FDIC: FFIEC Guidance Progress ReportRegulator on Examiners' Expectations, Institutions' Response
Henley, associate director for the Federal Deposit Insurance Corp.'s Technology Supervision Branch, has seen institutions responding appropriately to the Jan. 1 deadline that went into effect this year for conformance with the new guidance, which calls for institutions to:
- Perform periodic online banking risk assessments;
- Deploy layered security controls for online transactions;
- Enhance customer awareness programs.
"We've seen that most of the institutions have taken the update to the guidance seriously and began developing plans to conform," he says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
Understanding that budgets and expenses impact institutions' responses to the guidance, examiners were looking for "reasonable, good faith efforts" to conform to the guidance as soon as possible, Henley explains. "If there was evidence that once the guidance was issued that an institution began working on a compliance plan, we instructed our examiners to really give credit or allowances," he says.
Regulators also acknowledged that smaller, community banks are particularly dependent upon technology service providers to help them conform to the updates in the authentication guidance. "Many of the larger institutions were in conformance prior to Jan. 1," Henley explains, and those that weren't continued to work and were able to meet the date.
During this interview, Henley discusses:
- Fraud trends he deems most concerning;
- Steps regulators are taking to address new guidance, regulatory mandates and institutional conformance;
- How regulators are addressing new risks facing mobile banking and payments.
Henley is the associate director for the FDIC's Technology Supervision Branch. In this role Henley supervises the Applied Technology, Information Technology and Cyber Fraud and Financial Crimes Sections. Before going to the FDIC, Henley served as the senior vice president for regulation of BITS, the technology policy division of the Financial Services Roundtable, where he managed relationships with regulatory agencies and engaged experts from financial institutions about information security, operational risk, vendor management, fraud risk and business continuity planning. Prior to joining BITS in July 2010, Henley spent more than 20 years as a financial institution regulator, including service as the director of IT examinations for the Office of Thrift Supervision and as chair of the FFIEC's IT Subcommittee.
TRACY KITTEN: Your role with the Federal Deposit Insurance Corp. might be new, but you've worked as a regulator in the past. In fact, you left the Office of Thrift Supervision in the summer of 2010 to join BITS. What can you tell us about your previous regulatory experience?
WILLIAM HENLEY: I joined the FDIC in 1989 as a bank examiner trainee in Houston, Texas. I worked as an examiner there in the Dallas region from 1989 to 1998 when I came to headquarters here in Washington to work as a policy analyst in various roles, including spending some time in the capital market section, the policy section here in Washington. Finally when they formed the technology supervision branch around 2000, I was one of the initial staff members.
I left the FDIC to join the OTS as the director for IT risk management and spent four years at the OTS. During that time, I had the opportunity to chair the FDIC sub-committee. I returned to the FDIC having in the past spent over 20 years as a regulator. I'm glad to be back where my career started.
Technology Supervision Branch
KITTEN: What can you tell me about the FDIC Technology Supervision Branch? What does it oversee?
HENLEY: The Technology Supervision Branch oversees three sections within the division of risk management, the apply technology section, cyber fraud and financial crime section, and the information technology section.
The apply technology section serves as the liaison between the division of risk management and our division of information technology. We manage the division's portfolio of IT applications that support our core business functions. We ensure that the division is in compliance with the various information security and privacy laws and regulations to which the FDIC must adhere. We support the division's needs with respect to its internal and external websites, and probably most importantly we work with the division of information technology to ensure that our examiners have the IT hardware and software needed to carry out their responsibilities; in other words, the tools that they need to work most effectively and efficiently.
The cyber fraud and financial crime section leads all aspects of fraud-related initiatives including the establishment of regulatory policies and procedures, supervisory programs and examination techniques, examiner training related to financial crimes and outreach to banking industry and the public. And some of the primary initiatives of the cyber fraud and financial crime section include serving as a clearing house for information related to fraudulent activities impacting financial institutions, developing educational resources and materials about scams that target consumers, issuing special alerts regarding cyberfraud incidents and other fraudulent activity, and conducting background investigations in connection with applications submitted to the FDIC, such as federal deposit insurance or notices of acquisition of control and applications subject to sections 19 and 32 of the Federal Deposit Insurance Act.
Finally, in the information technology section we seek to be the leader in the effective supervision of insured financial institutions focusing on technology and operational risk management. We do this by supporting examiners in their evaluation of risk management practices related to information technology and operations. We also are involved in that section in the supervision of large technology service providers.
