Until early February 2011 I thought FFIEC was an obscure governmental agency which set out guidelines for the examiners of the various financial regulatory agencies of the federal government. Its proper name is the Federal Financial Institutions Examination Council. It is a creation of FIRREA. It is an interagency body composed of the Federal Reserve, FDIC, NCUA, OCC and OTS (for a time). Its guidance is designed to provide uniform principles, standards and report forms for examiners of the financial regulatory bodies. In 2005 FFIEC published guidance for authentication in electronic transactions including ACH and wire transfer. In 2010 FFIEC was updating the guidance. FFIEC's members were set to release the draft on December 31, 2010. However, one agency asked for a delay. The word apparently did not get to NCUA, and it posted the draft guidance on December 31. Bank Info Security, a blog edited by Tracy Kitten, reported that 1,100 copies were downloaded immediately over the New Year's holiday. (The draft guidance is titled "Interagency Supplement to Authentication in an Internet Banking Environment".) The details of the FFIEC draft guidance were then analyzed in detail by leading members of the bank security community from mid-February to March 2011 in Bank Info Security (http://www.bankinfosecurity.com/).
Although the Bank Info Security expert reporters' analysis of the FFIEC draft guidance contains many suggestions and generally approves the draft guidance, the experts have ignored the reality of coping with a wide array of commercial customers and varying levels of sophistication in ACH, wire transfer and internet banking departments.
The principal draft guidance recommendations as reported by Bank Info Security are:
1. Better risk assessments to address emerging threats now used frequently by foreign and domestic gangs, such as man in the middle, man in the browser and key loggers [a Google search will quickly summarize how each works, but essentially the criminal injects himself between the server and the computer user and intercepts data without the knowledge of the server or user; in key logging the bad guy captures keystrokes remotely].
2. Use of multi-factor authentication [again, a Google search explains the operation well, but multi-factor authentication is the use of more than a password to authenticate identity, with a preference for three-factor authentication].
3. Layered security [again see Google, but the concept involves vertical layers of review or checking of IDs].
4. Improved user authentication measures.
5. Customer and employee training in fraud awareness.
In the writer's personal experience, the technological sophistication of the Russian, Eastern European, Nigerian, and some domestic gangs is such that they will attack and conquer the latest token or gimmick intended to defeat them. The Russians, etc. have no other jobs, and as quickly as a new device is implemented, absent multi-factor or layered security, the Bad Guys may be in business.
David Shroyer, an expert reporting in Bank Info Security, notes in the February 24, 2011 edition of the blog that the draft guidance mentions the vulnerabilities of small to medium-sized commercial accounts. Most surprising is the concept that banks must "educate" commercial customers about the lack of protection under Regulation E in most commercial transactions. The draft guidance also puts much more responsibility on the bank to monitor high-risk transactions such as wire transfer or ACH, including regular reviews of volume and value for customers and the customer's online users. The guidance also suggests banks encourage commercial customers to perform risk assessments and control evaluations.
This is not just a bank IT issue. Recently, as reported by Bank Info Security, two customers with large wire transfer losses have used the 2005 FFIEC guidance to argue that two banks did not follow acceptable standards. If the FFIEC 2010 draft guidance is adopted (which it may not be in the December form), banks are in the crosshairs of broad but vague standards that do not fit reality for many banks.
New Mexico banks don't have to search out the big security companies or out-of-state auditors to analyze the issues posed by the draft guidance, once it is adopted. New Mexico has competent experts in "authentication" and in the compliance process involved in the draft guidance. Aside from the "usual suspects" like the big national firms, New Mexico has local resources. One is CAaNES, LLC, which offers network security and other services (http://www.caanes.com/). CAaNES, LLC is a creature of NM Tech University's Research Corporation and is actively involved in research.
REDW, LLC, an Albuquerque accounting firm, regularly does security and authentication evaluations and audits for banks, and has an IT Governance, Risk Management and Compliance practice (http://www.redw.com/).
My friends in bank IT will now point out to you that I am a techno idiot. But it does not take a technocrat to judge that all banks are not created equal, and all customers are not equal (in the sense of internet banking). A great number of commercial customer losses to internet fraud are caused by poor internal controls at the customer level. Most customers resist bringing in outside experts to strengthen their controls. Most bank internet systems require a named "administrator" who is solely responsible for passwords and other security devices. Often, for convenience's sake, passwords are doled out without restrictions or user accounts are set up without thought. The customer's CFO or person in charge must be available (or a backup named) to ensure that at the first sign of a suspicious transaction internet banking can contact him or her to stop the transactions. Most major wire fraud transactions are not done in one wire transfer but are spread over several transfers. In short, customer accountability is required.
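To make the monitoring point concrete, here is an added example (not from the original post, and not FFIEC's or any vendor's code) of the kind of "regular review of volume and value" the draft guidance asks banks to perform, written so that a loss spread over several individually unremarkable transfers is still caught. The customer name, users, payees, amounts, baseline figures and alert thresholds are all constructed for the example; a bank would derive its own baseline from each customer's actual history.

```python
"""
Layered monitoring of outbound wire/ACH transfers for one commercial customer.

Layer 1 looks at each transfer on its own (amount, payee, initiating user).
Layer 2 looks at the trailing 24-hour window, so a series of sub-threshold
transfers adds up to an alert even when no single transfer looks unusual.
Every name, amount and threshold here is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed baseline, as a bank might derive it from the prior 90 days of
# this customer's activity (hypothetical values).
BASELINE = {
    "customer": "ACME Widgets (constructed)",
    "max_single_amount": 50_000.00,     # largest routine transfer seen
    "typical_daily_total": 40_000.00,   # normal outbound value per business day
    "typical_daily_count": 3,           # normal number of transfers per day
    "known_payees": {"Supplier A", "Payroll Processor", "Landlord LLC"},
    "known_users": {"cfo_jane", "ap_clerk_bob"},
    "escalation_contact": "CFO (cfo_jane) or named backup",
}

# Constructed transfer log: (timestamp, initiating user, payee, amount)
TRANSFERS = [
    ("2011-03-01 09:15", "ap_clerk_bob", "Supplier A",        10_000.00),
    ("2011-03-01 11:40", "cfo_jane",     "Landlord LLC",       8_500.00),
    ("2011-03-02 08:05", "ap_clerk_bob", "Payroll Processor", 41_000.00),
    # Pattern the post describes: the loss is spread over several transfers,
    # here sent by a newly created user to payees the customer has never paid.
    ("2011-03-03 14:02", "temp_user7",   "New Payee Q",        9_800.00),
    ("2011-03-03 14:09", "temp_user7",   "New Payee R",        9_700.00),
    ("2011-03-03 14:15", "temp_user7",   "New Payee S",        9_900.00),
    ("2011-03-03 14:22", "temp_user7",   "New Payee T",        9_600.00),
    ("2011-03-03 14:30", "temp_user7",   "New Payee U",        9_500.00),
    ("2011-03-03 14:37", "temp_user7",   "New Payee V",        9_400.00),
    ("2011-03-03 14:44", "temp_user7",   "New Payee W",        9_300.00),
]

WINDOW = timedelta(hours=24)
VELOCITY_COUNT_FACTOR = 2     # alert when count in window > 2x typical daily count
VELOCITY_VALUE_FACTOR = 1.5   # alert when value in window > 1.5x typical daily total


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def per_transfer_checks(user, payee, amount, baseline):
    """Layer 1: checks that look at a single transfer in isolation."""
    reasons = []
    if amount > baseline["max_single_amount"]:
        reasons.append("amount exceeds customer's largest routine transfer")
    if payee not in baseline["known_payees"]:
        reasons.append("payee not previously paid by this customer")
    if user not in baseline["known_users"]:
        reasons.append("initiating user has no transfer history")
    return reasons


def velocity_checks(history, now, baseline):
    """Layer 2: count and value of this customer's transfers in the trailing
    window, including the transfer being reviewed. This is the layer that
    catches a loss spread over many individually modest transfers."""
    recent = [(t, a) for t, a in history if now - t <= WINDOW]
    count, total = len(recent), sum(a for _, a in recent)
    reasons = []
    if count > VELOCITY_COUNT_FACTOR * baseline["typical_daily_count"]:
        reasons.append(f"{count} transfers in 24h vs typical {baseline['typical_daily_count']}")
    if total > VELOCITY_VALUE_FACTOR * baseline["typical_daily_total"]:
        reasons.append(f"${total:,.2f} sent in 24h vs typical ${baseline['typical_daily_total']:,.2f}")
    return reasons


def review_transfers(transfers, baseline):
    """Run both layers over the log in order. Returns one alert per flagged
    transfer, each naming the reasons and whom the bank should contact."""
    alerts = []
    history = []   # (timestamp, amount) of transfers reviewed so far
    for ts, user, payee, amount in transfers:
        now = _parse(ts)
        history.append((now, amount))
        reasons = per_transfer_checks(user, payee, amount, baseline)
        reasons += velocity_checks(history, now, baseline)
        if reasons:
            alerts.append({
                "when": ts, "user": user, "payee": payee, "amount": amount,
                "reasons": reasons,
                "action": f"hold transfer; call {baseline['escalation_contact']}",
            })
    return alerts


if __name__ == "__main__":
    for a in review_transfers(TRANSFERS, BASELINE):
        print(a["when"], a["user"], a["payee"], f"${a['amount']:,.2f}")
        for r in a["reasons"]:
            print("   -", r)
        print("   =>", a["action"])
```

Run as written, the three routine transfers produce no alerts, every transfer from the unknown user is flagged by the first layer, and the seventh one additionally trips both velocity checks, because by then the day's count and value have passed the customer's baseline. The "action" field is the piece that ties back to the post: an alert is only useful if the bank has a named CFO or administrator (or backup) it can reach before the next transfer goes out.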
My suggestions follow but they are not a substitute for an expert review of issues raised by the draft guidance.
1. If you don't have them, use very strong internet banking, wire transfer and ACH agreements for commercial customers. NACHA has a model form for ACH transactions, although it needs modifications. Insert a clear statement concerning Regulation E's inapplicability to commercial transactions. Consumer forms of agreement usually can be simpler.
2. If possible, communicate any concerns to the customer if controls are lax, or if the customer's administrator does not control passwords or other security devices, or is not careful about setting up user accounts.
3. Institute a clear and reliable communications system with the customer's CFO, administrator or other appropriate authority figure to immediately alert that person to suspicious circumstances or transactions. I would not leave out the CEO if no one else can be found.
4. Contact a knowledgeable insurance consultant or broker about obtaining "cyber" insurance coverage or similar coverage. Make sure that the coverage extends to the type of ACH or wire transfer account takeover or invasion which is now occurring frequently.
5. In one lawsuit reported by Bank Info Security, a CEO complained that knowing the size of his company's accounts the bank should have given the company information about multi-factor identification and other types of protection. Picking and choosing which commercial customers get the most effective security has grave legal risks. On what risk or "reasonable care" basis do you differentiate between an $800,000 account and a $200,000 account? Telling a New Mexico jury that you take better care of the "big" $800,000 customer when the $200,000 customer has lost $175,000 is a recipe for losing. Start with high risk, but treat everyone as vulnerable and get protections in as soon as possible.
And, last but not least, meet with IT and see what problems exist in following the final FFIEC guidelines when they arrive in final form. Consult an expert if needed.
Marshall G. Martin
Comeau, Maldegen, Templeman & Indall, LLP
(505) 982 4611
(505) 228 8506
newmexicobankinglawyer.blogspot.com