FFIEC Conformance: A Vendor's View
'We Spend a Lot of Time Coaching and Advising'Editor's Note: This is the first in a series of pieces profiling key third-party service providers on their efforts to help U.S. banking institutions conform to the FFIEC Authentication Guidance.
See Also: Report: The State of Cloud Data Security 2023
It's been more than a year since the Federal Financial Institutions Examination Council issued its updated Authentication Guidance for online banking transactions. Yet many institutions - especially smaller ones - are still confused about what their risk assessments and conformance strategies should entail.
To dispel that confusion, third-party service providers, such as Q2ebanking, spend a fair amount of time consulting with institutions about expectations and options.
"We spend a lot of time coaching and advising our institutions about what is really being required of them," says Jay McLaughlin, chief security officer for Austin, Texas-based Q2ebanking, an online banking platform provider.
Even after the first wave of FFIEC examinations this year, many institutions still feel overwhelmed, he says. "I think there is still a bit of shock out there about what is being expected and anticipated."
To dispel confusion and help institutions meet FFIEC expectations, Q2ebanking first made sure it understood the nuances of the guidance. Now the vendor works with institutions to help ensure they understand and meet the guidelines for risk assessments, layered security controls and customer awareness.
Preparing for Guidance
For smaller institutions especially, core processors and third-party service providers play a valuable role in explaining the guidance and assisting in conformance.
Q2ebanking, which provides online banking services to approximately 325 community banks and credit unions throughout the United States, began preparing for this role in early 2011, after a draft of the guidance was inadvertently released, comparing its platform offerings with what was expected to be called for by the guidance.
"Prior to the updated guidance being released mid-last year, our platform already offered features to build a layered-security model, including out-of-band transaction verification, dual-approval authorization, enhanced controls over account maintenance and behavioral analytics to model customer profiles," McLaughlin says.
By the time the guidance was formally released in June 2011, Q2ebanking had amassed an arsenal of white papers and informational material to share with its clients. The materials explained how Q2ebanking's platform matched requirements outlined in the guidance, McLaughlin says.
"Then, shortly after the guidance was released, we provided our customers with a matrix, showing how our platform matched up to the FFIEC's recommendations," he says.
Multifactor Authentication and Layered Security
In its updated guidance, the FFIEC calls for several areas for improvement, among them: ongoing risk assessments, layered security controls and enhanced customer education initiatives. Starting with risk assessments, many of Q2ebanking's client institutions have reached out to discuss strategies for FFIEC conformance, McLaughlin says.
One area where many institutions seemed to be falling short: multifactor authentication.
"You see a lot of institutions, large and small, continuing to use several multifactor techniques, such as browser registration and the reliance upon a cookie-based token to be able to authenticate a device and believing who it is to be true," McLaughlin says. "But we have seen a number of attacks in the public space that give the attacker the ability to steal these types of tokens, if you will, cookies, that basically allow those multifactor options to be bypassed."
To ensure conformance, institutions must implement multifactor authentication and layers of security.
Q2ebanking's platform includes online banking, mobile banking and voice banking services. Its banking platform is based on a .net architecture, which McLaughlin says enables online, mobile and voice banking systems to share the same architecture. The platform is streamlined, so the user experience is the same across all channels.
"We're using a physical token as a second factor for out-of-band authentication," McLaughlin says. And Q2 also offers out-of-band transaction authorization. "So, it's not just around the authentication space, but actually around the time when you go to approve or authorize a transaction," he adds.
Institutions can determine how they want to configure those different options. So, if an online user logs in from an unrecognized browser, for instance, the bank can require that an out-of-band method of authentication - token, phone call or SMS/text - be used every time before the transaction is approved. Or, the institution may decide to only require additional authentication on select transactions, McLaughlin says.
Risk and fraud analytics, based on decision models and behavioral engines that build profiles, also are part of Q2ebanking's offer.
"Based on how a user usually interacts with the platform [that] tells me whether something is normal or not," McLaughlin says. "Geo-location lookups, the time of day, the day of the week and even the week of the month are tracked to determine the typical behavior. So, if we know that we always tend to see an IP address around this region, and that the user logs in on Tuesdays and Thursdays between 9 and 11 in the morning, anything outside of that should send an alert to the bank's back-office."
Understanding how users transact is critical, McLaughlin says. Once a transaction is flagged as suspicious, it won't go through until the institution manually approves it. "Either they call the customer and cancel it, or they call the customer and approve it," McLaughlin says. "We're giving them the ability to fight this thing before the money actually leaves the bank. And if we can stop the transaction before the funds leave, that's winning the game."
During the first six months of 2012, Q2ebanking's behavioral analytics tool stopped more than $3 million in fraudulent ACH and wire transactions from leaving accounts, McLaughlin says.
First Examinations: Results
The first wave of FFIEC examinations has been insightful, McLaughlin says. Based on what McLaughlin has heard from customer institutions, regulators are focused on risk assessments and multifactor authentication
"Our customers who have undergone examinations have shared similar experiences," McLaughlin says. "Examiners seem to be focused heavily on multifactor authentication practices and are challenging institutions that are still relying upon simple device identification as a primary authentication control."
If simple device ID is still being used, examiners want to see in the institution's risk assessment that plans are in place to implement stronger authentication. "They want see that this process is ultimately driving how institutions determine which controls to deploy," McLaughlin says.
This is where McLaughlin says developing stronger programs to educate end-users will make a difference - and go a long way toward helping institutions get over fears about introducing new authentication practices that could affect customer and member convenience.
"There is often a fear in thinking that instituting new or additional methods might impose upon a customer's convenience or experience," he says. "Unfortunately, this is at the sacrifice of security."
Pointing to BankInfoSecurity's 2012 Faces of Fraud Survey, McLaughlin says survey responses related to customer notification after fraud are noteworthy.
"When 86 percent of the respondents said the customers were the first to notify them about fraud, I shared that with our client institutions as a way to show they need to give their customers the tools to help fight fraud."
Q2ebanking assists institutions' awareness efforts by visiting branches and centers to meet face-to-face with customers. "It's easier to explain to them why they need to sign up for some of theses controls," McLaughlin says. "The customer has to be part of the solution."
Due Diligence
Service providers can play a key role in institutions' conformance efforts, McLaughlin says.
"We will never get involved in the actual examination process," he says. "But it's our goal to be a partner, by either educating the regulator or examiner about how the bank or credit union is using our product, or to explain some of the features in the platform," he says.
But the institutions need to do their own due diligence when selecting key service providers. Part of that effort includes reviewing the results of banking examinations conducted on vendors such as Q2ebanking.
[The exams] often occur on a two-year interval," McLaughlin says. "They are more around the IT examination piece and what we offer as a service provider. So, oftentimes we're examined by the FDIC, the OCC, the NCUA, on the credit union side, and the Federal Reserve Board."
Results from these examinations are available to all bank and credit union customers, McLaughlin says, yet few take advantage.
"We often find that less than 5 percent of our customers actually do reach out to obtain that information," McLaughlin says.
To learn more about institutions' conformance efforts, visit the FFIEC Authentication Guidance Resource Center.