Author: Karen Crumbley, karenc@gladtech.net
The FFIEC’s Supplement to Authentication in an Internet Banking Environment has been out for over six months now, and it’s fair to say that the new Guidance has seen its share of analysis from the industry at large. At first I hesitated to broach such a topic that has already been the subject of so much focus throughout the latter half of 2011; however, I think there is a “sleeper” directive buried in the content that is being overlooked, inconspicuously hanging out in the Customer Awareness and Education section of the Guidance as follows:
• A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically
So, what does that statement mean exactly? While other items in the education section are prescriptive in nature, clearly requiring that a certain course of action be taken, this statement is somewhat vague. I am skeptical about the word “suggestion” in that statement and suspect that this directive will not be nearly as discretionary in practice as the wording implies. Instead, I believe that examiners may be looking for an action taken in response to this “suggestion,” or prompting, as evidence that the FI has addressed this aspect of the Guidance.
Financial institutions (FIs) seem hesitant to recommend a risk assessment of this nature. Among other reasons, some of the uncertainty lies in the fact that they do not want to task a customer with this exercise. FIs compete for commercial customers’ business and could see this requirement as potentially burdensome from the customer’s viewpoint.
FIs are accustomed to examiners’ and auditors’ expectations that they must perform several types of risk assessments, but now the tables are turned, and the FI suddenly finds itself thrust into the new role of enforcer. The FI will need to set expectations and provide its commercial customers with some type of framework so that they can conduct a risk assessment themselves. Additionally, the FI will need to guide the customer in determining the methodology, the frequency of this activity, and the way in which the resulting information will be disseminated.
A few compelling reasons why FIs could benefit in this new role:
If the overarching goal of the Guidance is to ensure that the customer’s non-public information is protected, then why wouldn’t an FI implement this education directive and require its commercial customers to participate?