With the FFIEC deadline for implementing multifactor authentication now but a memory, banks have improved their efforts to secure customers' information, according to a study by Javelin Strategy & Research. However, there is more banks can do, notes Javelin founder James Van Dyke.
"We saw a big shift toward banks using multifactor authentication [MFA]," Van Dyke says, crediting the FFIEC for prompting banks to improve security measures. "Last year, the numbers were very low, with about 20 percent of banks in the survey using MFA. This year, 88 percent of banks have this in place."
The Pleasantville, Calif.-based research and advisory firm's 2007 Banking Identity Safety Scorecard ranks banks and credit unions on their customer-facing identity-fraud prevention, detection and resolution capabilities. Javelin has been issuing the scorecard for the past four years, steadily increasing the criteria by which it measures financial institutions' security procedures. Twenty-five institutions are included in the 2007 study, representing half of the U.S. market by dollar value of deposits, according to the FDIC.
Of the three measures examined in the study, the area in which Javelin saw the greatest improvement was in banks' after-the-fact fraud resolution. This year, the average institution met 77 percent of Javelin's criteria for fraud resolution, compared with 67 percent in 2006. The average institution met 51 percent of the criteria for fraud detection, compared with 49 percent in 2006.
While the percent of prevention criteria met by the average institution actually dropped from 50 percent in 2006 to 44 percent in this year's scorecard, Van Dyke emphasizes that the decline doesn't necessarily mean banks are less safe -- it's more a matter of Javelin toughening its criteria. "Banks need to go to the next step and adopt best practices, such as stop using customers' full Social Security numbers for authentication," he explains. "Seventy-six percent of banks still do this to identify customers. Only 24 percent prohibit the use of SSNs. ... Why isn't it 100 percent at this point in time?"
Perhaps the No. 1 best practice for banks to adopt, according to Van Dyke, is to deputize their customers in the war on fraud. For instance, he says, one in two cases of identity fraud is detected by the victim. Further, "The majority of data leakage points are under the customers' control, like lost or stolen wallets, mailboxes and unsecured PCs," Van Dyke notes. "We're not blaming the consumers, but banks are pretty safe organizations."
The safe bank of the future, Van Dyke stresses, will be one in which consumers and the institution partner with one another. Customers can be "unpaid allies" in the battle against criminals, he says. They just need the tools, such as proper authentication procedures and the ability to receive electronic statements.
It's no surprise that the bank ranked No. 1 for overall security by Javelin -- Bank of America (Charlotte, N.C.; $1.3 trillion in assets) -- provides consumers with a number of security tools, including several authentication methods. "Online security is a top priority at Bank of America," says Betty Reiss, a bank spokeswoman. "We provide a number of security features to help protect customers," including automatic e-alerts; the ability to create unique, temporary account numbers for online purchases; a zero-liability guarantee; and online information on fraud scams.
Of course, achieving optimal security measures comes with a price. "There is a cost to doing this, but the cost will be outweighed by lower losses and higher adoption," Javelin's Van Dyke contends. "This concept is a net profit maker," he adds. "But if you look at their systems, this is not a trivial undertaking at all."