Five Questions You Should Ask About FFIEC Compliance

Examinations with the agency’s new guidance begin this month.

February 08, 2012

The Federal Financial Institutions Examination Council (FFIEC) recently released the supplement to its “Authentication in an Internet Banking Environment” guidance, which the agency first issued in 2005.

Credit unions are now required to comply with the new requirements, and examinations with the new guidance are starting this month.

These updates of the FFIEC regulations specifically address customer authentication, layered security, and other controls in the growing online environment.

Below are five major questions about complying with FFIEC’s Internet banking authentication guidance that every credit union should address before implementing a solution.

1. What does ‘layered security’ actually mean?

“Layered security” refers to the arrangement of fraud tools in a sequential fashion.

A layered approach starts with the simplest, most benign, and least obtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases.

2. What does ‘multi-factor authentication’ actually mean?

A simple example of multi-factor authentication is the use of a debit card at an ATM.

The plastic debit card is an item you must physically possess to withdraw cash, but completing the transaction also requires the personal identification number (PIN).

The card is one factor, the PIN is a second. The two combine to deliver a multi-factor authentication.

3. Who does this guidance affect, and does it affect each type of credit grantor/lender differently?

The guidance pertains to all financial institutions in the U.S. that fall under FFIEC’s influence.

While the guidance specifically mentions authenticating in an online environment, it’s clear that the overall approach the agency advocates applies to authentication in any environment.

4. How will the regulation mitigate fraud risk in the short- and long-term?

The guidance is an important way to reinforce that:

  • Fraud losses undermine faith in our financial system;
  • Fraud tactics evolve constantly; and
  • The tools that combat fraud tactics have to evolve as well.

The guidance provides a perspective on why it’s important to understand the risk and to respond accordingly.

5. How are organizations responding?

Experian estimates that fewer than half of the institutions affected by this guidance are prepared for the examinations.

Many of the fraud tools in the marketplace, particularly those used to authenticate individuals, were deployed as point-solutions.

Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, “layered” approach that the guidance is seeking.

CHRISTOPHER RYAN is a senior fraud business consultant with Experian’s Global Consulting Practice.
