How to Comply with FFIEC Authentication Guidance
Ex-Regulator Says Anomaly Detection is Biggest Challenge
Banks and credit unions should complete a risk assessment and then develop an action plan and timeline to fulfill the requirements of the new guidelines. Anomaly detection is one area that may take institutions more time to implement than the 180 days given by the FFIEC. "I don't know if that is a realistic possibility," says William Henley, a senior vice president with BITS, a division of The Financial Services Roundtable.
"But I think that institutions that do show that they did take the supplement seriously, they've got to work soon and can show that they've got an action plan ... that will go a long way with the regulatory agencies," he says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
BITS is stepping forward to aid financial institutions in tackling the issues at hand. So far, the organization has produced a summary of the changes between the new guidelines and the 2005 Guidance, and it's continually working with members in areas such as anomaly detection and helping them develop best practices.
And regarding additional guidance in areas such as cloud and mobile, Henley says agencies are considering and researching the emerging technologies now, but the timeline is hard to narrow down. "The work could be completed within months, but the release date is somewhat of an unknown factor or wild card," Henley says.
In an exclusive interview about the FFIEC authentication guidance update, Henley discusses:
- Toughest tasks for institutions looking to conform with the update;
- What needs to be done before Jan. 2012;
- Other banking/security areas that may require additional guidance.
As BITS Senior Vice President of Regulation, Henley manages relationships with federal regulators, outlines policy positions on operations and technology issues, and provides subject matter expertise on regulatory issues. Previously, he served as the Director of IT Examinations for the Office of Thrift Supervision, where he was the agency's principal advisor regarding the development, implementation and maintenance of policies, procedures and guidelines pertaining to the examination and supervision of savings associations in the area of Information Technology [IT] and Technology Risk Management, including electronic banking activities. Henley was the OTS representative to the FFIEC IT Subcommittee, serving as Chair from April 2009 to June 2010. Prior to joining the OTS, he spent 17 years with the FDIC.
TOM FIELD: For years you were with the Office of Thrift Supervision, before the FDIC. Tell us a little bit about your current role and the work you've done since taking it please.
WILLIAM HENLEY: A couple of weeks ago marked my one-year anniversary here at BITS, and it's been a very fast-paced year. But it's been a great experience. I'm the senior vice president for the regulation program, as you mentioned. BITS is the technology policy division for The Financial Services Roundtable, and I manage relationships with regulatory agencies and engage experts from financial institutions on information security, operational risk, vendor management, fraud risk and business continuity planning issues. I also lead the regulation program here within BITS. Our main objective or focus is primarily on advocacy work, as I mentioned: discussions and relationships with regulators, drafting comment letters in response to notices of proposed rulemaking, preparing congressional testimony and tracking top issues as they relate to the areas of operational risk. I also lead the Roundtable's privacy and data security working group looking at the Dodd-Frank Act implementation issues. So as you can see, with all of those various assignments, my schedule stays pretty full.
FIELD: Oh I'm sure it has. Really the topics haven't changed, just your role.
FFIEC Authentication Guidance
FIELD: And before you left the Office of Thrift Supervision, what role, if any, did you have in shaping this guidance that has just been released?
HENLEY: The supplement to the 2005 guidance is the result of an interagency effort, so prior to my departure from the OTS, I served as the chair of the FFIEC's Information Technology Subcommittee of the Task Force on Supervision. Each of the agencies had representatives to the subcommittee, and members of the staffs of each of those representatives contributed to the supplement. We worked along with the working group, all of the members, in researching and drafting the various sections of the supplement. I did play a role prior to my departure.
FIELD: What was your first reaction to the supplement as you saw it when it was released a few weeks back?
HENLEY: The agencies did good work with the supplement. Since 2005, the threats and the Internet landscape have changed significantly. For example, as you recall, the 2005 guidance clearly said that single-factor authentication was no longer acceptable for the authentication of high-risk transactions. At that time, one of the standards that the industry used was challenge questions as a second factor for authentication. In the interim, you know, with social media, many of the questions that were standard for challenge questions are easily found on social media sites. So, from that standpoint, that was one of the reasons why the guidance needed to be updated, and I think the guidance adequately addresses the areas that have evolved since 2005.
FIELD: As you look at the guidance as it was released, what would you say works about it? There are a number of different elements to it. What works well?
HENLEY: I think that all the changes are good and necessary, as I mentioned, primarily the reminder about the ongoing need for risk assessments. That was something that was included in the 2005 guidance. The agencies since the release have been pretty clear and pretty open about it. In a number of institutions they found that they interpreted the instructions to mean that the risk assessments were just a one-point-in-time exercise rather than an ongoing exercise to address the changes in the environment or the Internet landscape as products and services evolved. The supplement clearly outlines what the agencies expect from institutions with respect to risk assessments, by setting a minimum frequency that they be done at least annually and more frequently as more products or services are provided.
