Gaps in FFIEC GuidanceCritics Say Draft Guidelines Raise New Questions
According to a December 2010 draft of the new guidance, regulators will be asking financial institutions to improve online security internally as well as for their consumer and commercial customers.
"The regulators' awareness of some of the threats is positive, and what they are trying to do on the business banking side is good," says former Bank of America executive David Shroyer, now a partner at risk assessment provider Fraud Red Team. Shroyer says the updates give banks more insight about online threats for which they need to prepare. "But the new guidance is not explicit about antivirus updates and patches, and that's important." he adds. "Financial institutions live and die by this guidance."
Shroyer, who oversaw identity, security and fraud-prevention initiatives at BofA, says banks need definitive guidelines, "and the way some of this is currently worded, it's not clear."
Shroyer reviewed a copy of the drafted guidance after it reportedly appeared on one of the FFIEC agencies' websites, and he says the draft does not delve into a number of concerning areas, including authentication for mobile and call-center banking, which both have proven susceptible to vishing scams.
The draft, which Information Security Media Group also reviewed, was reportedly distributed in December to the FFIEC's five member agencies -- the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corp., Office of the Comptroller of the Currency, National Credit Union Administration and Office of Thrift Supervision -- for review and comment.
It's important to note that the final guidance may include revisions, based on input from the agencies. Meanwhile, the current draft's highlights include:
- Better risk assessments to address emerging threats, such as man-in-the-middle or man-in-the-browser attacks and keyloggers;
- The need for more multifactor authentication;
- Outlines for layered security controls;
- Enhanced user-authentication techniques as well as explanations for improved device identification and protection;
- Recommendations for improved customer and employee fraud awareness.
Banks More AccountableOne overarching theme evident in the draft's language is that more security burdens can be expected for banks and credit unions. In fact, it is likely that banking institutions, going forward, will be held more accountable if and when online security is breached.
The drafted guidance explicitly mentions vulnerabilities to small and medium business accounts, since fraudsters have figured out how to compromise those accounts for high returns in ACH and wire fraud. As part of banks' responsibility to educate commercial customers about fraud risks and security, the draft suggests financial institutions clearly explain protections that are and are not provided under Regulation E.
The draft also suggests institutions encourage their "commercial online banking customers (to) perform a related risk assessment and controls evaluation." Banks also are encouraged to provide commercial customers with suggestions for alternative risk-control mechanisms that could help reduce commercial-account risks.
Distinguished Gartner Analyst Avivah Litan says that acknowledgment of vulnerability for commercial customers is the best thing to come out of the draft. In a recent blog entry, Litan writes: "Business account holders will now have to be explicitly informed that the business holds the bag if their accounts are raided through online banking (unless the bank promises to cover such losses by means of binding contracts between the bank and its customers).
"At least this measure finally makes the rules of the game transparent and doesn't keep them buried in the fine print of long contractual agreements that many customers find hard to read. With the introduction of this measure, customers should not be so shocked when they are not reimbursed by their bank for often crippling losses."
Guidelines 'Spot-on?'TowerGroup's George Tubin, who agrees regulators have not been vigilant when it comes to breach liability transparency, says the draft reflects moves in a promising direction. "I personally think the new requirements are spot-on, and the supplement is very well and clearly written," says Tubin, a senior research director in Delivery Channels and Financial Information Security research.
But former BofA executive Shroyer says the guidance is too vague. "One of the key things we're finding is that processes need to be reviewed," he says. "Banks must continue to implement control mechanisms that are in accordance with the risk of the transaction."
Shroyer says criminals are breaching control mechanisms through process gaps between siloed banking channels. "Cross-channel fraud is the new big threat facilitated by enhanced malware and open-source identity compromise," he says. "The guidance doesn't address that. And when different organizations have different goals, you end up with process overlaps that are conflicting. It would be great if the guidance would point more of that out."
2005 Guidance Was ClearRegulators suggest many of those process gaps and overlaps resulted from banks' decisions to ignore recommendations clearly stated in the original 2005 authentication guidance. For example, from an authentication standpoint, three-factor authentication -- something the user knows, has and is -- could have prevented many online and cross-channel breaches, regulators say.
"I don't know of anyone who's actually following this by doing all three (factors)," says Ben Sady, manager of Risk Advisory Services for Keiter Stephens, a certified public accounting firm and consultancy. "Even with a symbol, that's something you know, so it's not true multifactor authentication, as the guidance intended. And most banks were only following this first one, something the user knows, trying to figure out if they really had to comply with one [factor] or all three."
Regulators have taken note of this noncompliance with multifactor measures. As the new draft states: "The Agencies are increasingly concerned that customer authentication methods implemented several years ago may no longer be effective." And from a risk assessment standpoint, regulators argue banking institutions were not doing enough to stay current.
Sady says most banks conduct audits to address risk only once every two years; at large banks, audits may occur annually. "Judgment is required on behalf of bank management, internal auditors and regulators to determine the best approach to security," he says. "This approach to provide guidance is meant to provide the flexibility and reduce the burden of compliance, where a square peg does not fit a round hole."