FFIEC Authentication Guidance: A Bank's Steps to Comply
Customer Education Is Priority for First Niagara
This $38 billion bank has invested a great deal of time and effort into its online security program, continuously conducting risk assessments and making strides to ensure commercial customers stay informed about evolving online-banking risks. First Niagara has made fulfilling requirements highlighted in the new authentication guidance from the Federal Financial Institutions Examination Council a priority.
"We're actually updating our fraud detection software, currently increasing our challenge questions as the FFIEC guidance talks about to ask out-of-wallet questions, and we're getting some additional fingerprinting of cookies," says Joe Rogalski, First Niagara's information security officer and first vice president.
Fraud is increasing, especially cross-channel fraud. Rogalski says the bank's information security and fraud teams stay in close communication to ensure they keep abreast of cross-channel patterns and work together on cyberinvestigations. "This is really looking at threats that are coming down the road and possible fraud that's coming down the road, making sure we have a plan in place and a way to attack it," Rogalski says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
During this interview, Rogalski discusses:
- Why customer education is so critical;
- Steps First Niagara is taking to ensure compliance with the FFIEC's new authentication guidelines; and
- How the bank is mapping courses of action for fighting future and emerging online threats.
Rogalski is the information security officer and first vice president of First Niagara Bank, a top 25 regional bank located in the northeast. Rogalski currently holds CISM and CRISC certifications. Rogalski has more than 18 years of experience in technology and security in a variety of technical and management positions. Before joining First Niagara, Rogalski led information security risk management for M&T Bank. Rogalski also frequently speaks about security, risk management and awareness with industry leaders and First Niagara customers.
TRACY KITTEN: Emerging cyberthreats, complying with the new FFIEC guidance and developing a strategy to adequately tackle online fraud have been a priority for Buffalo, N.Y.-based First Niagara Bank. The $30 billion institution has made online security a priority by investing in new technology and getting buy-in from executives at the top. First Niagara has undergone some significant changes in recent years, primarily associated with rapid growth that's been brought on by merger and acquisition. Could you give our audience a little background about the bank, such as its geographic footprint and the general profile of your customer base?
JOE ROGALSKI: First Niagara is a top 25 bank. We're primarily located in upper New York State, eastern and western Pennsylvania, Connecticut as well as Massachusetts. We primarily target retail and commercial customers both and we also have an insurance agency that is a top 50 insurance agency in the country as well.
Security Challenges
KITTEN: And what have been the primary security and fraud-related challenges the bank has faced in recent years?
ROGALSKI: With the evolution of online threats in the last few years, with SpyEye and Zeus, and the real problems with commercial account takeover, it has been our primary focus for fraud and security-related issues. What we're seeing now is more cross-channel fraud.
KITTEN: And when you talk about the integration of these channels, or when you see cross-channel fraud, how has some of that been impacted by the recent acquisitions?
ROGALSKI: The recent acquisitions really have not impacted fraud so much more as just to general fraud growing. As we grow we're seeing more fraud in cross-channel fraud. The fraudsters are now targeting more than retail customers as they move down the chain.
Addressing Online Security
KITTEN: Now online threats, as you've noted, are a top concern, and the new online authentication guidance that's been issued by the FFIEC does highlight how seriously regulators are taking the financial fight against cyberattacks and online fraud. What steps has First Niagara taken to address online security?
ROGALSKI: First Niagara has done a number of things. We're continually doing risk assessments of our platforms. We're continually testing our controls and the effectiveness of our controls. We do a lot of emerging threats monitoring and planning for emerging threats, making sure we know what's coming down the road so we can react to it when it does get here.
KITTEN: How does the bank address some of these new guidelines that are outlined by the FFIEC for online authentication?
ROGALSKI: Currently we're still evaluating the new guidelines. We've had a number of things in the works for a while waiting for the guidance to come out. We're conducting gap analysis of what controls we have in place today and what we're missing. We feel we're about 75 percent compliant with the new guidance, and we've been doing risk assessments all along. We have layered security. We're doing online detection on transactions as well as a lot of end-user education and we have risk-based controls in place.
