Strategically Speaking

So you’ve launched a Mobile Banking App, are you ready for a Behavior Change?

Author: Jacqueline Marshall, JaMarshall@jackhenry.com

In last February’s blog – Best Practices for Building an Enterprise Wide Electronic Channel Strategy, I wrote that financial institutions should consider a paradigm shift in strategy that includes a focus on e-banking services, service components, and delivery channels.

This strategy is also important because the process will help determine how all banking delivery channels may change after deploying mobile banking. What’s key in this risk-based approach is developing an effective delivery channel mix for future online and face-to-face banking interactions. Prolific use of mobile devices doesn’t necessarily spell the demise of traditional banking channels; instead, it powers customers’ demand for more information and interaction through multiple touch-points, some of which must be available anytime and anywhere.

As your mobile delivery channel gains traction, more customers will regularly use their mobile device for simple transactions such as transferring funds, depositing checks, and checking balances (as you expect); however, you may also find that your front-line employees spend more time handling complex or difficult transactions. This potential issue was highlighted in a recent Gallup Research Report, which examines which banking channels customers use for which tasks, and how the delivery channel mix directly affects the health of each customer’s relationship with their bank.

In an effort to maximize your FI’s customer relationships, you may want to revisit the June 2009 FFIEC Supplemental Guidance on Internet Banking Authentication. This guidance requires FIs to identify the features of each online banking service and delivery channel, and to categorize online banking customers by service use. The next time you update this risk assessment, consider expanding the framework to include a similar analysis of other, more traditional banking delivery channels. This may lead to new ways to combine high-tech with high-touch - think of the airlines staffing their check-in kiosk areas with customer service representatives…

Forward-thinking FIs keeping an eye out for changes in customer behavior may consider future use of video tellers and concierge-type banking services. Alamo Federal Credit Union has recently launched such a service. An AFCU representative arrives in an AFCU-branded SUV to meet members in person at their office, home, or coffee shop to open accounts, take and complete loan applications, help members switch from other FIs, and assist in setting up automatic bill pay or mobile services.

Could the “branch on wheels” concept be the panacea combo to satisfy the "Generation C" - always connected, communicating, content-centric, computerized, community-oriented consumer? Only a risk-based approach to Know Your Customer base will tell. 

The Customer Awareness and Education Disconnect

Author: Karen Crumbley, karenc@gladtech.net

After working with Financial Institutions (FIs) since June 2011 on the compliance objectives of the FFIEC’s Supplement to Authentication Guidance, it has become clear that many FIs are still struggling with the best way to address the guidance’s customer awareness and education expectations. There appears to be a gap between FIs providing educational materials to their customers and those customers acknowledging receipt and understanding of the materials.

Here are some of the reasons why I believe FI customers may be ignoring educational materials:

  • The educational material is not compelling -
    Regardless of the distribution method, the material simply fails to capture their attention. FIs utilize multiple distribution channels such as websites, brochures, and statement stuffers, but with customers inundated with materials from multiple directions, educational materials are largely ignored.
  • A strategic communication plan and messaging is missing -
    Many FIs fail to create and follow a strategic roadmap for ongoing Customer Awareness and Education Program initiatives. The messaging lacks specific focus and does not give customers compelling reasons to pay attention to communications about the need for additional or enhanced technology controls to prevent or detect fraud.
  • The Customer Awareness and Education Program is stuck on that “backburner” -
    The Customer Awareness and Education Program component of the FFIEC guidance is not a priority, and other projects have taken precedence, leaving enhancements in the conceptual phase.
  • The FI is concerned that intentional efforts to encourage education may alienate business customers -
    FIs do not want to impose on their customers by making education mandatory. As a result, many business customers are falsely under the impression that their accounts are protected and insured against fraud.

Here are some ways that FIs have had success with their Education and Awareness Program:

  • FI management leverages unique delivery channels for communicating with their higher-risk commercial customers -
    FIs see this as an opportunity to build relationships. They run specific campaigns designed to create interest and a desire to learn more. Successful tactics include eblasts and emails, outbound phone calls, in-person meetings, marketing campaigns combined with customer-facing events like ‘lunch and learns’, and web-based training to encourage customer participation.
  • FIs engage internal stakeholders for support and buy-in for an active Customer Awareness and Education Campaign -
    As part of the strategic communication planning process, FIs identify, create, and train internal cheerleaders who understand the purpose and importance of the campaign. As a result, FI employees are knowledgeable and able to engage customers, emphasize the importance of the campaign, and further education and awareness.
  • Educational material is promoted as a value-added service -
    Instead of viewing the educational offerings as a burden to customers, FIs present education as a way to promote confidence in, and concern for, the security of online banking transactions rather than as an inconvenient feature; in this sense they embrace the guidance objectives as an opportunity rather than a burden.

An active Customer Awareness and Education Program should be a strategic and ongoing initiative, designed to help your customers make the connection: they own a large part of the responsibility for the security of their online banking transactions, and your FI’s participation in providing this valuable information to prevent and detect fraud can enhance and deepen the relationship with your customers.

I would love to hear your ideas for a successful Customer Awareness and Education Program. 

Just when you think you have it All Figured out … Something New Comes Along

Author: Debi Randol, drandol@profitstars.com

After several years of working in a stable compliance environment, I started to notice a change. Around June 2011 the FFIEC released the Supplement to Authentication in an Internet Banking Environment, and Financial Institutions (FIs) struggled with adopting the new guidelines. Things were just beginning to settle when the FFIEC released a new host of proposed guidelines in January of this year for Social Media Communication management. After reviewing the feedback that FIs submitted to the FFIEC in response to the proposed Social Media guidelines, it appears that FIs are growing jaded with regulatory requirements. I read quotes like “You are regulating us to death!”, “Adding more laws and entities is ridiculous!”, and “Do we really need another policy?”

The truth is I can empathize with FIs because IT Regulatory Compliance expectations are high. I can understand how community banks feel “overburdened and overregulated”. I have even heard in jest that “bankers can’t be bankers anymore because they are too busy with policies and risk assessments”. However, I also fully understand the importance of IT Regulatory Guidance, and I know that being unprepared for an exam or audit is not a valid option. Trust me, I have some experience helping FIs prepare at the last minute or in the week prior to an exam or audit, and they are overwhelmed. All things considered, preparing for the next wave of guidance would be to the FI’s advantage. Since Social Media Communication is still a new medium, it presents unique risks. For example:

  • How do we keep customers and FI personnel from posting non-public information?
  • How do we address record retention and vendor management when the vendors that provide these services are not traditional FI vendors? 
  • What do we do if our social media page domain is hacked for the purpose of identity theft that steals FI customers’ credentials?
  • What about advertising regulations and employee acceptable use?

Regulatory bodies have recognized that these questions need to be addressed.  So what does all of this mean?  First of all, it’s important to note that the guidance does not impose additional obligations on FIs.  The responsibility to manage the potential risks associated with social media usage and access is no different from that which is required for any new product or service.  In addition, the pending guidance is expected to require a risk management program to be in place to identify, measure, and control the risks related to social media – even if your financial institution is not actively participating in this arena. 

It will be beneficial for your FI to plan and formalize a strategy now, if you have not done so already.  Is your FI going to actively participate in social media communication?  If yes, what do you wish to accomplish from it, and how are you going to measure those accomplishments?  These can be the building blocks for your policies, procedures, and employee training.

I strongly recommend not delegating this responsibility to one individual, as it merits the attention of more than one stakeholder.  Social media is far reaching and needs to be a group effort.  First, get your board and senior management approval and involvement.  Then, with all the regulations that intertwine with social media (17 and counting) make sure you are involving your compliance department or vendor.  Recognizing the regulatory requirements and guidance for social media communication and involving key individuals is potentially the most difficult step.  Once you have made the commitment to address social media guidance, then you will find that as with anything new it will soon become part of your regular processes and procedures. 

Are you ready to take the next step for planning your social media communication strategy? 

Prepping for your next Federal Exam: Actionable Activities to Prove FFIEC Authentication Guidance Accountability

Author: Jacqueline Marshall, JaMarshall@jackhenry.com

It’s hard to believe that it’s been one year since the FFIEC finalized the Supplement to Authentication in an Internet Banking Environment (June 2011). The intense media play of this guidance during the first several months of its release among financial institutions (FIs) and technology support vendors alike seems to have quieted to an eerie silence.

Is this because Technology Service Providers are exhausted from hyper-extending development teams to create new authentication controls? Or perhaps because FIs tackling the risk assessment process (in some cases for the very first time) are feeling confident and in control or, conversely, confused and frightened? Maybe the hush is due to the theory that FIs may be holding their breath to hear how peer banks are coping with exams.

The recent Bankinfosecurity.com 2012 Faces of Fraud Survey indicates that only 11 percent of FI survey respondents have come into conformance since the updated guidance was issued. Half of the survey’s respondents say they do not conform now, and nearly one-quarter say they don’t even know their state of conformance. “The survey results reflect the confusion among most FIs as to what’s expected of them when it comes to practical technical solutions,” says Gartner analyst Avivah Litan.

One bright spot is a rumored FFIEC Authentication FAQ on this subject, similar to what the FTC published in 2001, post-GLBA Privacy. Whether or not an official FFIEC guidance-based FAQ surfaces, those of us who are in the business of listening to trends and feedback can offer additional FAQ-type support. Our suggestion: the best way to address high-level federal regulatory directives and mitigate risk is to implement strategic and actionable responses to risk assessment findings, so that the minimum expectations outlined in the supplemental guidance document are fully addressed.

For example, regularly monitoring high risk online banking transactions for anomalies is considered an important activity for ensuring the security of transactions and data from internal and external threats/vulnerabilities. The examiner will also want to see actionable detail that supports reporting on exception criteria based on historical customer activity, systematic identification of events to monitor for, and assignment of appropriate responsibilities to manage.  Policy and procedural activities should also include requirements for documentation and archiving, as well as appropriate follow-up (specific incident response procedures) for exceptions.

A terrific resource for implementing these types of actionable activities to complement and fully address the FFIEC Authentication Guidance objectives is the Texas Bankers Electronic Crimes Taskforce Best Practices for Reducing the Risk of Corporate Account Takeover. This 17-page document clearly and concisely supports the FFIEC Authentication Guidance with a set of best practices compiled for each of the recommended processes and controls under a Protect, Detect, and Respond framework. These best practices are not an all-inclusive list and are provided as guidance to assist in implementing the nineteen processes and controls needed to reduce the risk of Corporate Account Takeover thefts.

Approaching compliance with a fluid, actionable approach will also support an ongoing initiative acknowledging that electronic crimes are dynamic, and that additional changes in risk management processes and controls will be necessary as electronic based theft continues to evolve.

What’s been your FI’s strategy for addressing the FFIEC’s Supplement to Authentication in an Internet Banking Environment?

Take the Lead with Your Customer Awareness Campaign

Author: Karen Crumbley, karenc@gladtech.net

Financial Institution (FI) management teams are embarking on the next steps in order to meet the expectations of the FFIEC’s Supplement to Authentication in an Internet Banking Environment. The next line item on the agenda after the initial risk assessment is commonly the Customer Awareness and Education component of the guidance. Whether your FI’s Information Security Officer is the lone soldier overseeing this project or there is a designated committee of individuals from different functional areas to manage the awareness campaign, they are likely in the process of reviewing their options.

Naturally, cost-effective control solutions top the list when making a decision on your Customer Awareness and Education Campaign. According to a recent fraud survey from Bank Info Security, FIs rank increasing and improving staff training just above enhancing customer and member education efforts among the top ten investments they plan to make over the next twelve months. All signs indicate that FIs are planning to take an active approach to the guidance’s suggested enhancements to customer awareness.

So, the remaining question is, “how are the funds going to be applied in line with the customer awareness campaign?” As the guidance states, both retail and commercial online banking account holders will need to be educated. FI management teams should strategically look at three segments to provide training for: consumer/retail customers, commercial customers, and internal personnel. Each category will need to be given information appropriate to its needs. Consider a multi-dimensional approach to all audiences. The options for presenting material to online customers may roughly be broken down into the following three categories:

  1. In person (through employee training, lunch and learns, onsite visits)
  2. Electronically (websites, eblasts, online training portals)
  3. Hard Copies (brochures, statement stuffers, standard mailings)

Given the above list of options, one of the FI’s most significant decisions will be which delivery channels to use in rolling the training out to customers. A major concern FIs have is that they do not want to risk alienating customers by asking them to participate in an interactive training course. Another recurring concern is that FIs want to know what other FIs are doing. These concerns are clearly valid; FIs do not want to appear unreasonable in what they ask of customers. However, a little “hard line” security promotion might just be a plus. In fact, I strongly encourage FIs to take a strong stance and adopt a thought leadership approach.

There is no need to wait until your auditor or examiner requests enhancements, or to become overly concerned with what other FIs are implementing. Think of how you can provide the greatest service for your customers. The concept is a little reminiscent of JFK’s “ask not what your country can do for you; ask what you can do for your country”. Seriously though, providing educational tools and designing an intentional campaign for your customers is a service that you can be proud to promote. Taking the lead and asking customers to assist in keeping their transactions safe is not too much to ask, is it?

Arm the SMB against the ‘Bad Guys’

Author: David McDaniel, DMcDaniel@profitstars.com

You know, it occurred to me recently, while watching the original Die Hard movie, that one of the most glaring gaps identified by the FFIEC’s Supplement to Authentication in an Internet Banking Environment is the need to educate and arm the small- to medium-sized business (SMB) customer against the ‘Bad Guys’. Now, I know that a comparison of the BEST action movie EVER to financial institution governance sounds like a stretch, but stay with me.

It seems every time I turn around, I read a story about how someone surfed somewhere they had no business surfing and clicked something they shouldn’t have. Then, some bad guy broke into their computer and took something valuable (private information, credentials, money, $600 million in negotiable bearer bonds…). Sadly, too often these SMB owners, busy struggling to keep their enterprise afloat, become the weakest link in the electronic payments network by cutting corners. Among other things, they fail to recognize the value in paying for safeguards and reconciling their bank accounts regularly. The result is fraudulent debit transactions going unnoticed until the very narrow commercial ACH debit return window has passed, or funds illegally wired or ACH’d out to money mules, and ultimately a bankrupt business.

Somehow, we must take the time to help our customers understand just how easy it is for fraudsters to take advantage of them if they do not take precautions, and just how easy it is to ward off those same fraudsters by simply putting the cookie jar on a higher shelf. If there is one truth here, it is that the bad guys tend to go for the easiest targets, so creating more barriers between the SMB and the villains will shift the bad guys’ risk/reward equation in the customers’ favor. I mean, if Mr. Takagi had put all those bonds in his wallet (where the safeguards = button, silk thread, and a silk pants pocket) instead of in that huge vault (where safeguards = 7 locks, Al-the-Pal, and Bruce Willis), Hans Gruber would have totally gotten away with it!

Even though most small businesses do not typically have hundreds of millions to protect, there are some great safeguards out there to help deter the Hans Grubers of the world from taking their life blood: products that allow the SMB to review and approve incoming ACH debits and maintain their wire and ACH credit recipients, all using out-of-band communication channels. These products will help them do it, but unless these customers begin treating their online-accessible assets with the same care they give their cash, the bad guys will continue to take them down one at a time, and the banking industry, as well as the ACH network, will suffer.

Now, I understand you may still be scratching your head about the whole comparing Die Hard to the FFIEC guidance thing. Especially since Mr. Takagi was killed, the bad guys required quite a bit of convincing to get them to leave (die), and NO ONE wants to be in Holly Gennaro’s shoes, hanging by a wristwatch from a window 80 stories up! But since SMBs cannot put all of their valuable information in a Nakatomi vault, they need to be convinced of the value of safeguarding their private information, being diligent about reconciling their accounts, and taking advantage of the tools that can allow them to protect themselves and the future of their company…because, my friends, the future of their company truly is at stake, and Bruce Willis is just an actor with bad hair (still the best action movie EVER though).

Beyond the Check-box: Prepping for your Next IT Exam

Author: Jackie Marshall, JaMarshall@jackhenry.com

When prepping for your next IT exam, visualize the examiner with a pick and a shovel. As you work through the pre-exam checklist, consider what exists behind the check-box; if you don’t, the examiner certainly will. Can you provide specific details that indicate how you are complying with that task item or initiative? How often your IT Steering Committee and management team review exceptions, address residual risk, and implement updates (technical or procedural) will indicate to the examiner that you are intentionally addressing IT management initiatives and not falling into a “check-box mentality.”

For example, indicating that your IT management staff and Information Security Officer regularly monitor systems for intrusions is considered an important activity for ensuring the security of your internal systems and data from internal and external threats/vulnerabilities. The examiner will also want to see actionable detail that supports specific reports, exception criteria, events to monitor for, and assignment of appropriate responsibilities to manage.  Policy and procedural activities should also include requirements for documentation and archiving as well as reporting and follow-up of exceptions.

Understanding that the simple answer of “internal audit monitors the Core, etc...” may not pass muster in this post-FFIEC compliance environment should draw attention to actionable supporting activities. But don’t view this “pick and shovel” approach as negative. Your FI likely spends thousands of dollars and many resource hours annually to monitor systems and data. Maximizing the potential benefits of these services, including validation of technology service provider relationships, is an important component not just for IT but for the business success of your organization.

Knowing how to spell out strategic detail to your examiner will indicate an intentional enterprise-wide security approach that will speak volumes about your FI’s management team and respect for IT from a business perspective.  

Financial Institutions thrust into a New Role as the “Enforcer”

Author: Karen Crumbley, karenc@gladtech.net

The FFIEC’s Supplement to Authentication in an Internet Banking Environment has been out for over six months now, and it’s fair to say that the new Guidance has seen its share of analysis from the industry at large. At first I hesitated to broach such a topic that has already been the subject of so much focus throughout the latter half of 2011; however, I think there is a “sleeper” directive buried in the content that is being overlooked, inconspicuously hanging out in the Customer Awareness and Education section of the Guidance as follows:

• A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically

So, what does that statement mean exactly? While other items in the education section are prescriptive in nature, clearly requiring that a certain course of action be taken, this statement is somewhat vague. I am skeptical about the word “suggestion” in that statement and suspect that this directive will not be nearly as discretionary as it implies. Instead, I believe that examiners may be looking for an action regarding this “suggestion” or prompting in an effort to address this aspect of the Guidance.

Financial institutions (FIs) seem hesitant to recommend a risk assessment of this nature. Among other reasons, some of the uncertainty lies in the fact that they do not want to task a customer with this exercise. The FIs are in a market that competes for the commercial customers’ business and could construe this as potentially burdensome from the customer’s viewpoint.

FIs are accustomed to examiners/auditors’ expectations that they must perform several types of risk assessments, but now the tables are turned, and the FI finds itself suddenly thrust into a new role of being the enforcer. The FI will need to set expectations and provide the commercial customers with some type of framework so that they can conduct a risk assessment themselves. Additionally, the FI will need to guide the customer in determining the methodology, the frequency of this activity, and the way in which the information will be disseminated.

A few compelling reasons why FIs could benefit in this new role:

  1. FIs can use this task as an opportunity to emphasize the shared responsibility (FI and customer together) for ensuring the security and confidentiality of Non Public Information (NPI) and FI transactions with business customers.
  2. The FI will gain a risk perspective of each business as a unique entity and “risk rank” each business based on the combination of banking products/services and environment.
  3. The business entity may gain a comprehensive understanding of the preventative, detective, and response measures involved with each banking product/service, and a framework for risk appetite and tolerance for future banking products/services.

If the overarching goal of the Guidance is to ensure that the customer’s non-public information is protected, then why wouldn’t an FI implement this education directive and require its commercial customers to participate?

Unlocking the Secrets of “Layered Security”

Author: Kevin Moland, kmoland@profitstars.com

Thanks to the FFIEC, the words “layered” and “security” have been permanently welded together. The phrase appears sixteen times (seventeen, if you allow the variation, “a layered approach to security”) in last June’s Supplement to Authentication in an Internet Banking Environment. Since then, the happy adjective and noun have been spotted side-by-side in gazillions of blog posts, white papers, and online security ads; they are part of the same family, like Donnie and Marie; paired for all time, like Snookie and “The Situation.”

On page four of the aforementioned guidance, the FFIEC defines layered security as being “characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control.” In many of the side streets that feed into the online financial services marketplace, this sentence is being interpreted simply—but incorrectly—as, “Financial institutions need more security.” Those who condense the guidance this way do so at their own peril.

To be fair, the guidance does require “the use of different controls,” which will result in FIs deploying more security measures, but the FFIEC specifically requires that those controls be placed “at different points in the transaction process.” Replacing current fraud prevention tools with new ones (e.g., removing tokens and replacing them with out-of-band phone authentication) may or may not improve a particular checkpoint, but it won’t add new security layers and it won’t meet the goals set forth by the FFIEC. Adding more of the same kind of security (e.g., adding out-of-band authentication in addition to tokens) won’t add a new layer either, it will just make the existing layer fatter. Adding more cheese to your cheeseburger doesn’t make it a different kind of sandwich, it just makes it cheesier.

In addition to deploying fraud prevention tools at different points in the transaction process, the FFIEC further directs that these controls be implemented in a way that ensures “a weakness in one control is generally compensated for by the strength of a different control.” In other words, what the FFIEC really wants is intelligently layered security, where each layer is designed to prevent attacks engineered to defeat other layers.

So how can an FI add new layers intelligently? In the guidance, the FFIEC discusses a plethora of security measures, but it talks very little about the “transaction process” or how to arrange security measures within it. To meet the requirements of the guidance, financial institutions will need to construct an enterprise-wide diagram detailing the flow of their electronic transactions. This flow chart should serve as the foundation for their risk assessment.

The diagram can be built around these online system activities:

• User Login
• Transaction Submission
• FI Review and Processing
• System Administration

Financial institutions should first identify the security measures they deploy today and determine how they are spread across the activities above. They must then evaluate how known threats will fare against those measures. In a perfect world, any attack that defeats a measure in one part of the process will be thwarted by measures in other parts. In the real world, FIs will likely find scenarios where existing defenses are inadequate to prevent certain types of fraud.

Take, for example, fraudsters’ increasing ability to manipulate legitimate online sessions. In this type of attack, malicious entities observe system traffic unnoticed until after a user has logged in to the system. Once the user establishes a valid session, the fraudster, via embedded browser “add-ins” (Man-in-the-Browser) or by setting himself up as a proxy service (Man-in-the-Middle), assumes control of the session and submits fraudulent transactions. This type of attack takes place after user login, circumventing the strong authentication tools most FIs added in response to the FFIEC’s original 2005 guidance. Adding more user authentication measures during login won’t prevent this kind of fraud. What will help is establishing new controls in the transaction submission phase, such as dual control, velocity limits, or additional out-of-band approval for transactions sent to accounts not previously targeted by that business. Anomaly detection tools deployed in the reviewing and processing phase will further protect against these types of attacks, as will customer-installed, FI-endorsed security modules designed to police the user’s PC.
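
To make the post-login layers concrete, here is a small added example (not code from the original post, nor from ProfitStars or Jack Henry) that runs a batch of transactions through controls at two of the four activities above: out-of-band approval for a recipient the business has never paid, dual control above an amount threshold, and a velocity limit at the transaction submission step, followed by an anomaly check at the FI review and processing step whose exception criteria are derived from that customer’s own historical activity, as the exam-prep post earlier on this page describes. It also collects each firing as an exception record of the kind that policy says should be documented and followed up. The customer name, recipient identifiers, thresholds and sample transactions are all constructed for illustration.

```python
"""Layered transaction controls across phases of an online banking transaction.

Illustrative example only; every name, threshold and sample transaction below
is constructed and is not drawn from any FI's real data."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    customer: str
    recipient: str   # destination account identifier
    amount: float
    minute: int      # minutes since the start of the business day


@dataclass(frozen=True)
class CustomerProfile:
    known_recipients: frozenset    # accounts this business has paid before
    history: tuple                 # past amounts: the basis for exception criteria
    dual_control_threshold: float  # at or above this, a second approver is required
    velocity_limit: int            # max submissions allowed inside velocity_window
    velocity_window: int           # minutes


@dataclass(frozen=True)
class ControlException:
    phase: str       # "submission" or "review": where in the process it fired
    txn_id: str
    control: str
    detail: str


def submission_controls(txn, profile, earlier_txns):
    """Controls applied after login, at transaction submission. A session taken
    over after a valid login passes every login control, so these look only at
    what is being submitted."""
    found = []
    if txn.recipient not in profile.known_recipients:
        found.append(ControlException("submission", txn.txn_id, "out_of_band_approval",
                                      f"recipient {txn.recipient} not previously paid"))
    if txn.amount >= profile.dual_control_threshold:
        found.append(ControlException("submission", txn.txn_id, "dual_control",
                                      f"amount {txn.amount:.2f} >= {profile.dual_control_threshold:.2f}"))
    recent = [t for t in earlier_txns
              if t.customer == txn.customer
              and 0 <= txn.minute - t.minute < profile.velocity_window]
    if len(recent) >= profile.velocity_limit:
        found.append(ControlException("submission", txn.txn_id, "velocity_limit",
                                      f"{len(recent)} prior submissions within {profile.velocity_window} min"))
    return found


def review_controls(txn, profile, z_threshold=3.0):
    """FI review and processing phase: flag an amount far outside the
    customer's historical pattern (z-score against their own history)."""
    if len(profile.history) < 5:
        return [ControlException("review", txn.txn_id, "insufficient_history",
                                 "fewer than 5 historical transactions; manual review")]
    mu, sigma = mean(profile.history), pstdev(profile.history)
    if sigma == 0:
        anomalous = txn.amount != mu
        detail = f"amount {txn.amount:.2f} differs from constant history {mu:.2f}"
    else:
        z = (txn.amount - mu) / sigma
        anomalous = z > z_threshold
        detail = f"z-score {z:.1f} against history mean {mu:.2f}"
    return [ControlException("review", txn.txn_id, "amount_anomaly", detail)] if anomalous else []


def evaluate_batch(txns, profiles):
    """Run each transaction through both layers, oldest first; return the
    exception records that policy requires to be documented and followed up."""
    exceptions, seen = [], []
    for txn in sorted(txns, key=lambda t: t.minute):
        profile = profiles[txn.customer]
        exceptions.extend(submission_controls(txn, profile, seen))
        exceptions.extend(review_controls(txn, profile))
        seen.append(txn)
    return exceptions


def controls_fired(exceptions, txn_id):
    """Names of the controls that fired for one transaction."""
    return {e.control for e in exceptions if e.txn_id == txn_id}


def count_by_phase(exceptions):
    """Exceptions per layer, for the exception report."""
    counts = {}
    for e in exceptions:
        counts[e.phase] = counts.get(e.phase, 0) + 1
    return counts


# Constructed sample data: one commercial customer and one morning's batch.
PROFILES = {
    "acme": CustomerProfile(
        known_recipients=frozenset({"payroll-001", "supplier-042"}),
        history=(1200.0, 1350.0, 1100.0, 1275.0, 1300.0, 1250.0, 1225.0, 1400.0),
        dual_control_threshold=10_000.0,
        velocity_limit=3,
        velocity_window=10,
    )
}

SAMPLE_BATCH = (
    Transaction("t1", "acme", "supplier-042", 1_300.0, 9 * 60 + 5),  # routine payment
    # t2-t4: sent inside a valid session to an account never paid before, each
    # below the dual-control threshold, so only the other controls can catch them
    Transaction("t2", "acme", "mule-9911", 9_800.0, 9 * 60 + 7),
    Transaction("t3", "acme", "mule-9911", 9_900.0, 9 * 60 + 8),
    Transaction("t4", "acme", "mule-9911", 9_700.0, 9 * 60 + 9),
    Transaction("t5", "acme", "payroll-001", 12_500.0, 10 * 60),     # known payee, unusually large
)

if __name__ == "__main__":
    for e in evaluate_batch(SAMPLE_BATCH, PROFILES):
        print(f"{e.phase:<10} {e.txn_id} {e.control:<22} {e.detail}")
```

Notice what each layer contributes: t2 through t4 would sail through if the only defence were at login, but the new-recipient check catches every one of them, the velocity limit adds a hold on the third submission in a ten-minute window, and the review-phase anomaly check flags all four large amounts independently, so a weakness in one control is compensated by another placed at a different point in the process.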

Using this type of approach, financial institutions must examine how each threat fares against their security measures during each phase of the transaction process. FIs that do this will be able to identify “holes” in their current prevention plans. Once an FI understands where its security measures fall short, it can take action to strengthen weak areas.
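The phase-by-phase reasoning above can be made concrete. The following is an added example, not code from the original post or from ProfitStars: it models a constructed control inventory and one constructed threat (a session hijack that rides an already-authenticated session), reports which threats no remaining phase covers, and then applies the three submission-phase controls the post names (new-payee out-of-band approval, velocity limits, dual control) to a constructed transaction. The control names, thresholds and business identifiers are illustrative assumptions.

```python
"""Added example: layered controls mapped to the four transaction-process phases.

Not code from the original post. All control names, threats, thresholds and
sample transactions below are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    LOGIN = "User Login"
    SUBMISSION = "Transaction Submission"
    REVIEW = "FI Review and Processing"
    ADMIN = "System Administration"


# Constructed control inventory: control -> phase in which it operates.
# BASELINE reflects an FI that answered the 2005 guidance with login-phase
# controls only; ENHANCED adds the submission- and review-phase layers.
BASELINE_CONTROLS = {
    "password": Phase.LOGIN,
    "otp_token": Phase.LOGIN,
}
ENHANCED_CONTROLS = {
    **BASELINE_CONTROLS,
    "dual_control": Phase.SUBMISSION,
    "velocity_limit": Phase.SUBMISSION,
    "oob_new_payee_approval": Phase.SUBMISSION,
    "anomaly_detection": Phase.REVIEW,
}

# Constructed threat model: threat -> phases whose controls it gets past.
# A MitB/MitM session hijack acts after the user has authenticated, so it
# defeats every login-phase control no matter how strong that control is.
THREATS = {
    "session_hijack_mitb": {Phase.LOGIN},
}


def uncovered_threats(controls, threats):
    """Return the threats for which no control sits in a phase the threat cannot bypass.

    This is the "hole" check from the post: a threat is covered only if some
    measure survives in a part of the process the threat does not defeat.
    """
    gaps = []
    for threat, bypassed_phases in threats.items():
        surviving = [c for c, phase in controls.items() if phase not in bypassed_phases]
        if not surviving:
            gaps.append(threat)
    return sorted(gaps)


@dataclass(frozen=True)
class Transaction:
    business_id: str
    payee: str
    amount: float
    approvals: int  # number of distinct approvers who have signed off


def submission_checks(txn, known_payees, recent_total, *, daily_limit, dual_control_threshold):
    """Submission-phase controls. Returns the holds a transaction triggers.

    An empty list means the transaction may pass to FI review; any hold stops
    it until the named condition is satisfied out of band.
    known_payees: business_id -> set of payees that business has paid before.
    recent_total: amount already submitted by this business in the current window.
    """
    holds = []
    if txn.payee not in known_payees.get(txn.business_id, set()):
        # New destination account: require confirmation outside the browser session.
        holds.append("oob_approval_required")
    if recent_total + txn.amount > daily_limit:
        holds.append("velocity_limit_exceeded")
    if txn.amount >= dual_control_threshold and txn.approvals < 2:
        holds.append("dual_control_required")
    return holds


if __name__ == "__main__":
    print("baseline gaps:", uncovered_threats(BASELINE_CONTROLS, THREATS))
    print("enhanced gaps:", uncovered_threats(ENHANCED_CONTROLS, THREATS))

    # Constructed sample data for one business customer.
    known = {"acme-llc": {"vendor-a", "vendor-b"}}
    injected = Transaction("acme-llc", "unknown-account", 25_000.0, approvals=1)
    routine = Transaction("acme-llc", "vendor-a", 5_000.0, approvals=1)
    for t in (injected, routine):
        print(t.payee, submission_checks(t, known, 40_000.0,
                                         daily_limit=50_000.0,
                                         dual_control_threshold=10_000.0))
```

The point of the first function is that `BASELINE_CONTROLS` leaves the session hijack uncovered even though both of its controls are strong; the gap closes only when a control is placed in a phase the attack does not reach. The second function shows why the post recommends submission-phase controls: a transaction injected into a valid session still has to clear checks that do not depend on the login at all.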

In summary, “layered security” isn’t just about adding more stuff. It’s about adding the right stuff in the right places. FIs that intelligently arrange their layered security measures will have nothing to fear from examiners and, more importantly, their customers will have less to fear from fraudsters.

Customer Education Initiatives that go beyond the Statement Stuffer…


Author: Karen Crumbley, karenc@gladtech.net

In recent conversations with financial institution (FI) employees, I have received varied responses when asking, “What are your plans for your customer education program in regard to the FFIEC’s Supplement to Authentication in an Internet Banking Environment?” Usually, their response is something along the lines of “that is yet to be determined.” I gather that the reason this initiative is not quickly run through the decision-making process is that there are several stakeholders involved. Plus, the outcome will be customer-facing, so it would seem logical that FIs would want to proceed carefully, giving the subject careful consideration.

I am concerned that because customer education enhancements are not an easy item to check off the “to do” list, the final outcome may suffer as a result. Some FIs may decide to stay the course using traditional communication channels for education initiatives. For example, an FI may invest in brochures and statement stuffers and simply “go through the motions” of fulfilling a regulatory directive. Unfortunately, this method of education is not compelling, and I speculate that statement stuffers and brochures likely find their way to the bottom of customers’ reading lists, and then eventually to the bottom of the trash bin. The guidance released in June 2011 by the FFIEC strongly suggests that regulatory agencies are looking for something more: education efforts that go beyond the basic statement stuffer.

Be aware that various other “typical methods” of educating customers may be less than ideal, as well, including:

Posting information to the FI’s website 

Let’s face it: this is really just a statement stuffer in electronic form. It is not as if customers are lacking things to do and so will turn to their FI’s website for a quick reading break on malware. If you choose to go with this option, I recommend strategically placing the information on the online banking logon page.

Lunch-and-Learn Events

The positive aspect of using these events to educate customers about the latest online banking threats is that you are giving them an incentive; however, realistically, these events only involve a small percentage of the customer base.

Including information along with the customer agreement 

Customers often neglect to read the fine print of customer agreements and so often sign and turn them in without paying much attention to detail. 

Newsletters

Newsletters can be a creative way to provide information if done well and distributed via email, but many FIs lack the expertise and resources for this undertaking.

The recent FFIEC Guidance gives us every indication that the bar has been raised in what is expected of your existing customer education program, so FIs need to address this matter. Since many traditional educational methods are uninspired, I encourage you to “think outside the box” and consider non-standard methods to engage customers. Having documentation to demonstrate this effort to examiners would be optimal. For instance, what about trying out technology-driven educational methods such as social media communications, online training that tracks activity, or recorded webcasts?

How will you demonstrate your FI’s commitment and enhanced customer education program to auditors, examiners, and most importantly, to customers?
