Banks Starting to Adopt Authentication Technology As Deadline Nears
As of July, only 16% of financial institutions had implemented authentication technology capable of meeting FFIEC requirements, according to a survey by Roth Capital Partners. In the same survey, only 5% said they intended to use hardware tokens to meet the FFIEC requirements. Hardware tokens, which are devices that plug into a computer's USB port, are a form of multifactor authentication, which combines something the user knows, such as a password, with something the user has (the token).
Banks have more than the FFIEC to be concerned about; there's mounting evidence that consumers are leery of conducting transactions online for fear of having their identities stolen. Studies reveal that retail consumers are quitting online banking altogether, and are going back to conducting transactions in person, despite the obvious inconvenience.
The good news for banks is that these consumers can be won back if they're assured that their identities are protected. That, combined with the FFIEC guidance, is likely to trigger a boom in authentication spending; according to a UBS study, the market for authentication technology, now $200 million worldwide, will grow at a compound annual rate of 26% through 2010.
Leading-edge financial institutions are adopting technology that meets the FFIEC guidelines and scores a hit with customers as well. Citibank, for example, has adopted fraud detection software that analyzes the user's navigation and behavior during an online banking session, producing a dynamic risk score during each session. If the risk score exceeds allowable levels at any time, the application can ask for second-factor authentication, such as a challenge question or out-of-band phone call, or can deny the transaction.
Citibank customers appreciate the added precautions and are more likely to stick around as a result. When suspicious activity is detected, customers are alerted via text message or e-mail.
Citibank, like most banks, requires authentication and antifraud systems to be compatible with its existing online banking platforms, without costly tweaking. The technology it uses satisfies this requirement by working in real time on data observed in network traffic, rather than through application programming interfaces embedded within the banking application itself.
A data warehouse is used to store profiles and queries, enabling real-time analysis. For example, fraud analysts can run a query to find out how many accounts were accessed by a particular IP address, and marketers can query the system to find out which Web application features generate the most customer response.
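The per-session risk score with step-up or deny, and the analyst query for accounts per IP address, sketched as an added example (not the vendor's or any bank's code). The event fields, weights and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, shaped as a passive sensor might rebuild them from
# observed web traffic: (session, source IP, account, action, known device).
EVENTS = [
    ("s1", "198.51.100.7", "A100", "login", True),
    ("s1", "198.51.100.7", "A100", "view_balance", True),
    ("s2", "203.0.113.9", "A200", "login", False),
    ("s2", "203.0.113.9", "A200", "add_payee", False),
    ("s3", "203.0.113.9", "A201", "login", False),
    ("s4", "203.0.113.9", "A202", "login", False),
    ("s4", "203.0.113.9", "A202", "add_payee", False),
]

# Assumed weights and thresholds; a real deployment would tune these.
ACTION_RISK = {"login": 0, "view_balance": 0, "add_payee": 30}
UNKNOWN_DEVICE_RISK = 20   # added once per session
SHARED_IP_RISK = 15        # per extra account already seen from the same IP
STEP_UP_ABOVE, DENY_ABOVE = 40, 75


def accounts_per_ip(events):
    """Analyst query: number of distinct accounts accessed from each IP."""
    seen = defaultdict(set)
    for _session, ip, account, _action, _known in events:
        seen[ip].add(account)
    return {ip: len(accounts) for ip, accounts in seen.items()}


def score_events(events):
    """Re-score each session after every event and pick a response."""
    ip_accounts, session_risk, decisions = defaultdict(set), {}, []
    for session, ip, account, action, known_device in events:
        ip_accounts[ip].add(account)
        if session not in session_risk:
            session_risk[session] = 0 if known_device else UNKNOWN_DEVICE_RISK
        session_risk[session] += ACTION_RISK.get(action, 0)
        score = session_risk[session] + SHARED_IP_RISK * (len(ip_accounts[ip]) - 1)
        if score > DENY_ABOVE:
            decision = "deny"
        elif score > STEP_UP_ABOVE:
            decision = "step_up"   # e.g. challenge question or out-of-band call
        else:
            decision = "allow"
        decisions.append((session, action, score, decision))
    return decisions
```

Because the score is recomputed after every event, a session that starts as "allow" can move to "step_up" or "deny" partway through, which is the "at any time" behavior described above.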
On the front end, banks can employ strong authentication technology such as grid cards, cookie-based device recognition, one-time passwords, mutual authentication, and out-of-band authentication using e-mail or text messages.
H&R Block, which has adopted the same technology as Citibank, used it successfully during the 2006 tax filing season to stop tax refund scams. The company employed several Linux-based Intel processors to sniff Web traffic, which generated a terabyte of data. As with Citibank, the application didn't require modification to existing systems. H&R Block also offered two-factor authentication, implemented through challenge/response questions and answers, and reported that customer opt-in exceeded the expected 20% adoption rate.
It's safe to say that financial institutions will be doing a lot of investigation into such technology in the months ahead as they race to meet the FFIEC deadline.