One of the big “must do” take-aways from the updated FFIEC Authentication Guidance was the requirement for all institutions to conduct risk assessments. Not just prior to implementing electronic banking services, but periodically throughout the relationship if certain factors change, such as:
- changes in the internal and external threat environment, including those discussed in the Appendix to this Supplement;
- changes in the customer base adopting electronic banking;
- changes in the customer functionality offered through electronic banking;
- and actual incidents of security breaches, identity theft, or fraud experienced by the institution or industry.
The guidance also mandated annual re-assessments if none of these previous factors change, but given the increasingly hostile on-line environment it’s really a question of ‘when’ actual incidents occur, not ‘if’. That being the case, if you only update your risk assessment annually the regulators could reasonably take the position that you’re not doing it often enough.
So risk assessments must occur “routinely”, but what is the best way to approach them? Although the guidance does not specify a particular approach, it might be instructive to take a look at what the FFIEC has to say about Information Security and Disaster Recovery, both of which require (separate) risk assessments. In both cases the FFIEC encourages that you approach the task by analyzing the probability and impact of the threat, not the nature of the threat. This makes perfect sense. By shifting the focus of your risk assessment off of the moving target of the constantly changing threat environment, and on to strengthening the overall security of your Internet-based services1, you can build a secure transaction environment that will scale and evolve as you grow. Here is the critical difference between the two approaches; if you take a “nature-of-the-threat” approach, you must list every possible specific threat both existing and reasonably anticipated2. It doesn’t work very well for disaster recovery or information security risk assessments, and in my opinion it is not the best approach for Internet banking either.
Although certainly not the only way to do the risk assessment, I would recommend a 2-step approach that addresses most if not all of the updated FFIEC guidelines. Step 1 of this approach is to assess the overall risk of your products by listing the capabilities and controls for each one. As a part of that step you would determine how many customers use the product, and then also how many of those you consider to be “high-risk” as defined by high transaction frequency and high dollar amount. In Step 2 you should list those high-risk customers you identified in step 1 separately, along with the associated controls you plan to implement for each one.
Again, there is no one single way to do this correctly. Whatever you do should be consistent with the size and complexity of your institution, and the nature and scope of your Internet banking operations. Good luck!
1 Although other regulations and guidelines address financial institutions’ responsibilities to protect customer information and prevent identity theft, this guidance specifically addresses Internet authentication, and should be the primary focus of this risk assessment.
2 You must still re-assess if either you or the industry experience any actual incidents, but instead of adding a new threat to your risk assessment, you simply determine if your existing control environment is sufficient to address the impact of the threat. In other words, you re-assess for the impact, not the nature of the threat.