Gaps in FFIEC Guidance

Critics Say Draft Guidelines Raise New Questions

By , February 24, 2011.

Expected updates to online authentication guidance issued by the Federal Financial Institutions Examination Council may raise more questions than answers, critics say.

According to a December 2010 draft of the new guidance, regulators will be asking financial institutions to improve online security internally as well as for their consumer and commercial customers.

"The regulators' awareness of some of the threats is positive, and what they are trying to do on the business banking side is good," says former Bank of America executive David Shroyer, now a partner at risk assessment provider Fraud Red Team. Shroyer says the updates give banks more insight about online threats for which they need to prepare. "But the new guidance is not explicit about antivirus updates and patches, and that's important," he adds. "Financial institutions live and die by this guidance."

Shroyer, who oversaw identity, security and fraud-prevention initiatives at BofA, says banks need definitive guidelines, "and the way some of this is currently worded, it's not clear."

Shroyer reviewed a copy of the drafted guidance after it reportedly appeared on one of the FFIEC agencies' websites, and he says the draft does not delve into a number of concerning areas, including authentication for mobile and call-center banking, which both have proven susceptible to vishing scams.

The draft, which Information Security Media Group also reviewed, was reportedly distributed in December to the FFIEC's five member agencies -- the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision -- for review and comment.

It's important to note that the final guidance may include revisions, based on input from the agencies. Meanwhile, the current draft's highlights include:

Banks More Accountable

One overarching theme evident in the draft's language is that more security burdens can be expected for banks and credit unions. In fact, it is likely that banking institutions, going forward, will be held more accountable if and when online security is breached.

The drafted guidance explicitly mentions vulnerabilities to small and medium business accounts, since fraudsters have figured out how to compromise those accounts for high returns in ACH and wire fraud. As part of banks' responsibility to educate commercial customers about fraud risks and security, the draft suggests financial institutions clearly explain protections that are and are not provided under Regulation E.

The draft also suggests institutions encourage their "commercial online banking customers (to) perform a related risk assessment and controls evaluation." Banks also are encouraged to provide commercial customers with suggestions for alternative risk-control mechanisms that could help reduce commercial-account risks.

Follow Tracy Kitten on Twitter: @FraudBlogger
