Initial Commentary on the FFIEC Internet Banking Guidance FAQs

The FAQs published by the FFIEC on August 15, 2006, are an attempt by the FFIEC to answer questions asked of them about their guidance on Internet Banking Authentication, published October 12, 2005. The 2005 guidance was an outgrowth of a previous guidance document issued in 2001.

As with all federal-level guidance publications, as well as federal-level legislation, it is not expedient to recommend specific technologies to solve the problem, whatever that problem is. The problem before the Internet banking industry is one of weak authentication. The problem can be solved in a number of ways with a number of technologies; one way is not necessarily recognized to be better than another. Technology changes and morphs, seemingly at the speed of light, leaving the solutions of 2001 pre-empted by the solutions of 2006.

There have been a number of early adopters of multi-factor authentication. The leaders in the banking industry had been planning for quite some time to move towards stronger authentication and were ready to move forward when the FFIEC began publishing guidance documents. Significant financial investments were made in new technologies, departments were created, and people were hired. Other bankers held back and watched. Many banking institutions do not have the capital to invest in cutting-edge technology and must wait until tried-and-true solutions emerge.

The FAQs focus on Internet banking, but the principles also apply to all forms of electronic banking, including telephone banking systems. While the Agencies do not mandate particular solutions, they stress the principles of best practices in securing customer information. The requirement is not to implement multi-factor authentication per se, but to use several methods to mitigate risk. For instance, if single-factor authentication is the only control mechanism, with no other control mechanisms in place, it is not considered “enough”.

Even if an institution acquired an external security assessment whose results stated that existing controls were sufficient, the conclusions of that assessment could not be justified if the institution used only single-factor authentication for high-risk transactions. The emphasis, again, is on “high-risk transactions that involve the movement of funds to other parties and access to customer information”.

While there has been a significant increase in incidents of fraud, including identity theft, not all incidents relate strictly to Internet banking. Most incidents of identity theft have been related to theft in the plain sense: theft of information and theft of equipment that stores customer information. There is also the problem of e-commerce, the use of debit and credit cards over the Internet. The FAQs do not attempt to address these problems.

The guidance suggests that financial institutions not skip the step of a risk assessment and jump straight into implementing particular controls. That is just good advice. How can you implement controls if you are not clear on what the particular risks are in any given area of the transaction environment?

Financial institutions are advised to consider the risks of phishing, pharming, and malware. This is interesting because many financial institutions consider these to be the responsibility of the customer. It sounds like that responsibility has been put squarely back in the lap of the customer’s financial institution. This is a good thing for customers, but it requires more work on the part of the financial institution.

With regard to customers, institutions may not permit customers to “opt out” of additional authentication controls, but may permit customers to choose between the different authentication options offered. Institutions must also provide a customer awareness program. This can be implemented in a number of ways. I noticed recently that my bank immediately took me to a particular page when I logged in, asking me to read the material and click to continue. You can easily skip past the page, but it was a nice effort to inform on the bank’s part and did not cause me any undue time commitment. I appreciated the effort.

While the FFIEC did a good job of answering the most common questions, the answers to the problem are not clear-cut and the absolute path is not known. The important things to take away are that the risk assessment is clearly an absolute requirement, identifying high-risk transactions is an absolute requirement, and safeguarding those high-risk transactions with more than single-factor authentication is an absolute requirement. Beyond that, selecting and implementing the right technology solutions is up to the financial institutions themselves.


About the Author

Marcia J. Wilson, CISSP, CISM

Marcia J. Wilson is an information security professional and a freelance writer. Her expertise includes network security assessments, information security policy and procedure development, business continuity and disaster recovery planning, as well as security awareness training for small and medium-sized companies.