FDIC Defends Banking Authentication Guidance
Guidelines Focus on Online Authentication Specifically, Not Mobile
One of the primary authors of the updated FFIEC Authentication Guidance says critics are too hung up on mobile banking and other elements they deem missing from the new directives. [See FFIEC Draft Guidance: Where's Mobile? and Experts: FFIEC Guidance Falls Short.]
In fact, placing so much emphasis on what's "missing" from the guidance detracts from regulators' intent: to provide financial institutions with a guideline for securing online transactions, says Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corp. "The agencies are of the opinion that this guidance and the original guidance apply to mobile," he says. "We thought that was a given."
The supplement is not for mobile, Kopchik adds. "It's not focused on the access device. The point of the supplement is to address online authentication specifically."
Issued June 28, the formal supplement to the October 2005 "Authentication in an Internet Banking Environment" guidance has been one of the financial industry's most anticipated documents.
Kopchik is quick to address criticisms that the update does not do enough to address emerging and future online attacks. "I think the agencies are of the opinion that if you follow what's in the guidance, these are good common-sense controls that will work on the threats we are seeing. There's no way that we could address all the future threats, and there's no way to know what all the threats in the future will be."
Regulators: 'A Tough Job'
The FFIEC is made up of five member agencies - the FDIC, the Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision.
Getting all of those agencies to work together and agree on standards that may be applied to all banking institutions is no easy feat. Too many specifications and details would only have bogged down the authentication guidance, and perhaps delayed its issuance even further, says George Tubin, a senior research director for TowerGroup.
"You have five different regulatory agencies, and they all monitor institutions," Tubin says. "Getting something out that goes across all banks in different industries, you have to have some level of compromise. That's No. 1. And No. 2, when you start to think about how broad this supplement is, it has to be restricted to online banking. ... Right now, securing the online channel is the most important area to address. I know the regulators are looking at mobile, and we'll see some guidance for mobile in the future. It's just not appropriate here."
Part of the problem is the sheer volume of institutions regulators are trying to manage, Tubin says. Some banking institutions are further along in the compliance chain than others. "There are some banks that are already doing this; some banks that don't have a clue; and others that just have not moved forward," he says. "So this has to cover a broad range of institutions, and that's challenging."
Distinguished Gartner analyst Avivah Litan, who has been critical of some of the guidance's omissions, such as the lack of specifications for adequate commercial customer education, does agree that too much specificity creates challenges.
"Layered security is a must, and the guidance does a good job of emphasizing that," Litan says. "The regulators have a tough job, but it's the job of the regulators to protect the safety and soundness of our financial system."
Kopchik says regulators did not want to dictate how institutions should work with their customers on educational efforts, but thought it necessary to point out that education is a key part of a layered approach. "I think it's clear at the end of the guidance that all customers should be aware of the risks involved with online banking and what those customers should do to ensure that online banking is as secure as it can be," he says. "They both play a role; there are things banks and customers can do. ... We just want to encourage banks to educate their customers about what they can do to make sure they're secure."
Bank: 'Practical and Reasonable Approach'
Michael J. Wyffels, chief technology officer of Moline, Ill.-based QCR Holdings Inc., says the formal guidance highlights what he hoped it would: steps for layered security. [See FFIEC Guidance: Compliance Begins.]
"By reinforcing the previous guidance and providing very matter-of-fact descriptions of new threats, they've outlined a series of business processes and security layers available to financial institutions," he says. "I believe they've taken a practical and reasonable approach to the revisions."
QCR is a $1.7 billion multibank holding company that operates three banks -- Quad City Bank and Trust Company and Cedar Rapids Bank and Trust Company in Iowa, as well as Rockford Bank and Trust Company in Illinois.
But for institutional organizations the size of QCR, the move toward compliance has been an ongoing one. At the smaller institution level, the story is much different, Litan says. "I would say 80 percent of the institutions out there don't have multiple layers. This document is going to make a lot of waves in the smaller bank community, because they have weak security."
Litan says she would have liked to have seen regulators offer those smaller institutions more details in the guidance about how core processors and vendors should work to ensure banks stay compliant. "There is nothing in the guidance that specifically addresses the needs and requirements of small banks, which constitute over 80 percent of the U.S. bank population in terms of number of institutions, that rely on third-party service providers for online banking and online banking security. Where's the guidance for them?"
Kopchik says a focus on layered security should address those concerns, whether the institution is a top-tier bank or a community bank.
"When you ask about why there is little guidance for smaller institutions that rely on vendors, I think that if you read the guidance very carefully, it talks about supervisory expectations. And those expectations are applicable to the largest banks and the smallest banks that work with service providers," he says. "It's a layered security approach, and that layered security approach must have at least two layers. That would have addressed a lot of the fraud that we've seen over the past year, and this is noted on Page 5," which references the role transactional-anomaly detection would have played in detecting most of the recent incidents of corporate account takeover. [See Court Favors EMI in Fraud Suit.]
Kopchik's Top 3 Tips
With assessments beginning in January 2012, financial institutions don't have a great deal of time to satisfy the elements of the new guidance.
Among the areas the supplement highlights the need for:
- Better risk assessments;
- Effective strategies for mitigating known online risks;
- Improved customer and employee fraud awareness. [See FFIEC Guidance: Focus on Awareness.]
Kopchik says banking institutions should focus immediately on:
- Identifying compliance gaps. "I think the next step, whether they do this on their own or work with a service provider, is to do an assessment and compare it with the controls they have in place. They need to see where they fall short, relative to the guidance," he says. "This supplement raises the bar from 2005. They have to put together a plan for the controls that will meet the supervisory [detail] that's in the guidance. Many rely on their service providers. We have heard from a lot of bankers that they have been working on this for a while, and my sense is, anecdotally, that a lot of banks are already on their way to compliance."
- Layered security. "Institutions need to ensure they have layers that go beyond multifactor authentication," he says. The formal supplement places less emphasis on multifactor authentication for retail customers and members than the draft version that circulated in December did. [See NCUA Disclosed FFIEC Draft.]
"There are a couple of reasons for that," Kopchik says. "We came to the conclusion that while multifactor authentication is a valuable and strong control, recent events have indicated that multifactor authentication is not the Holy Grail. We thought more of the key is layered security. The fraudsters are so good these days; the attacks are so sophisticated; you don't want to rely on just one control. If any one control is compromised, then you have other controls that will pick up the fraud." [See RSA Breach Impact on Customers.]
- A plan for regular risk assessments. "If you go back to the original guidance, it says that institutions need to do regular assessments," he says. "But the regulators saw that banks were not doing that. And examiners started telling us that those controls had not been upgraded. We felt that was the reason we needed to put out this supplement; and we say in the supplement, upfront, that we expect regular risk assessments."