FFIEC aims to make online banking safe for consumers by forcing financial services institutions to assess the risks in their environments and deploy appropriate controls such as strong authentication. Michael L. Jackson, associate director of the FDIC, helped develop the guidance two years ago; six months after the Dec. 31, 2006 compliance deadline, Jackson assesses FFIEC's impact so far.
Michael L. Jackson
What's your sense for compliance? Are most financial services institutions compliant, or close?

Our early kick-of-the-tires indications are that yes, the industry has responded positively to the guidance. Keep in mind, the agencies are not doing anything different outside the normal exam process. If an organization is scheduled for an exam, the exam will proceed and we will look at the guidance. If an institution is not scheduled for an exam, we will not go in specifically to look just at the guidance.
What are some of the concerns being expressed by institutions that may be struggling to comply?

Some of the questions were around whether they should do security assessments around applications, or enterprise-wide. We left it up to the organization to decide what was best. Also, who could do the risk assessment? That could be contracted out, but the institution is still ultimately responsible for it. Other concerns were around specific technologies. Before the guidance became effective, there was talk in the press about tokens being a preferred solution. We reiterated numerous times that there was no preferred solution. The solutions had to come out of the banks' risk assessment and business decision.
What is the word on consumer pushback? Are consumers noticing the stronger authentication demands, and what's the impact on business?

I don't have a great handle on that, but early indications are that consumers are curious about it and understand it impacts them and secures their funds more than before. Among the bankers I've talked to, there's not a wholesale rejection of it; consumers are OK with it, it's just something that's different.
What comes next for the regulation?

The next steps are that we would continue to try to educate consumers on vulnerabilities and their habits. We have to look at implementation vulnerabilities; if they're not implemented properly, they could also create vulnerabilities in the technology. We need to look at technology risk. When you have new products in production, we have to see if there's any risk based on that. Institutions have to look at how it's impacted their business and how adoption has gone with customers.
Download the full interview with Michael L. Jackson at searchsecurity.com/ismag.