Did Disclosure Delay Guidance? Unofficial Release of FFIEC Draft Opens Regulators to Feedback
Speculation about the pending update to online authentication guidance has been circulating around water coolers for months now. And no doubt expectations were raised by the publicity around recent corporate account takeover incidents, which fueled the discussion and piqued regulators' interest in tighter online protections.
In January, when a handful of industry sources started buzzing about their meetings with the Federal Financial Institutions Examination Council, saying changes to existing authentication guidance were imminent, none was too surprised by what they heard.
Coming out of those meetings, most of us expected to see this new guidance by the middle of the first quarter, at the latest. But then in February we got a sneak peek at the FFIEC's drafted guidance, after it was inadvertently disclosed and started circulating throughout the industry.
Which brings us to March, and we still wait to see the final version. At this point, when the guidance will be issued is anyone's guess. And as IT security attorney David Navetta explains, the disclosure of the drafted guidance -- and subsequent reporting about what was in it -- may have slowed the process.
"From a public perspective, seeing a draft of what's being proposed helps us know what the regulators are thinking," Navetta says. "But it could pose some problems for the actual guidance." Since regulators now have more critics who will inevitably compare the drafted guidance with the final guidance when it's published, "A [disclosure] like this could make it more challenging for the regulators," he says.
In other words, we may have to wait a little longer. And I think the industry can live with that. Perhaps that extra time offers some advantage, like giving regulators more time to review and refine their recommendations. The extra time also gives bankers more opportunity to see the FFIEC's direction and share their thoughts about what the update really needs.
After reading our recent coverage about the draft, one banker told me that he doesn't understand why the regulators feel banks are not adequately protecting their commercial customers from risk. "There is an inference that most banks at risk don't watch for suspicious activity, and it is difficult to believe a notable number of banks don't," he says. "I am very interested in seeing what direction, if any, is given on the user-awareness part [when it comes to the security] of using their computers."
He points to existing computer and Internet safety best practices listed on the United States Computer Emergency Readiness Team's website, saying they were about as thorough as industry best practices could be.
Other critics have pointed to the draft's mention of multifactor authentication and layered security, saying better definitions here could help institutions.
The point is - and it's a good one: Banking regulators now have the opportunity to weigh additional feedback as they craft the final guidance. They should take this extra time and input and use it wisely.