Michael J. McEvoy, Principal, Banking Research, [email protected], 617-243-9500

FFIEC Updated “Guidance” to Financial Institutions (and what it means)

Oct 19, 2014


Presentation at CIO Finance Summit, 2011
Transcript
Page 1: FFIEC Updated “Guidance” to Financial Institutions (and what it means)

Michael J. McEvoy, Principal, Banking Research, [email protected]

FFIEC Updated “Guidance” to Financial Institutions

(and what it means)

Page 2

What It Is

• Minimum steps FIs need to take to protect customer data and prevent online fraud

• Previous “guidance” issued in 2005 and 2001

• New guidance takes effect in January 2012

Page 3

What Prompted the Update

Page 4

Consumer Adoption of Digital Channels Has Been Dramatic

Diagram: Consumer Adoption of Digital Channels → More Online Functionality → Growing Opportunity for Fraudsters

• Novarica/Novantas research shows shift to digital channels

• Banks have improved functionality / transactional capabilities

• Emergence of mobile banking – new challenges ahead

• More users, more activity per user

– Opportunities for online fraud have risen considerably

Page 5

Basic Banking Transactions Now Well Established Online

Page 6

Customers are Turning to Digital Channels for More Complex Transactions

Page 7

Consumer Adoption of Digital Channels Has Been Dramatic


Page 8

Threats Have Become More Sophisticated, Effective and Malicious

• The Internet’s “dark side”

– Easier access to tools to compromise authentication mechanisms

– Phishing, pharming, malware

• Cybercrime complaints have risen dramatically

– Many involve small businesses and municipalities

– ACH and wire transfers by businesses: more frequent, higher value

• Size of opportunity has attracted organized criminal groups

• Broadband penetration rates growing globally – increasing threats from outside the US

Page 9

What Prompted the Update?

Since 2005…

• Customer use of the online channels has grown dramatically

• Threat level has increased

Also, the FDIC says:

• Risk assessments and upgrades were not being done

• FFIEC wanted to “raise the bar”

Page 10

What is in the Update?

Page 11

Three Key Components to the FFIEC’s Approach

Diagram: Risk Assessment / Layered Security / Customer Awareness and Education

• Regular Risk Assessments

– Triggered more frequently

– More comprehensive than in the past

• Layered Security

– Certain controls no longer considered effective

– Additional protections for business customers

– May involve out-of-band verification, dual authorization, account controls, etc.

• Customer Awareness and Education

– Educate customers on steps being taken to protect them

– Alerts to customers for suspicious activities on their accounts

Page 12

More Triggers for Risk Assessments

• Risk Assessments to be Triggered:

– When new information becomes available (e.g. new software threats)

– Before offering new products online / adding significant functionality

– No later than 12 months after previous review

• Risk Assessments to be More Comprehensive than in the Past, to Consider, at a Minimum:

– Changes to internal / external threat environment

– Changes in the customer base for online banking

– Changes in online functionality offered to customers

– Actual incidents of security breaches, identity theft and fraud

• Guidance is more specific than in the past

Page 13

Business Accounts to Require Additional Protection

• Guidance makes a distinction, for the first time, between retail and business accounts

• Business accounts have a higher risk profile

– ACH, wire transfers: more frequent, higher value

• Therefore, controls in place for business accounts need to be stronger

– Additional controls for adding new payees, admins, etc.

– Multifactor authentication should be offered to business customers (for log-in; other types of controls may be adequate after log-in)

Page 14

Layered Security – a New Baseline

• Different controls at different points in the process, so a weakness in one is compensated for by strength in another. Examples:

– Out-of-band verification

– Restrictions on the account (e.g. positive pay, debit blocks)

– Controls on account activities (e.g. number of transactions per day, allowable payment windows)

• At minimum, layered security should include anomaly detection and response:

– At initial customer login, and

– At initiation of funds transfers to other parties
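The controls on this slide (limits on transactions per day, allowable payment windows, payee restrictions, out-of-band verification, dual authorization, and anomaly detection at login and at transfer initiation) can be expressed as independent checks whose outcomes are combined, so a transfer that slips past one layer is still caught by another. The Python below is an added illustration written for this page, not code from the presentation or from any vendor product; the policy thresholds, the account baseline, the helper names (`evaluate_transfer`, `evaluate_login`, `amount_is_anomalous`) and the sample history are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from statistics import mean, pstdev

# Added example for this page (not the presentation's or any vendor's code).
# Every threshold below is a constructed assumption for illustration.


@dataclass
class AccountPolicy:
    """Layered controls configured for one (constructed) business account."""
    max_transfers_per_day: int = 5                      # control on account activity
    payment_window: tuple = (time(8, 0), time(18, 0))   # allowable payment window
    approved_payees: set = field(default_factory=set)   # positive-pay style restriction
    dual_auth_threshold: float = 10_000.0               # above this a second approver is needed
    anomaly_sigmas: float = 3.0                         # deviation from baseline treated as anomalous


@dataclass
class Transfer:
    when: datetime
    amount: float
    payee: str
    approvers: int = 1                   # distinct users who authorised it
    verified_out_of_band: bool = False   # e.g. confirmed by call-back to a number on file


def amount_is_anomalous(amount, history, sigmas):
    """Anomaly detection at transfer initiation: compare with the account's own baseline."""
    if len(history) < 5:          # too little history to model; the other layers still apply
        return False
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return amount != mu
    return abs(amount - mu) > sigmas * sd


def evaluate_transfer(transfer, policy, today_count, history):
    """Run every layer and combine the outcomes: 'hold' beats 'step_up' beats 'allow'.

    Each check records its own reason, so a transfer that passes one layer is
    still caught by any other layer it fails.
    """
    reasons, hold, step_up = [], False, False
    if today_count >= policy.max_transfers_per_day:
        reasons.append("daily transfer limit reached")
        hold = True
    start, end = policy.payment_window
    if not (start <= transfer.when.time() <= end):
        reasons.append("outside allowable payment window")
        hold = True
    if transfer.payee not in policy.approved_payees:
        reasons.append("payee not on approved list")
        if not transfer.verified_out_of_band:
            step_up = True            # out-of-band verification before release
    if transfer.amount > policy.dual_auth_threshold and transfer.approvers < 2:
        reasons.append("dual authorization required")
        step_up = True
    if amount_is_anomalous(transfer.amount, history, policy.anomaly_sigmas):
        reasons.append("amount deviates from account baseline")
        step_up = True
    if hold:
        return "hold", reasons
    if step_up:
        return "step_up", reasons
    return "allow", reasons


def evaluate_login(device_id, location, known_devices):
    """Anomaly detection at initial login: an unknown device, or a known device
    appearing from a new location, gets step-up authentication."""
    if device_id not in known_devices:
        return "step_up", ["unrecognised device"]
    if known_devices[device_id] != location:
        return "step_up", ["known device seen from a new location"]
    return "allow", []


def sample_policy():
    return AccountPolicy(approved_payees={"ACME Supplies", "Payroll Co"})


def sample_history():
    # Constructed recent transfer amounts for the account (not real data).
    return [1200.0, 1350.0, 1100.0, 1275.0, 1300.0, 1250.0]


def demo():
    """Run the layers over constructed sample traffic; returns {case: decision}."""
    policy, history = sample_policy(), sample_history()
    cases = {
        "routine_payment": Transfer(datetime(2012, 1, 16, 10, 0), 1300.0, "ACME Supplies"),
        "new_payee_large": Transfer(datetime(2012, 1, 16, 10, 30), 25_000.0, "New Vendor LLC"),
        "after_hours": Transfer(datetime(2012, 1, 16, 20, 0), 1300.0, "ACME Supplies"),
    }
    results = {name: evaluate_transfer(t, policy, today_count=2, history=history)[0]
               for name, t in cases.items()}
    known = {"laptop-01": "Boston"}
    results["known_device_login"] = evaluate_login("laptop-01", "Boston", known)[0]
    results["new_device_login"] = evaluate_login("phone-07", "Boston", known)[0]
    return results


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The point of keeping every check independent is that the reasons list survives even when one layer has already decided the outcome: a review queue sees that the large payment to a new payee tripped three separate controls, not just the one that happened to run first.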

Page 15

Authentication Controls

• Certain types of controls no longer considered adequate as primary controls

Ineffective:

– Simple device identification (e.g. simple cookie)

– Simple challenge questions

Effective:

– Complex challenge questions (i.e. ‘out-of-wallet’ questions)

– Complex device identification

– Device reputation

Page 16

What Now?

Page 17

What CIOs Must Do to Prepare for 2012

Diagram: FFIEC Guidance / Risk Assessment / Gap Analysis / Written Action Plan / Vendor Relationships / Prioritize Resources / Prepare Customers

• Start with Risk Assessment

• Next, do a Gap Analysis

• Create Written Action Plan

• Evidence of Dialog with Vendors

• Educate Customers, Forewarn them of Changes on the Way

Page 18

• Continuous risk assessment is absolutely essential from now on

– Individual project risk assessment

– Department-by-department risk assessment

– Bank-wide overall risk assessment

• FIs are not absolved of responsibility while waiting for vendor implementation

• Meanwhile, improvise:

– Internally developed anomaly detection

– Transaction Calendar (business customers)

Final Thoughts…
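A transaction calendar for business customers, one of the “improvise” options on the slide above, can be derived from the account's own payment history instead of being keyed in by hand, which makes it the kind of internally developed anomaly detection the same slide refers to. The Python below is an added example for this page, not code from the presentation; the recurring-payment heuristic, the tolerances, the function names (`learn_calendar`, `check_against_calendar`) and the sample history are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median

# Added example for this page (not the presentation's code). The recurrence
# heuristic, tolerances and sample history are constructed assumptions.


@dataclass
class Transfer:
    when: date
    payee: str
    amount: float


@dataclass
class CalendarEntry:
    payee: str
    day_of_month: int
    typical_amount: float
    day_tolerance: int = 2          # days either side of the usual date
    amount_tolerance: float = 0.15  # fraction of the typical amount


def learn_calendar(history, min_occurrences=3, max_day_drift=2):
    """Infer recurring payments from the account's own history.

    A payee becomes a calendar entry when it was paid at least min_occurrences
    times on a consistent day of the month. Simplification: no handling of
    month-end wrap-around (a payment due on the 31st landing on the 1st).
    """
    by_payee = defaultdict(list)
    for t in history:
        by_payee[t.payee].append(t)
    calendar = []
    for payee, transfers in by_payee.items():
        if len(transfers) < min_occurrences:
            continue
        days = [t.when.day for t in transfers]
        usual_day = int(median(days))
        if max(abs(d - usual_day) for d in days) > max_day_drift:
            continue                      # paid irregularly; leave it uncalendared
        usual_amount = median(t.amount for t in transfers)
        calendar.append(CalendarEntry(payee, usual_day, usual_amount))
    return calendar


def check_against_calendar(transfer, calendar):
    """Classify a new transfer as 'scheduled', 'off_schedule' or 'unscheduled'.

    Anything other than 'scheduled' goes to review rather than being blocked
    outright; that review step is the response half of anomaly detection.
    """
    entries = [e for e in calendar if e.payee == transfer.payee]
    if not entries:
        return "unscheduled", "payee has no calendar entry"
    entry = entries[0]
    problems = []
    if abs(transfer.when.day - entry.day_of_month) > entry.day_tolerance:
        problems.append(f"expected around day {entry.day_of_month}, got day {transfer.when.day}")
    if abs(transfer.amount - entry.typical_amount) > entry.amount_tolerance * entry.typical_amount:
        problems.append(f"expected about {entry.typical_amount:.2f}, got {transfer.amount:.2f}")
    if problems:
        return "off_schedule", "; ".join(problems)
    return "scheduled", ""


def sample_history():
    # Constructed three months of one small business's outgoing transfers (not real data).
    rows = [
        ("2011-07-15", "Payroll Co", 8400.0), ("2011-08-15", "Payroll Co", 8550.0),
        ("2011-09-16", "Payroll Co", 8500.0),
        ("2011-07-01", "Landlord", 3000.0), ("2011-08-01", "Landlord", 3000.0),
        ("2011-09-01", "Landlord", 3000.0),
        ("2011-08-23", "Consultant", 1800.0),  # one-off; must not become a recurring entry
    ]
    return [Transfer(date.fromisoformat(d), p, a) for d, p, a in rows]


def demo():
    """Learn the calendar from the sample history and classify four new transfers."""
    calendar = learn_calendar(sample_history())
    cases = {
        "payroll_on_time": Transfer(date(2012, 1, 15), "Payroll Co", 8450.0),
        "payroll_wrong_day": Transfer(date(2012, 1, 24), "Payroll Co", 8450.0),
        "payroll_amount_spike": Transfer(date(2012, 1, 15), "Payroll Co", 14_000.0),
        "unknown_payee": Transfer(date(2012, 1, 10), "Unlisted Vendor Ltd", 5000.0),
    }
    return {name: check_against_calendar(t, calendar)[0] for name, t in cases.items()}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because the calendar is learned from the customer's own history, it needs no vendor integration and can be refreshed each month as new transfers settle; the tolerances decide how much review volume the operations team takes on.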

Page 19

FFIEC Updated “Guidance” to Financial Institutions

(and what it means)

http://www.LinkedIn.com/in/michaelmcevoy

Michael J. McEvoy, Principal, Banking Research, [email protected]