Last month, the Federal Financial Institutions Examination Council (FFIEC) issued a supplement to its 2005 authentication guidance for financial institutions offering internet-based products and services.
The FFIEC is a US government interagency body “empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions,” according to the council.
The supplement is intended to improve risk management for financial institutions in terms of customer authentication, layered security, and other controls “in an increasingly hostile online environment”, according to the FFIEC’s Supplement to Authentication in an Internet Banking Environment.
“The supplement reiterates and reinforces the expectations described in the 2005 guidance that financial institutions should perform periodic risk assessments considering new and evolving threats to online accounts and adjust their customer authentication, layered security, and other controls as appropriate in response to identified risks”, the FFIEC said.
The supplement “establishes minimum control expectations for certain online banking activities and identifies controls that are less effective in the current environment. It also identifies certain specific minimum elements that should be part of an institution’s customer awareness and education program”, it added.
Entrust chief executive Bill Conner told Infosecurity: “I had hoped that they would be more prescriptive in terms of a stick and carrot relative to audits of these financial institutions....Banks know what they should be doing. They are just not doing it”, he added.
Given the dramatic increase in the number of the attacks and breaches at financial institutions, the FFIEC supplement lacks concrete actions and timetables necessary to help stop advanced fraud schemes from attacking financial institutions, transactions and customer identities, he said.
Conner recommended that the FFIEC provide incentives for financial institutions to deploy advanced information security technologies, such as awards for “best-in-class use cases.”
Laura Mather, co-founder and vice president of product marketing at website security provider Silver Tail Systems, agreed that the FFIEC supplement does not go far enough.
“My major concern with the guidelines is they focus on authentication. While authentication is critical, the criminals are getting more sophisticated in how they are able to attack websites….As criminals do more attacks outside of authentication, there are increased vulnerabilities. The banks that follow the guidelines might think they have addressed their vulnerabilities, but they really are still vulnerable”, she told Infosecurity.
The FFIEC has directed bank examiners to formally assess financial institutions under the supplement beginning in January 2012.