Now that the FFIEC guidance has reached your desk, the compliance deadline is approaching fast, and if you fail to take action that brings your institution up to standard, you could face penalties and fines. Many people still ask, “What is FFIEC guidance and how do I comply with it?” The Federal Financial Institutions Examination Council issued the guidance in 2005, setting the compliance standards for online banking.
Some of the standards require multifactor authentication because single-factor authentication has proven inadequate. Attacks have grown increasingly sophisticated and daring, which is why these standards need to keep rising.
Using more than one form of authentication has become the standard way of verifying the legitimacy of online transactions. Authentication methods in use include finger scanning, iris recognition, voice ID and facial recognition, and you can use any of them in conjunction with a traditional user ID and password.
What Is FFIEC?
This set of guidelines raises the standard for what is acceptable in online transactions, keeping everyone who uses the online platform safe and secure. While the FFIEC itself does not impose penalties and fines, most of the guidelines were created to protect both the financial institution and the people who use it. When an audit comes, the auditor will look for evidence of compliance, and if they don’t find it, the fines and penalties will come from the NCUA.
Who Uses FFIEC?
Many banking institutions make use of these guidelines. As stated before, a banking institution found non-compliant faces harsh penalties and fines as a result. The guidelines exist to address potential problems and make them less of a concern, and over time stronger authentication methods have been identified.
Some of these authentication methods include “Out of Wallet” and “Out of Band.” RSA’s Identity Verification technology has become top notch. Before adopting any of them, a financial institution first has to ask itself, “What do we have?”
Second, it has to ask, “What do we need?” Answering both questions gives you the best chance of choosing the right authentication method. Choosing methods deliberately also lets you avoid piling on redundant layers, which only leave a gaping hole in your security.
How to Follow the FFIEC Guidelines
First, enforce strong step-up authentication that eliminates the potential for risky activities. The guidance rules out the most widely used authentication method, the challenge/response question, but it does identify other acceptable methods. Choosing the right authentication method often starts with asking yourself what your current structure looks like.
Once you have identified the current structure, the next step is to work out how to implement a stronger means of authentication. The FFIEC not only understands the threats against consumers, it now recognizes the potential dangers to commercial clients as well. As these threats have come into view, the FFIEC pushes for further scrutiny of user activity on the individual account.
Staff education is not a luxury but a requirement for everyone who works at your institution. You may also want to provide what is referred to as Information Security Awareness Training for commercial clients and customers. Should you ever decide you need a shoulder to lean on, ask an IT security expert. You must build a strong relationship with your technology service provider, but the burden of meeting the FFIEC deadline falls on you.
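The step-up authentication and per-account activity scrutiny described above can be expressed as a small risk-based decision rule. The following is an added example written for this page; it is not code from the post or from any FFIEC publication. The risk factors, their weights, the thresholds, the `Session` and `Transaction` fields and the sample sessions are all constructed assumptions, chosen to show the shape of the decision rather than any institution's real policy.

```python
"""Risk-based step-up authentication for an online banking session.

Read-only activity passes through; a money movement is scored against a few
constructed risk signals, and the score decides whether the session may
proceed, must complete a second factor first, or is held for manual review.
Every decision is also turned into an audit record so that per-account
activity can be scrutinized later.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Session:
    user_id: str
    device_known: bool          # device fingerprint seen before for this user
    ip_country: str             # geolocation of the current connection
    home_country: str           # country on file for the account
    mfa_verified: bool = False  # a second factor already completed this session


@dataclass
class Transaction:
    kind: str                   # constructed kinds: "view", "transfer", "wire"
    amount: float = 0.0
    new_payee: bool = False     # first payment ever to this recipient


@dataclass
class Decision:
    action: str                 # "allow", "step_up" or "review"
    score: int
    reasons: List[str] = field(default_factory=list)


# Constructed weights and thresholds; a real deployment tunes these against
# its own fraud history rather than using these illustrative numbers.
RISK_WEIGHTS = {
    "unknown_device": 40,
    "foreign_ip": 30,
    "new_payee": 25,
    "high_value": 35,
}
HIGH_VALUE_THRESHOLD = 10_000.0   # assumption: amount at which "high_value" fires
STEP_UP_THRESHOLD = 50            # assumption: score that demands a second factor
REVIEW_THRESHOLD = 90             # assumption: score that holds the transaction
READ_ONLY_KINDS = {"view"}


def risk_score(session: Session, txn: Transaction) -> Tuple[int, List[str]]:
    """Return (score, triggered reasons); read-only activity always scores 0."""
    reasons: List[str] = []
    if txn.kind in READ_ONLY_KINDS:
        return 0, reasons
    if not session.device_known:
        reasons.append("unknown_device")
    if session.ip_country != session.home_country:
        reasons.append("foreign_ip")
    if txn.new_payee:
        reasons.append("new_payee")
    if txn.amount >= HIGH_VALUE_THRESHOLD:
        reasons.append("high_value")
    return sum(RISK_WEIGHTS[r] for r in reasons), reasons


def decide(session: Session, txn: Transaction) -> Decision:
    """Apply the step-up rule: review beats step-up, step-up is skipped once MFA is done."""
    score, reasons = risk_score(session, txn)
    if score >= REVIEW_THRESHOLD:
        return Decision("review", score, reasons)
    if score >= STEP_UP_THRESHOLD and not session.mfa_verified:
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


def audit_record(session: Session, txn: Transaction, decision: Decision) -> str:
    """One line per decision, keyed by account, so activity can be reviewed per user."""
    return (f"user={session.user_id} kind={txn.kind} amount={txn.amount:.2f} "
            f"action={decision.action} score={decision.score} "
            f"reasons={','.join(decision.reasons) or '-'}")


if __name__ == "__main__":
    # Constructed sample sessions, not real customer data.
    trusted = Session("acct-1001", device_known=True, ip_country="US", home_country="US")
    new_device = Session("acct-1001", device_known=False, ip_country="US", home_country="US")
    abroad = Session("acct-1001", device_known=False, ip_country="RO", home_country="US")
    for sess, txn in [
        (trusted, Transaction("view")),
        (trusted, Transaction("transfer", 500.0)),
        (new_device, Transaction("transfer", 500.0, new_payee=True)),
        (abroad, Transaction("wire", 20_000.0)),
    ]:
        print(audit_record(sess, txn, decide(sess, txn)))
```

The ordering in `decide` is the part worth copying: the review check runs before the MFA shortcut, so a completed second factor lowers friction for moderate risk but never lets the highest-risk activity bypass scrutiny.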
6 Tips for FFIEC
Tip #1: Answer Statements Honestly
First, prioritize your efforts and make sure every statement is answered honestly. You might feel tempted to answer “Yes” to everything because a “No” means more work. Remember, however, that the auditors will examine the results, and you may have to provide concrete evidence in support of your answers.
Tip #2: Use the References from the FFIEC
Every reference you find carries a statement of the maturity levels and even points to an IT Booklet, which clarifies what is meant by a given statement.
Tip #3: Prioritize the Right Effort
The CAT (Cybersecurity Assessment Tool) is based on a maturity model. This means you shouldn’t focus on the higher levels until you have achieved the lowest maturity level. You don’t have to worry yet about what the evolving maturity statements will require, nor about missing the baseline controls.
Tip #4: Report to the Appropriate Parties
Because the CAT will likely continue into the future, there’s nothing wrong with making it a priority area of focus. Everyone involved should understand the standards and what is expected of them.
Tip #5: Team Effort for Real Progress
Unfortunately, you can’t just hand the action item list to your IT technician and expect them to handle it. For the best results, you need a concerted team effort, with staff covering everything from budgeting, cyber security, and policy to technical controls, contracts, and training.
Tip #6: Get Started as Soon as Possible
It may go without saying, but if you have not already started working toward CAT compliance, you should start now. An auditor could ask to see your assessment, and you will have to demonstrate that you have taken it seriously. Simply completing the assessment will not be enough, though; you will also need a solid plan of execution.
In short, the FFIEC exists to keep everyone, from the financial institution to the consumer, safe. Meet these guidelines eagerly to avoid the risk of failing an audit and receiving a penalty.
While it might be something of a pain for financial institutions, the positive role it serves can never be overstated. Have you ever had to implement the FFIEC guidelines? If so, what did you do and how did it help? We’d love to hear your thoughts and opinions in the comments below.