
Why not let your customers help you meet the FFIEC supplemental guidance on Authentication in Internet Banking?

Author: John Zurawski | VP of Sales and Marketing, Authentify

It's been about a month since the FFIEC issued their supplement to the "Guidelines for Authentication in an Internet Banking Environment" first published in 2005. The supplement has generated a blizzard of white papers and an avalanche of commentary. Most of the discussion has focused on the technology solutions designed to help banks and FIs demonstrate an improved security and defense posture to comply with the guidance.

Playing the devil's advocate for a moment, I thought I would pose the question: which is more important, compliance or customers?

Obviously both are important. FIs can find themselves in deep trouble without either one. At the end of the day, however, the FFIEC guidance is intended to provide banks and FIs with thought leadership on what it takes to adequately protect a customer's online account. (I'll call it "thought leadership" because the guidance is not really regulatory in the strictest sense. It is, however, guidance on what auditors will be looking for relative to a bank's security posture and risk mitigation.)

That said, the goal is still to ensure customer accounts are adequately protected.

Many average online customers do not fully appreciate the dangers posed by malware and just how cunning cybercriminals have become. Therefore, much of the technology deployed to protect customer accounts is transparent to the end user and hidden as much as possible from the cybercriminals. Still, while the average user may not understand the technologies underlying online banking and security, they will understand what is supposed to be happening to their accounts. That $250 to the daughter at college is not supposed to be $25,000 to an account in the Ukraine.

The above is an easy example, and likely one that would be caught by any of the fine analytical or account profiling tools available. Still, it would be useful to bring the user's knowledge of their own account activities to bear against the cybercriminals. Interactive account reviewing and approval technologies that communicate with the end user via an "out-of-band" separate communication channel have been available for at least a decade. (Authentify introduced a phone-based transaction confirmation process that repeated transaction details to the end user over the phone in 2001.)

Involving the legitimate user in a final review and approval process via telephone or other separate device offers a strong defense against malware that compromises and modifies transactions while they are being conducted. It is equally effective against criminals logging on when the legitimate user is not even online. (Imagine your phone displaying account activity when you are not banking – and giving you a chance to cancel that activity.)
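The review-and-approval flow described above, simulated end to end as an added example (this is illustrative code, not Authentify's product or any bank's implementation). The key design point it demonstrates is that the confirmation message is built from the bank's own record of the pending transaction, never from what the browser displayed, so malware that rewrites a transfer in the session cannot rewrite what the customer sees on the separate channel. Account names, payee names and the message wording are constructed for the illustration; the amounts are the $250 and $25,000 from the text.

```python
"""Out-of-band transaction confirmation, simulated (added example, not the page's code)."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Transaction:
    """A transfer as the bank is about to execute it (the bank's view, not the browser's)."""
    from_account: str
    payee: str
    amount_cents: int

    def describe(self) -> str:
        return f"${self.amount_cents / 100:,.2f} from {self.from_account} to {self.payee}"


class FakeClock:
    """Controllable clock so expiry can be demonstrated offline."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class OutOfBandConfirmer:
    """Bank-side state for pending confirmations: one-time code, short expiry, details fixed at request time."""

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending: dict = {}  # code -> (transaction, expiry timestamp)

    def request_confirmation(self, txn: Transaction):
        """Hold the transaction and return (code, details shown, text) for the separate channel."""
        code = secrets.token_hex(4)
        self._pending[code] = (txn, self._clock() + self._ttl)
        message = f"Bank: confirm {txn.describe()}? Reply YES or NO, code {code}."
        return code, txn, message

    def respond(self, code: str, approved: bool) -> str:
        """Apply the customer's answer. Returns executed / cancelled / expired / rejected."""
        entry = self._pending.pop(code, None)  # one-time: a replayed code finds nothing
        if entry is None:
            return "rejected"
        txn, expires = entry
        if self._clock() > expires:
            return "expired"  # a stale approval releases nothing
        return "executed" if approved else "cancelled"


def user_reviews(intended: Optional[Transaction], shown: Transaction) -> bool:
    """The human check: approve only what the customer actually meant to send.
    intended is None when the customer is not banking at all."""
    return intended is not None and intended == shown


def run_scenario(intended: Optional[Transaction], submitted: Transaction, clock=time.time) -> str:
    bank = OutOfBandConfirmer(ttl_seconds=300, clock=clock)
    code, shown, _message = bank.request_confirmation(submitted)  # shown comes from the bank, not the browser
    return bank.respond(code, user_reviews(intended, shown))


# Constructed sample transfers.
TO_DAUGHTER = Transaction("CHK-0001", "daughter-college-acct", 25_000)          # $250.00
HIJACKED = Transaction("CHK-0001", "unknown-overseas-acct", 2_500_000)         # $25,000.00


def scenario_legitimate() -> str:
    return run_scenario(TO_DAUGHTER, TO_DAUGHTER)                   # "executed"


def scenario_malware_modifies_transfer() -> str:
    """Browser malware changed the transfer in flight; the phone shows the bank's version."""
    return run_scenario(TO_DAUGHTER, HIJACKED)                      # "cancelled"


def scenario_attacker_logs_in_alone() -> str:
    """Stolen credentials used while the customer is not online."""
    return run_scenario(None, HIJACKED)                             # "cancelled"


def scenario_replayed_code() -> str:
    bank = OutOfBandConfirmer()
    code, shown, _ = bank.request_confirmation(TO_DAUGHTER)
    bank.respond(code, user_reviews(TO_DAUGHTER, shown))
    return bank.respond(code, True)                                 # "rejected"


def scenario_stale_confirmation() -> str:
    clock = FakeClock()
    bank = OutOfBandConfirmer(ttl_seconds=300, clock=clock)
    code, shown, _ = bank.request_confirmation(TO_DAUGHTER)
    clock.advance(301)
    return bank.respond(code, user_reviews(TO_DAUGHTER, shown))     # "expired"
```

The two security properties worth noting are that a code is consumed on first use, so a captured approval cannot be replayed to release a later transaction, and that the confirmation expires, so an approval left hanging cannot be picked up later. Whether the separate channel is a voice call or a phone display, the customer is comparing the bank's record against their own intent, which is exactly the knowledge the article proposes bringing to bear.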

Offering customers MORE control seems to go against the grain of some of today's security trends, but layer that control with other security measures and you will have both strong security and customers who feel secure as well. It has been demonstrated that customers who feel secure are more loyal to their banking brand. Can you meet FFIEC requirements and gain customer dedication?

It's certainly something to think about.