FFIEC Authentication Guidance: First AnalysisTimeline is Tight For Institutions to Meet Expectations
With the final FFIEC Authentication Guidance issued, institutions need to start moving ahead in order to prepare for regulatory assessments starting January 2012.
And a lot of institutions aren't waiting, says Julie McNelley, banking fraud analyst for Aite Group. "They are moving forward pretty aggressively and a lot of them already have the layered approach in place."
McNelley's advice is to begin developing multi-pronged platforms, not just from a fraud mitigation technology perspective. Institutions should be looking at their education programs and figuring out how to make them more effective in reaching consumers and businesses.
As part of any successful risk management initiative, institutions need to have a periodic review so that they can make sure their risk mechanisms are keeping up with the latest attack vectors.
The threat landscape has changed considerably, and institutions can't just rely on username and password and device authentication. "As we've seen, those single-point solutions are susceptible to breach," McNelley says. "You really need to have a number of different approaches and layers of security to address the online threats."
During this interview [transcript below] about the pending FFIEC guidance, McNelley discusses:
- The five primary takeaways regulators have included in the updated guidance;
- Steps institutions can follow to determine which parts of the guidance they should focus on first;
- Why layered security is so critical, and applies to, everything from authentication to customer education to the security of emerging channels such as mobile.
McNelley is a senior analyst at Aite Group LLC who covers banking and payments fraud. She has more than a decade of hands-on product management experience working with financial institutions, payments processors and risk management companies. McNelley most recently served as senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business.
Before joining Golden Gateway, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Under McNelley's leadership, Early Warning launched multiple new solutions to successfully detect and prevent fraud; further, she was a key member of the team that facilitated the spin-off of Early Warning Services from First Data Corp. to Bank of America, JPMorgan Chase, Wells Fargo, and BB&T. She also led operational process improvements for NextCard, identifying points of compromise and implementing solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering, where she analyzed online financial services and risk-management firms.
Five Compliance AreasTRACY KITTEN: You've reviewed the updates the FFIEC has released when it relates to online authentication guidance. There are five areas of compliance that are noted in the guidance: layered security, multifactor authentication, the need for greater awareness among customers and employees, better risk assessments and stronger authentication as it relates to, for instance, device identification and challenge questions. I'd like to go through each of those one by one, if we could, and see what advice you could offer financial institutions as they're reviewing this guidance. What should they be doing to prepare and comply with some of these standards? Let's take the first one, layered security. What can institutions be doing now as they're reviewing this pending guidance where layered security is concerned?
JULIE MCNELLEY: The main security recommendation is in recognition of the fact that any one-point solution has proven to have a workaround from the fraudster's perspective. If you're just deploying device identification, there are a number of attack vectors that the fraudsters can use to get around that and breach the perimeter. The layered authentication guidance is really making sure that you have a number of different layers of security and a number of different approaches to the security to make sure that you're not relying heavily on any one particular mitigation technique.
KITTEN: Then what about multifactor authentication? We've talked a lot about that in the industry lately, and I guess the reason is because a lot of institutions have not been complying with the need for additional layers of authentication. What should they be doing when they think about multifactor?
MCNELLEY: In the wake of the 2005 guidance, the FFIEC basically said single password and username is not enough. You need to do more and it needs to be risk-based. That left a lot of room for interpretation. In consumer applications, a lot of financial institutions went out and said we'll do device printing and geolocation, and we're done. We've now got two-factor authentication, so we're complying with the FFIEC guidance. At that time, online fraud was not that big of an issue for financial institutions, so it really was more of a compliance play than a loss avoidance play.
The landscape has changed considerably since then. You can't be just looking at deploying two different types of authentication - username, password and device authentication - and saying that's enough. Because as we've seen, those single-point solutions are susceptible to breach; you really do need to have a number of different approaches and layers of security to address the online threats.
KITTEN: And then what about this notion of education and customer awareness? What role do institutions play there when it comes to educating their commercial customers as well as consumers?
MCNELLEY: It's a very different approach to educating consumers versus the commercial customers. Obviously, you have an exponential number more consumers than you do commercial customers. A number of institutions I've been talking to have periodic webinars that they push out to their commercial customers. They have them so that they can fulfill various professional credits that the corporate treasury managers and others need to receive. They push out the fraud and security methods that way, as well as through a number of other more direct communications. Just like with fraud prevention, the education has to be multilayered, because people have a lot of information coming up every day in their jobs. They don't read everything that comes to them, so you need to come at them with a number of different media mechanisms. You need to repeat the message so that consumers and businesses truly understand the risks out there.
The mobile platform is going to be increasingly a great channel for financial institutions, but it's also one that is fraught with increasing perils that consumers and businesses just have no concept of. I've heard the app store referred to as the greatest malware distribution platform ever invented because people go out there and willy-nilly download things, having no idea what the provenance is. That's a great way to distribute malware as we've seen with some of the apps that have been pulled back from the app stores in recent months.
Back to my original point, it needs to be a multi-layered communication mechanism, and you need to really go about educating consumers and businesses without scaring them away from platforms that are very strategic mechanisms for the bank.
KITTEN: Then what about the need for better or more frequent risk assessments?
MCNELLEY: That was a key part in the preliminary draft of the guidance that was released back in December. In that draft, the FFIEC made the point that a number of institutions deployed something to comply with the 2005 guidance and haven't really gone back and revisited it since. In this guidance, they were really emphasizing the need to have a periodic review just like you do with any of your other compliance programs, like AML, so that you can make sure that your risk mechanisms are keeping up with the latest attack vectors.
