On the Road to FFIEC Compliance
Today’s fraudsters are more agile and adaptive than ever before. Their techniques frequently outpace defensive innovation, and fraud continues to be a daunting threat to financial institutions.
With new technologies emerging every day, it is critical for organizations to harden their systems against fraud, so that a breach causes minimal loss and clients get a secure experience.
Changing regulations and updated guidelines from the FFIEC are intended to help with this, but sometimes they only add to the confusion.
According to a recent BankInfoSecurity survey, 29% of the 200 financial leaders surveyed said that they still don’t understand what regulators want in terms of FFIEC conformance, and 88% don’t believe conformance will do much to curb online fraud.
We need to reach a landscape where organizations have a clear understanding of compliance requirements, how these will bolster their security and what more they can do to go beyond simply checking boxes off a guideline list. It’s critical to be able to adapt to new risks and attack vectors, and FFIEC compliance is the first step in thwarting these threats.
To help smooth the journey ahead, here are five of the necessary steps organizations need to take to navigate the road to compliance.
Risk Assessment: The first step to FFIEC compliance – and a robust fraud prevention program – is to conduct periodic risk assessments. It’s important to know what you’re up against; fraud threats, especially in the online world, evolve rapidly, and your organization needs to adapt as new threats emerge. This also includes understanding the impact of changes in the banking ecosystem such as the increased adoption of mobile banking and shifting use patterns of your customer base.
Layered Security: Once you’ve assessed the current threat landscape and your organization’s vulnerabilities, constructing your security strategy is the next step. Taking a layered approach to security ensures that your organization maintains comprehensive threat protection even if one control fails or is bypassed; no single authentication step, threshold or monitoring rule should be the only thing standing between an attacker and a payment.
This approach should combine a variety of authentication techniques (such as dual customer authorization, with the second approval performed by a different user from a different device, and out-of-band verification for transactions), account activity controls (such as “positive pay,” transaction value and frequency thresholds, allowable payment windows, control over account maintenance activities performed by customers or service channels, etc.) and policies and practices such as customer history monitoring and effective customer education.
Vigilant Monitoring: Even the best security solutions won’t do much good without monitoring and analysis to respond to threats when they are identified. With security systems and protocols in place, vigilant monitoring of transactions, customer behavior patterns, account activity and access to admin functions can reveal anomalies and possible threats in progress, as well as potential areas of future vulnerability. Monitoring only pays off if someone is assigned to act on the alerts within a defined time window.
Complex Device Identification: Device identification supplies one of the signals for multifactor authentication and transaction verification. It’s critical that the solution you rely on goes beyond cookies or IP address alone (both are trivially copied, reset or spoofed) and takes into account device-specific parameters in order to detect compromised or fraudulent devices. Even a rich device fingerprint can be replayed by malware on the customer’s own machine, so treat an unrecognized or changed device as a reason to step up authentication (for example, out-of-band verification), not as proof of identity in its own right.
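The following is an added illustration of how the layered account-activity controls, transaction monitoring and device checks from the three steps above fit together in code; it is not code from the original article or from any FFIEC document. Every control runs independently over a constructed batch of payments, so one bypassed layer never silences the others, and an unknown device leads to out-of-band step-up rather than an outright block. The policy values, account, device and payee names and the sample transactions are all hypothetical.

```python
"""Added example (not from the article or any FFIEC text): a small
rule evaluator that applies value/frequency thresholds, an allowable
payment window, a positive-pay payee list, dual customer authorization
and device-fingerprint recognition to a constructed batch of payments."""

from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-account policy. In production these come from the
# account's risk tier and the customer's own configured limits.
POLICY = {
    "max_amount": 10_000.00,       # single-transaction value threshold
    "max_per_day": 3,              # frequency threshold, rolling 24 hours
    "payment_window": (8, 18),     # allowable local hours [08:00, 18:00)
    "dual_auth_above": 5_000.00,   # second approver required above this
    "approved_payees": {"ACME-SUPPLY", "PAYROLL-CO"},  # positive pay
}

# Device fingerprints previously enrolled per account (hypothetical).
KNOWN_DEVICES = {"acct-1001": {"fp-laptop-a1"}}


def evaluate(txns, policy=POLICY, known_devices=KNOWN_DEVICES):
    """Run every control over the batch and return {txn_id: [flags]}.
    Each control is an independent layer that appends its own flag."""
    flags = defaultdict(list)
    history = defaultdict(list)  # account -> timestamps seen (velocity)
    for t in sorted(txns, key=lambda x: x["ts"]):
        acct, tid = t["account"], t["id"]
        # Layer 1: single-transaction value threshold
        if t["amount"] > policy["max_amount"]:
            flags[tid].append("over_value_threshold")
        # Layer 2: frequency threshold over a rolling 24-hour window
        window_start = t["ts"] - timedelta(hours=24)
        history[acct] = [ts for ts in history[acct] if ts > window_start]
        history[acct].append(t["ts"])
        if len(history[acct]) > policy["max_per_day"]:
            flags[tid].append("velocity_exceeded")
        # Layer 3: allowable payment window
        lo, hi = policy["payment_window"]
        if not (lo <= t["ts"].hour < hi):
            flags[tid].append("outside_payment_window")
        # Layer 4: positive pay, the payee must be pre-approved
        if t["payee"] not in policy["approved_payees"]:
            flags[tid].append("payee_not_approved")
        # Layer 5: dual customer authorization for large payments; the
        # approver must be a different user on a different device
        if t["amount"] > policy["dual_auth_above"]:
            appr = t.get("approval")
            if (not appr or appr["user"] == t["user"]
                    or appr["device"] == t["device"]):
                flags[tid].append("dual_authorization_missing")
        # Layer 6: device identification beyond cookie/IP; an unenrolled
        # fingerprint asks for out-of-band verification, not a block
        if t["device"] not in known_devices.get(acct, set()):
            flags[tid].append("unknown_device_require_oob")
    return {t["id"]: flags[t["id"]] for t in txns}


def decision(flag_list):
    """Map accumulated flags to an action: any hard control failure
    blocks and alerts; an unknown device alone steps up to out-of-band."""
    hard = {"over_value_threshold", "velocity_exceeded",
            "outside_payment_window", "payee_not_approved",
            "dual_authorization_missing"}
    if hard & set(flag_list):
        return "block_and_alert"
    if "unknown_device_require_oob" in flag_list:
        return "step_up_oob"
    return "allow"


# Constructed sample batch (not real data).
base = datetime(2024, 3, 4, 9, 0)
SAMPLE = [
    {"id": "t1", "account": "acct-1001", "user": "alice", "device": "fp-laptop-a1",
     "payee": "ACME-SUPPLY", "amount": 1200.00, "ts": base},
    {"id": "t2", "account": "acct-1001", "user": "alice", "device": "fp-laptop-a1",
     "payee": "PAYROLL-CO", "amount": 7500.00, "ts": base + timedelta(hours=1),
     "approval": {"user": "bob", "device": "fp-phone-b2"}},
    # Fourth payment in 24h, after hours, new payee, self-approved, new device
    {"id": "t3", "account": "acct-1001", "user": "alice", "device": "fp-unknown-9z",
     "payee": "NEWCO-LTD", "amount": 9800.00, "ts": base + timedelta(hours=14),
     "approval": {"user": "alice", "device": "fp-unknown-9z"}},
    {"id": "t4", "account": "acct-1001", "user": "alice", "device": "fp-laptop-a1",
     "payee": "ACME-SUPPLY", "amount": 300.00, "ts": base + timedelta(hours=3)},
    # Small, in-policy payment from an account with no enrolled devices
    {"id": "t5", "account": "acct-1002", "user": "carol", "device": "fp-tablet-c3",
     "payee": "ACME-SUPPLY", "amount": 50.00, "ts": base + timedelta(hours=2)},
]

if __name__ == "__main__":
    for tid, fl in evaluate(SAMPLE).items():
        print(tid, decision(fl), fl)
```

In the sample batch, t3 trips five layers at once even though its amount sits under the single-transaction ceiling, which is exactly the point of layering: a fraudster who has learned one limit still collides with the others. t5 is clean apart from an unrecognized device, so it is stepped up to out-of-band verification instead of being blocked or silently allowed.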
Customer Awareness and Education: Through effective communication and education, your customers can become another line of defense. Make sure that customers know under what circumstances, if any, your organization may contact them unsolicited and ask for their banking credentials, so that any request outside those circumstances is immediately recognizable as fraud. Remind them of the resources available for additional risk mitigation they can implement themselves, and of how to sound an alert if they notice suspicious account activity or experience a customer information security-related event.
Compliance can be a complex and time-consuming task, but adhering to FFIEC guidelines is an excellent way to ensure your organization is maintaining stringent security measures and staying abreast of developments in both the threat landscape and in the technology and solutions available to combat risks.
Following these five steps of risk assessment, layered security, vigilant monitoring, complex device identification and customer awareness and education, you and your organization should have safe travels on the road to FFIEC compliance.