What do you get when you combine deep-pocketed, IT-dependent enterprises with tough-worded federal regulations and the threat of big penalties? A Silicon Valley bonanza, for one thing.
That was the case throughout 2006, as U.S. banks and credit unions struggled to comply with guidance from the Federal Financial Institutions Examination Council (FFIEC), an intergovernmental agency, to shore up Internet banking security.
The FFIEC guidance, issued in October 2005, set a Dec. 31, 2006, deadline for banks to complete risk assessments of their Internet banking operations and mitigate any risks they identified. In response, banks spent an average of $2 million each just on consumer security in 2006, said Avivah Litan of Gartner, which recently surveyed 50 banks of various sizes on their FFIEC compliance efforts.
But that figure is misleading. For large banks, the price tag for FFIEC compliance was much higher: as much as $15 million each. Smaller banks spent less: as little as $50,000. On average, approximately 10 percent of the surveyed banks’ total IT budget went toward consumer security in the past 12 months, Litan told InfoWorld.
That’s been a boon for companies like RSA Security, which invested heavily in consumer authentication before EMC acquired it for $2.1 billion in June.
The authentication land rush has given life to a host of smaller firms that make consumer-authentication and fraud-detection software. Jon Fisher of San Francisco-based Bharosa likened FFIEC’s guidance to “rocket fuel” for his company. At strong authentication vendor Passfaces, FFIEC is a significant part of the company’s business, said Lennie Myers, vice president of sales. The good times aren’t likely to end now that the deadline has come and gone.
First, many banks have yet to satisfy the FFIEC guidelines -- fully one-third, according to Gartner’s survey data.
Second, even banks that are technically in compliance will be looking for ways to fine-tune the strong authentication solutions they have adopted. Stringent authentication may make government regulators happy, but it can also irritate customers who find themselves locked out of accounts after flubbing “challenge and response” questions designed to weed out fraudsters, Litan said.
Support center calls to restore account access for those customers start at $7 apiece, she said.
The FFIEC deadline also made strange matches of security vendors, banks, and service providers such as Corillian and Digital Insight. With the deadline passed, Myers expects banks to take measure of the authentication technology they’ve chosen, and service providers to offer more choices to customers.
Ultimately, banks may go for what Litan calls a “bifurcated strategy”: using visible security measures like Passfaces’ or RSA Passmark to build consumer confidence, while also investing heavily on the back end to reduce false positives and spot fraud. Either way, banks will continue to write big checks to technology vendors in 2007 to get right with regulators.
“There’s nothing like regulations and a big stick to get people moving,” Litan said.