How Ready Are Banks For FFIEC?

Published: 22/11/2024   Category: security




Confusion abounds about new Federal Financial Institutions Examination Council (FFIEC) Supplement to the Authentication in an Internet Banking Environment



With the effective date for new banking authentication rules less than two weeks away, speculation is heating up among security executives within the financial sector as to how ready banks will be when examiners show up on their doorsteps in 2012.
A new survey shows that while the majority of banks are aware of the regulation and are actively planning for compliance, there is still some confusion about new expectations laid out by the Federal Financial Institutions Examination Council (FFIEC) Supplement to the Authentication in an Internet Banking Environment.
"The big thing is that the overwhelming majority of banks have taken some action or are taking the guidance really seriously," says Terry Austin, CEO of Guardian Analytics, which sponsored the survey. "They've started to do their risk assessments and formulate their plan. I think that's good news that the guidance has had a desired impact."
Conducted in November among more than 300 banking executives from 100 U.S. institutions, the survey found that 85 percent of respondents reported that their institutions are actively taking action to address the updated guidelines laid out by the FFIEC. Approximately 80 percent of organizations have undertaken risk assessments in the past six months as a first step in the process, and 59 percent have already established a plan to fill online banking security gaps.
The high awareness saturation can likely be attributed to regulator champions within the FFIEC, which is comprised of several government financial agencies whose executives have been on a public relations blitz. The Guardian Analytics survey validates assessments of the market from Federal Deposit Insurance Corporation (FDIC) leadership.
"The agencies have done a lot of outreach," says Jeff Kopchik, senior policy analyst with the FDIC's Division of Risk Management Supervision and one of the authors of the guidance. "I've spoken at a lot of conferences, I've done a lot of webinars and conference calls, and things like that. My impression from talking to members of the industry is that there is very good awareness of the guidance. I haven't run into anyone who has said to me, 'What are you talking about?'"
[How large to midsize banks have at least a road map to comply with tougher FFIEC authentication and anti-fraud guidelines. See Financial Institutions Shoring Up Compliance Plans For FFIEC Deadline.]
While there might be good awareness, the survey showed that many institutions still might not be 100 percent clear on what the new requirements mean for their security operations.
"The guidance was really clear that there would be two absolute minimum expectations no matter what else you do," Austin says. "You have to be able to monitor account behavior and identify anomalous or suspicious activity. And the second thing the guidance said is that you have to be able to put controls in place for business banking administrative functions -- meaning things like dual controls or even admin rights to set up users and approval limits. You have to have fraud detection in place that can work in that environment."
According to the survey, 41 percent of respondents didn't see anomaly detection as a minimum expectation as laid out by the regulators, and 56 percent did not see enhanced administration functions in business accounts as a minimum expectation.
"I think there's still some kind of rereading and re-education and absorption of the information that's needed in the market for banks to fully grasp the fact that there are these two minimum expectations and that they're kind of inescapable, and then everything else is an option based on your risk assessment," Austin says.
As far as risk assessments go, 98 percent of banks plan to institute a higher frequency of assessments than what the supplement requires. However, Ben Knieff, director of product marketing at NICE Actimize, says that risk assessments could trip up smaller financial institutions, an issue that wasn't necessarily examined in this survey but which Knieff sees playing out in 2012.
"I think that segment is in relatively different shape than the rest. Most of them get their online services and portals provided to them by a third party that usually handles a number of other banking functions for them," Knieff says. "I know that all those large service providers are communicating what they have and where they're making investments for compliance. The challenge for smaller organizations is less on the technology side and more on the risk assessment and customer education side. That's something much more difficult for them to outsource to a technology service provider, and the bank still remains responsible for adherence."