2011 FFIEC Updated Security Guidance

a white paper presented by Murphy & Company
Upload: murphy-company

Post on 28-Mar-2016

© Copyright 2011, Murphy & Company, Inc.

Murphy & Company, 459 Sovereign Court, Ballwin, MO 63011

www.mcompany.com | 888.652.8648

Disclaimer

Concepts, strategies and procedures outlined in this document can and do change and may not be applicable to all readers. The content is not warranted to offer a particular result or benefit. Neither the author/publisher, nor any other party associated with this product shall be liable for any damages arising out of the use of this guide, including but not limited to loss of profit, commercial, special, incidental or other damages.

Murphy & Company is an independent consulting and publishing firm. Use of the FFIEC logo, name and publications are purely referenced as a source for the information presented and should not be considered as an indication of any affiliation or endorsement of this document by the FFIEC, FDIC or any other agency. For complete compliance information, please refer to your examining authority.

a focus on awareness and communication

Executive Overview

Responding to greater threats to both financial institutions and consumers in the online banking channel, the FFIEC has published updated guidance for financial institutions (FIs) to follow when offering online financial transactions and related services. The original security guidance, published in 2005, was a good first step in taking online banking security beyond a basic ID and password. However, as hackers continue to develop new ways of attacking the online channel, the FFIEC is now raising the bar, requiring FIs to formulate appropriate tools and procedures to counter these threats. Murphy & Company has updated all of the marketing programs and tools we offer, as outlined later, to support your efforts to comply with the requirements in the updated guidance.

We begin this document with a review of the actual guidance and offer our suggestions on how to approach not only compliance, but a good customer experience, through awareness and communication. We then move on to help define the security message (or messages) that best matches your financial institution. Finally, we discuss state-of-the-art marketing and communication programs and tools available to deliver awareness and communication, including those offered by Murphy & Company.

Scope of This Document

The updated guidance document is primarily focused on the technical needs for achieving greater security, including a discussion of additional security expectations, both in policy and in practice. Addressing the technical issues will, for the vast majority of FIs, be left to the online banking and cash management software vendor. This document focuses on the "awareness and communication" items detailed at the end of the guidance document. That section is only one paragraph long, but it has a significant role to play in the security mix.

For most FIs, this will lead to a number of discussions on the non-technical issues. The scope and goal of this document is to support those discussions with our experience. For 16 years, our work with banks and credit unions has been uniquely focused on the development and execution of marketing and communication programs, driving the adoption and usage of online banking, bill pay and related services.


About Murphy & Company

Since 1995, Murphy & Company has been helping banks and credit unions achieve success with the online channel. From the very early days of online banking (we could not call it internet banking back then) and bill pay, we have had a front row seat at the confluence of technology, financial institutions and consumers. Our original mission was to provide consulting and professional services to large financial institutions as they developed their non-technical internet banking channel strategy. As the market matured, we expanded our focus to the needs of community and regional banks where many of the same experiences were occurring, simply on a smaller scale. Our consultative work with thousands of FIs all over the country is the cornerstone of the knowledge and experience which serves us to this day as we primarily help FIs with online channel marketing, awareness and communication.

Guidance Information and Details

The press release announcing the updated guidance can be found at the following address: http://www.ffiec.gov/press/pr062811.htm

The actual final document can be found at the following address: http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf


Technical Considerations

As mentioned earlier, the scope of this document is to help financial institutions increase awareness and communication. However, technical changes are at the core of the new guidance and will drive how, what and when you communicate with end users. As thoughts and plans are focused on building a communication strategy, we believe the following technical issues, and their impact on communication, warrant highlighting:

1 The updated guidance calls for increased and "layered" security. In other words, more than one security tool may be necessary to secure an online session or complete a transaction. For example, this is driving the increased use of security tools for protecting consumer online transactions: creating a list of challenge questions and answers, picking a security icon or image, or having a security code sent to a mobile phone. For business customers with higher-dollar transactions, this may involve more sophisticated experiences such as key-chain token number generators. Because these tools are consumer-facing, standard disclosure text will be used less and will be less effective.

