BID® Daily Newsletter
Jun 29, 2011

BACKWARDS OR FORWARDS AND BETTER SECURITY:


A study by the Journal of Consumer Research finds the further back in the alphabet the first letter of your last name is, the faster you make purchasing decisions. This so-called "last name effect" probably comes about because, growing up in school, we all had to stand in lines sorted in alphabetical order. By the time the teacher got to the M's and beyond, these individuals had plenty of time to see what was going on and decide what they wanted to do. As they grew up, faster decision-making became ingrained. Simply by knowing someone's last name you can guess whether they will make quick decisions or not. Try it in your next meeting when someone chimes in with an idea, or when you try to guess which customer might be interested in getting into the next hot product.
Speaking of working backwards and making quick decisions, late yesterday regulators pushed out an updated "supplement" to their 2005 guidance on internet banking authentication. This is no doubt in response to recent hacking incidents where even security firm EMC saw its RSA SecurID devices exploited. This is a big deal because research firm Gartner estimates about 80% of banks in the US use that type of security token and hacking attacks seem to be more prevalent than ever.
Looking further into the specifics of the Supplement, we find regulators are basically telling bankers to get more focused because the threat is real. As part of that, banks need to perform risk assessments in the context of new and evolving threats (or at least annually). That means you will have to read more and stay even more on top of things, because customer authentication, layered security and other controls all need to be in place and reviewed and revised as needed to make sure risks are identified and managed.
Another key area regulators want bankers to focus on relates to ensuring certain specific minimum elements are in place. Banks should be incorporating factors such as changes to both the internal and external environments; how the customer is evolving, using technology and interacting with the bank; what functionality is offered online; and making sure security officials of the bank stay on top of any security breaches, identity theft, or fraud experienced by either the institution or the industry. That is a lot of work for sure, but getting into work groups and communicating with law enforcement regularly are two good ways to begin.
The update also implores bankers to utilize a "layered security" approach. Here, regulators remind bankers to have different controls at different points in any transaction all along the process so weaknesses in one area are generally compensated for by other controls. The key here is to protect customer information and limit access to only those who need it. Features and controls on such items as fraud detection; customer history; timely response; dual customer authorization; positive pay; debit blocks; out of band transaction verification; transaction value thresholds; payment receipts; transactions allowed per day; payment windows; IP address blocking; policies for dealing with potentially compromised customers; account maintenance; and improved customer education are all regulatory focal points of interest and review.
There is no sure way to prevent online security threats, but moving quickly can reduce the potential impact. Meet with your security and technology teams, discuss the Supplement and assign responsibilities to begin protecting your bank right away. It sure beats standing in line waiting for your name to be called.