Well, after much anticipation and speculation we finally have the updated FFIEC guidance, and there doesn’t appear to be anything radically new here that would justify waiting an additional 6 months. At the very least I thought we might see some changes in the Effectiveness of Certain Authentication Techniques section, or in the Appendix (Threat Landscape and Compensating Controls), but both sections are virtually unchanged. That said, I examined the final release against the draft, and here are my observations divided into 3 categories: Good, Bad, and Odd (all bold and italics in quoted text are mine):
Good:
Education: “A financial institution’s customer awareness and educational efforts should address both retail and commercial account holders…”. Agreed. This is a good change from the draft. Education shouldn’t be limited to high-risk transactions only.
Risk Assessments for Financial Institutions: (Generally good, but see below under Bad and Odd)
Layered Security Programs: (Again, generally good, but see below under Bad)
Bad:
Multifactor Authentication: The draft release stated that “Financial institutions should implement multifactor authentication and layered security…”. The final release changed that to “Financial institutions should implement layered security…the Agencies recommend that institutions offer multifactor authentication to their business customers.” The verbiage change seems to remove multifactor authentication as a requirement.
Layered Security Programs: “Financial institutions should implement a layered approach to security for high-risk Internet-based systems”…how about layered security for ALL Internet-based systems? (Late edit – the guidance does recommend layered security for both retail and business banking customers, but only “consistent with the risk” for retail customers. More prescriptive guidance on distinguishing a high-risk retail customer from a low-risk retail customer would have been beneficial here.)
“The Agencies expect that an institution’s layered security program will contain the following two elements, at a minimum.
Detect and Respond to Suspicious Activity”. NO, NO, NO, the FFIEC has previously stated that layered security programs must contain ALL THREE types of controls: preventive, detective and corrective. The omission of preventive controls is particularly puzzling because in the section on Control of Administrative Functions it states “For example, a preventive control could include…An example of a detective control could include…”. Preventive controls are the least expensive to implement, and by far the most effective. It’s such a glaring error that I’m inclined to believe it was a typo.
Risk Assessments for Financial Institutions: The final release changed an “and” to an “or”, possibly introducing some confusion. Here is what the draft release said:
“Financial institutions should review and update their existing risk assessments as new information becomes available, focusing on authentication and related controls at least every twelve months and prior to implementing new electronic financial services.”
The final release says:
“Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months”
The final guidance might be misinterpreted to suggest that conducting risk assessments every 12 months is an either/or situation instead of a minimum requirement.
Risk Assessments for Customers: “A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically” Really? Nothing stronger than a suggestion? This should be a requirement.
Odd:
Specific Supervisory Expectation – Risk Assessments: Original draft: “…financial institutions should perform periodic risk assessments and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks, including consideration of new and evolving threats to customers’ online accounts.”
Final release: “…financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks.”
Not sure why the verbiage changed there, but I don’t perceive any change in meaning…I actually liked the original verbiage better.
General Supervisory Expectations: This verbiage appeared in both the draft and final version, and it is this final odd observation that disturbs me the most…”The concept of customer authentication…is broad. It includes more than the initial authentication of the customer when he/she connects to the financial institution at login.” It would be extremely instructive here to define the “concept” by focusing on what it is, and not what it’s not. Specifically, what more does the concept include beyond initial authentication? The authentication of the transaction itself? The transmission of the transaction through the Internet? All interaction of the user with the interface? The processing of the transaction at the financial institution and/or payment provider? By defining the concept only as “broad”, by saying that it includes more than the initial authentication, this guidance has the potential of expanding the liability of the financial institution, and I can easily see this used in a future legal proceeding to obfuscate the lines of responsibility*.
In the end, although the basics of the guidance are sound, I was disappointed that it didn’t go further. I will repeat what I said back in February: the guidance is still behind the curve on this issue, and institutions simply have too much to lose. Implement additional preventive controls at the merchant side, additional controls at the institution side (such as dual authorization, out-of-band, positive pay, etc.), conduct annual (or more frequent) risk assessments, and most of all, educate everyone on basic security best practices.