New FFIEC Guidelines: What’s Missing?

Last updated: 19 March 2014

Last week I blogged about how the new Federal Financial Institutions Examination Council (FFIEC) guidelines were highly welcome and outlined what issues they would help address. Today I am continuing with the series on these guidelines by outlining what else they could (and perhaps should) have included.

As identified, customer education is critical. However, there should be a bigger focus on ensuring that customers actually read the education components, instead of treating them as secondary to the security process. Considering the percentage of customers who never read a statement, this is unlikely to be successful on its own, and more needs to be done.

The component that specifically mentions potentially compromised customer devices is a new and interesting addition, but could certainly go further. For an effective practice, you should assume the customer's device is compromised instead of worrying about figuring it out. When you operate under that premise, you can pre-empt a lot of problems. Another possibility would be to encourage banks to consider how they can assist those who may not have virus protection or malware defenses. It is a good start and some progressive banks will move in this direction – we hope.

It is disappointing, but expected, that the guidelines did not expand on recommendations to protect the more vulnerable: in particular, retail users, SMBs, municipalities, and non-profits. These are the groups that are the least "internet savvy" and most vulnerable to low-tech attacks that are common and still easy to execute – "low hanging fruit" for hackers, according to Forrester's John Kindervag. The vulnerable need the most protection – not simply those with the most money.

It is also strange that size or number of ACH/wire transactions is what the FFIEC claims creates more risk. In fact, it is not the size of the transaction that creates risk, but the speed with which it settles. Wire transactions were attacked first because you can move large amounts fast; if a wire were as slow as a check, it would not have been attacked. ACH was attacked second – it also settles fast, and because it moves in large batches it is difficult to validate specific transactions. The risk of ACH/wire is that they settle fast, so they need to be protected in real time – not with analytics that can take too long to act upon. This is also why retail is not widely attacked – transactions take too long to settle (and customer balances are smaller).

In all, the guidance provides a nice "next step" but, again, lacks real teeth. Other countries are already introducing stringent guidelines. Singapore has mandated two-factor authentication (2FA) for home banking, meaning everyone has to use a token, and Germany has introduced the Ezio Optical Reader, which sits alongside your bank card in your wallet for convenient multi-factor authentication.

That said, the FFIEC guidelines provide a good reminder for banks to “do something.”