FFIEC Guidance: Compliance Begins
Fraud Incidents Push Banks to Enhance Authentication Now
But some institutions aren't waiting for the FFIEC to act. Instead, they've already begun to comply with the major points recommended by the draft guidance.
Case in point: Moline, Ill.-based QCR Holdings Inc., a $1.7 billion multibank holding company that operates three banks -- Quad City Bank and Trust Company and Cedar Rapids Bank and Trust Company in Iowa, as well as Rockford Bank and Trust Company in Illinois.
Michael J. Wyffels, QCR's senior vice president and chief technology officer, says his banks cannot afford to delay their security enhancements. "I'd like to make sure our recommendations fit with what the FFIEC is recommending, to continue to help us mitigate risk," Wyffels says. "But the hackers seem to continue to find new ways to exploit vulnerabilities."
Given hackers' tenacity, waiting for the FFIEC to issue final guidance is simply not an option, Wyffels says.
"We, as an institution, want to do as much as reasonably is possible to mitigate risks," he says. "Like everyone, we want to make good choices and sound investments."
Interpreting the Intent
The FFIEC's update has been discussed openly since mid-2010 and is partially in response to the wave of corporate account takeover incidents that began in 2009.
A draft of the FFIEC's "Interagency Supplement to Authentication in an Internet Banking Environment" was released to member regulatory agencies last Dec. 30, the day before the formal guidance was expected to be made public. At the last minute, however, one of the agencies withheld its approval -- but not before the NCUA mistakenly posted the draft guidance on its website.
The draft was available on the NCUA site for four to five days over the New Year's holiday, during which time it was downloaded 1,100 times, according to the NCUA. Since then, the draft has circulated widely throughout the banking industry.
The five key recommendations emphasized in the FFIEC draft update:
- Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
- Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
- Layered security controls to detect and effectively respond to suspicious or anomalous activity;
- More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
- Heightened customer education initiatives, particularly for commercial accounts.
The entire draft update is contained in a 10-page Word document; Information Security Media Group secured a copy and reported on it in February. Wyffels says he and his organization have studied that February article thoroughly. [See First Look: New Authentication Guidance]
"We took recommendations from the drafted guidance and broke them down into risk assessment, authentication, layered security, effectiveness of authentication techniques and stronger fraud detection," he says. "And then we looked at what we're doing, to identify gaps."
Growing fraud losses are a worry, Wyffels says, so much effort already has gone into improving fraud detection and prevention. "We're continuing to invest in fraud detection technologies for monitoring ACH and wire fraud. At the same time, we are also augmenting technology solutions with manual processes, where it makes sense."
When it comes to out-of-band authentication, Wyffels says QCR will not delay there either, but some specific guidance from the FFIEC would be helpful. "We know from the draft guidance there are comments for out-of-band authentication," he says. "We would look closely at how the guidance is worded, to be sure we are addressing the intent: the correct interpretation of words like 'would' and 'should' is very important."
'We Can't Get Comfortable'
QCR has spent the last several months reviewing new authentication solutions, based on what it expects the FFIEC to mandate in its final guidance. "We took that information and compared ourselves to the existing guidance and the draft guidance, to see how we line up," Wyffels says.
Since the accidental disclosure of the FFIEC draft, speculation has varied wildly over when the final guidance might be released. Some observers say it could be months before the formal document debuts, while NCUA board member Gigi Hyland said in a recent interview that the latest version awaits final signoff from just one member agency.
But whether the formal guidance comes next week or next fall, institutions such as QCR's banks can't afford to sit back and wait before taking action.
"We just can't get comfortable, because things are changing all the time," Wyffels says. "I hope, as an industry, no one ever says they are comfortable."