FFIEC Guidance: Legal View

Authentication Draft Could Favor Customers in Court
A prominent information security attorney says some of the Federal Financial Institutions Examination Council's expectations are "a little weird," but that the FFIEC's pending authentication update could carry significant weight in legal disputes between banks and customers.

David Navetta, co-chairman of the American Bar Association's Information Security Committee, reviewed the December 2010 draft guidance and shares his insight about regulators' expectations.

"As a general matter, it's interesting to see regulators putting the onus on the financial companies for fraud that occurs after the theft has already happened," Navetta says, referencing the draft's discussion of fraud against corporate customers. "Something has been breached elsewhere, like the consumer or the retailer had a system breached, but the bank is responsible for the security. It seems a little weird to me, and it will put a lot of responsibility on financial institutions."

'Leaps and Bounds' Ahead

Although the FFIEC's draft guidance has not been formally released, copies of a December 2010 draft have been circulating throughout the industry. In short, the current draft of the FFIEC's "Interagency Supplement to Authentication in an Internet Banking Environment" calls for:

George Tubin, a senior research director at TowerGroup who focuses on financial security, says the draft is "leaps and bounds" ahead of the FFIEC's original 2005 authentication guidance, especially where risk assessment is concerned. "The financial institutions should have been out there doing these risk assessments for five years anyway, so they should have a pretty good handle on how to conduct risk assessments at this point."

Putting the security onus back on banks is a good thing, too, Tubin says. "The vast majority of businesses have no idea about where the liability falls," he says. "This whole notion that the relationship between a bank and the business is a relationship of equals, in today's environment, is no longer true. And the guidance in this draft gets that."

Navetta says he's anxious, once the final guidance is released, to see how the guidelines influence future legal disputes over fraud liability. "At one point, these drafted guidelines also say one-dimensional authentication is not enough," he says. "To me, that says you should assume that your authentication is going to fail; that even multifactor can be overcome and is, by itself, not enough."

Since most banks rely heavily, if not solely, on multifactor authentication as assurance that they are adequately protecting online transactions, how the courts will view the regulators' suggestion that multifactor authentication is not enough remains to be seen.

The Weight of Guidance

Guidance, by its nature, is meant to set a baseline for best practices. In the drafted guidance, as well as the original, words like "should" and "recommend" seemingly leave wiggle room for interpretation.

But Navetta says the wording does carry weight, and in a court of law any guidance issued by regulators raises questions of fact. "Having words like 'should' instead of 'will' makes the guidance broad," Navetta says. "But the reality is that these guidance documents are used by plaintiffs and litigants when determining what the standards of care should be. It does carry a lot of weight, and in that context it may help a plaintiff move a case pretty far along."

But until banking institutions focus less on complying with the letter of the guidelines and more on ensuring true transactional security, confusion surrounding regulatory guidance will remain an issue. "It's another instance of the banks just not self-regulating," Tubin says. "And many of the smaller banks are not aware of the threats, either, so it really is up to the regulators to put more out there."

None of the banking regulators has responded to requests to discuss the draft guidance. But it is likely that some or all of the items addressed in the Dec. 2010 draft will be amended before the final release of the supplement.


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.