2 The previous example also highlights how retail and business transactions will have different security requirements. This will create the need to maintain separate retail and business messages and, in some cases, separate communication tools.

3 This is probably not the last time updated security guidance will be published by the FFIEC. As long as electronic devices are used to complete financial transactions, there will be entities looking to hack, crack or defraud legitimate users. Five years ago, MFA was put in place to counteract the threats known at that time. Hackers responded with different tools and attacks. Today, we up the ante on the FI side of the equation in response to these new threats. Unfortunately, this cycle will most likely continue. This will drive a need to rely on marketing tools which can easily be edited and republished in the future.


Awareness and Communication Discussion Points

1 What are your current marketing efforts for the online channel?

2 How do you want to present this new security message?

3 Do you have programs and materials to which you can add the awareness and communication message?

4 Do internal marketing staff members have the bandwidth to address this issue?

5 Are there other resources available to support this effort?

6 Has a budget been set aside for this type of effort?

Meeting the Awareness and Communication Requirement

The following is extracted directly from the updated guidance document, outlining the FFIEC's requirements for awareness and communication.

A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders and, at a minimum, include the following elements:

• An explanation of protections provided, and not provided, to account holders relative to electronic funds transfers under Regulation E, and a related explanation of the applicability of Regulation E to the types of accounts with Internet access;

• An explanation of under what, if any, circumstances and through what means the institution may contact a customer on an unsolicited basis and request the customer’s provision of electronic banking credentials;

• A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically;

• A listing of alternative risk control mechanisms that customers may consider implementing to mitigate their own risk, or alternatively, a listing of available resources where such information can be found; and,

• A listing of institutional contacts for customers’ discretionary use in the event they notice suspicious account activity or experience customer information security-related events.

Source: Supplement to the Authentication in an Internet Banking Environment, FFIEC, Washington, DC, June 2011

In any other part of financial services, this requirement would most likely be adequately served with traditional disclosure text printed in 8-point type. We believe, however, that this communication effort will need to be more proactive and consumer-facing given the seriousness of the topic. The challenge is to find a strategy which educates the consumer to the point of being comfortable without overstating the security issue. The following are driving factors in the process:

• Even simple mentions of security create an impediment to consumer comfort. Lacking comfort diminishes the potential for enrollments and usage of the online channel.

• The press continues to report on, and in many cases, amplify security breaches.

• The effort to raise awareness and communication regarding security presents a great opportunity to also present other features of the online banking process.

• Other features of the online banking system can support the effort to increase security for both the consumer and FI.


Six Marketing Campaign Tips

Although retail and cash management strategies will be different, the following are offered as campaign tips, applicable to either audience:

1 Create one message and get everyone onto that same message. It is very important that the personal bankers/member service reps, tellers, call center, outbound sales staff and even senior management receive and promote the same security message.

2 Host as much of your communication message on your web site as possible.

3 The target messaging needs for consumers and employees will be almost identical.

4 Cash Management and Retail education are two completely different environments.

5 Prepare for content updates in the not-so-distant future. Changes to the online banking channel are quite frequent. As you set or reset your messages and campaigns today, prepare for those changes.

6 Each strategy should address how you plan to provide information to existing customers and for new account openings going forward.

Awareness Marketing Message Options

The first step is to pick the security message which most closely fits your existing online banking messaging. Best practices have pointed us towards three message options:

Security Only Message

In this scenario, the messaging produced will cover just the guidance points with modest additional explanations and details. This would be very much like traditional disclosure text with a slight expansion.

Security Message Supported By Product Features

With this message option, each security item required by the guidance is presented and includes a reference to its corresponding feature or technology. For example, when talking about Reg E protections, the message would include an explanation along the lines of "... the same law which has protected your credit cards for years also applies to your online banking transactions..."

Online Banking Overview With Security Message

The third option is to produce an updated user's guide or demo for your online banking solution and insert the security elements at the appropriate points. This holds three primary benefits for the FI. First, it satisfies the requirements outlined in the guidance document. Second, it takes the spotlight off the security topic. Third, once the budget has been established to meet the security requirement, the incremental cost of adding in the rest of the online banking experience is only slightly higher.


