Compliance Guru • FFIEC Guidance
By Tom Hinkel In Hot Topics

FFIEC to issue updated authentication guidance?

I’ve been hearing this rumor for a while now, but we may actually be seeing something new from the FFIEC soon.  Gartner is the latest to suggest that an update to the 2005 guidance on authentication is imminent.

In addition to updating it for technological advances since 2005 (Facebook and LinkedIn were in their infancy, and Twitter hadn’t even been launched), I hope it also addresses the increasing responsibility held by the customer (both commercial and consumer) for data security.  I continue to believe that there should be shared responsibility, and liability, for establishing and maintaining a secure electronic banking environment.

Reg. E protects the consumer, and so far the courts have held overwhelmingly in favor of the commercial customer as well.  Will regulators extend Reg. E to commercial accounts, or place more responsibility on the customer?  Could the new guidance further define “commercially reasonable”?

My guess is that we may not see much clarification on these issues, but we are likely to see additional burdens placed on the financial institution.  For example, don’t be surprised to see customer education become more prescriptive, with the financial institution being responsible for it.

Stay tuned!

Tags: Authentication, commercially reasonable security, FFIEC, Reg E

Article by Tom Hinkel

As author of the Compliance Guru website, Hinkel shares easy-to-digest information security tidbits with financial institutions across the country. With almost twenty years’ experience, Hinkel’s areas of expertise span the entire spectrum of information technology. He is also the VP of Compliance Services at Safe Systems, a community banking tech company, where he ensures that their services incorporate the appropriate financial industry regulations and best practices.


4 replies added

  1. Tom February 1, 2011

    I heard the NCUA accidentally made the guidance available in December ahead of the other agencies (10-CU-24.pdf). If that is true, I’m wondering what kind of negative feedback the agencies must have gotten to that early release, since they didn’t officially release it yet. It must be ready to go, right?

    • Tom February 1, 2011

      Yes, I’ve seen this guidance and I’m hoping that the final FFIEC version is more prescriptive. The NCUA release didn’t really move the ball forward much relative to the 2005 release as far as I could see. There were a couple items in there about additional education (of merchant by FI), and additional back office monitoring, but not much beyond that.

      Too many “weasel words” like ‘can’ and ‘may’ and ‘might’, not many ‘must’ and ‘should’.

      Thanks for the comment!

    • Tom February 22, 2011

      And in my opinion the early release had several problems. That may be why the FFIEC has delayed the final. I’m going to reserve final judgment until I see it, but my main issue with the version released to the NCUA is the almost complete lack of focus on preventive controls.
