The Fraud Blog with Tracy Kitten

Mobile, Cloud Security Guidance Needed

Smaller Institutions Could Benefit from Regulators' Help

Last year, federal regulators issued FFIEC authentication guidance for online transactions. But, unfortunately, regulators apparently don't plan to issue additional guidance on the security issues involved in mobile banking and cloud computing.

Larger institutions don't really need guidance on these topics. Most are addressing risks out of necessity. Higher transaction volumes expose them to more fraud. Besides, they have the staff and budgets in place to help mitigate risks.

But smaller banking institutions - many of which are struggling to conform with the authentication guidance - would greatly benefit from some security and conformance direction on mobile banking and cloud computing from the Federal Financial Institutions Examination Council. Mobile and cloud are new frontiers for many of these organizations. So they need all the help they can get to adequately address emerging security issues.

Governance-Based Guidance

William Henley, who serves as the associate director for the FDIC's Technology Supervision Branch, confirms that new FFIEC guidance tied to specific technologies - such as mobile and cloud - is not likely.

In a recent interview, Henley told me federal regulators are honing their approach to focus on so-called "governance-based guidance."

"We don't constantly want to be chasing every new technology that comes out," he said. "We would constantly be reactive, and it would be very difficult to keep up."

Rather than issuing guidance based on recommended controls for specific services and technologies, regulators want to issue guidance that deals with broader risk-mitigation strategies, best practices and due diligence.

A Helping Hand

The FFIEC issued updated authentication guidance for a reason: Regulators found that too many institutions were not adequately addressing online-banking risks.

Similarly, mid-tier and community-level institutions are more likely to adequately address the risks involved in mobile banking and cloud computing if they receive additional guidance.

The FFIEC is aware that many institutions need help in these arenas. That's why it issued a resource document this summer to address questions about cloud risks.

But that document fell far short of providing the comprehensive guidance that's needed, say critics, including security attorney Francois Gilbert (see FFIEC's New Cloud Info 'Disappointing').

Clearly, institutions of all sizes should be addressing risks based on their own environments and then following the best practices outlined in existing guidance.

But let's face it. Smaller institutions need extra help dealing with the security issues involved in mobile banking and cloud computing. Otherwise, they're left to make assumptions, guessing about what controls and security layers are needed.



About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



