Citi data breach shows need for new FFIEC regulations

Last updated: 19 March 2014

Last week’s data breach at Citibank, which is said to have compromised the personal details of up to 200,000 consumers, was followed on Monday by a reported hack at the International Monetary Fund (IMF). Serious incidents at two of the world’s most high-profile financial institutions within a matter of days of one another have once again highlighted the need for new legislation to govern online financial services and ensure that adequate authentication is in place.

The Federal Financial Institutions Examination Council (FFIEC) is expected to soon publish new guidelines on how banks handle their authentication processes, and not before time. Its last set of guidelines was published in 2005, and since then an awful lot has changed.

If you had the opportunity to set these new guidelines, what would you look to achieve? Here are my thoughts on three key aims and innovations which the FFIEC should be thinking about:

1. Switching the focus from compliance to security

When the FFIEC issued its first set of guidelines in 2005 it had an unexpected result – it created an atmosphere in which many businesses became more focused on compliance than on security. Instead of approaching the topic of customer security from the standpoint of “what are we delivering to our customers online and how should we protect them?”, many instead thought: “what do I have to do to get an examiner off my back?”

In short, they lost sight of the original goals of the guidelines, and as a consequence many security solutions were implemented with the aim of complying, rather than protecting. The new changes are a chance to make clear the intent of the guidance – to actually protect online customers, and not simply to satisfy auditors.

2. Name and shame

Next, the changes must ensure more serious consequences for organisations which do experience security breaches. For some banks, online fraud has been viewed simply as a “cost of doing business”, but it is also a well-kept secret.

Setting up a centralized, publicly accessible list of banks that have suffered attacks would help prospective and existing customers to see how well their banks have adjusted their security policies to adapt to online threats. If banks knew that their reputation and customer base could be directly affected by each breach they suffered, they would almost certainly be more diligent in their security processes.

3. Special protection for Not-for-Profit Organisations

The guidance should also include special protection for municipalities, churches and other Not-for-Profit organizations. These are organizations that are likely to be using corporate banking products online and, as a consequence, are likely not to be covered under Regulation E (Reg E). Like many small organisations, they are particularly vulnerable to any monetary loss and lack the technical know-how to understand the threats that exist in the space.

It is important to note that the goal of these suggestions is not to punish anyone. Quite the opposite – it is to change the way that security is viewed in the banking industry. Security MUST become a part of our online experience, and it must be accepted, in the same way customers have accepted having to use a password or a PIN. It must also be remembered that some authentication measures (such as the IMF’s use of RSA SecurID tokens) may not be sophisticated enough to deal with modern threats, so the industry must continue to innovate or risk being left behind.

Mobile will have a big role to play in the industry’s future, and I’ll be sharing my thoughts on this in a separate post in a few days’ time. In the meantime, we’d love to hear your thoughts on what the FFIEC should be doing to prevent another breach on the scale of those at Citibank and the IMF.