FFIEC Authentication Guidance: What Your Vendors Won't Tell You (Unless You Ask)

So, you've met with your key vendors and conducted a gap analysis of areas that need to be addressed prior to January 2012 to conform to the FFIEC Authentication Guidance. But how do you know if a specific vendor is sharing with you a complete picture of preparedness? Some vendors are upfront on their capabilities and limitations. However, many simply lack the expertise to understand the challenges that come with working with financial institutions. It's important to go into vendor relationships fully informed, even with the data they might not want to tell you freely. Join our vendor management expert, who will share these 'dirty little secrets,' including:
  • Does your vendor outsource the work they're doing for you to a fourth-party service provider - particularly overseas?
  • Does the vendor employ full-time employees only, or does it also hire temporary workers (contractors) who may be allowed to work remotely?
  • Is the potential loss resulting from a data breach greater than the vendor's contractual liability plus the vendor's total net worth?

In a recent interview with BankInfoSecurity, Jeff Kopchik of the FDIC made clear the expectations for banks regarding third-party service providers and compliance with the new FFIEC Authentication Guidance.

"The agencies have said many times - and authentication is no different - that it's the financial institution that's ultimately responsible for bringing itself into conformance with the guidance," says Kopchik, one of the principal authors of the guidance. "The buck stops at the financial institution's desk."

For several of the larger banking vendors, the federal regulators conduct their own examinations to assess compliance with the regulatory requirements. But for a range of other product/service vendors, that's not the case. Nonetheless, it's the banking institution's responsibility to ensure that products and services used by the institution align with regulatory expectations. This due diligence requires institutions to:

  • Work with core product and service vendors to ensure a mutual understanding of the FFIEC Authentication Guidance;
  • Conduct a gap analysis to determine which products/services do not currently bring the institution into conformance;
  • Create a strategic plan with milestones to ensure conformance prior to the 2012 regulatory exams.

But two challenges that institutions frequently encounter are:

  • What are the specific questions I need to ask my vendors regarding the FFIEC Authentication Guidance?
  • What information will my vendors not offer up unless I know to ask?

To assist you with this due diligence, Philip Alexander, an information security officer at a major U.S. financial institution, will share with you the vendor management tricks he's learned in years of overseeing such relationships for one of the nation's largest banking institutions.

In this exclusive two-part series, Alexander will tackle several key vendor management topics, including:

  • Security reviews;
  • Vendor's own regulatory compliance;
  • Vendor's financial stability;
  • Use of 4th-party service providers;
  • Liabilities in the event of a breach.
