New Study Reveals Financial Institutions Will Be Rushing to Conform to New FFIEC Online Banking Security Expectations

Majority of institutions plan to invest in online banking defenses, but nearly half are unclear on FFIEC's minimum expectations for layered security

Dec 15, 2011, 08:30 ET from Guardian Analytics


MOUNTAIN VIEW, Calif., Dec. 15, 2011 /PRNewswire/ -- Guardian Analytics, the market leader in behavioral analytics-based fraud prevention solutions, today released results of the FFIEC Online Banking Security Readiness Study, which examined the state of financial institutions' preparations to meet the 2012 deadline set forth in the FFIEC Supplement to the Authentication in an Internet Banking Environment. The Study, conducted in November 2011, surveyed more than 300 executives responsible for online banking security decisions at over 100 U.S.-based banks and credit unions of all sizes. The findings highlight that institutions are acting on the new expectations, but many will still have to rush to meet the 2012 deadline. Further, most banks lack clarity on the minimum expectations for layered security outlined by the agencies in the Supplement. To download the complimentary study, please visit:

The June 2011 Supplement was released in response to rapidly evolving online banking attacks and ongoing growth in online fraud losses. Regulators have stated they expect banks to have taken significant steps toward conformance with the updated expectations for ongoing risk assessments, enhanced layered security and customer education by January 2012.

2012 Rush to Conform
With the deadline rapidly approaching, the study indicates that institutions are making progress in the initial phases of preparedness: 57 percent of institutions have completed their risk assessment and 59 percent have formulated a plan to fill online banking security gaps. The majority plan to invest in new technologies to address the enhanced expectations (84 percent); however, most are not far along in technology implementation. Only 43 percent of respondents said they actually purchased new technology solutions, but 49 percent intend to in the future. Many are planning their investments for the next 6-12 months, likely just in time for their 2012 exam.

"The FFIEC raised the bar on their expectations for online security, and financial institutions are scrambling to evaluate and invest in preparation for their 2012 exams," said Terry Austin, CEO of Guardian Analytics. "In the last six months, we have seen exponential growth in investments in anomaly detection by those who are following the guidance diligently. As institutions work more closely with their examiners to fully understand the new requirements, we expect that growth to continue in the coming year."

Lack of Clarity on FFIEC Expectations for Layered Security
In an effort to provide clarity on where institutions should start their layered security strategies, the FFIEC supplement outlined two minimum expectations against which banks will be examined: (1) the ability to detect and respond to suspicious activity at login and initiation of transactions in all accounts, and (2) enhanced controls of administrative functions for business accounts.

Despite the specific language in the Supplement, nearly half do not fully understand the minimum expectations. Forty-one percent were unable to identify anomaly detection as an FFIEC minimum expectation for layered security, and 56 percent were unable to identify enhanced controls for business banking administrative functions.

Minimum FFIEC Expectations in Alignment with FI Priorities for Security
When asked about the factors that determine prioritization for technology investments, respondents on average ranked "level of protection" as the most important driver for choosing a technology solution, followed closely by "customer convenience." Meeting minimum FFIEC requirements for layered security ranked the lowest.

"Maximum effectiveness and minimal intrusiveness are key criteria when evaluating online banking security practices," said Julie Conroy McNelley, senior analyst at Aite Group. "Our recent research shows that institutions find behavioral analytics to be one of the solutions that FIs perceive to be most effective and least intrusive."

"The regulators' objectives overlap with financial institutions' objectives in this case," continued Austin. "Institutions implementing anomaly detection will be prepared to show conformance to the minimum requirements and be armed to stop online banking fraud across all retail and commercial account holders."

The survey was conducted online between November 9 and November 21, 2011. The survey pool consisted of 303 individuals responsible for making and managing decisions related to online banking security at credit unions and banks operating in the United States.

Financial institution demographics:

Bank: 75%
Credit Union: 25%

Asset Size:

Under $500 million: 38%
$500 million - $50 billion: 42%
More than $50 billion: 20%

Margin of error: +/- 5.5%

About Guardian Analytics
Headquartered in Mountain View, Calif., Guardian Analytics provides innovative solutions to prevent online and mobile banking fraud. The company pioneered Dynamic Account Modeling, which uses behavioral analytics to identify suspicious activity. National and community banks and credit unions rely on Guardian Analytics to protect individual account assets, the integrity of their online channels, and their brand reputations. Founded in 2005, Guardian Analytics is privately held with venture funding from Foundation Capital, Sutter Hill Ventures, Split Rock Partners and Triangle Peak Partners. For more information, please visit





SOURCE Guardian Analytics