FFIEC: Industry Dialogue

Introduction

This section offers a summary of and links to helpful articles and commentary from across the industry on the updated FFIEC guidance. We've organized it by topic, so the excerpts that pertain to your area of interest are grouped under the headings below.

Initial Response/Summary

Gartner

June 29, 2011:: FFIEC finally releases new Guidance

The forest - or the sound principles introduced by the 2005 Guidance - was lost for the trees - or the technical solutions that the appendix to the 2005 Guidance outlined, many of which fell flat on their face when it came to protecting customer bank accounts. I'm afraid that could happen again this time since the FFIEC has not steered away from outlining technical measures and attack vectors that the banks will build their security to in the next few years. The cycle will likely repeat. The attacks will get more sophisticated, and will use new techniques that are not addressed in the details of the guidance.

Agency Response to Industry Reaction

FDIC

June 29, 2011:: FDIC Defends New Guidance

One of the primary authors of the updated FFIEC Authentication Guidance says critics are too hung up on mobile banking and other elements they deem missing. In fact, placing so much emphasis on what's "missing" from the guidance detracts from regulators' intent: to provide financial institutions with a guideline for securing online transactions, says Jeff Kopchik, senior policy analyst with the FDIC. "The agencies are of the opinion that this guidance and the original guidance apply to mobile," he says. "We thought that was a given." Kopchik is quick to address criticisms that the update does not do enough to address emerging and future online attacks. "I think the agencies are of the opinion that if you follow what's in the guidance, these are good common-sense controls that will work on the threats we are seeing. There's no way that we could address all the future threats, and there's no way to know what all the threats in the future will be."

NCUA

August 19, 2011:: FFIEC: NCUA Offers Tips for CUs

Credit unions have not been immune to the onslaught of cybercrime, and they'll be expected to step up their defenses.

Cause for Guidance

The Frontlines of Fraud

June 29, 2011:: FFIEC Releases Supplemental Guidance for Internet Banking Security

It is important not to overlook that at its heart and most importantly the guidance acknowledges that today's threats are too sophisticated for yesterday's controls. Authentication alone is no longer effective for protecting online accounts and transactions and financial institutions now have new expectations for risk assessments and layered security strategies.

Gartner

June 30, 2011:: Experts: FFIEC Guidance Falls Short

"[The guidance] repeats, as it should, the fact that virtually every authentication technique can be compromised," [Gartner's Avivah] Litan says. "The last FFIEC guidance in this area spent too much time on specific authentication measures and not enough on a layered security approach." National Credit Union Administration Chairwoman Debbie Matz says catching that fraud before it drains commercial accounts is precisely what regulators had in mind.

TowerGroup

July 1, 2011:: FFIEC Guidance: What Banks Should Know

As cases over incidents of corporate account takeover, a.k.a. ACH and wire fraud, heated up in the courts, the need for regulatory direction regarding reasonable online security and more risk assessment responsibility became ever more pronounced.

NCUA

July 6, 2011:: Online Security: Tough New Standard Touted by Matz

The FFIEC guidelines were last updated in 2005. A growing series of breaches and hack attacks have since then netted fraudsters around the globe millions of dollars and sparked legal battles over liability between victimized banks and customers. The new guidelines call for recognition of layered security measures to deal with escalating levels of risk, improved and expanded authentication mechanisms, financial education and other measures to combat online fraud and identity theft.

TowerGroup

July 12, 2011:: FFIEC Guidance Is Out - Now What

Ingeniously villainous malware (ZeuS, SpyEye, Odd Job, Tatanga, ...) and plenty of old tricks that still work (phishing, whaling, vishing, Evil Twins, ...) mean criminals will always find a way in.

Implementation, How to Meet New Expectations

FDIC

June 29, 2011:: FDIC Defends New Guidance

"I think the next step, whether they do this on their own or work with a service provider, is to do an assessment and compare it with the controls they have in place. They need to see where they fall short, relative to the guidance," [FDIC's Jeff Kopchik] says. "This supplement raises the bar from 2005. They have to put together a plan for the controls that will meet the supervisory [detail] that's in the guidance."

TowerGroup

July 12, 2011:: FFIEC Guidance Is Out - Now What

1. Complete a risk assessment: types of transactions; current system capabilities
2. Complete a gap analysis: where controls needed to contain identified risks are missing
3. Develop your Technology / Process Strategy: Define policies, select technology, implement
4. Customer Communications: Develop messages, then define how you'll communicate them
5. Update Risk Assessment: trigger events, or at least every 12 months

Gartner

July 15, 2011:: FFIEC: First Steps Toward Compliance

The new FFIEC Authentication Guidance is a very good "cookbook" for financial institutions to apply layered security to their systems, says Avivah Litan of Gartner. Institutions can take the document and look at their systems honestly and objectively and ask themselves how many security layers have they put in.

Layered Security/Anomaly Detection

Bank Info Security

December 20, 2011:: FFIEC Guidance: Are Banks Ready?

Regulators want to see what institutions have done to fill the gaps identified in their assessments - especially in terms of the layered security controls prescribed by the guidance.

Gartner

June 29, 2011:: FFIEC finally releases new Guidance

The FFIEC Guidance did a really good job outlining the need for layered security measures, giving broad examples of layered security controls, specifying detection and response strategies, as well as offering sound advice on administrative controls, and customer awareness and education...The guidance clearly outlines the need for a system of layered security and repeats, as it should, the fact that virtually every authentication technique can be compromised.

The Frontlines of Fraud

June 29, 2011:: FFIEC Releases Supplemental Guidance for Internet Banking Security

The supplement reinforces the need for a layered security approach, and explicitly states that the agencies expect (not suggest or encourage, but expect) that an institution's layered security program will contain two elements at a minimum: 1) the ability to detect and respond to suspicious activity, and 2) improved control of administrative functions. It defines the first element as processes designed to detect and effectively respond to suspicious or anomalous activity related to initial log-in and electronic transaction requests. That is, check for suspicious activity from log-in to log-out.

FDIC

June 29, 2011:: FDIC Defends New Guidance

"When you ask about why there is little guidance for smaller institutions that rely on vendors, I think that if you read the guidance very carefully, it talks about supervisory expectations. And those expectations are applicable to the largest banks and the smallest banks that work with service providers," [FDIC's Jeff Kopchik] says. "It's a layered security approach, and that layered security approach must have at least two layers. That would have addressed a lot of the fraud that we've seen over the past year, and this is noted on Page 5," which references the role transactional-anomaly detection would have played in detecting most of the recent incidents of corporate account takeover..."We thought more of the key is layered security. The fraudsters are so good these days; the attacks are so sophisticated; you don't want to rely on just one control. If any one control is compromised, then you have other controls that will pick the fraud."

Gartner

June 30, 2011:: Experts: FFIEC Guidance Falls Short

The guidance now calls for MFA [multifactor authentication] for commercial customers. This is very good, but is a day late and a dollar short. Banks need to see the bigger picture of the guidance. MFA alone for commercial customers isn't enough. It must also include the other components of layered security....The regulators should be more matter-of-fact in setting out the guidelines and principles. For example, they should tell banks that they need to detect and stop money transfers that are clearly out of the ordinary, when compared with the customer's established pattern of behavior...Layered security and anomaly detection will likely catch the fraud the small banks have been experiencing.

TowerGroup

July 5, 2011:: FFIEC's New Security Rules Will Weaken Banks' Lawsuit Defenses

The updated guidance looks beyond the initial authentication. The agency now requires banks to have a layered approach to security and to have continuous risk assessments. Banks must protect security at the transaction level....Transaction-level scrutiny can be expected from now on. "The [FFIEC] supplement explicitly requires anomaly detection for business accounts, so if the bank didn't have it in place they would likely be held liable," Tubin said.

TowerGroup

July 6, 2011:: FFIEC Guidance: What Banks Should Know

"The key piece is anomaly detection. The problem is that the technologies we have in place are good against most types of fraud, but they don't do very well against what we call 'man in the browser' types of fraud, which could get by the authentication that's typically put in place," Tubin says. "The anomaly detection is sort of that second layer of defense, so if a criminal does get in, let's try to identify that that happened and let's look at what transactions they're doing and what behaviors they're exhibiting, and hopefully we can see that there's potential fraud happening."

NCUA

July 6, 2011:: Online Security: Tough New Standard Touted by Matz

Detection of transaction anomalies also was heavily stressed and included in the measures the FFIEC said it expected financial institutions to use "at a minimum." "Based upon the incidents the agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer's established patterns of behavior," the new guidance said.

TowerGroup

July 12, 2011:: FFIEC Guidance Is Out - Now What

Layered Security means: Different controls at different points; Fill in gaps; There's no silver bullet; No "one size fits all" approach; It's dynamic; Layers must be coordinated; Different clients will dictate different methods; You don't know what you don't know.

Gartner

July 15, 2011:: FFIEC: First Steps Toward Compliance

I think they've got the principles right. For example, they emphasize the need for a system of layered security, and they repeat time and again that virtually every authentication technique can be compromised, so it's important to have this layered system. If the criminals get through one layer, you've got another layer to back you up...I would venture to say that 80 percent of the financial institutions in the United States have very weak security. Those banks do have a lot of work to do. I don't think there are any two ways to look at it. They need to put in a layered system security approach.

NCUA

August 19, 2011:: FFIEC: NCUA Offers Tips for CUs

An effective layered security program should include: Fraud detection and monitoring systems with a focus on customer history and behavior; Dual control and segregation of duties settings; Out-of-Band verification for transactions; and appropriate controls over account activities (see article for full list).
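A worked illustration of the transaction-anomaly layer that the excerpts above describe: Litan's call to "detect and stop money transfers that are clearly out of the ordinary, when compared with the customer's established pattern of behavior," the guidance's own observation that fraudulent ACH/wire originations were anomalous against customer history, and the NCUA's list of fraud monitoring, dual control and out-of-band verification as layers. This is an added example written for this page, not code from any of the quoted sources, from the FFIEC, or from any vendor product. The customer, payee identifiers, amounts, dates, scoring weights, thresholds and the mapping of scores to "allow / out-of-band step-up / hold for dual control" are all assumptions chosen for illustration. It builds a per-customer baseline from constructed past transfers and scores a new origination against it, so the output is a next control to apply rather than a bare accept/reject.

```python
"""Transaction-anomaly layer for ACH/wire originations (added, illustrative example).

Builds a per-customer baseline from past approved transfers and scores a new
origination against it. Weights, thresholds and the three dispositions are
assumptions chosen for illustration, not values taken from the FFIEC guidance.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    customer: str
    payee: str        # assumed: a stable payee key (e.g. hash of routing + account)
    amount: float     # USD
    when: datetime    # initiation time, institution local time


@dataclass
class Profile:
    """Baseline learned from a customer's historical, non-disputed transfers."""
    payees: set = field(default_factory=set)
    amounts: list = field(default_factory=list)
    weekdays: set = field(default_factory=set)   # 0 = Monday
    hours: set = field(default_factory=set)      # hour of day of past originations

    @classmethod
    def from_history(cls, history):
        p = cls()
        for t in history:
            p.payees.add(t.payee)
            p.amounts.append(t.amount)
            p.weekdays.add(t.when.weekday())
            p.hours.add(t.when.hour)
        return p

    def amount_ceiling(self):
        # mean + 3 sigma, floored at 1.5x the largest historical transfer so a
        # customer with very uniform amounts is not flagged by ordinary growth
        return max(mean(self.amounts) + 3 * pstdev(self.amounts), 1.5 * max(self.amounts))


def evaluate(profile, t, recent, window=timedelta(hours=1), max_per_window=2):
    """Score transfer `t` against `profile`. `recent` holds the customer's other
    originations from the same session/day. Returns score, reasons and decision."""
    score, reasons = 0, []
    if t.payee not in profile.payees:
        score += 3
        reasons.append("new payee")
    if t.amount > profile.amount_ceiling():
        score += 3
        reasons.append("amount above historical ceiling")
    if t.when.weekday() not in profile.weekdays or t.when.hour not in profile.hours:
        score += 1
        reasons.append("outside usual origination time")
    burst = [r for r in recent if abs(t.when - r.when) <= window]
    if len(burst) >= max_per_window:
        score += 2
        reasons.append("velocity: %d originations within %s" % (len(burst) + 1, window))
    # Layered response: the score selects the next control, so a session that
    # passed login still meets a second layer before money moves.
    if score <= 1:
        decision = "allow"
    elif score <= 3:
        decision = "step-up: out-of-band verification with the customer"
    else:
        decision = "hold: dual-control approval / manual fraud review"
    return {"score": score, "reasons": reasons, "decision": decision}


def sample_history():
    """Constructed baseline for a hypothetical small business: weekly payroll on
    Friday mornings plus occasional supplier payments on Tuesday mornings."""
    h = []
    first_friday = datetime(2011, 7, 1, 9, 30)
    for week in range(8):
        h.append(Transfer("acme-llc", "PAYROLL-SVC", 8000 + 75 * week,
                          first_friday + timedelta(weeks=week)))
    for i, amt in enumerate([1500, 2200, 2800, 1900]):
        h.append(Transfer("acme-llc", "SUP-1", amt,
                          datetime(2011, 7, 5, 10, 15) + timedelta(weeks=2 * i)))
    return h


def demo():
    """Score a set of constructed originations; returns {case name: evaluation}."""
    profile = Profile.from_history(sample_history())
    fri = datetime(2011, 8, 26)   # a Friday, matching the baseline's payroll day
    cases = {
        "routine payroll": (Transfer("acme-llc", "PAYROLL-SVC", 8600, fri.replace(hour=9, minute=45)), []),
        "known supplier, odd day": (Transfer("acme-llc", "SUP-1", 2400, datetime(2011, 8, 25, 15, 0)), []),
        "oversized to known payee": (Transfer("acme-llc", "SUP-1", 60000, fri.replace(hour=9, minute=40)), []),
        "new payee at 02:05": (Transfer("acme-llc", "NEW-PAYEE-1", 9800, datetime(2011, 8, 31, 2, 5)), []),
    }
    in_flight = [Transfer("acme-llc", "NEW-A", 4000, fri.replace(hour=9, minute=0)),
                 Transfer("acme-llc", "NEW-B", 4000, fri.replace(hour=9, minute=10))]
    cases["third new payee in 20 min"] = (Transfer("acme-llc", "NEW-C", 4000, fri.replace(hour=9, minute=20)), in_flight)
    return {name: evaluate(profile, t, recent) for name, (t, recent) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-28s score=%d %-55s %s" % (name, result["score"], result["decision"], result["reasons"]))
```

The point of the example is the disposition column: a routine payroll run and a known supplier paid on an unusual day pass, an oversized payment to a known payee triggers out-of-band confirmation, and a new payee at 02:05 or a burst of new payees in one session is held for dual control. A real deployment would learn the baseline from the institution's own history, tune the weights against its false-positive budget, and feed held items to the response process the guidance expects.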

Timing

Gartner

June 30, 2011:: Experts: FFIEC Guidance Falls Short

NCUA's Debbie Matz adds that federally insured credit unions, like other institutions that fall under regulatory scrutiny, will be expected to adopt strategies from the supplement to strengthen and enhance controls by January 2012. "Beginning in 2012, at credit unions offering electronic services, NCUA examiners will evaluate these controls under the enhanced expectations outlined," she says.

TowerGroup

July 1, 2011:: FFIEC Guidance: What Banks Should Know

The FDIC's Jeff Kopchik defended regulators' decision to begin compliance assessments in January, less than six months from now. "We felt this time that institutions would not need as long a period of time to bring themselves into compliance. The 2005 guidance has been out there a while, and, frankly, people like yourself have been writing about it for a while and talking about it for a while."

NCUA

July 6, 2011:: Online Security: Tough New Standard Touted by Matz

"For federally insured credit unions, they will be expected to adapt appropriate strategies to strengthen and enhance controls by January 2012," [NCUA Chairman Debbie] Matz said. "Beginning in 2012, at credit unions offering electronic services, NCUA examiners will evaluate these controls under the enhanced expectations outlined in the supplement."

TowerGroup

July 12, 2011:: FFIEC Guidance Is Out - Now What

You have to do this; putting it off won't make it go away. Guidance terms "should" and "suggest" = Regulation term "must".

Risk Assessment

Bank Info Security

December 20, 2011:: FFIEC Guidance: Are Banks Ready?

"I think the annual risk assessment is a much bigger deal than most banks realize," (Gartner analyst Avivah) Litan says. "Most banks have not done an annual risk assessment to the level that the new guidance calls for."

FDIC

June 29, 2011:: FDIC Defends New Guidance

"I think the next step, whether they do this on their own or work with a service provider, is to do an assessment and compare it with the controls they have in place. They need to see where they fall short, relative to the guidance," [FDIC's Jeff Kopchik] says. "This supplement raises the bar from 2005. They have to put together a plan for the controls that will meet the supervisory [detail] that's in the guidance."

Customer Education

Gartner

June 29, 2011:: FFIEC finally releases new Guidance

The guidance is much too unclear on Customer Awareness and Education. It does say that banks need to explain to their customers what protections are provided - and not provided - to account holders relative to electronic fund transfer. But it makes no mention of HOW they need to impart this explanation. So banks can still get away with burying the explanations on protections to their business customers in long multi-page wordy contracts printed in very small font, which customers may not read.

FDIC

June 29, 2011:: FDIC Defends New Guidance

[FDIC's Jeff] Kopchik says regulators did not want to dictate how institutions should work with their customers on educational efforts, but thought it necessary to point out that education is a key part of a layered approach. "They both play a role; there are things banks and customers can do. ... We just want to encourage banks to educate their customers about what they can do to make sure they're secure."

NCUA

August 19, 2011:: FFIEC: NCUA Offers Tips for CUs

Education is an essential component in increasing consumer security awareness. NCUA encourages credit unions to take proactive steps to educate consumers, such as: Establishing an online consumer security awareness center, Performing ongoing customer education, Providing educational articles, and Updating consumer awareness information as the internal and external threat environment changes.

3rd Party Providers

Bank Info Security

December 20, 2011:: FFIEC Guidance: Are Banks Ready?

(Gartner analyst Avivah) Litan believes most community institutions are working hard to meet the FFIEC's demands for risk assessment strategies, layered security controls and improved customer awareness of online banking risks - the core tenets of the guidance. But for the smaller institutions, FFIEC conformance depends heavily on the effectiveness of their core processors - their third-party service providers.

FDIC

June 29, 2011:: FDIC Defends New Guidance

[Gartner's Avivah] Litan says she would have liked to have seen regulators offer smaller institutions more details about how core processors and vendors should work to ensure banks stay compliant. "There is nothing in the guidance that specifically addresses the needs and requirements of small banks, which constitute over 80 percent of the U.S. bank population in terms of number of institutions, that rely on third-party service providers for online banking and online banking security. Where's the guidance for them?" [The FDIC's Jeff Kopchik replied] "When you ask about why there is little guidance for smaller institutions that rely on vendors, I think that if you read the guidance very carefully, it talks about supervisory expectations. And those expectations are applicable to the largest banks and the smallest banks that work with service providers. It's a layered security approach."

Gartner

June 30, 2011:: Experts: FFIEC Guidance Falls Short

That heightened scrutiny will likely mean more reliance on third-party service providers. [Former BofA exec, David] Shroyer says vendors will have to help banks quickly determine the best routes to pursue. "Banks will now be graded on both the existence and effectiveness of their layered security controls, which requires front-door authentication, in-flight transaction protection and backdoor fraud detection," he says.

Gartner

July 15, 2011:: FFIEC: First Steps Toward Compliance

About 80 percent of the banks in the United States rely on third-party service providers that are providing their online banking platforms and also the security for online banking. Even some of the large banks rely on those service providers for ACH and wire transfer. It's not clear in this guidance how a small bank will take this guidance and apply it when they rely on their service provider...Right now they're at the mercy of those providers, and they don't have direction on how to get the kind of security measures they need out of them.

Lawsuits over Fraud Losses

Gartner

June 30, 2011:: Experts: FFIEC Guidance Falls Short

George Tubin, a senior research director for TowerGroup, says the timing of the guidance is interesting, relative to the case between EMI and Comerica. "If you look at the technology that they are recommending in this new supplement and you look at the case with Experi-Metal, if Comerica had been using the technology recommended, it would have caught the fraud," Tubin says. "Based on the court ruling, I think banks will be held more accountable. But as long as the banks are following what's outlined here in this new FFIEC guidance, they will be covered. At least that's the way the court seems to have viewed it in this case."

TowerGroup

July 1, 2011:: FFIEC Guidance: What Banks Should Know

The crux of the EMI case revolved around "good faith." [TowerGroup's George] Tubin says that good faith is what the new FFIEC authentication supplement addresses when it points out that banks should be monitoring transactions with industry-acceptable technology. Quite simply, they should be putting forth their best efforts to thwart fraud. "If Comerica had used that recommended technology, it would have caught the fraud."

TowerGroup

July 5, 2011:: FFIEC's New Security Rules Will Weaken Banks' Lawsuit Defenses

In an unintended consequence of the newly revised federal rules on cybersecurity, banks are likely to fare much worse in lawsuits over fraud losses...George Tubin, a senior research director with TowerGroup, said the Comerica decision may encourage more businesses to sue their banks over fraud liability because the businesses stand a better chance of a favorable outcome.

Bank Info Security

November 21, 2011:: ACH Fraud: More Education Needed

Patco Construction remains at legal odds with Peoples United, which acquired Ocean Bank shortly after the Patco breach (in 2009). Patco is now appealing a ruling handed down by a magistrate earlier this year that found the bank's fraud-detection systems at the time of the takeover were commercially reasonable. Patco's Mark Patterson says the legal process has been long and drawn out. But ultimately, he hopes his case raises awareness - an area he says remains in need of improvement. Until banks are held legally liable and accountable for losses suffered after incidents of ACH and wire fraud, security won't improve, Patterson argues.

Authentication

The Frontlines of Fraud

June 29, 2011:: FFIEC Releases Supplemental Guidance for Internet Banking Security

It is important not to overlook that at its heart and most importantly the guidance acknowledges that today's threats are too sophisticated for yesterday's controls. Authentication alone is no longer effective for protecting online accounts and transactions and financial institutions now have new expectations for risk assessments and layered security strategies.

FDIC

June 29, 2011:: FDIC Defends New Guidance

"We came to the conclusion that while multifactor authentication is a valuable and strong control, recent events have indicated that multifactor authentication is not the Holy Grail. We thought more of the key is layered security. The fraudsters are so good these days; the attacks are so sophisticated; you don't want to rely on just one control. If any one control is compromised, then you have other controls that will pick the fraud." [Jeff Kopchik, FDIC]

Gartner

June 30, 2011:: Experts: FFIEC Guidance Falls Short

The guidance now calls for MFA [multifactor authentication] for commercial customers. This is very good, but is a day late and a dollar short. Banks need to see the bigger picture of the guidance. MFA alone for commercial customers isn't enough. It must also include the other components of layered security, which is implied in the guidance, but not explicit..."[The guidance] repeats, as it should, the fact that virtually every authentication technique can be compromised," [Gartner's Avivah] Litan says. "The last FFIEC guidance in this area spent too much time on specific authentication measures and not enough on a layered security approach."

TowerGroup

July 5, 2011:: FFIEC's New Security Rules Will Weaken Banks' Lawsuit Defenses

The FFIEC's new rules, issued June 29, stress that the fraud protections put in place six years ago are no longer sufficient to withstand today's threats. This could not have come at a worse time for banks that are in court over fraud losses they refused to cover for business clients...The original FFIEC guidance required banks to use something stronger than a static password to authenticate users. The updated guidance looks beyond the initial authentication. The agency now requires banks to have a layered approach to security and to have continuous risk assessments. Banks must protect security at the transaction level.

TowerGroup

July 6, 2011:: FFIEC Guidance: What Banks Should Know

The old guidance focused mainly on getting banks to offer two-factor authentication for greater security, but failed to require other layers of security, such as anomaly detection to prevent fraud or encourage general risk management practices within the online banking environment. As a result, many banks have been able to use the regulation as a legal shield, installing little more than skimpy two-factor authentication technology and, when that is circumvented and a business customer is stolen from, claiming in court that they had followed due diligence through FFIEC compliance.

Gartner

July 15, 2011:: FFIEC: First Steps Toward Compliance

I think they've got the principles right. For example, they emphasize the need for a system of layered security, and they repeat time and again that virtually every authentication technique can be compromised, so it's important to have this layered system...Authentication on its own, or some of these measures on their own, can be beaten. And [the Agencies] saw that firsthand. So I think that the recent breaches certainly pushed them over the edge to making sure they were very clear about the need for a layered security approach.

Credit Unions

NCUA

August 19, 2011:: FFIEC: NCUA Offers Tips for CUs

For the nation's credit unions, conforming to the guidance has some nuances. In response to questions about how NCUA examiners are expected to view those nuances, the NCUA provided a list of suggestions regarding how credit unions should develop strategies to comply...Credit unions are encouraged to establish online fraud prevention strategies. Such strategies should include: identification of compliance gaps, conducting risk assessments, implementing robust/multifactor authentication, and installing layered security controls based on their complexity of services and threat environment to facilitate fraud detection and respond to suspicious activity.

Emerging Security Threats

Gartner

June 29, 2011:: FFIEC finally releases new Guidance

It spends a good amount of time on addressing threats from attacks to PC-based electronic banking, but does not address telephone banking attacks that can take various forms. Surely the threats will change substantially over the next five years. Given that the guidance is specific in its discussion about the techniques used to prevent yesterday's attacks, it should devote more time describing how those attacks are likely to change. (Granted that's a very difficult thing to do).

Gartner

July 15, 2011:: FFIEC: First Steps Toward Compliance

We will see big shifts in the next five years to mobile banking, whether from smart phones or tablets. So the techniques that they're talking about in the guidance have no relevance there or very little relevance there, and I can just see this document getting out of date again, as it did last time.

NCUA

August 19, 2011:: FFIEC: NCUA Offers Tips for CUs

Cybercriminals increasingly use malware programs, such as Trojans, rootkits, keyloggers, and spyware, to infiltrate a member's computer system and steal their banking credentials to originate fraudulent wire transfers...Top emerging security threats to credit unions include: debit and credit card threats; social network threats; mobile banking threats; advanced phishing attempts; and sophisticated malware attacks (see article for complete list).

Business Banking

TowerGroup

July 6, 2011:: FFIEC Guidance: What Banks Should Know

In particular, small businesses have suffered greatly from the regulation's shortcoming and their banks' subsequent legal arguments. Banks rarely extend the same fraud reversal for business accounts as they do for consumer accounts, and small businesses don't have the same kind of pull with their financial institutions to demand better security as do large organizations...The guidance also specifically calls out greater protection for business banking customers, which were not mentioned before -- a fact that had many banks assuming the regulation was solely consumer-focused...SMBs should better scrutinize where they put their money by asking for greater risk mitigating measures.

Gartner

July 15, 2011:: FFIEC: First Steps Toward Compliance

I was encouraged that the regulators made it clear to the banks that you've got to tell customers what kind of protections they do have and don't have when it comes to money transfer. As we all know by now, Regulation E doesn't apply to business accounts.

Bank Info Security

November 21, 2011:: ACH Fraud: More Education Needed

Patco Construction learned the hard way that losses associated with account takeover are not always covered by the bank. In fact, most losses associated with ACH-related fraud aren't covered for small business accounts. Mark Patterson of Patco, like many small business owners, just assumed losses associated with fraudulent transactions would be covered by the bank. "I think the banks should sit down with the business owners when they open an account and say, 'This is what the potential loss can be if someone compromises your computer,'" Patterson says. "I just don't think small businesses know the threat that's out there."

Consumer Banking

NCUA

August 19, 2011:: FFIEC: NCUA Offers Tips for CUs

For the nation's credit unions, conforming to the guidance has some nuances. The majority of the FFIEC's clarifications in the updated guidelines focus on ways institutions can enhance fraud detection for commercial accounts. Since most credit union accounts are retail accounts held by consumers, conforming to the guidelines to meet regulatory expectations is a bit tricky. In response to questions about how NCUA examiners are expected to view those nuances, the NCUA provided a list of suggestions regarding how credit unions should develop strategies to comply.

Response to FFIEC Guidance 2011 Supplement

The FFIEC now expects institutions to be able to "detect and respond to suspicious activity" as part of a layered security program.

FFIEC


FFIEC Guidance Supplement
FFIEC Press Release