I’ve been hearing this rumor for a while now, but we may actually be seeing something new from the FFIEC soon. Gartner is the latest to suggest that an update to the 2005 guidance on authentication is imminent.
In addition to updating it for technological advances since 2005, (Facebook and LinkedIn were in their infancy, and Twitter hadn’t even been launched), I hope it also addresses the increasing responsibility held by the customer, (both commercial and consumer) for data security. I continue to believe that there should be shared responsibility, and liability, for establishing and maintaining a secure electronic banking environment.
Reg. E protects the consumer, and so far the courts have held overwhelmingly in favor of the commercial customer as well. Will regulators extend Reg. E to commercial accounts, or place more responsibility on the customer? Could the new guidance further define “commercially reasonable”?
My guess is that we may not see much clarification on these issues, but we are likely to see additional burdens placed on the financial institution. For example, don’t be surprised to see customer education become more prescriptive, with the financial institution being responsible for it.
Stay tuned!
I heard the NCUA accidentally made the guidance available in December ahead of the other agencies (10-CU-24.pdf). If that is true, I'm wondering what kind of negative feedback the agencies must have gotten to that early release, since they didn't officially release it yet. It must be ready to go right?
Yes, I've seen this guidance and I'm hoping that the final FFIEC version is more prescriptive. The NCUA release didn't really move the ball forward much relative to the 2005 release as far as I could see. There were a couple items in there about additional education (of merchant by FI), and additional back office monitoring, but not much beyond that. Too many "weasel words" like 'can' and 'may' and 'might', not many 'must' and 'should'. Thanks for the comment!
And in my opinion the early release had several problems. That may be why the FFIEC has delayed the final. I'm going to reserve final judgment until I see it, but my main issue with the version released to the NCUA is the almost complete lack of focus on preventive controls.
Pingback: The RSA breach, and 5 things you should do : FFIEC Guru
[…] 6 years later, in the draft release of the FFIEC updated guidance, they […]