Authentication Guidance May Be Near
Banking Regulator Says FFIEC Draft Needs Just 1 Agency's Signoff
Gigi Hyland, board member of the National Credit Union Administration, says the latest draft of this guidance is awaiting final signoff from just one member agency of the Federal Financial Institutions Examination Council.
A draft of this guidance was inadvertently disclosed by the NCUA last December, and it subsequently spread virally throughout the banking industry. Regulators, until now, have declined comment, but industry insiders have speculated that the guidance release could be delayed for months, as the FFIEC incorporates feedback from banking agencies, institutions and vendors.
Hyland is more optimistic.
"We at the NCUA are anxiously awaiting the final green light from the last regulatory agency that's reviewing this," Hyland said in the course of a new podcast interview with Editorial Director Tom Field (See: NCUA's Hyland on Top Fraud Threats). "In the FFIEC process, we all have to be in agreement before it gets issued. So, the vetting process within each agency is sometimes more protracted than within other agencies."
Hyland did not identify the agency that is holding up the release, but did acknowledge her desire to see the guidance issued soon. "We're waiting, essentially, and working with other regulators to try to come together and agree on the final guidance, so we can issue it, hopefully, as expeditiously as possible."
Advice to Institutions
Hyland did not disclose any elements of the current draft. But the five key recommendations emphasized in the earlier draft are:
- Better risk assessments to help institutions understand and respond to emerging threats, including man-in-the-middle or man-in-the-browser attacks, as well as keyloggers;
- Widespread use of multifactor authentication, especially for so-called "high-risk" transactions;
- Layered security controls to detect and effectively respond to suspicious or anomalous activity;
- More effective authentication techniques, including improved device identification and protection, as well as stronger challenge questions;
- Heightened customer education initiatives, particularly for commercial accounts.
As they await the final guidance, banking institutions already are tailoring their budgets and information security programs for compliance. Hyland's advice to these institutions: "Stay abreast of all of the literature out there on the most recent security threats to financial institutions. Security needs to keep pace with the threat environment."
She urges institutions to conduct new risk assessments, then adjust their authentication controls based on results. "I don't think there's any perfect solution because it is an ever evolving process, but [institutions] need to really try to stay ahead of the curve and be aware as much as possible about the entry points that are obvious and not so obvious in their systems and their processes to try to mitigate as much of the risk as they possibly can."
Mobile Banking Guidance Coming?
Hyland also says that, beyond the authentication update, banking regulators may indeed be weighing additional new guidance on emerging technologies - including mobile banking.
"[Credit unions] are continuing to grow into the space of electronic banking delivery channels - certainly including mobile banking," she says. "As this is an emerging area, NCUA is weighing guidance approaches for these types of emerging technologies."
Without setting a timeline, Hyland says mobile is a hot topic among regulators and could lead to new FFIEC guidance. "[Mobile] is certainly on our radar screen as a regulator and insurer, and I know it's on other regulator radar screens as well," she says.