Trends and Challenges With New FFIEC Guidance
Credit unions today face extreme challenges to protect the online security of members and their own institution.
To address those challenges, the FFIEC recently released a supplement to its Authentication in an Internet Banking Environment guidance, which describes customer authentication, layered security and other controls in the increasingly volatile online environment.
Where Does Multifactor Fit?
While multifactor authentication is an essential component of the FFIEC’s guidance, the supplement’s primary focus is on preventing rootkit-based malware, conducting stronger risk assessments, and implementing layered security controls.
In fact, many credit union executives are surprised to learn that multifactor authentication is not required for all online activity. The guidance only mandates multifactor for online business member accounts and other high-risk transactions such as remote deposit capture or remote employee access.
According to a September 2011 study conducted by HEIT, a Computer Services Inc. (CSI) Company, and cbanc Network, 73% of community financial institutions are using multifactor for business accounts, while 37% are using it for high-risk transactions. Interestingly, while not required, 83% of community financial institutions are using multifactor authentication for retail online banking accounts.
At the Heart of the Guidance
The heart of the FFIEC guidance is an attempt to ensure credit unions are taking the necessary steps to protect online access to their systems and member accounts. To ensure compliance with the guidelines, credit unions cannot rely solely on any single control for authorizing high-risk transactions.
Instead, they should institute a system of layered security and review and update their existing risk assessments (1) as new information becomes available, (2) prior to implementing new electronic financial services, and (3) at least every twelve months.
Security in Layers
In addition to the recognized industry approach to adopting a layered security program, the FFIEC expects credit unions to meet the following two minimum requirements for layered security:
- Structure the security of online accounts to detect and respond to suspicious activity at the initial login and during the initiation of any electronic funds transfers
- Enhance control of privileged administration functions for business accounts
While the guidance provides a list of additional layered security controls that should be considered, these two controls are identified as the minimum requirements that must be met.
According to the HEIT and cbanc Network survey of community financial institutions, 50% did not realize the guidance defines two minimum required elements of a layered security program.
In 2012, examiners will be charged with ensuring a process is in place to detect and respond to suspicious activity at initial login to an electronic banking system and at the initiation of electronic transactions involving funds transfers.
Preparing for the 2012 Exam Cycle
Examiners have just completed their training for the pending exam cycle. Credit unions may see an FAQ document released to the industry over the next few months to address many industry questions since the guidance was published.
NCUA examiners will be monitoring these standards beginning January 2012. Credit unions must act now to complete the necessary steps to achieve compliance.
- Review and update your IT risk assessment and consider the new information that is provided in the June 2011 FFIEC Supplemental Authentication Guidance
- Work with your managed service provider, core provider or other online banking solution provider to begin evaluating stronger authentication techniques that can supplement weaker methods such as basic challenge questions or simple device identification
- Consider whether you need to add additional controls throughout your security program, including high-risk transactions, remote employee access to customer data, and business accounts. Where your IT risk assessment identifies similar high risks for retail accounts, you should also consider the use of appropriate multifactor authentication
- Consider adopting a cloud-based managed compliance service as an alternative to project-based compliance initiatives, to cost-effectively support your continued success.
Rethink Traditional Compliance Methods
Traditional manually intensive, project-based, point-in-time, paper-laden compliance and risk management programs just won’t cut it anymore. In 2012, examiners will expect credit union executives to have a process in place to continuously monitor and update their compliance and risk management practices to adjust for new information and changes in the business, compliance, and risk landscape.
Credit unions need visibility and transparency across the entire organization. Furthermore, credit unions will be challenged with taking on more with less, as well as finding access to subject matter expertise and a pool of resources to interpret and implement these and many other new mandates.
Cloud-Based Managed Compliance Services
An innovative alternative to traditional compliance methods is cloud-based managed compliance services. Credit unions already outsource many of their supporting operations to trusted, knowledgeable third parties. Outsourcing compliance is now a realistic and viable option, and perhaps the only cost-effective alternative.
A managed compliance approach lets your institution drive time and cost out of compliance efforts while expanding its team with constant coverage by qualified risk experts, along with comprehensive services and reporting that provide the continuous support needed to manage risk and to achieve, maintain, and prove compliance with all of the FFIEC guidelines.
Paul Reymann is chief risk officer for Fort Collins, Colo.-based HEIT, a CSI Company.