FDIC Offers Breach Prevention AdviceUrges Smaller Institutions to Monitor Merchants, Processors
In the wake of an ongoing stream of merchant and payment processor breaches, the Federal Deposit Insurance Corp. is reminding smaller banking institutions that they are ultimately responsible for ensuring the security of cardholder data.
An FDIC advisory issued Sept. 27 clarified the ongoing role community banks are expected to play in overseeing and managing the security practices of all third parties, including merchant customers and processors, with which they work.
"Financial institutions need to assure themselves that they are not facilitating fraudulent or other illegal activity," the advisory notes. "Institutions could be exposed to financial or legal risk should the legality of activities be challenged."
Regulators are warning banking institutions to step up their efforts now, in preparation for when a breach affects their cardholders, says James Wester, head of global payments for consultancy and financial advisory firm IDC Financial Insights. "They are advising banks to do the stuff they should always be doing anyway."
Ashley Stephenson, CEO of Internet security provider Corero, which specializes in DDoS migitation, says the FDIC advisory is a potential signal that regulatory mandates related to minimal requirements for vendor due diligence and cybersecurity standards are likely on the way.
"This appears to be just the tip of the iceberg, as far as proactive regulatory action is concerned," he says.
Community banks are the focus of the advice, regulators say, because merchants and processors that handle higher-risk transactions often do business with these smaller institutions.
The FDIC is reminding banking institutions that they are expected to perform risk assessments and conduct due diligence to ensure that the merchants which they work are operating in accordance with applicable laws and standards. Institutions also are responsible for ongoing monitoring of merchants and other third parties.
"The proper management of relationships with merchant customers engaged in higher-risk activities is essential," the FDIC states.
Regulatory Advice Mounting
The advisory reiterates points the FDIC highlighted back in July, when it hosted a Community Bankers Advisory Committee meeting in Washington, D.C. During that meeting, regulators pointed out that community institutions, not federal banking regulators, are accountable for vendor management and adequate due diligence (see FDIC: Improve Vendor Management).
That same message also was at the core of the Comptroller of the Currency Thomas Curry's Sept. 18 speech in Washington about the risks emerging cyber-threats were posing for financial institutions. In his speech, Curry pointed out that the interconnectedness of the modern payments landscape has magnified security challenges.
"Banks not only operate their own networks, they also rely on third parties to support their systems and business activities," he said. "Some of these third parties have connections to other institutions and servicers. Each new relationship and connection provides potential access points to all of the connected networks and introduces different weaknesses into the system."
Due diligence is a risk management and compliance obligation, Michael Versace, insights director for International Data Corp., a consultancy and data-analysis firm, pointed out just after Curry's speech. "Banks should be pushing for shared risk responsibilities with their third-party service providers. Notification of breaches or failures should be built into these contracts, and banks should be testing these systems themselves on regular basis. ... The banks should raise red flags before regulators do."
Banks are accountable for the security and risk management of third parties, Wester stresses. "The merchant bank and the [card] issuer are the ones that actually have contact with the merchant, the processor and the consumer," Wester says. "[Regulators] regulate the entity, the bank, that has the relationship with the merchant, not the merchant directly."
Complying with Standards
The breach of core processor Fidelity National Information Services raised concerns among banking institutions this summer, when news of the breach broke. Many asked why regulators did not take action to notify banking institutions when they discovered the FIS breach. And network attacks against retailers such Schnuck Markets Inc. and Harbor Freight Tools raised different concerns about lacking compliance with the Payment Card Industry Data Security Standard (see Accountability for Retail Breaches).
In May, the National Association of Federal Credit Unions asked Congress to hold breached retailers and processors accountable when their lax security practices result in the leakage of card data (see Hold Merchants Accountable for Breaches?).
The PCI Security Standards Council, which just wrapped its community meeting, continues to review how it can help ensure merchants and processors are following adequate security best practices (see PCI Updates Address Retail Breaches).
But neither the PCI Council nor banking regulators has authority over merchants and processors, which is why vendor management and due diligence is the responsibility of banks, regulators note.
"The focus of FDIC examinations is to assess whether financial institutions are adequately overseeing activities and transactions they process and appropriately managing and mitigating related risks," the FDIC points out in its advisory. "Those that are operating with the appropriate systems and controls will not be criticized for providing payment processing services to businesses operating in compliance with applicable law."