New Authentication Guidance Soon?
FFIEC Weighs New Insights on Strong Authentication
Former regulator William Henley, Doug Johnson of the American Bankers Association and Gartner analyst Avivah Litan are among the thought leaders invited to meet with the FFIEC IT Subcommittee to discuss updates to the existing online authentication guidance issued by the federal banking regulatory agencies in 2005.
Litan emerged from the meeting with the clear sense that big changes are on the way. "The message I got is that new guidance will be coming soon," she says.
Henley, who served as the director of IT examinations for the Office of Thrift Supervision before joining BITS, a division of The Financial Services Roundtable, would not comment about expected guidance. But he did say in an interview last September that guidance regarding mobile banking security could be expected within the next 12 months. "Some of the primary concerns would be the open architecture associated with emerging technologies," Henley said, along with the development of safe software protocols and profit motives in unregulated markets.
While none of the principals in the discussions will discuss on the record any specifics of the FFIEC's new guidance -- or its timeline -- observers believe the update will be issued soon.
Dave Jevans, CEO of online security vendor IronKey, believes the new guidance may be issued within the next four weeks. "The existing guidance focuses on the consumer. Today, the cybercriminals and the attacks are much more sophisticated," he says. "This guidance will address the corporate banking side of the online channel, and I expect the FFIEC will follow some of the recommendations that have already been issued by the FBI, FS-ISAC and NACHA, when it comes to online security for businesses and financial institutions."
Strong Authentication Defined
Among the topics covered in the FFIEC's original 2005 strong authentication guidance:
- Customer Account Authentication -- Where risk assessment indicates the use of single-factor authentication is inadequate for certain types of services, institutions should employ multifactor authentication, layered security or other controls.
- Monitoring and Reporting -- Institutions should have policies and procedures in place that adequately monitor the system access. If they detect unauthorized access to applications and members' accounts, they must report to local law enforcement.
- Customer Awareness -- Customer education is critical, in terms of reducing account fraud and identity theft. Institutions should implement a customer awareness program and evaluate current education efforts to determine if additional steps are necessary.
What might the new guidance include?
Litan says banks can expect more centralized IT examinations and more precise definitions for what "strong" authentication requires. Guidance for mobile banking is likely to fall into that fold, too.
"There is some good stuff in the last guidance, but bankers have not focused on those things; instead, they focused on authentication and did the minimum," Litan says.
Some of the "good stuff" from the 2005 guidance, Litan says, includes defining multifactor authentication as:
- Something the user knows (password or PIN);
- Something the user has (an ATM card or smart card);
- Something the user is (a biometric characteristic, such as a fingerprint).
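To make the two guidance points above concrete, the following is an added example (not code from the article, the FFIEC or any of the people quoted) of a risk-based authorization check: a transaction is first scored by a risk assessment, and where the risk is high the check demands credentials from at least two of the three categories listed above, so that two knowledge factors (a password plus a security question) do not count as multifactor. The transaction types, the `HIGH_RISK_ACH_AMOUNT` threshold and the sample credentials are all constructed for the illustration; a real institution's thresholds come from its own risk assessment.

```python
"""Risk-based step-up to multifactor authentication (illustrative model)."""
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class Factor(Enum):
    """The three categories of authentication factor named in the 2005 guidance."""
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


@dataclass(frozen=True)
class Credential:
    label: str
    factor: Factor
    verified: bool  # result of the actual credential check, assumed done elsewhere


@dataclass(frozen=True)
class Transaction:
    customer_type: str  # "consumer" or "commercial" (constructed labels)
    kind: str           # "balance_inquiry" or "ach_transfer" (constructed labels)
    amount: float
    new_payee: bool


# Hypothetical threshold, constructed for the example only.
HIGH_RISK_ACH_AMOUNT = 1000.00


def is_multifactor(creds: List[Credential]) -> bool:
    """True only if verified credentials span at least two distinct categories.

    Two factors from the same category (e.g. password + security question)
    are both 'something the user knows' and therefore remain single-factor.
    """
    categories = {c.factor for c in creds if c.verified}
    return len(categories) >= 2


def assess_risk(txn: Transaction) -> str:
    """Toy risk assessment: money movement to a new payee, above a threshold,
    or from a commercial account is treated as high risk."""
    if txn.kind == "balance_inquiry":
        return "low"
    if txn.kind == "ach_transfer" and (
        txn.new_payee
        or txn.amount >= HIGH_RISK_ACH_AMOUNT
        or txn.customer_type == "commercial"
    ):
        return "high"
    return "medium"


def authorize(txn: Transaction, creds: List[Credential]) -> Tuple[bool, str]:
    """Decide whether the presented credentials are adequate for this transaction.

    Returns (allowed, reason). Denials are what a monitoring process would
    record and review for signs of unauthorized access.
    """
    if not any(c.verified for c in creds):
        return False, "no verified credential presented"
    risk = assess_risk(txn)
    if risk == "high" and not is_multifactor(creds):
        presented = ", ".join(c.factor.name.lower() for c in creds if c.verified)
        return False, f"high-risk transaction requires two factor categories; got: {presented}"
    return True, f"{risk} risk: presented credentials accepted"


def demo() -> List[Tuple[str, bool, str]]:
    """Run constructed scenarios and return (scenario, allowed, reason) rows."""
    password = Credential("password", Factor.KNOWLEDGE, True)
    question = Credential("security question", Factor.KNOWLEDGE, True)
    otp_token = Credential("hardware OTP token", Factor.POSSESSION, True)

    inquiry = Transaction("consumer", "balance_inquiry", 0.0, False)
    commercial_ach = Transaction("commercial", "ach_transfer", 25000.0, True)

    scenarios = [
        ("consumer balance inquiry, password only", inquiry, [password]),
        ("commercial ACH, password + security question", commercial_ach, [password, question]),
        ("commercial ACH, password + OTP token", commercial_ach, [password, otp_token]),
    ]
    return [(name, *authorize(txn, creds)) for name, txn, creds in scenarios]


if __name__ == "__main__":
    for name, allowed, reason in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

Running the module denies the commercial ACH transfer backed by a password and a security question, because both are knowledge factors, and allows the same transfer once a possession factor is added; the consumer balance inquiry passes on a single factor because the toy assessment rates it low risk.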
Adam Dolby, head of online security and authentication systems for Gemalto North America, says updated guidelines will have to hold banks accountable for security. If they don't, then banking institutions won't shift their thinking. "I think this guidance revision should lead to thought, not about compliance, but about what is actually needed," he says. "It's not just about the technology that gets an examiner off your back, but a solution that protects the movement of money at all stages."
More Burden on Banks?
Regulators also are more knowledgeable than they were six years ago, Litan says. From her view, that increased knowledge could favor merchants where account takeover liability is concerned. "Banks are not generally obligated by law to refund businesses their stolen funds," she wrote in a blog post shortly after the event. "This untenable situation is probably one big reason the FFIEC is now stepping in."
The debate over responsibility is a heated one. Doug Johnson, vice president of risk management policy for the American Bankers Association, says banks and commercial customers have to partner. Though he could not be reached for comment about the FFIEC event, Johnson has been vocal about why banks should not bear the brunt of account takeover losses.
"The customer needs to be aware that in the ACH environment, if they are negligent, they might actually be responsible for the loss," Johnson says. "There's nothing like having that responsibility to get someone's attention and to realize that they have to work in partnership with their institutions."