FFIEC Guidance: It's All About Risk
Risk Assessment Is Priority No. 1 for Institutions
"Every institution has to be extremely hands-on as it relates to their risk assessment," he says.
Most banks and credit unions are falling short in their assessments, and the rapidly changing online threat environment requires that institutions establish procedures to regularly review and assess their online risks.
If institutions go through the risk assessment process appropriately, then the environment benefits. "Customer information will be better protected; financial institutions will suffer fewer losses; and the financial institution regulators will be happier," Johnson says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
With the January conformance deadline fast approaching, institutions need to begin the evaluation process and document their strategies. Regulators will most likely give banks and credit unions some leeway, but banking institutions have to prove they have plans in place to quickly meet guidance compliance mandates.
During this interview, Johnson discusses:
- Steps to ensure risk assessments are constant and dynamic;
- The mobile channel's role in the strategic plan;
- Well-developed risk assessments and keeping regulators happy.
Johnson is the American Bankers Association's vice president and senior advisor, risk management policy, where he is involved in a variety of public policy and compliance issues. He currently leads the association's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness.
Johnson represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and serves on the BITS/Financial Services Roundtable Security Steering Committee. He is also a board member of the Financial Services Information Sharing and Analysis Center, a private corporation that works with government to provide the financial sector with cyber and physical threat and vulnerability information, as part of the nation's homeland security initiative.
TRACY KITTEN: This updated guidance has been discussed at length over the last several months. Now that the formal guidance is out, what are your general thoughts about the guidance?
DOUG JOHNSON: My observations are that it's basically a fairly consistent document on authentication guidance from what was first put out in 2005. It's mostly a clarification document. And from that standpoint I think it's very helpful for financial institutions to get some of those clarifications. For instance, we know that the agencies did have concerns about whether or not institutions were doing periodic risk assessments to see whether their risks had changed or whether or not they were essentially one and done doing a risk assessment, putting in authentication, setting up procedures and then thinking that the exercise was over. In fact, because the threats change, our measures that we need to take as financial institutions against those threats need to change as well. I don't think that frankly was any particular surprise. Those shouldn't be a secret to a lot of institutions either. I think that a lot of institutions with robust information and security programs recognize that authentication is just one piece of the overall information security puzzle and that the puzzle always changes and risks always do change. So therefore, as part of our process, your evaluation of your authentication procedures needs to change with that.
Online Security
KITTEN: You probably answered this question. Does the guidance hit the mark where online security and necessary authentication requirements for online banking are concerned?
JOHNSON: First of all, I think that we appreciated the process that the FFIEC agencies went through to get to their final destination. They asked us, along with others, to pull together banks of all sizes, community banks as well as money center banks and the working group. They asked us to come to them and talk about what we were seeing in the environment. I know the FFIEC agencies also spoke to the core processor and all the vendor portions of the community as well to get their perceptions on where the environment was and where the environment could be further improved.
From a process standpoint, although it took a while to get there, I think that what the agencies did is get an appropriate level of guidance from the stakeholders in that process. There's been some concern as to whether or not the guidance hits the mark as it relates to the vendor community. I think that the guidance does give financial institutions some additional tools to provide to the vendor community to say these are the things that our agencies want to have in place. These are things that we're going to be examined against, and as a result of that you need to have those tools as a vendor available to us and give us options as to what types of authentication measures we may want to put in place, based upon our risk.
Individual institutions do have different risk profiles. It remains to be seen whether or not from the vendor side if this hits the mark. But I think that the agencies did try to put together a process whereby institutions would have some additional leverage. Frankly, there are some instances where the vendor community has said to us that some institutions have been resistant to authentication measures because they didn't believe that their customers would find them appropriate and would find them too difficult to use. I think that what this guidance does is it gives the vendor community tools to say here is what you have to adhere to because of those situations that may hesitate to some degree. Has it hit the mark? I think to some degree it remains to be seen, but I think they clearly hit the target and we'll see how close to that ultimate mark the guidance ultimately ends up. But I also do think that we're very appreciative of the fact that the agencies did make the determination that this was going to be the FFIEC guidance, rather than if they were all going to essentially sign on to the guidance and not have any individual regulatory agency come up with something which might be different than what the other agencies were envisioning.
Risk Assessments
KITTEN: That's a great point that you make, especially when it comes to the vendors and the role that they play. One of the questions that I did want to ask you relates to how much advice banking institutions can seek when it comes to developing plans for risk assessments and how much they should rely on vendors to assist with that.
