August 17, 2006

FFIEC Authentication Guidance: The Countdown Continues

By Jim Salters

With roughly 4 1/2 months remaining before year-end, we thought we'd share our take on some of the recent industry developments and our lessons learned as we've helped our clients prepare for the deadline.

The New FAQ

Earlier this week, the FFIEC published an official FAQ, seeking to clarify a number of questions that bankers have been asking over the past 10 months. I continue to be amazed by how many writers continue to refer to this guidance as requiring "two-factor" or "multifactor" authentication. A recent story also mixed the terms "verification" and "authentication", which are related but very different concepts. With press coverage like this, I guess it is no wonder that interpreting the guidance continues to be a subject of debate.

No Surprises

As we have participated in this industry dialog, and helped our clients understand and prepare for the deadline, my take is that the FFIEC's FAQ reiterates and officially documents what most industry insiders have known for months. It is reassuring to see their responses in writing, mitigating any risk that an individual examiner would have a different interpretation. The FFIEC agencies have been very proactive about engaging with the industry, clarifying their objectives, yet remaining sufficiently vague about specifics, allowing banks to approach the issue with their best judgement.

Readiness Is Everything

While difficulty interpreting the guidance is one potential explanation for Gartner's estimate that only 20% of banks are in compliance with five months to go, our work with banks in this area has shown us two additional challenges that aren't really talked about in the industry press, but which we think are also contributing to the inertia:

1. Lack of a risk assessment process and methodology:

The risk assessment requirement in the guidance implies that banks have an existing risk assessment process and methodology, which should form the basis of evaluating and justifying additional controls beyond usernames and passwords. However, in our experience, some banks don't really have a standard risk assessment process or methodology. So as the guidance clearly calls for a risk assessment, these banks need to design a risk assessment process and methodology first, which is not trivial, and is much bigger than just authentication itself.

2. "Wait and see" regarding solutions:

Selecting solutions six-to-eight months ago was a fairly risky proposition. A plethora of new solutions were hitting the market, and it wasn't clear which solutions, and which startups, would thrive, and which might quickly become extinct. And pricing was very much in flux. Taking a "wait and see" posture, if one didn't want to be a first mover, was probably prudent. Some large banks we worked with initially thought one-time password tokens might be the best option, despite the cost. The rationale was that the technology, and the companies behind it, were proven, and the newer software-based methods were not. These newer technologies and providers have come a long way since then, though, as a flurry of acquisitions appears to have significantly reduced this risk, folding smaller players like Passmark, Cyota, and Business Signatures into larger, better capitalized companies with more diverse product offerings. In addition, many of these solutions have been deployed by early movers, protecting millions of customers, and demonstrating their total cost of ownership, customer acceptance and impact, and scalability.

How Can Glenbrook Help Your Institution?

Need help understanding the guidance, planning and executing your risk assessments, and selecting additional controls? Most recently, we've helped a top 10 financial institution with our Glenbrook Risk Assessment Framework for Internet Banking, allowing them to quickly demonstrate progress with examiners, understand the longer-term implications for their overall risk assessment process, and take effective action to meet the year-end deadline.

Let us know if we can help you as well.

Publication History

Initial Publication Date: August 17, 2006