FFIEC Authentication Guidance: What Your Vendors Need to Know

How Your Partners Can Help You Comply
The FFIEC Authentication Guidance update is out, and third-party service providers need to begin reviewing their internal systems and communicating with their financial institution customers, says Wells Fargo Bank's Phil Alexander.

If a vendor's particular function is covered under the updated FFIEC guidance, they need to be compliant, says Alexander, an information security officer for the institution.

"Make sure you're aware of the updated guidance," Alexander says in an interview with BankInfoSecurity.com's Tom Field [transcript below].

Third-party vendors should be completing their internal risk assessments, figuring out what their current posture is. They also need to make sure they're coordinated with their company and addressing any changes that need to be made. "You need to have that kind of coordination," says Alexander. "It's going to give your financial institution that comfort level that you're a vendor that, as part of being a good service provider, you're providing security and compliance."

Alexander has studied the new guidance and created a new webinar, Vendor's Guide to the FFIEC Authentication Guidance. In an exclusive interview about the guidance and what it means to banking and technology vendors, Alexander discusses:

  • How vendors will be impacted by the guidance;
  • What vendors should be doing now to prepare for 2012:,
  • Key questions for banking institutions to ask their vendors.

Alexander began his career in computers back in the late 1980s while serving in the U.S. military. Since then he has worked in both the public and private sectors in positions including; engineer, project manager, security architect, and IT director. He currently works as an Information Security Officer for Wells Fargo Bank.

He is also an avid public speaker, and regularly presents at security conferences around the country and abroad. He has published a number of information security articles as well. He is the author of Data Breach Disclosure Laws - a State by State Perspective. His second book, Information Security: A Manager's Guide to Thwarting Data Thieves and Hackers was published in 2008.

TOM FIELD: You've got unique insight and experience here. Why don't you tell us a bit about your current role and your interaction with vendors on an everyday basis?

PHIL ALEXANDER: Sure. I'm information security officer for Wells Fargo Bank, currently in the wholesale arm. I conduct both risk assessments and consultations for projects that come across my desk for a wide variety of lines of business in wholesale, and a fair amount of those do include third-party service providers, or simply put vendors. Part of my role is to make sure that those vendors are meeting our criteria to protect our data, our sensitive financial data, whether it's personally identifiable or financial data.

Vendor's Role

FIELD: Now I know you've had an opportunity to pore over the FFIEC Authentication Guidance update, and it's easy to see what the relevance is to financial institutions. But where do you make the connection of its relevance to the financial institution vendors?

ALEXANDER: That's a very good question. When we see this updated guidance from the FFIEC, of course their expectation is that we financial institutions are compliant. When we outsource services to a third party, requirement transfers to that third party. So if you're the vendor providing a service for a financial institution and that particular function is covered by the updated guidance, you need to be compliant as well. It's not at all acceptable for us to say at Wells Fargo, or any bank for that matter, it's not our fault we're not complaint. We outsource that to a third party. No, we have to be compliant which means you the third-party service provider must be compliant as well.

FIELD: My follow up was how are vendors impacted come January 2012 when the examiners will start coming around to check conformity with these guidelines, and I think you've just answered that. The vendors have got the institutions beat in conformance.

ALEXANDER: Right. They need to show they're compliant. It's an area I see vendors sometimes fall down as being able to have or to demonstrate they have a knowledge of their security posture, the things they're doing correctly, their opportunities for improvement and that they are aware of them.

Steps to Prepare

FIELD: What should the vendors be doing now to prepare themselves and help their financial institution customers prepare?

ALEXANDER: What they need to do is look at the updated guidance from the FFIEC. Mainly, it concerns itself with online banking, electronic banking and wires. That's all for corporate customers as well as the retail and consumer customers. They need to take a hard, honest look internally of where their systems are, where they're compliant and where they're not compliant, and in the latter case where they're not compliant develop a plan to make those adjustments and upgrades that are necessary. For me, when I do assessments of third-party vendors, the events that I look for are what your program is, what it isn't and that you're frank and honest. When you have those areas of improvement, you also have plans in place to correct those issues.

FIELD: You've just created a webinar exactly on this topic, about the meaning of the FFIEC guidance to vendors. What would you say are the key takeaways of your presentation?

ALEXANDER: Key takeaways would be to make sure you're aware of the updated guidance. Make sure that you do that internal risk assessment so you know what your posture is. Make sure you have your coordination and communication with your company that you're certified for, whether it's a financial institution or say they're corporate customers, because what you want to do is focus on several areas. One is any changes on your end. In order to get compliant you want to make sure that doesn't notably impact your customer. Also, the change you make doesn't mean they can't do online banking or they can't do a wire. You need to have that kind of coordination. And it's going to give your financial institution that comfort level that you're a vendor that, as part of being a good service provider, you're providing security and compliance, in this case the updated guidance from FFIEC.

FIELD: If you could boil it all down, what one piece of advice would you offer to vendors right now regarding this FFIEC Guidance update?

ALEXANDER: Take it seriously and heed what they're saying, because we financial institutions do. Quite frankly, it's been my experience that the vendors that can show they're secure and can show they're compliant, that's the value and that's going to help you not only retain current customers but to attract new ones.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.