
Financial Institutions thrust into a New Role as the “Enforcer”

Strategically Speaking
Feb 8, 2012

Author: Karen Crumbley, karenc@gladtech.net

The FFIEC’s Supplement to Authentication in an Internet Banking Environment has been out for over six months now, and it’s fair to say that the new Guidance has seen its share of analysis from the industry at large. At first I hesitated to broach a topic that was already the subject of so much focus throughout the latter half of 2011; however, I think there is a “sleeper” directive buried in the content that is being overlooked, inconspicuously tucked into the Customer Awareness and Education section of the Guidance as follows:

• A suggestion that commercial online banking customers perform a related risk assessment and controls evaluation periodically

So, what does that statement mean exactly? While other items in the education section are prescriptive in nature, clearly requiring that a certain course of action be taken, this statement is somewhat vague. I am skeptical of the word “suggestion” in that statement and suspect that this directive will not be nearly as optional as the wording implies. Instead, I believe that examiners may be looking for evidence that the FI has acted on this “suggestion,” or at least prompted its customers, in order to address this aspect of the Guidance.

Financial institutions (FIs) seem hesitant to recommend a risk assessment of this nature. Among other reasons, some of the uncertainty lies in the fact that they do not want to task a customer with this exercise. FIs compete for commercial customers’ business, and a customer could construe such a requirement as burdensome from its own viewpoint.

FIs are accustomed to examiners/auditors’ expectations that they must perform several types of risk assessments, but now the tables are turned, and the FI finds itself suddenly thrust into a new role of being the enforcer. The FI will need to set expectations and provide the commercial customers with some type of framework so that they can conduct a risk assessment themselves. Additionally, the FI will need to guide the customer in determining the methodology, the frequency of this activity, and the way in which the information will be disseminated.

A few compelling reasons why FIs could benefit in this new role:

  1. FIs can use this task as an opportunity to emphasize the shared responsibility (FI and customer together) for ensuring the security and confidentiality of Non-Public Information (NPI) and of FI transactions with business customers.
  2. The FI will gain a risk perspective of each business as a unique entity and can “risk rank” each business based on its combination of banking products/services and operating environment.
  3. The business entity may gain a comprehensive understanding of the preventive, detective, and response measures involved with each banking product/service, along with a framework for judging its risk appetite and tolerance for future banking products/services.

If the overarching goal of the Guidance is to ensure that the customer’s non-public information is protected then why wouldn’t an FI implement this education directive and require its commercial customers to participate?
