FFIEC Guidance: Legal View
Authentication Draft Could Favor Customers in Court
David Navetta, co-chairman of the American Bar Association's Information Security Committee, reviewed the December 2010 draft guidance and shares his insight about regulators' expectations.
"As a general matter, it's interesting to see regulators putting the onus on the financial companies for fraud that occurs after the theft has already happened," Navetta says, referencing the draft's discussion of fraud against corporate customers. "Something has been breached elsewhere, like the consumer or the retailer had a system breached, but the bank is responsible for the security. It seems a little weird to me, and it will put a lot of responsibility on financial institutions."
'Leaps and Bounds' Ahead
Although the FFIEC's draft guidance has not been formally released, copies of a December 2010 draft have been circulating throughout the industry. In short, the current draft of the FFIEC's "Interagency Supplement to Authentication in an Internet Banking Environment" calls for:
- More risk assessments for banks to better understand and respond to emerging threats, such as man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
- Increased multifactor authentication;
- Layered security controls;
- Improved device identification and protection;
- Improved customer and employee fraud awareness.
George Tubin, a senior research director at TowerGroup who focuses on financial security, says the draft is "leaps and bounds" ahead of the FFIEC's original 2005 authentication guidance, especially where risk assessment is concerned. "The financial institutions should have been out there doing these risk assessments for five years anyway, so they should have a pretty good handle on how to conduct risk assessments at this point."
Putting the security onus back on banks is a good thing, too, Tubin says. "The vast majority of businesses have no idea about where the liability falls," he says. "This whole notion that the relationship between a bank and the business is a relationship of equals, in today's environment, is no longer true. And the guidance in this draft gets that."
Navetta says he's anxious, once the final guidance is released, to see how the guidelines influence future legal disputes over fraud liability. "At one point, these drafted guidelines also say one-dimensional authentication is not enough," he says. "To me, that says you should assume that your authentication is going to fail; that even multifactor can be overcome and is, by itself, not enough."
Since most banks rely heavily, if not solely, on multifactor authentication as assurance that they are adequately protecting online transactions, how the courts will view the regulators' suggestion that multifactor authentication is not enough remains to be seen.
The Weight of Guidance
Guidance, by its nature, is meant to set a baseline for best practices. In the drafted guidance, as well as the original, words like "should" and "recommend" seemingly leave wiggle room for interpretation.
But Navetta says the wording does carry weight; and in a court of law any guidance issued by regulators raises questions of fact. "Having words like 'should' instead of 'will' makes the guidance broad," Navetta says. "But the reality is that these guidance documents are used by plaintiffs and litigants when determining what the standards of care should be. It does carry a lot of weight, and in that context it may help a plaintiff move a case pretty far along."
But until banking institutions focus less on complying with the letter of the guidelines and more on ensuring true transactional security, confusion surrounding regulatory guidance will remain an issue. "It's another instance of the banks just not self-regulating," Tubin says. "And many of the smaller banks are not aware of the threats, either, so it really is up to the regulators to put more out there."
None of the banking regulators has responded to requests to discuss the draft guidance. But it is likely that some or all of the items addressed in the Dec. 2010 draft will be amended before the final release of the supplement.