By Jim Salters
With roughly 4 1/2 months remaining before year-end, we thought we’d share
our take on some of the recent industry developments and our lessons learned
as we’ve helped our clients prepare for the deadline.
The New FAQ
week, the FFIEC published an official FAQ, seeking to clarify a number of questions
that bankers have been asking over the past 10 months.
I continue to be amazed by how many writers refer to this
guidance as requiring “two-factor” or “multifactor” authentication. A
recent story also mixed up the terms “verification” and “authentication”,
which are related but very different concepts. With press coverage
like this, it is no wonder that interpreting the guidance
continues to be a subject of debate.
As we have participated in this industry dialog, and helped our
clients understand and prepare for the deadline, my take is that the
FFIEC’s FAQ reiterates and officially documents what most industry
insiders have known for months. It is reassuring to see their
responses in writing, mitigating any risk that an individual examiner
would have a different interpretation. The FFIEC agencies have been
very proactive about engaging with the industry, clarifying their
objectives, yet remaining sufficiently vague about specifics, allowing
banks to approach the issue with their best judgement.
Readiness Is Everything
While difficulty interpreting the guidance is one potential explanation for
Gartner’s estimate that only 20% of banks are in compliance with five months
to go, our work with banks in this area has shown us two additional
challenges that aren’t really discussed in the industry press, but that we
think are also contributing to the inertia:
1. Lack of a risk assessment process and methodology:
The risk assessment requirement in the guidance implies that banks have an
existing risk assessment process and methodology, which should form the
basis of evaluating and justifying additional controls beyond usernames and
passwords. However, in our experience, some banks don’t really have a
standard risk assessment process or methodology. So, since the guidance clearly
calls for a risk assessment, these banks need to design a risk assessment
process and methodology first, which is not trivial, and is a much bigger
undertaking than authentication itself.
2. “Wait and see” regarding solutions:
Selecting solutions six to eight months ago was a fairly risky proposition.
A plethora of new solutions were hitting the market, and it wasn’t clear
which solutions, and which startups, would thrive, and which might quickly
become extinct. And pricing was very much in flux. Taking a “wait and see”
posture, if one didn’t want to be a first mover, was probably prudent. Some
large banks we worked with initially thought one-time password tokens might
be the best option, despite the cost. The rationale was that the
technology, and the companies behind them, were proven, and the newer
software-based methods were not. These newer technologies and providers
have come a long way since then, though, as a flurry of acquisitions appears
to have significantly reduced this risk, folding smaller players like
Passmark, Cyota, and Business Signatures into larger, better capitalized
companies with more diverse product offerings. In addition, many of these
solutions have been deployed by early movers, protecting millions of
customers, and demonstrating their total cost of ownership, customer
acceptance and impact, and scalability.
How Can Glenbrook Help Your Institution?
Need help understanding the guidance, planning and executing your risk
assessments, and selecting additional controls? Most recently, we’ve helped
a top 10 financial institution with our Glenbrook Risk Assessment Framework
for Internet Banking, allowing them to quickly demonstrate progress with
examiners, understand the longer-term implications for their overall risk
assessment process, and take effective action to meet the year-end deadline.
Let us know if we can help you as well.
Initial Publication Date: August 17, 2006