“even the rats know the troubles gonna come
to the edge of the city see the little guys run
I hear spring is nice in Canada
maybe the men up on Capitol Hill
need a little less Jack and a little more Jill
you can have my stereo
even though the race may never be won
I can lay like a dandy get heavy in the sun
take a love song and beatify”
I believe the aforementioned lyrics capture how many within the Gonzonation feel at the moment about the now infamous FFIEC Guidance on Online Banking. There are only four months left in 2006 and, according to some, the world may just end for banks that have not complied with the FFIEC guidance. Already I picture banks across the nation displaying “For Sale” signs in their branches. Underneath the For Sale sign it reads: “We give up.”
But wait one minute. Did not the FFIEC provide clarity in its last memo dated August 15: Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment? According to Tower Group, the FAQs provided all the clarity a financial institution needed to comply with this guidance. This group even went so far as to let us know that the regulators weren’t joking about the deadline.
Yes, the FFIEC provided this list of FAQs, but with year-end 2006 drawing near, better late than never just doesn’t cut it. In my opinion, the FAQs were much ado about nothing. (One particular answer did catch my attention, but I will address that in a moment.)
Some interesting data
According to the Aite Group, only 57% percent of financial institutions will have multi-factor authentication for online banking in place by the end of this year – and only another 24% will be on board in 2007. The study went on to say 5% had no plans under way to even perform a risk assessment.
Believe or not, I think the Aite Group numbers are probably a good reflection of the truth. The reason these numbers are not alarming is – and here it comes folks – the guidance indicates multi-factor or two-factor or whatever you want to call it is just one component of an overall strategy to strengthen the policies, procedures and supporting controls surrounding our online banking environments. Sure, the guidance mentions technology, but just implementing multifactor authentication purchased from the first vendor that buys a round of golf will not make a bank compliant. Let’s just say that’s my professional opinion.
Consequently, the bank whose main focus has been and continues to be on simply choosing a technology solution may want to go ahead and shut down its online bank, because this myopic thinking will more than likely force online banking customers to migrate to the competitor across the street. Why? Well, the competitor probably took a little more time in making a decision and realized purchasing a technology solution was the last item on the project plan.
Real Life Scenarios
GonzoBankers, I do not take this guidance lightly. I firmly believe that a simple user name and password are totally ineffective in protecting access to customers’ information and their online accounts. I also think blindly implementing a multifactor authentication technology solution that causes repeated customer impact is just as pointless and actually borders on naive. Let’s look at some real life examples, shall we?
Several financial institutions panicked and bought the first technology solution they came across. The technology was FFIEC Compliant, according to the salesperson. Unfortunately, the devil is always in the details and the impact on the end-user, the call center, the network and branch personnel within the FI were not well thought out. I will not disclose the identity of the institutions, but let me assure you the following tidbits are the truth, the whole truth, and nothing but…so help me Gonzo.
Financial Institution #1:
The FI implemented a multifactor authentication solution but customers were allowed to voluntarily enroll with the new multifactor solution during the first few months before mandatory enrollment.
The solution sounded simple, but as 96% of online customers were forced through this process the following issues began to surface:
Results from this rollout led to a call center volume increase of around 25% – 30%, which translates into roughly 70 – 80 new FTE in the call center. Now let me ask you this, GonzoBankers. Do you think the vendor that sold the technology solution bothered to bring this aspect up? Heck no, it simply said it could have you up and running in 30 days or less with minimal customer impact. Well, you were up and running… but running for the hills.
Financial Institution #2:
This institution was one that didn’t choose its technology solution but relied solely on its Internet banking provider. Following implementation, the institution had to distribute an apology letter to every customer. Below are a couple of the statements made in that letter:
To summarize, this FI experienced some very ticked-off customers, had to spend a great deal of money on new Internet pipes and hire many more FTE for the call center.
Lessons to be learned
First and foremost, the FFIEC guidance does not say a technology solution must be implemented by year-end. Actually, on page four of the latest FAQ publication, under the section titled Timing, it states the following:
Q-1 – What do the Agencies expect institutions to have accomplished by year-end 2006?
A-1 – The Agencies expect that institutions will complete the risk assessment and will implement risk mitigation activities by year-end 2006. The Agencies are not considering any general extension of the timing associated with this guidance.
So, GonzoBankers, where in that, what I would call a pretty clear statement, does it even indicate you must buy technology by the end of the year?
Many institutions that rushed to purchase a technology solution thinking it was the silver bullet are just now realizing they may have created even more risk than before by only using a username and password. As a result, these institutions risk losing all of their customers because the strategy wasn’t planned out from end to end before the technology solution was purchased.
To that point, financial institutions should initiate the following risk mitigation activities:
Step 1: Perform a detailed risk assessment of not only the online banking environment but also of all electronic channels, including the IVR.
Step 2: Inform executive management of the risk assessment results.
Step 3: Update the appropriate policies, procedures and supporting controls within in the current environment based on the risk assessment.
Step 4: Assign a team to perform extensive due diligence on multiple technology vendors – not just the vendors with the most press releases or the solution offered by your Internet banking vendor.
a) Determine the risks of each solution. What does the company’s pipeline look like, will it be around in six months, has it just been purchased by another company, etc. The technology of the solution may be solid, but risks include a lot more than just the software and a pretty new server.
b) Forecast end-to-end costs (i.e. anticipate call volume increase, bandwidth issues, etc.). This new technology is just one component of a much larger solution.
c) Most importantly, fully comprehend the end-user impact of a new technology solution. Have a communications plan ready to go internally and externally. Customers will go through change once, but twice… don’t count on it.
Step 6: Select the technology solution best suited to the organization.
Step 7: Develop a detailed project plan and timeline for implementing the new technology solution.
Step 8: Begin contract negotiations with the selected vendor.
Step 9: Have the vendor agree in writing to the project timeline.
Step 10: Sign on the dotted line and cut the check.
“But dude, there are only four months left until the deadline…” Correct. But in my translation of risk mitigation activities and all the other FFIEC documents I have read, it is never explicitly stated that a financial institution must purchase and implement a TECHNOLOGY solution by year-end.
Come on, folks, if your entire process was a 10-minute vendor decision looking only at a PowerPoint that described a multifactor authentication technology solution and I was your regulator… guess what? Even I would give you a failing grade.
At the end of the day, this guidance is no different than any of its predecessors. The guidance wants banks to focus on the things we bankers love to overlook all the time: documentation, up-to-date policies, putting in controls, governance, project plans, time lines and following procedures. Simply buying a new technology is always the easiest part.
“And that’s all I have to say about that.”
Read parts 1 and 2 of this series:
Security, Compliance, and the Costs….Oh My!
Security, Compliance, and the Costs… Oh My! – Part Deux