Information Security

Interview: FDIC director explains FFIEC standard

Michael L. Jackson, associate director of the FDIC, helped develop FFIEC, which aims to make online banking safer by forcing financial institutions to assess the risks in their environments and implement controls such as strong authentication.

FFIEC aims to make online banking safe for consumers by forcing financial services institutions to assess the risks in their environments and deploy appropriate controls such as strong authentication. Michael L. Jackson, associate director of the FDIC, helped develop the guidance two years ago; six months after the Dec. 31, 2006 compliance deadline, Jackson assesses FFIEC's impact so far.

Michael L. Jackson

What's your sense for compliance? Are most financial services institutions compliant, or close?

Our early kick-of-the-tires indications are that yes, the industry has responded positively to the guidance. Keep in mind, the agencies are not doing anything different outside the normal exam process. If an organization is scheduled for an exam, the exam will proceed and we will look at the guidance. If an institution is not scheduled for an exam, we will not go in specifically to look just at the guidance.

What are some of the concerns being expressed by institutions that may be struggling to comply?

Some of the questions were around whether they should do security assessments around applications, or enterprise-wide. We left it up to the organization to decide what was best. Also, who could do the risk assessment? That could be contracted out, but the institution is still ultimately responsible for it. Other concerns were around specific technologies. Before the guidance became effective, there was talk in the press about tokens being a preferred solution. We reiterated numerous times that there was no preferred solution. The solutions had to come out of the banks' risk assessment and business decision.

What is the word on consumer pushback? Are consumers noticing the stronger authentication demands, and what's the impact on business?

I don't have a great handle on that, but early indications are that consumers are curious about it and understand it impacts them and secures their funds more than before. Among the bankers I've talked to, there's not a wholesale rejection of it; consumers are OK with it, it's just something that's different.

What comes next for the regulation?

The next steps are that we would continue to try to educate consumers on vulnerabilities and their habits. We have to look at implementation vulnerabilities; if they're not implemented properly, they could also create vulnerabilities in the technology. We need to look at technology risk. When you have new products in production, we have to see if there's any risk based on that. Institutions have to look at how it's impacted their business and how adoption has gone with customers.

This was last published in June 2007
