Risk Assessments & Documentation Keys to FFIEC Guidance

With the compliance date for the FFIEC’s Internet Banking Authentication right around the corner, several credit unions have expressed their concerns as to the compliance impact their credit union will face if the guidelines for authentication are not fully implemented by January, 2012.
The core principles of the FFIEC guidance include ongoing risk assessments and strategies, layered security controls, and improved customer awareness of online banking risks. The Supplement stresses that the risk assessment(s) involved in the institution’s efforts to comply with the guidelines is not a one-time project. Instead, it’s ongoing:

“Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every twelve months.”

The risk assessment(s) aids in determining which online transactions are higher risk than others. And although the guidance applies to all internet banking, it recognizes the fact that financial institutions will have more robust controls as the risk level of the transaction increases. The guidance uses consumer and business banking as an example. Although both would require security controls, the Guidance recognizes that the risk level differs:

“Since the frequency and dollar amounts of these [consumer] transactions are generally lower than commercial transactions, they pose a comparatively lower level of risk. Financial institutions should implement layered security, as described herein, consistent with the risk for covered consumer transactions."

The Guidance goes on to state:

“Since the frequency and dollar amounts of these [business] transactions are generally higher than consumer transactions, they pose a comparatively increased level of risk to the institution and its customer. Financial institutions should implement layered security, as described herein, utilizing controls consistent with the increased level of risk for covered business transactions. Additionally, the Agencies recommend that institutions offer multifactor authentication to their business customers.”

NCUA Letter to Credit Unions 11-CU-09 states:

“Federally insured credit unions will be expected to adapt appropriate strategies from the supplement to strengthen and enhance controls by January 2012. Beginning in 2012, at credit unions offering electronic services, NCUA examiners will evaluate these controls under the enhanced expectations outlined in the supplement.”

Documentation is Key. As credit unions strive towards following the updated guidance, they should be sure to document their progress to show examiners. Highlight the steps the credit union has taken to implement additional security controls as indicated by the risk assessment. Show examiners your plan for continued risk assessments and new controls. If your vendors will be slowly rolling out security enhancements in 2012, document your communications with these vendors so that examiners know you are working on mitigating these risks.
Risk Assessments & Documentation Keys to FFIEC Guidance:

By JiJi Bahhur, Regulatory Compliance Counsel NAFCU

For additional information on the FFIEC Authentication Guidance, check out our June 29^th blog post.