Banks, service providers confused by organization’s attempt to clear up confusion
By Marisa Torrieri, Contributing Editor
Should a small, mom-and-pop bank start issuing one-time-password tokens? What are the penalties if it doesn’t? And will the bank’s beefed-up security system get the thumbs up when the bank auditor rolls around in January for a regular inspection? These are the types of questions many hoped to find answered in the newly released “Frequently Asked Questions (FAQ) on FFIEC Guidance on Authentication in an Internet Banking Environment” document issued by the Federal Financial Institutions Examination Council (FFIEC). For most, however, the document left more unanswered than answered questions.
December 31, 2006 is the deadline for financial institutions to conduct risk assessments and determine the safety of their Internet security systems for online banking. So says the FFIEC guidelines issued one year ago in their document titled, Authentication in an Internet Banking Environment. But for financial institutions (FI), technology service providers, and securities application makers confusion still reigns as to just what they must do to comply and what the ramifications of non-compliance might be.
The FFIEC guidance applies to retail and commercial financial institutions, addressing the need for risk-based assessment, customer awareness, and security measures that go beyond single-factor authentication for customers accessing their financial institutions’ Internet-based services.
Guidance without a mandate adds to the confusion
Though not a regulation, the guidance has prompted FIs and their service providers to more closely examine their Internet security. But because it’s not a regulation, it’s causing confusion and anxiety for those who take it seriously.
In response, the FFIEC issued the FAQ on August 15, 2006 in an attempt to clear up dozens of questions that have arisen since October 2005, when the FFIEC’s member council agencies (the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision) issued the document.
Questions include: “Does the guidance require the use of multifactor authentication?” “Does the guidance apply to correspondent banking?” and “Can an institution perform a risk assessment and conclude that stronger authentication is not warranted?”
Still, a number of industry insiders, as well as developers of high-end security products targeting FIs, charge the FAQs only create more confusion.
“The document kind of solidifies what I said nearly a year ago,” says Doug Graham, Internet and financial security consultant at BusinessEdge Solutions. “There really weren’t any teeth in the original FFIEC document. There were no penalties enforced, there was some guidance but no regulation, and I think what a lot of people were looking for was regulation … it’s less clear now than it was a year ago.”
For example, “(In certain questions in the FAQ) they’re saying, ‘no, we’re not mandating multi factor, but if you use single factor [authentication], it’s not good enough.”
“Let’s say I’m chief of security at a bank and I take this to my board of directors, there’s nothing here that justifies two-factor authentication,” he says. “What I’m looking for is guidance to justify authentication to the higher-ups.”
Steve Langerock, CEO of Internet security device manufacturer Aladdin North America, said questions such as Risk Assessment Q-5 (Should the risk assessment specifically consider the risks of phishing, pharming, and malware?) bring up new issues for financial institutions they hadn’t considered when they planned their risk assessments.
“It leaves banks still scrambling for answers to – what do we do and how do we do it?'” says Mr. Langerock. “The biggest problem the banks face is that the recommendations are vague, there’s no standard in the industry, and there’s no ‘best practices.'”
What’s meant by a ‘risk assessment’
Two things that are made clear by the FAQs are that single-factor authentication is not enough for banks that offer Internet banking and that all financial institutions must conduct a risk assessment of their Internet-security systems.
Most major large- and medium-size financial institutions have sought outside consultants for risk assessment, which weigh costs and benefits of using two-factor authentication, as well as the risk of financial loss for Internet transactions, says Mr. Graham, who works with various organizations’ security officers, including those of financial institutions, in such capacities.
A typical risk assessment involves security officers analyzing systems in place and possible threats to those systems. It involves asking questions like, ‘what can I lose in a security transaction?’ Or, ‘how much risk is there with a particular activity?’ And, ‘What is the loss if I do nothing about it?’ It involves the identification of threats to security (internal, online, etc.), activities (the types of transactions being done such as Internet banking), and potential losses.
“So if I have a risk of X million dollars because of a lack of authentication, if it makes financial sense of me to implement that (security) measure, I implement that measure,” says Mr. Graham.
An Internet security risk assessment takes time and cooperation with different business units, a lot of people to do it, and – at least when conducted for the first time – could take several months between the audit, reporting, and documentation processes.
The risk assessment focuses on protecting the bank’s assets, not necessarily the assets of the customer. Depending on the perspective one looks from, results may vary, says Mr. Graham.
Balancing security with customer convenience
Even after conducting a risk assessment, another lingering challenge FIs in the U.S. face is how to balance security with consumers who don’t want to deal with complex passwords, logins, or methodologies that might be imposed for Internet banking.
“I think, for two factor authentication, the biggest issue for the banks, is to make a determination that they want to be aggressive about it,” says Jon Karl, vice president of business development and founder of iovation, a technology company whose business centers around uniquely identifying devices used for financial transactions as they move around a network. The company works closely with others who are deeply interested in fraud management, a client base that is mainly overseas.
“The vast majority of the financial institutions in the United States take the stance that they don’t want customers involved in the authentication process,” says Mr. Karl. “But I think they’re missing the fact that customers want to know that their bank is protecting them.”
Included among the 35 questions and answers in the document, “Frequently Asked Questions (FAQ) on FFIEC Guidance on Authentication in an Internet Banking Environment” were a number that dealt specifically with two-factor authentication. These and a selection of other relevant items are included in the following recap.
Does the guidance require the use of multifactor authentication?
No, the guidance does not call for the use of multifactor authentication. The use of multifactor authentication is one of several methods that can be used to mitigate risk as discussed in the guidance. However, the guidance identifies circumstances under which the Agencies would view the use of single-factor authentication as the only control mechanism as inadequate and conclude that additional risk mitigation is warranted.
Does the guidance specify the use of hardware tokens for authentication?
No, the use of hardware tokens is one possible method for enhancing controls surrounding the authentication of customers.
Are the Agencies recommending multifactor authentication over layered security or other compensating controls?
No, any of these controls may be an effective method to mitigate risk in accordance with the guidance, if properly implemented.
Are there banking applications where single-factor authentication as the only control mechanism would be adequate?
Single-factor authentication alone would be adequate for electronic banking applications that do not process high-risk transactions, e.g., systems that do not allow funds to be transferred to other parties or that do not permit access to customer information.
Can an institution perform a risk assessment and conclude that stronger authentication is not warranted?
An institution’s risk assessment may conclude that existing controls are appropriate. However, such a conclusion would not be justified if the institution’s electronic banking systems use single-factor authentication as their only control for high-risk transactions involving access to customer information or the movement of funds to other parties.
What do the Agencies expect institutions to have accomplished by year-end 2006?
The Agencies expect that institutions will complete the risk assessment and will implement risk mitigation activities by year-end 2006. The Agencies are not considering any general extension of the timing associated with this guidance.
May an institution permit customers to “opt-out” of additional authentication controls?
No, the Agencies believe that permitting customers to opt-out is not an effective risk mitigation strategy and would undermine the effectiveness of the control. In addition, this would not address reputation risk to the institution. However, an institution may permit customers to choose between different authentication options provided the options offered are consistent with the guidance.
To see a copy of “Frequently Asked Questions” on FFIEC Guidance on Authentication in an Internet Banking Environment, please visit http://www.ffiec.gov/pdf/authentication_faq.pdf.