FFIEC Guidance: Examination Update

Regulator Says Fraud Threats Motivate Institutions to Conform

By , July 18, 2012.

Roughly 60 percent of examined institutions show conformance to the FFIEC Authentication Guidance, and they are motivated more by recent fraud trends than by the guidance itself to deploy new, layered security controls.

This is the observation made by a representative of the first U.S. banking regulatory agency to comment publicly on how well institutions conform to the 2011 guidance designed to strengthen the security of online banking.

"There's less education needed to convince [institutions] that the threats are real," says Patrick Truett, who oversees development and support of the National Credit Union Administration's IT examination program within the Office of Examination and Insurance. "When we can point to some of the [fraud] incidents that have occurred and then point them to controls that would have prevented them, it's a really easy sell to get them to adopt new security measures."

Truett, who has spent more than a decade with the NCUA, provided input for the development of the FFIEC guidance, and he has helped train the agency's examiners to gauge institutions' conformance to the guidance, which calls for regular risk assessments, layered security controls for online transactions and enhanced customer awareness programs.

In an exclusive interview, Truett also says examiners are being flexible with institutions that show good-faith efforts to conform to the guidance.

"It is guidance, so it's not a hard regulation, which means there's flexibility within the framework to establish those control sets that match with the services and functionalities that the [institution] is offering," Truett says. "We give flexibility within the guidance, as long as the credit unions have a reasonable control set to mitigate the risks of the particular services they offer."

Since January, examiners from each of the FFIEC's member agencies have been working with banking institutions of all sizes to gauge conformance to the guidance. But Truett is the first agency representative to speak on the record about the trends examiners are discovering. In this interview, Truett discusses:

  • The current state of conformance to the guidance;
  • How the agency approaches examinations;
  • Answers to common questions about mobile banking.

Truett is an information systems officer within the NCUA's Office of Examination and Insurance. His office is responsible for developing and supporting the NCUA's IT examination program, which includes maintaining examination questionnaires and training examiners. Prior to assuming his role in the NCUA's central office, Truett spent 10 years in the agency's Region 3, covering the southeastern U.S., Puerto Rico and the U.S. Virgin Islands.

Risk Assessments

TRACY KITTEN: Patrick, looking back to 2005, ongoing risk assessments were an area where institutions seemed to be failing. Based on what you're seeing today, how far have most institutions come?

PATRICK TRUETT: Well, I think if you look at the increasing level of electronic banking fraud in the years that have followed the 2005 guidance, the credit unions have really had a market-driven incentive to make investments to minimize that fraud. And I think that if we consider this as the second major initiative for FFIEC authentication, the credit unions are tending to be quite a bit more proactive. There's less education needed to convince them that the threats are real. The chance today that a credit union has experienced some type of online fraud is higher. And my experience is, in going out in the field, that credit unions have been very receptive to anything we have to offer that can help them reduce their chances of having fraud incidents.

The Examination Process

KITTEN: How does the process work, from beginning to end for each institution?

TRUETT: NCUA examiners send a need list prior to each examination, and recommended items to request include a listing of all e-banking services deployed/planned, interview(s) with key e-banking staff, risk assessments for all e-banking services, action plan(s) to address any identified deficiencies, printouts of e-banking security settings, and e-banking fraud monitoring reports and related policies/procedures.

Follow Tracy Kitten on Twitter: @FraudBlogger
