FFIEC Guidance and Compliance

Institutions Should be Prepped for Future Tech Investments
As the financial industry anxiously awaits the release of new online authentication guidance from the FFIEC, experts speculate about what steps banks and credit unions should be taking now to prepare.What impact will changes to existing online authentication guidance have on financial institutions and the consumers and commercial businesses they serve?

As financial institutions and industry experts speculate about how to interpret the Federal Financial Institutions Examination Council's preliminary draft of new online authentication guidance, industry experts such as Aite Group banking fraud analyst Julie McNelley say banks and credit unions need to move forward with new initiatives, even if the guidance update is still pending.

"We've been talking to institutions quite a bit about this, ranking all of these technologies and how banks should invest in them," McNelley says. "Institutions shouldn't wait for this guidance to begin making an investment in technology. They can't afford to suffer from fraud that might result from not doing more risk assessments. ... The threat vectors are multiplying. It's something that needs to be addressed sooner rather than later."

From layered security to multifactor authentication, McNelley highlights measures banking institutions can embrace today, to ensure they are ready to comply with the new guidance when it is made official. Layered security, McNelley points to as an example, is specifically mentioned by the regulators in the pending guidance. Why? "Because any one point solution has proven to have a workaround from the fraudsters' perspective," she says. "So if you just rely on authentication, the fraudsters can get around that, and you need to do more. So, it's about having a number of different choices to catch fraud."

And when it comes to multifactor authentication, McNelley says regulators are giving banking institutions some technology and investment wiggle room; but they've made great strides to clarify multifactor authentication, which in the 2005 was interpreted in myriad ways.

"In the wake of the 2005 guidance, where the FFIEC said a single username and password were enough, that left a lot of room for interpretation," McNelley says. "Some institutions did geolocation and required a password and said 'that's enough.' ... It really was more about a compliance play than a loss-avoidance play."

During this interview about the pending FFIEC guidance, McNelley discusses:

  • The five primary takeaways regulators have included in the pending guidance;
  • Steps institutions can follow to determine which parts of the guidance they should focus on first; and
  • Why layered security is so critical, and applies to, everything from authentication to customer education to the security of emerging channels such as mobile.

McNelley is a senior analyst at Aite Group LLC who covers banking and payments fraud. She has more than a decade of hands-on product management experience working with financial institutions, payments processors and risk management companies. McNelley most recently served as senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business. Before joining Golden Gateway, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Under McNelley's leadership, Early Warning launched multiple new solutions to successfully detect and prevent fraud; further, she was a key member of the team that facilitated the spin-off of Early Warning Services from First Data Corp. to Bank of America, JPMorgan Chase, Wells Fargo, and BB&T. She also led operational process improvements for NextCard, identifying points of compromise and implementing solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering, where she analyzed online financial services and risk-management firms.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.