If you're part of a financial institution, chances are you've memorized the Federal Financial Institutions Examination Council (FFIEC) guidance chapter and verse, and, with risk assessment in hand, are in the midst of rolling out some form of consumer authentication. If yours is like most financial institutions, you approached FFIEC audits with a "good enough" mentality, meaning that whatever you install to protect people against online fraud and ID theft is better than what you had — and the less invasive to the consumer the better.
The banking industry is indeed the one to watch. The regulatory pressure and the compressed timeframes for investing in critical technologies may very well be a harbinger of what awaits you as your company expands its online channel.
For example, when it comes to online services, banks have two main charters: keep online customers happy, and continue to reap and expand the high margins of the online channel.
Given the high margins associated with online banking, banks believe that erecting too many electronic barriers between customers and their money will drive customers away from online services and back into the branch. However, things change — and the notion that users place a higher premium on the convenience of online banking may not prevail in light of huge increases in theft and fraud perpetuated on the online channel.
The challenge presented by the FFIEC regulation is that it proposes a variety of two-factor options that could be appropriate. Which one makes the most long-term business and security sense depends on a number of factors, such as the number of online users, the primary nature of their online transactions, their current network infrastructure, etc.
Will current buying decisions for authentication based on customer convenience and "good enough" security serve banks as threat models change? Possibly...as long as what you purchase today provides the ability to calculate a more strategic, long-term plan that accounts for two major shifts: IT security will become less reactive as IT and business units deepen partnerships in order to expand online business models. And, end-users care about security and are willing to adjust their behavior accordingly.
Authentication vendors are moving toward what is generally known as a risk-based, or adaptive, approach. This means the riskier the transaction, the stronger the authentication. Here's the rub — the stronger the authentication, the more users will have to modify their behavior in order to interact with authentication systems. The idea that users will have to actively participate in their own protection is scary not only to those responsible for maintaining and growing online margins, but to those in IT chartered with managing the increased risk and complexity that introduces.
I'd like to propose that we don't underestimate the ability of our customers to adapt to change. Online bankers — or anyone involved in any sort of value-based online exchange — may be savvier and much more willing to adopt new online behaviors, especially if they are aware of how much they have at stake.
Consumers are, in fact, more likely to embrace online controls than to reject them. With all the current "flavors" of multifactor authentication available, what makes the most sense depends on a host of factors specific to the institution, its customer base, service offerings, etc. Remember, the FFIEC did not mandate multifactor authentication, it mandated that banks do a risk assessment and where needed adopt measures that mitigate transactional risk. Multifactor authentication is simply the most appropriate mechanism.
So, until the auditors weigh in, financial institutions will be anxiously awaiting word that they have one less compliance checkmark to worry about. Wouldn't that mental energy be better spent determining how many more customers will flock to online banking once they know their bank is committed to keeping their identity safe in cyberspace?
- John De Santis is chief executive officer of TriCipher, headquartered in San Mateo, Calif.