FFIEC: How Well Do Banks Conform?

Many Institutions Await Clarifications from Regulators

April 17, 2012.

How well do banks conform to the FFIEC's updated Authentication Guidance? Gartner analyst Avivah Litan says most have made progress, but they still struggle with the details.

As she reviews banking institutions, Litan sees risk assessments being completed, as well as a focus on security enhancements to ACH and wire payments systems, customer education, and a review of which existing fraud-detection systems need to be updated.

"I think they're well underway about knowing what they need to do," Litan says. "But they're still grappling with some of the details."

Specifically, Litan sees confusion about some of the guidance's finer points. The confusion fuels institutions' reluctance to move too far ahead until federal examiners offer clarification.

"It's important to note that compliance does not always equal security," she says. "But security will typically get you to compliance."

Litan's observations confirm some of the results of the 2012 Faces of Fraud survey. Only 11 percent of survey respondents say they have come into conformance since the updated guidance was issued in 2011. Half of the survey's respondents say they do not conform now, and nearly one-quarter say they don't even know their state of conformance.

"It's a siloed approach," Litan says. "The compliance people worry about compliance, and the fraud people worry about fraud. And they don't always really understand how it all fits together. ... I think at the smaller banks, they think the guidance will have more of an impact."

Out-of-band authentication is one area causing hiccups. It's noted in the guidance as a recommended verification method. But how should a bank or credit union authenticate online transactions that are initiated via mobile devices?

"The main confusion related to mobile authentication is pretty simple," Litan says. "The regulators just need to say something specific and explain which methods qualify as out-of-band for mobile banking."

During this interview, Litan discusses:

  • Why banks should focus on pure security, rather than the minutiae of the guidance;
  • The top technology investments she sees financial institutions making;
  • Why too much focus on customer and member awareness and education is a mistake many smaller institutions are likely to make.

Litan is a distinguished analyst at Gartner and a recognized authority on the FFIEC guidance. She has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers the security related to payment systems and PCI compliance.

Follow Tracy Kitten on Twitter: @FraudBlogger
