Prepping for your next Federal Exam: Actionable Activities to Prove FFIEC Authentication Guidance Accountability
Author: Jacqueline Marshall, JaMarshall@jackhenry.com
It’s hard to believe that it’s been one year since the FFIEC finalized the Supplement to Authentication in an Internet Banking Environment (June 2011). The intense media play of this guidance during the first several months of its release among financial institutions (FIs) and technology support vendors alike seems to have quieted to an eerie silence.
Is this because Technology Service Providers are exhausted from hyper-extending development teams to create new authentication controls? Or, perhaps, because FIs tackling the risk assessment process (in some cases for the very first time) are feeling confident and in control or, conversely, confused and frightened? Maybe the hush is due to FIs holding their breath to hear how peer banks are coping with exams.
The recent Bankinfosecurity.com 2012 Faces of Fraud Survey indicates that only 11 percent of FI survey respondents have come into conformance since the updated guidance was issued. Half of the survey's respondents say they do not conform now, and nearly one-quarter say they don't even know their state of conformance. "The survey results reflect the confusion among most FIs as to what's expected of them when it comes to practical technical solutions," says Gartner analyst Avivah Litan.
One bright spot is a rumored FFIEC Authentication FAQ on this subject, similar to what the FTC published in 2001 after the GLBA Privacy rule. Whether or not an official FFIEC FAQ on the guidance ever surfaces, those of us in the business of listening to trends and feedback can offer FAQ-type support of our own. Our suggestion: the best way to address high-level federal regulatory directives and mitigate risk is to turn each risk assessment finding into a strategic, actionable response, so that the minimum expectations outlined in the supplemental guidance are fully met.
For example, regularly monitoring high risk online banking transactions for anomalies is considered an important activity for ensuring the security of transactions and data from internal and external threats/vulnerabilities. The examiner will also want to see actionable detail that supports reporting on exception criteria based on historical customer activity, systematic identification of events to monitor for, and assignment of appropriate responsibilities to manage. Policy and procedural activities should also include requirements for documentation and archiving, as well as appropriate follow-up (specific incident response procedures) for exceptions.
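The monitoring activity described above can be reduced to something concrete an examiner can inspect: a per-customer baseline built from historical activity, a fixed set of exception criteria, and an exception record that names who owns the follow-up. The Python below is an added illustration written for this post, not code from the author, Jack Henry, or any banking platform; the transaction history and new activity are constructed sample data, and the criteria (amount ceiling, first-time payee, unused channel, off-hours activity) are assumptions chosen for the example rather than anything the guidance prescribes.

```python
"""Baseline-driven exception monitor for online banking transactions.

Added example for illustration; not code from the post or any vendor.
All data below is constructed. Record layout is assumed to be
(customer_id, ISO timestamp, amount, payee, channel).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed historical activity used to build each customer's baseline.
HISTORY = [
    ("C100", "2012-05-01T10:02", 1200.00, "ACME Supply", "ACH"),
    ("C100", "2012-05-08T09:55", 1150.00, "ACME Supply", "ACH"),
    ("C100", "2012-05-15T10:10", 1300.00, "ACME Supply", "ACH"),
    ("C100", "2012-05-22T10:05", 1250.00, "Payroll Svc", "ACH"),
    ("C200", "2012-05-03T14:20", 80.00, "Utility Co", "BillPay"),
    ("C200", "2012-05-17T14:31", 95.00, "Utility Co", "BillPay"),
]

# Constructed new activity to screen against the baseline.
NEW_ACTIVITY = [
    ("C100", "2012-06-04T10:00", 1275.00, "ACME Supply", "ACH"),      # within baseline
    ("C100", "2012-06-04T02:47", 9800.00, "New Vendor LLC", "Wire"),  # trips several criteria
    ("C200", "2012-06-05T14:25", 90.00, "Utility Co", "BillPay"),     # within baseline
]


def build_baseline(history):
    """Summarize each customer's history: amount statistics, known payees, channels, hours."""
    per_customer = defaultdict(list)
    for cust, ts, amount, payee, channel in history:
        per_customer[cust].append((ts, amount, payee, channel))
    baseline = {}
    for cust, rows in per_customer.items():
        amounts = [r[1] for r in rows]
        baseline[cust] = {
            "mean": mean(amounts),
            "stdev": pstdev(amounts),
            "max": max(amounts),
            "payees": {r[2] for r in rows},
            "channels": {r[3] for r in rows},
            "hours": {datetime.fromisoformat(r[0]).hour for r in rows},
        }
    return baseline


def evaluate(txn, baseline, z_limit=3.0):
    """Return the exception criteria a transaction trips; an empty list means no exception."""
    cust, ts, amount, payee, channel = txn
    b = baseline.get(cust)
    if b is None:
        return ["no history for customer"]
    reasons = []
    # Ceiling is the larger of mean + z*stdev and the historical maximum (assumed rule).
    stat_limit = b["mean"] + z_limit * b["stdev"]
    ceiling = max(stat_limit, b["max"])
    if amount > ceiling:
        reasons.append(f"amount {amount:.2f} exceeds baseline ceiling {ceiling:.2f}")
    if payee not in b["payees"]:
        reasons.append(f"first payment to payee '{payee}'")
    if channel not in b["channels"]:
        reasons.append(f"unused channel '{channel}'")
    hour = datetime.fromisoformat(ts).hour
    if hour not in b["hours"] and (hour < 6 or hour > 22):
        reasons.append(f"off-hours activity at {hour:02d}:00")
    return reasons


def monitor(activity, baseline, owner="fraud-ops"):
    """Screen new activity; each exception becomes an archivable record with an assigned owner."""
    exceptions = []
    for txn in activity:
        reasons = evaluate(txn, baseline)
        if reasons:
            exceptions.append({
                "customer": txn[0],
                "timestamp": txn[1],
                "amount": txn[2],
                "criteria": reasons,
                "assigned_to": owner,   # responsibility assignment, per the post
                "status": "open",       # closed by the incident response follow-up
            })
    return exceptions


if __name__ == "__main__":
    for record in monitor(NEW_ACTIVITY, build_baseline(HISTORY)):
        print(record)
```

The point of the structure, rather than the specific thresholds, is that every element the examiner asks about is visible: the baseline is derived from the customer's own history, the criteria are enumerated in one place, and each exception carries an owner and a status so the documentation, archiving, and follow-up requirements have something to attach to.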
A terrific resource for implementing these types of actionable activities to complement and fully address the FFIEC Authentication Guidance objectives is the Texas Bankers Electronic Crimes Taskforce Best Practices for Reducing the Risk of Corporate Account Takeover. This 17 page document clearly and concisely supports the FFIEC Authentication Guidance with a set of best practices compiled for each of the recommended processes and controls under a Protect, Detect, and Respond framework. These best practices are not an all-inclusive list and are provided as guidance to assist in implementing the nineteen processes and controls needed to reduce the risk of Corporate Account Takeover thefts.
Approaching compliance with a fluid, actionable approach will also support an ongoing initiative that acknowledges that electronic crimes are dynamic, and that further changes to risk management processes and controls will be necessary as electronic theft continues to evolve.
What has been your FI's strategy for addressing the FFIEC's Supplement to Authentication in an Internet Banking Environment?