FFIEC: Where is Authentication Guidance? Banking Industry Anticipates, Prepares for Compliance
It has been more than three months - one quarter of a year - since federal banking regulators inadvertently disclosed their draft update to the 2005 authentication guidance.

Since that time, there have been two high-profile data breaches - the RSA SecurID hack and the Epsilon e-mail breach - both of which pushed the topic of authentication squarely into the public spotlight. Meanwhile, banking institutions, industry associations and vendors alike have dissected the draft guidance and begun planning for how best to comply.

So, when will the Federal Financial Institutions Examination Council finally release this long-awaited update, which one observer calls the "worst-kept secret" in banking? Regulators won't say, leaving industry experts to speculate about when exactly this new guidance will be issued.

"I think it's impossible to make any guess," says Gartner Analyst Avivah Litan. "I don't think we're any less safe; we just need to step up enforcements."

What the Draft Says

Speculation about the FFIEC update began roughly a year ago in response to increased incidents of fraud, including the wave of ACH fraud impacting banking institutions and their corporate customers. It was clear to regulators that threats to online banking had evolved since 2005, and so they began meeting with industry experts and discussing how to update their guidance and address these new threats.

In mid-December, the FFIEC circulated among its member agencies a 10-page draft update entitled "Interagency Supplement to Authentication in an Internet Banking Environment." On Dec. 30, this draft guidance was inadvertently disclosed.

According to the National Credit Union Administration, one of the FFIEC members, regulators intended to issue this guidance on Dec. 31. "There was, however, a delay with the approval processes at one FFIEC agency," according to an NCUA statement. "NCUA did not receive notification in time to prevent the public release of the document."

The FFIEC draft was mistakenly posted on the NCUA website for a handful of days over the New Year's holiday. During that time, the agency says, the draft was downloaded more than 1,100 times, and it subsequently spread virally throughout the banking industry.

The five key recommendations emphasized in this draft:

  • Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
  • Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
  • Layered security controls to detect and effectively respond to suspicious or anomalous activity;
  • More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
  • Heightened customer education initiatives, particularly for commercial accounts.

Aside from the NCUA statement about the accidental disclosure, no FFIEC member agency has spoken on the record about the draft guidance or about what delayed the approval process.

Industry Impact

But even in the absence of formal new guidance, the banking industry has responded quickly to the elements of the FFIEC's draft.

Tom Hinkel, director of compliance for security vendor Safe Systems says the draft guidance is the banking industry's "worst kept secret." He says many banking institutions already have adjusted their online authentication practices to comply with what they believe the forthcoming guidance will demand. These institutions assume the guidance will come soon, and non-compliance is not an option. Now is the time for them to begin tailoring plans and budgets.

Banking and security vendors also have begun to customize their offerings to speak specifically to elements of the draft. BankInfoSecurity is currently hosting an authentication webinar sponsored by PhoneFactor, which references the pending guidance. Similarly, Entrust is sponsoring a mobile banking session that in part speaks to "how mobile devices can strengthen mobile and online security and address pending FFIEC regulatory guidance."

Industry associations are also taking action. NACHA - The Electronic Payments Association is drafting a new ACH Security Framework that addresses topics discussed in the draft guidance. Meanwhile, the American Bankers Association just hosted its Risk Management Forum in Denver, and one of the agenda items was described as "Authenticating Customers Against New Threats - Discuss the new authentication guidelines put in place by FFIEC to protect financial institutions from fraud."

When Will Guidance be Issued?

So, if the banking industry has already responded to the draft guidance, when might the formal, final release emerge?

A common belief among industry insiders is that the draft's inadvertent disclosure delayed the guidance indefinitely, as it opened the FFIEC members to an unexpected round of feedback from banks, associations and vendors. "It will be a matter of months before the new FFIEC guidance is released, not weeks," one insider said off the record.

Ori Eisen, founder and chairman of security vendor 41st Parameter, also does not see the new guidance being issued anytime soon. "They won't put out anything now," he says. "It will probably be the fall, based on when banks align their budgets for the new year."

And while the draft update does offer more specificity about device authentication, Eisen points out that the same security tenets are just restated from what already exists in the 2005 guidance. Which raises the question of whether the update, as currently constituted, is necessary.

"I don't know that we really need it," says Gartner analyst Litan. "The current guidance is broad enough. It's not like we don't have guidance, it's just not being enforced."

Hinkel of Safe Systems agrees that many of today's threats were addressed by the original 2005 guidance, including the layered security approach. "So why do we need new guidance?" Hinkel asks. "Now banks realize they do need to move to layered controls, which has been the FFIEC's position the whole time. Is it the FFIEC's fault that banks chose to ignore the need for layered security?"

Still, David Shroyer, a former executive at Bank of America who co-founded risk assessor Fraud Red Team, says banking institutions are trying to anticipate new regulatory demands, based on the FFIEC draft, and they still could use some further guidance on "high-risk" transactions - such as those that have led to corporate account takeover, a topic of significant discussion in the FFIEC draft.

"I think that we have to keep in mind that they're right when they say that the money movement is around the high-risk transactions," Shroyer says, "but what might also be an opportunity is to look at the additional points of vulnerability, and these are the ones that always seem to precede the fraud" - specifically, the points of customer compromise.

Banking institutions continue to search for ways to define "high risk" and how to address it, Shroyer says, and this is one area where they could use additional guidance. "The one thing I'd like to see more of is the language requiring a risk review of controls and processes after breaches."


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network