
FST. What are some of the main initiatives you’re working on right now?
AK. I report into the Risk Management organization of the company, with responsibility to support leadership in the Marketing division.
There are a number of risk issues. We’re continuing our focus obviously on issues that have been out there for a while such as privacy, safeguarding customer data, AML, USAPA, SOX, and continuing down those paths with risk mitigation initiatives. Obviously, the company right now has a really keen focus, as do others in the industry, on credit risk, market conditions, and the like.
We’re also looking very closely at fraud, ID theft risk; the joint agencies issued late last year a final rule implementing part of the FACT Act, requiring institutions to have an ID theft prevention program in place by November of this year, so we’re very focused on that.
I think business continuity/pandemic planning is still top of mind across the company.
From a vendor risk management perspective, off-shoring and outsourcing is an area of focus as well from a corporate standpoint – it requires a variation in the risk management operating model from one of doing the work and having more direct control to one of heavier governance and oversight of the work being done.
FST. Can you talk more about your focus on the virtual world?
AK. The online channel is a very cost-effective, quick way to reach customers and the company has certainly realized that, so a lot of strategic initiatives within the company are aimed at leveraging and using the online channel – or the virtual channel – to reach its customers.
We’ve certainly seen an increase in projects, initiatives and efforts that are inclusive of the online channel. A close relative of the online channel, mobile banking is also taking off with use of mobile bill payments and SMS messaging – we have a group dedicated to looking at ‘emerging’ tools and services so it’s definitely a priority from an organizational standpoint.
FST. How have you seen the sophistication of the attacks evolving?
AK. They continue to evolve – it’s something that fraudsters are working on 24/7. They are constantly looking for another way in, another way to circumvent the controls that are being put in place, so this isn’t just something that we’re going to put time and effort into and then be able to walk away from it for a little while.
It is a key fundamental part of the day-to-day operations for the online channel - the existence of an online security program that looks at new and emerging threats - they are ever changing on a daily basis. We have to determine how to adjust our existing controls or whether we need new controls in order to mitigate the risk. So, yes, it’s a very real-time, day-to-day operational area of focus because the risks are ever changing.
FST. Can you talk a little about the layers of security and the multi-factor authentication strategies you have in place?
AK. There’s definitely a strategy in place that looks at both retail as well as wholesale customers. Depending on the level of risk associated with the type of transaction that customers are initiating within the online channel, the appropriate level of authentication is applied. We use tokens in some areas, for example, depending on the level of risk. We also use challenge mechanisms and other layers of security behind-the-scenes primarily in the retail segment. It’s not a one-size-fits-all approach. Depending on the level of risk and depending on the customer, we have different tools in the toolbox that we’ll use.
FST. How have you overcome the challenge of balancing security with convenience for customers?
AK. I think that is the crux of it – how do you provide strong security without inconveniencing the customer? We’ve taken a more behind-the-scenes approach relative to enhanced authentication, so we’ve implemented many controls in the background that, although customers don’t see them, they are protected and ideally without much, if any, inconvenience. We will reach out to them when it’s necessary to do so. So far, customers have been responsive to that.
Another component of our program is usability studies. When we have another way to enhance our authentication, we’ll put it in front of customers and ask what they think or what it means to them. We then use that feedback to tweak and develop further, so that’s a big piece of it; we listen to our customers.
FST. What are your top concerns for 2008 from a risk perspective?
AK. I don’t know that it’s so much a concern as it is just an area of priority or focus – and that is our online security program where we need to continue moving fast in that space. Online threats and fraud are ever-evolving and there are risks that we can control and, to a certain degree, there are some risks that are outside of our control – consider malware, key loggers and the like that infect consumers’ PCs; it really boils down to having a strong online security program and a good partnership with our customers to fight effectively against fraud in the online channel.
We not only provide ‘automatic’ online security for products and services, we also provide our customers with additional tools that they can use to protect themselves – for example, services like email alerts when balances fall below a certain level. We also provide education and guidance on other steps they can take, such as running anti-virus software, not opening emails from unknown sources, etc.
About Alecia Kontzen
Alecia Kontzen is SVP and Operational Risk Director for Wachovia’s Marketing division based in Charlotte, N.C. She has operational risk governance, oversight and consulting responsibilities supporting the corporation’s Marketing organization, including the Internet and intranet service areas. Wachovia is the fourth-largest banking holding company in the United States based on assets.
Alecia has over 13 years of compliance and risk management experience in the financial services industry, with particular emphasis currently on operational risk identification, monitoring and reporting, business/risk self-assessment, business continuity, and e-commerce regulatory compliance. She is also a Certified Risk Professional and Certified Regulatory Compliance Manager.
Prior roles include serving as the eCommerce division’s Privacy Officer, and in a broader compliance and operational risk role, providing leadership for enterprise-wide channel risks, developing best practices, policies and guidelines to ensure consistency within the channel across multiple lines of business. Prior to joining the eCommerce Risk Management team in 2001, she served as a Corporate Compliance Officer with First Union, holding leadership and line of business support roles related to CRA/HMDA compliance, retail credit and merger due diligence and transition. Alecia joined First Union in 1996 from SouthTrust Bank where she was a Regional Compliance Officer for North Carolina.