BAI Notes: Authentication and ATMs
FFIEC Draft Guidance Provides Fodder for Conversations, Marketing PlansSome parting thoughts on the key topics raised at the BAI Payments Connect Conference & Expo in Phoenix ...
FFIEC Draft Guidance
No question, one of the dominant subplots of this event was the widely circulated draft of the FFIEC's authentication update. The document, which was inadvertently disclosed by the NCUA over the New Year's break, had been reviewed by every banking executive and vendor I met. Noteworthy from my conversations:- Banking/security leaders aren't crazy about regulators telling them they could have done a better job detecting incidents of ACH fraud, and they're eager for more specific guidance on what to do going forward. The most common word used to describe the current draft is "vague."
- Still, banking/security vendors are already incorporating language from the draft into their marketing messages. I heard a lot about "risk assessments," "layered security" and "increased awareness" - all of which are core tenets of the draft guidance.
- Everyone's eager to see the final document, and the feeling is that it's coming soon. In fact, the American Bankers Association is hosting a Risk Management Forum in Denver in April, and one of the preliminary agenda items is "FFIEC Update: Discuss the new authentication guidelines put in place by FFIEC to protect financial institutions from fraud."
Siloed Solutions
A dominant theme of our recent Faces of Fraud survey is the prevalence of cross-channel fraud and the lack of teams, tools and processes focused on this challenge. The issue: Banks' traditional organizational silos.Well, an interesting perspective offered by a solutions vendor: It's not just the banks that are siloed. The vendors are, too. According to this leader, the industry is focused more on specific fraud vectors than on cross-channel solutions. Until the vendors start actively pursuing industry partnerships that will help break down some of these silos, cross-channel fraud will remain a daunting challenge.
I'd welcome some feedback on this observation.
Global ATM Risks
I had the opportunity to speak with several industry thought-leaders, and one of the most fruitful conversations was with Chuck Somers, VP of ATM Security at Diebold.The topic: ATM fraud. Somers' message: Skimming is a global concern that's only becoming more lucrative for the fraudsters.
"Unfortunately, there's a high ROI on this crime," Somers says. "At the end of the day, even the people who are out there taking the biggest risks, either attaching the skimming devices or redeeming the fraudulent cards ... even if they do get arrested, even if they do get prosecuted, they do pretty soft time in a local jail."
And because ATM skimming is a non-violent crime - as opposed to bank robbing, which typically involves a gun and results in tough sentencing - the courts have generally treated criminals more leniently. "This crime is more lucrative than drugs," Somers says. "There's a lower chance of being caught and lower punishment for the crime afterwards."
Interesting, too, is the rise of logical security breaches - malware - on machines in parts of Europe and Latin America. The fear is: External threats to ATMs have been challenging enough to detect; what happens when the violations occur internally?
For more insight on global ATM threats, please listen to this interview with Somers.
And to share your own insights on the fraud issues raised at BAI, please submit comments in the form below. I'll publish the best of them in a future blog entry.