Awareness Marketing Message Campaign Elements

The second step is to pick the marketing components you would like to use to execute this campaign, ranging from a very basic to extensive education.

The Basic Disclosure Letter

During the Reg E compliance effort in 2010, there was a great deal of direct mail communication and a lot of small-text disclosures. This was presented in a #10 envelope with one window and mailed to all consumer accounts. It is our opinion that if the customer/member has an active ID or password for your online banking system, or can reactivate it without going through future disclosures, you should include them in the communication effort. This strategy will satisfy what we believe to be your communication and awareness requirements at the most basic level.

A Personalized Direct Mailer/Self-Mailer

With the desire to stand out in the mail box, moving from the traditional #10-sized letter and envelope to a self-mailer is a great alternative.

After testing several print and fulfillment options, our experience suggests the use of a four-panel, wafer-sealed self-mailer with a two-panel, gate-fold insert. The total single page size is 6 inches tall by 20 inches long, folded into a 6 X 8.5 final format. Our experience also suggests that personalized direct mailers (PDMs) offer the following benefits:

• The option to offer a more user-friendly format.

• The ability to include a tear-off card, which for FFIEC purposes may be a good place to present your contact details for security and fraud issues.

• Available in smaller runs via a digital print method so they are affordable to the smallest financial institutions.

• When produced digitally at any quantity, PDMs can insert text on a contingent basis presenting personalized messaging.

Email

Email marketing is a popular choice because of the small expense. However, email hacking and phishing are at the heart of the current security concerns. This does NOT mean it cannot be used; it just needs to be used wisely.

Email communication is an excellent tool for alerts and messaging to help consumers stay in touch with account balances and transactions. Our experience suggests that this is a great pattern to follow for marketing emails. Sample email communications:

• Alert customers via email regarding the availability of a new product. The call to action would NOT be a link in the email but to visit the website or call a personal banker.

• Announce a change in policy. For example: “effective January 2, 2011, the cut-off time for branch transactions will be 5:00”.

• Call their attention to something coming in the mail. For example: "Look in the mail for information regarding our new security policies, which become effective January 1, 2012".

Email will continue to be a component of the online banking communication plan for both retail and cash management customers. It will just be used for alerts from within the online banking system and as a supplement to other marketing and communication mediums when presenting other products, services and policies.


Online Video

Online demos/tutorials/videos are great tools for delivering a consistent message to both staff and consumers. Videos are very effective for managing and presenting all product details in one location. Our experience with videos suggests the following:

1 The YouTube format is desirable as it allows you to organize content into “nuggets” which can be easily added, changed and reorganized.

2 Creating content and actually placing it on a public/social video website (e.g. YouTube) with a search capability presents a double-edged sword. On one hand, a search for your FI's name will yield a list including your video content. On the other hand, the same search results will list ANY video on YouTube from ANY person who creates a video and references your FI's name. This could be troublesome if the basis of their video is not complimentary.

3 There is no reason that the interface, or web pages presenting your video content, should not be branded to your FI.

4 The debate continues regarding whether or not a presenter should actually appear onscreen during a video presentation. In the early days of online videos, the actor would appear on screen for the entire presentation. Today, videos have migrated to a 70/30 split with the actor voice throughout the presentation and bringing the actor on screen for introductions, major instructions and important points which require highlighting – about 30% of the video.

5 Video presented in individual topic or “nugget” form allows for easy updating. Not only should FIs expect updates to security in the future, basic online banking and bill pay features will undoubtedly change in the future. These changes to content will only require the short nuggets to be edited, not the entire demo system.

6 A video interface should be able to present content produced locally by your FI. For example, a taped message from the president, or an Olympic video from a credit card issuer.

