FDIC Raises the Bar on Data Security By John Burnett
FDIC Raises the Bar on Data Security
By John Burnett
The FDIC significantly raised the bar on Data Security with its July 5, 2005, FIL 59-05, adding two significant new concerns that must be addressed by financial institutions' customer data security programs.
The FIL announced the release of a Supplement to the FDIC's December 2004 study on "Putting an End to Account-Hijacking Identity Theft."
Read the Study Putting and End to Account-Hijacking Identity Theft- 12/2004
Study Supplement- 06/2005
FDIC FIL 59-05 - 07/05/2005
The Supplement focuses on a discussion of seven technologies not discussed in the original study. These augment the list of technologies that have the potential to reduce the level of account hijacking and other forms of identity theft currently threatening consumers and their financial institutions.
The seven additional technologies --
- Internet Protocol Address (IPA) Location and Geo-Location
- Mutual Authentication
- Device Authentication
- Non-Hardware-Based One-Time-Password Scratch Card
- Trusted Platform Module (TPM) Chip
- User-Based Software to Detect Phishing and Fraudulent Web Sites
- Out-of-Band Authentication
Added Security Requirements
In addition, the Supplement includes two substantive findings that significantly raise regulatory expectations of financial institutions' information security programs.
- Financial institutions should include in their information security risk assessments an analysis to determine (a) whether the institution needs to implement more secure customer authentication methods, and, if so, (b) which method or methods make the most sense in view of the bank's lines of business and customer base.
- If the institution allows retail customers to access sensitive customer information via online banking or similar products, the channel must be secure. Specifically, the institution should supplement the usual user name/password combination with reliable multifactor authentication or other layered security.
These two findings, prominently featured in the both the FIL and the Study, make it clear that the FDIC (and, by association, the other FFIEC members) expect that financial institutions will complete the added security needs analysis. Further, if there is any retail customer access to "sensitive customer information" via online banking products, there is an expectation that banks will make their access controls more robust by adding some form of layered security. It should be noted that "sensitive customer information" need not include access to identity data. Mere access to payment information or check images can provide enough leverage to assist in further attempts to compromise the customer's account and identity.
Protecting Against, and Responding to, Customer Information Breaches
This CD-ROM training will help you understand the regulatory requirements, as well as the practical considerations, for developing and implementing your program. It also contains sample Web site language, sample customer notifications, suggestions for response team activities, and checklists for action. Order it now in the Banker Store!
Balancing Consumer Reluctance and Data Security
The FDIC answered several comments to the Study from financial institutions and their trade associations suggesting that consumers might resist the implementation of two-factor authentication, thereby slowing the growth of online banking. The agency said that the Supplement suggests that consumers are ready for added security for their accounts and sensitive personal information, and that several of the technologies described in the Supplement are more transparent to consumers, thus less likely to foster discomfort.
Official Guidance Still Possible
The FIL does not rise to the same level as an official Guidance Document from the FDIC. One might consider it a sort of "best practices" statement coupled with a great deal of information designed to justify the adoption of those best practices. However, the agency indicated when it released the original Study (December 2004) that it was considering issuing guidance on this topic later in 2005. In this Supplement, the FDIC restated that fact, and reported that it is consulting with the other federal regulators on the question.
First published on BankersOnline.com 7/13/05
First published on 07/13/2005