
Good, Bad and Ugly of the New FFIEC Guidance on Banking Security

THE GOOD: Layered security instead of authentication alone
Gartner’s Litan thought it great that the document made it clear "that virtually every authentication technique can be compromised." She believes the FFIEC’s emphasis on urging banks to implement layered security, rather than relying on authentication alone, is a big improvement.


THE GOOD: Advice on risk assessments
The document offers good leadership in promoting the updating of risk assessments "and what environmental and customer changes to take into account when doing so," Litan says.


THE GOOD: Focus on risk management
Litan says that promoting a "risk-based approach where controls are strengthened as risk increases" will greatly help banks face threats.


THE GOOD: Added focus on business banking
Last time the guidance came around, the FFIEC didn’t differentiate between consumer and business banking customers, leading some within the financial sector to think they only needed to worry about consumer accounts. Litan says the agency did well to mention businesses this time around.


THE GOOD: Added best practices not tied to specific technology
The FFIEC added more process-oriented input to security strategies for banks this time, "including the use of ‘positive pay’, debit blocks, dual customer authorization, etc., and does not focus solely on technology measures," Litan says.


THE GOOD: Specifies details needed to better rein in privileged access
Last time around, the FFIEC didn’t so much as mention privileged user accounts. Litan says the new word from the agency does a better job of laying out the controls needed there.


THE GOOD: Offers a wake-up call that old tools and practices don’t cut it anymore
In this guidance the FFIEC was very forthright about the shortcomings of the old security regime. By calling out simple device identification and challenge questions as weak protections, the agency does banks a favor, Litan says.


THE BAD: Too many trigger clauses
"Its wording is too wishy-washy when it comes to delineating bank responsibility from customer responsibility," Litan says. "It uses words like ‘could have prevented’ or ‘suggestion’ too often. The regulators should be more matter-of-fact in setting out the guidelines and principles."


THE BAD: Small banks that don’t do their own security are left in the dark
Small banks make up 80 percent of the U.S. bank population, and they usually depend on third-party services to administer online banking and its security. Yet there’s no mention of them in this document. "Where’s the guidance for them?" Litan asks.


THE BAD: Customer education still inadequately discussed
While the guidance does say banks need to explain to customers the protections they use, it doesn’t really specify how they should do that.


THE UGLY: It still isn’t future-proofed
Yes, it is hard to do, but the FFIEC still isn’t looking forward with this document, Litan says. "Surely the threats will change substantially over the next five years," Litan warns, adding that there’s not enough discussion of how the mobile environment will change the online banking game. "Given that the guidance is specific in its discussion about the techniques used to prevent yesterday’s attacks, it should devote more time describing how those attacks are likely to change."
