FFIEC Compliance

The Current Landscape
Today’s fraudsters are more agile and adaptive than ever before. Innovation is quickly being out-paced, and fraud continues to be a daunting threat to financial institutions. With new technologies emerging every day, it is critical for organizations to fraud proof their systems to ensure minimal amount of loss in the event of a breach and provide a secure experience for their clients. Changing regulations and updated guidelines from the FFIEC are intended to help with this, but sometimes just make the situation more daunting! According to a recent BankInfoSecurity survey, 29% of the 200 financial leaders surveyed said that they still don’t understand what regulators want in terms of FFIEC conformance, and 88% don’t believe conformance will do much to curb online fraud.

Where We Are Headed
We need to reach a landscape where organizations have a clear understanding of compliance requirements, how these will bolster their security and what more they can do to go beyond simply checking boxes off a guideline list. At 41st Parameter, we believe in the importance of being able to adapt to new risks and attack vectors, and FFIEC compliance is the first step in thwarting these threats. Here, we’ve put together five of the necessary steps organizations need to take on the road to reach compliance. Safe travels!

  1. Risk Assessment. The first step to FFIEC compliance – and a robust fraud prevention program – is to conduct periodic risk assessments. It’s important to know what you’re up against; fraud threats, especially in the online world, evolve rapidly, and your organization needs to adapt as new threats emerge. This also includes understanding the impact of changes in the banking ecosystem such as the increased adoption of mobile banking and shifting use patterns of your customer base.
  2. Layered Security. Taking a layered approach to security ensures that your organization can maintain comprehensive threat protection even if one element suffers a vulnerability. This approach should combine a variety of authentication techniques (such as dual customer authorization through different device access, out-of-band verification for transactions), account activity controls (such as “positive pay,” transaction value and frequency thresholds, allowable payment windows, control over account maintenance activities performed by customers or service channels, etc.) and policies and practices such as customer history monitoring and effective customer education.
  3. Vigilant Monitoring. With security systems and protocols in place, vigilant monitoring of transactions, customer behavior patterns, account activity and access to admin functions will reveal any anomalies and possible threats in progress, as well as potential areas of future vulnerability.
  4. Complex Device Identification. Device identification allows you to implement multifactor authentication or transaction verification. It’s critical that the solution you rely on goes beyond cookies or IP identification alone, and takes into account device-specific parameters in order to detect compromised or fraudulent devices.
  5. Customer Awareness and Education. Through effective communication and education, your customers can become another line of defence. Make sure that customers know under what circumstances your organization may contact them to request their banking credentials. Remind them of the resources available both for additional risk mitigation they can implement themselves, and how to sound an alert if they notice suspicious account activity or experience customer information security-related events.