KITTEN: And what about new technologies, such as out-of-band authentication by mobile devices? Is First Niagara considering anything like that?
ROGALSKI: We are looking at a number of different options for out-of-band authentication. The mobile channel is one of them. Currently today there is some spyware going on in Europe that has already reversed the effects of out-of-band authentication on a mobile device. We're also looking at things like browser hardening. We're actually updating our fraud detection software, currently increasing our challenge questions as the FFIEC guidance talks about to ask out-of-wallet questions, and we're getting some additional fingerprinting of cookies.
Risk Management
KITTEN: Now you mentioned risk management, and I'm going to ask a little about risk management as well as customer education. These are two areas the FFIEC has stressed as being critical to ongoing online security. What can you tell us about the strategy First Niagara has in place to address those two areas?
ROGALSKI: We're continually doing risk assessments on our online systems as well as our internal systems. We cycle through about a year cycle for risk assessments and we've been doing them all along. We feel we've got a really good control on that. As far as education goes, on our website we offer a security center for our customers and we talk about account takeover-type fraud, knowing your credit report, those types of things. This year we actually put out a commercial account takeover brochure to our commercial clients, talking to them about best practices, what to do and how to avoid online fraud. We're actually in development right now of a retail brochure to go out to our customers and it will address some of the FFIEC regulations as well.
We also meet with customers fairly regularly. I meet with customers and talk to them about online safety, security and commercial account takeover. The big thing that we really instituted this year though was I am constantly meeting with our branch managers and relationship managers of those commercial clients. I make them aware of what's going on, to have them in the middle so that they can speak to it when they're talking to customers because they really are our front line.
KITTEN: Do you feel that customers have been receptive to some of the education efforts that you've put out there?
ROGALSKI: They're much more receptive after they have an issue. That being said, they are receptive and they know we're willing to help. Banking is built on trust and the more you can build that trust relationship with the customer the happier they are. They understand we're looking out for them.
Fraud and Security
KITTEN: Now can you tell us a little bit about how your fraud and security teams are aligned and what steps you've taken to ensure that the two teams work in tandem to address ongoing and emerging cyberthreats, as well as risks?
ROGALSKI: As luck would have it, my team actually sits directly next to our fraud team, so it actually makes things very easy for us to communicate. Additionally, I regularly meet with the head of fraud at least twice a month, if not more than that. He sits around the corner from me as well. We do assist in all the cyberinvestigations that the fraud group takes on. They're more of a traditional fraud group and they're getting more cyber now as we start to grow bigger. Then we also have something called the emerging threats working group that the fraud group participates in with us. This is really looking at threats that are coming down the road and possible fraud that's coming down the road, making sure we have a plan in place and a way to attack it.
KITTEN: What advice can you offer other institutions as they work to develop plans and strategy to address online authentication, whether that be in-band or out-of-band?
ROGALSKI: I think the best advice I can give is just be proactive about it. Don't wait for something to happen or wait for the regulation to come. We've been looking at different options and we were waiting for the FFIEC regulation to come down. But we felt like we were in a pretty good secure place because of the ongoing risk assessments.
KITTEN: Before we close, what final thoughts would you like to leave with our audience as they relate to online security, complying with the new FFIEC guidance and user authentication generally?
ROGALSKI: Get started early. You can't start soon enough. Awareness is a great tool and it's pretty cheap to do. It's a couple of hours of your time typically to go out and speak to a group of customers. It makes them feel much better about awareness and it's cheap and effective. With layered security there is no silver bullet. If there was a silver bullet, I wouldn't be working here because I'd be working for that company. And leverage your partners. You need to leverage the people you're working with and your partners, both internal and external partners. The last thing I'd close with is security should be enabling business, not getting in the way of it.