Tag: Reg E

14 Jan 2011

FFIEC to issue updated authentication guidance?

I’ve been hearing this rumor for a while now, but we may actually be seeing something new from the FFIEC soon.  Gartner is the latest to suggest that an update to the 2005 guidance on authentication is imminent.

In addition to updating it for technological advances since 2005 (Facebook and LinkedIn were in their infancy, and Twitter hadn’t even been launched), I hope it also addresses the increasing responsibility held by the customer (both commercial and consumer) for data security. I continue to believe that there should be shared responsibility, and liability, for establishing and maintaining a secure electronic banking environment.

Reg. E protects the consumer, and so far the courts have held overwhelmingly in favor of the commercial customer as well.  Will regulators extend Reg. E to commercial accounts, or place more responsibility on the customer?  Could the new guidance further define “commercially reasonable”?

My guess is that we may not see much clarification on these issues, but we are likely to see additional burdens placed on the financial institution.  For example, don’t be surprised to see customer education become more prescriptive, with the financial institution being responsible for it.

Stay tuned!

18 Oct 2010

Reg. E reform and RDC

I recently ran across an excellent post on this topic regarding the fact that even though Reg. E does not currently treat corporate and municipal accounts the same as consumer accounts, they do, in fact, pose the same risk to the financial institution. As the original post on Krebs’ site points out, why should the proposed changes to Reg. E stop at municipalities? Corporate accounts are being targeted as well, and recent corporation vs. FI court cases are being decided (or quietly settled) in favor of the corporation. FIs would be wise to regard remote capture devices and ACH/wire origination devices as de facto extensions of their own network. Once the true risk of these remote devices is understood, how many FIs would find the residual risk acceptable?

The only alternative is to implement additional controls (beyond a strong contract) designed to educate the customer on security basics, and monitor the security status of their devices.