Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:19 PM

How Ready Are Banks For FFIEC?

Confusion abounds about new Federal Financial Institutions Examination Council (FFIEC) Supplement to the Authentication in an Internet Banking Environment

With the effective date for new banking authentication rules less than two weeks away, speculation is heating up among security executives within the financial sector as to how ready banks will be when examiners show up on their doorsteps in 2012.

A new survey shows that while the majority of banks are aware of the regulation and are actively planning for compliance, there is still some confusion about new expectations laid out by the Federal Financial Institutions Examination Council (FFIEC) Supplement to the Authentication in an Internet Banking Environment.

"The big thing is that the overwhelming majority of banks have taken some action or are taking the guidance really seriously," says Terry Austin, CEO of Guardian Analytics, which sponsored the survey. "They've started to do their risk assessments and formulate their plan. I think that's good news that the guidance has had a desired impact."

Conducted in November among more than 300 banking executives from 100 U.S. institutions, the survey found that 85 percent of respondents reported that their institutions are actively taking action to address the updated guidelines laid out by the FFIEC. Approximately 80 percent of organizations have undertaken risk assessments in the past six months as a first step in the process, and 59 percent have already established a plan to fill online banking security gaps.

The high awareness saturation can likely be attributed to regulator champions within the FFIEC, which is comprised of several government financial agencies whose executives have been on a public relations blitz. The Guardian Analytics survey validates assessments of the market from Federal Deposit Insurance Corporation (FDIC) leadership.

"The agencies have done a lot of outreach," says Jeff Kopchik, senior policy analyst with the FDIC's Division of Risk Management Supervision and one of the authors of the guidance. "I've spoken at a lot of conferences, I've done a lot of webinars and conference calls, and things like that. My impression from talking to members of the industry is that there is very good awareness of the guidance. I haven't run into anyone who has said to me, 'What are you talking about?'"

[How large to midsize banks have at least a road map to comply with tougher FFIEC authentication and anti-fraud guidelines. See Financial Institutions Shoring Up Compliance Plans For FFIEC Deadline.]

While there might be good awareness, the survey showed that many institutions still might not be 100 percent clear on what the new requirements mean for their security operations.

"The guidance was really clear that there would be two absolute minimum expectations no matter what else you do," Austin says. "You have to be able to monitor account behavior and identify anomalous or suspicious activity. And the second thing the guidance said is that you have to be able to put controls in place for business banking administrative functions -- meaning things like dual controls or even admin rights to set up users and approval limits. You have to have fraud detection in place that can work in that environment."

According to the survey, 41 percent of respondents didn't see anomaly detection as a minimum expectation as laid out by the regulators, and 56 percent did not see enhanced administration functions in business accounts as a minimum expectation.

"I think there's still some kind of rereading and re-education and absorption of the information that's needed in the market for banks to fully grasp the fact that there are these two minimum expectations and that they're kind of inescapable, and then everything else is an option based on your risk assessment," Austin says.

As far as risk assessments go, 98 percent of banks plan to institute a higher frequency of assessments than what the supplement requires. However, Ben Knieff, director of product marketing at NICE Actimize, says that risk assessments could trip up smaller financial institutions, an issue that wasn't necessarily examined in this survey but which Knieff sees playing out in 2012.

"I think that segment is in relatively different shape than the rest. Most of them get their online services and portals provided to them by a third party that usually handles a number of other banking functions for them," Knieff says. "I know that all those large service providers are communicating what they have and where they're making investments for compliance. The challenge for smaller organizations is less on the technology side and more on the risk assessment and customer education side. That's something much more difficult for them to outsource to a technology service provider, and the bank still remains responsible for adherence."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.2.0, BinaryHeap is not panic-safe. The binary heap is left in an inconsistent state when the comparison of generic elements inside sift_up or sift_down_range panics. This bug leads to a drop of zeroed memory as an arbitrary type, which can result in a memory ...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, String::retain() function has a panic safety problem. It allows creation of a non-UTF-8 Rust string when the provided closure panics. This bug could result in a memory safety violation when other string APIs assume that UTF-8 encoding is used on the sam...
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.49.0, VecDeque::make_contiguous has a bug that pops the same element more than once under certain condition. This bug could result in a use-after-free or double free.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.50.0, read_to_end() does not validate the return value from Read in an unsafe context. This bug could lead to a buffer overflow.
PUBLISHED: 2021-04-11
In the standard library in Rust before 1.52.0, the Zip implementation has a panic safety issue. It calls __iterator_get_unchecked() more than once for the same index when the underlying iterator panics (in certain conditions). This bug could lead to a memory safety violation due to an unmet safety r...