FFIEC Guidance: Examination Update
Regulator Says Fraud Threats Motivate Institutions to Conform
Roughly 60 percent of examined institutions are showing conformance to the FFIEC Authentication Guidance. And in doing so, they are motivated more by recent fraud trends - not the guidance itself - to deploy new, layered security controls.
This is the observation made by a representative of the first U.S. banking regulatory agency to comment publicly on how well institutions conform to the 2011 guidance designed to strengthen the security of online banking.
"There's less education needed to convince [institutions] that the threats are real," says Patrick Truett, who oversees development and support of the National Credit Union Administration's IT examination program within the Office of Examination and Insurance. "When we can point to some of the [fraud] incidents that have occurred and then point them to controls that would have prevented them, it's a really easy sell to get them to adopt new security measures."
Truett, who has spent more than a decade with the NCUA, provided input for the development of the FFIEC guidance, and he has helped train the agency's examiners to gauge institutions' conformance to the guidance, which calls for regular risk assessments, layered security controls for online transactions and enhanced customer awareness programs.
In an exclusive interview, Truett also says examiners are being flexible with institutions that show good-faith efforts to conform to the guidance.
"It is guidance, so it's not a hard regulation, which means there's flexibility within the framework to establish those control sets that match with the services and functionalities that the [institution] is offering," Truett says. "We give flexibility within the guidance, as long as the credit unions have a reasonable control set to mitigate the risks of the particular services they offer."
Since January, examiners from each of the FFIEC's member agencies have been working with banking institutions of all sizes to gauge conformance to the guidance. But Truett is the first agency representative to speak on the record about trends examiners are discovering. In this interview, Truett discusses:
- The current state of conformance to the guidance;
- How the agency approaches examinations;
- Answers to common questions about mobile banking.
Truett is an information systems officer within the NCUA's Office of Examination and Insurance. His office is responsible for developing and supporting the NCUA's IT examination program, which includes maintaining examination questionnaires and training examiners. Prior to assuming his role in the NCUA's central office, Truett spent 10 years in the agency's Region 3, covering the southeastern U.S., Puerto Rico and the U.S. Virgin Islands.
TRACY KITTEN: Patrick, looking back to 2005, ongoing risk assessments were an area where institutions seemed to be failing. Based on what you're seeing today, how far have most institutions come?
PATRICK TRUETT: Well, I think if you look at the increasing level of electronic banking fraud in the years that have followed the 2005 guidance, the credit unions have really had a market-driven incentive to make investments to minimize that fraud. And I think that if we consider this as the second major initiative for FFIEC authentication, the credit unions are tending to be quite a bit more proactive. There's less education needed to convince them that the threats are real. The chance today that a credit union has experienced some type of online fraud is higher. And my experience is, in going out in the field, that credit unions have been very receptive to anything we have to offer that can help them reduce their chances of having fraud incidents.
The Examination Process
KITTEN: How does the process work, from beginning to end for each institution?
TRUETT: NCUA examiners send a need list prior to each examination, and recommended items to request include a listing of all e-banking services deployed/planned, interview(s) with key e-banking staff, risk assessments for all e-banking services, action plan(s) to address any identified deficiencies, printouts of e-banking security settings, and e-banking fraud monitoring reports and related policies/procedures.
Examiners will look for a "good faith" effort to comply, for example risk assessment(s) should have been completed by 12/31/2011, and active projects to address any noncompliant areas should be evident. If progress appears inadequate, examiners will document agreement for corrective action in the Examiner's Findings or Document of Resolution sections of the report.
KITTEN: So, how well are most of those credit unions conforming to the updated FFIEC guidelines?
TRUETT: They're working toward it. Maybe it's 60 percent or a little higher that are meeting our criteria. ... When we can point to some of the incidents that have occurred and then point them to controls that would have prevented them, it's a really easy sell to get them to adopt new security measures.
We get feedback and questions pretty much in real-time from our regional information systems officers (they're called RISOs) as they're doing exams. They'll bring up issues and they'll send them in. They may only be there that week and they may only have a day or two, at best, to get an answer and make a recommendation or issue findings.
What About Mobile?
TRUETT: We recently had an examiner at a large multibillion-dollar credit union, one of our top 10 or 15, and the question came up about mobile banking, and whether they needed any enhanced authentication. It didn't really appear that they needed challenge questions ... but in this particular instance, we determined that there's really not a definitive answer. We don't really have a definitive analysis of mobile banking to say, "Enhanced authentication is mandatory."
So the question was: "Why does the mobile banking platform not have challenge questions, and why is it not using device identification?" Our examiner wanted to know: "Is that OK?"
The answer we arrived at was: "It depends."
If you look back to the Authentication Guidance for 2005, there are certain tenets that haven't changed, and that would be the trigger for enhanced authentication beyond the username and password in what are defined as high-risk transactions or access to confidential member information. In looking at this institution's mobile application, I can see that the application, once you log in, is fairly limited in what the member can do with regard to transfers. The functionality is limited, and the ability to see any member information is minimal. In fact, it's pretty much not there. It's blind data. So, in other words, there's no account number, there's no name. You can see transactions and things like that, but you don't really have any way of knowing who the person is.
If you look at the privacy regulation, blind data is not considered NPI (non-public information). But, if check images are available, then it's possible that we would consider that NPI, especially if it has the member's name, address and other typical information that you would see on a check. If that NPI is visible in the mobile banking application, then device identification and challenge questions could be deemed necessary. If they did not have online check images visible, based on what I saw from that system, they would have been compliant without the need for challenge questions and device identification.
The control really is: Is the mobile banking application offering high-risk transactions, and is NPI something that can be masked or not revealed by the system? And when we review phone [call center] banking, we consider the same things.
Any new and unproven e-banking service creates potential risk. Mobile is an area we are watching closely since the growth rate is so high at 56%, offered by 16% of CUs as of 12/31/2011.
With any new E-banking service, the FFIEC risk management approach helps to establish a framework CUs can apply for safe adoption. Key considerations prior to implementing new e-banking services include:
- Is the service cost beneficial and aligned with the strategic plan?
- Did the CU perform a risk assessment?
- Are the transaction limits appropriate?
- What are the monitoring requirements vs. capabilities?
- Does the service have compliant authentication?
An approach we have seen for mobile is to restrict the functionality and/or information disclosure. For example, not allowing the addition of new bill payment payees via the mobile channel, and limiting funds transfers only to and from accounts owned by the member. Mobile sites or applications can also be formatted not to disclose account or customer information, which can reduce the need for enhanced authentication to comply with FFIEC guidance.
KITTEN: From a legal perspective, attorneys constantly remind institutions that guidance is not law, but from a conformance perspective, shouldn't this guidance be viewed as such?
TRUETT: Yes, NCUA considers compliance with the supplemental guidance to be mandatory. Please note that January 1, 2012 was not a compliance date or due date; rather it's the date when examiners began to assess credit unions under the Supplement's enhanced expectations.
It is guidance, so it's not a hard regulation, which means there's flexibility within the framework to establish those control sets that match with the services and functionalities that the credit union is offering. I think from the perspective of the FFIEC, we have to avoid being too prescriptive, because technology is always changing. So, we may feel like we have an understanding of what some of the most effective controls are today, but as threats change and functionality changes, we have to also try to establish some sort of a risk management framework that credit unions can apply to a new technology.
If we get a question about mobile, I've provided a framework that an examiner could use to help that credit union understand how the guidance applies to mobile. It's just a framework, however - a recommendation.
KITTEN: What about enforcement of the guidance?
TRUETT: We give flexibility within the guidance, as long as the credit unions have a reasonable control set to mitigate the risks of the particular services they offer. But we have noticed that the FFIEC Authentication Guidance does tend to carry weight in a court of law so, in that regard, we want to make sure they're making what I would call a "good faith" effort to comply with the guidance. As we saw in the case of Experi-Metal versus Comerica, good faith makes a difference. It's a good case study, and one we bring up when we talk with credit unions about fraud.
We're specifically mentioning that case in our training for examiners, using it as an example of how you could almost be asleep at the wheel with regard to monitoring. We don't want credit unions to get calls from members who are missing tens of thousands of dollars, saying that they didn't draw on their home equity line of credit or things like that. We want the credit union to notice, and hopefully prevent that before it occurs. If they're just not doing any sort of monitoring at all, we feel that could be an issue. And if they're involved in commercial-account activity, where they're allowing large-dollar transactions or processing large-dollar transactions, the monitoring aspect becomes even more critical, as described in that EMI versus Comerica case.
KITTEN: Do you see credit unions focused more on growing their commercial-account lines of business?
TRUETT: I do believe credit unions generally are seeking to grow their commercial-account activity. And while that's been more evident in commercial lending, we also do see small-business type accounts in credit unions. And the systems used for monitoring consumer deposit accounts are not really set up to support the controls you'd expect to see on a true commercial deposit account, where you're seeing large-dollar ACH and wire transfer activity. There are specialized core-system modules for those commercial accounts, and it would be a red flag to us to see a credit union using the same monitoring and controls for consumer accounts that it uses for commercial accounts. With a consumer-deposit platform, most likely you only have one user ID and a really limited ability to have a second level of review or control of a transaction before it's processed.
What we recommend on the commercial side is something like FedLine Advantage. That's a system that has multiple-user IDs for the purpose of supporting things like segregation of duties and dual controls prior to executing large-dollar transactions. And so it's really that type of functionality we're looking for in those commercial-deposit-account platforms.
The Right Controls
KITTEN: You note that many credit unions ask what areas they should be focused on before their exams, to ensure they are implementing new controls and technologies in a safe manner. What do you tell them?
TRUETT: Rather than necessarily trying to chase every new technology with extremely specific guidance, we are trying to establish a risk management framework that financial institutions can apply to the technology they are considering. And then they can get more granular from there, if they need to. So, things like the risk assessment and transaction limits that are reasonable and consistent with normal usage of the system make sense as controls. Is $100,000 a reasonable limit for a bill-payment system? We see that type of limit all the time, but I would argue it's got at least one too many zeroes for what we would consider normal usage. Those are types of things we work through when we talk to credit unions.
And I've mentioned fraud monitoring a few times. I don't think there's one comprehensive solution out there that I've seen yet that addresses every particular area of fraud or monitoring or monitoring of unusual activity on e-banking systems. Of course, every system has its own set of functionality there and its own risks; so if we're looking at transaction monitoring, what you might see initially would be transactions over X dollar amount show up on a report that the credit union could look at. But what if there's some sort of structuring on the fraudsters' part, where they are trying to do a whole bunch of smaller transactions that in total could amount to a significant amount of fraud?
Those transactions might be missed by the monitoring. It implies that some ability to aggregate transactions and/or have cumulative limits per day, per week, per month, is important. There's also certain risk areas that might not all relate to the transaction amounts or activity. They might relate to areas that would enable a credit union to detect the fraud before the transaction even occurs. So, a couple of examples in the FFIEC guidance relate to where the guidance talks about detecting suspicious activity at login.
Failed login attempts are a big one. If you saw, for example, 50 failed log-ins on a normal day and all of a sudden you had 10 or 100 times that many failed attempts, that would be a sign that something was wrong. These are the types of things we explain to credit unions, to help them understand the guidance. And I think administrator activity on any system is a known risk area, and so we're looking for credit unions to be monitoring that activity and looking for any anomalies there as well.
KITTEN: So it's really more about a very common sense approach to detection and security, rather than just conformance, right?
TRUETT: Well, yes. And I've got a list of fraud-monitoring items that we've adopted in our Exam Work Program that we believe are consistent with the FFIEC guidance. We note the failed log-ins, the admin activity, the unusual transactions and the password resets. But those are the things that you should look at on any e-banking system.
We also have a section in our Examination Work Program that talks about commercial deposit account activity, and it does trigger an expanded review for our examiners.
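The fraud-monitoring checks Truett describes above (cumulative per-day and per-week limits that catch structuring below a per-transaction report threshold, plus a failed-login count far above the normal daily baseline), written out as an added Python example; this is not code from the interview or from the NCUA's Exam Work Program, and the member IDs, dates, amounts and limits are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: e-banking transfers as (member_id, date, amount).
# Every single amount for M-1001 sits just under a $2,500 per-transaction
# alert line, which is exactly the structuring pattern a per-transaction
# report would miss.
SAMPLE_TXNS = [
    ("M-1001", date(2012, 5, 7), 2400.00),
    ("M-1001", date(2012, 5, 7), 2450.00),
    ("M-1001", date(2012, 5, 7), 2300.00),
    ("M-1001", date(2012, 5, 8), 2490.00),
    ("M-1001", date(2012, 5, 9), 2400.00),
    ("M-2002", date(2012, 5, 7), 1200.00),
    ("M-2002", date(2012, 5, 9), 300.00),
]

# Limits are constructed for this example, not figures from the guidance.
PER_TXN_LIMIT = 2500.00
DAILY_LIMIT = 5000.00
WEEKLY_LIMIT = 10000.00


def flag_cumulative(txns, per_txn=PER_TXN_LIMIT, daily=DAILY_LIMIT, weekly=WEEKLY_LIMIT):
    """Return {member_id: [reasons]} for members whose activity breaches a limit.

    Aggregates per member per day and per ISO week so that many small
    transfers are caught even when no single one exceeds `per_txn`.
    """
    per_day = defaultdict(float)
    per_week = defaultdict(float)
    hits = defaultdict(list)
    for member, day, amount in txns:
        if amount > per_txn:
            hits[member].append(f"single txn {amount:.2f} > {per_txn:.2f} on {day}")
        per_day[(member, day)] += amount
        per_week[(member, day.isocalendar()[:2])] += amount  # (iso_year, iso_week)
    for (member, day), total in per_day.items():
        if total > daily:
            hits[member].append(f"daily total {total:.2f} > {daily:.2f} on {day}")
    for (member, week), total in per_week.items():
        if total > weekly:
            hits[member].append(f"weekly total {total:.2f} > {weekly:.2f} in week {week[1]}")
    return dict(hits)


def failed_login_spike(baseline_per_day, observed, factor=10):
    """True when today's failed logins reach `factor` times the normal daily count."""
    return observed >= factor * baseline_per_day
```

Running only the per-transaction check (pass `daily=float("inf"), weekly=float("inf")`) returns nothing for M-1001, which is the monitoring gap the interview warns about.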