Hey FFIEC, Is This Really Guidance?
5 July 2011
Last week the FFIEC issued the long awaited Supplement to Authentication in an Internet Banking Environment
. I read through the 12 page report (it's actually 8 pages with a 4 page appendix), and kept reminding myself that I should try to look at this in a cup half full manner. Yes, I can be a cup half empty kind of a guy, however I must say that this document doesn't say much that most banks don't already know. The wording is vague, open to interpretation, and unclear. It's a great read for someone who is new to the space that wants to get a high level overview of some of the challenges banks are facing. I know that banks are going to be placing a lot of energy into analyzing this document, and making sure they can follow the so-called guidance. The first problem is the title - Supplement to AUTHENTICATION. Authentication is was definitely a big deal back in 2005 when the first iteration of this document was released. At this stage of the game, it really doesn't mean much. Sure, all banks should have it, and yes they should pay attention to new solutions that can enhance authentication. Today, with current threats and attacks, authentication is about as useful as a security guard that is placed in front of a bank building. The guard can scare people off, and provide the appearance of security. If criminals or terrorists want in, we all know that the guard is nothing more than a useless sentry. So sure, let's keep on forcing customers to use the familiar image/phrase/challenge question routine for online banking. But let's accept the fact that multifactor authentication, even using hard tokens, is pretty useless. The document keeps referring to layered security - that's a good thing. But how long have we been hearing that for? Great that its down on paper given that it's so critical. It's the most important step a financial institution can take but a lot more detail and guidance is required here. There was quite a buzz regarding the fact that the document doesn't discuss mobile banking security. That ties back to the vagueness of the document. Personally, that doesn't bother me as much. The info in this doc has to be consumed with the understanding that consumers and businesses are using a range of electronic devices - PCs, mobile phones, tablets, etc. Yes, there are going to be security issues that are device category specific. It would have been nice to see things laid out a little more clearly, or at least recognition of this trend. On page 3, the document goes over high risk transactions. The overly structured section misses a key point - as features migrate out of the branch for cheaper self service alternatives (think consumer wire transfers online) the risks increase. Financial institutions need to plan for these changes now and understand that the online channel is already handling higher risk consumer transactions. In my opinion, the most important section of this document should have been customer awareness and education. It takes up approximately half a page. Banks do a very poor job of educating customers, and there are tons of examples to prove it. Since the consumer is the weakest link in the equation
, this clearly requires a lot more attention. Can I be a curmudgeon? Absolutely. Is it warranted in this case (objectively speaking of course)? Without a doubt.