As the year-end deadline approaches for upgrading online banking security by, if necessary, implementing dual factor authentication, some institutions are racing and others...well, they're just taking a "What, Me Worry?" approach. From the latest issue of the Boston Business Journal:
Gerald T. Mulligan isn't exactly sweating over his bank's ability to meet a fast-approaching deadline to enhance online security services.
"I'm an old banker and an old regulator," said Mulligan, president of River Bank in North Andover and himself a former state commissioner of banking. "We're in a good position -- at least as well as other institutions of similar size. I think if we have a good faith effort, that the regulators will be sympathetic and understanding."
Being both an old banker and an old bank regulator, Gerald "Gramps" Mulligan is a man who's likely suffered the loss of more brain cells than anyone other than an old bank lawyer. It's an occupational hazard.
"Sympathetic and understanding"? Bank regulators? Whatever he's smoking, I'll take two baggies.
On the other hand, "Old Gerald" may be simply comfortable with the company he's keeping.
Recent studies indicate that a significant number of the country's financial institutions will not have safeguards up and running by the end of the year, and industry watchers say implementation of these guidelines will be a struggle for smaller institutions.
While the larger banks are more likely to be up to speed, said [bank analyst George] Tubin, the smaller ones are probably struggling with the details of finding a vendor and integrating the technology.
"Virtually all the banks are somewhere in the process of getting something implemented," said Tubin, of the upgraded security systems. "But the vast majority won't have anything implemented by the end of the year."
Tower [Group] has estimated that only 20 percent will have security systems implemented by the end of the year.
Most of the remaining 80 percent will be smaller banks that rely heavily on outside vendors to provide online authentication tools. As predicted previously, they are busier than little beavers in a redwood forest and can't squeeze in all the work that needs to be done. Also, you have the age-old American problem of "integration." When will the small bank ever be truly free?
"The smaller banks are much more dependent upon their service providers than the large banks who probably have their own computer systems," said Goldman, whose bank manages $700 million in assets. "The smaller banks have to integrate the vendors that provide the service with the vendors who are providing the online banking, and it's not always the same one. So the two vendors have to talk to each other."
Smaller banks are reliant on a handful of vendors to assist them. Among those providing security software are RSA Security Inc., Corillian Corp., Business Signatures, and Verisign Inc., according to a 2006 report issued by the Aite Group LLC of Boston.
An April study by Aite stated 39 percent of the top U.S. banks won't meet the federally imposed deadline. The outfit's report noted that the FFIEC guidelines are drawing "a good amount of criticism." Out of the 21 retail banks surveyed for the report, almost half of the respondents said they perceived the guidelines as relevant; a third said they were not very relevant, and 21 percent had mixed feelings.
"Mixed feelings"? They feel "strongly both ways"?
Regardless of "feelings, nothing more than feelings," the rub is that the regulators may not get all warm and fuzzy about banks who miss the deadline, as "Old Gerald" expects.
However, despite some misgivings, most of the bank representatives in the Aite study viewed the guidelines as a requirement, not just a recommendation, according to the report; 57 percent said they would comply by the deadline, and almost all of the remaining respondents said they would comply sometime within the next year.
[Associate director of the FDIC's division of supervision of consumer protection Michael L.] Jackson said the FFIEC is empowered to fine the banks, but would be unlikely to do so. More likely, the written agreements between the FFIEC and the banks will have a time line and implications for dates not met, such as stronger criticism, he said. A civil money penalty would be a consequence of last resort, he added.
Whew, what a relief! No automatic civil money penalty likely merely for missing the deadline just a...umm..err.."written agreement"? What's that? You mean a memorandum of understanding? A supervisory agreement?
Oh, well, then, no sweat! What's a memorandum of understanding between friends?
I wonder how well "my vendor made me do it" will work on the "sympathetic and understanding" regulators? As long as a bank started promptly after promulgation of the guidelines and has worked diligently thereafter to assess its needs and implement security procedures mandated by that assessment, maybe it will be cut some slack. However, being required to sign a "written agreement," as suggested by the FDIC's Mr. Jackson, is not exactly something any bank should slough off as a minor inconvenience. As I noted in August when I discussed the FAQs published by FFIEC, on paper at least, the regulators are taking a hard line. You need to have your assessment done and security procedures implemented by year end. No extensions.
Mr. Mulligan may very well be correct. He knows what "good faith efforts" his bank has made, and I don't. In his case, maybe he's met the guidelines.
As for others who aren't in the enviable position of Mr. Mulligan's bank, perhaps, come January 1, 2007, a new era of good will and benevolence will issue forth, with regulatory understanding and forgiveness flowing across the land the likes of which we won't see again until Hillary Clinton is elected El Presidente.
I wouldn't bet my bank on it.