FFIEC Guidance Sets Bar

'Bankers Live and Die by the Guidance'
What real impact will changes to existing online authentication guidance from the Federal Financial Institutions Examination Council have on financial institutions and their customers? A great deal, says Fraud Red Team's David Shroyer, a risk assessor who focuses on identity, authentication and fraud strategies for banks. "Bankers live and die by the guidance," Shroyer says. "They look to guidance to determine what technology investments they will make."

Shroyer, who wrote a position paper in response to authentication updates outlined in a draft of expected guidelines published by the FFIEC, says the new guidance is expected to stress the need for annual assessments, "as threats, customers and functionality changes."

But he also stresses the drafted guidance's oversights. "We need to find a more comprehensive way to use the mobile phone as a verifiable authentication tool," Shroyer says. "And on the ATM side, because this is where so much of the cash-out money flows, we have to be more responsive and implement controls for both this threat and other threat vectors that ATMs face."

During this interview [transcript below], Shroyer discusses:

  • How bankers and the vendors align their security and compliance investments;
  • Risk assessments and the need for more scrutiny;
  • Protections and security controls for commercial customers.

Shroyer, a former executive of Identity, Security and Fraud for eChannels at Bank of America, is now a founding partner of Fraud Red Team, which conducts risk assessments for banks from the fraudster's perspective. Shroyer is also a partner of Greenway Solutions, a management consulting firm and Fraud Red Team affiliate that focuses on identity, authentication and fraud strategies.

Impact of Guidance?

TRACY KITTEN: What real impact will changes to existing online authentication guidance have on financial institutions and their customers? From a risk assessment perspective, financial institutions may be called upon to do much more. But who will be charged with ensuring they get there? I'm here today with David Shroyer, a former e-channels executive for Bank of America who is now a partner at Greenway Solutions and Fraud Red Team, which provides identity authentication and external testing for fraud process and control.

David, you've recently reviewed a copy of the drafted online authentication guideline updates that are expected to be passed down by the FFIEC. Going in with a disclaimer that this drafted guidance you have reviewed is not official and could differ greatly from anything official the FFIEC does publish when the guidance is actually passed down, I've noted some key areas that you've suggested are missing from the drafted guidance that we've both reviewed. I'd like to go through these one by one. In a position paper you drafted shortly after reviewing a copy of the drafted guidelines, you note that the guidance focuses too much on controls rather than processes and controls. Can you give us a little background and explain?

DAVID SHROYER: Hi, Tracy, and thanks for the opportunity to talk with you today, and thanks for the disclaimer. Based on my review, I really do think that the guidance is not complete; it's a draft. But it does give us the opportunity to understand where the agencies are thinking changes are needed. You know, we really have to think about this as an arms race with fraudsters who have intelligent, innovative and committed people. And, as such, the fraudsters live in the gaps that organizations, by definition of the word organization, exist. There's no control that is strong enough that the processes can't be subverted. If you think about it, one of the key examples would be that the authentication processes have disparities that exist between the true online and call-center channels. Criminals will continue to push and abuse the weakest channels until they get what they want.

KITTEN: What about the lack of some implicit direction in terms of online, call-center, mobile and ATM channel authentication processes? This is something else you've noted in the position paper. Why would it be important for the FFIEC to explicitly mention these channels, as well as their particular fraud risks?

More Channel Specificity Needed

SHROYER: Tracy, I think it's clear to everyone in the industry today that fraudsters are moving across channels just as the banks are moving across channels. The banks are doing it to allow customers to bank anywhere and anytime and provide convenience, but as we're doing that, we're opening the capabilities that the fraudsters are taking advantage of. A strong example of this might be in the mobile channel; and as this becomes a more expanded, non-traditional payment channel, it becomes a more valuable target for the fraudster, as we've already seen in the wild, with mobile-targeted malware.

KITTEN: Now you've also noted the absence in the guidelines for threat mitigation that relates to mobile, and, of course, the ATM channel. Why did those two particular channels stand out to you?

SHROYER: Well, I think two things stand out here for me. One, we need to find a more comprehensive way to use the mobile phone as a verifiable authentication tool. But we also need to find a way to protect that channel and that tool. And how do we mitigate the threats against a mobile device as we start to allow near field communications payments, and we sort of use the device as more of a form factor for higher risk and out-of-band authentication, which, by the way, the guidance is calling for? And on the ATM side, this is where so much of the cash out money flows. We have to be more responsive and implement controls for both this threat and the other threats that users of the ATMs are facing today.

What is 'High Risk'

KITTEN: Now, one of the things that came up in the drafted guidance, which we've actually written about a little bit and I've talked to some other industry sources about, is this whole notion of high-risk transactions. We don't really get a definition for what "high-risk" is or how the FFIEC is viewing high risk. What are the real high-risk transactions, in your mind?

SHROYER: Right. Well, you know, they call out the same high-risk transactions in both the 2005 version, the 2006 FAQ and in the draft that we've reviewed. I think that we have to keep in mind that they're right when they say that the money movement is around the high-risk transactions; but what might also be an opportunity is to look at the additional points of vulnerability, and these are the ones that always seem to precede the fraud, and those are where the customer is compromised. Think about your e-mail, your address and your phone numbers. When those start to change -- and, by the way, that's happening in all the channels -- organizations need to place higher focus on these changes, because they're really the risky transactions, especially when you tie that with other unusual behaviors, for example, the text-chat channel, the online channel or even direct calls to the call center.

Reg E and the Role of Guidance

KITTEN: Now, you've also noted that the guidance does not specifically call for any type of Regulation E protection, when it comes to small businesses. Do you think that the FFIEC should have explicitly noted or mentioned protections for small businesses and commercial customers, and amendments that might come down for Reg E?

