Experts: FFIEC Guidance Falls Short

New Authentication Directives Don't Address Emerging Risks

June 29, 2011.

Six months after a draft update of the Federal Financial Institutions Examination Council's online authentication guidance was accidentally disclosed, the formal update is finally here. [See NCUA Disclosed FFIEC Draft.] And industry experts are disappointed with what they see. [See FFIEC Authentication Guidance: First Analysis.]

Specifically, critics point to the absence of any mention of mobile banking, to unaddressed implications for call centers, to a lack of attention to future threats, and to the scarcity of specifics about how institutions should protect their online customers. [See FFIEC Draft Guidance: Where's Mobile?.]

"Banks still relying on the basic challenge questions [out-of-the-box for products like RSA's Adaptive Authentication] need to have a plan in place to replace these with stronger authenticators," says risk assessor David Shroyer, a former executive at Bank of America.

"This has big implications in the call centers as well," says Shroyer, who recently co-founded Fraud Red Team, which provides risk assessments on identity, authentication and fraud for financial institutions. "Unfortunately, the guidance doesn't say this."

Issued June 28, the formal supplement to the October 2005 "Authentication in an Internet Banking Environment" guidance has been one of the financial industry's most anticipated documents. Shroyer says bankers "live and die" by the guidance. "They look to guidance to determine what technology investments they will make," he says. "The guidance now calls for MFA [multifactor authentication] for commercial customers. This is very good, but is a day late and a dollar short. Banks need to see the bigger picture of the guidance. MFA alone for commercial customers isn't enough. It must also include the other components of layered security, which is implied in the guidance, but not explicit."

The final supplement highlights the need for:

  • Better risk assessments;
  • Effective strategies for mitigating known online risks;
  • Improved customer and employee fraud awareness. [See FFIEC Guidance: Focus on Awareness.]

'Wording is Wishy-Washy'

Compared with the December draft, only a few things have changed. First, less emphasis is placed on the need for multifactor authentication for retail or consumer account transactions. Regulators also toned down the requirements for enhanced user authentication techniques, a change with which distinguished Gartner analyst Avivah Litan takes issue.

"Its wording is too wishy-washy, when it comes to delineating bank responsibility from customer responsibility," she says. "It uses words like 'could have prevented' or 'suggestion' too often. The regulators should be more matter-of-fact in setting out the guidelines and principles. For example, they should tell banks that they need to detect and stop money transfers that are clearly out-of-the-ordinary, when compared with the customer's established pattern of behavior."
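Litan's suggestion above, that a bank should detect and stop transfers clearly out of line with a customer's established pattern, is exactly the kind of specific the guidance leaves to each institution. The following Python is an added illustration written for this page; it is not code from the article, the FFIEC, or any vendor named here. It derives a per-customer baseline from a constructed transfer history and maps each new transfer to an action: allow, step-up (out-of-band verification), or hold. The customer and beneficiary labels, the history, and every threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    customer: str
    beneficiary: str  # destination account label; constructed, not a real account
    amount: float
    when: datetime


# Constructed 90-day history for a hypothetical commercial customer "acme":
# twice-monthly payments to two known payees, submitted during business hours.
HISTORY = [
    Transfer("acme", "payee-A", 4800.0, datetime(2011, 4, 1, 9, 0)),
    Transfer("acme", "payee-B", 1200.0, datetime(2011, 4, 1, 9, 5)),
    Transfer("acme", "payee-A", 5100.0, datetime(2011, 4, 15, 9, 0)),
    Transfer("acme", "payee-B", 1150.0, datetime(2011, 4, 15, 9, 10)),
    Transfer("acme", "payee-A", 4950.0, datetime(2011, 5, 2, 10, 0)),
    Transfer("acme", "payee-B", 1300.0, datetime(2011, 5, 2, 10, 2)),
    Transfer("acme", "payee-A", 5000.0, datetime(2011, 5, 16, 9, 30)),
    Transfer("acme", "payee-B", 1250.0, datetime(2011, 5, 16, 9, 40)),
]


class Baseline:
    """Per-customer profile derived from prior transfers."""

    def __init__(self, history):
        self.payees = {t.beneficiary for t in history}
        self.max_amount = max(t.amount for t in history)
        self.hours = {t.when.hour for t in history}


def score_transfer(t, baseline, recent, *, amount_factor=2.0,
                   burst_window=timedelta(hours=1), burst_limit=2):
    """Return the reasons `t` departs from the baseline (empty list = in pattern).

    `recent` holds transfers already submitted in the current session, for a
    velocity check. Thresholds are illustrative assumptions, not FFIEC values.
    """
    reasons = []
    if t.beneficiary not in baseline.payees:
        reasons.append("new beneficiary")
    if t.amount > amount_factor * baseline.max_amount:
        reasons.append(f"amount {t.amount:.2f} exceeds {amount_factor:g}x "
                       f"historical max {baseline.max_amount:.2f}")
    if t.when.hour not in baseline.hours:  # crude; a real profile uses a business-hours window
        reasons.append("outside usual submission hours")
    burst = [r for r in recent if timedelta(0) <= t.when - r.when <= burst_window]
    if len(burst) + 1 > burst_limit:
        reasons.append(f"{len(burst) + 1} transfers within {burst_window}")
    return reasons


def decide(t, baseline, recent):
    """Map reasons to an action: allow, step-up (out-of-band verification), or hold."""
    reasons = score_transfer(t, baseline, recent)
    if not reasons:
        return "allow", reasons
    if "new beneficiary" in reasons and len(reasons) >= 2:
        return "hold", reasons  # unknown payee plus another anomaly: stop and call back
    return "step-up", reasons


# Constructed candidate transfers to run against the baseline.
ROUTINE = Transfer("acme", "payee-A", 5050.0, datetime(2011, 6, 1, 9, 15))
NEW_PAYEE = Transfer("acme", "payee-C", 2000.0, datetime(2011, 6, 1, 10, 0))
TAKEOVER = Transfer("acme", "mule-Z", 18500.0, datetime(2011, 6, 3, 2, 30))
BURST_RECENT = [
    Transfer("acme", "payee-A", 4900.0, datetime(2011, 6, 1, 9, 0)),
    Transfer("acme", "payee-B", 1200.0, datetime(2011, 6, 1, 9, 20)),
]
BURST_THIRD = Transfer("acme", "payee-A", 5000.0, datetime(2011, 6, 1, 9, 40))


def demo():
    """Run the candidates against the baseline; returns {name: action}."""
    b = Baseline(HISTORY)
    return {
        "routine": decide(ROUTINE, b, [])[0],
        "new_payee": decide(NEW_PAYEE, b, [])[0],
        "takeover": decide(TAKEOVER, b, [])[0],
        "burst": decide(BURST_THIRD, b, BURST_RECENT)[0],
    }


if __name__ == "__main__":
    b = Baseline(HISTORY)
    for name, t, recent in [("routine", ROUTINE, []), ("new_payee", NEW_PAYEE, []),
                            ("takeover", TAKEOVER, []), ("burst", BURST_THIRD, BURST_RECENT)]:
        action, reasons = decide(t, b, recent)
        print(f"{name}: {action} {reasons}")
```

The point of the layering is that no single signal decides: a new payee at a normal amount during business hours only triggers step-up verification, while a new payee combined with an amount far above the customer's history and an off-hours submission is held outright. Velocity (several transfers in a short window) is checked against the current session rather than the long-term history, since that is where a compromised session shows up first.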

Like Shroyer, Litan finds the new guidance short-sighted about threats from emerging channels. "So, the FFIEC guidance does a good job of addressing today's and yesterday's threats and suggested techniques, but it is not sufficiently forward-looking," she says. "It spends a good amount of time and space on out-of-band authentication and transaction verification techniques, as it should, but does not sufficiently discuss what that should look like in the coming age of mobile banking from smart-phones or tablets."

Litan says the guidance should offer more suggestions for how banks should and can address emerging threats. "Two years from now, the guidance will be sorely out of date," she says.

As incidents of ACH and wire fraud tied to weak online authentication have increased, financial institutions have looked to regulators to define what counts as "reasonable" online security, and what protections they must provide, for commercial banking customers.

Follow Tracy Kitten on Twitter: @FraudBlogger