FFIEC Guidance: What Banks Should Know
Nothing New in Measures Demanded by Regulators
It's been a busy week.
More than six months after a draft of expected updates to the Federal Financial Institutions Examination Council 2005 "Authentication in an Internet Banking Environment" guidance inadvertently appeared briefly on the National Credit Union Administration's website, the formal supplement has finally been issued. [See NCUA Disclosed FFIEC Draft.]
Enforcement of the new guidance takes effect in January, focusing on:
- Better risk assessments;
- Effective strategies for mitigating known online risks;
- Improved customer and employee fraud awareness. [See FFIEC Guidance: Focus on Awareness.]
We've been following the FFIEC supplement trail for several months, talking with industry analysts, bankers and online security vendors about the implications updates to online authentication guidance could and should have on the financial industry.
Everyone had an opinion. And as court cases over corporate account takeover, a.k.a. ACH and wire fraud, heated up, the need for regulatory direction on reasonable online security and on banks' risk assessment responsibilities became ever more pronounced.
Let's examine the recently decided case between Michigan-based Experi-Metal Inc. and Comerica Bank. On June 13, the court ordered Comerica to pay EMI more than $550,000 for losses EMI suffered after the bank approved and pushed more than $1.9 million in fraudulent wire transfers to offshore accounts.
In his ruling, U.S. District Judge Patrick Duggan says Comerica Bank should have detected and stopped fraudulent transfers it approved for EMI.
Privacy attorney David Navetta, who specializes in IT security, says the court's view was that Comerica should have had better fraud detection mechanisms to detect and analyze risks. "The burden to establish good faith was on Comerica, according to the court," he says. "On the one hand, the court indicated that the bank had established commercially reasonable security. On the other hand, the court based its decision on the lack of fraud detection mechanisms employed by Comerica."
George Tubin, a senior research director for TowerGroup, says the timing of FFIEC's updated release is interesting, relative to the EMI ruling.
"If you look at the technology that they are recommending in the new supplement, if Comerica had used that recommended technology, it would have caught the fraud," Tubin says. "Based on the court ruling, I think banks will be held more accountable. But as long as banks are following what's outlined in the FFIEC guidance, they will be covered."
The crux of the EMI case revolved around "good faith." Tubin says that good faith is what the new FFIEC authentication supplement addresses when it points out that banks should be monitoring transactions with industry-acceptable technology. Quite simply, they should be putting forth their best efforts to thwart fraud.
In an indirect way, the Federal Deposit Insurance Corp.'s Jeff Kopchik echoed that sentiment this week, when he defended regulators' decision to begin compliance assessments in January, less than six months from now.
"The compliance deadline of January 2012 means when examiners go out, examiners want to see that institutions have at least completed their plans for compliance," Kopchik says. "We felt this time that institutions would not need as long a period of time to bring themselves into compliance. The 2005 guidance has been out there a while, and, frankly, people like yourself have been writing about it for a while and talking about it for a while."
In a nutshell, none of the guidance should come as a surprise, Kopchik says. And I agree.
Banks should already be doing most of the things the guidance supplement highlights. Layered security was called for in the 2005 guidance, in the form of multifactor authentication, which many banks, by the way, still aren't doing.
The industry understands the "good faith" standard too well to let security gaps persist. No institution would argue with the notion that ensuring the protection and financial safety of the commercial customer is a top priority.