Financial institutions that meet the FFIEC's year-end compliance guidance for stronger customer data and transaction protection will be wise not to declare victory. This is not Y2K and there are no permanent one-time fixes. Fraud is not going away: it morphs, and it will exist as long as customers have money that can be stolen with little risk of apprehension and prosecution.
Today's fraudsters have created an integrated supply chain of data thieves, data salesmen and account hijackers. They understand the strengths and weaknesses of risk management, have adopted continuous process improvement as their own perverse best practice and don't go back to legitimate jobs when they run up against strengthened security.
In light of this reality, proper anti-fraud management entails an actively managed mix of customer education, access restrictions, background monitoring and rapid response in order to extinguish threats and provide redress to actual victims. Security professionals know that this challenge is not met and disposed of by the purchase of a single point solution. It demands a careful situational analysis, ongoing assessment of new risks, selection of the right tools and balance across a range of factors including customer experience, total cost of ownership and loss risk management.
The organizational structure itself must also adapt to take on a problem that is uniquely complex and disbursed. Internally, the various departments responsible for maintaining vigilance need to coordinate more adequately and work collectively to sell the program after compliance has been achieved or in the face of low loss levels. In addition, better data sharing and reporting across channels will greatly enhance overall detection and prevention effectiveness. An ever-growing array of sophisticated tools is being used to "add locks to the front door," but institutions would do well to expand the security paradigm to include detecting and stopping the fraudsters when they do manage to get in. Externally, cross-industry communication is still in its infancy, although we are encouraged by the growth of anti-fraud networks and industry efforts led by BITS, the FSTC and others.
Encouragingly, many of the financial institutions RSA has spoken to are executing on plans designed not just to meet, but to exceed the FFIEC's guidance and are also considering how to leverage this opportunity to improve their customers' trust in their brand and the remote channels.
As we move on into 2007, realism and perpetual vigilance remain key. This challenge will not be met and eliminated by the purchase of a single point solution. It demands a layered security approach and new organizational philosophies to eliminate current threats and prepare for emerging ones.