FFIEC: Where is Authentication Guidance?

Banking Industry Anticipates, Prepares for Compliance

By , April 15, 2011.

It has been more than three months - one quarter of a year - since federal banking regulators inadvertently disclosed their draft update to the 2005 authentication guidance.

Since that time, there have been two high-profile data breaches - the RSA SecurID hack and the Epsilon e-mail breach - both of which pushed the topic of authentication squarely into the public spotlight. Meanwhile, banking institutions, industry associations and vendors alike have dissected the draft guidance and begun planning for how best to comply.

So, when will the Federal Financial Institutions Examination Council finally release this long-awaited update, which one observer calls the "worst-kept secret" in banking? Regulators won't say, leaving industry experts to speculate about when exactly this new guidance will be issued.

"I think it's impossible to make any guess," says Gartner Analyst Avivah Litan. "I don't think we're any less safe; we just need to step up enforcements."

What the Draft Says

Speculation about the FFIEC update began roughly a year ago in response to increased incidents of fraud, including the wave of ACH fraud impacting banking institutions and their corporate customers. It was clear to regulators that threats to online banking had evolved since 2005, and so they began meeting with industry experts and discussing how to update their guidance and address these new threats.

In mid-December, the FFIEC circulated among its member agencies a 10-page draft update entitled "Interagency Supplement to Authentication in an Internet Banking Environment." On Dec. 30, this draft guidance was inadvertently disclosed.

According to the National Credit Union Administration, one of the FFIEC members, regulators intended to issue this guidance on Dec. 31. "There was, however, a delay with the approval processes at one FFIEC agency," according to an NCUA statement. "NCUA did not receive notification in time to prevent the public release of the document."

The FFIEC draft was mistakenly posted on the NCUA website for a handful of days over the New Year's holiday. During that time, the agency says, the draft was downloaded more than 1,100 times, and it subsequently spread virally throughout the banking industry.

The five key recommendations emphasized in this draft:

  • Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
  • Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
  • Layered security controls to detect and effectively respond to suspicious or anomalous activity;
  • More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
  • Heightened customer education initiatives, particularly for commercial accounts.

Aside from the NCUA statement about the accidental disclosure, no FFIEC member agency has spoken on the record about the draft guidance or about what delayed the approval process.

Industry Impact

But even in the absence of formal new guidance, the banking industry has responded quickly to the elements of the FFIEC's draft.

Tom Hinkel, director of compliance for security vendor Safe Systems, says the draft guidance is the banking industry's "worst-kept secret." He says many banking institutions already have adjusted their online authentication practices to comply with what they believe the forthcoming guidance will demand. These institutions assume the guidance will come soon, and non-compliance is not an option. Now is the time for them to begin tailoring plans and budgets.

Follow Tracy Kitten on Twitter: @FraudBlogger