What Needs Work
FIELD: As you know, there are a number of different elements here, from layered security to customer awareness. As you look through the guidance, what do you feel still needs more work?
HENLEY: The expectation that the agencies have with respect to anomaly detection. With strengthening authentication practices, one of the things that they point to is anomaly detection, and I think they understand that this takes time. But I think they've underestimated the amount of time and work that goes into institutions setting up or developing a robust anomaly detection system. Given that there is just a 180-day phase-in for compliance with the supplement, this is an area where the agencies can take another look and give some consideration to the industry with the tight timeframe for them to try to comply with that portion of the supplement.
FIELD: Do you think that the date might get pushed back at all? I know there has been some talk that maybe 180 days just isn't enough.
HENLEY: I don't see that being pushed back. What I do think may happen in many cases is the agencies will give the institutions credit for work that they've done, those that have taken the supplement seriously and can document that they have started to work on compliance immediately.
Biggest Tasks For 2012
FIELD: What do you see as being the toughest task for banking institutions between now and 2012?
HENLEY: There is a new requirement, or a new audience, that the supplement addresses, and that is commercial customers. You will recall in 2005 that the authentication practices, or the strengthening of the authentication practices, applied strictly to consumer customers as opposed to commercial customers. I think that one of the toughest tasks for institutions will be working with small business accounts or commercial customers to take an active role in their security and to implement the administrative controls. What I mean by that is that there have been various studies and research done that point to the fact that some of the weakest links are security vulnerabilities that occur at the customer site, particularly with small businesses, where they may have a single terminal, several employees, and a single log-on or sign-in that's available to all the staff or all the employees. Now with the supplement, those types of practices will no longer be sufficient. There is some work that has to be done to strengthen these administrative controls at the client's site, or at the customer's site. So I think it has the potential to be a tough task for the institutions.
FIELD: What really has to happen with banking institutions between now and January of 2012? I know there is a presumption on the behalf of the agencies that much of this work should have been done already, and this should be just reinforcing good practices. But realistically, what needs to happen between now and the next examination?
HENLEY: There are some thoughts that the supplement is just addressing the last mile, but sometimes that last mile can be the toughest. The work that has to be done, or the thing that the institutions have to do, is to get started right now. Start early, complete a risk assessment and then develop an action plan and a timeline. It will be important for institutions to begin work on these enhancements immediately. And as you alluded to, there has been talk about the need to extend the phase-in period past 180 days. And as I mentioned before, I don't know if that is a realistic possibility. But I think that institutions that do show that they did take the supplement seriously, they've got to work soon and can show that they've got an action plan and a timeline, even in the third quarter of 2011, that will go a long way with the regulatory agencies, showing that they did have the intent to try to comply with the supplement. We are anticipating that it may take them longer than 180 days to comply.
FIELD: In other words, you've got to show the effort and you've got to show that it started before December?
HENLEY: Absolutely, yes.
Additional Guidance?
FIELD: In a number of areas that have come up for discussion about perhaps requiring additional guidance, mobile banking is one. When you look at this supplement, do you see banking and security areas that are going to require additional guidance soon down the road?
HENLEY: There are emerging technology issues, and we're aware that the regulatory agencies are considering or are researching these emerging technology areas. In addition to mobile banking and mobile payments, cloud computing would be another such emerging area, and those areas are important to us, to our members and to the industry as a whole. As you are aware, BITS recently released our cloud computing paper and the malware study, so these are areas that we've been giving attention to, and our members are looking at sound security practices. Last fall we also had the mobile banking summit. As the agencies think these emerging areas are important, likewise we, the industry, take these areas very seriously as well.
FIELD: You've got a good sense of how things work with the agencies. What sort of a timeline will we be looking at to see any additional guidance on some of these areas such as cloud and mobile? Are we talking months or are we talking years?
HENLEY: With interagency guidance, sometimes the difficult part can be the coordination between the agencies. The actual assessments or content may be able to be completed within months. For example, with the authentication supplement, there were many other areas that required the agencies' overall attention. Sometimes, because of resource allocation and priorities, while the work may be completed, the review at the senior levels may not be able to be completed as quickly as I think the overall agencies would like. The work could be completed within months, but the release date is somewhat of an unknown factor or wild card.
Top Three Steps to Conform
FIELD: Here's a final question for you. If you could boil it down, how should banking institutions now approach conforming to the update and the 180 days they have before them?
HENLEY: In simple sound bites: start immediately, develop a plan and document your process.
FIELD: You make it sound so easy.
HENLEY: I think if they follow those steps, that will be considered favorably by the agencies.
FIELD: And what will BITS be doing to help financial institutions get their arms around the issues that they need to tackle?
HENLEY: We've already sponsored a call for our members going over the changes that the supplement provides. We've produced a one-page summary that outlines where the areas of change are that the supplement has introduced, and we'll be continuing to work with our members in areas such as anomaly detection and helping them to develop best practices in order to comply with the guidance as close to that 180-day phase-in period as possible.