FFIEC Guidance: Compliance Begins

Fraud Incidents Push Banks to Enhance Authentication Now
More than four months after a draft update of the Federal Financial Institutions Examination Council's 2005 authentication guidance was inadvertently disclosed by the National Credit Union Administration, the final, formal guidance has yet to be released. [See NCUA Disclosed FFIEC Draft.]

But some institutions aren't waiting for the FFIEC to act. Instead, they've already begun to comply with the major points recommended by the draft guidance.

Case in point: Moline, Ill.-based QCR Holdings Inc., a $1.7 billion multibank holding company that operates three banks -- Quad City Bank and Trust Company and Cedar Rapids Bank and Trust Company in Iowa, as well as Rockford Bank and Trust Company in Illinois.

Michael J. Wyffels, QCR's senior vice president and chief technology officer, says his banks cannot afford to delay their security enhancements. "I'd like to make sure our recommendations fit with what the FFIEC is recommending, to continue to help us mitigate risk," Wyffels says. "But the hackers seem to continue to find new ways to exploit vulnerabilities."

As the latest wave of wire fraud incidents originating in China proves, account takeover, perpetrated by online attacks, continues to grow. [See New Wave of Wire Fraud Strikes Banks]

Given hackers' tenacity, waiting for the FFIEC to issue final guidance is simply not an option, Wyffels says.

"We, as an institution, want to do as much as reasonably is possible to mitigate risks," he says. "Like everyone, we want to make good choices and sound investments."

Interpreting the Intent

The FFIEC's update has been discussed openly since mid-2010 and is partially in response to the wave of corporate account takeover incidents that began in 2009.

A draft of the FFIEC's "Interagency Supplement to Authentication in an Internet Banking Environment" was released to member regulatory agencies last Dec. 30, the day before the formal guidance was expected to be made public. At the last minute, however, one of the agencies withheld its approval -- but not before the NCUA mistakenly posted the draft guidance on its website.

The draft was available on the NCUA site for four to five days over the New Year's holiday, during which time it was downloaded 1,100 times, according to the NCUA. Since then, the draft has circulated widely throughout the banking industry.

The five key recommendations emphasized in the FFIEC draft update:

  • Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
  • Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
  • Layered security controls to detect and effectively respond to suspicious or anomalous activity;
  • More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
  • Heightened customer education initiatives, particularly for commercial accounts.

The entire draft update is contained in a 10-page Word document; Information Security Media Group secured a copy and reported on it in February. Wyffels says he and his organization have studied that February article thoroughly. [See First Look: New Authentication Guidance]

"We took recommendations from the drafted guidance and broke them down into risk assessment, authentication, layered security, effectiveness of authentication techniques and stronger fraud detection," he says. "And then we looked at what we're doing, to identify gaps."

Growing fraud losses are a worry, Wyffels says, so much effort already has gone into improving fraud detection and prevention. "We're continuing to invest in fraud detection technologies for monitoring ACH and wire fraud. At the same time, we are also augmenting technology solutions with manual processes, where it makes sense."

When it comes to out-of-band authentication, Wyffels says QCR will not delay there either, but some specific guidance from the FFIEC would be helpful. "We know from the draft guidance there are comments for out-of-band authentication," he says. "We would look closely at how the guidance is worded, to be sure we are addressing the intent: the correct interpretation of words like 'would' and 'should' is very important."

'We Can't Get Comfortable'

QCR has spent the last several months reviewing new authentication solutions, based on what it expects the FFIEC to mandate in its final guidance. "We took that information and compared ourselves to the existing [2005] guidance and the draft guidance, to see how we line up," Wyffels says.

Since the accidental disclosure of the FFIEC draft, speculation has varied wildly over when the final guidance might be released. Some observers say it could be months before the formal document debuts, while NCUA board member Gigi Hyland said in a recent interview that the latest version awaits final signoff from just one member agency.

But whether the formal guidance comes next week or next fall, institutions such as QCR's banks can't afford to sit back and wait before taking action.

"We just can't get comfortable, because things are changing all the time," Wyffels says. "I hope, as an industry, no one ever says they are comfortable."

About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
