provided yet another disclaimer in a tiny font for your customers? If so, you technically made those resources available to them, but if we're honest, who ever reads any of those? Your customers (even commercial customers) probably do not have the level of security awareness training you provide for your staff. They likely do not understand the need for information security. As a result, they may be the weakest security link against corporate account takeover. They need to know about the risks of online banking as well as the controls they could and should put in place. You, as their financial institution, are the best means of educating them. Just like good teachers everywhere, it's up to you to make the information relevant and easy to retain.

The last area the supplement addresses is the notion of layered security. The supplement specifically states that "financial institutions should not rely solely on any single control for authorizing high-risk transactions, but rather institute a system of layered security." With layers of security, if attackers get past one security control, there are other layers to thwart their attempts to access information or funds. Most banks have already embraced a layered security approach, recognizing its importance apart from its being a compliance requirement. Even prior to the release of this supplement, I had seen banks requiring out-of-band authorization for wires, tokens for commercial customers, and so on.

It was nice to meet an examiner more concerned with real-world security than a compliance checklist. Acknowledging the security benefits of assessing risk, implementing layered security controls, and educating your customers will go a long way in providing better quality controls and education materials for your Internet banking customers. And if you are driven by the goal of security, you might not even notice you took care of your compliance as well.