SHROYER: Well, you know, it's interesting, because I don't think the agencies have the purview or the responsibility to change Reg E; but I do think there's opportunity to place more focus on these challenges, especially the ones that the commercial customers are facing today. We've all seen the losses, and they're staggering. While they may not be a big deal across the industry, from a numbers perspective, for the small- and medium-sized business, they are a big deal, because they're not protected. I was pleased, though, to see that the draft points out, especially in the customer and awareness and education section, that banks need to have a conversation about what coverage customers explicitly have and do not have, based on their account type.

Contract and Protection Transparency

KITTEN: And as a former bank executive yourself, David, do you feel that that's something that's being done at some institutions and not all? Did you feel that that was really needed in the guidance -- that they needed to explicitly say, "Yes, you should educate your customers?"

SHROYER: Well, I don't think education was really taken as of strong of a point in the 2005 guidance as it should have been. Education is a key component. We need to focus on deputizing our customers, both to identify fraud and to protect themselves from fraud, and I don't think that we're doing a good enough job of that. So, in terms of the Reg E component, especially with the small- and medium-sized businesses, I think we need to really educate them on where their liability stands and what they need to do to protect themselves.

KITTEN: Now, you've also noted in the drafted guidance that there really isn't enough stress put on the protection that must be provided to business banking customers, from a customer-endpoint security perspective. Can you explain what you mean there?

SHROYER: Sure. If you think about it, we've really moved the liability wall, either intentionally or de facto, and this is common with the explosion of malware. The vulnerability doesn't lie at the bank's firewall, but at the customer's computer. I think the banks have to understand and really dig into the question, "Do we want to own that? In my opinion, we might not have a choice, unless we assume all of our customers are infected, and then we start to think about implementing hurdles of access that are far beyond reasonability for the customer. So, we've got to start protecting our customer's endpoint security, as that is where the point of liability is, especially in the cases we've seen in the commercial segment.

Money Laundering and Money Mules

KITTEN: And then what about some of the money laundering schemes our industry has recently faced? Specifically, you mentioned money mules, and you know that the guidelines don't really talk about money mules. Why is that alarming to you that there's no mention of money muling, if you will, in the proposed guidance?

SHROYER: This is a huge, huge opportunity that the banks face and the industry faces. There are more customer compromised credentials out there than we can even fathom. I think that the reason we're not seeing more fraud loss is because it really is a challenge, and it's the fraudsters' challenge, to turn a compromised credential into cold, hard cash. They do that through the recruitment and solicitation of money mules. Some of these are victims of work-from-home scams. Some of these money mules go into it fully aware, such as visa students who come into the U.S. who intend to do it to supplement their income. We have to talk about fighting money mules: What's the illegality and the prosecution of this crime? I think we have to face it and we have to talk about it in the guidelines, because it's a critical component of the fraud lifecycle.

Risk Assessments

KITTEN: Now, beyond the holes that we've noted above, David, your position paper also addresses risk assessments, and you note that the lacking recommendation for external risk-assessment testing is something that also alarms you. Risk assessments are conducted internally as well as externally by regulators, but how do regulators enforce risk assessments currently, and do they ensure that risk assessments are conducted on a regular basis, as well as in a proper fashion?

SHROYER: Well, I think that it's a misnomer that we're actually doing external risk assessments. Sometimes small banks will hire a firm to do external risk assessments, but most of the time, and in the experience that I've seen on the other side of the fence, the organizations have relied on internal teams to conduct these exercises. If you look across industry, these types of assessments are often coupled with external testing. If you think about it, IT-systems-penetration testing or even marketing, secret shopper types of tests happen all the time, where you hire a third party to actually come in and complement the internal assessments that are being done. I see this as an area that, especially in this environment, we could benefit from. You don't know what you don't know, and having an external focus on this provides that.

KITTEN: In your new role as a risk assessor, you do have a good perspective, as you've noted, because you've been on both sides of the fence and you can have two differing perspectives. Can you tell us a bit about what you see now, being a risk assessor, versus what you saw, maybe, being on the banking side?

SHROYER: Well, working on the other side, it's really important to note that banks really focus and depend on this guidance for direction. Teams are formed to focus specifically on FFIEC compliance. It's been great now to see how other institutions are facing the challenges, in my new role, and see how they're staying current on identity authentication and fraud-threat mitigation, how they struggle to keep up with the changing vectors and attacks.

KITTEN: You also note some good things about the current guidance, so we don't want to just focus on the things we think are missing. One of the good things that you've noted that has been included in the guidance is the guidance's recommendation for device identification. Why does that stand out to you? What about those recommendations stand out, relative to the previous guidance that was issued in 2005, and why do you see these recommendations being needed as improvements?

SHROYER: You know, I think this illustrates a great point of where the FFIEC is now working very closely with both the vendors and the banks. So, in comparison to the 2005 guidance, where they actually stressed IP geolocation as a control, now they're saying that it's just not a good parameter, because our fraudsters and even our legitimate customers are obfuscating this by using proxies. So, this is an area where it shows that the guidance is actually keeping up with the times, and I think we have to move past the point of using IP geolocation as a sole parameter for identifying fraud; and getting down to the device level is something that, while not insurmountable, is going to be the way to move forward.

KITTEN: And before we close, David, what final thoughts would you like to share about the expected guidance? Anything that we've missed or any other highlights that you'd like to note for the industry?

SHROYER: Tracy, I'm excited to see where the guidance lands. I think the more specific the guidance can be and the more assistance regulators can give to the institutions in a public and private partnership, the better off our institutions and customers are going to be and guarded against fraud. I think that it's critical that we actually partner with the regulators and the industry, because this is how the banks are living and dying, by meeting guidelines and balancing the risk-to-reward equation.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.