
Financial Institutions Shoring Up Compliance Plans For FFIEC Deadline

Most large to midsize banks are well on their way with at least a road map to comply with tougher FFIEC authentication and anti-fraud guidelines

Nov 07, 2011 | 05:00 PM | 

By Ericka Chickowski, Contributing Editor
Dark Reading


For banking and financial organizations, Jan. 1 looms large as the deadline for a new set of requirements under the supplement to the Federal Financial Institutions Examination Council's (FFIEC) "Authentication in an Internet Banking Environment" guidance. The original guidance, issued in 2005, required multifactor authentication; the supplement released this past June adds stronger requirements for additional layers of security to counter the growing volume of fraud directed at institutions.

"In the intervening five years since the guidance first came out, the threat environment in terms of fraudsters and cybercriminals simply kept getting worse and worse, to the point where they were defeating multifactor authentication. It was appropriate for us to put out a supplement," says Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corp.'s Division of Risk Management Supervision, and one of the authors of the guidance.

"Banks are moving to other security controls that address the reality the FFIEC notes: 'Virtually all authentication techniques can be compromised.' If someone hijacks your computer, it doesn't matter how you've authenticated yourself," says Kevin Bocek, director of product marketing for online banking security firm IronKey. "They're inside your browser and inside your computer. So what's really happening is the banks are moving to secure browsing as a way to isolate customers from any threats on the computer. That's their motivation, and that's what IronKey customers are saying."

East Carolina Bank, The Coastal Bank, and Fairfield County Bank are recent examples of customers that have added IronKey Trusted Access as an additional layer to prevent successful execution of attacks on customers’ computers.

Some of the added controls FFIEC demands are fraud-prevention measures, such as anomaly detection, and more frequent assessment of risks than annual reviews to keep up with the dynamic nature of today's threats.

"One of the things that the supplement really talks about is that the banks need to use layered security to protect online banking. In other words, it can't just rely on controls at log-in to screen the customer, and then once the customer has logged in to basically just forget about it," Kopchik says. "The bank needs to have different types of controls at different points in the process to constantly be looking for what we refer to as anomalous activity."

The guidance also specifically calls for greater protection for business banking customers, which were not mentioned before -- a fact that had many banks assuming the regulation was solely consumer-focused.

"I think it's significant that the agency for the first time distinguished between retail accounts and business accounts and set standards for each," Kopchik says. "The reason for that is the agency said, in our opinion the risk posed to business accounts is greater because business accounts tend to have more transactions flowing through them, so it's more difficult to monitor and, quite frankly, they have more money flowing out of them and more funds going out more frequently, so there are potentially more bad things that could happen there."

According to many within the security world, the banking industry is in a much better state to deal with the increased regulations now than it was in 2005. Many banking institutions have already employed anti-fraud technologies to stem the losses they've faced in recent years; the FFIEC is simply helping them tie those efforts together.

"Many organizations have deployed anti-fraud controls over the past few years, creating a foundation for compliance. However, some organizations have deployed these controls in response to fraud losses without a coherent fraud-prevention strategy," says Yishay Yovel, vice president of marketing for Trusteer. "We believe the FFIEC compliance process will drive organizations to assess the quality and effectiveness of their controls and make the necessary changes."

Even those organizations that might be missing specific pieces of technology or processes to truly create a cohesive and compliant program are likely already on their way with a plan to get there.

"Within any large organization, trying to get something done in six months technology-wise is very hard -- you've got lots of different systems to deal with, you've got budgets and other projects that are in flight, so some of those are the execution challenges organizations face," says Ben Knieff, director of product marketing at NICE Actimize. "But most of the larger organizations and even the midsize organizations we have talked to have got their road map in place. They've got a plan, and they've got a budget, and if a regulator were to walk in in January, they'd be in good shape because they could show they're executing a very clear plan."

This, says Kopchik, is really what the examiners will be looking for. As he puts it, the agencies participating in the FFIEC are realists. They understand that not everyone will have executed on their compliance plan by Jan. 1. But he does warn that they had better have one by then.

"What examiners will be concerned about is if they go into an institution shortly after the first of the year and the institution either doesn't even know about the guidance -- that's a problem -- or they do know about it, but they haven't done anything to try to prepare and get a plan together to get into conformance," Kopchik says. "And if we go farther into the year, the examiners will expect that institutions that have exams at the end of the year will be more likely to be in compliance and closer to conformance than exams that will be done in the first quarter."

According to Kopchik, documentation is key for the examiners.

"Have some sort of planning documents that can show the examiner what you've done. If you've got nothing down on paper, examiners sometimes become uncomfortable with that. They get concerned that maybe you really haven't been working on it as long as you told them," he says.

"But if you can show them some documents that show them you did put your teams together two weeks after or a month after the guidance was issued, and the team has met on X number of occasions and that's recorded in some fashion, examiners are much more comfortable with that."