KITTEN: In your role you oversee the applied technology/information technology in cyber fraud and financial crime sections. Is this a newly created position or are you stepping into a role that someone else had previously filled?
HENLEY: The position was initially created in 2000 and the current director of the division of risk management, Sandra Thompson, was the first leader of the Technology Supervision Branch and then she was succeeded by Michael Jackson, who recently retired after 41 years of federal service. So I'm privileged to be the third associate director.
Experience at BITS
KITTEN: Before taking this new role at the FDIC, you spent just more than a year with BITS. Why did you leave?
HENLEY: As I mentioned, I started with the FDIC right after graduating from college, and so I had spent my entire professional career on the public side. When the opportunity presented itself to get some private sector experience, this was an opportunity that I couldn't pass up working for the Financial Service Roundtable, and actually spent almost two years - it was about a month short of two years - working there. The Financial Services Roundtable is an outstanding association that represents its members well. It just helps to round out my career and my abilities and experience being able to work with many of the institutions that I had supervised. Now I'm regulating and supervise once again, seeing how the guidance and the regulation that we either draft or implement here at the FDIC is received and how it affects institutions. It provided me with the opportunity to be a more complete regulator.
KITTEN: How do you think your time with BITS assisted you in your new role? And you've touched on this a little bit, talking about getting a different perspective perhaps from some of the institutions that you had once regulated.
HENLEY: It helped me to see the effect on institutions that guidance and regulation can have. From the public side, personally, I know that at times I may have suffered from a little bit of myopia or have been a little myopic. As regulators, we regulate and we expect the industry to comply and just comply immediately, but working on the private side and working with the members of the roundtable I was able to see that the guidance and regulations have immediate and clear consequences for those institutions.
For example, when a piece of guidance, regulation or a rule is issued and it's in the middle of the financial year for an institution, the compliance may require the addition of staff. It may require the purchase of equipment, hardware or software that are expenses that may not have been budgeted for that year. Meeting the target dates for compliance may be much more difficult if there aren't dollars in the budget for those institutions. So I think I will understand that and be much more understanding and sympathetic to those institutions that while they may be making plans to comply there may be real impediments, financial impediments, that keep them from meeting certain deadlines.
KITTEN: I wanted to ask a little bit about the technology focus that you took from BITS, coupled with the regulatory experience that you've had in the past and that you're building on now in your current role. When it comes to FFIEC examinations that are related to the updated authentication guidance, what are you hearing from examiners and institutions? What are you learning?
HENLEY: The reports of examinations are confidential so I can't comment on specific institutions but generally the expectation of the agencies has always been on that, their recognition that from June to January was just six months, but what the examiners were looking for was reasonable, good faith efforts to conform to the updated guidance as quickly as possible. If there was evidence that once the guidance was issued that an institution began working on a compliance plan, even if they were able to recognize that they started in June or July of 2011 that they wouldn't meet the full compliance until after January 2012, we have instructed our examiners to really give credit or allowances to those institutions, particularly for the community banks that we supervise.
And we've also recognized that community banks are particularly dependent upon technology service providers to help them conform to the updates and the authentication guidance. Many of the larger institutions were in conformance with the guidance even prior to January 1 and those that weren't continued to work and most of them were able to meet that suggested date. But overall, we've seen that most of the institutions have taken the update to the guidance seriously and began developing plans to conform to the guidance.
KITTEN: What about some of the fraud trends that you're hearing about or that you're actually seeing out there in the industry? Some of these could relate to trends that were addressed in the updated authentication guidance, or just fraud trends generally. What trends concern you the most and how do see financial institutions addressing some of those trends?
HENLEY: I'd say the use of blended threats concerns me the most. For example, criminals using social engineering to convince someone to do something that leads to the installation of malicious software malware on their system. This could be a customer's computer system, as we've seen with the rash of corporate account takeovers in the recent years, or it could be targeted at the senior officials at an institution. The cybercriminals are very good at collecting publicly available information about people and then using it to spear-phish or target e-mails or phone calls or on social networking websites to convince people or to trick them into installing malware or giving up their credentials. Banks are addressing this concern by strengthening authentication and making it harder for cybercriminals to spoof log-in credentials, and they're also improving monitoring tools that look for indications that fraud might be happening.