KITTEN: The final point that I wanted to ask about as it relates to these five areas that were noted in the guidance is: what about stronger authentication? And I'm talking about authentication that relates to device identification and challenge questions.
MCNELLEY: In the guidance, they provided a listing of a number of the leading technologies in this space, and it spanned everything from device identification to challenge questions to behavior analytics. I thought this was actually a pretty useful section of the guidance. It was definitely an improvement over the very nonspecific guidance that came out in 2005. It really highlighted some of the best practices that are in play and gave institutions a bit of a road map towards what types of technologies they should consider as they are deploying a layered security mechanism. We've been talking to financial institutions quite a bit about this lately, and we're actually going to be releasing a report later in June that ranks the effectiveness of all of these technologies from financial institutions' perspectives. And the good news is that in the guidance, the FFIEC did touch on many of the leading approaches in this space.
Customer EducationKITTEN: Now when I step back and think about these five recommendations, one of the most difficult ones, I think, relates to customer education. How do you reach customers to educate them about threats and encourage them to conduct their own risk assessments more often?
MCNELLEY: That's a great point. And it's actually funny. I received a communication from my bank not too long ago. It was an e-mail communication. It was a marketing message, but it had the verbiage in there saying that if you're concerned about the authenticity of this message, click here. That really underscores the complexity of educating consumers in particular about this because if somebody is concerned about the authenticity of that message, the last thing they should be doing is clicking on the message itself. It really does need to be something that goes at it from a multimedia approach - educating via TV commercials, educating the PR, educating via e-mail. But don't encourage your consumers to click here to learn more, because that's sending a completely mixed message.
KITTEN: That's a good point that you raise, and a lot of institutions I know have historically relied on communication via e-mail. Moving forward, it's a different way of thinking about education.
KITTEN: But what about from your view? When you look at these five recommendations, which do you deem to be the most difficult or challenging for institutions to comply with?
MCNELLEY: In my opinion, it shouldn't be a compliance question at all at this point because we've seen that the attack vectors are multiplying. The numbers of attacks are multiplying. There was a study by Panda Security that was released in the last couple months that was saying that 76,000 new malware threats are being released every day. Institutions shouldn't be waiting before deploying a layered security approach to combating the threat, because it represents a reputation risk perspective, as well as a financial loss perspective on the consumer side. And it represents a risk to their customers. So I don't see it as much as what's going to present the most difficult problem in this FFIEC guidance. I think the lack of guidance right now is the biggest problem, and institutions should be moving forward ahead of the guidance.
KITTEN: So even if some of these seem challenging, they need to be doing this just to protect themselves, their consumers and their commercial customers.
KITTEN: Now, some banking institutions have suggested that they have so many things to focus on. We talk about Dodd-Frank, the Durbin Amendment. When we talk about the FFIEC guidance, they have some concerns but they say that they have other things they might focus on. What do you say to that? What advice could you offer to an institution that's taking that perspective?
MCNELLEY: I think it depends on who you're talking to in the institution. If you're coming at it from a compliance perspective, yes those folks are completely overwhelmed right now. They have I believe 243 new regulations coming at them over the period of a year. But if you're looking at it from a fraud prevention perspective, consolidating your channel and making it a safe experience for your customer base, this really should surface to the top because the threat vectors are multiplying and it's something that needs to be addressed sooner rather than later.
Preparing for 2012KITTEN: Finally, before we close, can you tell us in a nutshell, from your perspective, what should institutions be doing now to prepare for the FFIEC guidance? What advisable steps can you suggest that they take?
MCNELLEY: The preliminary guidance provided a pretty good roadmap from a compliance perspective. A lot of the larger institutions that I've spoke with aren't waiting. They are moving forward pretty aggressively and a lot of them already have the layered approach in place. I would say that all institutions should be taking that approach and developing multi-pronged platforms, not just from a fraud mitigation technology perspective. Also really look at their education programs and figuring out how to make them more effective in making consumers and businesses aware of the threats, particularly as the mobile channel becomes a more strategic asset and more high-risk transactions are pushed to the mobile channel. While institutions aren't taking a lot of losses on the mobile channel today - and the FFIEC guidance had a pretty glaring omission by not even mentioning mobile in the guidance - mobile will be a new frontier for a lot of institutions. They should be taking a similar approach to both online and mobile as they're looking at these issues.
KITTEN: And that's something that we've talked about, the absence of mobile in the FFIEC guidance. But as you've noted, a lot of it just comes back to consumers and the mechanisms that they're using to access this online channel. Institutions that are concerned about mobile, I guess the advice at this point would be just to focus on the same things you're doing for the online channel to protect it - multifactor authorization, device identification, those types of things.
MCNELLEY: Yes. You can't use all of the same technologies. For example, mobile has a fluid IP, so some of the IP-based technologies are a little bit more challenging on the mobile platform. But take the same layered approach to your fraud mitigation and take the same approach from a consumer education perspective.
Institutions deployed a pretty effective education campaign around phishing a few years ago and really made consumers more aware of the perils around it. They need to take the same approach with the perils of mobile and use a balanced approach. Don't scare consumers completely away from the channel, or businesses, because businesses are also increasingly exhibiting interest in mobile banking. But make sure that somebody knows that if you're downloading an app from the app store, from a little mom-and-pop developer that you have no idea who they are, you need to also deploy some anti-spyware and take some precautions before you engage in higher risk transactions.