11/7/2011 05:00 PM

Financial Institutions Shoring Up Compliance Plans For FFIEC Deadline

Most large to midsize banks are well on their way with at least a road map to comply with tougher FFIEC authentication and anti-fraud guidelines

For banking and financial organizations, Jan. 1 looms large as the deadline for a new set of requirements under the supplement to the Federal Financial Institutions Examination Council's (FFIEC) "Authentication in an Internet Banking Environment" guidance. The original guidance, issued in 2005, required multifactor authentication; the supplement released this past June adds stronger requirements for additional layers of security to counter the fraud attacks that now hit institutions by the hour.

"In the intervening five years since the guidance first came out, the threat environment in terms of fraudsters and cybercriminals simply kept getting worse and worse, to the point where they were defeating multifactor authentication. It was appropriate for us to put out a supplement," says Jeff Kopchik, senior policy analyst with the Federal Deposit Insurance Corp.'s Division of Risk Management Supervision, and one of the authors of the guidance.

"Banks are moving to other security controls that address the reality the FFIEC notes: 'Virtually all authentication techniques can be compromised.' If someone hijacks your computer, it doesn't matter how you've authenticated yourself," says Kevin Bocek, director of product marketing for online banking security firm IronKey. "They're inside your browser and inside your computer. So what's really happening is the banks are moving to secure browsing as a way to isolate customers from any threats on the computer. That's their motivation, and that's what IronKey customers are saying."

East Carolina Bank, The Coastal Bank, and Fairfield County Bank are recent examples of customers that have added IronKey Trusted Access as an additional layer to prevent successful execution of attacks on customers' computers.

Some of the added controls FFIEC demands are fraud-prevention measures, such as anomaly detection, and more frequent assessment of risks than annual reviews to keep up with the dynamic nature of today's threats.

"One of the things that the supplement really talks about is that the banks need to use layered security to protect online banking. In other words, it can't just rely on controls at log-in to screen the customer, and then once the customer has logged in to basically just forget about it," Kopchik says. "The bank needs to have different types of controls at different points in the process to constantly be looking for what we refer to as anomalous activity."

The guidance also specifically calls for greater protection for business banking customers, which were not mentioned before -- a fact that had many banks assuming the regulation was solely consumer-focused.

"I think it's significant that the agency for the first time distinguished between retail accounts and business accounts and set standards for each," Kopchik says. "The reason for that is the agency said, in our opinion the risk posed to business accounts is greater because business accounts tend to have more transactions flowing through them, so it's more difficult to monitor and, quite frankly, they have more money flowing out of them and more funds going out more frequently, so there are potentially more bad things that could happen there."
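The layered approach Kopchik describes (a control at log-in, then separate anomaly checks on every transaction, with business accounts weighted as higher risk) can be sketched as a small risk-scoring routine. This is an added illustration, not code from the article, the FFIEC or any vendor quoted here; the thresholds, score weights and sample account data are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Account:
    account_id: str
    business: bool          # FFIEC supplement treats business accounts as higher risk
    known_devices: set
    known_payees: set
    past_amounts: list      # recent outgoing transfer amounts used as the baseline

@dataclass
class Transfer:
    amount: float
    payee: str
    minute: int             # minutes since log-in, for velocity checks

def login_risk(acct, device_id):
    """Layer 1: the control at log-in. An unrecognised device adds risk."""
    return 0 if device_id in acct.known_devices else 2

def transfer_risk(acct, t, earlier):
    """Layer 2: anomaly checks applied to every transaction after log-in."""
    score = 0
    if t.payee not in acct.known_payees:
        score += 2                                     # first payment to a new payee
    mu, sd = mean(acct.past_amounts), pstdev(acct.past_amounts) or 1.0
    if t.amount > mu + 3 * sd:
        score += 3                                     # far above this account's usual size
    if len([e for e in earlier if t.minute - e.minute <= 10]) >= 3:
        score += 2                                     # burst of transfers within ten minutes
    if acct.business and score > 0:
        score += 1                                     # higher exposure on business accounts
    return score

def decide(score):  # 'step-up' means ask the customer to re-authenticate
    return "hold" if score >= 5 else "step-up" if score >= 2 else "allow"

def evaluate_session(acct, device_id, transfers):
    """Return (checkpoint, action) pairs: one for log-in, then one per transfer."""
    login = login_risk(acct, device_id)
    decisions, earlier = [("login", decide(login))], []
    for t in transfers:
        decisions.append((t.payee, decide(login + transfer_risk(acct, t, earlier))))
        earlier.append(t)
    return decisions

# Constructed sample data (not from the article or any institution).
SAMPLE_ACCOUNT = Account("biz-001", True, {"dev-A"}, {"Payroll Co", "Landlord LLC"},
                         [4200, 3900, 4100, 4000, 4300])
SAMPLE_TRANSFERS = [Transfer(4050, "Payroll Co", 2), Transfer(9800, "New Vendor", 5),
                    Transfer(1500, "Contractor X", 6)]
```

The point is that a customer who passed the log-in check cleanly can still have the second transfer held and the third challenged, because each transaction is judged against the account's own history rather than trusted on the strength of the earlier authentication.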

According to many within the security world, the banking industry is in a much better state to deal with the increased regulations now than it was in 2005. Many banking institutions have already employed anti-fraud technologies to stem the losses they've faced in recent years; the FFIEC is simply helping them tie those efforts together.

"Many organizations have deployed anti-fraud controls over the past few years, creating a foundation for compliance. However, some organizations have deployed these controls in response to fraud losses without a coherent fraud-prevention strategy," says Yishay Yovel, vice president of marketing for Trusteer. "We believe the FFIEC compliance process will drive organizations to assess the quality and effectiveness of their controls and make the necessary changes."

Even those organizations that might be missing specific pieces of technology or processes to truly create a cohesive and compliant program are likely already on their way with a plan to get there.

"Within any large organization, trying to get something done in six months technology-wise is very hard -- you've got lots of different systems to deal with, you've got budgets and other projects that are in flight, so some of those are the execution challenges organizations face," says Ben Knieff, director of product marketing at NICE Actimize. "But most of the larger organizations and even the midsize organizations we have talked to have got their road map in place. They've got a plan, and they've got a budget, and if a regulator were to walk in in January, they'd be in good shape because they could show they're executing a very clear plan."

This, says Kopchik, is really what the examiners will be looking for. As he puts it, the agencies participating in the FFIEC are realists. They understand that not everyone will have executed on their compliance plan by Jan. 1. But he does warn that institutions had better have one by then.

"What examiners will be concerned about is if they go into an institution shortly after the first of the year and the institution either doesn't even know about the guidance -- that's a problem -- or they do know about it, but they haven't done anything to try to prepare and get a plan together to get into conformance," Kopchik says. "And if we go farther into the year, the examiners will expect that institutions that have exams at the end of the year will be more likely to be in compliance and closer to conformance than exams that will be done in the first quarter."

According to Kopchik, documentation is key for the examiners.

"Have some sort of planning documents that can show the examiner what you've done. If you've got nothing down on paper, examiners sometimes become uncomfortable with that. They get concerned that maybe you really haven't been working on it as long as you told them," he says.

"But if you can show them some documents that show them you did put your teams together two weeks after or a month after the guidance was issued, and the team has met on X number of occasions and that's recorded in some fashion, examiners are much more comfortable with that."
