New FFIEC Guidelines: What They Got Right

A fortnight ago, I speculated on the next set of Federal Financial Institutions Examination Council (FFIEC) guidelines, and what they might mean for security and authentication in the online banking industry. Last week, these guidelines were finally unveiled.

Various experts have already had their say on the new recommendations, with Brian Krebs questioning whether it would provide sufficient protection for SMEs, and Gartner’s Avivah Litan pointing out that it provides no guidance to service providers to whom banks may outsource their security. Both also note, though, that it is a step in the right direction.

So what has the FFIEC got right, and where has it missed an opportunity? Here are my thoughts on where they have made progress:

Firstly, it is good to see that the new guidelines specifically mention the rising threat of MITM/MITB (‘man in the middle’ or ‘man in the browser’) attacks, and highlight that these can compromise simple one-time password (OTP) solutions. This will be a somewhat painful point for some banks, but one that illustrates the need to implement transaction-signing OTP solutions for high-risk transactions.
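To make the distinction concrete, here is an added illustration (not from the original post, and not any bank's or vendor's code) of why a plain OTP survives a browser-side alteration of the payment while a transaction-signing OTP does not. It assumes an HMAC-SHA256 construction and uses constructed secret, time step and payment values.

```python
import hmac
import hashlib

# Shared secret provisioned to the customer's token and the bank (constructed demo value)
SEED = b"constructed-demo-seed"
DIGITS = 6


def _truncate(mac: bytes) -> str:
    # HOTP-style truncation of the MAC to a six-digit code
    return f"{int.from_bytes(mac[:4], 'big') % 10**DIGITS:0{DIGITS}d}"


def simple_otp(secret: bytes, step: int) -> str:
    # A plain OTP depends only on the secret and the time step; it says nothing about the payment
    return _truncate(hmac.new(secret, step.to_bytes(8, "big"), hashlib.sha256).digest())


def signing_otp(secret: bytes, step: int, payee: str, amount_cents: int) -> str:
    # A transaction-signing OTP also covers the payee and amount the customer confirmed on the token
    msg = step.to_bytes(8, "big") + payee.encode() + b"|" + amount_cents.to_bytes(8, "big")
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(mode: str, step: int, payee: str, amount_cents: int, code: str) -> bool:
    # The bank recomputes the code over the transaction details it actually received
    if mode == "simple":
        expected = simple_otp(SEED, step)
    else:
        expected = signing_otp(SEED, step, payee, amount_cents)
    return hmac.compare_digest(expected, code)


def run_scenario(mode: str, tampered: bool) -> bool:
    """Customer approves one payment; if tampered, the details reaching the bank differ from
    what was approved (the MITB case the guidelines warn about). Returns whether the bank
    accepts the submitted transaction."""
    step = 1234  # constructed time step
    approved = ("ACME Supplies", 50_000)  # what the customer meant to pay
    submitted = ("Other Account", 950_000) if tampered else approved
    if mode == "simple":
        code = simple_otp(SEED, step)
    else:
        code = signing_otp(SEED, step, *approved)  # token signs what the customer confirmed
    return bank_accepts(mode, step, *submitted, code)


if __name__ == "__main__":
    for mode in ("simple", "signing"):
        for tampered in (False, True):
            print(mode, "tampered" if tampered else "honest", "->", run_scenario(mode, tampered))
```

With the simple OTP the altered payment is accepted, because the code is valid for any transaction in that time step; with the signing OTP the bank's recomputation over the altered details no longer matches, so the payment is rejected.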

Secondly, the increased focus on risk assessment is also to be welcomed.  This is an absolutely essential process and one that must continue to evolve – the threat landscape is not static, so the process of evaluating threats to systems and customers must also change.  Someone must own this process within the bank and the FFIEC is at pains to point out that this should be an expected part of the audit process.  A good step.

Thirdly, the emphasis on layered security is another critical component. Security problems cannot be resolved with one single technological implementation, and it is much more effective to have a layered approach. This could be thought of as a medieval castle, which was protected by a moat, bridge, archers, towers, high walls, etc. One man on horseback cannot defend a whole castle, and likewise, businesses have to layer their defenses to protect against all threats. Of particular note is the emphasis on dual approval of a transaction – an under-utilized and very basic defense but an incredibly effective one.

I’ll shortly be giving my thoughts on where the FFIEC should have gone further, or might have missed a trick. In the meantime though, I’d welcome your thoughts on the new recommendations and how they will be received.