KITTEN: As the associate director of the FDIC's Technology Supervision Branch, I suspect that you'll be closely involved in a number of regulatory initiatives that touch on everything from cybersecurity to emerging technology enhancements. What can you tell us about expectations you have for upcoming regulatory oversight, especially where cybersecurity initiatives are concerned?
HENLEY: This is an area that's important and receiving attention at the highest levels. No doubt you're aware that this administration, Congress, the financial and technology industry leaders, academia and others are all looking at how to best legislate cybersecurity, but I'm hopeful that this ongoing discussion about the issues leads us to a place where we end up with an appropriate, well thought-out framework that's not onerous and difficult to comply with.
Addressing New Technologies
KITTEN: What about emerging technologies and services such as mobile banking and payments, or even cloud-based financial services? How's the FDIC watching and monitoring those types of technologies and services and transactions?
HENLEY: That's an excellent question and this is an area that I would like to give a little attention to. The FDIC and the banking regulators in general want to move from a control-based oversight to a governance-based oversight. What I mean by that is we don't want to constantly be chasing the newest technology and coming out with the specific checklist or set of rules or standards for each technology that comes, because we would be constantly reactive and it's very difficult to keep up as the dynamic nature of technology changes come more and more frequently.
[With] governance-based oversight, we want to focus on the risk management and the decisions that bank management, the board of directors and the senior executives at each institute make [on] how they're able to support the decision to invest in these new technologies or deploy these new technologies. It's how they identify the risk and address these risks through a mitigation strategy and that they've deployed individually in each institution, because with these technologies there's generally not a one-size-fits-all architecture or solution, but if we get the word out to our examiners and to the institutions that governance is really where we want to look and that they take into account the risk in addition to the benefits - whether it be cost reduction or expanded markets - they look at those risks and they've identified and mitigated those risks, that's really what we're looking at regardless of what the technological development may be, whether it be mobile, cloud and on and on.
KITTEN: We've talked a little bit about the FFIEC conformance and some of the concerns there, and the FFIEC's updated authentication guidance has been top-of-mind but then there's also the newly released guidance on cloud computing. Are there any additional guidance expectations for which institutions should be bracing for or are there any updates or policies your office is currently reviewing that you can tell us about?
HENLEY: With cloud, it's not guidance. It's an information document, but it's not guidance. It's an informational document. Where an institution would want to go to would be the outsourcing booklet which is contained within the FFIEC's IT examination handbook.
KITTEN: We've talked a little bit about mobile banking risks, but are there any areas of concern or any places that you're hearing about from institutions where you think they need the most help or guidance?
HENLEY: The evolution of mobile in financial services is transforming the way that consumers interact with their bank. It's an area that all the banking regulators are monitoring closely across all supervisory disciplines. At this time we've made a distinction between mobile banking which we define as the use of a mobile device to conduct traditional banking activities and mobile payments, which is the use of a mobile device to initiate a payment to a business or another consumer. Now the marketplace for mobile banking services is well established and offered in one form or another by many banks.
The FDIC recently discussed many of the issues surrounding mobile banking in our Supervisory Insights journal, which is available publicly at the FDIC website. Since most FDIC-supervised banks are likely to depend on third-party technology service providers to develop their own mobile banking applications, vendor selection and oversight are a key component of managed mobile payment risk. We expect banks to work with reliable, knowledgeable and reputable vendors and to manage these relationships accordingly.
The mobile payments marketplace on the other hand is rapidly changing and continues to evolve. It seems like virtually everyday there's some new major product announcement or initiative that claims to fundamentally change how people will pay for goods and services, but at this time the FDIC is monitoring developments in the mobile payments marketplace to identify any potential issues that may impact the banking system.
KITTEN: Before we close, what final thoughts would you like to share with our audience about expectations and/or initiatives you have and plan to spearhead over the course of the next 12-18 months?
HENLEY: My expectations and initiatives over the next 12-18 months is to continue collaboratively working with my colleagues and counterparts at the other federal banking agencies and also with the state banking agencies. That's one area that we're particularly proud of and we recognize the comments from the industry that we want to avoid regulatory burden or duplication of efforts, particularly on the IT or the operations risk side, as we work closely with the members of FFIEC and our coordination of the handbook and any guidance pieces that we issue. Also, [it's important] to make sure that all IT examiners are well-trained and are the best examiners to identify IT and operations risk in the institutions that we supervise.