First Look: New FFIEC Guidelines

Risk Assessments, Multifactor Authentication Are Areas of Improvement

By Tracy Kitten, February 22, 2011.



A preliminary draft of the new online authentication guidance from the Federal Financial Institutions Examination Council puts greater responsibility on the shoulders of financial institutions to enhance their security and prevent fraud.

The FFIEC has yet to formally unveil its long-awaited update to 2005's authentication guidance, but a December 2010 draft document entitled "Interagency Supplement to Authentication in an Internet Banking Environment" was reportedly distributed to the FFIEC's member agencies -- the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision -- for review and comment. Copies of this draft have circulated recently within the banking and security communities, and two were sent separately and anonymously to Information Security Media Group.

While it's likely that this draft will be amended before the final release of the new FFIEC guidance, the current document calls for five key areas of improvement:

  • Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
  • Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
  • Layered security controls to detect and effectively respond to suspicious or anomalous activity;
  • More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
  • Heightened customer education initiatives, particularly for commercial accounts.

Building on 2005

The proposed updates remain closely aligned with recommendations made in the existing 2005 guidance.

"The Supplement reiterates and reinforces the expectations described in the 2005 Guidance that financial institutions should perform periodic risk assessments and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks, including consideration of new and evolving threats to customers' online accounts," the draft reads. It identifies certain controls that should no longer be considered effective, specifies minimum control expectations for certain online activities, and sets forth two minimum components of an effective layered security program. It also identifies specific minimum elements that should be part of an institution's customer awareness and education program.

In issuing the supplement, the regulatory agencies acknowledge both the evolution of online threats and institutions' failure to abide by all aspects of the 2005 guidance, including periodic risk assessments and updates to control mechanisms.

The five areas singled out in the supplement under specific supervisory expectations include:

1. Risk Assessments

Risk assessments are addressed first in the draft, which levels some criticism at banking institutions for not being diligent about conducting regular assessments.

"Examiners have noted that some institutions that were initially responsive in conforming with the 2005 Guidance have not updated their risk assessments and consequently not upgraded their authentication or other control techniques in response to relevant changes in the threat environment," the draft states.

Follow Tracy Kitten on Twitter: @FraudBlogger