7 With a heavily branded video interface, FIs can deliver their online messaging with common or generic content. Drawing from a pool or subscription of common content will keep the expense for video presentations to a fraction of the cost of a custom effort. Should there be a particular part of the demo which MUST be customized to your FI, the expense will be limited to creating the custom nugget in question, which can be inserted alongside the rest of the common content.

8 The cost of online videos continues to plummet. With a custom video interface, retail online banking, cash management and security content can be presented in a fully-branded interface for about $10 a day.


Printed Branch Collateral/User Guides

Research and anecdotal evidence continue to confirm the branch as the most effective channel for enrolling new online banking and bill pay customers/members. The challenge with branch marketing is that the retail locations continue to be inundated with more and more products and programs. Further, staffing levels are challenging and turnover remains an issue. So how does management ensure that the online banking messages (whether product features or compliance information) travel all the way from their office to the consumer without a deviation in the message?

The answer is a printed Quick Start Guide. Whether produced for retail or cash management audiences, a printed Quick Start Guide helps to foster the conversation between the personal banker and the consumer during a branch visit or face-to-face meeting.

Murphy & Company has produced millions of Quick Start Guides for hundreds of financial institutions. Our experience has driven us to build an online ordering system, where we have pre-loaded common online banking marketing and communication messages (content) into an edit-and-print-on-demand publishing system. This allows our customers to create and brand a cover and select content from a library of existing material. These content libraries are organized around the most common online banking systems, and within each library content is organized into retail, cash management and security topics.

Content selection is broken down into the subject matter level so that when producing a quick start guide, the FI can choose as much or as little content as needed. For example, if the cash management goal for the first quarter of next year is to sign up small business accounts to the cash management system, a relatively shorter (and cheaper) guide can be created and printed. If for the second quarter the goal is large businesses like hospitals and major manufacturing firms, larger guides can be produced – all with the latest content including security explanations.

The guidance document addresses the need for a differentiation between retail and cash management awareness and communication. It also discusses that cash management security will increase in complexity with the type and size of transactions. This creates a real challenge in making sure an adequate message is created, edited and reaches users of your cash management system. Our system and content meet this need.

As a side note, when customized content is requested or the size of the FI is large enough to justify the cost, completely custom guides are available.

Online Collateral/User Guides

There is very little debate about the value of having a clear explanation of online services in the branch. The recent guidance document will drive the need for additional educational content. What is up for debate is whether printed or electronic content should be used for branch conversations.

There has also been a tremendous leap forward in the tools available for presenting previously printed content online. Our firm has brought our content with our tools together in our eGuide program.

This program offers the same great content as we offer in our printed guides, but instead of sending it to the printer, we develop a page-turning, branded guide which can be displayed on your website. Highlights include:

• Available in branded or custom versions.

• Online access means branch or in home/office use.

• Call center employees can direct consumer questions to the guide.

• Guides are built in a format consistent with an 8.5 X 5.5 printed booklet. This provides for day-to-day use of an online guide and the ability to print small quantities for special events like new branch openings, community meetings and new account openings.

• As changes to the online banking offerings are released during the year, changes to the online guide are easy and inexpensive.


Planning Questions / Action Items

As your team meets to discuss the awareness and communication issues, we offer the following questions. The answers will hopefully point you in a successful direction.

1 How many retail online banking customers are enrolled in our retail service?

2 How many cash management customers are enrolled in our cash management system?

3 Which retail security message are we going to go with? (Simple Security / Security with some product information / Product overview with prominent security discussions)

4 Which cash management security message are we going to go with?

5 Do we have a conversion coming up in the next six months?

6 Do we have a budget?

7 If we are going to commit the time and money to satisfy the new disclosure requirement, how much incremental time and cost would we incur if we turned this into an online banking promotion?

8 What is the plan for awareness and communication for existing users?

9 What is the plan for new users going forward?

Conclusion

We realize budgets and resources are more challenged than ever before. In response, a common first reaction will be to commit the minimum amount of resources to the awareness and communication portion of your compliance with the updated FFIEC guidance. We hope this white paper has provided some ideas and options for taking a few extra steps and turning a compliance requirement into a good customer service experience or even an expansion of your online banking success.
