FFIEC's New Mobile Security Guidance: An AssessmentGuidance Sets Bar for Bank Examiners' Evaluations of Mobile Services
The Federal Financial Institutions Examination Council has released security guidance for mobile banking and payments that its examiners will now use in their assessments of financial institutions.
See Also: Taking Advantage of EMV 3DS
Unlike the authentication update added to the FFIEC's IT Examination Handbook back in June 2011, which was criticized for not including enough details and specific recommendations, this new guidance aimed at mobile transactions is extremely detailed.
The 18-page Appendix E: Mobile Financial Services, which is an addition to the Retail Payments Systems booklet, precisely spells out steps banking institutions need to take to ensure that their mobile offerings are secure.
"The guidance is a good reference point for banks that have to implement mobile security," says Gartner analyst Avivah Litan. "It's generic enough that banks have the liberty to use their best judgment on which technologies and layered security measures make sense for their environment. But it also justifiably puts much of the onus on the business managers of mobile banking applications to assess the business risks inherent and formulate mitigation strategies commensurate with the risk."
Stephanie Collins, spokeswoman for the Office of the Comptroller of the Currency, one of the five regulatory agencies that make up the FFIEC, says banking examiners have been assessing the safety and soundness of mobile financial services since mobile banking and payments were introduced. "Appendix E provides guidance to examiners - factors that should be considered as part of that assessment," she says.
Examiners likely will immediately start using this guidance during their IT assessments, says Ben Knieff, a financial fraud analyst at the consultancy Aite. "Financial institutions should take a look at their risk assessments and controls and compare how they line up against this most recent guidance," he says.
Burdensome for Smaller Banks?
Smaller institutions may see the new guidance as being too burdensome to follow, especially as it comes on the heels of the July 2015 issuance of the FFIEC Cybersecurity Assessment Tool, says Mike Wyffels, chief technology officer of QCR Holdings, which owns four banks.
Many financial institutions are still trying to figure out how examiners expect them to use the tool (see: Banks to FFIEC: Cyber Tool is Flawed). And banking groups have asked the FFIEC to re-evaluate the tool, because they say its recommendations are too rigid and do not adequately address real cybersecurity risks (see FFIEC Cyber Tool Needs Urgent Revamp).
"We already are a little anxious regarding additional burdens and respective expenses to support them," Wyffels says. "Each year, the expectations become more burdensome, which impacts staff, suppliers and board members. Continued administrative oversight and new tools or services to mitigate risks and demonstrate adherence to guidance expectations are driving expenses and causing 'reasonable risk' balance conversations to take place."
Wyffels acknowledges, however, that the specifics offered in the new mobile guidance should help bankers better understand regulators' expectations for mobile security.
Dave Jevans, vice president of mobile security at cyber threat defense firm Proofpoint and chairman of the Anti-Phishing Working Group, a global coalition focused on unifying response to cybercrime, says the new release from FFIEC "is an excellent piece of guidance and covers most issues. It is missing the risk of Wi-Fi hotspots that can perform man-in-the-middle attacks against banking users. Other than that, it is very good."
Financial institutions "need to be educated on the growing mobile risks for mobile financial services, and this document is a good primer," Jevans says. "Many FIs simply rely on an outsourced software developer to do this, which rarely happens."
Areas Covered in New Guidance
Key areas the new guidance addresses are mobile technologies, risk identification, risk measurement, risk mitigation, monitoring and reporting.
The guidance offers best practices for verifying customers' identities before enrolling them in mobile payments offerings. It also recommends that institutions implement layered customer authentication, such as coupling biometrics with PIN entry, for mobile banking and especially payments, to mitigate the risk of fraudulent transactions and other malicious activities.
The FFIEC update stresses the need to ensure customers take responsibility for mobile security through customer awareness training, as well as the need for contracts with third parties, such as networks, carriers and app stores, to specify that security controls are in place to coincide with the controls banks must have in place to meet regulatory demands.
Banking regulators over the last two years have put more emphasis on the need for institutions to ensure the security of the third parties with which they work. The FFIEC's new mobile guidance falls in line with that trend, says QCR's Wyffels.
"The directed third-party oversight from the financial institution continues to be a message, as part of an effort to drive awareness and adherence by the third-party to the FI's vendor management expectations," he says.
The FFIEC points out that the complexity of the mobile infrastructure, which includes many non-financial players, is cause for concern.
"The mobile ecosystem is the collection of carriers, networks, platforms, operating systems, developers and application stores that enable mobile devices to function and interact with other devices," the new guidance notes. "Vulnerabilities may exist in any area of this decentralized mobile ecosystem and, therefore, result in a multi-entity patch-management process among mobile device operating system developers, device manufacturers, wireless carriers and other application developers. As a result of the decentralized ecosystem of some devices, a known vulnerability may remain unremediated, while the various parties review, update and ensure compatibility with their applications and the security mitigation."
The level of detail in the new guidance should help banking institutions to manage risks, says Aite's Knieff.
"This new guidance effectively highlights the different risks associated with different delivery methods," he says. "SMS, app and mobile web each have their own risks that must be addressed. Organizations that applied the 2011 authentication guidance to mobile should not be seeing too many surprises.
"I also think, for the most part, that the industry has already internalized much of this guidance on their own. ... Leading institutions have proved some tactics effective, and those can be formalized for institutions that are following."