Booz Allen Hamilton: The clear and present danger in the world of bank fraud

The repercussions of these actions will be felt worldwide. This time, the American government agency is the Federal Financial Institutions Examination Council (FFIEC), and the new guidance, Authentication in an Internet Banking Environment, calls for more stringent controls on electronic banking services. By 31st December 2006: financial institutions must show that they have tackled three immediate challenges:

•Determine what technical solutions will bring them into compliance
•Marshal the organization to implement these solutions
•Develop a consumer-awareness program as a defense against identity theft and other kinds of fraud

"Financial institutions with holdings in the United States will be required to make changes to the way they conduct electronic banking services," said Deborah Banning, Principle of Booz Allen Hamilton.

"The regulations that come about from American action will have reverberations around the globe. Other markets, including the Middle East may someday emulate them, and consumers might demand the heightened American regulations from their banks in this region in order to guard against fraud."

Non-compliance could be costly. Punishments could range from cease and desist orders to the removal of officers and directors. If customers see a company as lagging behind, the loss of customer confidence could cost millions.

The FFIEC guidance applies to all forms of electronic banking that allow customers to access account information or transfer funds.

Determine what technical solutions will bring them into compliance

To determine the proper technical solutions a risk assessment to understand the institution's current rate of exposure must be done. The first and most common hazard is the rapid adaptation of overly complex and expensive solutions that have both direct and indirect costs much higher than originally anticipated. Any decision to implement a new technology should take several key factors into account: initial implementation costs; ongoing maintenance costs; customer-support costs; vendor stability; and the strength of the solution.

Marshal the organization to implement these solutions

Attempting to graft a centralized security program onto a decentralized organization can often result in the corporate equivalent of organ rejection. Banks must create a management structure with the express purpose of uniformly managing risk exposure and regulatory compliance. That structure, which should include stakeholders representing businesses across the institution, should be responsible for determining risk appetite, communicating changes in risk level, and implementing best practices risk-mitigation strategies, strategic investment planning, and customer-communication strategy.

Develop a consumer-awareness program

Many banks are finding that well-educated customers are their front line defence many forms of fraud. Customer awareness programs are now an FFIEC requirement. Beyond the requirements, however, enhanced online security is a key differentiator in the marketplace. A well-publicized security program could prove a significant lure to new customers in the highly competitive banking environment.

Conclusion

"These are important guidelines to follow for financial institutions in Dubai and other parts of the Middle East," said Deborah Banning, Principle of Booz Allen Hamilton. "Though laws in this region are not as stringent in the area of security as those in the United States, banks there are finding it beneficial to implement security procedures and publicize them. The result has been happy customers, and safe customers. Financial institutions here would benefit to follow suit."

There is no question that financial institutions will need to come up with a response to FFIEC guidance. But a comprehensive and nuanced approach to online security, as outlined here, makes it likely that financial institutions will be able to stay one step ahead of both regulatory guidelines and risk exposure. A strategic investment in risk management can result in reduced fraud, decreased costs associated with emerging regulatory requirements, and increased comfort on the part of customers. That is a winning proposition by any standard.