Initial Commentary on the FFIEC Internet Banking Guidance FAQs
As with all federal-level guidance publications, as well as federal-level legislation, it is not expedient to recommend specific technologies to solve the problem, whatever that problem is. The problem before the Internet banking industry is one of weak authentication. The problem can be solved in a number of ways with a number of technologies, and one way is not necessarily recognized to be better than another. Technology changes and morphs, seemingly at the speed of light, leaving the solutions of 2001 pre-empted by the solutions of 2006.
There have been a number of early adopters of multi-factor authentication. The leaders in the financial services industry have been planning for quite some time to move towards stronger authentication and were ready to move forward when the FFIEC began publishing guidance documents. There were significant financial investments made in new technologies, departments were created, and people were hired. Others held back and watched. Many financial institutions do not have the capital to invest in cutting edge technology and must wait until tried and true solutions emerge.
The FAQs focus on Internet banking, but the principles also apply to all forms of electronic banking, including telephone banking systems. While the Agencies do not mandate particular solutions, they stress the principles of best practices in securing customer information. The requirement is not to implement multi-factor authentication per se, but to use several methods to mitigate risk. For instance, if single-factor authentication is the only control mechanism, with no other control mechanisms in place, it is not considered "enough".
Even if an institution acquired an external security assessment and the results of that assessment stated that existing controls were sufficient, and if that institution used only single-factor authentication for high-risk transactions, then the conclusions of the security assessment could not be justified. The emphasis, again, is on "high-risk transactions that involve the movement of funds to other parties and access to customer information".
While there has been a significant increase in incidents of fraud, including identity theft, not all incidents relate strictly to Internet banking. Most incidents of identity theft have been related to theft in the physical sense: theft of information and theft of equipment that stores customer information. There is also the problem of e-commerce, the use of debit and credit cards over the Internet. The FAQs do not attempt to address these problems.
The guidance suggests that financial institutions not skip the step of a risk assessment and jump into implementing particular controls. That's just good advice. How can you implement controls if you are not clear on what the particular risks are in any given area of the transaction environment?
Financial institutions are advised to consider the risks of phishing, pharming, and malware. This is interesting because many financial institutions consider this to be the responsibility of the customer. It sounds like that responsibility has been put squarely back in the lap of the customer's financial institution. This is a good thing for customers, but requires more work on the part of the financial institution.
In regard to customers, institutions may not permit customers to "opt out" of additional authentication controls, but may permit customers to choose between the different authentication options offered. Institutions must also provide a customer awareness program. This can be implemented in a number of ways. I noticed recently that my institution immediately took me to a particular page when I logged in, asking me to read the material and click to continue. You can easily skip past the page, but it was a nice effort to inform on the institution's part and did not cause me any undue time commitment. I appreciated the effort.
While the FFIEC did a good job of answering the most common questions, the answers to the problem are not clear-cut and the absolute path is not known. The important thing to take away is that the risk assessment is clearly an absolute requirement, identifying high-risk transactions is an absolute requirement, and safeguarding those high-risk transactions with more than single-factor authentication is an absolute requirement. Other than that, selecting and implementing the right technology solutions is up to the financial institutions themselves.