FFIEC Draft Guidance: Where's Mobile?
Mobile Security Guidelines Not a Part of Current Update
We started hearing about this new guidance last summer, when word spread that the FFIEC was looking to update its 2005 guidance on authentication.
This update further took shape in January, when we got a nudge from -- among others -- Gartner Analyst Avivah Litan, who left an FFIEC subcommittee meeting with great expectations for soon-to-be-issued guidance that would provide more clarity for bankers and protection for commercial businesses. Simply, Litan said, "The message I got is that new guidance will be coming soon."
Now, the moment we've all been waiting for is nearly here in the form of a draft, and I wonder how triumphant the FFIEC has been.
I've read through the drafted guidelines the FFIEC prepared in December -- a preliminary peek the council put together for its member agencies to review. This draft has circulated widely among industry practitioners, vendors and analysts, and copies recently ended up on our desks, too.
I understand feedback from regulatory agencies is likely being taken into consideration as I type, so the guidelines that actually make the final cut could differ dramatically from what we've reviewed. Stay tuned. We haven't seen the final guidance yet.
That said, based on what I've seen, I have to note I am disappointed to see no mention of mobile banking anywhere in the FFIEC's draft.
As more banking transactions shift to the mobile environment, the absence of any recommendations for mobile-based transaction authentication is a bit alarming.
I've talked to regulators in the past about mobile security mandates and compliance concerns related to emerging technologies. They've told me financial institutions should follow existing guidance set for traditional online transactions, saying the online and mobile channels don't differ so much. Both channels are used to conduct "online" transactions, they say, and thus should follow the same guidance.
The channel through which an online account is accessed or an online banking transaction is initiated does make a difference. The security is not the same. Authenticating browser-based transactions conducted via a mobile device, which itself cannot truly be verified, is a whole new challenge for banking institutions.
Mobile security is a problem, namely because we don't know enough about it. Last October, Jason Rouse, director of the mobile and wireless practice for Cigital, told me the fluid nature of mobile browsing habits makes authentication impossible. "It's an unfortunate side-effect of the way that a lot of wireless networks are structured," Rouse explained. "As I connect and disconnect from the network, as I turn my phone on and off or as I just roam to other carriers, it is actually very difficult to maintain a single IP address. As a consequence of the way that the networks are structured, technically, we normally have IP changes in the range of hours to days for every mobile client."
"It is going to take a long-term investment in both research and implementation to get the mobile device or the mobile platform to the place where you, as a bank, would want it to be," Rouse said. "Your best friend is analytics. Keeping track of what is happening in your systems -- anti-fraud, anti-money laundering and even just transaction-risk measures -- can be your best option as you deploy mobile devices or mobile applications to mobile platforms."
Yet, this draft of the industry's most anticipated guidance doesn't even broach the mobile issue.
I don't want to be overly critical. I understand this is a huge undertaking, and from what I can tell, the regulators have taken time to understand emerging online risks and get input from a number of industry sources. I just have to point out that this draft guidance does the industry a great disservice by completely overlooking the unique challenges posed by mobile.
As new institutions dive into mobile banking, security leaders are begging for some new guidance. Where is it?