JOHNSON: Every institution has to be extremely hands-on as it relates to their risk assessment. What I've seen in institutions is there's a tremendous attempt on an enterprise risk management basis to try to develop some level of consistency associated with risk evaluations. And there are some instances where compliance risk can overlap with risk associated with fraud and information security. So there should be some level of consistency associated with the risk assessments in those particular areas. Consultants and the vendor really can assist in trying to think through some of that to the extent that the service providers are providing products in those particular areas. But you don't want to leave the evaluation of risk associated with any particular product obviously to the service provider that's providing you that product.
You have to take ownership of that and demonstrate to the regulatory agencies that you did that and can appropriately answer the questions that they're going to ask you about your risk assessment and what the process was associated with it, because a lot of the questions are going to be process questions. They're going to be questions associated with how did you go about the risk assessment? Who did you pull into the process associated with the risk assessment? How did you socialize that risk assessment with the leadership of the institution and the institution's directors - things of that nature which are completely under the control and ownership of the institution in approach to any particular service provider or consultant.
KITTEN: Right, that makes sense. I also wanted to ask you about mobile. Many concerns have been raised in the mobile arena. Does this guidance adequately cover mobile transactions?
JOHNSON: I believe that the agencies are continuing to look at mobile. Whether or not there will be specific, discrete guidance associated with mobile will be a possibility. I don't know that it's a certainty. They're going out to the financial services community, the service provider community and the mobile environment and really getting a good understanding of what's being deployed and what risk mitigation measures are being put in place associated with mobile. Some of those risk mitigation measures are different in a mobile environment than they are within a strict Internet environment. But clearly those worlds are blending. For example, when you're talking about out-of-band authentication, in some instances one of those measures is going to be a call or a text message to the phone. As those measures blend together, what you see is really a need to think about authentication and information security in a holistic fashion, as opposed to trying to think of them discretely as this is Internet and this is mobile.
Areas of Improvement
KITTEN: That's a good point. One of the areas that's highlighted in the FFIEC guidance is the need for more layered security practices and stronger authentication methods, which of course would bring in what you're discussing, the out-of-band authentication. But where do you see most banks falling short now, and what steps should they be taking to ensure that they're compliant and ready by January?
JOHNSON: I believe it's in risk assessment. I think that's what the agencies saw as part of their exams, to the extent that institutions can more effectively address the change in the risk environment as part of that risk assessment, to make that risk assessment a dynamic process as opposed to one-and-done, I think the environment will all be better served. Customer information will be better protected. Financial institutions will suffer fewer losses and the financial institution regulators will be happier. That's a good combination of three different stakeholders that are all moving in the right direction. That's really what's key, making sure that you've gone through that risk assessment process appropriately, because let's face it that's where everything starts. That's where you've done the evaluation to make the determination of what risk you need to mitigate and it's only after having done that appropriately and continuing to do that that you really are able to address those risks by putting in the proper procedures and mitigation measures.
The one thing I want to compliment the agencies on is the fact that they continue to recognize, particularly in the consumer, retail environment, that there's some really basic blocking and tackling that institutions can do as opposed to always looking through technology solutions. Standard internal controls are always vital in these particular instances and should not be ignored, and that's particularly true in the community bank environment. Sometimes it's not about technology. Sometimes it's about the human factors.
Meeting the January Deadline
KITTEN: That's a good point that you make, and customer education and awareness of course is something that the FFIEC has noted as well that would tie in with the risk assessment. But I'd also like to ask you about this January deadline. What advice can you offer to institutions that will be scrambling to comply by January?
JOHNSON: Open up that risk assessment. Look at what they've done before and see whether or not they think that those are the risks. Do that risk evaluation, make a determination as to whether or not the risks that you determined were prevalent when you first did that assessment are the risks that are still prevalent, and if they aren't, then you've got a revision to make. Set up a process whereby at least on an annual basis you're reviewing that risk assessment to make a determination as to whether or not it's a dynamic document. That's where I would start first and foremost. But also I would talk, to the extent that you're looking to your core processors and Internet banking service providers to provide you with solutions, really talk to them about what their feelings are associated with the guidance and what their approach is going to be in terms of helping you address the risk issues that you see within your environment, because it's only if you have an appropriate partnership between yourself and those that are providing you those products that you will be able to effectively protect the environment.