FFIEC Risk Assessments Are Priority
Regulators Also Want to See Banks' Plans for Investments
Financial institutions are focusing a great deal of their attention on risk assessments. And that's exactly what regulatory examiners reviewing institutions for conformance with the FFIEC's updated Authentication Guidance want to see, says Doug Johnson, who oversees risk management policy for the American Bankers Association.
"Clearly, the examination process is leaving institutions with an impression that they should be swiftly moving forward; that there is no need for conformance today, but that the right people within the institution have to be involved in that process," Johnson says in an interview with BankInfoSecurity's Tracy Kitten (transcript below). "They need a plan for getting those [people] in place."
The FFIEC wants banks and credit unions to demonstrate that they are taking a balanced approach to security, and that they have ongoing plans to maintain a high level of security that involves layers and continuous upgrades, says Johnson, who's been speaking with banks and regulators about where the industry stands on FFIEC conformance.
During this interview, Johnson discusses:
- How investments in customer education and technology are shaping strategies for FFIEC conformance;
- What the ABA is doing to educate banks about emerging fraud threats; and
- How banks will play key roles in the security of mobile payments.
Johnson leads the ABA's enterprise risk and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources to deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and serves on the BITS/Financial Services Roundtable Security Steering Committee.
New Tech Investments
TRACY KITTEN: Doug, what changes have you seen banks making over the last 24 months in the approaches and technologies they've invested in to curb phishing attacks and enhance customer education?
DOUG JOHNSON: Tracy, one of the things that we've seen is banks really recognizing that their customers, both on the retail as well as the commercial [sides], are increasingly desiring electronic technologies to be able to accomplish transactions they normally used to do on paper. And I think one of the best examples of that is what is happening in the retail space with the over-55 generation. 2011 was the first year the ABA saw the over-55 category actually saying that online banking was their primary delivery channel for financial services.
So I think that speaks volumes, in terms of what financial institutions are facing when it comes to attempting to protect that environment and maintaining confidence in that environment as that growth curve continues.
In response to that, and in response to the Authentication Guidance, I think institutions are looking at a variety of security solutions to attempt to curb those phishing attacks and to enhance customer education as the customer increasingly uses these technologies.
One of the things that we are seeing, particularly at the community-bank level, is decisions being made by a core processor or an Internet banking service provider that provides those security services to the bank. I think at one point in time there was an expectation that it was going to be the core processor and the Internet banking service provider that was going to be providing those technologies. But community banks are now recognizing that, in response to customer demand as well as new guidance, they have to look at other third parties to add on additional services, whether they be anomaly detection or out-of-band authentication, which may or may not be available through their core processor.
I think that we'll see core processors trying to respond to that by developing relationships with those third parties in some fashion and essentially the banking industry demanding that occurs. Banks understand they absolutely have to use these other technologies, because it is all about having a variety of layers of security ... that is needed to protect the environment.
Curbing ACH/Wire Fraud
KITTEN: I also wanted to ask about how banks are responding to some of these incidents of corporate and consumer account take-over that we've seen in the industry. It sounds like institutions are looking at a variety of solutions and also talking with core processors.
JOHNSON: Absolutely. It takes a village. There is no question about it. And I think one of the things that demonstrates, frankly, how well banks have responded to the incidents of corporate and consumer account take-over are some data points which indicate that banks are doing a better job of really trying to keep those attacks from being successful. One data point comes out of the Financial Services Information Sharing and Analysis Center survey. ... Back in 2009, among the banks that were surveyed, the percentage of corporate account takeover attempts where monetary transactions were created was around 70 percent. That has decreased to 32 percent in 2011, so we've had a substantial decrease in the percentage of successful cases associated with corporate account takeover in the face of an increasing threat.
That speaks to what financial institutions have always done - and that is to ensure that they are aware of the threats and that they take the mitigating measures to counteract those threats. We've seen that in the paper environment. We now see that in the electronic environment as well; so I think that is a really good measure of response. Those are the institutions that are very aware of the threat and are doing a lot to counteract the threat - and those are the ones that had the desire to respond to the survey. One of the obligations we as a trade association have is to ensure that the word gets out to the financial institution environment so that all institutions are aware of the threat.
