
FFIEC Authentication Guidance: Essential Questions You Need to Ask Your Vendors

Banking regulators make no bones about it: Your third-party service providers aren't responsible for ensuring that you attain conformance with the FFIEC Authentication Guidance. You are. How do you ensure their ability to aid your efforts towards compliance? Learn the secrets of a vendor management expert, who will share with you the probing questions to ask your vendors, including:

  • When and how does your vendor perform external audits checking the security of its products?
  • Which authentication controls are built into your vendor's current online banking products - do they conform to the FFIEC Authentication Guidance 2011 update?
  • What is your vendor's tactical plan for the remainder of 2011 to ensure its products and services conform to the new guidance in time for 2012?


In a recent interview with BankInfoSecurity, Jeff Kopchik of the FDIC made clear the regulators' expectations for banks regarding third-party service providers and compliance with the new FFIEC Authentication Guidance.

"The agencies have said many times - and authentication is no different - that it's the financial institution that's ultimately responsible for bringing itself into conformance with the guidance," says Kopchik, one of the principal authors of the guidance. "The buck stops at the financial institution's desk."

For several of the larger banking vendors, the federal regulators conduct their own examinations to ensure compliance. But for the majority of service providers, the responsibility is the banking institution's to ensure that products and services all align with regulatory expectations. This due diligence requires institutions to:

  • Sit down with core vendors and ensure a mutual understanding of the FFIEC Authentication Guidance;
  • Conduct a gap analysis to determine which products and services do not currently bring the institution into conformance;
  • Create a strategic plan with milestones to ensure conformance before the 2012 regulatory exams.

But two challenges that institutions frequently encounter are:

  • What are the specific questions I need to ask my vendors regarding the FFIEC Authentication Guidance?
  • What information will my vendors not offer up unless I know to ask for it?

To assist you with this due diligence, Philip Alexander, an information security officer at a major U.S. financial institution, will share with you the vendor management tricks he's learned in years of overseeing such relationships for one of the nation's largest banking institutions.

In this exclusive two-part series, Alexander will tackle several key vendor management topics, including:

  • Security reviews;
  • Vendor's own regulatory compliance;
  • Vendor's financial stability;
  • Use of 4th-party service providers;
  • Liabilities in the event of a breach.


