I've always been a fan of the underdog. I'll never get tired of any movie featuring an underdog or underprivileged sports team, dancer, speller, or contestant on India's Who Wants to Be a Millionaire. I cry every time even though I know they'll either win the big game or come in a very close second and be okay with the loss because they learned so much about themselves during the season…
What does this have to do with Internet banking? The FFIEC released its Supplement to Authentication in an Internet Banking Environment last summer, and banks across the country have spent the last few months ensuring they're ready for the next exam. By now, you've read the guidance (or at least read enough about the guidance) to know that it really boils down to three main elements you might not have paid attention to in the past:
- An Internet banking risk assessment
- A layered security approach to Internet banking
- Enhanced customer education
I can't help but think that customer education is the underdog here. I know banks were very quick to start assessing the risks involved in Internet banking, and in response to those risks, many banks have implemented excellent layered security programs. Options like secure browsing tools and out-of-band authorization, once considered the crème-de-la-crème of Internet security, will soon be the norm.
However, anyone who has been involved in security for even a short amount of time knows that the weakest link is the human element. As a financial institution, you have undoubtedly spent hours on training, sent countless emails, put up clever posters in the break room….all in an effort to teach your employees the value of information security. Your customers have not received that kind of education. Some, even your commercial customers, may have opened mom-and-pop stores in small towns where everyone knows each other. The idea that someone they've never seen works day and night to try to break into their commercial account may never have crossed their minds.
The newest FFIEC regulation places the responsibility of educating those customers on the shoulders of your bank. It's now your job to help your customers understand the threats associated with Internet banking as well as the controls they can put in place to mitigate the associated risks. Knowing what content you need has already been taken care of. Specifically, the guidance says your customers need to know, at a minimum:
- Protections provided, and not provided, under Reg E and how Reg E applies to accounts with Internet access;
- Under what, if any, circumstances and through what means your institution may contact a customer on an unsolicited basis and request the customer's information;
- A suggestion that commercial online banking customers perform a risk assessment and controls evaluation periodically;
- A list of controls customers may consider implementing to mitigate their own risk or a list of available resources where such information can be found; and
- A list of institutional contacts for customers' use in the event they notice suspicious account activity.
Now you just need to decide how to deliver the information, and this is the most important part. People, on average will not retain even the most important information, if they can't get through the verbiage. Whether you decide to provide handouts or use your Internet banking site to create a slideshow, it's important to remember a few basic communication principles:
- Know your audience. Don't focus on what you want to say as much as on what they want to hear. This may seem like a challenge since the FFIEC has told you what you need to say, but try to convey how relevant this is to your customers. Play on the topic on most people's minds most of the time: themselves. They don't want to lose money; they don't want their information to be stolen…Security is important to them, so if they understand the risks and how to help control those risks, they will surprise you at how important security can become to them.
- Know your audience. They are not bankers, and very few of them read information security articles in their spare time. Lose the industry lingo and use language everyone can understand. If a middle school student can pick up your education materials and understand that they need stronger passwords, then you have succeeded.
- Know your audience. In this overstimulated age, people are in a hurry and are easily bored. Don't use 20 words when 10 will suffice.
In an effort to follow the spirit of the law, spend a little extra time on the delivery and design of your information so that your customers will want to read and will understand what you have to say. Time spent on education is never wasted time.