FFIEC Authentication Guidance
KITTEN: I wanted to also ask about the FFIEC's updated Authentication Guidance. Financial institutions are making investments in anti-fraud technologies that address phishing and more customer education, of course, and those are both tenets noted by the FFIEC. How well do you believe, Doug, banks understand and currently conform to that updated guidance?
JOHNSON: I think that it varies substantially, just like any population of companies would vary. We have some institutions that are very well positioned to deal with the requirements of the guidance. What I have seen in the majority of institutions is a lot of energy around the risk assessment process. So I think one thing that I compliment the agencies on is really going back to the 2005 guidance and saying, "You know, we told you this in 2005. We meant it in 2005. What we meant was that a risk assessment of a dynamic nature is key, in order to protect the environment."
The questions that we get do relate to, "How do I, as an institution, really appropriately build that risk assessment and make that a dynamic process so that I am continually looking at how threats are changing?" I think that is a good exercise. It is a good exercise to maintain customer confidence within the entire environment. But the other piece of that is that when you mention customer education, it does take a partnership between the bank and the customer in order to protect the environment. And so what I see institutions doing as well is really thinking very carefully about how they accomplish that customer education.
Yesterday at lunch I was with a senior manager of one of our local institutions and he was asking some of those very questions. That is why he invited us over to the bank, to really talk through, "How do we make the customer aware of the threats that are in the environment, while also giving them the tools to be able to withstand that threat, show what options they have, whether that be at a stand-alone PC or dual authorization or positive pay, whatever? How should they be utilizing tools in concert with the financial institution's tools to protect the environment?"
I think that is the effective approach in the customer education vein: to ensure that the customers are aware that the bank has their back, first and foremost, but that they also have a role to play and need to invest in tools that help them perform that role. Those are the two things that are driving some of the investments - the anti-fraud technologies and ensuring that some of those technologies are available and are cost-effective. The guidance gives community banks, in particular, the ability to put in internal controls and other potentially lower-cost solutions than having to always look to technology.
KITTEN: Doug, have you talked to any institutions that have actually undergone or are in the process of examinations for conformance?
JOHNSON: I have, through our various working groups and committees here at ABA, which are composed of bankers that are in the information security/cybersecurity space. Serving on these groups and committees gives the banks the opportunity to compare notes, if you will, associated with what their examination experience has been. It again has been all over the map. The consistent voice from the examiners has been: "What is your plan going forward?" I think the agencies want to see that the risk assessment is either complete or well under way, and that there is a reasonable and rational path forward through the balance of this year and into next year associated with the ramping up of any of the additional security measures that have been recommended, based upon how the banks see the threat environment changing or where they see some vulnerabilities.
Clearly, the examination process is leaving institutions with an impression that they should be swiftly moving forward; that there is no need for conformance today, but that the right people within the institution have to be involved in that process, and there has to be a reasonable expectation of those various authentication measures that may be additional to what is already in place. They need a plan for getting those in place.
KITTEN: And then what about mobile banking concerns, as they relate to the guidance? Do you think any additional guidance is needed, as it might relate specifically to mobile?
JOHNSON: Tracy, one of the things that I'm finding very interesting about mobile is that it is becoming, and will become, increasingly difficult to separate mobile from online. If you look at the recent announcement by Microsoft, and the announcement by Google as recently as yesterday associated with the new tablets, the Windows-based applications will not just be mobile. There will be various versions of Windows 8, which will be across, essentially, three platforms, and there will be a lot of interoperability between those three. So I think what that creates is a desire to build a seamless environment - the threats kind of converge, associated with each of those platforms. That is a helpful way to think about this holistic environment that is being created, as opposed to thinking about mobile separately. That is good news, because it doesn't mean that you have to sit there and worry about independent threats to three independent platforms.
From the guidance standpoint, I think that fits well into the existing guidance, as opposed to needing additional guidance, and that is consistent with the agencies. Not to speak for them, but I think that is what they are seeing as well. We'll see whether or not they feel a need to do something additional, as it relates to mobile, because there are certain vulnerabilities related to out-of-band communication that are affected when you talk about that integrative platform. Is it truly out-of-band communication, when you know the phone has some level of integration on a software basis with the rest of the platform? So I think there are certain things that need to be thought through. But what I've seen with the agencies is that they've had a process whereby they've pulled in banks ... and service providers for conversations to really understand the environment before they launch forward into the brave world of new guidance. So, we'll see where they go; but I think there is a lot in the Authentication Guidance that also relates to mobile at this point.